Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Computer infected with malicious malware

Post by jprzybilla » February 7th, 2015, 10:09 am

On Feb 5 2015, approx. 9:00 am-12:00 pm Central Time, my PC became infected with malware:

Large advertising pop-ups that I cannot move or delete, which obscure viewing of pages.

Clicking on web page links directs me to another ad website; my Norton software blocks this page and displays: Malicious Malware Page Blocked.

After closing all web pages, some windows remain on the desktop (ads) or request download updates.

PC does not appear to have slowed in any operations.

Needless to say, my Norton software has been very busy the last few days.
Thanks,
jprzybilla

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 05-02-2015
Ran by Jerome (administrator) on OFFICE on 07-02-2015 07:37:54
Running from C:\Users\j1977_000\Desktop
Loaded Profiles: Jerome (Available profiles: Jerome & Emma & Administrator & Guest)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\ProgramData\webzoom\1.1.0.29\cozwdhost.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\nis.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
() C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\nis.exe
(IObit) C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe
() C:\ProgramData\webzoom\1.1.0.29\coz32host.exe
() C:\ProgramData\webzoom\1.1.0.29\cozahost.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
() C:\ProgramData\webzoom\1.1.0.29\coz64host.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
() C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPNetworkCommunicatorCom.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\livecomm.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [BeatsOSDApp] => C:\Program Files\IDT\WDM\beats64.exe [41664 2012-08-22] (Hewlett-Packard )
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1703424 2013-11-20] (IDT, Inc.)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-01-18] (IvoSoft)
HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [3100440 2014-05-19] (Logitech, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [358336 2011-08-11] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [CouponXplorer AppIntegrator 32-bit] => C:\PROGRA~2\COUPON~2\bar\1.bin\AppIntegrator.exe
HKLM-x32\...\Run: [CouponXplorer AppIntegrator 64-bit] => C:\PROGRA~2\COUPON~2\bar\1.bin\AppIntegrator64.exe
HKLM-x32\...\Run: [OnlineMapFinder AppIntegrator 32-bit] => C:\PROGRA~2\ONLINE~3\bar\1.bin\AppIntegrator.exe
HKLM-x32\...\Run: [OnlineMapFinder AppIntegrator 64-bit] => C:\PROGRA~2\ONLINE~3\bar\1.bin\AppIntegrator64.exe
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-12-16] (Hewlett-Packard)
Winlogon\Notify\igfxcui: C:\WINDOWS\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\Run: [HP Officejet Pro 8600 (NET)] => C:\Program Files\HP\HP Officejet Pro 8600\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\Run: [Rainlendar2] => C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe [2611808 2014-01-20] ()
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\RunOnce: [Adobe Speed Launcher] => 1423314303
Startup: C:\Users\j1977_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Alert.lnk
ShortcutTarget: Desktop Alert.lnk -> C:\LiveOnline_4108433.exe (No File)
Startup: C:\Users\j1977_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk
ShortcutTarget: Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk -> C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
Startup: C:\Users\j1977_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktop Alert.lnk
ShortcutTarget: Desktop Alert.lnk -> C:\LiveOnline_4108433.exe (No File)
Startup: C:\Users\j1977_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk
ShortcutTarget: Monitor Ink Alerts - HP Officejet Pro 8600 (Network).lnk -> C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPStatusBL.dll (Hewlett-Packard Co.)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dn ... 457542&ir=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dn ... 457542&ir=
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK13/1
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://search.yahoo.com/?type=523482&fr=spigot-yhp-ie
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK13/1
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir=
SearchScopes: HKLM -> {722A3CD8-665F-4C4B-8147-0AB3273932E6} URL = http://www.amazon.com/s/ref=azs_osd_iea ... -keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {5a1d0d31-749c-4186-a295-4106e6e7b26a} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2=^AFA^xdm338^S10945^us&si=49588_Mom-Lander2&ptb=255CC981-9718-464F-A060-E9F26CC96869&ind=2014111908&n=780ce8a4&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKLM-x32 -> {722A3CD8-665F-4C4B-8147-0AB3273932E6} URL = http://www.amazon.com/s/ref=azs_osd_iea ... -keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir=
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} URL = http://www.crawler.com/search/dispatche ... tp=bs&qkw={searchTerms}&tbid=60002
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {722A3CD8-665F-4C4B-8147-0AB3273932E6} URL = http://www.amazon.com/s/ref=azs_osd_iea ... -keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {D6CD22A7-8473-4F32-9A6E-FF0FADCC59D0} URL = http://isearch.shopathome.com?user_id={111aba70-9bf7-4164-bc7c-af6a14334274}&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\SetPointSmooth.dll (Logitech, Inc.)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll (IvoSoft)
BHO: DVDVideoSoft IE Extension -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll (DVDVideoSoft Ltd.)
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\ssv.dll (Oracle Corporation)
BHO-x32: Logitech SetPoint -> {AF949550-9094-4807-95EC-D1C317803333} -> C:\Program Files\Logitech\SetPointP\32-bit\SetPointSmooth.dll (Logitech, Inc.)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll (IvoSoft)
BHO-x32: DVDVideoSoft IE Extension -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll (DVDVideoSoft Ltd.)
BHO-x32: HP Smart Print Helper -> {FD6C6509-FE36-44B0-A917-6C2A0DDBDF88} -> C:\Program Files (x86)\Hewlett-Packard\Smart Print 2.1\Espresso.dll (Hewlett-Packard)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine64\21.6.0.32\coIEPlg.dll (Symantec Corporation)
Toolbar: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> No Name - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
DPF: HKLM-x32 {55A2C0CD-3DE8-4264-9637-A0B40B05714E} https://col0-sec.mail.live.com/mail/Mai ... =588777323
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Tcpip\Parameters: [DhcpNameServer] 8.8.8.8 208.67.222.222

FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 -> C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @rocketlife.com/RocketLife Secure Plug-In Layer;version=1.0.5 -> C:\ProgramData\Visan\plugins\npRLSecurePluginLayer.dll (RocketLife, LLP)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\8\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1141139573-402178876-1469993118-1001: hp.com/HPDetect -> C:\Users\j1977_000\AppData\Roaming\HewlettPackard\HPDetect\1.0.0.0\npHPDetect.dll (HP)
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.3.0.12\coFFPlgn
FF Extension: Norton Toolbar - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.3.0.12\coFFPlgn [2015-02-05]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt
FF Extension: Logitech SetPoint - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt [2014-06-21]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.3.0.12\IPSFF
FF Extension: Norton Vulnerability Protection - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_21.3.0.12\IPSFF [2014-06-12]
FF HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\Firefox\Extensions: [{B64D9B05-48E1-4CEB-BF58-E0643994E900}] - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\ff

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\Exts\Chrome.crx [2014-09-23]
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM-x32\...\Chrome\Extension: [mkfokfffehpeedafpekjeddnmnjhmcmk] - C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\Exts\Chrome.crx [2014-09-23]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 cozaghost; C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe [481776 2015-02-05] ()
R2 cozwdhost; C:\ProgramData\webzoom\1.1.0.29\cozwdhost.exe [247280 2015-02-05] ()
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [347200 2015-01-24] (WildTangent)
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company) [File not signed]
R2 Intel(R) ME Service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe [128896 2012-07-18] (Intel Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\NIS.exe [276376 2014-09-21] (Symantec Corporation)
R2 STacSV; C:\Program Files\IDT\WDM\STacSV64.exe [339456 2013-11-20] (IDT, Inc.) [File not signed]
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-01-26] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3859968 2013-08-22] (Qualcomm Atheros Communications, Inc.)
R1 BHDrvx64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.3.0.12\Definitions\BASHDefs\20150106.001\BHDrvx64.sys [1622744 2015-01-06] (Symantec Corporation)
R1 ccSet_NIS; C:\Windows\system32\drivers\NISx64\1506000.020\ccSetx64.sys [162392 2014-02-20] (Symantec Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-12-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142640 2014-12-11] (Symantec Corporation)
R1 IDSVia64; C:\Program Files (x86)\Norton Internet Security\NortonData\21.3.0.12\Definitions\IPSDefs\20150206.001\IDSvia64.sys [669400 2015-02-05] (Symantec Corporation)
R3 NAVENG; C:\Program Files (x86)\Norton Internet Security\NortonData\21.3.0.12\Definitions\VirusDefs\20150206.016\ENG64.SYS [129752 2015-01-26] (Symantec Corporation)
R3 NAVEX15; C:\Program Files (x86)\Norton Internet Security\NortonData\21.3.0.12\Definitions\VirusDefs\20150206.016\EX64.SYS [2137304 2015-01-26] (Symantec Corporation)
R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [17720 2010-11-26] ()
R1 SMR430; C:\Windows\System32\drivers\SMR430.SYS [108216 2015-02-05] (Symantec Corporation)
R1 SRTSP; C:\Windows\System32\Drivers\NISx64\1506000.020\SRTSP64.SYS [876248 2014-08-25] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1506000.020\SRTSPX64.SYS [37592 2014-08-25] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NISx64\1506000.020\SYMDS64.SYS [493656 2013-10-30] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NISx64\1506000.020\SYMEFA64.SYS [1148120 2014-03-03] (Symantec Corporation)
S0 SymELAM; C:\Windows\System32\drivers\NISx64\1506000.020\SymELAM.sys [23568 2013-10-30] (Symantec Corporation)
R3 SymEvent; C:\windows\system32\Drivers\SYMEVENT64x86.SYS [177752 2014-06-11] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NISx64\1506000.020\Ironx64.SYS [266968 2014-08-06] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NISx64\1506000.020\SYMNETS.SYS [593112 2014-02-17] (Symantec Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
S3 EraserUtilDrv11313; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11313.sys [X]
S3 EraserUtilDrv11410; \??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11410.sys [X]
S1 hlnfd; system32\drivers\hlnfd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-07 07:37 - 2015-02-07 07:38 - 00027077 _____ () C:\Users\j1977_000\Desktop\FRST.txt
2015-02-07 07:37 - 2015-02-07 07:37 - 00000000 ____D () C:\FRST
2015-02-07 07:33 - 2015-02-07 07:33 - 02131968 _____ (Farbar) C:\Users\j1977_000\Desktop\FRST64.exe
2015-02-06 20:37 - 2015-02-06 20:37 - 00000000 ____D () C:\Users\j1977_000\AppData\Local\CrashDumps
2015-02-06 20:25 - 2015-02-06 20:25 - 00000199 _____ () C:\Users\j1977_000\Desktop\Free Malware Removal Forum - community support for infected computers.url
2015-02-06 19:00 - 2015-02-06 19:00 - 37987520 _____ (Microsoft Corporation) C:\Users\j1977_000\Downloads\Windows-KB890830-x64-V5.20.exe
2015-02-06 10:35 - 2015-02-06 10:35 - 01513577 _____ () C:\WINDOWS\shost.bin
2015-02-05 18:29 - 2015-02-05 18:29 - 00001499 _____ () C:\Users\j1977_000\Desktop\Download Java for Windows - Offline Installation.url
2015-02-05 18:29 - 2015-02-05 18:29 - 00000477 _____ () C:\Users\j1977_000\Desktop\Norton Power Eraser has detected that you have an older version of Java which is vulnerable.url
2015-02-05 18:26 - 2015-02-05 18:26 - 00000020 _____ () C:\WINDOWS\system32\Drivers\SMR430.dat
2015-02-05 18:25 - 2015-02-05 18:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-02-05 18:25 - 2015-02-05 18:24 - 00098216 _____ (Oracle Corporation) C:\WINDOWS\SysWOW64\WindowsAccessBridge-32.dll
2015-02-05 18:17 - 2015-02-05 18:17 - 00001380 _____ () C:\Users\j1977_000\Desktop\Download Java for Windows.url
2015-02-05 18:08 - 2015-02-05 18:09 - 00000000 ____D () C:\NPE
2015-02-05 18:06 - 2015-02-05 18:26 - 00108216 _____ (Symantec Corporation) C:\WINDOWS\system32\Drivers\SMR430.SYS
2015-02-05 18:05 - 2015-02-05 18:26 - 00000000 ____D () C:\Users\j1977_000\AppData\Local\NPE
2015-02-05 10:35 - 2015-02-05 10:35 - 00000000 ____D () C:\ProgramData\webzoom
2015-02-05 10:02 - 2015-02-05 10:02 - 00016603 _____ () C:\Users\j1977_000\Documents\Inventory Template.dotx
2015-02-01 17:02 - 2015-02-01 17:02 - 00000204 _____ () C:\Users\j1977_000\Desktop\Seeing error You haven't accessed the Google Play Store app on your device with this email account - Google Play Help.url
2015-02-01 11:09 - 2015-02-01 11:15 - 00000000 ____D () C:\ProgramData\BlueStacksSetup
2015-01-30 20:06 - 2015-01-30 20:06 - 00000209 _____ () C:\Users\j1977_000\Desktop\Amazon.com Online Shopping for Electronics, Apparel, Computers, Books, DVDs & more.url
2015-01-30 09:22 - 2015-02-03 16:04 - 00000000 ____D () C:\Users\j1977_000\Desktop\Scott Grove
2015-01-27 19:02 - 2015-01-27 19:02 - 00000343 _____ () C:\Users\j1977_000\Desktop\Hangout With Matt Monarch.url
2015-01-26 16:32 - 2015-01-26 16:32 - 00000235 _____ () C:\Users\j1977_000\Desktop\The Raw Food World - Dragon's Blood 35ml-1.18fl oz (100% Raw Croton Lechleri Sap).url
2015-01-20 13:56 - 2015-01-29 16:19 - 00000000 ____D () C:\Users\j1977_000\Desktop\Amazon
2015-01-14 05:11 - 2014-12-19 00:26 - 00140800 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\mrxdav.sys
2015-01-14 05:11 - 2014-12-11 20:04 - 00087040 _____ (Microsoft Corporation) C:\WINDOWS\system32\TSWbPrxy.exe
2015-01-14 05:11 - 2014-12-11 18:51 - 00075776 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ahcache.sys
2015-01-14 05:11 - 2014-12-08 19:50 - 00225280 _____ (Microsoft Corporation) C:\WINDOWS\system32\profsvc.dll
2015-01-14 05:11 - 2014-12-08 13:42 - 00535640 _____ (Microsoft Corporation) C:\WINDOWS\system32\wer.dll
2015-01-14 05:11 - 2014-12-08 13:42 - 00531616 _____ (Microsoft Corporation) C:\WINDOWS\system32\ci.dll
2015-01-14 05:11 - 2014-12-08 13:42 - 00448792 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wer.dll
2015-01-14 05:11 - 2014-12-08 13:42 - 00413248 _____ (Microsoft Corporation) C:\WINDOWS\system32\Faultrep.dll
2015-01-14 05:11 - 2014-12-08 13:42 - 00372408 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\Faultrep.dll
2015-01-14 05:11 - 2014-12-08 13:42 - 00108944 _____ (Microsoft Corporation) C:\WINDOWS\system32\EncDump.dll
2015-01-14 05:11 - 2014-12-08 13:42 - 00038264 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFaultSecure.exe
2015-01-14 05:11 - 2014-12-08 13:42 - 00033584 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFaultSecure.exe
2015-01-14 05:11 - 2014-12-05 21:17 - 00360448 _____ (Microsoft Corporation) C:\WINDOWS\system32\ncsi.dll
2015-01-14 05:11 - 2014-12-05 19:41 - 00391680 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlasvc.dll
2015-01-14 05:11 - 2014-12-05 19:35 - 00229888 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEndpointBuilder.dll
2015-01-14 05:11 - 2014-10-28 22:00 - 00465320 _____ (Microsoft Corporation) C:\WINDOWS\system32\WerFault.exe
2015-01-14 05:11 - 2014-10-28 22:00 - 00139984 _____ (Microsoft Corporation) C:\WINDOWS\system32\wermgr.exe
2015-01-14 05:11 - 2014-10-28 21:52 - 00500016 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioSes.dll
2015-01-14 05:11 - 2014-10-28 21:52 - 00482872 _____ (Microsoft Corporation) C:\WINDOWS\system32\AudioEng.dll
2015-01-14 05:11 - 2014-10-28 21:52 - 00394120 _____ (Microsoft Corporation) C:\WINDOWS\system32\AUDIOKSE.dll
2015-01-14 05:11 - 2014-10-28 21:52 - 00272248 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiodg.exe
2015-01-14 05:11 - 2014-10-28 21:12 - 00413136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WerFault.exe
2015-01-14 05:11 - 2014-10-28 21:12 - 00136296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wermgr.exe
2015-01-14 05:11 - 2014-10-28 21:07 - 00424544 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioEng.dll
2015-01-14 05:11 - 2014-10-28 21:07 - 00370424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AudioSes.dll
2015-01-14 05:11 - 2014-10-28 21:07 - 00344536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\AUDIOKSE.dll
2015-01-14 05:11 - 2014-10-28 20:44 - 00037888 _____ (Microsoft Corporation) C:\WINDOWS\system32\werdiagcontroller.dll
2015-01-14 05:11 - 2014-10-28 19:59 - 00033280 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\werdiagcontroller.dll
2015-01-14 05:11 - 2014-10-28 19:24 - 00086016 _____ (Microsoft Corporation) C:\WINDOWS\system32\nlaapi.dll
2015-01-14 05:11 - 2014-10-28 19:02 - 00911360 _____ (Microsoft Corporation) C:\WINDOWS\system32\audiosrv.dll
2015-01-14 05:11 - 2014-10-28 19:01 - 00065536 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\nlaapi.dll
2015-01-11 18:40 - 2015-01-11 18:40 - 00000000 ____D () C:\Users\Emma\AppData\Local\OnlineMapFinder_9p

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-07 07:33 - 2014-01-26 10:55 - 01115861 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-07 07:19 - 2014-01-25 16:09 - 00003596 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1141139573-402178876-1469993118-1001
2015-02-07 07:17 - 2014-09-15 18:54 - 00000354 _____ () C:\WINDOWS\Tasks\HP Photo Creations Communicator.job
2015-02-07 07:15 - 2013-08-22 09:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-02-07 07:05 - 2014-05-25 16:41 - 00000000 ____D () C:\Users\j1977_000\.rainlendar2
2015-02-07 07:05 - 2014-03-11 03:47 - 00000000 ___RD () C:\Users\j1977_000\SkyDrive
2015-02-07 07:01 - 2013-08-22 09:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-02-06 20:37 - 2014-02-02 19:13 - 00000000 ____D () C:\Users\j1977_000\AppData\Roaming\ClassicShell
2015-02-06 19:40 - 2014-02-09 08:11 - 00000314 _____ () C:\WINDOWS\Tasks\updaterex.job
2015-02-06 08:19 - 2012-07-26 01:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-02-05 19:17 - 2014-01-30 16:26 - 00003166 _____ () C:\WINDOWS\System32\Tasks\HPCeeScheduleForJerome
2015-02-05 19:17 - 2014-01-30 16:26 - 00000350 _____ () C:\WINDOWS\Tasks\HPCeeScheduleForJerome.job
2015-02-05 18:25 - 2014-02-07 13:52 - 00000000 ____D () C:\ProgramData\Oracle
2015-02-05 18:24 - 2014-02-07 13:52 - 00000000 ____D () C:\Program Files (x86)\Java
2015-02-05 18:13 - 2013-11-14 01:28 - 00956476 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-02-05 18:08 - 2013-08-22 08:46 - 00343794 _____ () C:\WINDOWS\setupact.log
2015-02-05 18:08 - 2013-08-22 08:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-05 18:07 - 2013-08-22 07:25 - 00524288 ___SH () C:\WINDOWS\system32\config\BBI
2015-02-05 18:06 - 2013-05-14 10:03 - 00000000 ____D () C:\ProgramData\Norton
2015-02-05 15:49 - 2013-08-22 09:36 - 00000000 __RHD () C:\Users\Public\Libraries
2015-02-05 14:38 - 2014-01-25 11:18 - 00000000 ____D () C:\Users\j1977_000\Documents\Natures Illuminations Expenses
2015-02-03 13:31 - 2013-08-22 09:38 - 00714720 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-02-03 13:31 - 2013-08-22 09:38 - 00106976 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-02-03 05:23 - 2014-01-28 19:31 - 00000052 _____ () C:\WINDOWS\SysWOW64\DOErrors.log
2015-02-03 05:22 - 2014-01-28 19:31 - 00000000 _____ () C:\WINDOWS\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2015-01-31 09:06 - 2013-08-22 07:25 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM
2015-01-31 09:05 - 2013-11-14 01:20 - 00174770 _____ () C:\WINDOWS\PFRO.log
2015-01-30 14:16 - 2014-01-28 14:33 - 00000000 ___RD () C:\Users\j1977_000\Desktop\Health & WellBeing
2015-01-29 14:21 - 2014-06-22 18:23 - 00000000 ___RD () C:\Users\j1977_000\Desktop\Guitar December 2014
2015-01-27 09:10 - 2014-02-04 20:29 - 00000000 ____D () C:\Users\j1977_000\Desktop\Info
2015-01-25 19:23 - 2014-01-29 19:00 - 00000000 ___RD () C:\Users\j1977_000\Desktop\Websites
2015-01-24 15:24 - 2014-02-08 13:19 - 00000000 ____D () C:\Users\j1977_000\Documents\Drive Green
2015-01-24 14:58 - 2013-05-14 09:47 - 00000000 ____D () C:\Program Files (x86)\WildTangent Games
2015-01-16 03:13 - 2014-01-26 08:05 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-15 16:04 - 2014-07-13 07:39 - 00003914 _____ () C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{18FB5B35-DD2B-4941-97DA-3B3CAFEEA49D}
2015-01-10 08:01 - 2014-07-13 07:43 - 00003598 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1141139573-402178876-1469993118-1007

==================== Files in the root of some directories =======

2014-01-28 13:26 - 2014-07-19 04:40 - 0000129 _____ () C:\Users\j1977_000\AppData\Roaming\WB.CFG
2014-01-27 17:35 - 2014-01-27 17:35 - 0003584 _____ () C:\Users\j1977_000\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-01-28 09:42 - 2014-01-28 09:42 - 0007616 _____ () C:\Users\j1977_000\AppData\Local\Resmon.ResmonCfg
2014-01-26 13:30 - 2014-01-26 13:30 - 0000057 _____ () C:\ProgramData\Ament.ini

Some content of TEMP:
====================
C:\Users\j1977_000\AppData\Local\Temp\BaiduJP_Setup_MINI_Silent.exe
C:\Users\j1977_000\AppData\Local\Temp\cfcabfccdd.exe
C:\Users\j1977_000\AppData\Local\Temp\ExPromo.exe
C:\Users\j1977_000\AppData\Local\Temp\GomEncDnInstaller.exe
C:\Users\j1977_000\AppData\Local\Temp\HPConnectedMusicInstaller_100100128.exe
C:\Users\j1977_000\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\j1977_000\AppData\Local\Temp\LMkRstPt.exe
C:\Users\j1977_000\AppData\Local\Temp\nse7AA8.exe
C:\Users\j1977_000\AppData\Local\Temp\nsgFB9C.exe
C:\Users\j1977_000\AppData\Local\Temp\nskA092.exe
C:\Users\j1977_000\AppData\Local\Temp\nssACC2.tmp.exe
C:\Users\j1977_000\AppData\Local\Temp\ShellHook.dll
C:\Users\j1977_000\AppData\Local\Temp\sp64126.exe
C:\Users\j1977_000\AppData\Local\Temp\Sqlite3.dll
C:\Users\j1977_000\AppData\Local\Temp\tmd_34014658.exe
C:\Users\j1977_000\AppData\Local\Temp\tmpFB48.exe
C:\Users\j1977_000\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\j1977_000\AppData\Local\Temp\UninstallRC-8876480.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-02-02 05:17

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 05-02-2015
Ran by Jerome at 2015-02-07 07:38:32
Running from C:\Users\j1977_000\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: Norton Internet Security (Enabled - Up to date) {D87FA2C0-F526-77B1-D6EC-0EDF3936CEDB}
AS: Norton Internet Security (Enabled - Up to date) {631E4324-D31C-783F-EC5C-35AD42B18466}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Norton Internet Security (Enabled) {E04423E5-BF49-76E9-FDB3-A7EAC7E589A0}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

4 Elements II (x32 Version: 2.2.0.98 - WildTangent) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Airport Mania (x32 Version: 2.2.0.95 - WildTangent) Hidden
Amazing Slow Downer (remove only) (HKLM-x32\...\Amazing Slow Downer) (Version: - )
Azteca (x32 Version: 2.2.0.97 - WildTangent) Hidden
Bejeweled 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bounce Symphony (x32 Version: 2.2.0.97 - WildTangent) Hidden
Build-a-lot (x32 Version: 2.2.0.98 - WildTangent) Hidden
Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 13.0.0.6685 - Citrix Systems, Inc.)
Classic Shell (HKLM\...\{2368907C-E8F6-4750-A023-254C3E2B5E8D}) (Version: 4.0.4 - IvoSoft)
Cradle Of Egypt Collector's Edition (x32 Version: 2.2.0.110 - WildTangent) Hidden
Cradle of Rome 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Curse at Twilight (x32 Version: 3.0.2.32 - WildTangent) Hidden
CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.3.5901 - CyberLink Corp.)
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.3.2509 - CyberLink Corp.)
Cyberlink PhotoDirector (HKLM-x32\...\InstallShield_{39337565-330E-4ab6-A9AE-AC81E0720B10}) (Version: 3.0.1.3724 - CyberLink Corp.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.3.2301 - CyberLink Corp.)
CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.3.2524 - CyberLink Corp.)
CyberLink PowerDVD (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.8.4930 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Delicious: Emily's Childhood Memories Premium Edition (x32 Version: 3.0.2.32 - WildTangent) Hidden
DisableMSDefender (Version: 1.0.0 - Hewlett-Packard Company) Hidden
eReg (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
Extended Update (HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\UpdaterEX) (Version: - Extended Update) <==== ATTENTION
Farm Frenzy (x32 Version: 2.2.0.98 - WildTangent) Hidden
Free YouTube to MP3 Converter version 3.12.52.1215 (HKLM-x32\...\Free YouTube to MP3 Converter_is1) (Version: 3.12.52.1215 - DVDVideoSoft Ltd.)
GOM Player (HKLM-x32\...\GOM Player) (Version: 2.2.64.5211 - Gretech Corporation)
Google+ Auto Backup (HKLM-x32\...\{A50DE037-B5C0-4C8A-8049-B0C576B313D1}) (Version: 1.0.21.81 - Google)
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.110 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
House of 1000 Doors: Family Secrets (x32 Version: 2.2.0.98 - WildTangent) Hidden
HP Connected Music (Meridian - installer) (HKLM-x32\...\StartHPConnectedMusic) (Version: 1.0 - Meridian Audio Ltd)
HP Connected Music (Meridian - player) (HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\HPConnectedMusic) (Version: 1.1 (build 128) hp - Meridian Audio Ltd)
HP FWUpdateEDO2 (HKLM-x32\...\{415FA9AD-DA10-4ABE-97B6-5051D4795C90}) (Version: 1.2.0.0 - Hewlett-Packard)
HP MyRoom (HKLM-x32\...\{9C35EDE5-4B0F-45E7-A438-314BA889948E}) (Version: 9.0.0.0 - Hewlett-Packard Company)
HP Officejet Pro 8600 Basic Device Software (HKLM\...\{791A06E2-340F-43B0-8FAB-62D151339362}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Officejet Pro 8600 Help (HKLM-x32\...\{46235FF7-2CBE-4A84-BEDA-87348D1F7850}) (Version: 28.0.0 - Hewlett Packard)
HP Officejet Pro 8600 Product Improvement Study (HKLM\...\{2BF5E9CC-C55D-4B0F-ACAF-FFE77F333CD8}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.12992 - HP)
HP Quick Start (HKLM-x32\...\{574F0207-8E98-46CD-8F79-318348C98C46}) (Version: 1.0.4660.30220 - Hewlett-Packard)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.6263.4289 - Hewlett-Packard)
HP Smart Print 2.1 (HKLM-x32\...\{8046B41C-FB30-4614-898F-57D44D0C66EB}) (Version: 2.1.0.235 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE}) (Version: 7.4.45.4 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{B2B7B1C8-7C8B-476C-BE2C-049731C55992}) (Version: 12.00.0000 - Hewlett-Packard)
HP Update (HKLM-x32\...\{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}) (Version: 5.003.003.001 - Hewlett-Packard)
HPDetect (HKLM-x32\...\{CCCDD476-98F9-4B06-91DB-23F27CEC3BE1}) (Version: 1.0.0.0 - HP)
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6451.0 - IDT)
ieSpell (HKLM-x32\...\ieSpell) (Version: 2.6.4 (build 573) - Red Egg Software)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3325 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
John Deere Drive Green (x32 Version: 2.2.0.95 - WildTangent) Hidden
Logitech SetPoint 6.65 (HKLM\...\sp6) (Version: 6.65.62 - Logitech)
Luxor Evolved (x32 Version: 2.2.0.98 - WildTangent) Hidden
Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden
Mahjongg Dimensions Deluxe: Tiles in Time (x32 Version: 2.2.0.98 - WildTangent) Hidden
MediaDrug (HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\4C6927B3-61F1-4EBF-A5C7-68B60E4F40B9) (Version: 1.5 - MediaDrug)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4420.1017 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Professional Plus 2007 (HKLM-x32\...\PROPLUS) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\OneDriveSetup.exe) (Version: 17.3.1229.0918 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM-x32\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Mystery P.I. - Curious Case of Counterfeit Cove (x32 Version: 2.2.0.98 - WildTangent) Hidden
Norton Internet Security (HKLM-x32\...\NIS) (Version: 21.6.0.32 - Symantec Corporation)
Online Plug-in (x32 Version: 13.0.0.6685 - Citrix Systems, Inc.) Hidden
Peggle Nights (x32 Version: 2.2.0.98 - WildTangent) Hidden
Picasa 3 (HKLM-x32\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Pro PC Cleaner (HKLM-x32\...\{C3060724-6AC7-4BEF-B516-4F6B1D90887D}) (Version: 2.5.5 - Pro PC Cleaner)
Qualcomm Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 10.0 - Qualcomm Atheros)
Rainlendar2 (remove only) (HKLM-x32\...\Rainlendar2) (Version: - )
Recovery Manager (x32 Version: 5.5.0.6208 - CyberLink Corp.) Hidden
Roads of Rome 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Royal Envoy 2 Collector's Edition (x32 Version: 3.0.2.32 - WildTangent) Hidden
Smart Defrag 2 (HKLM-x32\...\Smart Defrag 2_is1) (Version: 2.7 - IObit)
Tales of Lagoona (x32 Version: 2.2.0.110 - WildTangent) Hidden
TI xHCI Filter Driver 1.0.0.4 (HKLM-x32\...\TI xHCI Filter Driver) (Version: 1.0.0.4 - Texas Instruments Inc.)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Update Installer for WildTangent Games App (x32 Version: - WildTangent) Hidden
Vacation Quest™ - Australia (x32 Version: 3.0.2.32 - WildTangent) Hidden
WebZoom (HKLM-x32\...\webzoom) (Version: 1.1.0.29 - WebZoom)
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App (HP Games) (x32 Version: 4.0.10.5 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
Youda Jewel Shop (x32 Version: 3.0.2.32 - WildTangent) Hidden
Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1141139573-402178876-1469993118-1001_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\j1977_000\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\amd64\FileSyncApi64.dll (Microsoft Corporation)

==================== Restore Points =========================

21-01-2015 07:54:41 Scheduled Checkpoint
28-01-2015 07:53:07 Windows Update
05-02-2015 08:14:05 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 07:25 - 2013-08-22 07:25 - 00000824 ____N C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {12F62C9B-E443-4746-B1B2-ED7FFD7B10AC} - \ProPCCleaner_Popup No Task File <==== ATTENTION
Task: {1C750A35-F755-4280-A2E9-F0FD2FEBCD1E} - System32\Tasks\HPCustParticipation HP Officejet Pro 8600 => C:\Program Files\HP\HP Officejet Pro 8600\Bin\HPCustPartic.exe [2012-10-17] (Hewlett-Packard Co.)
Task: {22D68D4F-0B95-4275-A883-358DD9EB6DCC} - System32\Tasks\CLVDLauncher => c:\Program Files (x86)\CyberLink\Power2Go8\CLVDLauncher.exe [2012-11-01] (CyberLink Corp.)
Task: {23773136-5487-4AE5-BF35-36FA0EFFCFFB} - System32\Tasks\{9CFDB937-89A1-4FDC-984F-BF6BF36AEC10} => pcalua.exe -a E:\Setupx.exe -d E:\
Task: {285E7178-951B-4901-B23F-706A130EF5C7} - System32\Tasks\CLMLSvc_P2G8 => c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [2012-11-01] (CyberLink)
Task: {2C6B1CE8-BB74-4DCC-A675-897CB81C556A} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)
Task: {376CB7EA-3D4B-479B-8156-DED86A10464C} - System32\Tasks\Norton WSC Integration => C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\WSCStub.exe [2014-09-21] (Symantec Corporation)
Task: {51F42602-2582-4505-B28E-4011ADF5B6CB} - System32\Tasks\HPCeeScheduleForJerome => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard)
Task: {5B85ABCA-414C-4B70-9511-6EF6497F605A} - System32\Tasks\Norton Internet Security\Norton Error Analyzer => C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {6CCDB908-1B4A-4C73-8B42-CA60DFD79734} - System32\Tasks\UpdaterEX => C:\Users\J1977_~1\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {6E3C57C2-245B-4754-8F8F-4B3C5C249D39} - System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-1141139573-402178876-1469993118-1001 => %localappdata%\Microsoft\SkyDrive\SkyDrive.exe
Task: {7B32F929-163F-4448-8BAD-BDAA49DA0354} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2014-12-31] (Microsoft Corporation)
Task: {9382FBBE-4339-43A5-AA0C-7307D2174550} - System32\Tasks\SmartDefragUpdate => C:\Program Files (x86)\IObit\Smart Defrag 2\AutoUpdate.exe [2012-09-06] (IObit)
Task: {9C2BE776-B936-4694-843F-C5632B1809F1} - \ProPCCleaner_Start No Task File <==== ATTENTION
Task: {C47EE777-8EEC-4757-93A2-ABBBD9B0DB0B} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)
Task: {C9704927-0451-4F73-BE88-F3D284C53A61} - System32\Tasks\Norton Internet Security\Norton Error Processor => C:\Program Files (x86)\Norton Internet Security\Engine\21.6.0.32\SymErr.exe [2014-01-30] (Symantec Corporation)
Task: {CAFECF26-9962-42A5-9344-69F2D1760091} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2014-05-12] (Hewlett-Packard Company)
Task: {DE806B0A-055D-401E-9491-E91111CDDDB0} - System32\Tasks\HP Photo Creations Communicator => C:\ProgramData\HP Photo Creations\Communicator.exe [2011-02-21] ()
Task: {E115B987-9845-49D6-BAF3-BE2E1179C551} - System32\Tasks\{A61B3EDE-3E38-4C3B-B19F-0911B828B45D} => pcalua.exe -a E:\setup.exe -d E:\
Task: {F25C1F6B-1B18-4901-B800-8C22CFED8558} - System32\Tasks\SmartDefrag_Startup => C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe [2012-12-25] (IObit)
Task: C:\WINDOWS\Tasks\HP Photo Creations Communicator.job => C:\ProgramData\HP Photo Creations\Communicator.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForJerome.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\WINDOWS\Tasks\updaterex.job => C:\Users\J1977_~1\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION

==================== Loaded Modules (whitelisted) ==============

2015-02-05 05:18 - 2015-02-05 05:18 - 00247280 _____ () C:\ProgramData\webzoom\1.1.0.29\cozwdhost.exe
2015-02-05 05:19 - 2015-02-05 05:19 - 00481776 _____ () C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe
2015-02-05 05:19 - 2015-02-05 05:19 - 00960512 _____ () C:\ProgramData\webzoom\1.1.0.29\webzooml64.dll
2015-02-05 05:19 - 2015-02-05 05:19 - 00073728 _____ () C:\ProgramData\webzoom\1.1.0.29\coz32host.exe
2015-02-05 05:19 - 2015-02-05 05:19 - 00106496 _____ () C:\ProgramData\webzoom\1.1.0.29\cozahost.exe
2015-02-05 05:19 - 2015-02-05 05:19 - 00081920 _____ () C:\ProgramData\webzoom\1.1.0.29\coz64host.exe
2013-10-21 11:52 - 2013-10-21 11:52 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2014-01-20 01:48 - 2014-01-20 01:48 - 02611808 _____ () C:\Program Files (x86)\Rainlendar2\Rainlendar2.exe
2014-11-25 04:25 - 2014-11-25 04:25 - 00183296 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.5.9600.20689_x64__8wekyb3d8bbwe\ErrorReporting.dll
2013-05-14 09:41 - 2012-07-18 02:50 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll
2015-02-05 05:19 - 2015-02-05 05:19 - 00346624 _____ () C:\ProgramData\webzoom\1.1.0.29\webzooml32.dll
2014-05-27 17:55 - 2011-08-19 15:33 - 00047960 _____ () C:\Program Files (x86)\IObit\Smart Defrag 2\NtfsData.dll
2015-02-05 05:19 - 2015-02-05 05:19 - 00479744 _____ () C:\ProgramData\webzoom\1.1.0.29\webzoomutil32.dll
2012-05-16 13:01 - 2012-05-16 13:01 - 00140800 _____ () C:\Program Files (x86)\Rainlendar2\lua52.dll
2014-01-04 11:20 - 2014-01-04 11:20 - 00249344 _____ () C:\Program Files (x86)\Rainlendar2\libical.dll
2014-01-20 01:48 - 2014-01-20 01:48 - 00060512 _____ () C:\Program Files (x86)\Rainlendar2\plugins\iCalendarPlugin.dll
2014-01-04 11:00 - 2014-01-04 11:00 - 00065024 _____ () C:\Program Files (x86)\Rainlendar2\libicalss.dll
2012-06-17 07:22 - 2012-06-17 07:22 - 00012800 _____ () C:\Program Files (x86)\Rainlendar2\lfs.dll
2013-05-14 09:47 - 2012-06-07 21:34 - 00627216 _____ () c:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
2012-06-08 12:34 - 2012-06-08 12:34 - 00016400 _____ () c:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\Users\j1977_000\SkyDrive:ms-properties

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Registry Areas =====================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1141139573-402178876-1469993118-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\j1977_000\AppData\Roaming\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "Logitech Download Assistant"
HKLM\...\StartupApproved\Run: => "EvtMgr6"
HKLM\...\StartupApproved\Run32: => "ConnectionCenter"
HKLM\...\StartupApproved\Run32: => "BlueStacks Agent"
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\StartupApproved\StartupFolder: => "Desktop Alert.lnk"
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\StartupApproved\Run: => "HP Officejet Pro 8600 (NET)"

==================== Accounts: =============================

Administrator (S-1-5-21-1141139573-402178876-1469993118-500 - Administrator - Disabled) => C:\Users\Administrator
Emma (S-1-5-21-1141139573-402178876-1469993118-1007 - Limited - Enabled) => C:\Users\Emma
Guest (S-1-5-21-1141139573-402178876-1469993118-501 - Limited - Disabled) => C:\Users\Guest
HomeGroupUser$ (S-1-5-21-1141139573-402178876-1469993118-1005 - Limited - Enabled)
Jerome (S-1-5-21-1141139573-402178876-1469993118-1001 - Administrator - Enabled) => C:\Users\j1977_000

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (02/06/2015 08:37:36 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: cozaghost.exe, version: 1.1.0.29, time stamp: 0x54d351c4
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x43636eec
Faulting process id: 0x15ac
Faulting application start time: 0xcozaghost.exe0
Faulting application path: cozaghost.exe1
Faulting module path: cozaghost.exe2
Report Id: cozaghost.exe3
Faulting package full name: cozaghost.exe4
Faulting package-relative application ID: cozaghost.exe5

Error: (02/06/2015 08:37:52 AM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT AUTHORITY)
Description: There was an error with the Windows Location Provider database

Error: (02/05/2015 06:36:30 PM) (Source: MsiInstaller) (EventID: 10005) (User: OFFICE)
Description: Product: Pro PC Cleaner -- Error 2753. The File 'Uninst000.CA.dll' is not marked for installation.

Error: (02/05/2015 06:09:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: cozaghost.exe, version: 1.1.0.29, time stamp: 0x54d351c4
Faulting module name: ntdll.dll, version: 6.3.9600.17278, time stamp: 0x53eeb4a3
Exception code: 0xc0000374
Fault offset: 0x000debd8
Faulting process id: 0xbec
Faulting application start time: 0xcozaghost.exe0
Faulting application path: cozaghost.exe1
Faulting module path: cozaghost.exe2
Report Id: cozaghost.exe3
Faulting package full name: cozaghost.exe4
Faulting package-relative application ID: cozaghost.exe5

Error: (02/05/2015 05:42:16 PM) (Source: MsiInstaller) (EventID: 10005) (User: OFFICE)
Description: Product: Pro PC Cleaner -- Error 2753. The File 'Uninst000.CA.dll' is not marked for installation.

Error: (02/05/2015 05:41:43 PM) (Source: MsiInstaller) (EventID: 10005) (User: OFFICE)
Description: Product: Pro PC Cleaner -- Error 2753. The File 'Uninst000.CA.dll' is not marked for installation.

Error: (02/05/2015 05:06:44 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17416, time stamp: 0x5452eed9
Faulting module name: MFMediaEngine.dll, version: 6.3.9600.17331, time stamp: 0x54023166
Exception code: 0xc0000005
Fault offset: 0x000754eb
Faulting process id: 0x4444
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5

Error: (02/05/2015 03:55:46 PM) (Source: MsiInstaller) (EventID: 10005) (User: OFFICE)
Description: Product: Pro PC Cleaner -- Error 2753. The File 'Uninst000.CA.dll' is not marked for installation.

Error: (02/05/2015 11:36:46 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17416, time stamp: 0x5452eed9
Faulting module name: igd10iumd32.dll, version: 10.18.10.3325, time stamp: 0x52533e49
Exception code: 0xc0000005
Fault offset: 0x00093b27
Faulting process id: 0x4bfc
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5

Error: (02/05/2015 11:22:54 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: rundll32.exe, version: 6.3.9600.16384, time stamp: 0x52158827
Faulting module name: KERNELBASE.dll, version: 6.3.9600.17278, time stamp: 0x53eeb460
Exception code: 0xe0434352
Fault offset: 0x00012f71
Faulting process id: 0x256c
Faulting application start time: 0xrundll32.exe0
Faulting application path: rundll32.exe1
Faulting module path: rundll32.exe2
Report Id: rundll32.exe3
Faulting package full name: rundll32.exe4
Faulting package-relative application ID: rundll32.exe5


System errors:
=============
Error: (02/06/2015 08:38:24 AM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.

Error: (02/05/2015 06:11:27 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The cozaghost service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (02/05/2015 06:08:46 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozaghost service failed to start due to the following error:
%%1053

Error: (02/05/2015 06:08:46 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the cozaghost service to connect.

Error: (02/05/2015 06:07:06 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The NPEService service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (02/05/2015 05:36:25 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The cozaghost service failed to start due to the following error:
%%1053

Error: (02/05/2015 05:36:25 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the cozaghost service to connect.

Error: (02/05/2015 03:49:18 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The BlueStacks Updater Service service terminated unexpectedly. It has done this 1 time(s).

Error: (02/02/2015 03:54:39 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.

Error: (02/01/2015 05:10:08 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.


Microsoft Office Sessions:
=========================
Error: (01/15/2015 07:24:26 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6691.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 6440 seconds with 240 seconds of active time. This session ended with a crash.

Error: (12/09/2014 10:22:07 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6691.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 4240 seconds with 360 seconds of active time. This session ended with a crash.

Error: (11/20/2014 07:54:52 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6691.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 7655 seconds with 780 seconds of active time. This session ended with a crash.

Error: (11/18/2014 08:14:56 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6691.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 14483 seconds with 120 seconds of active time. This session ended with a crash.

Error: (11/14/2014 05:15:03 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6691.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 9153 seconds with 300 seconds of active time. This session ended with a crash.

Error: (08/31/2014 06:49:37 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6691.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 0 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/31/2014 02:51:35 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6691.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 395 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/25/2014 04:37:35 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1224 seconds with 660 seconds of active time. This session ended with a crash.


CodeIntegrity Errors:
===================================
Date: 2014-06-21 20:10:44.825
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\LHidEqd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-06-21 20:10:44.803
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\LHidEqd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-06-21 20:10:44.772
Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Windows\System32\drivers\LHidEqd.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
Percentage of memory in use: 41%
Total physical RAM: 8076.84 MB
Available physical RAM: 4704.82 MB
Total Pagefile: 8956.84 MB
Available Pagefile: 5201.26 MB
Total Virtual: 131072 MB
Available Virtual: 131071.8 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:446.14 GB) (Free:324.32 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (Recovery Image) (Fixed) (Total:17.81 GB) (Free:2.18 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 982DFA3D)

Partition: GPT Partition Type.

==================== End Of Log ============================
jprzybilla
Active Member
 
Posts: 13
Joined: February 7th, 2015, 9:20 am

Re: Computer infected with malicious malware

Unread postby Gary R » February 8th, 2015, 1:59 am

Looking over your logs, back soon.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Computer infected with malicious malware

Unread postby Gary R » February 8th, 2015, 2:09 am

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the "Infected? Virus, malware, adware, ransomware, oh my!" forum and wait for help.


Unless informed of in advance, failure to post replies within 3 days will result in this thread being closed.


Hi

I'm Gary R,

Before we start: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or that necessitate taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

As an added safety precaution, before we start removing anything, I'd like you to make a backup of your Registry, which we can restore to if necessary.

Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Please observe these rules while we work:
  • Do not edit your logs in any way whatsoever.
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to install any new software (other than those I ask you to) until we've got your computer clean.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process. If your defensive programmes warn you about any of those tools, be assured that they are not infected, and are safe to use.
If you can do these things, everything should go smoothly.
  • As you're using Windows 8.1, it will be necessary to right click all tools we use and select ----> Run as Administrator

It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


There are clear signs of infection on your computer; however, before we start to clean your machine, I'd like you to run a couple of additional scans for me, so that I've got a more complete picture of what we need to deal with.

First ...

Please download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Scan.
  • A logfile will automatically open after the scan has finished.
  • Close the AdwCleaner window and click OK at the prompt.
  • Please post the contents of that logfile with your next reply.
  • You can also find the logfile at C:\AdwCleaner[R1].txt.

AT THIS POINT, DO NOT ATTEMPT TO CLEAN ANYTHING THAT MAY BE FOUND

Next ...

I'd like you to run a search for me using FRST.

  • Double click Frst64.exe to launch it.
  • FRST will start to run.
    • When the tool opens click Yes to the disclaimer.
    • Copy/Paste or Type the following line into the Search: box.
    Fun4IM;Bandoo;Searchnu;Searchqu;iLivid;whitesmoke;datamngr;kelkoopartners;trolltech;babylon;conduit;webzoom;crawler;mysearchdial

    • Press the Search Registry button.
    • When finished searching, a log will open on your Desktop ... Search.txt
    • Please post it in your next reply.

Summary of the logs I need from you in your next post:
  • ADWCleaner log
  • Search.txt


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present; if any log is cut off, you'll have to post it in sections.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Computer infected with malicious malware

Unread postby jprzybilla » February 8th, 2015, 11:21 am

Farbar Recovery Scan Tool (x64) Version: 07-02-2015
Ran by Jerome at 2015-02-08 09:19:53
Running from C:\Users\j1977_000\Desktop
Boot Mode: Normal

================== Search Registry: "Fun4IM;Bandoo;Searchnu;Searchqu;iLivid;whitesmoke;datamngr;kelkoopartners;trolltech;babylon;conduit;webzoom;crawler;mysearchdial" ===========


===================== Search result for "Searchqu" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b9f41624-2083-45cd-ac36-af8119a22a41}]
""="CLocationSearchQuery"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{69563521-C154-4B45-B884-035872E3F96A}]
""="ISearchQueryCondition"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CAC6C3B8-3C64-4DFD-AD9F-479E4D4065A4}]
""="__x_Windows_CApplicationModel_CSearch_CISearchQueryLinguisticDetailsFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{46A1205B-69C9-4745-B72F-A8A4FC8F24AE}]
""="__x_Windows_CApplicationModel_CSearch_CISearchQueryLinguisticDetails"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
""="ISearchQueryHelper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Search.SearchQueryLinguisticDetails]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Search.SearchQueryLinguisticDetails]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{46A1205B-69C9-4745-B72F-A8A4FC8F24AE}]
""="__x_Windows_CApplicationModel_CSearch_CISearchQueryLinguisticDetails"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
""="ISearchQueryHelper"

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Classes\ActivatableClasses\CLSID\{B4D3E147-E963-562E-B1CB-6D689103948E}]
"ActivatableClassId"="AppEx.Sports.Services.TypeDefs.Request.AppSearchQuery"

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001_Classes\ActivatableClasses\CLSID\{B4D3E147-E963-562E-B1CB-6D689103948E}]
"ActivatableClassId"="AppEx.Sports.Services.TypeDefs.Request.AppSearchQuery"


===================== Search result for "babylon" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
"DllName"="BabylonToolbar.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
"DllName"="BabylonToolbarTlbr.dll"


===================== Search result for "conduit" ==========

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Conduit_Search_Protect]


===================== Search result for "webzoom" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP]
"0"="Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
webzoom
C:\ProgramData\webzoom\1.1.0.29\Uninstaller.exe /ga=1503"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\webzoom]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\webzoom]
"DisplayIcon"="C:\ProgramData\webzoom\1.1.0.29\logo.ico"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\webzoom]
"UninstallString"="C:\ProgramData\webzoom\1.1.0.29\Uninstaller.exe /ga=1503"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\webzoom_29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\webzoom_29]
""="C:\ProgramData\webzoom"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cozaghost]
"ImagePath"=""C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe" /ts2=1"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{FEBB96C1-B31C-436C-A9CC-4ACDFDCEB1D1}"="v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe|Name=webzoom|"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{258C2716-4A20-4034-919E-7219908B3641}"="v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe|Name=webzoom|"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{24AAC5C5-1A45-49C8-899C-11A6ACA9E77F}"="v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe|Name=webzoom|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cozaghost]
"ImagePath"=""C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe" /ts2=1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{FEBB96C1-B31C-436C-A9CC-4ACDFDCEB1D1}"="v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe|Name=webzoom|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{258C2716-4A20-4034-919E-7219908B3641}"="v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe|Name=webzoom|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{24AAC5C5-1A45-49C8-899C-11A6ACA9E77F}"="v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe|Name=webzoom|"

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\AppDataLow\Software\webzoom_29]

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\71951466_0]
""="{2}.\\?\hdaudio#func_01&ven_111d&dev_7676&subsys_103c2ada&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\speaker2topology/00010001|\Device\HarddiskVolume4\ProgramData\webzoom\1.1.0.29\cozahost.exe%b{00000000-0000-0000-0000-000000000000}"


===================== Search result for "crawler" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED}]
""="WebCheckWebCrawler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED}]
""="WebCheckWebCrawler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\CatalogNames\Windows\SystemIndex]
"pkm:catalog:LastCatalogCrawlErrors"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Installer\UserData]
"CrawlerToolbar"=">:)@:@)FKPQ>II>QFLK:2)QRFA:S0.?@C>--A2-C/1B6?5>61A.6-6A42B341?-6..63--.32.5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Program Files (x86)\Crawler\CToolbar.exe"="DisableNXShowUI"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED}]
""="WebCheckWebCrawler"

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
"DisplayName"="Crawler Search"

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
"SuggestionsURL_JSON"="http://www.crawler.com/s.aspx?q={searchTerms}"

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Users\j1977_000\Downloads\CrawlerSetup.exe"="0x534143500100000000000000070000002800000040980A003D780B0001000000000000000000010600010000975FD891C99ECE0100000000000000000200000028000000000000000000000000000000000000000000000000000000804C0200000000000100000001000000"


===================== Search result for "mysearchdial" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}\Instl\Data]
"hp_url"="http://start.mysearchdial.com/?f=1&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir="

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}\Instl\Data]
"hp_url"="http://start.mysearchdial.com/?f=1&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir="

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://start.mysearchdial.com/?f=1&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir="

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"TopResultURLFallback"="http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir="

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
""="Mysearchdial"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\InstallCore\mysearchdial]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy]
"AppPath"="C:\Program Files (x86)\Mysearchdial\1.8.29.0\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}\Instl\Data]
"hp_url"="http://start.mysearchdial.com/?f=1&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir="

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\InstallCore\mysearchdial]

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"URL"="http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir="

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"FaviconPath"="C:\Program Files (x86)\Mysearchdial\1.8.29.0\FavIcon.ico"

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
"DisplayName"="Mysearchdial"

[HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\mysearchdial]

====== End Of Search ======
jprzybilla
Active Member
 
Posts: 13
Joined: February 7th, 2015, 9:20 am

Re: Computer infected with malicious malware

Unread postby jprzybilla » February 8th, 2015, 11:50 am

I have submitted the AdwCleaner file several times; it will not show up in the posting.
jprzybilla
Active Member
 
Posts: 13
Joined: February 7th, 2015, 9:20 am

Re: Computer infected with malicious malware

Unread postby jprzybilla » February 8th, 2015, 11:52 am

# AdwCleaner v4.110 - Logfile created 08/02/2015 at 09:29:19
# Updated 05/02/2015 by Xplode
# Database : 2015-02-05.2 [Server]
# Operating system : Windows 8.1 (x64)
# Username : Jerome - OFFICE
# Running from : C:\Users\j1977_000\Desktop\adwcleaner_4.110.exe
# Option : Scan

***** [ Services ] *****

Service Found : hlnfd

***** [ Files / Folders ] *****

File Found : C:\END
Folder Found : C:\Program Files (x86)\Mysearchdial
Folder Found : C:\Program Files\002
Folder Found : C:\Users\J1977_~1\AppData\Local\Temp\BrowseMark
Folder Found : C:\Users\J1977_~1\AppData\Local\Temp\Hold Page
Folder Found : C:\Users\j1977_000\AppData\LocalLow\CouponXplorer_5zEI
Folder Found : C:\Users\j1977_000\AppData\LocalLow\iac
Folder Found : C:\Users\j1977_000\AppData\Roaming\Mysearchdial
Folder Found : C:\Users\j1977_000\AppData\Roaming\OpenCandy
Folder Found : C:\Users\j1977_000\AppData\Roaming\UpdaterEX
Folder Found : C:\Users\j1977_000\Documents\Optimizer Pro

***** [ Scheduled tasks ] *****

Task Found : UpdaterEX
Task Found : ProPCCleaner_Start
Task Found : ProPCCleaner_Popup
Task Found : updaterex

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKCU\Software\AppDataLow\Software\PassShow
Key Found : HKCU\Software\AppDataLow\Software\Rr Savings
Key Found : HKCU\Software\Conduit_Search_Protect
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\007go.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\29597.click.007go.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\click.007go.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D6CD22A7-8473-4F32-9A6E-FF0FADCC59D0}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\UpdaterEX
Key Found : HKCU\Software\mysearchdial
Key Found : HKCU\Software\ProPCCleanerConfig
Key Found : HKCU\Software\SecuredDownload
Key Found : HKCU\Software\UpdaterEX
Key Found : HKCU\Software\wecarereminder
Key Found : HKCU\Software\WEDLMNGR
Key Found : [x64] HKCU\Software\Conduit_Search_Protect
Key Found : [x64] HKCU\Software\InstallCore
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D6CD22A7-8473-4F32-9A6E-FF0FADCC59D0}
Key Found : [x64] HKCU\Software\mysearchdial
Key Found : [x64] HKCU\Software\ProPCCleanerConfig
Key Found : [x64] HKCU\Software\SecuredDownload
Key Found : [x64] HKCU\Software\UpdaterEX
Key Found : [x64] HKCU\Software\wecarereminder
Key Found : [x64] HKCU\Software\WEDLMNGR
Key Found : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Found : HKLM\SOFTWARE\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{746c749a-528c-4e31-bc96-848c0d909fb4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : HKLM\SOFTWARE\Classes\Installer\Features\4270603C7CA6FEB45B61F4B6D10988D7
Key Found : HKLM\SOFTWARE\Classes\Installer\Products\4270603C7CA6FEB45B61F4B6D10988D7
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{BB925FE4-7161-454F-88EE-7F58C40F549C}
Key Found : HKLM\SOFTWARE\InstallCore
Key Found : HKLM\SOFTWARE\InstallIQ
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5a1d0d31-749c-4186-a295-4106e6e7b26a}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C3060724-6AC7-4BEF-B516-4F6B1D90887D}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : [x64] HKLM\SOFTWARE\LevelQualityWatcher
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4270603C7CA6FEB45B61F4B6D10988D7
Key Found : [x64] HKLM\SOFTWARE\RrSavings
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17416

Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://search.yahoo.com/?type=523482&fr=spigot-yhp-ie
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://start.mysearchdial.com/?f=1&a=dn ... 457542&ir=
Setting Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://start.mysearchdial.com/?f=1&a=dn ... 457542&ir=
*************************

AdwCleaner[R0].txt - [8745 bytes] - [08/02/2015 08:47:45]
AdwCleaner[R1].txt - [8804 bytes] - [08/02/2015 09:01:58]
AdwCleaner[R2].txt - [8637 bytes] - [08/02/2015 09:29:19]

########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [8696 bytes] ##########
jprzybilla
Active Member
 
Posts: 13
Joined: February 7th, 2015, 9:20 am

Re: Computer infected with malicious malware

Unread postby Gary R » February 8th, 2015, 1:06 pm

OK, let's get started cleaning your computer.

First ...

Please uninstall the following programs ...

Smart Defrag 2
WebZoom


IOBit have a poor name, and are known for stealing other people's intellectual property and incorporating it into their products.
Webzoom is known to come bundled with Adware.

Reboot your computer once it is removed.

Next ...

  • Double click AdwCleaner.exe to run it.
  • Click Scan and allow the scan to finish.
  • Now click Clean to remove the items found.
  • Click OK to the prompt.
  • The tool will run & your computer will be rebooted automatically. A logfile will open after the restart.
  • Post the contents of the logfile with your next reply.
  • You can also find the logfile at C:\AdwCleaner[s1].txt.

Next ...

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad (don't include Code: Select all).
Code: Select all
C:\ProgramData\webzoom
C:\Program Files (x86)\IObit
HKLM-x32\...\Run: [CouponXplorer AppIntegrator 32-bit] => C:\PROGRA~2\COUPON~2\bar\1.bin\AppIntegrator.exe
HKLM-x32\...\Run: [CouponXplorer AppIntegrator 64-bit] => C:\PROGRA~2\COUPON~2\bar\1.bin\AppIntegrator64.exe
HKLM-x32\...\Run: [OnlineMapFinder AppIntegrator 32-bit] => C:\PROGRA~2\ONLINE~3\bar\1.bin\AppIntegrator.exe
HKLM-x32\...\Run: [OnlineMapFinder AppIntegrator 64-bit] => C:\PROGRA~2\ONLINE~3\bar\1.bin\AppIntegrator64.exe
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dn ... 457542&ir=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dn ... 457542&ir=
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.p ... f=4&q= {searchTerms}&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.p ... f=4&q= {searchTerms}&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir=
SearchScopes: HKLM-x32 -> {5a1d0d31-749c-4186-a295-4106e6e7b26a} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2= ^AFA^xdm338^S10945^us&si=49588_Mom-Lander2&ptb=255CC981-9718-464F-A060-E9F26CC96869&ind=2014111908&n=780ce8a4&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.p ... f=4&q= {searchTerms}&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir=
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} URL = http://www.crawler.com/search/dispatche ... tp=bs&qkw= {searchTerms}&tbid=60002
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {D6CD22A7-8473-4F32-9A6E-FF0FADCC59D0} URL = http://isearch.shopathome.com?user_id= {111aba70-9bf7-4164-bc7c-af6a14334274}&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
BHO: DVDVideoSoft IE Extension -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll (DVDVideoSoft Ltd.)
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: DVDVideoSoft IE Extension -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll (DVDVideoSoft Ltd.)
Toolbar: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> No Name - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
FF HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\Firefox\Extensions: [{B64D9B05-48E1-4CEB-BF58-E0643994E900}] - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\ff
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
R2 cozaghost; C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe [481776 2015-02-05] ()
R2 cozwdhost; C:\ProgramData\webzoom\1.1.0.29\cozwdhost.exe [247280 2015-02-05] ()
R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [17720 2010-11-26] ()
C:\Windows\System32\Drivers\SmartDefragDriver.sys
2015-02-05 10:35 - 2015-02-05 10:35 - 00000000 ____D () C:\ProgramData\webzoom
Task: {12F62C9B-E443-4746-B1B2-ED7FFD7B10AC} - \ProPCCleaner_Popup No Task File <==== ATTENTION
Task: {6CCDB908-1B4A-4C73-8B42-CA60DFD79734} - System32\Tasks\UpdaterEX => C:\Users\J1977_~1\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {9C2BE776-B936-4694-843F-C5632B1809F1} - \ProPCCleaner_Start No Task File <==== ATTENTION
Task: C:\WINDOWS\Tasks\updaterex.job => C:\Users\J1977_~1\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {F25C1F6B-1B18-4901-B800-8C22CFED8558} - System32\Tasks\SmartDefrag_Startup => C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe [2012-12-25] (IObit)
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Conduit_Search_Protect]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\webzoom]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\webzoom_29]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cozaghost]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\AppDataLow\Software\webzoom_29]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED}]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\InstallCore\mysearchdial]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\InstallCore\mysearchdial]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\mysearchdial]
EMPTYTEMP:
Hosts:
CMD: ipconfig /flushdns

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log

Next ...

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.
  • Please go HERE then click on Run ESET Online Scanner
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed click on Start to start the scan.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed you will be presented with a list of found threats ....
    • Click on the List of found threats link
    • Click on Export to text file
    • Save as ESET.txt to your Desktop
  • Exit out of ESET Online Scanner.
  • Post me the contents of ESET.txt please.

Summary of the logs I need from you in your next post:
  • ADWCleaner fixlog
  • Fixlog.txt
  • ESet.txt


Please post each log separately to prevent it being cut off by the forum post size limiter. Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Computer infected with malicious malware

Unread postby jprzybilla » February 8th, 2015, 2:07 pm

# AdwCleaner v4.110 - Logfile created 08/02/2015 at 12:02:18
# Updated 05/02/2015 by Xplode
# Database : 2015-02-08.1 [Server]
# Operating system : Windows 8.1 (x64)
# Username : Jerome - OFFICE
# Running from : C:\Users\j1977_000\Desktop\adwcleaner_4.110.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : hlnfd

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Mysearchdial
Folder Deleted : C:\Users\J1977_~1\AppData\Local\Temp\BrowseMark
Folder Deleted : C:\Users\J1977_~1\AppData\Local\Temp\Hold Page
Folder Deleted : C:\Program Files\002
Folder Deleted : C:\Users\j1977_000\AppData\LocalLow\iac
Folder Deleted : C:\Users\j1977_000\AppData\LocalLow\CouponXplorer_5zEI
Folder Deleted : C:\Users\j1977_000\AppData\Roaming\Mysearchdial
Folder Deleted : C:\Users\j1977_000\AppData\Roaming\OpenCandy
Folder Deleted : C:\Users\j1977_000\AppData\Roaming\UpdaterEX
Folder Deleted : C:\Users\j1977_000\Documents\Optimizer Pro
File Deleted : C:\END

***** [ Scheduled tasks ] *****

Task Deleted : UpdaterEX
Task Deleted : ProPCCleaner_Start
Task Deleted : ProPCCleaner_Popup

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{746c749a-528c-4e31-bc96-848c0d909fb4}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BB925FE4-7161-454F-88EE-7F58C40F549C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D6CD22A7-8473-4F32-9A6E-FF0FADCC59D0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5a1d0d31-749c-4186-a295-4106e6e7b26a}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Conduit_Search_Protect
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\mysearchdial
Key Deleted : HKCU\Software\SecuredDownload
Key Deleted : HKCU\Software\UpdaterEX
Key Deleted : HKCU\Software\wecarereminder
Key Deleted : HKCU\Software\WEDLMNGR
Key Deleted : HKCU\Software\ProPCCleanerConfig
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Rr Savings
Key Deleted : HKCU\Software\AppDataLow\Software\PassShow
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\InstallCore
Key Deleted : HKLM\SOFTWARE\InstallIQ
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\UpdaterEX
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C3060724-6AC7-4BEF-B516-4F6B1D90887D}
Key Deleted : [x64] HKLM\SOFTWARE\LevelQualityWatcher
Key Deleted : [x64] HKLM\SOFTWARE\RrSavings
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\4270603C7CA6FEB45B61F4B6D10988D7
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\4270603C7CA6FEB45B61F4B6D10988D7
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4270603C7CA6FEB45B61F4B6D10988D7
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\007go.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\29597.click.007go.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\click.007go.com

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17416

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]

*************************

AdwCleaner[R0].txt - [8745 bytes] - [08/02/2015 08:47:45]
AdwCleaner[R1].txt - [8804 bytes] - [08/02/2015 09:01:58]
AdwCleaner[R2].txt - [8863 bytes] - [08/02/2015 09:29:19]
AdwCleaner[R3].txt - [8708 bytes] - [08/02/2015 12:00:32]
AdwCleaner[S0].txt - [6914 bytes] - [08/02/2015 12:02:18]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6973 bytes] ##########
jprzybilla
Active Member
 
Posts: 13
Joined: February 7th, 2015, 9:20 am
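
As an added example (not part of this thread, and not AdwCleaner's or FRST's own code), a small Python parser for the AdwCleaner result lines shown in the two logs above: it counts what was found or deleted, groups every registry location a given CLSID was reported at (so a helper can see that one component, such as the DVDVideoSoft BHO's {EE932B49-...}, accounts for several entries), and pulls out the hosts the hijacked Start Page pointed to. The sample lines are constructed in the exact format of the logs above; all function names are this example's own.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Shape of one AdwCleaner result line, as seen in the logs posted in this thread:
#   "Key Found : [x64] HKLM\SOFTWARE\InstallCore"
#   "Value Found : HKCU\...\Toolbar\WebBrowser [{4B3803EA-...}]"
#   "Setting Found : HKCU\...\Main [Start Page] - hxxps://search.yahoo.com/?..."
#   "[#] Service Deleted : hlnfd"
LINE_RE = re.compile(
    r"^(?:\[#\]\s*)?"                                  # optional "[#]" marker on service lines
    r"(?P<kind>Key|Value|Setting|Folder|File|Task|Service)\s+"
    r"(?P<action>Found|Deleted|Restored)\s*:\s*"
    r"(?:\[(?P<arch>x64)\]\s*)?"                       # "[x64]" marks the 64-bit registry view
    r"(?P<target>\S.*?)\s*$"
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HIVE_RE = re.compile(r"^(HKLM|HKCU|HKU|HKCR)\\")
# "<key path> [<value name>] - <data>"; the " - <data>" part is only present on Settings
SETTING_RE = re.compile(r"^(?P<key>.*?) \[(?P<name>[^\]]+)\](?: - (?P<value>.*))?$")


def parse_line(line):
    """Return a dict for one result line, or None for banners, headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["arch"] = rec["arch"] or "x86"   # AdwCleaner omits the tag for the 32-bit view
    hive = HIVE_RE.match(rec["target"])
    rec["hive"] = hive.group(1) if hive else None
    # GUIDs are upper-cased so the same CLSID written in two cases is one identity
    rec["guids"] = sorted({g.upper() for g in GUID_RE.findall(rec["target"])})
    rec["name"] = rec["value"] = None
    if rec["kind"] in ("Setting", "Value"):
        s = SETTING_RE.match(rec["target"])
        if s:
            rec["target"], rec["name"], rec["value"] = s.group("key"), s.group("name"), s.group("value")
    return rec


def parse_log(text):
    """Parse a whole AdwCleaner log; section banners and the header block are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Count lines per (kind, action), e.g. how many keys were found vs. deleted."""
    return Counter((r["kind"], r["action"]) for r in records)


def guid_footprint(records):
    """Map each GUID to every registry location it was reported in.

    A CLSID that shows up under Classes\\CLSID, Browser Helper Objects and
    Internet Explorer\\Extensions at once is one component with several
    registration points, i.e. a single remediation target, not several.
    """
    seen = defaultdict(list)
    for r in records:
        for g in r["guids"]:
            seen[g].append(f"[{r['arch']}] {r['target']}")
    return dict(seen)


def start_page_hosts(records):
    """Hosts the IE Start Page was pointed at; AdwCleaner defangs http as hxxp."""
    hosts = []
    for r in records:
        if r["kind"] == "Setting" and r["name"] == "Start Page" and r["value"]:
            url = re.sub(r"^hxxp", "http", r["value"], flags=re.IGNORECASE)
            host = urlsplit(url).hostname
            if host and host not in hosts:
                hosts.append(host)
    return hosts


# Constructed sample: a handful of lines in the exact shape of the logs in this thread.
SAMPLE_LOG = r"""
***** [ Registry ] *****

Key Found : [x64] HKCU\Software\mysearchdial
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]
[#] Service Deleted : hlnfd

***** [ Web browsers ] *****

Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxps://search.yahoo.com/?type=523482&fr=spigot-yhp-ie
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://start.mysearchdial.com/?f=1&a=dn
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (kind, action), n in sorted(summarize(recs).items()):
        print(f"{kind} {action}: {n}")
    for guid, places in guid_footprint(recs).items():
        print(guid, "registered at", len(places), "location(s)")
    print("Start page hosts:", start_page_hosts(recs))
```

Feed it a full AdwCleaner[Rn].txt and the GUID footprint tells you at a glance which entries belong to the same add-on before anything is cleaned.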

Re: Computer infected with malicious malware

Unread postby jprzybilla » February 8th, 2015, 2:26 pm

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 08-02-2015
Ran by Jerome at 2015-02-08 12:15:05 Run:1
Running from C:\Users\j1977_000\Desktop\FRST-OlderVersion
Loaded Profiles: Jerome (Available profiles: Jerome & Emma & Administrator & Guest)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\ProgramData\webzoom
C:\Program Files (x86)\IObit
HKLM-x32\...\Run: [CouponXplorer AppIntegrator 32-bit] => C:\PROGRA~2\COUPON~2\bar\1.bin\AppIntegrator.exe
HKLM-x32\...\Run: [CouponXplorer AppIntegrator 64-bit] => C:\PROGRA~2\COUPON~2\bar\1.bin\AppIntegrator64.exe
HKLM-x32\...\Run: [OnlineMapFinder AppIntegrator 32-bit] => C:\PROGRA~2\ONLINE~3\bar\1.bin\AppIntegrator.exe
HKLM-x32\...\Run: [OnlineMapFinder AppIntegrator 64-bit] => C:\PROGRA~2\ONLINE~3\bar\1.bin\AppIntegrator64.exe
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dn ... 457542&ir=
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dn ... 457542&ir=
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.p ... f=4&q= {searchTerms}&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.p ... f=4&q= {searchTerms}&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir=
SearchScopes: HKLM-x32 -> {5a1d0d31-749c-4186-a295-4106e6e7b26a} URL = http://search.tb.ask.com/search/GGmain.jhtml?p2= ^AFA^xdm338^S10945^us&si=49588_Mom-Lander2&ptb=255CC981-9718-464F-A060-E9F26CC96869&ind=2014111908&n=780ce8a4&psa=&st=sb&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://start.mysearchdial.com/results.p ... f=4&q= {searchTerms}&a=dnldstr_14_16_ie&cd=2XzuyEtN2Y1L1QzuzzzzyDtC0F0ByC0A0EyDtC0E0B0A0C0DtN0D0Tzu0SzztAzztN1L2XzutBtFtCzztFtBtFyBtN1L1CzutCyEtDtAtDyD1V1RtN1L1G1B1V1N2Y1L1Qzu2StDyD0E0DtB0FyEyCtGtAzzyByEtGtAyDtByBtGyEtDzyzztGyByD0A0FyEzz0AyEtAyCtCtB2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBzyyDtBtBtC0FtG0EyBtDtAtGyBtCtCtBtG0B0ByC0BtGtByD0EtDyB0CyC0D0AtC0FyD2Q&cr=1978457542&ir=
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} URL = http://www.crawler.com/search/dispatche ... tp=bs&qkw= {searchTerms}&tbid=60002
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {D6CD22A7-8473-4F32-9A6E-FF0FADCC59D0} URL = http://isearch.shopathome.com?user_id= {111aba70-9bf7-4164-bc7c-af6a14334274}&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
BHO: DVDVideoSoft IE Extension -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns64.dll (DVDVideoSoft Ltd.)
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: DVDVideoSoft IE Extension -> {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} -> C:\Program Files (x86)\Common Files\DVDVideoSoft\bin\IEDownloadMenuAndBtns.dll (DVDVideoSoft Ltd.)
Toolbar: HKU\S-1-5-21-1141139573-402178876-1469993118-1001 -> No Name - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
FF HKU\S-1-5-21-1141139573-402178876-1469993118-1001\...\Firefox\Extensions: [{B64D9B05-48E1-4CEB-BF58-E0643994E900}] - C:\Program Files (x86)\Common Files\DVDVideoSoft\plugins\ff
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
R2 cozaghost; C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe [481776 2015-02-05] ()
R2 cozwdhost; C:\ProgramData\webzoom\1.1.0.29\cozwdhost.exe [247280 2015-02-05] ()
R0 SmartDefragDriver; C:\Windows\System32\Drivers\SmartDefragDriver.sys [17720 2010-11-26] ()
C:\Windows\System32\Drivers\SmartDefragDriver.sys
2015-02-05 10:35 - 2015-02-05 10:35 - 00000000 ____D () C:\ProgramData\webzoom
Task: {12F62C9B-E443-4746-B1B2-ED7FFD7B10AC} - \ProPCCleaner_Popup No Task File <==== ATTENTION
Task: {6CCDB908-1B4A-4C73-8B42-CA60DFD79734} - System32\Tasks\UpdaterEX => C:\Users\J1977_~1\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {9C2BE776-B936-4694-843F-C5632B1809F1} - \ProPCCleaner_Start No Task File <==== ATTENTION
Task: C:\WINDOWS\Tasks\updaterex.job => C:\Users\J1977_~1\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {F25C1F6B-1B18-4901-B800-8C22CFED8558} - System32\Tasks\SmartDefrag_Startup => C:\Program Files (x86)\IObit\Smart Defrag 2\SmartDefrag.exe [2012-12-25] (IObit)
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Conduit_Search_Protect]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\webzoom]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\webzoom_29]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cozaghost]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\AppDataLow\Software\webzoom_29]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED}]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\InstallCore\mysearchdial]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\InstallCore\mysearchdial]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}]
[-HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\mysearchdial]
EMPTYTEMP:
Hosts:
CMD: ipconfig /flushdns
*****************

C:\ProgramData\webzoom => Moved successfully.
C:\Program Files (x86)\IObit => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\CouponXplorer AppIntegrator 32-bit => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\CouponXplorer AppIntegrator 64-bit => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\OnlineMapFinder AppIntegrator 32-bit => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\OnlineMapFinder AppIntegrator 64-bit => value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{5a1d0d31-749c-4186-a295-4106e6e7b26a} => Key not found.
HKCR\Wow6432Node\CLSID\{5a1d0d31-749c-4186-a295-4106e6e7b26a} => Key not found.
"HKU\S-1-5-21-1141139573-402178876-1469993118-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} => Key not found.
HKCR\CLSID\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} => Key not found.
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D6CD22A7-8473-4F32-9A6E-FF0FADCC59D0} => Key not found.
HKCR\CLSID\{D6CD22A7-8473-4F32-9A6E-FF0FADCC59D0} => Key not found.
"HKU\S-1-5-21-1141139573-402178876-1469993118-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} => Key not found.
HKCR\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670} => Key not found.
HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} => Key not found.
HKCR\Wow6432Node\CLSID\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} => Key not found.
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} => Value not found.
HKCR\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} => Key not found.
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Mozilla\Firefox\Extensions\\{B64D9B05-48E1-4CEB-BF58-E0643994E900} => value deleted successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => Key deleted successfully.
cozaghost => Unable to stop service
cozaghost => Service deleted successfully.
cozwdhost => Unable to stop service
cozwdhost => Service deleted successfully.
SmartDefragDriver => Service not found.
"C:\Windows\System32\Drivers\SmartDefragDriver.sys" => File/Directory not found.
"C:\ProgramData\webzoom" => File/Directory not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{12F62C9B-E443-4746-B1B2-ED7FFD7B10AC} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProPCCleaner_Popup => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6CCDB908-1B4A-4C73-8B42-CA60DFD79734} => Key not found.
C:\Windows\System32\Tasks\UpdaterEX not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UpdaterEX => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C2BE776-B936-4694-843F-C5632B1809F1} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProPCCleaner_Start => Key not found.
C:\WINDOWS\Tasks\updaterex.job not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F25C1F6B-1B18-4901-B800-8C22CFED8558} => Key not found.
C:\Windows\System32\Tasks\SmartDefrag_Startup not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SmartDefrag_Startup => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B} => Key Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC} => Key Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B} => Key Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC} => Key Deleted successfully.
HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Conduit_Search_Protect => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\webzoom => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\webzoom_29 => Key Deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cozaghost => Key not found.
HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\AppDataLow\Software\webzoom_29 => Key Deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED} => Key Deleted Successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED} => Key Deleted Successfully.
HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8} => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\InstallCore\mysearchdial => Key not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8} => Key not found.
HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\InstallCore\mysearchdial => Key not found.
HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKEY_USERS\S-1-5-21-1141139573-402178876-1469993118-1001\Software\mysearchdial => Key not found.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => Removed 2.2 GB temporary data.


The system needed a reboot.

==== End of Fixlog 12:17:02 ====
jprzybilla
Active Member
 
Posts: 13
Joined: February 7th, 2015, 9:20 am
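A note on reading the Fixlog above, with an added example. Most "Key not found" lines are benign: FRST was told to remove persistence that was already absent (removed earlier or never present on this machine). The pair "cozaghost => Unable to stop service" / "cozaghost => Service deleted successfully" means the service registration is gone but FRST could not stop the running process, which is why the log ends with "The system needed a reboot." The lines for CLSID {08165EA0-...} show FRST's retry behaviour: a failed first delete (error C0000121) followed by success on the next line. The Python below is an added example, not part of FRST or of this thread; it parses fixlog-style lines, counts outcomes, and reports any failure or warning that is not followed by a success for the same target. SAMPLE_FIXLOG is a constructed excerpt made from a few lines of the log above.

```python
"""Triage an FRST Fixlog: added example, not part of FRST or of the thread."""
import re
from collections import Counter

# Constructed excerpt in the shape of the Fixlog above (a handful of its lines, not the full log).
SAMPLE_FIXLOG = r"""
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EE932B49-D5C0-4D19-A3DA-CE0849258DE6} => Key not found.
HKU\S-1-5-21-1141139573-402178876-1469993118-1001\Software\Mozilla\Firefox\Extensions\\{B64D9B05-48E1-4CEB-BF58-E0643994E900} => value deleted successfully.
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => Key deleted successfully.
cozaghost => Unable to stop service
cozaghost => Service deleted successfully.
SmartDefragDriver => Service not found.
"C:\ProgramData\webzoom" => File/Directory not found.
C:\Windows\System32\Tasks\UpdaterEX not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08165EA0-E946-11CF-9C87-00AA005127ED} => Key Deleted Successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 2.2 GB temporary data.
The system needed a reboot.
"""

# "<target> => <outcome>." with optional quotes around the target and an optional trailing period.
ACTION_RE = re.compile(r'^"?(?P<target>.+?)"?\s*=>\s*(?P<outcome>.+?)\.?\s*$')


def classify(outcome):
    """Map FRST's free-text outcome to one of: absent, ok, retry, warning, other."""
    o = outcome.lower()
    if "not found" in o:
        return "absent"      # already gone (or never present): nothing left to clean
    if "successfully" in o or o.startswith("removed "):
        return "ok"
    if "failed to delete" in o and "see next line" in o:
        return "retry"       # FRST retries on the next line; check that the retry succeeded
    if "unable to" in o:
        return "warning"     # e.g. a service FRST could not stop; deletion continues, reboot finishes it
    return "other"


def parse_fixlog(text):
    """Return (target, outcome, category) for every non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACTION_RE.match(line)
        if m:
            target, outcome = m.group("target"), m.group("outcome")
        elif line.lower().endswith(" not found."):   # "C:\...\UpdaterEX not found." has no "=>"
            target, outcome = line[:-len(" not found.")], "not found"
        else:                                         # free text such as "Hosts was reset successfully."
            target, outcome = "", line.rstrip(".")
        entries.append((target, outcome, classify(outcome)))
    return entries


def unresolved(entries):
    """Failures/warnings with no later success for the same target: these need a manual look."""
    bad = []
    for i, (target, outcome, cat) in enumerate(entries):
        if cat in ("retry", "warning"):
            if not any(t == target and c == "ok" for t, _, c in entries[i + 1:]):
                bad.append((target, outcome))
    return bad


def summarize(text):
    entries = parse_fixlog(text)
    return {"counts": dict(Counter(c for _, _, c in entries)),
            "unresolved": unresolved(entries),
            "reboot_required": any("reboot" in o.lower() for _, o, _ in entries)}


if __name__ == "__main__":
    print(summarize(SAMPLE_FIXLOG))
```

Run against the sample, `summarize` reports seven successful actions, four targets that were already absent, one retry and one warning, both resolved on the following line, and that a reboot was required. A target left in `unresolved` (for instance a service that could not be stopped and was never reported deleted) is the cue to rescan after the reboot rather than assume the fix took.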

Re: Computer infected with malicious malware

Post by Gary R » February 8th, 2015, 2:48 pm

Looking good so far, just the e-set scan to run now.

I'm going to be out for the rest of the evening, so it will be tomorrow morning my time (GMT) before I see your e-set log.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Computer infected with malicious malware

Post by jprzybilla » February 8th, 2015, 3:07 pm

I activated the ESET Online Scanner; nothing appears to be happening. After the ESET pop-up, I checked "accept terms & conditions", clicked Start, then a blank gray screen appeared within the ESET pop-up. I left it alone for over 20 minutes and it is still up.

Before doing this, I disabled my Norton Antivirus & Firewall.

So far, I haven't seen any more of those ad pop-ups.

Re: Computer infected with malicious malware

Post by jprzybilla » February 8th, 2015, 8:32 pm

I just now tried the ESET scan again after turning off the ActiveX filter. Step 1 of 4 appeared; I followed your settings instructions for the ESET scan and clicked Start, then a notification on ESET appeared: "Detected another antivirus: Norton Internet Security 2014". This is the only antivirus I use on my PC. Auto-Protect and the Smart Firewall are turned off, as well as the Windows Firewall.

Re: Computer infected with malicious malware

Post by Gary R » February 9th, 2015, 2:12 am

OK, no problem, let's try another sort of scan instead of e-set.

Please run Microsoft Safety Scanner
  • Click Download Now (this is a large download, approx. 70Mb)
  • If you are asked about 32-bit or 64-bit, click on the type matching your Windows system.
  • If asked to Run or Save, choose Run.
  • OK the User Account Permission or the query "Do you want to run this software".
  • If you get a message saying "running this type of program could harm your computer" or similar, just ignore it and tell it to Run anyway.
  • Click the box to Accept the license agreement.
  • Click Next.
  • Click Next to run the Scan.
  • Click the Quick Scan button. (... also Full Scan option)
  • Click Next
    • (If it finds nothing, it will just Exit. It still creates a report.)
    • If it has found anything, check the box titled "Help Remove potentially unwanted software"
      • Click Next (the Dialog label will become "Cleaning your computer").
      • After this operation completes, click Finish.
      • When removals are complete, it will report through a link, "View detailed results of the scan"
      • Clicking the link will popup a report in Notepad.
      • Please post the contents of the file in your reply.
      • The file is also saved in C:\Windows\debug\msert.log

Re: Computer infected with malicious malware

Post by jprzybilla » February 9th, 2015, 9:52 am

I completed the MS Safety Scanner. I clicked Finish and the pop-up disappeared; before doing this, I clicked on "View details" and it read "Adware: Win/32 ZoomyLib", if I recall correctly.

I haven't done much surfing since our last contact, but I haven't noticed any more pop-ups.

Re: Computer infected with malicious malware

Post by jprzybilla » February 9th, 2015, 10:02 am

---------------------------------------------------------------------------------------

Microsoft Safety Scanner v1.0, (build 1.191.4427.0)
Started On Mon Feb 09 07:37:37 2015
->Scan ERROR: resource process://pid:388,ProcessStart:130678930964350438 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:524,ProcessStart:130678931117653178 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:600,ProcessStart:130678931123330019 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:688,ProcessStart:130678931130674210 (code 0x00000005 (5))
->Scan ERROR: resource process://pid:5964,ProcessStart:130679626517925490 (code 0x00000005 (5))

Quick Scan Results for EA89F60F-C199-4918-80A8-8BF9B7E02E5E:
----------------
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\swapfile.sys (code 0x00000020 (32))
Threat detected: Adware:Win32/ZoomyLib
containerfile://C:\WINDOWS\shost.bin
SHA1: 36a0b07b202ea5421f8bb65c372f8786d64e2254
file://C:\ProgramData\webzoom\1.1.0.29\content\dgapi.js
SigSeq: 0x00000A60BEFD3BDA
SHA1: c037b1e24531ebeb5d094cd1b5f68ab8cd4b2a2d
file://C:\ProgramData\webzoom\1.1.0.29\content\dgmain.js
SigSeq: 0x00000A60BEFD3BDA
SHA1: e0edb3dd5dbef29d1adadad5e7cdc3f31a3b1f8d
file://C:\ProgramData\webzoom\1.1.0.29\content\dgmain_app_bg.js
SigSeq: 0x00000A60BEFD3BDA
SHA1: bdda33a8e78b3bea4c0e474c70ab77ffdb325030
file://C:\ProgramData\webzoom\1.1.0.29\content\dgmain_app_cs.js
SigSeq: 0x00000A60BEFD3BDA
SHA1: c04db44e96fb66935232548fd4d56e292de15242
file://C:\ProgramData\webzoom\1.1.0.29\content\jquery4toolbar.js
SigSeq: 0x00000A60BEFD3BDA
SHA1: c559ab91e420bdca977c4c4c3f7f5e8564a78fb2
file://C:\ProgramData\webzoom\1.1.0.29\coz32host.exe
SigSeq: 0x00001087F66AECA1
SHA1: d089b03beedb1f032abd47b22b1f3e72ef6cf1be
file://C:\ProgramData\webzoom\1.1.0.29\coz64host.exe
SigSeq: 0x000010879BF97BDD
SHA1: ef73a77798b8a021443fde9e53d6f2f343908afb
file://C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe
SigSeq: 0x00001087C7008AEF
SHA1: 0002df5934f31aeec9aac24a5b3ad636818c06d3
file://C:\ProgramData\webzoom\1.1.0.29\cozahost.exe
SigSeq: 0x000010870499555D
SHA1: 710aacbeea0abd85a7222596992806b73169e7f3
file://C:\ProgramData\webzoom\1.1.0.29\cozwdhost.exe
SigSeq: 0x00001087E06CD6DF
SHA1: 2dc5954a2eb1e347f750a3b34f0d87fce56fbf30
file://C:\ProgramData\webzoom\1.1.0.29\logo.ico
SigSeq: 0x00000A60BEFD3BDA
SHA1: 05fb8a9e334558c07d39b6f9222d751d16270671
file://C:\ProgramData\webzoom\1.1.0.29\Uninstaller.exe
SigSeq: 0x00000A60BEFD3BDA
SHA1: 5c7210f77e09f7f3df3013ca77bc2b7840005129
file://C:\ProgramData\webzoom\1.1.0.29\webzoom.xpi
SigSeq: 0x00000A60BEFD3BDA
SHA1: cb4bc46c7b2c311fce9f144d62a4cad9f22ec1b2
file://C:\ProgramData\webzoom\1.1.0.29\webzoomL32.dll
SigSeq: 0x000010873CC3523E
SHA1: 748e948d0b17b40fe96d56521a0da02768169c88
file://C:\ProgramData\webzoom\1.1.0.29\webzoomL64.dll
SigSeq: 0x0000108738BA4B81
SHA1: 047458ccb74455aae356742de073bdab150e41d1
file://C:\ProgramData\webzoom\1.1.0.29\webzoomutil32.dll
SigSeq: 0x00001087495F84BF
SHA1: 219f2ac4a349aa7abf8d1ee2d10455ae4013fde8
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\29c726c70fa66389578f5986eedd9ce4
SigSeq: 0x00001B60F05E3E8D
SHA1: b858cb282617fb0956d960215c8e84d1ccf909c6
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\29c726c70fa66389578f5986eedd9ce4_expire
SigSeq: 0x00001B60F05E3E8D
SHA1: 5f372b61c873414317811e60789960b945f50c12
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\29c726c70fa66389578f5986eedd9ce4_gb
SigSeq: 0x00001B60F05E3E8D
SHA1: f5e53bbe24c82565dda4740af5d8b7d63f4f7473
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\2d455ce3c6c24563563a9d5d01ef3156
SigSeq: 0x00001B60F05E3E8D
SHA1: 77ed4b0ac6cc7dc4aa992a65d0e4322a6aa7ff6a
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\2d455ce3c6c24563563a9d5d01ef3156_expire
SigSeq: 0x00001B60F05E3E8D
SHA1: 6840b53c7d4bf2784a6a8e6e0b4624fcd5d90be1
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\2d455ce3c6c24563563a9d5d01ef3156_gb
SigSeq: 0x00001B60F05E3E8D
SHA1: e18169a860609cdc084feb284479acca45888ef8
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\3ab6cfcad30baf81fac23ae3890bffc8
SigSeq: 0x00001B60F05E3E8D
SHA1: f1101c1fab04c76d674b8c2e2ecf531d96f86d4e
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire
SigSeq: 0x00001B60F05E3E8D
SHA1: eda1922f64dd334a326a0b4f2519c25a150b8cbf
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb
SigSeq: 0x00001B60F05E3E8D
SHA1: 0bd5b4adf25a60e9afce0ccb2a604a8cb334ad44
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\5353fe618a525cf84c7c3e117446f2d5
SigSeq: 0x00001B60F05E3E8D
SHA1: f9a43df049fbb11dcba826db7107ff92ef35c031
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\5353fe618a525cf84c7c3e117446f2d5_expire
SigSeq: 0x00001B60F05E3E8D
SHA1: 29511146340e84e4fffde57a4198f7a8a5f7d7b7
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\5353fe618a525cf84c7c3e117446f2d5_gb
SigSeq: 0x00001B60F05E3E8D
SHA1: cfcc9bd64b33378156106454a2bf350864d4d6b1
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\73f82623658278cf03c2acf12426f916
SigSeq: 0x00001B60F05E3E8D
SHA1: 3fb10e80f2f073578c524663d40dcddf420fd401
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\73f82623658278cf03c2acf12426f916_expire
SigSeq: 0x00001B60F05E3E8D
SHA1: 83b3f8620c8568bbe9f64bd0824bbdd7a7a53060
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\73f82623658278cf03c2acf12426f916_gb
SigSeq: 0x00001B60F05E3E8D
SHA1: 46d2e5a55e772a22c54c566cd166d355fdba091b
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\7c0022298b948a99e406a6310bffea7f
SigSeq: 0x00001B60F05E3E8D
SHA1: f8ad0264048f76dd536094bc288fe67398e64864
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\7c0022298b948a99e406a6310bffea7f_expire
SigSeq: 0x00001B60F05E3E8D
SHA1: c37cf69aeb49591f0f741e74dfc9cce016800b54
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\7c0022298b948a99e406a6310bffea7f_gb
SigSeq: 0x00001B60F05E3E8D
SHA1: d75d1f900d57bbad2676c1f8e777b5c8616f4823
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\8f43b50088266b9870b42ce6ef7ffbde
SigSeq: 0x00001B60F05E3E8D
SHA1: c44edc4bda9d9790113a3e250049e754f85ed1b8
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire
SigSeq: 0x00001B60F05E3E8D
SHA1: 16c2ffeb362c1367f182d5f8b736d36335b28d9d
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb
SigSeq: 0x00001B60F05E3E8D
SHA1: 9c5d46d712996ec0bd1d27bde31004e001c780cd
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\b5b28719cb3fef1dcf3665a0fa5e467c
SigSeq: 0x00001B60F05E3E8D
SHA1: e51c527d588e3b006593b82fe2b4730a5ef96f56
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\b5b28719cb3fef1dcf3665a0fa5e467c_expire
SigSeq: 0x00001B60F05E3E8D
SHA1: 1537589e9c156fa5d53ad7c6847ddb33d7b10809
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\b5b28719cb3fef1dcf3665a0fa5e467c_gb
SigSeq: 0x00001B60F05E3E8D
SHA1: d32972df79aa44cec2cea935473d57ac4309ab3f
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\e8882aa44ad634f346a0b72f049c2e4c
SigSeq: 0x00001B60F05E3E8D
SHA1: 8566cf3b8edcdb98a09e34cf55dc6c2f9b8795eb
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\e8882aa44ad634f346a0b72f049c2e4c_expire
SigSeq: 0x00001B60F05E3E8D
SHA1: 113d96d5ffb089a50dbc9b3bade2ae171385e126
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\e8882aa44ad634f346a0b72f049c2e4c_gb
SigSeq: 0x00001B60F05E3E8D
SHA1: 09c63614167416a6f4bb2dc50f55673d26022b72
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\f549b5fe5415a60b55613d504ecb75f6
SigSeq: 0x00001B60F05E3E8D
SHA1: ca349deed20ceb707a53be7ba58ac885244f357f
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\f549b5fe5415a60b55613d504ecb75f6_expire
SigSeq: 0x00001B60F05E3E8D
SHA1: b7a064be67a3548127953e5eb75c1e1143b88314
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\f549b5fe5415a60b55613d504ecb75f6_gb
SigSeq: 0x00001B60F05E3E8D
SHA1: 6b6ba1a1b2ac1587391eb6d13c311e27a9f44abc
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\dgapi.js
SigSeq: 0x00001B60F05E3E8D
SHA1: c037b1e24531ebeb5d094cd1b5f68ab8cd4b2a2d
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\dgmain.js
SigSeq: 0x00001B60F05E3E8D
SHA1: 1c62e9e8544858a3e902281d30c52064c5bf964b
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\dgmain_app_bg.js
SigSeq: 0x00001B60F05E3E8D
SHA1: 36181d902d4707ca017b7e8a5a58265870d290f4
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\dgmain_app_cs.js
SigSeq: 0x00001B60F05E3E8D
SHA1: 2b9b0d8190a5f3dd8ae99d6e4c0db39b0d0c2123
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\jquery4toolbar.js
SigSeq: 0x00001B60F05E3E8D
SHA1: c559ab91e420bdca977c4c4c3f7f5e8564a78fb2
file://c:\users\j1977_000\AppData\LocalLow\webzoom\content\TrayIcons\logo.ico
SigSeq: 0x00001B60F05E3E8D
SHA1: 05fb8a9e334558c07d39b6f9222d751d16270671
file://C:\WINDOWS\shost.bin->coz32host.exe
SigSeq: 0x00001087F66AECA1
file://C:\WINDOWS\shost.bin->coz64host.exe
SigSeq: 0x000010879BF97BDD
file://C:\WINDOWS\shost.bin->cozaghost.exe
SigSeq: 0x00001087C7008AEF
file://C:\WINDOWS\shost.bin->cozahost.exe
SigSeq: 0x000010870499555D
file://C:\WINDOWS\shost.bin->cozwdhost.exe
SigSeq: 0x00001087E06CD6DF
file://C:\WINDOWS\shost.bin->webzoomL32.dll
SigSeq: 0x000010873CC3523E
file://C:\WINDOWS\shost.bin->webzoomL64.dll
SigSeq: 0x0000108738BA4B81
file://C:\WINDOWS\shost.bin->webzoomutil32.dll
SigSeq: 0x00001087495F84BF
SHA1: 219f2ac4a349aa7abf8d1ee2d10455ae4013fde8
file://C:\WINDOWS\System32\Tasks\Tempo Runner coz32host
file://C:\WINDOWS\System32\Tasks\Tempo Runner coz64host
file://C:\WINDOWS\Tasks\Tempo Runner coz64host.job
folder://C:\ProgramData\webzoom\
SigSeq: 0x00000A60BEFD3BDA
folder://C:\ProgramData\webzoom\1.1.0.29\
SigSeq: 0x00000A60BEFD3BDA
folder://C:\ProgramData\webzoom\1.1.0.29\content\
SigSeq: 0x00000A60BEFD3BDA
folder://c:\users\j1977_000\AppData\LocalLow\webzoom\
SigSeq: 0x00001B60F05E3E8D
folder://c:\users\j1977_000\AppData\LocalLow\webzoom\content\
SigSeq: 0x00001B60F05E3E8D
folder://c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\
SigSeq: 0x00001B60F05E3E8D
folder://c:\users\j1977_000\AppData\LocalLow\webzoom\content\TrayIcons\
SigSeq: 0x00001B60F05E3E8D
taskscheduler://C:\WINDOWS\System32\Tasks\Tempo Runner coz32host
taskscheduler://C:\WINDOWS\System32\Tasks\Tempo Runner coz64host
taskscheduler://C:\WINDOWS\Tasks\Tempo Runner coz64host.job

Quick Scan Removal Results
----------------
Start 'remove' for file://\\?\C:\WINDOWS\Tasks\Tempo Runner coz64host.job
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\System32\Tasks\Tempo Runner coz64host
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\System32\Tasks\Tempo Runner coz32host
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\shost.bin->webzoomutil32.dll
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\shost.bin->webzoomL64.dll
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\shost.bin->webzoomL32.dll
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\shost.bin->cozwdhost.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\shost.bin->cozahost.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\shost.bin->cozaghost.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\shost.bin->coz64host.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\WINDOWS\shost.bin->coz32host.exe
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\TrayIcons\logo.ico
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\jquery4toolbar.js
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\dgmain_app_cs.js
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\dgmain_app_bg.js
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\dgmain.js
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\dgapi.js
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\f549b5fe5415a60b55613d504ecb75f6_gb
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\f549b5fe5415a60b55613d504ecb75f6_expire
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\f549b5fe5415a60b55613d504ecb75f6
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\e8882aa44ad634f346a0b72f049c2e4c_gb
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\e8882aa44ad634f346a0b72f049c2e4c_expire
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\e8882aa44ad634f346a0b72f049c2e4c
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\b5b28719cb3fef1dcf3665a0fa5e467c_gb
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\b5b28719cb3fef1dcf3665a0fa5e467c_expire
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\b5b28719cb3fef1dcf3665a0fa5e467c
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\8f43b50088266b9870b42ce6ef7ffbde
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\7c0022298b948a99e406a6310bffea7f_gb
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\7c0022298b948a99e406a6310bffea7f_expire
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\7c0022298b948a99e406a6310bffea7f
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\73f82623658278cf03c2acf12426f916_gb
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\73f82623658278cf03c2acf12426f916_expire
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\73f82623658278cf03c2acf12426f916
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\5353fe618a525cf84c7c3e117446f2d5_gb
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\5353fe618a525cf84c7c3e117446f2d5_expire
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\5353fe618a525cf84c7c3e117446f2d5
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\3ab6cfcad30baf81fac23ae3890bffc8
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\2d455ce3c6c24563563a9d5d01ef3156_gb
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\2d455ce3c6c24563563a9d5d01ef3156_expire
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\2d455ce3c6c24563563a9d5d01ef3156
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\29c726c70fa66389578f5986eedd9ce4_gb
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\29c726c70fa66389578f5986eedd9ce4_expire
Operation succeeded !

Start 'remove' for file://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\29c726c70fa66389578f5986eedd9ce4
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\webzoomutil32.dll
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\webzoomL64.dll
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\webzoomL32.dll
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\webzoom.xpi
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\Uninstaller.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\logo.ico
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\cozwdhost.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\cozahost.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\cozaghost.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\coz64host.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\coz32host.exe
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\content\jquery4toolbar.js
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\content\dgmain_app_cs.js
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\content\dgmain_app_bg.js
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\content\dgmain.js
Operation succeeded !

Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\content\dgapi.js
Operation succeeded !

Start 'remove' for taskscheduler://\\?\C:\WINDOWS\Tasks\Tempo Runner coz64host.job
Operation succeeded !

Start 'remove' for taskscheduler://\\?\C:\WINDOWS\System32\Tasks\Tempo Runner coz64host
Operation succeeded !

Start 'remove' for taskscheduler://\\?\C:\WINDOWS\System32\Tasks\Tempo Runner coz32host
Operation succeeded !

Start 'remove' for folder://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\TrayIcons\
Operation succeeded !

Start 'remove' for folder://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\cache\
Operation succeeded !

Start 'remove' for folder://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\content\
Operation succeeded !

Start 'remove' for folder://\\?\c:\users\j1977_000\AppData\LocalLow\webzoom\
Operation succeeded !

Start 'remove' for folder://\\?\C:\ProgramData\webzoom\1.1.0.29\content\
Operation succeeded !

Start 'remove' for folder://\\?\C:\ProgramData\webzoom\1.1.0.29\
Operation succeeded !

Start 'remove' for folder://\\?\C:\ProgramData\webzoom\
Operation succeeded !


Results Summary:
----------------
Found Adware:Win32/ZoomyLib and Removed!
Microsoft Safety Scanner Finished On Mon Feb 09 07:46:12 2015


Return code: 6 (0x6)
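Gary R's instructions point to C:\Windows\debug\msert.log, and the report posted above is that file. Two details in it deserve a second look before calling the machine clean. The "Scan ERROR" lines are expected noise: code 5 is ERROR_ACCESS_DENIED on protected processes, code 32 is ERROR_SHARING_VIOLATION on hiberfil.sys, pagefile.sys and swapfile.sys, which the kernel holds open. And the removal section records a removal for every member of the C:\WINDOWS\shost.bin container (coz32host.exe, cozaghost.exe, webzoomL32.dll and so on) but never for the container resource itself, so whether shost.bin is still on disk should be confirmed by hand. The Python below is an added example, not the scanner's own code and not part of the thread; it parses the detection and removal sections, keeps the SHA1 of each detected file for later IOC lookups, cross-checks every detected resource against a recorded "Operation succeeded", flags scan-error codes outside the expected set, and maps the return code using the values Microsoft documents for msert.exe (0, 6, 7, 8; confirm against the current documentation). SAMPLE_MSERT_LOG is a constructed, shortened excerpt of the posted report.

```python
import re

# Constructed excerpt of the msert.log posted above (paths and hashes copied, list shortened).
SAMPLE_MSERT_LOG = r"""->Scan ERROR: resource process://pid:388,ProcessStart:130678930964350438 (code 0x00000005 (5))
Quick Scan Results for EA89F60F-C199-4918-80A8-8BF9B7E02E5E:
----------------
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
Threat detected: Adware:Win32/ZoomyLib
containerfile://C:\WINDOWS\shost.bin
SHA1: 36a0b07b202ea5421f8bb65c372f8786d64e2254
file://C:\ProgramData\webzoom\1.1.0.29\coz32host.exe
SigSeq: 0x00001087F66AECA1
SHA1: d089b03beedb1f032abd47b22b1f3e72ef6cf1be
file://C:\WINDOWS\shost.bin->coz32host.exe
SigSeq: 0x00001087F66AECA1
taskscheduler://C:\WINDOWS\System32\Tasks\Tempo Runner coz32host
Quick Scan Removal Results
----------------
Start 'remove' for file://\\?\C:\WINDOWS\shost.bin->coz32host.exe
Operation succeeded !
Start 'remove' for file://\\?\C:\ProgramData\webzoom\1.1.0.29\coz32host.exe
Operation succeeded !
Start 'remove' for taskscheduler://\\?\C:\WINDOWS\System32\Tasks\Tempo Runner coz32host
Operation succeeded !
Results Summary:
Return code: 6 (0x6)
"""

RESOURCE_RE = re.compile(r"^(?P<scheme>[a-z]+)://(?P<path>.+)$")
SCAN_ERR_RE = re.compile(r"^->Scan ERROR: resource (?P<res>.+?) \(code 0x[0-9A-Fa-f]+ \((?P<code>\d+)\)\)$")
REMOVE_RE = re.compile(r"^Start 'remove' for (?P<scheme>[a-z]+)://(?P<path>.+)$")
RETCODE_RE = re.compile(r"^Return code: (?P<code>\d+)")

# msert.exe return codes as documented by Microsoft (confirm against the current documentation).
RETURN_CODES = {0: "no infection found", 6: "infection found and removed",
                7: "infection found, partially removed", 8: "infection found, not removed"}
# Win32 error codes that are expected noise in a scan: 5 = ERROR_ACCESS_DENIED (protected
# processes), 32 = ERROR_SHARING_VIOLATION (hiberfil.sys, pagefile.sys, swapfile.sys are held open).
BENIGN_SCAN_ERRORS = {5, 32}


def norm(scheme, path):
    # Match key: drop the \\?\ prefix the removal section adds; NTFS paths are case-insensitive.
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return (scheme, path.lower())


def parse_msert(text):
    """Collect detections (with SHA1), scan errors, removal results and the return code."""
    report = {"threats": {}, "scan_errors": [], "removals": {}, "return_code": None}
    section, threat, last, pending = "header", None, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("----"):
            continue
        if "Scan Results for" in line or line.endswith("Removal Results"):
            section = "remove" if line.endswith("Removal Results") else "detect"
            continue
        m = SCAN_ERR_RE.match(line)
        if m:
            report["scan_errors"].append((m.group("res"), int(m.group("code"))))
            continue
        m = RETCODE_RE.match(line)
        if m:
            report["return_code"] = int(m.group("code"))
            continue
        if section == "detect":
            m = RESOURCE_RE.match(line)
            if line.startswith("Threat detected: "):
                threat = line.split(": ", 1)[1]
                report["threats"].setdefault(threat, [])
            elif m and threat:  # a resource attributed to the current threat; a SHA1 line may follow
                last = {"scheme": m.group("scheme"), "path": m.group("path"), "sha1": None}
                report["threats"][threat].append(last)
            elif last and line.startswith("SHA1: "):
                last["sha1"] = line[len("SHA1: "):]
        elif section == "remove":
            m = REMOVE_RE.match(line)
            if m:
                pending = norm(m.group("scheme"), m.group("path"))
                report["removals"][pending] = None  # verdict is on the following line
            elif pending and line.startswith("Operation "):
                report["removals"][pending] = line.startswith("Operation succeeded")
    return report


def unconfirmed(report):
    """Detected resources with no recorded successful removal: confirm these by hand."""
    return [(t, r["scheme"] + "://" + r["path"]) for t, rs in report["threats"].items()
            for r in rs if report["removals"].get(norm(r["scheme"], r["path"])) is not True]


def unexpected_scan_errors(report):
    return [(res, code) for res, code in report["scan_errors"] if code not in BENIGN_SCAN_ERRORS]


def verdict(report):
    return RETURN_CODES.get(report["return_code"], "unknown return code %r" % report["return_code"])
```

On the sample, `verdict` returns "infection found and removed" (return code 6), both scan errors are in the expected set, every recorded removal succeeded, and `unconfirmed` lists exactly one item: containerfile://C:\WINDOWS\shost.bin, the container whose members were removed but which has no removal entry of its own. The FRST fixlist earlier in the thread did not touch shost.bin either, so a follow-up scan or a manual check of that path is the sensible last step.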