may be infected, advice please

Discussion in 'Malware Help (A Specialist Will Reply)' started by cer0, Oct 3, 2014.

cer0 (Private E-2)

    Code:
    Logfile of Trend Micro HijackThis v2.0.5
    Scan saved at 12:03:10 PM, on 10/1/2014
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v11.0 (11.00.9600.16518)
    
    FIREFOX: 32.0.3 (x86 en-US)
    Boot mode: Normal
    
    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe
    C:\Windows\system32\taskeng.exe
    c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
    c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
    C:\Program Files\VideoLAN\VLC\vlc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Opera\21.0.1432.67\opera.exe
    C:\Program Files\Opera\21.0.1432.67\opera_crashreporter.exe
    C:\Program Files\Opera\21.0.1432.67\opera.exe
    C:\Program Files\Opera\21.0.1432.67\opera.exe
    C:\Program Files\Opera\21.0.1432.67\opera.exe
    C:\Program Files\Opera\21.0.1432.67\opera.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
    C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
    C:\Users\nots0\Downloads\HijackThis.exe
    C:\Program Files\Opera\21.0.1432.67\opera.exe
    C:\Program Files\Opera\21.0.1432.67\opera.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    O2 - BHO: ExplorerWnd Helper - {10921475-03CE-4E04-90CE-E2E7EF20C814} - (no file)
    O2 - BHO: Drop Pad Web Backup - {25DA541F-6ACF-4052-A8AA-1D58284729C7} - mscoree.dll (file missing)
    O2 - BHO: Lync Click to Call BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~3\Office15\URLREDIR.DLL
    O2 - BHO: Microsoft SkyDrive Pro Browser Helper - {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - C:\PROGRA~1\MICROS~3\Office15\GROOVEEX.DLL
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
    O4 - HKLM\..\Run: [AdobeCEPServiceManager] "C:\Program Files\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTAgent.exe" -autorun
    O4 - Startup: CurseClientStartup.ccip
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office15\EXCEL.EXE/3000
    O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~3\Office15\ONBttnIE.dll/105
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office15\ONBttnIE.dll
    O9 - Extra button: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
    O9 - Extra 'Tools' menuitem: Lync Click to Call - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Office\Office15\OCHelper.dll
    O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
    O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office15\ONBttnIELinkedNotes.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
    O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
    O15 - Trusted Zone: *.clonewarsadventures.com
    O15 - Trusted Zone: *.freerealms.com
    O15 - Trusted Zone: *.soe.com
    O15 - Trusted Zone: *.sony.com
    O18 - Protocol: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O18 - Filter hijack: text/xml - {807583E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSOXMLMF.DLL
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: @comres.dll,-947 (COMSysApp) - Unknown owner - C:\Windows\system32\dllhost.exe
    O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PP Assistant Service - Unknown owner - C:\Program Files\PP助手2.0\adevicehelpersvr.exe (file missing)
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    
    --
    End of file - 7226 bytes

    Code:
    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-09-2014
    Ran by nots0 (administrator) on NOTS0-PC on 01-10-2014 11:20:15
    Running from C:\Users\nots0\Downloads
    Loaded Profile: nots0 (Available profiles: nots0)
    Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
    
    ==================== Processes (Whitelisted) =================
    
    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
    
    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
    (NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    (NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Brio) C:\Program Files\FolderSize\FolderSizeSvc.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
    () C:\Program Files\PP助手2.0\adevicehelpersvr.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
    (广州铁人网络科技有限公司) C:\Program Files\PP助手2.0\adevicehelpermon.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
    (Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
    (DT Soft Ltd) C:\Program Files\DAEMON Tools Pro\DTShellHlp.exe
    (Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
    (VideoLAN) C:\Program Files\VideoLAN\VLC\vlc.exe
    (Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
    (Opera Software) C:\Program Files\Opera\21.0.1432.67\opera.exe
    () C:\Program Files\Opera\21.0.1432.67\opera_crashreporter.exe
    (Opera Software) C:\Program Files\Opera\21.0.1432.67\opera.exe
    (Opera Software) C:\Program Files\Opera\21.0.1432.67\opera.exe
    (Opera Software) C:\Program Files\Opera\21.0.1432.67\opera.exe
    (Opera Software) C:\Program Files\Opera\21.0.1432.67\opera.exe
    (Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
    (Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
    (Adobe Systems, Inc.) C:\Windows\System32\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
    () C:\Users\nots0\Downloads\RogueKiller.exe
    (Symantec Corporation) C:\Users\nots0\Downloads\FixWelch.exe
    (Opera Software) C:\Program Files\Opera\21.0.1432.67\opera.exe
    (Trend Micro Inc.) C:\Users\nots0\Downloads\HijackThis.exe
    (Microsoft Corporation) C:\Windows\regedit.exe
    
    
    ==================== Registry (Whitelisted) ==================
    
    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
    
    HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [951576 2014-03-11] (Microsoft Corporation)
    HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [472992 2013-03-21] (Adobe Systems Incorporated)
    HKLM\...\Run: [AdobeCEPServiceManager] => C:\Program Files\Common Files\Adobe\CEPServiceManager4\CEPServiceManager.exe [1039248 2013-03-13] (Adobe Systems Incorporated)
    HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
    HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
    HKLM\...\Run: [] => [X]
    HKU\S-1-5-21-2709076479-299211639-3247174901-1000\...\Run: [DAEMON Tools Pro Agent] => C:\Program Files\DAEMON Tools Pro\DTAgent.exe [3108480 2012-10-23] (DT Soft Ltd)
    Startup: C:\Users\nots0\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip ()
    ShellIconOverlayIdentifiers: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [EnhancedStorageShell] -> {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} => C:\Windows\system32\EhStorShell.dll (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [Offline Files] -> {4E77131D-3629-431c-9818-C5679DC83E81} => C:\Windows\System32\cscui.dll (Microsoft Corporation)
    ShellIconOverlayIdentifiers: [SharingPrivate] -> {08244EE6-92F0-47f2-9FC9-929BAA2E7235} => C:\Windows\system32\ntshrui.dll (Microsoft Corporation)
    
    ==================== Internet (Whitelisted) ====================
    
    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
    
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xF2D628CCF41CCE01
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    SearchScopes: HKLM - DefaultScope {17C35237-2C6F-452E-B85E-66267434CAB2} URL = 
    SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3281675&CUI=UN40636566492054128
    SearchScopes: HKCU - DefaultScope {1BD93CF8-CB61-4E9C-BF3C-395BAB0FDB65} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
    SearchScopes: HKCU - {1BD93CF8-CB61-4E9C-BF3C-395BAB0FDB65} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
    BHO: No Name -> {10921475-03CE-4E04-90CE-E2E7EF20C814} ->  No File
    BHO: Drop Pad Web Backup -> {25DA541F-6ACF-4052-A8AA-1D58284729C7} -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)
    BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
    BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    Winsock: Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
    Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
    
    FireFox:
    ========
    FF ProfilePath: C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default
    FF Homepage: hxxp://www.google.com
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
    FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF Plugin: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~3\Office15\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
    FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @videolan.org/vlc,version=2.1.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
    FF Plugin HKCU: ubisoft.com/uplaypc -> C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll (Ubisoft)
    FF user.js: detected! => C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\user.js
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
    FF SearchPlugin: C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\searchplugins\google-ssl.xml
    FF SearchPlugin: C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\searchplugins\yahoo_ff.xml
    FF Extension: Ant Video Downloader - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\anttoolbar@ant.com [2014-08-02]
    FF Extension: Flash Video Downloader - YouTube Full HD Download - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\artur.dubovoy@gmail.com [2014-07-31]
    FF Extension: DoNotTrackMe: Online Privacy Protection - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\donottrackplus@abine.com [2014-07-10]
    FF Extension: LastPass - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\support@lastpass.com [2014-08-22]
    FF Extension: Flash and Video Download - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a} [2014-09-20]
    FF Extension: Custom New Tab - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\CNT@ednovak.net.xpi [2014-04-05]
    FF Extension: ImageBlock - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\imageblock@hemantvats.com.xpi [2013-09-28]
    FF Extension: InstantFox - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\searchy@searchy.xpi [2013-03-09]
    FF Extension: YouTube to MP3 - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\youtube2mp3@mondayx.de.xpi [2014-01-27]
    FF Extension: Gmail S/MIME - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\{4c197c8f-a50f-4b49-a2d2-ed922c95612f}.xpi [2013-03-12]
    FF Extension: Encrypted Communication - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\{52a7f893-d228-412e-9b28-bc61491462f6}.xpi [2013-03-12]
    FF Extension: Quick Translator - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\{5C655500-E712-41e7-9349-CE462F844B19}.xpi [2013-12-08]
    FF Extension: Downloads Window - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\{a7213cf2-fa1e-4373-88ff-255d0abd3020}.xpi [2014-01-27]
    FF Extension: Adblock Plus - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-04-25]
    FF Extension: Google Privacy - C:\Users\nots0\AppData\Roaming\Mozilla\Firefox\Profiles\tz0ans2l.default\Extensions\{ea61041c-1e22-4400-99a0-aea461e69d04}.xpi [2013-03-12]
    
    Chrome: 
    =======
    CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter}
    CHR CustomProfile: C:\Users\nots0\AppData\Local\Google\Chrome\User Data\Default
    CHR Extension: (Google Docs) - C:\Users\nots0\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-04-17]
    CHR Extension: (Google Drive) - C:\Users\nots0\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-17]
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\nots0\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-07-11]
    CHR Extension: (YouTube) - C:\Users\nots0\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-17]
    CHR Extension: (Google Search) - C:\Users\nots0\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-17]
    CHR Extension: (Google Wallet) - C:\Users\nots0\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-17]
    CHR Extension: (Gmail) - C:\Users\nots0\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-17]
    
    ========================== Services (Whitelisted) =================
    
    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
    
    R2 FolderSize; C:\Program Files\FolderSize\FolderSizeSvc.exe [114688 2013-02-13] (Brio) [File not signed]
    S4 LiveUpdateSvc; C:\Program Files\IObit\LiveUpdate\LiveUpdate.exe [2151200 2013-12-03] (IObit)
    R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
    R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
    R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22216 2014-03-11] (Microsoft Corporation)
    R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [279776 2014-03-11] (Microsoft Corporation)
    R2 PP Assistant Service; C:\Program Files\PP助手2.0\adevicehelpersvr.exe [118496 2014-08-14] () [File not signed]
    R2 Themes; C:\Windows\system32\themeservice.dll [37376 2014-01-27] (Microsoft Corporation) [File not signed]
    
    ==================== Drivers (Whitelisted) ====================
    
    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
    
    R1 AsIO; C:\Windows\System32\drivers\AsIO.sys [11296 2009-08-04] ()
    R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [242240 2013-03-09] (DT Soft Ltd)
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
    R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-10-01] (Malwarebytes Corporation)
    S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-05-12] (Malwarebytes Corporation)
    R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231960 2014-01-25] (Microsoft Corporation)
    R1 MpKsld5c8bc61; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{3AC102B6-99F5-4BDC-878F-6A6946893CD0}\MpKsld5c8bc61.sys [39464 2014-10-01] (Microsoft Corporation)
    R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [13216 2009-07-16] ()
    S3 taphss; C:\Windows\System32\DRIVERS\taphss.sys [33512 2012-07-24] (AnchorFree Inc)
    S3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [37064 2013-04-24] (Anchorfree Inc.)
    U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [34808 2014-10-01] ()
    R3 VIAHdAudAddService; C:\Windows\System32\drivers\viahduaa.sys [1150880 2013-03-09] (VIA Technologies, Inc.)
    R1 WinFLAdrv; C:\Windows\System32\WinFLAdrv.sys [29184 2013-03-10] ()
    S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog32.sys [X]
    S3 catchme; \??\C:\Users\nots0\AppData\Local\Temp\catchme.sys [X]
    S3 keycrypt; system32\DRIVERS\KeyCrypt32.sys [X]
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]
    
    ==================== NetSvcs (Whitelisted) ===================
    
    
    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
    
    
    ==================== One Month Created Files and Folders ========
    
    (If an entry is included in the fixlist, the file\folder will be moved.)
    
    2014-10-01 11:20 - 2014-10-01 11:21 - 00017767 _____ () C:\Users\nots0\Downloads\FRST.txt
    2014-10-01 11:19 - 2014-10-01 11:20 - 00000000 ____D () C:\FRST
    2014-10-01 11:19 - 2014-10-01 11:19 - 01100288 _____ (Farbar) C:\Users\nots0\Downloads\FRST.exe
    2014-10-01 11:07 - 2014-10-01 11:07 - 00007180 _____ () C:\Users\nots0\Downloads\hijackthis.log
    2014-10-01 11:01 - 2014-10-01 11:01 - 00388608 _____ (Trend Micro Inc.) C:\Users\nots0\Downloads\HijackThis.exe
    2014-10-01 10:45 - 2014-10-01 10:45 - 00000000 _____ () C:\Users\nots0\Downloads\FixWelch.log
    2014-10-01 10:44 - 2014-10-01 10:44 - 00175256 _____ (Symantec Corporation) C:\Users\nots0\Downloads\FixWelch.exe
    2014-10-01 10:38 - 2014-10-01 10:38 - 00034808 _____ () C:\Windows\system32\Drivers\TrueSight.sys
    2014-10-01 10:38 - 2014-10-01 10:38 - 00000000 ____D () C:\ProgramData\RogueKiller
    2014-10-01 10:37 - 2014-10-01 10:42 - 183376808 _____ (BeyondTrust, Inc.) C:\Users\nots0\Downloads\RetinaNetworkCommunity_EN.exe
    2014-10-01 10:31 - 2014-10-01 10:31 - 04893784 _____ () C:\Users\nots0\Downloads\RogueKiller.exe
    2014-10-01 08:48 - 2014-10-01 13:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TuneUp Utilities 2014
    2014-10-01 08:48 - 2014-10-01 13:53 - 00000000 ____D () C:\Program Files\TuneUp Utilities 2014
    2014-10-01 08:48 - 2014-10-01 08:48 - 00000000 ____D () C:\Users\nots0\AppData\Local\TuneUp Software
    2014-10-01 08:29 - 2014-10-01 08:29 - 00000000 ____D () C:\ProgramData\Martau
    2014-10-01 08:28 - 2014-10-01 13:53 - 00000000 ____D () C:\Program Files\Total Uninstall 6
    2014-10-01 08:16 - 2014-10-01 08:16 - 00347816 _____ (Microsoft Corporation) C:\Users\nots0\Downloads\MicrosoftFixit.ProgramInstallUninstall.MATSKB.Run(1).exe
    2014-09-28 06:54 - 2014-09-28 06:54 - 00001571 _____ () C:\Users\Public\Desktop\sine mora.lnk
    2014-09-28 06:53 - 2014-09-28 06:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kalypso Media
    2014-09-27 21:55 - 2014-09-27 21:55 - 00000000 ____D () C:\ProgramData\RELOADED
    2014-09-27 20:52 - 2014-09-27 20:52 - 00001853 _____ () C:\Users\Public\Desktop\mark of the ninja.lnk
    2014-09-27 20:52 - 2014-09-27 20:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Studios
    2014-09-27 20:47 - 2014-09-27 20:47 - 00000587 _____ () C:\Users\Public\Desktop\torchlight 2.lnk
    2014-09-27 20:35 - 2014-09-27 20:35 - 00001104 _____ () C:\Users\nots0\Desktop\dust an elysian tail.lnk
    2014-09-27 16:45 - 2014-09-27 16:45 - 00000703 _____ () C:\Users\nots0\Desktop\metal slug.lnk
    2014-09-27 16:44 - 2014-09-27 16:44 - 00000000 ____D () C:\Users\nots0\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SNK PLAYMORE
    2014-09-27 14:16 - 2014-09-27 14:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PP助手2.0
    2014-09-27 14:16 - 2014-09-27 14:16 - 00000000 ____D () C:\Program Files\PP助手2.0
    2014-09-27 14:15 - 2014-09-27 14:15 - 19521328 _____ (广州铁人网络科技有限公司) C:\Users\nots0\Downloads\ppsetup(1).exe
    2014-09-27 14:05 - 2014-09-27 14:05 - 21933992 _____ () C:\Users\nots0\Downloads\Tongbu_Setup_2.19.2_zsgw.exe
    2014-09-27 10:48 - 2014-09-27 10:48 - 00000000 ____D () C:\ProgramData\FaceOnBody2
    2014-09-27 10:43 - 2014-09-27 10:45 - 00000000 ____D () C:\Program Files\FaceOnBody2
    2014-09-27 10:43 - 2014-09-27 10:43 - 00000000 ____D () C:\Users\nots0\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FaceOnBody2
    2014-09-27 10:43 - 2014-09-27 10:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FaceOnBody2
    2014-09-26 23:21 - 2014-09-26 23:21 - 00402696 _____ () C:\Users\nots0\Downloads\setup(1).exe
    2014-09-25 20:32 - 2014-10-01 13:53 - 00000000 ____D () C:\Users\nots0\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SaveSense
    2014-09-25 20:32 - 2014-09-25 20:34 - 00000000 ____D () C:\Program Files\SaveSense
    2014-09-25 20:30 - 2014-09-25 20:30 - 00699016 _____ (CNET Download.com) C:\Users\nots0\Downloads\cbsidlm-cbsi213-Always_On_Top-SEO-10674027.exe
    2014-09-24 21:02 - 2014-09-27 16:46 - 00000895 _____ () C:\Users\nots0\Desktop\btd 5.lnk
    2014-09-24 21:01 - 2014-09-24 21:01 - 00000000 ____D () C:\Users\nots0\AppData\Roaming\com.ninjakiwi.BloonsTD5Deluxe
    2014-09-24 21:00 - 2014-09-24 21:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Bloons TD 5 Deluxe
    2014-09-04 14:26 - 2014-09-04 14:26 - 00000663 _____ () C:\Users\nots0\Desktop\left 4 dead 2.lnk
    2014-09-04 11:31 - 2014-09-04 11:31 - 00000008 _____ () C:\Users\nots0\Desktop\toysrus.txt
    
    ==================== One Month Modified Files and Folders =======
    
    (If an entry is included in the fixlist, the file\folder will be moved.)
    
    2014-10-01 13:53 - 2014-03-22 11:57 - 00000000 ____D () C:\NVIDIA
    2014-10-01 13:53 - 2013-03-10 00:49 - 00000000 ____D () C:\Program Files\Microsoft Baseline Security Analyzer 2
    2014-10-01 13:53 - 2013-03-09 18:31 - 00000000 ____D () C:\Users\nots0\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Curse
    2014-10-01 13:53 - 2013-03-09 14:36 - 00000000 ____D () C:\Users\nots0\AppData\Roaming\uTorrent
    2014-10-01 13:53 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\system32\wfp
    2014-10-01 13:53 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\registration
    2014-10-01 13:53 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\AppCompat
    2014-10-01 13:52 - 2013-12-19 17:35 - 00000000 ____D () C:\ProgramData\Apple Computer
    2014-10-01 13:52 - 2013-12-19 17:34 - 00000000 ____D () C:\Users\nots0\AppData\Local\Apple
    2014-10-01 13:52 - 2013-12-19 17:34 - 00000000 ____D () C:\ProgramData\Apple
    2014-10-01 11:01 - 2014-03-18 09:57 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2014-10-01 10:48 - 2014-04-17 19:33 - 00000884 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2014-10-01 10:43 - 2009-07-14 00:34 - 00010016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2014-10-01 10:43 - 2009-07-14 00:34 - 00010016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2014-10-01 10:05 - 2013-03-09 14:27 - 01566723 _____ () C:\Windows\WindowsUpdate.log
    2014-10-01 09:58 - 2014-07-06 06:33 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2014-10-01 09:58 - 2014-04-17 19:33 - 00000880 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2014-10-01 09:58 - 2013-03-09 14:28 - 00000000 ____D () C:\Users\nots0
    2014-10-01 09:55 - 2014-04-08 09:25 - 00009234 _____ () C:\Windows\setupact.log
    2014-10-01 09:55 - 2013-03-09 14:40 - 00000000 ____D () C:\ProgramData\NVIDIA
    2014-10-01 09:55 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2014-10-01 08:57 - 2014-01-26 08:10 - 00000000 __SHD () C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C}
    2014-10-01 08:49 - 2013-03-09 18:27 - 00000000 ____D () C:\Users\nots0\AppData\Local\Deployment
    2014-09-30 10:17 - 2014-04-06 19:10 - 00000000 ____D () C:\Users\nots0\AppData\Local\Battle.net
    2014-09-30 08:29 - 2014-04-08 09:24 - 00019192 _____ () C:\Windows\PFRO.log
    2014-09-30 08:29 - 2013-05-06 00:36 - 00000000 ____D () C:\Windows\pss
    2014-09-30 08:29 - 2013-04-11 21:54 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
    2014-09-29 08:04 - 2013-07-12 13:37 - 00000000 ____D () C:\Users\nots0\My Books
    2014-09-28 17:36 - 2014-07-30 04:12 - 00000000 ____D () C:\Users\nots0\AppData\Local\CrashDumps
    2014-09-28 17:36 - 2014-04-29 17:41 - 00000000 ____D () C:\Users\nots0\Documents\ihelper
    2014-09-28 09:05 - 2013-03-14 15:57 - 00000000 ____D () C:\Users\nots0\AppData\Roaming\mIRC
    2014-09-28 06:55 - 2013-06-29 14:41 - 00000000 ___RD () C:\Users\nots0\Desktop\incoming
    2014-09-28 06:50 - 2013-05-22 12:52 - 00000000 ____D () C:\Games
    2014-09-27 22:55 - 2013-03-10 09:04 - 00000000 ____D () C:\Users\nots0\AppData\Roaming\vlc
    2014-09-27 21:55 - 2013-06-19 16:28 - 00000000 ____D () C:\Users\nots0\Documents\My Games
    2014-09-27 20:56 - 2013-09-14 20:48 - 00000000 ____D () C:\Users\nots0\AppData\Local\SKIDROW
    2014-09-27 16:37 - 2013-03-09 22:11 - 00000000 ____D () C:\Users\nots0\AppData\Roaming\DAEMON Tools Pro
    2014-09-27 14:08 - 2014-08-26 17:52 - 00000000 ____D () C:\Users\nots0\Documents\Tongbu
    2014-09-27 10:50 - 2014-03-31 14:08 - 00000000 ____D () C:\Program Files\Mozilla Firefox
    2014-09-24 11:01 - 2013-03-09 14:44 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
    2014-09-24 11:01 - 2013-03-09 14:44 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
    2014-09-19 21:36 - 2014-08-08 15:28 - 00000000 ____D () C:\Users\nots0\AppData\Roaming\.minecraft
    2014-09-12 15:09 - 2014-04-06 19:09 - 00000000 ____D () C:\Program Files\Battle.net
    2014-09-04 18:10 - 2013-03-09 14:34 - 00782578 _____ () C:\Windows\system32\PerfStringBackup.INI
    2014-09-01 13:41 - 2014-04-06 19:22 - 00000000 ____D () C:\Program Files\Diablo III
    2014-09-01 13:41 - 2013-03-09 17:36 - 00000000 ____D () C:\Program Files\Common Files\Blizzard Entertainment
    
    Files to move or delete:
    ====================
    C:\ProgramData\win_mpwd_sys.dat
    
    
    Some content of TEMP:
    ====================
    C:\Users\nots0\AppData\Local\Temp\GLF53D9.tmp.dll
    C:\Users\nots0\AppData\Local\Temp\SkypeSetup.exe
    
    
    ==================== Bamital & volsnap Check =================
    
    (There is no automatic fix for files that do not pass verification.)
    
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\system32\winlogon.exe => File is digitally signed
    C:\Windows\system32\wininit.exe => File is digitally signed
    C:\Windows\system32\svchost.exe => File is digitally signed
    C:\Windows\system32\services.exe => File is digitally signed
    C:\Windows\system32\User32.dll => File is digitally signed
    C:\Windows\system32\userinit.exe => File is digitally signed
    C:\Windows\system32\rpcss.dll => File is digitally signed
    C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
    
    
    LastRegBack: 2014-09-27 04:21
    
    ==================== End Of Log ============================
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please see the information in the below pinned/sticky link:

    Forum Rules and Guidelines - Do not post HijackThis logs

    We do not want any logs posted inline with messages like you post. However there are no issues in those logs. If you are having malware problems you need to tell us what they are and you need to follow proper instructions for this forum to provide the correct logs that we need to check your PC for malware. See the below which is another of the pinned/sticky threads in the forum.

    READ & RUN ME FIRST. Malware Removal Guide
     
