Corrine Help please

ComboFix 14-04-30.01 - lee 05/02/2014 20:35:12.1.4 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.8190.6099 [GMT -4:00]
Running from: c:\users\lee\Desktop\ComboFix.exe
AV: Emsisoft Anti-Malware *Disabled/Updated* {8504DEEF-CC04-1F76-2137-F1A5F4A659DA}
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Emsisoft Anti-Malware *Disabled/Updated* {3E653F0B-EA3E-10F8-1B87-CAD78F211367}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\programdata\ZeoBIT
c:\programdata\ZeoBIT\PCKeeper\history.xml
c:\users\lee\AppData\Roaming\Adobe\plugs
c:\users\lee\AppData\Roaming\Adobe\shed
c:\users\lee\AppData\Roaming\chrtmp
c:\users\lee\AppData\Roaming\inst.exe
c:\users\lee\AppData\Roaming\Microsoft\AdjMmsVista.dll
c:\users\lee\AppData\Roaming\vso_ts_preview.xml
c:\users\lee\GoToAssistDownloadHelper.exe
c:\windows\MICROSOFT
c:\windows\MICROSOFT\System Update kb70007\Installer.dll
c:\windows\MICROSOFT\System Update kb70007\InstallerLibrary.dll
c:\windows\MICROSOFT\System Update kb70007\win32.reg
c:\windows\MICROSOFT\System Update kb70007\WindowsUpdater.exe
c:\windows\SysWow64\drivers\npf.sys
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\wpcap.dll
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NPF
-------\Service_System Update kb70007
-------\Service_System Update kb70007
.
.
((((((((((((((((((((((((( Files Created from 2014-04-03 to 2014-05-03 )))))))))))))))))))))))))))))))
.
.
2014-05-03 00:46 . 2014-05-03 00:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-05-03 00:46 . 2014-05-03 00:46 -------- d-----w- c:\users\AppData\AppData\Local\temp
2014-05-03 00:20 . 2014-04-16 07:22 10651704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{5F130446-1135-48B0-8234-0EAA74776B09}\mpengine.dll
2014-05-02 19:25 . 2014-05-02 19:28 -------- d-----w- C:\ANTIVIRUS NEW JUNKWARE REMOVE TOOL
2014-05-02 13:51 . 2014-04-16 07:22 10651704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-05-02 01:58 . 2014-05-02 02:39 -------- d-----w- C:\AdwCleaner
2014-05-02 01:42 . 2014-05-02 01:42 1031560 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{29A5DB2B-E07B-4ECC-BD4F-C0D183236427}\gapaengine.dll
2014-05-02 01:39 . 2014-05-02 01:39 -------- d-----w- c:\windows\ERUNT
2014-05-02 01:30 . 2014-05-02 01:30 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2014-05-02 01:18 . 2014-05-02 01:18 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2014-05-02 01:18 . 2014-05-02 01:18 -------- d-----w- c:\program files\Microsoft Security Client
2014-05-02 00:47 . 2014-05-02 00:45 313256 ----a-w- c:\windows\system32\javaws.exe
2014-05-02 00:46 . 2014-05-02 00:46 108968 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2014-05-02 00:46 . 2014-05-02 00:45 189352 ----a-w- c:\windows\system32\javaw.exe
2014-05-02 00:46 . 2014-05-02 00:45 189352 ----a-w- c:\windows\system32\java.exe
2014-05-02 00:45 . 2014-05-02 00:45 -------- d-----w- c:\program files\Java
2014-05-02 00:01 . 2014-05-02 00:01 0 ----a-w- c:\windows\SysWow64\RENBC87.tmp
2014-05-02 00:01 . 2014-05-02 00:01 0 ----a-w- c:\windows\SysWow64\RENBC86.tmp
2014-05-02 00:01 . 2014-05-02 00:01 0 ----a-w- c:\windows\SysWow64\RENBC85.tmp
2014-05-01 23:50 . 2014-05-01 23:50 -------- d-----w- c:\users\lee\AppData\Local\Avg2013
2014-05-01 15:59 . 2014-05-01 15:59 -------- d-----w- c:\programdata\Immunet
2014-05-01 15:58 . 2014-05-02 01:04 -------- d-----w- c:\program files\Immunet
2014-05-01 15:48 . 2013-09-02 07:58 175528 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2014-05-01 15:24 . 2014-05-01 15:24 -------- d-----w- c:\program files\Pale Moon
2014-05-01 15:17 . 2014-05-02 02:16 -------- d-----w- C:\download 5
2014-04-30 19:13 . 2014-04-30 19:13 -------- d-----w- c:\users\lee\AppData\Roaming\MiniGet
2014-04-30 19:13 . 2014-04-30 23:02 -------- d-----w- c:\program files (x86)\MiniGet
2014-04-30 19:12 . 2014-04-30 19:12 -------- d-----w- c:\program files (x86)\Worldwide Web Research
2014-04-30 19:12 . 2014-04-30 19:12 -------- d-----w- c:\program files (x86)\MSR
2014-04-28 02:55 . 2014-04-28 02:55 -------- d-----w- c:\windows\system32\SRSLabs
2014-04-28 02:53 . 2014-04-28 02:53 154840 ----a-w- c:\windows\system32\RCoInstII64.dll
2014-04-28 02:53 . 2014-04-28 02:53 2770976 ----a-w- c:\windows\system32\FMAPO64.dll
2014-04-28 02:53 . 2014-04-28 02:53 113576 ----a-w- c:\windows\system32\CONEQMSAPOGUILibrary.dll
2014-04-28 02:53 . 2014-04-28 02:53 209096 ----a-w- c:\windows\system32\AERTAC64.dll
2014-04-28 02:53 . 2014-04-28 02:53 108640 ----a-w- c:\windows\system32\AERTAR64.dll
2014-04-28 01:28 . 2014-04-28 01:28 -------- d-----w- C:\found.000
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-02 18:51 . 2012-04-06 19:03 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-05-02 18:51 . 2011-05-27 22:28 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-28 22:17 . 2009-08-20 03:15 281288 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2014-04-28 22:17 . 2009-08-20 03:15 281288 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2014-04-28 02:54 . 2009-08-18 04:28 2787032 ----a-w- c:\windows\system32\RtkAPO64.dll
2014-04-26 01:05 . 2009-08-20 03:15 290776 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2014-03-11 13:52 . 2014-03-11 13:52 133928 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2014-03-10 22:17 . 2013-12-23 21:40 128288 ----a-w- c:\windows\system32\IObitSmartDefragExtension.dll
2014-02-03 21:14 . 2014-02-03 21:14 12872 ----a-w- c:\windows\system32\bootdelete.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files (x86)\Common Files\AOL\1250564758\ee\AOLSoftware.exe" [2010-03-08 41800]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files (x86)\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files (x86)\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 7ByteIo;7ByteIo;c:\program files (x86)\Hot CPU Tester Pro 4 LE\SysInfoX64.sys;c:\program files (x86)\Hot CPU Tester Pro 4 LE\SysInfoX64.sys [x]
R3 a2acc;a2acc;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys;c:\program files (x86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [x]
R4 a2AntiMalware;Emsisoft Anti-Malware 8.0 - Service;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe;c:\program files (x86)\Emsisoft Anti-Malware\a2service.exe [x]
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys;c:\program files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [x]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-06-20 20:05 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-09-28 11:03]
.
2013-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-09-28 11:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2013-12-10 2279712]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = http=127.0.0.1:8118;https=127.0.0.1:8118
uSearchAssistant = Google
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\lee\AppData\Roaming\Mozilla\Firefox\Profiles\g84aw4dt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.sysnative.com/forums/security-arena/9693-corrine-help-please.html#post72139
FF - prefs.js: network.proxy.http - 119.110.73.23
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-EfficientReminderFree - (no file)
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
AddRemove-Coupon Printer for Windows5.0.0.1 - c:\program files (x86)\Coupons\uninstall.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4d,53,f2,a0,d0,d2,6e,4c,aa,e6,2c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4d,53,f2,a0,d0,d2,6e,4c,aa,e6,2c,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,4d,53,f2,a0,d0,d2,6e,4c,aa,e6,2c,\
.
[HKEY_USERS\S-1-5-21-4147492450-2785938924-1459033839-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:80,59,9b,da,d1,bc,68,a2,1a,39,bb,61,34,61,83,89,5a,4c,2c,54,23,
10,19,f0,a8,42,bb,26,56,f6,23,58,43,49,b8,ea,28,68,82,47,aa,8f,da,c9,da,54,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_206_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_206.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\windows\system32\hasplms.exe
c:\hp\HPEZBTN\HPBtnSrv.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\windows\SysWOW64\nlssrv32.exe
c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe
c:\program files (x86)\IObit\Driver Booster\DriverBooster.exe
.
**************************************************************************
.
Completion time: 2014-05-02 20:58:51 - machine was rebooted
ComboFix-quarantined-files.txt 2014-05-03 00:58
.
Pre-Run: 310,281,203,712 bytes free
Post-Run: 309,710,282,752 bytes free
.
- - End Of File - - E78C41D4C612124BBCB1DA37F9753C7A
03BA8F890B47C0BE359A4D5A636D214D
 
Ok here is my question:

1) ComboFix said there was a conflict with MSE. It did not give me a chance to stop ComboFix and turn off MSE; ComboFix just started running. So, as I was told, I left it alone to run its course.

Should I turn off or uninstall MSE (since it is not in the task bar anyway, again!) and re-run ComboFix with MSE off?



OK Now I think you fixed it:
No more virus

2) The doors forum posts just like normal. Even with Adblock plus off no more redirect.

3) The health grades website is no longer redirect or POP UP ADs or Bogus ads.

I really think this is it.

4) Can you tell me what ComboFix found and what it deleted? How do I read the log?


OMG tytytytyty:dance:
 
5) Are the files ComboFix found in quarantine, or are they deleted? If in quarantine, how do I find the quarantine files and delete them?
 
Hi, nd2121.

1. You posted while I was reviewing your log and proposing a suggestion about the Doors Forum, but it appears that was resolved. The files removed by ComboFix are shown at the top of the log. We'll take care of the quarantine and the other tools after you respond to #2.

2. Please confirm that you uninstalled Immunet and Iobit Smart Defrag as there appears to be some fragments left over that can be removed with ComboFix.
 
Hi, nd2121.

1. Regarding The Doors forum, from a post yesterday by the admin here, it appears there has been a problem with that forum, particularly since he mentions getting it cleaned up:

Just like you can't keep a good man down, you also can't keep a good message board down! We are most likely going to open this back up as the official message board again! I just opened up registrations again for the first time in YEARS. Once we get things cleaned up, we'll open the flood gates again and we'll be back in business. :)

If you only have a problem at that site, I suggest you clear your cache and delete all cookies for that site. If you are still getting the popup to lpcloudbox327.com, I suggest you notify "Familiar Freak" that the site still has a problem. You may also want to add lpcloudbox327.com to your HOSTS file, redirecting it to 127.0.0.1. If you need instructions on how to do that, let me know.

2. Please confirm that you uninstalled Immunet and Iobit Smart Defrag as there appears to be some fragments left over that can be removed with ComboFix.

When Dave said CLEANED UP, he meant trolls and problems integrating the forum with the main website. Bottom line is you misunderstood. He did not mean virus or control problems. It seems that certain buttons got infected from different websites. Weird but true. After ComboFix it is working perfectly everywhere, including the Doors forum. It was 100% the virus.
Also keep in mind I tried the same buttons in IE and Firefox and it was working just fine. The virus for sure was in Pale Moon somehow.


I like IObit Defrag. It is still on my system, and why can't I keep it? I used it for years. It works, and it does not seem ComboFix deleted it at all.

Immunet: they say it is made to work together with MSE. Do you think I can keep it and run it at the same time? I only installed it yesterday, before I met you, because I was trying anything. This was recommended to me.


So I did not uninstall Defrag (did not know I had to), and Immunet I forgot I installed yesterday. I would like to keep them.

Also, you never answered whether I should uninstall MSE and run ComboFix again, since it said there was a conflict. It did not give me a chance to stop MSE.

Also, what virus did ComboFix find, and is it in quarantine or deleted?
 
Hi, nd2121.

It is your computer so of course you can keep Immunet -- although only use it as a second opinion and do not run it at the same time as MSE. Remember only one antivirus software at a time. As to Iobit, again, it is your computer. The reason I asked about the two programs is because they were shown in the installed programs list so they appeared to be remnants.

No, you do not need to run ComboFix again. As to what ComboFix removed, as I said the files are shown in the log. One that stood out was wininit.ini because the legitimate file is located in System32, not in C:\Windows.

Ok, let's clean up! This will take care of the ComboFix quarantine file too.

1. Please do the following to implement cleanup procedures and also to reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall

2. Double-click on AdwCleaner.exe to run the tool again.
  • Click on the Uninstall button.
  • Click Yes when asked are you sure you want to uninstall.
  • Both AdwCleaner.exe, its folder and all logs will be removed.

3. Delete Junkware Removal Tool from your desktop.

Having a firewall, anti-virus and anti-malware software is not enough. You also need to stay current with security updates. If you don't have your computer set to automatically install the Microsoft Security Updates, please check for updates now.

Please refer to the Safe Computing Practices and other recommendations in this updated copy of "So how did I get infected in the first place?".
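As an added example (not code from this thread, from ComboFix, or from its author), the following Python script shows one way to "read the log" in the sense discussed above: it splits a ComboFix log into its banner-delimited sections, parses the `Files Created` entries, and flags deletions whose paths match the kind of thing called out here (the legitimate `wininit.ini` location named above, a binary dropped straight into `AppData\Roaming`, an executable in the drive root). The sample lines are excerpted from the log posted at the top of this thread; the expected-folder table and the two path heuristics are my own assumptions, not anything ComboFix itself reports.

```python
"""Triage helper for ComboFix logs (added example, not part of ComboFix).

Splits the log into its '(((( Section ))))' banners, parses the dated
'Files Created' entries, and flags deleted paths worth a second look.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Banner lines look like '((((((( Other Deletions )))))))'.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# 'created . modified size attrs path'; size is '--------' for directories.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(\S+)\s+([a-z-]{8})\s+(.+)$"
)


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories
    attrs: str            # e.g. 'd-----w-' (directory), '----a-w-' (archive)
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty, non-'.' lines under the banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def parse_entries(lines: List[str]) -> List[Entry]:
    """Parse 'Files Created' / 'Find3M' style lines; skip anything else."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append(Entry(created, modified,
                             None if size.startswith("-") else int(size),
                             attrs, path))
    return entries


# Assumed baseline: filenames that belong in one specific folder. The
# wininit.ini location is the one named by the helper in this thread.
EXPECTED_DIR = {"wininit.ini": r"c:\windows\system32"}
# Assumed heuristics: a binary sitting directly in a user's Roaming folder,
# or an .exe directly in a drive root, is unusual for legitimate software.
USER_DROP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.(exe|dll)$", re.I)
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe$", re.I)


def flag_path(path: str) -> Optional[str]:
    """Return a short reason if the path looks suspicious, else None."""
    p = path.lower()
    folder, _, name = p.rpartition("\\")
    if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
        return f"{name} outside its expected folder ({EXPECTED_DIR[name]})"
    if USER_DROP_RE.match(p):
        return "binary dropped directly in AppData\\Roaming"
    if ROOT_EXE_RE.match(p):
        return "executable in drive root"
    return None


def triage(text: str) -> dict:
    """Collect the deletion list, parsed creations, and flagged deletions."""
    sections = split_sections(text)
    deleted = sections.get("Other Deletions", [])
    created_key = next((k for k in sections if k.startswith("Files Created")), None)
    created = parse_entries(sections[created_key]) if created_key else []
    flagged: List[Tuple[str, str]] = []
    for path in deleted:
        reason = flag_path(path)
        if reason:
            flagged.append((path, reason))
    return {"deleted": deleted, "created": created, "flagged": flagged}


# Excerpt of the log posted in this thread, used as sample input.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Install.exe
c:\users\lee\AppData\Roaming\inst.exe
c:\users\lee\AppData\Roaming\Microsoft\AdjMmsVista.dll
c:\windows\MICROSOFT\System Update kb70007\WindowsUpdater.exe
c:\windows\wininit.ini
.
((((((((((((((((((((((((( Files Created from 2014-04-03 to 2014-05-03 )))))))))))))))))))))))))))))))
.
2014-05-02 01:58 . 2014-05-02 02:39 -------- d-----w- C:\AdwCleaner
2014-05-02 00:47 . 2014-05-02 00:45 313256 ----a-w- c:\windows\system32\javaws.exe
2014-05-01 15:48 . 2013-09-02 07:58 175528 ----a-w- c:\windows\system32\drivers\tmcomm.sys
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['deleted'])} deletions, {len(result['created'])} created entries")
    for path, reason in result["flagged"]:
        print(f"  FLAG {path}: {reason}")
```

Run it against a full saved ComboFix log by replacing `SAMPLE_LOG` with the file's contents; the flags are only prompts for a closer look, not verdicts.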
 
Ok, I did what you asked and also saved the ComboFix log so I can look tomorrow. Getting tired.

1) Any Windows updates I will do tomorrow. Promise :smile9:

2) Since I need to get some sleep (been a long 2 days), please post any other instructions and I will gladly do them tomorrow.

3) It seems to me (what do I know) that although Malwarebytes and MSE found some of the virus, ComboFix is the one that cleared it up. Are you convinced we got 100% of the virus now? Anything else we can do tomorrow?

4) Is there any way of knowing what the main mother ship virus was (name)?

Saying Thank you for all your work and time and effort does not seem like enough. You really saved us.

Good night


PS I was smart enough to use the PM backup on a regular basis (before the virus). It really saved my bookmarks and profile. What a great tool. Sort of like a tire jack: you never think it is important until you need it. One thing, if you speak to the Pale Moon owner: ask him if it is possible to incorporate an automatic backup scheduler, once a month or week, etc.
 
Hi, nd2121.

It is no surprise that this was an exhausting process.

Addressing Question 3):

There are no guarantees. It was not only ComboFix that cleaned your computer. A lot of heavy lifting had already been done before running ComboFix.

Addressing Question 4):

Your computer had multiple trojans and PUPs. The trojans removed by Malwarebytes were identified as BHOs (browser hijack or helper objects). Microsoft describes Trojan:Win32/Bumat!rts, which MSE found, as a generic detection because the malicious behaviors vary from one detection to the next. There were also a lot of PUPs (Potentially Unwanted Programs), which are generally reputed to have trackware functionality and search redirects. PUPs and browser hijackers are usually bundled with various third-party software.

Another source of malware is P2P software. Seeing bitRipper and BitTorrent installed on your computer, it does not surprise me that your computer was infected. P2P programs form a direct conduit on to your computer. They have always been a target of malware writers. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

With P2P file sharing, what means do you have of identifying or authenticating the source of the download? In addition, a file can be distributed among many hosts, and peers will provide for download the sections that they have already downloaded. This results in the distinct possibility of a distribution method in which malicious bits are mixed with good files.




Regarding your P.S., although it wouldn't have removed the other problems on your computer, you could have reset Pale Moon as satrow suggested when you posted on the Pale Moon forum:

Reset Pale Moon - (Alt) > Help > Troubleshooting information > Reset Pale Moon button, top right.
 
bitRipper and BitTorrent: I tried to see what they were. Someone told me to look at them. I never really used them at all. I forgot they were on my computer. I will delete them now. Thanks.

So are we done with all the instructions?

What virus scanner would you recommend for the weekly scan? And for protection? Anything better than MSE?

I tried those website and everything is working fine as normal and my computer shut down in 10 seconds last night (super fast)
 
Hi, nd2121.

Yes, we are finished with the instructions. :smile:

You could probably ask five different people for their recommendations and get five different suggestions. For a free antivirus program, I like Microsoft Security Essentials and ESET for a paid/licensed antivirus.

Although the free version works exceptionally well for scanning/cleaning, my personal favorite anti-malware program is Malwarebytes Anti-Malware Premium. I particularly like the real-time protection provided by the "Malware and Malicious Website protection". If you are interested in a lifetime license for Malwarebytes (version 2 is an annual subscription), you can see if there are any lifetime licenses remaining here: Malwarebytes | Update Your Malwarebytes Internet Security & Protection Software.

I have also been a very long-time user of WinPatrol, having used it since Windows 95.

  • The Host-based Intrusion Prevention System (HIPS) of WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • WinPatrol will allow you to lock your HOSTS file and will monitor changes.
  • WinPatrol is a powerful system monitor. Some of the features are described here (unofficial support site at WinPatrol Help & Information).

One thing I noticed in the cleanup of your computer is that there were a lot of temp files, some of which were "undesirable". So, something else you may want to do periodically is use TFC by Old Timer available from here (direct download): http://www.itxassociates.com/OT-Tools/TFC.exe

The standard instructions I provide for using TFC are as follows:

  • First, save any files as TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

More info:
TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB).

Before running, it will stop Explorer and all other running applications. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.
-- TFC only cleans temp folders.
-- TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail.

TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
 
Ok I just did TFC

Now my AOL stopped working. I know AOL is for amateurs; I like the email client. Any suggestions on a fix?


I guess it was all these programs I have been using the last 3 days. :banghead: lol
 
TFC only cleans temp folders. It would not have touched your AOL software.

Comparing your first DDS log with the second DDS log the four files shown below were in the first log but the AOL Desktop 9.7a entries are not shown in the second log.

C:\Program Files (x86)\Common Files\aol\1250564758\ee\aolsoftware.exe
C:\Program Files (x86)\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files (x86)\AOL Desktop 9.7a\waol.exe
C:\Program Files (x86)\AOL Desktop 9.7a\shellmon.exe

Other than updating Java and Adobe software and uninstalling the extra antivirus programs, the only tool run during that time was JRT which didn't have anything to do with AOL. Perhaps the best thing is to reinstall it.
 
Yeah, I tried that. It just shows a "stopped working" pop-up when I click on it. I uninstalled and reinstalled. Still does not work. I might call them tomorrow. I just like the mail client; I do not use it for anything else.


Thank you so much for all your help. You really saved us. You were so kind to spend all this time with me. The main issue is fixed. THE VIRUS

I will try to talk to AOL. I know most people hate it lol


What is that program called that removes (delete) programs completely? Shredder?
 
Well, it took me uninstalling AOL 3 times, then going through some steps, fixing the connection. Nothing seemed to work.

THEN I shut down all AOL processes through the task bar and uninstalled and reinstalled. THAT WORKED!

AOL makes it so hard when things go wrong. So touchy. People laugh when you say you use AOL. lol Hey, just the mail and just through TCP/IP. I had AOL 1.1 when it first came out lol. Bad habit I guess.

Well, I cannot thank you enough. The time you spent alone was too much to ask. I will make sure to tell the "boys" on the Pale Moon board tomorrow how nice you were to help me, and how much time you spent with me to fix it.

Believe it or not, in my immediate family I am the computer guru (don't laugh), comparatively. I have spent 20 hours helping family members. I know how frustrating it can be. My in-law got CryptoLocker. That was fun, NOT. I did some basic virus scans. He had 300 viruses, ranging from the basic to CryptoLocker. You have taught me some tricks and programs I did not know about.

I started to do the right steps, but fell way short. Without you I would be working on this for over a week.

If I can ever return the favor. Let me know.

PS I really tried to follow your steps to the letter. I guess the hard work paid off
 
You are welcome. I am happy I was able to help, nd2121.
 
Just a quick question followup

1) Why, when I click Pale Moon or Firefox right after the computer reboots (at the desktop), does it take so long for the browser to open? It could take a minute or more. Then, when the computer is all warmed up and the browsers are already open, I click to open a duplicate Pale Moon or Firefox and it opens in 1 second. Why does the first one always take so long?

Once the computer is running for a while, Pale Moon is always a little faster than Firefox. I have helped so many friends and family with Pale Moon. It is faster on every computer I put it on.

Depending on the computer, some take longer than others.

The one I am using here is a quad 64 and sadly came with the maximum of 8 gigs of RAM. Too bad I cannot put in 16 gigs. I remember a couple of years ago upgrading the video card to a GeForce with 512 MB RAM. That has helped the speed.
Anything else I can do that is worth doing to an aging computer?

Is an upgrade to Win 7 worth it? Vista is so close, and I remember going from Win 3.1 to Win 95, WHAT A NIGHTMARE! So I am cautious.
 
Hi, nd2121.

There are priorities at start up which need to happen first before the browser can launch. Certainly performance will differ between computers, particularly depending not only on the age and specs of the computer but also depending on what is in startup programs.

As to your computer, the OS was installed almost five years ago, 8/17/2009. Unlike many people, I liked Windows Vista but definitely like Windows 7 better. As long as the hardware is working well, an upgrade will provide the benefits of longer support and a more secure OS. However, a clean install rather than an upgrade would most likely provide greater benefits. You would want to run the Windows 7 Upgrade Advisor, available from here: Download Windows 7 Upgrade Advisor from Official Microsoft Download Center.

If you have a new computer in mind but aren't ready for the Windows 8 path, there are still refurbished Windows 7 computers available (not sure about new Windows 7, haven't checked).
 
Also, new Win 7's are out there. Just got one for my in-laws. They could never use Win 8. I hope Win 9 goes back to the old format.

Anything else I could do?

Wonder if overclocking is more trouble than it is worth?

I have a Core 2 Quad Q9300 2.5 GHz - 8 GB - 750 GB
  • Front Side Bus 1333 MHz

Graphics Controller
  • Type: plug-in card
  • Interface Type: PCI Express x16
  • Graphics Processor: NVIDIA GeForce 9800 GT
  • Video Memory: 512 MB GDDR3 SDRAM
  • Video Interfaces: DVI

Maybe a better video card? Well over 1 to 2 gig?

I could have sworn I changed this computer's video card. Must have been the one before.

It comes down to age vs. money. It does not pay to spend too much on an old computer.
 
