Win32.Load Money and Yandex removal advice please

Is there anything else I should be doing and updating you on, because you know I never went through with all your directions after the OTM thing?
Yandex is an extension in your browser. I've been trying to locate it and delete it.

You really need to continue with the steps I outlined in a previous post.

  • Please download RogueKillerX64.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

~~~~~~~~~~~~~~~~~~~~

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.
Emergency Backup Procedure - Tech Support Forum

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

How to use ComboFix

Download ComboFix from here:
Link 1
Link 2
Link 3

Place ComboFix.exe on your Desktop <--Important
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    * Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may need to reboot your computer more than once to do its job; this is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security.
    ---------------------------------------------------------------------------------------------
  • If there are Internet issues after running ComboFix:
    Internet Explorer:
    Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings". Also clear any proxy address and port. OK, Apply (only if applicable), OK.
    Firefox:
    Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
    Chrome:
    Tools menu -> "Options" -> "Change Proxy Settings" -> "LAN Settings", then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
    Safari:
    Launch Safari.
    Go to the general settings menu, then Preferences / Advanced.
    On the Proxies line, click "Change Settings...".
    Click Internet Options, then click the Connections tab, then Network Settings.
    Uncheck the option for the use of a proxy server.


Please post:
RKreport.txt
ComboFix.txt
 
Stasis - shut out - Help

Dear Juliet, HELP!!

I had to spend a bit of time discovering how exactly to disable SP (I also, btw, took out the Firewall); meanwhile I had already downloaded ComboFix, which seemed to involve a reboot - which I did, but ComboFix had gone, and I went back to Bleeping Computers to get it again. I then downloaded it again, now with the antivirus fully disabled, and now it seems I am completely shut out of my computer. Firefox says "The proxy server is refusing connections. Firefox is configured to use a proxy server that is refusing connections." Chrome says something similar.

What is happening? Luckily I have access to a friend's computer and can still communicate with you.

Thanks, Wendy
 
Usually a reboot does the trick.


If there are Internet issues after running ComboFix:
Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings". Also clear any proxy address and port. OK, Apply (only if applicable), OK.
Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
Chrome:
Tools menu -> "Options" -> "Change Proxy Settings" -> "LAN Settings", then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
Safari:
Launch Safari.
Go to the general settings menu, then Preferences / Advanced.
On the Proxies line, click "Change Settings...".
Click Internet Options, then click the Connections tab, then Network Settings.
Uncheck the option for the use of a proxy server.
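The proxy check the helper walks through in the GUI above (here and in the earlier ComboFix post) can also be done by reading the registry. This PowerShell script is an added example, not part of the thread or of any tool named in it: it reports the WinINet proxy values that Internet Explorer and Chrome use on Windows, plus the two HKCU policy values that RogueKiller reports as [HJ POL][PUM] in the log posted further down. It assumes the standard Windows 7 registry paths, changes nothing, and does not cover Firefox, which keeps its own proxy preference.

```powershell
# Added example, not from the thread: report the WinINet proxy settings (used by
# Internet Explorer and by Chrome on Windows) and two policy values RogueKiller
# flags as [HJ POL][PUM]. Read-only; the GUI steps in the thread are the fix.
$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-WinInetProxyState {
    $p = Get-ItemProperty -Path $InetSettings -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = [int]$p.ProxyEnable      # 1 = "Use a proxy server for your LAN" is ticked
        ProxyServer   = $p.ProxyServer           # host:port every HTTP request is sent through
        AutoConfigURL = $p.AutoConfigURL         # PAC script: a second way to redirect traffic
        ProxyOverride = $p.ProxyOverride         # bypass list, usually "<local>"
    }
}

function Get-UserPolicyRestrictions {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $value = if ($null -ne $p) { $p.$name } else { $null }
        [pscustomobject]@{
            Name     = $name
            Present  = ($null -ne $value)
            Value    = $value
            # RogueKiller showed "(0)" for both: the value exists but enforces nothing.
            # A value of 1 would block Task Manager / regedit for this user.
            Blocking = ($value -eq 1)
        }
    }
}

$proxy = Get-WinInetProxyState
if ($proxy.ProxyEnable -eq 1 -or -not [string]::IsNullOrEmpty($proxy.AutoConfigURL)) {
    $msg = "Proxy active: ProxyServer='$($proxy.ProxyServer)' AutoConfigURL='$($proxy.AutoConfigURL)'. " +
           "Unless you set this yourself, this is what produces 'The proxy server is refusing connections'."
    Write-Warning $msg
}
else {
    Write-Host 'No WinINet proxy configured: the "Use a proxy server" box is unchecked.'
}

Get-UserPolicyRestrictions | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell window as the affected user, since both keys live under HKCU and an elevated prompt for a different account would show that account's settings instead.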
 
MMMM whoops

Dear Juliet, sorry about the glitch on the reboot front, I just didn't connect with what your directions implied and what happened. I have done as you suggested with Mozilla and that worked fine - though still manipulated by Yandex - but Chrome does not seem to have Options etc. in its Tools menu, and looking around in Settings I did not find it there??
Having completed RogueKiller and ComboFix, I will now re-enable the antivirus.

Here are the two reports from RogueKiller and ComboFix:

1. RogueKiller:

RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : gokarna [Admin rights]
Mode : Scan -- Date : 04/29/2014 10:44:40
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 1 ¤¤¤
[FF][PUP] kp5xybf2.default-1397910583341 : Yahoo Toolbar

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] EAT @explorer.exe (BeginBufferedAnimation) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E09AE)
[Address] EAT @explorer.exe (BeginBufferedPaint) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D49A1)
[Address] EAT @explorer.exe (BeginPanningFeedback) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74700731)
[Address] EAT @explorer.exe (BufferedPaintClear) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D6395)
[Address] EAT @explorer.exe (BufferedPaintInit) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D940E)
[Address] EAT @explorer.exe (BufferedPaintRenderAnimation) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E08ED)
[Address] EAT @explorer.exe (BufferedPaintSetAlpha) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746EE6B3)
[Address] EAT @explorer.exe (BufferedPaintStopAllAnimations) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746ED395)
[Address] EAT @explorer.exe (BufferedPaintUnInit) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D94AB)
[Address] EAT @explorer.exe (CloseThemeData) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D6A18)
[Address] EAT @explorer.exe (DrawThemeBackground) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D3982)
[Address] EAT @explorer.exe (DrawThemeBackgroundEx) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746ED9DA)
[Address] EAT @explorer.exe (DrawThemeEdge) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746F3B52)
[Address] EAT @explorer.exe (DrawThemeIcon) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x747035E7)
[Address] EAT @explorer.exe (DrawThemeParentBackground) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D53E5)
[Address] EAT @explorer.exe (DrawThemeParentBackgroundEx) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D51BF)
[Address] EAT @explorer.exe (DrawThemeText) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D4EA1)
[Address] EAT @explorer.exe (DrawThemeTextEx) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D63E6)
[Address] EAT @explorer.exe (EnableThemeDialogTexture) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746DFCAF)
[Address] EAT @explorer.exe (EnableTheming) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74702FEB)
[Address] EAT @explorer.exe (EndBufferedAnimation) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D3F9A)
[Address] EAT @explorer.exe (EndBufferedPaint) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D3F9A)
[Address] EAT @explorer.exe (EndPanningFeedback) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x747006CC)
[Address] EAT @explorer.exe (GetBufferedPaintBits) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D4BAF)
[Address] EAT @explorer.exe (GetBufferedPaintDC) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E04BC)
[Address] EAT @explorer.exe (GetBufferedPaintTargetDC) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E0473)
[Address] EAT @explorer.exe (GetBufferedPaintTargetRect) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74702E7F)
[Address] EAT @explorer.exe (GetCurrentThemeName) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E05DD)
[Address] EAT @explorer.exe (GetThemeAppProperties) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E0FB1)
[Address] EAT @explorer.exe (GetThemeBackgroundContentRect) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746DCD2E)
[Address] EAT @explorer.exe (GetThemeBackgroundExtent) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746DF8BF)
[Address] EAT @explorer.exe (GetThemeBackgroundRegion) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E165D)
[Address] EAT @explorer.exe (GetThemeBitmap) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746DBF93)
[Address] EAT @explorer.exe (GetThemeBool) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D7C1F)
[Address] EAT @explorer.exe (GetThemeColor) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D616C)
[Address] EAT @explorer.exe (GetThemeDocumentationProperty) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74702932)
[Address] EAT @explorer.exe (GetThemeEnumValue) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D616C)
[Address] EAT @explorer.exe (GetThemeFilename) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74702412)
[Address] EAT @explorer.exe (GetThemeFont) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746DFF21)
[Address] EAT @explorer.exe (GetThemeInt) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D616C)
[Address] EAT @explorer.exe (GetThemeIntList) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x747023B1)
[Address] EAT @explorer.exe (GetThemeMargins) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D86E9)
[Address] EAT @explorer.exe (GetThemeMetric) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E06E2)
[Address] EAT @explorer.exe (GetThemePartSize) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746DCDB1)
[Address] EAT @explorer.exe (GetThemePosition) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74702350)
[Address] EAT @explorer.exe (GetThemePropertyOrigin) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746F3FBB)
[Address] EAT @explorer.exe (GetThemeRect) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E3611)
[Address] EAT @explorer.exe (GetThemeStream) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E39D9)
[Address] EAT @explorer.exe (GetThemeString) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x747022E4)
[Address] EAT @explorer.exe (GetThemeSysBool) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74703172)
[Address] EAT @explorer.exe (GetThemeSysColor) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746F3274)
[Address] EAT @explorer.exe (GetThemeSysColorBrush) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7470301E)
[Address] EAT @explorer.exe (GetThemeSysFont) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x747029C4)
[Address] EAT @explorer.exe (GetThemeSysInt) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74702BD3)
[Address] EAT @explorer.exe (GetThemeSysSize) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7470320B)
[Address] EAT @explorer.exe (GetThemeSysString) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74702B3F)
[Address] EAT @explorer.exe (GetThemeTextExtent) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D2D57)
[Address] EAT @explorer.exe (GetThemeTextMetrics) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746DF992)
[Address] EAT @explorer.exe (GetThemeTransitionDuration) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E1081)
[Address] EAT @explorer.exe (GetWindowTheme) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746DDF46)
[Address] EAT @explorer.exe (HitTestThemeBackground) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E3CE3)
[Address] EAT @explorer.exe (IsAppThemed) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746DF869)
[Address] EAT @explorer.exe (IsCompositionActive) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D2E9A)
[Address] EAT @explorer.exe (IsThemeActive) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746DF785)
[Address] EAT @explorer.exe (IsThemeBackgroundPartiallyTransparent) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D60AB)
[Address] EAT @explorer.exe (IsThemeDialogTextureEnabled) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7470312B)
[Address] EAT @explorer.exe (IsThemePartDefined) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D85B4)
[Address] EAT @explorer.exe (OpenThemeData) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746D73D2)
[Address] EAT @explorer.exe (OpenThemeDataEx) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746F3D43)
[Address] EAT @explorer.exe (SetThemeAppProperties) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x74703296)
[Address] EAT @explorer.exe (SetWindowTheme) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746E0134)
[Address] EAT @explorer.exe (SetWindowThemeAttribute) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746ECFE6)
[Address] EAT @explorer.exe (ThemeInitApiHook) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x746DB176)
[Address] EAT @explorer.exe (UpdatePanningFeedback) : HID.DLL -> HOOKED (C:\Windows\system32\UxTheme.dll @ 0x7470068D)
[Address] EAT @explorer.exe (DllCanUnloadNow) : Wlanapi.dll -> HOOKED (C:\Windows\system32\Syncreg.dll @ 0x73863418)
[Address] EAT @explorer.exe (DllGetClassObject) : Wlanapi.dll -> HOOKED (C:\Windows\system32\Syncreg.dll @ 0x738634C5)
[Address] EAT @explorer.exe (DllRegisterServer) : Wlanapi.dll -> HOOKED (C:\Windows\system32\Syncreg.dll @ 0x738633A5)
[Address] EAT @explorer.exe (DllUnregisterServer) : Wlanapi.dll -> HOOKED (C:\Windows\system32\Syncreg.dll @ 0x73863408)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : PUP ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ATA ST9500325AS SCSI Disk Device +++++
--- User ---
[MBR] 731db79b3f40f638db6910776cba10f9
[BSP] 97970a6b0bbb08775dfcbf0a5cb6dd19 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 279896 MB
2 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 573435904 | Size: 196941 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_04292014_104440.txt >>


2. ComboFix:

ComboFix 14-04-30.01 - gokarna 04/30/2014 21:21:23.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3062.1994 [GMT 3:00]
Running from: c:\users\gokarna\Downloads\ComboFix.exe
AV: Spybot - Search and Destroy *Disabled/Updated* {20A26C15-1AF0-7CA3-9380-FAB824A7EE0D}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2014-03-28 to 2014-04-30 )))))))))))))))))))))))))))))))
.
.
2014-04-30 18:25 . 2014-04-30 18:25 -------- d-----w- c:\users\gokarna\AppData\Local\temp
2014-04-30 18:25 . 2014-04-30 18:25 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-04-30 18:25 . 2014-04-30 18:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-04-29 07:39 . 2014-04-29 07:39 26624 ----a-w- c:\windows\system32\TrueSight.sys
2014-04-29 06:48 . 2014-04-17 02:32 8050496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{037E7DDA-919D-4EAE-A2D4-3C7ACB2E29E0}\mpengine.dll
2014-04-26 14:28 . 2014-04-26 14:28 -------- d-----w- c:\programdata\Yandex
2014-04-26 14:28 . 2014-04-26 14:28 -------- d-----w- c:\users\gokarna\AppData\Local\Yandex
2014-04-26 14:28 . 2014-04-26 14:28 -------- d-----w- c:\program files\Yandex
2014-04-26 14:28 . 2014-04-27 01:18 -------- d-----w- c:\users\gokarna\AppData\Roaming\Yandex
2014-04-26 11:47 . 2014-04-26 11:47 -------- d-----w- C:\_OTM
2014-04-18 17:35 . 2014-04-18 17:35 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2014-04-18 17:22 . 2014-02-04 02:07 149440 ----a-w- c:\windows\system32\drivers\storport.sys
2014-04-18 17:22 . 2014-02-04 02:07 234432 ----a-w- c:\windows\system32\drivers\msiscsi.sys
2014-04-18 17:22 . 2014-02-04 02:07 27072 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2014-04-18 17:22 . 2014-02-04 02:00 2048 ----a-w- c:\windows\system32\iologmsg.dll
2014-04-18 17:11 . 2014-04-18 17:11 -------- d-----w- c:\users\gokarna\AppData\Local\WindowsUpdate
2014-04-18 17:06 . 2014-04-14 17:13 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-04-18 17:03 . 2014-04-18 17:03 921512 ----a-w- c:\program files\jxpiinstall.exe
2014-04-15 07:55 . 2014-04-15 07:56 -------- d-----w- c:\users\gokarna\Photos
2014-04-14 08:04 . 2014-04-14 08:04 -------- d-sh--w- c:\users\gokarna\AppData\Local\EmieUserList
2014-04-14 08:04 . 2014-04-14 08:04 -------- d-sh--w- c:\users\gokarna\AppData\Local\EmieSiteList
2014-04-13 13:38 . 2014-04-13 13:38 -------- d-----w- c:\windows\tr-TR
2014-04-13 13:38 . 2014-04-13 13:38 -------- d-----w- c:\windows\system32\XPSViewer
2014-04-13 13:38 . 2014-04-18 17:42 -------- d-----w- c:\windows\system32\drivers\tr-TR
2014-04-13 13:38 . 2014-04-13 13:38 -------- d-----w- c:\windows\system32\tr
2014-04-13 13:38 . 2014-04-13 13:38 -------- d-----w- c:\windows\system32\drivers\UMDF\tr-TR
2014-04-13 13:38 . 2014-04-13 13:38 -------- d-----w- c:\windows\system32\wbem\tr-TR
2014-04-13 13:14 . 2009-07-13 15:47 3584 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\tr-TR\LXKPTPRC.DLL.mui
2014-04-13 13:08 . 2014-01-24 02:18 1212352 ----a-w- c:\windows\system32\drivers\ntfs.sys
2014-04-13 13:08 . 2012-05-04 09:59 514560 ----a-w- c:\windows\system32\qdvd.dll
2014-04-05 19:16 . 2014-04-05 19:16 -------- d-----w- c:\windows\ERUNT
2014-04-05 18:21 . 2014-04-09 08:34 -------- d-----w- C:\AdwCleaner
2014-04-03 09:10 . 2014-04-03 09:10 -------- d-----w- c:\users\gokarna\AppData\Local\Spotify
2014-04-03 09:09 . 2014-04-08 05:54 -------- d-----w- c:\users\gokarna\AppData\Roaming\Spotify
2014-04-02 19:09 . 2014-04-02 19:09 -------- d-----w- c:\users\gokarna\AppData\Local\Skype
2014-04-02 19:09 . 2014-04-25 07:42 -------- d-----r- c:\program files\Skype
2014-04-02 19:09 . 2014-04-02 19:09 -------- d-----w- c:\program files\Common Files\Skype
2014-04-02 18:37 . 2014-04-18 17:08 -------- d-----w- c:\programdata\Oracle
2014-04-02 18:37 . 2014-04-02 18:39 -------- d-----w- c:\program files\Google
2014-04-02 18:04 . 2014-04-02 18:05 -------- d-----w- c:\program files\MPC-HC
2014-04-02 18:00 . 2014-04-02 18:00 -------- d-----w- c:\users\gokarna\AppData\Local\Secunia PSI
2014-04-02 17:58 . 2014-04-02 17:58 -------- d-----w- c:\program files\Secunia
2014-04-02 16:06 . 2014-04-26 10:27 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-02 16:05 . 2014-04-05 12:13 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-04-02 16:05 . 2014-04-03 06:51 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-02 16:05 . 2014-04-03 06:51 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-02 16:05 . 2014-04-03 06:50 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-02 16:05 . 2014-04-02 16:05 -------- d-----w- c:\programdata\Malwarebytes
2014-04-01 09:19 . 2014-04-09 10:02 -------- d-----w- C:\FRST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-29 09:09 . 2014-03-15 21:28 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-29 09:09 . 2014-03-15 21:28 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-31 06:35 . 2014-03-07 18:50 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-03-21 12:02 . 2014-03-21 12:02 86016 ----a-w- c:\windows\system32\iesysprep.dll
2014-03-21 12:02 . 2014-03-21 12:02 74240 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2014-03-21 12:02 . 2014-03-21 12:02 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2014-03-21 12:02 . 2014-03-21 12:02 645120 ----a-w- c:\windows\system32\jsIntl.dll
2014-03-21 12:02 . 2014-03-21 12:02 62464 ----a-w- c:\windows\system32\tdc.ocx
2014-03-21 12:02 . 2014-03-21 12:02 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-03-21 12:02 . 2014-03-21 12:02 48640 ----a-w- c:\windows\system32\mshtmler.dll
2014-03-21 12:02 . 2014-03-21 12:02 36352 ----a-w- c:\windows\system32\imgutil.dll
2014-03-21 12:02 . 2014-03-21 12:02 337408 ----a-w- c:\windows\system32\html.iec
2014-03-21 12:02 . 2014-03-21 12:02 24576 ----a-w- c:\windows\system32\licmgr10.dll
2014-03-21 12:02 . 2014-03-21 12:02 194048 ----a-w- c:\windows\system32\elshyph.dll
2014-03-21 12:02 . 2014-03-21 12:02 182272 ----a-w- c:\windows\system32\msls31.dll
2014-03-21 12:02 . 2014-03-21 12:02 151552 ----a-w- c:\windows\system32\iexpress.exe
2014-03-21 12:02 . 2014-03-21 12:02 139264 ----a-w- c:\windows\system32\wextract.exe
2014-03-21 12:02 . 2014-03-21 12:02 13312 ----a-w- c:\windows\system32\mshta.exe
2014-03-21 12:02 . 2014-03-21 12:02 111616 ----a-w- c:\windows\system32\IEAdvpack.dll
2014-03-21 12:02 . 2014-03-21 12:02 1051136 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-03-21 01:03 . 2014-03-21 01:03 49152 ----a-w- c:\windows\system32\taskhost.exe
2014-03-21 01:03 . 2014-03-21 01:03 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 906240 ----a-w- c:\windows\system32\FntCache.dll
2014-03-21 01:03 . 2014-03-21 01:03 604160 ----a-w- c:\windows\system32\d3d10level9.dll
2014-03-21 01:03 . 2014-03-21 01:03 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2014-03-21 01:03 . 2014-03-21 01:03 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 293376 ----a-w- c:\windows\system32\dxgi.dll
2014-03-21 01:03 . 2014-03-21 01:03 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
2014-03-21 01:03 . 2014-03-21 01:03 2284544 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-03-21 01:03 . 2014-03-21 01:03 220160 ----a-w- c:\windows\system32\d3d10core.dll
2014-03-21 01:03 . 2014-03-21 01:03 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2014-03-21 01:03 . 2014-03-21 01:03 187392 ----a-w- c:\windows\system32\UIAnimation.dll
2014-03-21 01:03 . 2014-03-21 01:03 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2014-03-21 01:03 . 2014-03-21 01:03 1247744 ----a-w- c:\windows\system32\DWrite.dll
2014-03-21 01:03 . 2014-03-21 01:03 1158144 ----a-w- c:\windows\system32\XpsPrint.dll
2014-03-21 01:03 . 2014-03-21 01:03 1080832 ----a-w- c:\windows\system32\d3d10.dll
2014-03-21 01:03 . 2014-03-21 01:03 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2014-03-21 01:02 . 2014-03-21 01:02 1505280 ----a-w- c:\windows\system32\d3d11.dll
2014-03-20 01:07 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2014-03-04 11:25 . 2012-05-30 09:14 246804 ----a-w- c:\windows\system32\drivers\AtherosBt.bin
2014-02-07 01:07 . 2014-03-20 08:31 2349056 ----a-w- c:\windows\system32\win32k.sys
2014-02-04 02:04 . 2014-03-21 07:48 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-02-04 02:04 . 2014-03-20 08:32 509440 ----a-w- c:\windows\system32\qedit.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\Elements\bartab.dll" [2013-12-18 3094368]
.
[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"= "c:\program files\Yandex\Elements\bartab.dll" [2013-12-18 3094368]
.
[HKEY_CLASSES_ROOT\clsid\{91397d20-1446-11d4-8af4-0040ca1127b6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
[HKEY_CLASSES_ROOT\Yandex.Toolbar]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2013-09-20 3666224]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2014-02-10 20924576]
"Spotify Web Helper"="c:\users\gokarna\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2014-04-03 1171968]
"uTorrent"="c:\users\gokarna\AppData\Roaming\uTorrent\uTorrent.exe" [2014-04-26 1270352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-07-11 74752]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-10-01 548864]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-29 200704]
"AtherosBtStack"="c:\program files\Bluetooth Suite\btvstack.exe" [2012-05-30 878208]
"AthBtTray"="c:\program files\Bluetooth Suite\athbttray.exe" [2012-05-30 696448]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-01-17 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2014-03-20 280576]
.
c:\users\gokarna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2014-3-4 113664]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.141\SSScheduler.exe [2014-1-16 277920]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2013-12-6 565464]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-06 108032]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-04-26 107736]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.141\McCHSvc.exe [2014-01-16 235696]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-10-15 3921880]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-09-20 1042272]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-09-13 171416]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2014-03-15 1343400]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2011-03-26 107776]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys [2013-03-18 541680]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys [2013-03-18 26608]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2013-02-22 16880]
S2 AtherosSvc;AtherosSvc;c:\program files\Bluetooth Suite\adminservice.exe [2012-05-30 97920]
S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2014-04-11 1390720]
S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2014-04-11 1764992]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2013-12-06 1229528]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2013-12-06 662232]
S2 ZAtheros Bt&Wlan Coex Agent;ZAtheros Bt&Wlan Coex Agent;c:\program files\Bluetooth Suite\Ath_CoexAgent.exe [2012-05-30 327296]
S3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys [2012-05-30 35968]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [2013-03-27 302920]
S3 btath_avdt;Qualcomm Atheros Bluetooth AVDT Service;c:\windows\system32\drivers\btath_avdt.sys [2013-03-27 101192]
S3 BTATH_BUS;Qualcomm Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [2013-03-27 27976]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys [2013-03-27 158688]
S3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys [2013-03-27 66448]
S3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys [2013-03-27 119624]
S3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [2013-03-27 496456]
S3 MEI;Intel(R) Management Engine Interface ;c:\windows\system32\DRIVERS\TeeDriver.sys [2013-03-20 85976]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_x86.sys [2013-12-06 16024]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2012-10-18 258704]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2013-03-04 643656]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-25 21:43 1078088 ----a-w- c:\program files\Google\Chrome\Application\34.0.1847.131\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-04-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-15 09:09]
.
2014-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-04-02 18:37]
.
2014-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-04-02 18:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yandex.ru/?win=121&clid=1991182
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:21320
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\kp5xybf2.default-1397910583341\
FF - prefs.js: browser.search.selectedEngine - Yandex
FF - prefs.js: browser.startup.homepage - hxxp://www.yandex.ru/?win=121&clid=1991182
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Notify-SDWinLogon - SDWinLogon.dll
AddRemove-Speed Test 127 - c:\program files\Speed Test 127\uninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-04-30 21:27:50
ComboFix-quarantined-files.txt 2014-04-30 18:27
.
Pre-Run: 156,012,404,736 bytes free
Post-Run: 155,890,843,648 bytes free
.
- - End Of File - - 54DE6406A8B436D54D018FF1D720AE75
A36C5E4F47E84449FF07ED3517B43A31

Btw, when you said "Yandex is an extension of your browser and you are trying to delete it", how will this happen - remotely?

Best of the best with all this, Wendy
 
We need to disable Spybot S&D's "TeaTimer", but only if you use this service.

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.
We can reenable it when we're done.

  1. Open Spybot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click the "Mode" menu and then "Advanced Mode".
  4. You may be presented with a warning dialog. If so, press "Yes".
  5. Click on "Tools".
  6. Click on "Resident".
  7. Uncheck the "TeaTimer" checkbox.
  8. Close/Exit Spybot Search and Destroy.



Next: Disconnect from the internet. If you are on Cable or DSL unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do not use Wordpad* or any other text editor than Notepad, or the script will fail. Copy and paste the text present inside the quote box below:
Save this as "CFScript.txt" including quotes and change the "Save as type" to "All Files" and place it on your desktop.
File::
c:\program files\Yandex\Elements\bartab.dll
c:\programdata\Yandex
c:\users\gokarna\AppData\Local\Yandex
c:\program files\Yandex
c:\users\gokarna\AppData\Roaming\Yandex
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91397D20-1446-11D4-8AF4-0040CA1127B6}"=-
[-HKEY_CLASSES_ROOT\Yandex.Toolbar.1]
[-HKEY_CLASSES_ROOT\TypeLib\{91397D13-1446-11D4-8AF4-0040CA1127B6}]
Firefox::
FF - prefs.js: browser.search.selectedEngine - Yandex
FF - prefs.js: browser.startup.homepage - hxxp://www.yandex.ru/?win=121&clid=1991182
ClearJavaCache::


(screenshot: CFScript.txt being dragged onto ComboFix.exe)



Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If there are internet issues afterward:

* In IE: Tools menu -> Internet Options -> Connections tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again in case you have set it previously.

* In Firefox: Tools menu -> Options... -> Advanced tab -> Network tab -> "Settings" under Connection, and uncheck the proxy server; set it to "No Proxy".

* In Chrome: Tools menu -> "Options" -> "Change Proxy Settings" -> "LAN Settings", then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
~~~~~~~~~~~~~~~~~~~~

Please post this log when done.
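The checks behind the proxy instructions above, as an added example (not code from the thread, from ComboFix or from any tool named here; the allow-listed home/search domains and the loopback host list are this example's assumptions): a Python triage of the "Supplementary Scan" block of a ComboFix log. The `uInternet Settings,ProxyServer = localhost:21320` entry with a bypass list of only `*.local` is the WinINET setting that IE and Chrome consult, so while something listens on that port every non-local site is routed through it; Firefox's `network.proxy.type - 0` means it is set to use no proxy at all. The CFScript above removes the Yandex files, the toolbar keys and the Firefox prefs but does not touch that proxy entry, which is why the manual IE/Chrome step matters.

```python
"""Triage of the 'Supplementary Scan' block of a ComboFix log.

Added example for this thread; not code from the thread, from ComboFix
or from any of the tools named here. It extracts the browser settings
ComboFix prints and flags the hijack indicators a reviewer looks for:
a proxy forced into the WinINET settings (used by IE and Chrome), a
homepage or search engine the owner did not choose, and the Firefox
proxy mode.
"""
import re
from urllib.parse import urlparse

# Constructed sample: the Supplementary Scan lines from the log above
# ("hxxp" is ComboFix's defanged "http").
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yandex.ru/?win=121&clid=1991182
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:21320
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\\users\\gokarna\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\kp5xybf2.default-1397910583341\\
FF - prefs.js: browser.search.selectedEngine - Yandex
FF - prefs.js: browser.startup.homepage - hxxp://www.yandex.ru/?win=121&clid=1991182
FF - prefs.js: network.proxy.type - 0
.
"""

# Assumptions for the example: what the machine's owner actually chose.
# Anything else is reported so a human can decide.
EXPECTED_HOME_DOMAINS = {"www.google.com", "www.bing.com"}
EXPECTED_SEARCH_ENGINES = {"google", "bing"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Firefox network.proxy.type values; Firefox defaults to 5 when the pref
# is not set (assumption used when the log lists no value).
FF_PROXY_MODES = {"0": "no proxy", "1": "manual", "2": "PAC",
                  "4": "auto-detect", "5": "system"}


def parse_supplementary_scan(text):
    """Return {setting: value} for the lines after the Supplementary Scan banner."""
    settings = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("------- Supplementary Scan"):
            in_section = True
            continue
        if not in_section or line in ("", "."):
            continue
        if line.startswith("FF - prefs.js: "):
            name, _, value = line[len("FF - prefs.js: "):].partition(" - ")
            settings["ff:" + name.strip()] = value.strip()
        elif " = " in line:
            key, _, value = line.partition(" = ")
            settings[key.strip()] = value.strip()
    return settings


def refang(url):
    """Turn ComboFix's hxxp:// back into http:// so urlparse sees a scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def proxy_host(proxy_value):
    """Host part of a WinINET ProxyServer value ('host:port' or 'http=host:port;...')."""
    first = proxy_value.split(";")[0]
    if "=" in first:
        first = first.split("=", 1)[1]
    m = re.match(r"^\[?([^\]]+?)\]?(?::\d+)?$", first.strip())
    return (m.group(1) if m else first).lower()


def triage(text):
    """Return a list of (indicator, detail) tuples worth a human's attention."""
    s = parse_supplementary_scan(text)
    findings = []

    proxy = s.get("uInternet Settings,ProxyServer")
    if proxy:
        kind = "loopback-proxy" if proxy_host(proxy) in LOOPBACK_HOSTS else "proxy-set"
        findings.append((kind, proxy))
        # A bypass list of only *.local means every other site, banking
        # included, goes through that proxy while it is running.
        findings.append(("proxy-bypass", s.get("uInternet Settings,ProxyOverride", "<none>")))
        mode = FF_PROXY_MODES.get(s.get("ff:network.proxy.type", "5"), "unknown")
        findings.append(("firefox-proxy-mode", mode))

    for key in ("uStart Page", "ff:browser.startup.homepage"):
        url = s.get(key)
        if url:
            host = (urlparse(refang(url)).hostname or "").lower()
            if host not in EXPECTED_HOME_DOMAINS:
                findings.append(("homepage-changed", f"{key} -> {host}"))

    engine = s.get("ff:browser.search.selectedEngine")
    if engine and engine.lower() not in EXPECTED_SEARCH_ENGINES:
        findings.append(("search-engine-changed", engine))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:22} {detail}")
```

Run against the sample it reports the loopback proxy, the `*.local` bypass, Firefox's "no proxy" mode, both Yandex homepages and the Yandex search engine; a log whose homepage is on the allow-list and that has no proxy entry produces no findings. Feed it a saved ComboFix.txt to triage a whole log the same way.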
 
Unable to follow these directions.....

......because in my Spybot S and D I do not seem to have these functions offered to me???? No legal dialog, no mode selection, no 'Tools' section or, therefore, a 'resident' option. I feel we must be looking at two different Spybot S and D universes. Nor, btw, have I seen anything in its contents called TeaTimer.

Sorry, it's probably just me, but I need more help to carry out this next operation. Wendy
 
Done CF with ComboFix

Hi Juliet, sorry about the TeaTimer misunderstanding; I just didn't know if my Spybot S and D ran this service or not, and now I understand that it doesn't.

Pasted below is the resultant log for CFScript united to ComboFix

ComboFix 14-04-30.01 - gokarna 05/03/2014 15:19:07.3.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3062.1926 [GMT 3:00]
Running from: c:\users\gokarna\Downloads\ComboFix.exe
Command switches used :: c:\users\gokarna\Desktop\CFScript.txt
AV: Spybot - Search and Destroy *Disabled/Updated* {20A26C15-1AF0-7CA3-9380-FAB824A7EE0D}
SP: Spybot - Search and Destroy *Disabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\Yandex"
"c:\program files\Yandex\Elements\bartab.dll"
"c:\programdata\Yandex"
"c:\users\gokarna\AppData\Local\Yandex"
"c:\users\gokarna\AppData\Roaming\Yandex"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Yandex\Elements\bartab.dll
.
.
((((((((((((((((((((((((( Files Created from 2014-04-03 to 2014-05-03 )))))))))))))))))))))))))))))))
.
.
2014-05-03 12:23 . 2014-05-03 12:23 -------- d-----w- c:\users\gokarna\AppData\Local\temp
2014-05-03 12:23 . 2014-05-03 12:23 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-05-03 12:23 . 2014-05-03 12:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-05-03 00:00 . 2014-04-29 12:34 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-05-02 22:18 . 2014-04-17 02:32 8050496 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{6C9B3D11-6407-4AF9-90B2-9FF7A64F02E4}\mpengine.dll
2014-04-29 07:39 . 2014-04-29 07:39 26624 ----a-w- c:\windows\system32\TrueSight.sys
2014-04-26 14:28 . 2014-04-26 14:28 -------- d-----w- c:\programdata\Yandex
2014-04-26 14:28 . 2014-04-26 14:28 -------- d-----w- c:\users\gokarna\AppData\Local\Yandex
2014-04-26 14:28 . 2014-04-26 14:28 -------- d-----w- c:\program files\Yandex
2014-04-26 14:28 . 2014-04-27 01:18 -------- d-----w- c:\users\gokarna\AppData\Roaming\Yandex
2014-04-26 11:47 . 2014-04-26 11:47 -------- d-----w- C:\_OTM
2014-04-18 17:35 . 2014-04-18 17:35 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2014-04-18 17:22 . 2014-02-04 02:07 149440 ----a-w- c:\windows\system32\drivers\storport.sys
2014-04-18 17:22 . 2014-02-04 02:07 234432 ----a-w- c:\windows\system32\drivers\msiscsi.sys
2014-04-18 17:22 . 2014-02-04 02:07 27072 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2014-04-18 17:22 . 2014-02-04 02:00 2048 ----a-w- c:\windows\system32\iologmsg.dll
2014-04-18 17:11 . 2014-04-18 17:11 -------- d-----w- c:\users\gokarna\AppData\Local\WindowsUpdate
2014-04-18 17:06 . 2014-04-14 17:13 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-04-18 17:03 . 2014-04-18 17:03 921512 ----a-w- c:\program files\jxpiinstall.exe
2014-04-15 07:55 . 2014-04-15 07:56 -------- d-----w- c:\users\gokarna\Photos
2014-04-14 08:04 . 2014-04-14 08:04 -------- d-sh--w- c:\users\gokarna\AppData\Local\EmieUserList
2014-04-14 08:04 . 2014-04-14 08:04 -------- d-sh--w- c:\users\gokarna\AppData\Local\EmieSiteList
2014-04-13 13:38 . 2014-04-13 13:38 -------- d-----w- c:\windows\tr-TR
2014-04-13 13:38 . 2014-04-13 13:38 -------- d-----w- c:\windows\system32\XPSViewer
2014-04-13 13:38 . 2014-04-18 17:42 -------- d-----w- c:\windows\system32\drivers\tr-TR
2014-04-13 13:38 . 2014-04-13 13:38 -------- d-----w- c:\windows\system32\tr
2014-04-13 13:38 . 2014-04-13 13:38 -------- d-----w- c:\windows\system32\drivers\UMDF\tr-TR
2014-04-13 13:38 . 2014-04-13 13:38 -------- d-----w- c:\windows\system32\wbem\tr-TR
2014-04-13 13:14 . 2009-07-13 15:47 3584 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\tr-TR\LXKPTPRC.DLL.mui
2014-04-13 13:08 . 2014-01-24 02:18 1212352 ----a-w- c:\windows\system32\drivers\ntfs.sys
2014-04-13 13:08 . 2012-05-04 09:59 514560 ----a-w- c:\windows\system32\qdvd.dll
2014-04-05 19:16 . 2014-04-05 19:16 -------- d-----w- c:\windows\ERUNT
2014-04-05 18:21 . 2014-04-09 08:34 -------- d-----w- C:\AdwCleaner
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-29 09:09 . 2014-03-15 21:28 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-29 09:09 . 2014-03-15 21:28 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-26 10:27 . 2014-04-02 16:06 107736 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-04-03 06:51 . 2014-04-02 16:05 51416 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-04-03 06:51 . 2014-04-02 16:05 73432 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-04-03 06:50 . 2014-04-02 16:05 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-03-31 06:35 . 2014-03-07 18:50 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-03-21 12:02 . 2014-03-21 12:02 86016 ----a-w- c:\windows\system32\iesysprep.dll
2014-03-21 12:02 . 2014-03-21 12:02 74240 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2014-03-21 12:02 . 2014-03-21 12:02 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2014-03-21 12:02 . 2014-03-21 12:02 645120 ----a-w- c:\windows\system32\jsIntl.dll
2014-03-21 12:02 . 2014-03-21 12:02 62464 ----a-w- c:\windows\system32\tdc.ocx
2014-03-21 12:02 . 2014-03-21 12:02 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-03-21 12:02 . 2014-03-21 12:02 48640 ----a-w- c:\windows\system32\mshtmler.dll
2014-03-21 12:02 . 2014-03-21 12:02 36352 ----a-w- c:\windows\system32\imgutil.dll
2014-03-21 12:02 . 2014-03-21 12:02 337408 ----a-w- c:\windows\system32\html.iec
2014-03-21 12:02 . 2014-03-21 12:02 24576 ----a-w- c:\windows\system32\licmgr10.dll
2014-03-21 12:02 . 2014-03-21 12:02 194048 ----a-w- c:\windows\system32\elshyph.dll
2014-03-21 12:02 . 2014-03-21 12:02 182272 ----a-w- c:\windows\system32\msls31.dll
2014-03-21 12:02 . 2014-03-21 12:02 151552 ----a-w- c:\windows\system32\iexpress.exe
2014-03-21 12:02 . 2014-03-21 12:02 139264 ----a-w- c:\windows\system32\wextract.exe
2014-03-21 12:02 . 2014-03-21 12:02 13312 ----a-w- c:\windows\system32\mshta.exe
2014-03-21 12:02 . 2014-03-21 12:02 111616 ----a-w- c:\windows\system32\IEAdvpack.dll
2014-03-21 12:02 . 2014-03-21 12:02 1051136 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-03-21 01:03 . 2014-03-21 01:03 49152 ----a-w- c:\windows\system32\taskhost.exe
2014-03-21 01:03 . 2014-03-21 01:03 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 906240 ----a-w- c:\windows\system32\FntCache.dll
2014-03-21 01:03 . 2014-03-21 01:03 604160 ----a-w- c:\windows\system32\d3d10level9.dll
2014-03-21 01:03 . 2014-03-21 01:03 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 364544 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2014-03-21 01:03 . 2014-03-21 01:03 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 293376 ----a-w- c:\windows\system32\dxgi.dll
2014-03-21 01:03 . 2014-03-21 01:03 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2014-03-21 01:03 . 2014-03-21 01:03 249856 ----a-w- c:\windows\system32\d3d10_1core.dll
2014-03-21 01:03 . 2014-03-21 01:03 2284544 ----a-w- c:\windows\system32\msmpeg2vdec.dll
2014-03-21 01:03 . 2014-03-21 01:03 220160 ----a-w- c:\windows\system32\d3d10core.dll
2014-03-21 01:03 . 2014-03-21 01:03 207872 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2014-03-21 01:03 . 2014-03-21 01:03 187392 ----a-w- c:\windows\system32\UIAnimation.dll
2014-03-21 01:03 . 2014-03-21 01:03 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2014-03-21 01:03 . 2014-03-21 01:03 1247744 ----a-w- c:\windows\system32\DWrite.dll
2014-03-21 01:03 . 2014-03-21 01:03 1158144 ----a-w- c:\windows\system32\XpsPrint.dll
2014-03-21 01:03 . 2014-03-21 01:03 1080832 ----a-w- c:\windows\system32\d3d10.dll
2014-03-21 01:03 . 2014-03-21 01:03 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2014-03-21 01:02 . 2014-03-21 01:02 1505280 ----a-w- c:\windows\system32\d3d11.dll
2014-03-20 01:07 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2014-03-04 11:25 . 2012-05-30 09:14 246804 ----a-w- c:\windows\system32\drivers\AtherosBt.bin
2014-02-07 01:07 . 2014-03-20 08:31 2349056 ----a-w- c:\windows\system32\win32k.sys
2014-02-04 02:04 . 2014-03-21 07:48 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-02-04 02:04 . 2014-03-20 08:32 509440 ----a-w- c:\windows\system32\qedit.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spybot-S&D Cleaning"="c:\program files\Spybot - Search & Destroy 2\SDCleaner.exe" [2013-09-20 3666224]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2014-02-10 20924576]
"Spotify Web Helper"="c:\users\gokarna\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2014-04-03 1171968]
"uTorrent"="c:\users\gokarna\AppData\Roaming\uTorrent\uTorrent.exe" [2014-04-26 1270352]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2011-07-11 74752]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-10-01 548864]
"PLFSetI"="c:\windows\PLFSetI.exe" [2008-07-29 200704]
"AtherosBtStack"="c:\program files\Bluetooth Suite\btvstack.exe" [2012-05-30 878208]
"AthBtTray"="c:\program files\Bluetooth Suite\athbttray.exe" [2012-05-30 696448]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2013-07-25 5624784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-02-21 152392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-01-17 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SPReview"="c:\windows\System32\SPReview\SPReview.exe" [2014-03-20 280576]
.
c:\users\gokarna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE %SystemRoot%\ERDNT\AutoBackup\#Date# /noconfirmdelete /noprogresswindow [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2014-3-4 113664]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.8.141\SSScheduler.exe [2014-1-16 277920]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2013-12-6 565464]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2013-12-06 662232]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013-10-23 172192]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-03-06 108032]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys [2014-04-26 107736]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.141\McCHSvc.exe [2014-01-16 235696]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2013-10-15 3921880]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2013-09-20 1042272]
R3 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2013-09-13 171416]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2014-03-15 1343400]
R3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\DRIVERS\ZTEusbvoice.sys [2011-03-26 107776]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys [2013-03-18 541680]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys [2013-03-18 26608]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys [2013-02-22 16880]
S2 AtherosSvc;AtherosSvc;c:\program files\Bluetooth Suite\adminservice.exe [2012-05-30 97920]
S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [2014-04-11 1390720]
S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [2014-04-11 1764992]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2013-12-06 1229528]
S2 ZAtheros Bt&Wlan Coex Agent;ZAtheros Bt&Wlan Coex Agent;c:\program files\Bluetooth Suite\Ath_CoexAgent.exe [2012-05-30 327296]
S3 AthBTPort;Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys [2012-05-30 35968]
S3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys [2013-03-27 302920]
S3 btath_avdt;Qualcomm Atheros Bluetooth AVDT Service;c:\windows\system32\drivers\btath_avdt.sys [2013-03-27 101192]
S3 BTATH_BUS;Qualcomm Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [2013-03-27 27976]
S3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys [2013-03-27 158688]
S3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys [2013-03-27 66448]
S3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys [2013-03-27 119624]
S3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys [2013-03-27 496456]
S3 MEI;Intel(R) Management Engine Interface ;c:\windows\system32\DRIVERS\TeeDriver.sys [2013-03-20 85976]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf_x86.sys [2013-12-06 16024]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys [2012-10-18 258704]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2013-03-04 643656]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\DRIVERS\SFEP.sys [2007-08-03 9344]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-25 21:43 1078088 ----a-w- c:\program files\Google\Chrome\Application\34.0.1847.131\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-03 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-15 09:09]
.
2014-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-04-02 18:37]
.
2014-05-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-04-02 18:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yandex.ru/?win=121&clid=1991182
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:21320
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\kp5xybf2.default-1397910583341\
FF - prefs.js: browser.search.selectedEngine - Yandex
FF - prefs.js: browser.startup.homepage - hxxp://www.yandex.ru/?win=121&clid=1991182
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{91397D20-1446-11D4-8AF4-0040CA1127B6} - c:\program files\Yandex\Elements\bartab.dll
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-05-03 15:24:50
ComboFix-quarantined-files.txt 2014-05-03 12:24
ComboFix2.txt 2014-04-30 18:27
.
Pre-Run: 155,436,085,248 bytes free
Post-Run: 155,359,883,264 bytes free
.
- - End Of File - - 5B846DB26390F8ACFA7B90617180273E
A36C5E4F47E84449FF07ED3517B43A31
 
Please Run TFC by OldTimer to clear temporary files:

Download TFC from here http://oldtimer.geekstogo.com/TFC.exe
and save it to your desktop.

Close any open programs and Internet browsers.
Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer, please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

~~~~~~~~~~~~~~~~~~~~

Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish
 
Esetscan

Hello Juliet,

So it looks, even to my novice eyes, that we may be getting to the nitty grits of my infection. Here is the ESETSCAN log:

C:\Users\gokarna\Downloads\DriversForFreeSetup.exe a variant of Win32/InstallCore.JW potentially unwanted application
C:\Users\gokarna\Downloads\MediaPlayer__7392_i603528379_il146.exe a variant of Win32/Amonetize.AO potentially unwanted application
C:\Users\gokarna\Downloads\shrek-the-third2007dvdrip-ac3eng-axxo_BitLord.exe Win32/InstallCore.MT potentially unwanted application

Btw, how goes it with finding and deleting Yandex? Can you do it remotely?

Salute, Wendy
 
Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (FRST) program (If asked to overwrite existing one please allow)

start
C:\Users\gokarna\Downloads\DriversForFreeSetup.exe
C:\Users\gokarna\Downloads\MediaPlayer__7392_i603528379_il146.exe
C:\Users\gokarna\Downloads\shrek-the-third2007dvdrip-ac3eng-axxo_BitLord.exe
c:\programdata\Yandex
c:\users\gokarna\AppData\Local\Yandex
c:\program files\Yandex
c:\users\gokarna\AppData\Roaming\Yandex
Reboot:
end
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Please post this log when finished.
 
Fixlist log

Hi Juliet, moving right along towards a conclusion then, here is the fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:05-05-2014
Ran by gokarna at 2014-05-05 19:30:52 Run:2
Running from C:\Users\gokarna\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
C:\Users\gokarna\Downloads\DriversForFreeSetup.exe
C:\Users\gokarna\Downloads\MediaPlayer__7392_i603528379_il146.exe
C:\Users\gokarna\Downloads\shrek-the-third2007dvdrip-ac3eng-axxo_BitLord.exe
c:\programdata\Yandex
c:\users\gokarna\AppData\Local\Yandex
c:\program files\Yandex
c:\users\gokarna\AppData\Roaming\Yandex
Reboot:
end
*****************

C:\Users\gokarna\Downloads\DriversForFreeSetup.exe => Moved successfully.
C:\Users\gokarna\Downloads\MediaPlayer__7392_i603528379_il146.exe => Moved successfully.
"C:\Users\gokarna\Downloads\shrek-the-third2007dvdrip-ac3eng-axxo_BitLord.exe" => File/Directory not found.
c:\programdata\Yandex => Moved successfully.
c:\users\gokarna\AppData\Local\Yandex => Moved successfully.
c:\program files\Yandex => Moved successfully.
c:\users\gokarna\AppData\Roaming\Yandex => Moved successfully.


The system needed a reboot.

==== End of Fixlog ====
 
Reportage

Hello Juliet,

How is it going? Well, Yandex is still very much with me, which is a downer. You haven't given me feedback on what's happening there for some time. While it has hijacked Firefox and Chrome I think it's best not to use this computer for any banking or purchasing activity. I am not really sure what to make of the Spybot scan logs, which, although Win32.Loadmoney no longer appears, still show lots of entries every day, and often only a few hours after fixing show as many entries again. I have copied and pasted the latest here so you can tell me if this is acceptable/normal or not?

Search results from Spybot - Search & Destroy

5/10/2014 12:42:58 AM
Scan took 00:16:05.
20 items found.

Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)
C:\Users\gokarna\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\XY9GT5VC\kiks.yandex.ru\fuid01.sol
Properties.size=188
Properties.md5=7B8842C292510E47967FC622F91A4B28
Properties.filedate=1399417808
Properties.filedatetext=2014-05-07 02:10:08

Macromedia.FlashPlayer.Cookies: [SBI $1EF45977] Text file (File, nothing done)
C:\Users\gokarna\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\XY9GT5VC\ospank.com\#kernelteam\preferences.sol
Properties.size=61
Properties.md5=C58803187774833DFC9451A7E42B4002
Properties.filedate=1399420269
Properties.filedatetext=2014-05-07 02:51:08

Macromedia.FlashPlayer.Cookies: [SBI $1EF45977] Text file (File, nothing done)
C:\Users\gokarna\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\XY9GT5VC\skype.com\#ui\preferences.sol
Properties.size=217
Properties.md5=DD1BC5A42AEC607C0FEE7A07D7EB04F2
Properties.filedate=1399324437
Properties.filedatetext=2014-05-06 00:13:57

DoubleClick: [SBI $4E2AF2AC] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)


Gabest Media Player Classic: [SBI $E81D76E1] Last captured file (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Gabest\Media Player Classic\Capture\FileName

Gabest Media Player Classic: [SBI $A8B11633] Recent file list (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Gabest\Media Player Classic\Recent File List

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\DirectInput\MostRecentApplication\Id

Windows.OpenWith: [SBI $7E93AD81] Open with list - .CSS extension (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList

Windows Explorer: [SBI $AA0766B5] Stream history (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry Value, nothing done)
HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: [SBI $49804B54] Browser: Cookie (3) (Browser: Cookie, nothing done)


Cache: [SBI $49804B54] Browser: Cache (74) (Browser: Cache, nothing done)


History: [SBI $49804B54] Browser: History (83) (Browser: History, nothing done)


Cookie: [SBI $49804B54] Browser: Cookie (150) (Browser: Cookie, nothing done)


Cookie: [SBI $49804B54] Browser: Cookie (160) (Browser: Cookie, nothing done)



--- Spybot - Search & Destroy version: 2.1.18.131 DLL (build: 20130516) ---

2013-09-20 blindman.exe (2.2.18.151)
2013-09-20 explorer.exe (2.2.18.177)
2013-09-20 SDBootCD.exe (2.2.18.109)
2013-09-20 SDCleaner.exe (2.2.18.110)
2013-09-20 SDDelFile.exe (2.2.18.94)
2013-06-18 SDDisableProxy.exe
2013-09-20 SDFiles.exe (2.2.18.135)
2013-09-20 SDFileScanHelper.exe (2.2.16.1)
2013-10-15 SDFSSvc.exe (2.2.25.211)
2013-10-10 SDHookHelper.exe (2.3.30.2)
2013-10-10 SDHookInst32.exe (2.3.30.2)
2013-09-20 SDImmunize.exe (2.2.18.130)
2013-05-16 SDLogReport.exe (2.1.18.107)
2013-10-14 SDOnAccess.exe (2.2.25.4)
2013-09-20 SDPESetup.exe (2.2.18.3)
2013-09-20 SDPEStart.exe (2.2.18.86)
2013-09-20 SDPhoneScan.exe (2.2.18.28)
2013-09-20 SDPRE.exe (2.2.18.22)
2013-09-20 SDPrepPos.exe (2.2.18.10)
2013-09-20 SDQuarantine.exe (2.2.18.103)
2013-09-20 SDRootAlyzer.exe (2.2.18.116)
2013-09-20 SDSBIEdit.exe (2.2.18.39)
2013-09-20 SDScan.exe (2.2.18.177)
2013-09-20 SDScript.exe (2.2.18.53)
2013-10-15 SDSettings.exe (2.2.25.138)
2013-09-20 SDShell.exe (2.2.18.2)
2013-09-20 SDShred.exe (2.2.18.107)
2013-09-20 SDSysRepair.exe (2.2.18.101)
2013-09-20 SDTools.exe (2.2.18.150)
2013-07-25 SDTray.exe (2.1.21.129)
2013-09-20 SDUpdate.exe (2.2.18.91)
2013-09-20 SDUpdSvc.exe (2.2.18.76)
2013-09-20 SDWelcome.exe (2.2.21.129)
2013-09-13 SDWSCSvc.exe (2.2.22.2)
2014-03-15 spybotsd2-installer.exe (2.2.25.0)
2013-06-19 spybotsd2-translation-frx.exe
2014-03-15 unins000.exe (51.1052.0.0)
1999-12-02 xcacls.exe
2012-08-23 borlndmm.dll (10.0.2288.42451)
2012-09-05 DelZip190.dll (1.9.0.107)
2012-09-10 libeay32.dll (1.0.0.4)
2012-09-10 libssl32.dll (1.0.0.4)
2013-05-16 SDAdvancedCheckLibrary.dll (2.1.18.98)
2013-05-16 SDAV.dll
2013-05-16 SDECon32.dll (2.1.18.113)
2013-04-05 SDEvents.dll (2.1.16.2)
2013-10-14 SDFileScanLibrary.dll (2.2.25.14)
2013-10-10 SDHook32.dll (2.3.30.2)
2013-05-16 SDImmunizeLibrary.dll (2.1.18.2)
2013-05-16 SDLicense.dll (2.1.18.0)
2013-05-16 SDLists.dll (2.1.18.4)
2013-05-16 SDResources.dll (2.1.18.7)
2013-05-16 SDScanLibrary.dll (2.1.18.131)
2013-05-16 SDTasks.dll (2.1.18.15)
2013-05-16 SDWinLogon.dll (2.1.18.0)
2012-08-23 sqlite3.dll
2012-09-10 ssleay32.dll (1.0.0.4)
2013-05-16 Tools.dll (2.1.18.36)
2014-03-05 Includes\Adware-000.sbi (*)
2014-01-08 Includes\Adware-001.sbi (*)
2014-05-06 Includes\Adware-C.sbi (*)
2014-01-13 Includes\Adware.sbi (*)
2014-01-13 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2014-01-08 Includes\Dialer-000.sbi (*)
2014-01-08 Includes\Dialer-001.sbi (*)
2014-01-08 Includes\Dialer-C.sbi (*)
2014-01-13 Includes\Dialer.sbi (*)
2014-01-13 Includes\DialerC.sbi (*)
2014-01-09 Includes\Fraud-000.sbi (*)
2014-01-09 Includes\Fraud-001.sbi (*)
2014-03-31 Includes\Fraud-002.sbi (*)
2014-01-09 Includes\Fraud-003.sbi (*)
2012-11-14 Includes\HeavyDuty.sbi (*)
2014-01-08 Includes\Hijackers-000.sbi (*)
2014-01-08 Includes\Hijackers-001.sbi (*)
2014-01-08 Includes\Hijackers-C.sbi (*)
2014-01-13 Includes\Hijackers.sbi (*)
2014-01-13 Includes\HijackersC.sbi (*)
2014-01-08 Includes\iPhone-000.sbi (*)
2014-01-08 Includes\iPhone.sbi (*)
2014-01-08 Includes\Keyloggers-000.sbi (*)
2014-03-19 Includes\Keyloggers-C.sbi (*)
2014-01-13 Includes\Keyloggers.sbi (*)
2014-01-13 Includes\KeyloggersC.sbi (*)
2014-01-09 Includes\Malware-001.sbi (*)
2014-01-09 Includes\Malware-002.sbi (*)
2014-02-05 Includes\Malware-003.sbi (*)
2014-01-28 Includes\Malware-004.sbi (*)
2014-04-15 Includes\Malware-005.sbi (*)
2014-02-26 Includes\Malware-006.sbi (*)
2014-01-09 Includes\Malware-007.sbi (*)
2014-04-30 Includes\Malware-C.sbi (*)
2014-01-13 Includes\Malware.sbi (*)
2013-12-23 Includes\MalwareC.sbi (*)
2014-01-15 Includes\PUPS-000.sbi (*)
2014-01-15 Includes\PUPS-001.sbi (*)
2014-01-15 Includes\PUPS-002.sbi (*)
2014-05-06 Includes\PUPS-C.sbi (*)
2012-11-14 Includes\PUPS.sbi (*)
2014-01-07 Includes\PUPSC.sbi (*)
2014-01-08 Includes\Security-000.sbi (*)
2014-01-08 Includes\Security-C.sbi (*)
2014-01-21 Includes\Security.sbi (*)
2014-01-21 Includes\SecurityC.sbi (*)
2014-01-08 Includes\Spyware-000.sbi (*)
2014-01-08 Includes\Spyware-001.sbi (*)
2014-01-08 Includes\Spyware-C.sbi (*)
2014-01-21 Includes\Spyware.sbi (*)
2014-01-21 Includes\SpywareC.sbi (*)
2011-06-07 Includes\Tracks.sbi (*)
2012-11-19 Includes\Tracks.uti (*)
2014-01-15 Includes\Trojans-000.sbi (*)
2014-01-15 Includes\Trojans-001.sbi (*)
2014-01-15 Includes\Trojans-002.sbi (*)
2014-01-15 Includes\Trojans-003.sbi (*)
2014-01-15 Includes\Trojans-004.sbi (*)
2014-03-19 Includes\Trojans-005.sbi (*)
2014-01-15 Includes\Trojans-006.sbi (*)
2014-01-15 Includes\Trojans-007.sbi (*)
2014-01-15 Includes\Trojans-008.sbi (*)
2014-01-15 Includes\Trojans-009.sbi (*)
2014-05-06 Includes\Trojans-C.sbi (*)
2014-01-15 Includes\Trojans-OG-000.sbi (*)
2014-01-15 Includes\Trojans-TD-000.sbi (*)
2014-01-15 Includes\Trojans-VM-000.sbi (*)
2014-01-15 Includes\Trojans-VM-001.sbi (*)
2014-01-15 Includes\Trojans-VM-002.sbi (*)
2014-01-15 Includes\Trojans-VM-003.sbi (*)
2014-01-15 Includes\Trojans-VM-004.sbi (*)
2014-01-15 Includes\Trojans-VM-005.sbi (*)
2014-01-15 Includes\Trojans-VM-006.sbi (*)
2014-01-15 Includes\Trojans-VM-007.sbi (*)
2014-01-15 Includes\Trojans-VM-008.sbi (*)
2014-01-15 Includes\Trojans-VM-009.sbi (*)
2014-01-15 Includes\Trojans-VM-010.sbi (*)
2014-01-15 Includes\Trojans-VM-011.sbi (*)
2014-01-15 Includes\Trojans-VM-012.sbi (*)
2014-01-15 Includes\Trojans-VM-013.sbi (*)
2014-01-15 Includes\Trojans-VM-014.sbi (*)
2014-01-15 Includes\Trojans-VM-015.sbi (*)
2014-01-15 Includes\Trojans-VM-016.sbi (*)
2014-01-15 Includes\Trojans-VM-017.sbi (*)
2014-01-15 Includes\Trojans-VM-018.sbi (*)
2014-01-15 Includes\Trojans-VM-019.sbi (*)
2014-01-15 Includes\Trojans-VM-020.sbi (*)
2014-01-15 Includes\Trojans-VM-021.sbi (*)
2014-01-15 Includes\Trojans-VM-022.sbi (*)
2014-01-15 Includes\Trojans-VM-023.sbi (*)
2014-01-15 Includes\Trojans-VM-024.sbi (*)
2014-01-15 Includes\Trojans-ZB-000.sbi (*)
2014-01-15 Includes\Trojans-ZL-000.sbi (*)
2014-01-09 Includes\Trojans.sbi (*)
2014-01-16 Includes\TrojansC-01.sbi (*)
2014-01-16 Includes\TrojansC-02.sbi (*)
2014-01-16 Includes\TrojansC-03.sbi (*)
2014-01-16 Includes\TrojansC-04.sbi (*)
2014-01-16 Includes\TrojansC-05.sbi (*)
2014-01-09 Includes\TrojansC.sbi (*)

Talk to you tomorrow I hope, Wendy
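Added example, not part of the thread and not Spybot's own code: a small Python parser for a Spybot - Search & Destroy result block like the one above. It splits each finding into product family, SBI id, description, type and action, keeps the file path or registry key that follows, and then separates cookie, cache and MRU-style usage traces (Spybot's own wording for them) from anything else, which is listed for closer review rather than being judged. The sample input is a constructed excerpt in the log's format; the last entry, with SBI id 00000000 and a path under Temp, is a made-up placeholder so the output shows a non-trace finding, and the helper names are mine.

```python
import re
from collections import Counter

# Constructed sample in the format of a Spybot - Search & Destroy result block.
# The first five entries are modelled on the log posted in the thread; the last
# one is a made-up placeholder (SBI id 00000000, path under Temp) so that the
# summary shows a finding that is not a cookie or usage trace.
SAMPLE_LOG = "\n".join([
    r"Macromedia.FlashPlayer.Cookies: [SBI $6AA61750] Text file (File, nothing done)",
    r"C:\Users\gokarna\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\XY9GT5VC\kiks.yandex.ru\fuid01.sol",
    r"Properties.size=188",
    r"Properties.md5=7B8842C292510E47967FC622F91A4B28",
    r"",
    r"DoubleClick: [SBI $4E2AF2AC] Tracking cookie (Google Chrome: Default) (Browser: Cookie, nothing done)",
    r"",
    r"MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)",
    r"HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name",
    r"",
    r"Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry Key, nothing done)",
    r"HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",
    r"",
    r"Cookie: [SBI $49804B54] Browser: Cookie (150) (Browser: Cookie, nothing done)",
    r"",
    r"Win32.LoadMoney: [SBI $00000000] Executable (File, nothing done)",
    r"C:\Users\example\AppData\Local\Temp\constructed-sample.exe",
])

# One finding header: "<family>: [SBI $<id>] <description> (<kind>, <action>)".
# The description may itself contain parentheses, so the kind/action pair is
# anchored to the last parenthesised group on the line.
HEADER_RE = re.compile(
    r"^(?P<family>[^:\[]+?):\s+\[SBI \$(?P<sbi>[0-9A-Fa-f]+)\]\s+"
    r"(?P<desc>.*)\s+\((?P<kind>[^,()]+),\s*(?P<action>[^()]+)\)\s*$"
)

# Words Spybot uses in its own descriptions of privacy/usage items. This is a
# triage heuristic, not a verdict: whatever does not match is listed for review.
TRACE_WORDS = ("cookie", "cache", "history", "recent", "open with",
               "computer name", "unique id", "volume serial")


def parse_spybot(text):
    """Parse a Spybot result block into a list of finding dicts."""
    findings = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line closes the current finding
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {
                "family": m.group("family").strip(),
                "sbi": m.group("sbi").upper(),
                "description": m.group("desc").strip(),
                "kind": m.group("kind").strip(),
                "action": m.group("action").strip(),
                "location": None,   # file path or registry key, if any
                "properties": {},   # Properties.* lines for file findings
            }
            findings.append(current)
        elif current is not None and line.startswith("Properties."):
            key, _, value = line[len("Properties."):].partition("=")
            current["properties"][key] = value
        elif current is not None and current["location"] is None:
            current["location"] = line
    return findings


def is_usage_trace(finding):
    """True when the finding reads like a cookie, cache or MRU/usage trace."""
    text = " ".join([finding["family"], finding["description"], finding["kind"]]).lower()
    return any(word in text for word in TRACE_WORDS)


def summarize(findings):
    """Counts by type plus the findings that deserve a closer look."""
    return {
        "total": len(findings),
        "by_kind": dict(Counter(f["kind"] for f in findings)),
        "untreated": sum(1 for f in findings if f["action"] == "nothing done"),
        "usage_traces": sum(1 for f in findings if is_usage_trace(f)),
        "needs_review": [(f["family"], f["location"])
                         for f in findings if not is_usage_trace(f)],
    }


if __name__ == "__main__":
    report = summarize(parse_spybot(SAMPLE_LOG))
    print(f"{report['total']} findings, {report['usage_traces']} usage traces, "
          f"{report['untreated']} left untreated")
    for kind, count in sorted(report["by_kind"].items()):
        print(f"  {kind}: {count}")
    for family, location in report["needs_review"]:
        print(f"  review: {family} -> {location}")
```

Run it as a script to see the summary; to use it on a real log, paste the result block into a file and call `summarize(parse_spybot(open(path).read()))`. The `untreated` count comes straight from the "nothing done" action Spybot prints, which is what explains the same entries reappearing when the scan is only run and not applied.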
 
Cleaned according to plan

but Yandex is still very much there, so what can we do now please? :confused: You didn't say a reboot was necessary so I haven't, but I will, just to see if perhaps that is the key...
 
It's odd: the tools I've had you use find it and say it's deleted, but it returns.

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main text field:
    Code:
    :folderfind
    Yandex
    :filefind
    Yandex
    :regfind
    Yandex
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
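As an added illustration, not part of the thread and not SystemLook's own code: once the `:regfind` section of a SystemLook log comes back, a short Python script can group the hits by the executables and DLLs they point at and flag the keys that matter for a browser hijack (the IE start page and search scopes, App Paths, COM LocalServer32/InprocServer32 registrations, the IE elevation policy and Uninstall entries). Those are the places to check first when a tool reports something as deleted and it comes back. The sample input is a constructed excerpt in SystemLook's output format, the category names and helper names are mine, and lines that are neither a key nor a value (the section banners) are ignored so the script also runs on a pasted full section.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the format of a SystemLook ":regfind" section: a few
# keys and values modelled on the kind of hits a search for "Yandex" returns.
# It is an illustrative excerpt, not a complete log.
SAMPLE_REGFIND = "\n".join([
    r"[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{54079e4f-b72f-4c73-939e-3e10f242767f}]",
    r'"AppPath"="C:\Users\gokarna\AppData\Local\Yandex\Updater\"',
    r"[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]",
    r'"Start Page"="http://www.yandex.ru/?win=121&clid=1991182"',
    r"[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]",
    r'"URL"="http://yandex.ru/yandsearch?win=121&clid=1991183&text={searchTerms}"',
    r"[HKEY_CURRENT_USER\Software\Yandex]",
    r"[HKEY_CURRENT_USER\Software\Classes\CLSID\{4671DB2A-087D-4EB2-96DF-64AF0177FE1B}\LocalServer32]",
    r'@=""C:\Users\gokarna\AppData\Local\Yandex\Updater\yupdate-ctrl.exe""',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\browser.exe]",
    r'@="C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe"',
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5FEC983-01DB-414a-9456-AF95AC9ED7B5}\InprocServer32]",
    r'@="C:\Program Files\Yandex\FastDial\fastdial.dll"',
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser]",
    r'"OUninstallString"=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\30.0.1599.13014\Installer\setup.exe" --uninstall --verbose-logging"',
])

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")                      # [HKEY_...\...]
VALUE_RE = re.compile(r'^(?P<name>@|"[^"]*")=(?P<value>.*)$')  # "Name"="data" or @="data"
# A drive-letter path ending in .exe or .dll, stopping at a quote, space, comma
# or end of string so trailing arguments and ",0" icon indexes are not included.
BINARY_RE = re.compile(r'[A-Za-z]:\\[^"<>|?*\r\n]+?\.(?:exe|dll)(?=["\s,]|$)', re.IGNORECASE)


def _unquote(s):
    """Strip one outer pair of double quotes, as SystemLook prints strings quoted."""
    return s[1:-1] if len(s) >= 2 and s[0] == '"' and s[-1] == '"' else s


def parse_regfind(text):
    """Return (number of keys seen, list of {key, name, value} entries)."""
    keys = 0
    entries = []
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            keys += 1
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key is not None:
            name = vm.group("name")
            entries.append({
                "key": current_key,
                "name": "(default)" if name == "@" else _unquote(name),
                "value": _unquote(vm.group("value")),
            })
    return keys, entries


def classify(key, name):
    """Hijack-relevant registry locations; these category names are mine."""
    k = key.lower()
    if "\\app paths\\" in k:
        return "app-path"
    if k.endswith("\\localserver32") or k.endswith("\\inprocserver32"):
        return "com-server"
    if "\\currentversion\\uninstall\\" in k:
        return "uninstall-entry"
    if "\\elevationpolicy\\" in k:
        return "ie-elevation-policy"
    if "\\searchscopes\\" in k:
        return "ie-search-scope"
    if k.endswith("\\internet explorer\\main") and name.lower() == "start page":
        return "ie-start-page"
    return "other"


def triage(text):
    """Group hits by referenced binary and collect hijack indicators."""
    keys, entries = parse_regfind(text)
    binaries = defaultdict(set)
    indicators = []
    hosts = set()
    for e in entries:
        category = classify(e["key"], e["name"])
        for m in BINARY_RE.finditer(e["value"]):
            binaries[m.group(0).lower()].add(e["key"])
        if category != "other":
            indicators.append({"category": category, **e})
        if category in ("ie-start-page", "ie-search-scope") and e["value"].lower().startswith("http"):
            hosts.add(urlparse(e["value"]).hostname)
    return {
        "keys": keys,
        "binaries": {b: sorted(k) for b, k in binaries.items()},
        "indicators": indicators,
        "redirect_hosts": sorted(hosts),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REGFIND)
    print("keys seen:", result["keys"])
    for binary, refs in result["binaries"].items():
        print(f"{binary}\n    referenced by {len(refs)} key(s)")
    for ind in result["indicators"]:
        print(f"[{ind['category']}] {ind['key']} :: {ind['name']} = {ind['value']}")
    print("start page / search hosts:", ", ".join(result["redirect_hosts"]))
```

The useful output is the binaries list: every distinct program the registry still points at, with the keys that reference it, so a follow-up fix can cover the COM server, App Paths and Uninstall entries together instead of only the folders a file search finds.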
 
For your information

The Download Mirror #1 brought up this warning when I clicked on it:

Reported Attack Page!

This web page at jpshortstuff.247fixes.com has been reported as an attack page and has been blocked based on your security preferences.

Attack pages try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack pages intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

Download Mirror #2 seems to be fine, though.
 
System Look - Download Mirror #2

Hi Juliet, here is the log for SystemLook:


SystemLook 30.07.11 by jpshortstuff
Log created at 19:19 on 13/05/2014 by gokarna
Administrator - Elevation successful

========== folderfind ==========

Searching for "Yandex"
C:\FRST\Quarantine\C\program files\Yandex d------ [14:28 26/04/2014]
C:\FRST\Quarantine\C\programdata\Yandex d------ [14:28 26/04/2014]
C:\FRST\Quarantine\C\Users\gokarna\AppData\Local\Yandex d------ [14:28 26/04/2014]
C:\FRST\Quarantine\C\Users\gokarna\AppData\Roaming\Yandex d------ [14:28 26/04/2014]
C:\Program Files\AdwCleaner\Quarantine\C\Users\gokarna\AppData\Local\Yandex d------ [08:33 09/04/2014]
C:\Program Files\AdwCleaner\Quarantine\C\Users\gokarna\AppData\LocalLow\Yandex d------ [08:33 09/04/2014]
C:\Program Files\AdwCleaner\Quarantine\C\Users\gokarna\AppData\Roaming\Yandex d------ [08:33 09/04/2014]
C:\Program Files\AdwCleaner\Quarantine\C\Users\gokarna\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yandex d------ [08:33 09/04/2014]
C:\Program Files\AdwCleaner\Quarantine\C\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\hullhm7j.default\Yandex d------ [08:33 09/04/2014]
C:\Qoobox\Quarantine\C\Program Files\Yandex d------ [12:22 03/05/2014]
C:\Users\gokarna\AppData\LocalLow\Yandex d------ [14:28 26/04/2014]
C:\Users\gokarna\AppData\Roaming\Yandex d------ [16:35 05/05/2014]
C:\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\kp5xybf2.default-1397910583341\yandex d------ [01:18 27/04/2014]
C:\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\kp5xybf2.default-1397910583341\yasearch-xb\packages\{4177a8a5-e810-42e1-babf-23508a37688c}\locale\en\brand\yandex d------ [07:49 29/04/2014]
C:\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\kp5xybf2.default-1397910583341\yasearch-xb\packages\{4177a8a5-e810-42e1-babf-23508a37688c}\locale\ru\brand\yandex d------ [07:49 29/04/2014]
C:\Users\gokarna\Desktop\Old Firefox Data\hullhm7j.default\yasearch-xb\packages\{3a427092-f8a8-4cfc-8619-30830ef0df73}\locale\en\brand\yandex d------ [12:30 19/04/2014]
C:\Users\gokarna\Desktop\Old Firefox Data\hullhm7j.default\yasearch-xb\packages\{3a427092-f8a8-4cfc-8619-30830ef0df73}\locale\ru\brand\yandex d------ [12:30 19/04/2014]
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Yandex d------ [07:34 16/03/2014]

========== filefind ==========

Searching for "Yandex"
No files found.

========== regfind ==========

Searching for "Yandex"
[HKEY_CURRENT_USER\Software\AppDataLow\Software\Yandex]
[HKEY_CURRENT_USER\Software\AppDataLow\Yandex]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{54079e4f-b72f-4c73-939e-3e10f242767f}]
"AppPath"="C:\Users\gokarna\AppData\Local\Yandex\Updater\"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.yandex.ru/?win=121&clid=1991182"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"DisplayName"="Yandex"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconURLFallback"="http://www.yandex.ru/favicon.ico"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"SuggestionsURL_JSON"="http://suggest.yandex.net/suggest-ff.cgi?part={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"URL"="http://yandex.ru/yandsearch?win=121&clid=1991183&text={searchTerms}"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\y]
@="http://yandex.ru/yandsearch?win=121&clid=1991186&text=%s"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser]
"DisplayName"="Yandex"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser]
"UninstallString"=""C:\Program Files\Uninstall Information\97\4258\uninstall.exe" /PUninstall="HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser" /reg=32"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser]
"InstallLocation"="C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser]
"DisplayIcon"="C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe,0"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser]
"Publisher"="YANDEX"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\YandexBrowser]
"OUninstallString"=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\30.0.1599.13014\Installer\setup.exe" --uninstall --verbose-logging"
[HKEY_CURRENT_USER\Software\Yandex]
[HKEY_CURRENT_USER\Software\Yandex\YandexBrowser]
[HKEY_CURRENT_USER\Software\Yandex\YandexBrowser]
"UninstallString"="C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\30.0.1599.13014\Installer\setup.exe"
[HKEY_CURRENT_USER\Software\Yandex\YandexBrowser]
"name"="Yandex"
[HKEY_CURRENT_USER\Software\Yandex\YandexBrowser]
"InstallerSuccessLaunchCmdLine"=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe""
[HKEY_CURRENT_USER\Software\Yandex\YandexBrowser\Commands\install-extension]
"CommandLine"=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --limited-install-from-webstore=%1"
[HKEY_CURRENT_USER\Software\Yandex\YandexBrowser\Commands\on-os-upgrade]
"CommandLine"=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\30.0.1599.13014\Installer\setup.exe" --on-os-upgrade --verbose-logging"
[HKEY_CURRENT_USER\Software\Classes\.crx]
@="YandexBrowser.crx"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{4671DB2A-087D-4EB2-96DF-64AF0177FE1B}\LocalServer32]
@=""C:\Users\gokarna\AppData\Local\Yandex\Updater\yupdate-ctrl.exe""
[HKEY_CURRENT_USER\Software\Classes\CLSID\{5FAFC90A-D443-4E4F-B69B-DA1F8D553C6C}\LocalServer32]
@=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\30.0.1599.13014\delegate_execute.exe""
[HKEY_CURRENT_USER\Software\Classes\CLSID\{5FAFC90A-D443-4E4F-B69B-DA1F8D553C6C}\LocalServer32]
"ServerExecutable"="C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\30.0.1599.13014\delegate_execute.exe"
[HKEY_CURRENT_USER\Software\Classes\TypeLib\{B01CA563-8D3B-4E50-94B7-BBCED71B3083}\1.0\0\win32]
@="C:\Users\gokarna\AppData\Local\Yandex\Updater\yupdate-ctrl.exe"
[HKEY_CURRENT_USER\Software\Classes\TypeLib\{B01CA563-8D3B-4E50-94B7-BBCED71B3083}\1.0\HELPDIR]
@="C:\Users\gokarna\AppData\Local\Yandex\Updater\"
[HKEY_CURRENT_USER\Software\Classes\YandexBrowser.crx]
[HKEY_CURRENT_USER\Software\Classes\YandexBrowser.crx]
@="Yandex Browser Extra"
[HKEY_CURRENT_USER\Software\Classes\YandexBrowser.crx\DefaultIcon]
@=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe",0"
[HKEY_CURRENT_USER\Software\Classes\YandexBrowser.crx\shell\open\command]
@=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.htm\OpenWithProgids]
"YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.html\OpenWithProgids]
"YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids]
"YandexPDF.FRWESAIQ3UMB4SAG6QDLDICFXE"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids]
"YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.swf\OpenWithProgids]
"YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids]
"YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xht\OpenWithProgids]
"YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgids]
"YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5FEC983-01DB-414a-9456-AF95AC9ED7B5}\InprocServer32]
@="C:\Program Files\Yandex\FastDial\fastdial.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\fd\DefaultIcon]
@="C:\Program Files\Yandex\FastDial\fastdial.dll,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AFBDA429-7995-4CCA-9298-7C7D6B4A244C}\1.0\0\win32]
@="C:\Program Files\Yandex\FastDial\fastdial.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{AFBDA429-7995-4CCA-9298-7C7D6B4A244C}\1.0\HELPDIR]
@="C:\Program Files\Yandex\FastDial"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\yabrowser\DefaultIcon]
@="C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\yabrowser\shell\open\command]
@=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" -- "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE]
@="Yandex Browser HTML Document"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE\shell\open\command]
@=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" -- "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YandexPDF.FRWESAIQ3UMB4SAG6QDLDICFXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YandexPDF.FRWESAIQ3UMB4SAG6QDLDICFXE]
@="Yandex Browser PDF Document"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YandexPDF.FRWESAIQ3UMB4SAG6QDLDICFXE\DefaultIcon]
@="C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe,-103"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\YandexPDF.FRWESAIQ3UMB4SAG6QDLDICFXE\shell\open\command]
@=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" -- "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE]
@="Yandex"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities]
"ApplicationDescription"="Yandex.Browser — web sayfalarını görüntülemek için kullanılan tarayıcı."
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities]
"ApplicationIcon"="C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities]
"ApplicationName"="Yandex"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\FileAssociations]
".htm"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\FileAssociations]
".html"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\FileAssociations]
".shtml"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\FileAssociations]
".xht"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\FileAssociations]
".xhtml"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\FileAssociations]
".crx"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\FileAssociations]
".pdf"="YandexPDF.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\FileAssociations]
".swf"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\FileAssociations]
".webp"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\Startmenu]
"StartMenuInternet"="Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"ftp"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"http"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"https"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"irc"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"mailto"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"mms"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"news"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"nntp"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"sms"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"smsto"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"tel"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"urn"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities\URLAssociations]
"webcal"="YandexHTML.FRWESAIQ3UMB4SAG6QDLDICFXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\DefaultIcon]
@="C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\InstallInfo]
"ReinstallCommand"=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --make-default-browser"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\InstallInfo]
"HideIconsCommand"=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --hide-icons"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\InstallInfo]
"ShowIconsCommand"=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe" --show-icons"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\shell\open\command]
@=""C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YandexSetup_RASAPI32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\YandexSetup_RASMANCS]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\browser.exe]
@="C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application\browser.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\browser.exe]
"Path"="C:\Users\gokarna\AppData\Local\Yandex\YandexBrowser\Application"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\hullhm7j.default\yandex-offer\"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\gokarna\AppData\Roaming\Mozilla\Firefox\Profiles\kp5xybf2.default-1397910583341\yandex-offer\"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications]
"Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE"="Software\Clients\StartMenuInternet\Yandex.FRWESAIQ3UMB4SAG6QDLDICFXE\Capabilities"
[HKEY_USERS\.DEFAULT\Software\AppDataLow\Software\Yandex]
[HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\AppDataLow\Software\Yandex]
[HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\AppDataLow\Yandex]
[HKEY_USERS\S-1-5-21-3506391524-3815322815-2224249592-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{54079e4f-b72f-4c73-939e-3e10f242767f}]