Channel: Tech Support Guy - Virus & Other Malware Removal

Help needed with browser hijack 'default-search.net'

Hi,

Yesterday I had need of a screen capture utility with a little more capability than the Windows Snipping Tool or Alt+PrintScreen, so I downloaded a freeware program called PicPick. At first it looks like quite a nice little program, but it comes bundled with a bunch of malware/unwanted programs, one of which seems to be some kind of browser hijack called 'default-search.net'. This changed my home page on Firefox, Chrome and IE to default-search.net, and changed the default search engine to this default-search.net.

I uninstalled everything I could find associated with the company behind this hijack software, who seem to be some outfit in Cyprus called Aztec Media, but although Firefox and Chrome no longer seem to be affected after reinstalling, IE is still showing default-search.net as the home page and default search engine. Nothing in the settings or anything else seems to be effective.

I'd be very grateful for some help to get rid of this hijack on IE.
Many thanks.

Logs:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 17:58:27, on 03/06/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17041)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
C:\Users\Steve\AppData\Local\FluxSoftware\Flux\flux.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
C:\Users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe
C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe
C:\Users\Steve\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.default-search.net?sid=49...tm=366&src=hmp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: ContentBlockerBrowserHelperObject - {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
O2 - BHO: VirtualKeyboardBrowserHelperObject - {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: LastPass Vault - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
O2 - BHO: Safe Money Plugin - {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll
O2 - BHO: Adblock Plus for IE Browser Helper Object - {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll
O3 - Toolbar: LastPass Toolbar - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
O4 - HKLM\..\Run: [BATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
O4 - HKLM\..\Run: [LaunchHPOSIAPP] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe"
O4 - HKCU\..\Run: [F.lux] "C:\Users\Steve\AppData\Local\FluxSoftware\Flux\flux.exe" /noshow
O4 - HKCU\..\Run: [Google Update] "C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Default user')
O4 - Startup: Dropbox.lnk = Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: OpenOffice.org 3.4.1.lnk = C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Install LastPass FF RunOnce.lnk = C:\Program Files (x86)\Common Files\lpuninstall.exe
O4 - Global Startup: Install LastPass IE RunOnce.lnk = C:\Program Files (x86)\Common Files\lpuninstall.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ie_banner_deny.htm
O8 - Extra context menu item: LastPass - file://C:\Users\Steve\AppData\LocalLow\LastPass\context.html?cmd=lastpass
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Users\Steve\AppData\LocalLow\LastPass\context.html?cmd=fillforms
O9 - Extra button: Virtual Keyboard - {0C4CC089-D306-440D-9772-464E226F6539} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
O9 - Extra button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll
O9 - Extra 'Tools' menuitem: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPToolbar.dll
O9 - Extra button: URLs check - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A55B510-3878-4573-8F12-A693B05C58CC}: NameServer = 10.4.0.1,8.8.4.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{DF8FAF5C-BB40-4EAB-B13C-5939742E6C84}: NameServer = 10.4.0.1,8.8.8.8
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: Kaspersky Anti-Virus Service (avp) - Kaspersky Lab ZAO - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - The OpenVPN Project - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files (x86)\WinPcap\rpcapd.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11641 bytes



DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17041 BrowserJavaVersion: 10.25.2
Run by Steve at 17:59:09 on 2014-06-03
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4095.2423 [GMT 1:00]
.
AV: Kaspersky Internet Security *Enabled/Updated* {179979E8-273D-D14E-0543-2861940E4886}
SP: Kaspersky Internet Security *Enabled/Updated* {ACF8980C-0107-DEC0-3FF3-1313EF89023B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Kaspersky Internet Security *Enabled* {2FA2F8CD-6D52-D016-2E1C-81546ADD0FFD}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\WUDFHost.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe
C:\Users\Steve\AppData\Local\FluxSoftware\Flux\flux.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe
C:\Users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
C:\Users\Steve\Desktop\AirVPN.exe
C:\Program Files\OpenVPN\bin\openvpn.exe
C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_13_0_0_214.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.default-search.net?sid=498&aid=101&itype=a&ver=12791&tm=366&src=hmp
mWinlogon: Userinit = userinit.exe
BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll
BHO: Adblock Plus for IE Browser Helper Object: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [HydraVisionDesktopManager] "C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe"
uRun: [F.lux] "C:\Users\Steve\AppData\Local\FluxSoftware\Flux\flux.exe" /noshow
uRun: [Google Update] "C:\Users\Steve\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [BATINDICATOR] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
mRun: [LaunchHPOSIAPP] C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe
mRun: [CLMLServer] "C:\Program Files (x86)\Cyberlink\Power2Go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [KeePass 2 PreLoad] "C:\Program Files (x86)\KeePass Password Safe 2\KeePass.exe" --preload
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
dRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
StartupFolder: C:\Users\Steve\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Steve\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\Users\Steve\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~2.LNK - C:\Program Files (x86)\Common Files\lpuninstall.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\INSTAL~1.LNK - C:\Program Files (x86)\Common Files\lpuninstall.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:28
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ie_banner_deny.htm
IE: LastPass - C:\Users\Steve\AppData\LocalLow\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - C:\Users\Steve\AppData\LocalLow\LastPass\context.html?cmd=fillforms
IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar.dll
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\IEExt\UrlAdvisor\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_25-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 10.4.0.1
TCP: Interfaces\{6A55B510-3878-4573-8F12-A693B05C58CC} : NameServer = 10.4.0.1,8.8.4.4
TCP: Interfaces\{6A55B510-3878-4573-8F12-A693B05C58CC} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{D5453F4F-4A09-4E60-BB12-8C1FEB7DBDD0} : DHCPNameServer = 10.4.0.1
TCP: Interfaces\{DF8FAF5C-BB40-4EAB-B13C-5939742E6C84} : NameServer = 10.4.0.1,8.8.8.8
TCP: Interfaces\{DF8FAF5C-BB40-4EAB-B13C-5939742E6C84} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{DF8FAF5C-BB40-4EAB-B13C-5939742E6C84}\341626C65675962756C6563737 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{DF8FAF5C-BB40-4EAB-B13C-5939742E6C84}\E6564777F627B62303 : NameServer = 8.8.8.8,8.8.4.4
TCP: Interfaces\{DF8FAF5C-BB40-4EAB-B13C-5939742E6C84}\E6564777F627B62303 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{DF8FAF5C-BB40-4EAB-B13C-5939742E6C84}\F42377962756C6563737134473645333 : NameServer = 10.4.0.1,8.8.8.8
TCP: Interfaces\{DF8FAF5C-BB40-4EAB-B13C-5939742E6C84}\F42377962756C6563737134473645333 : DHCPNameServer = 192.168.1.254
TCP: Interfaces\{DF8FAF5C-BB40-4EAB-B13C-5939742E6C84}\F42377962756C6563737535353 : NameServer = 10.4.0.1,8.8.8.8
TCP: Interfaces\{DF8FAF5C-BB40-4EAB-B13C-5939742E6C84}\F42377962756C6563737535353 : DHCPNameServer = 192.168.1.254
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
IFEO: bitguard.exe - tasklist.exe
IFEO: bprotect.exe - tasklist.exe
IFEO: bpsvc.exe - tasklist.exe
IFEO: browserdefender.exe - tasklist.exe
IFEO: browserprotect.exe - tasklist.exe
x64-BHO: {4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47} - <orphaned>
x64-BHO: Content Blocker Plugin: {5564CC73-EFA7-4CBF-918A-5CF7FBBFFF4F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\ContentBlocker\ie_content_blocker_plugin.dll
x64-BHO: Virtual Keyboard Plugin: {73455575-E40C-433C-9784-C78DC7761455} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-BHO: LastPass Vault: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-BHO: Safe Money Plugin: {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll
x64-BHO: URL Advisor Plugin: {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-BHO: Adblock Plus for IE Browser Helper Object: {FFCB3198-32F3-4E8B-9539-4324694ED664} - C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll
x64-TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-Run: [Eraser] "C:\PROGRA~1\Eraser\Eraser.exe" --atRestart
x64-IE: {0C4CC089-D306-440D-9772-464E226F6539} - {0BA14598-4178-4CE5-B1F1-B5C6408A3F2E} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\VirtualKeyboard\ie_virtual_keyboard_plugin.dll
x64-IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPToolbar_x64.dll
x64-IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\x64\IEExt\UrlAdvisor\klwtbbho.dll
x64-SSODL: WebCheck - <orphaned>
x64-IFEO: bitguard.exe - tasklist.exe
x64-IFEO: bprotect.exe - tasklist.exe
x64-IFEO: bpsvc.exe - tasklist.exe
x64-IFEO: browserdefender.exe - tasklist.exe
x64-IFEO: browserprotect.exe - tasklist.exe
.
Note: multiple IFEO entries found. Please refer to Attach.txt
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Steve\AppData\Roaming\Mozilla\Firefox\Profiles\0lk5lkf3.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\LastPass\nplastpass.dll
FF - plugin: C:\Program Files (x86)\LastPass\nplastpass64.dll
FF - plugin: C:\Users\Steve\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_214.dll
FF - plugin: C:\Windows\SysWOW64\npDeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\System32\drivers\klim6.sys [2012-8-2 29792]
R1 klpd;klpd;C:\Windows\System32\drivers\klpd.sys [2013-4-12 15456]
R1 kltdi;kltdi;C:\Windows\System32\drivers\kltdi.sys [2013-5-14 55904]
R1 kneps;kneps;C:\Windows\System32\drivers\kneps.sys [2014-1-24 178272]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2012-12-19 240640]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2012-12-19 361984]
R2 AODDriver4.2;AODDriver4.2;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2012-4-9 57472]
R2 avp;Kaspersky Anti-Virus Service;C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe [2014-1-24 214512]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2012-11-6 96256]
R3 AVER_H193;AVerMedia H193 Video Capture;C:\Windows\System32\drivers\AVer888RC_64.sys [2009-8-21 543872]
R3 CXCIR;AVerMedia Consumer Infrared Receiver;C:\Windows\System32\drivers\AVer888RCIR_64.sys [2009-8-21 39936]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;C:\Windows\System32\drivers\klkbdflt.sys [2014-1-24 29280]
R3 klmouflt;Kaspersky Lab KLMOUFLT;C:\Windows\System32\drivers\klmouflt.sys [2014-1-24 29280]
R3 netr7364;RT73 USB Extensible Wireless LAN Card Driver;C:\Windows\System32\drivers\netr7364.sys [2009-5-20 716288]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-5-6 111616]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-2 59392]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-22 1255736]
S4 klflt;klflt;C:\Windows\System32\drivers\klflt.sys [2013-6-8 115296]
.
=============== Created Last 30 ================
.
2014-06-03 14:43:15 -------- d-----w- C:\Users\Steve\AppData\Local\FastStone
2014-06-03 14:34:06 -------- d-----w- C:\Users\Steve\AppData\Roaming\FastStone
2014-06-03 14:34:06 -------- d-----w- C:\Program Files (x86)\FastStone Capture
2014-06-03 13:40:58 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B908F519-5548-4529-96E7-22419A493619}\offreg.dll
2014-06-03 09:22:20 10702536 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B908F519-5548-4529-96E7-22419A493619}\mpengine.dll
2014-06-02 23:48:18 -------- d-----w- C:\ProgramData\Radsteroids
2014-06-02 23:45:32 -------- d-----w- C:\Program Files (x86)\PicPick
2014-06-02 21:10:43 -------- d-----w- C:\Users\Steve\AppData\Roaming\picpick
2014-06-02 21:10:43 -------- d-----w- C:\ProgramData\picpick
2014-05-22 19:33:13 -------- d-sh--w- C:\Users\Steve\AppData\Local\EmieUserList
2014-05-22 19:33:13 -------- d-sh--w- C:\Users\Steve\AppData\Local\EmieSiteList
2014-05-15 05:38:27 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-05-15 05:38:27 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-05-15 05:26:13 477184 ----a-w- C:\Windows\System32\aepdu.dll
2014-05-15 05:26:12 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-05-08 11:21:12 188272 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2014-05-07 07:48:07 -------- d-----w- C:\Users\Steve\AppData\Roaming\DropboxMaster
2014-05-06 15:55:46 -------- d-s---w- C:\Windows\System32\CompatTel
.
==================== Find3M ====================
.
2014-05-14 16:46:18 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-05-14 16:46:18 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-05-14 16:46:12 17938608 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2014-04-14 12:01:52 29280 ----a-w- C:\Windows\System32\drivers\klkbdflt.sys
2014-04-14 12:01:52 115296 ----a-w- C:\Windows\System32\drivers\klflt.sys
2014-04-12 02:22:05 95680 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2014-04-12 02:22:05 155072 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-04-12 02:19:38 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2014-04-12 02:19:38 136192 ----a-w- C:\Windows\System32\sspicli.dll
2014-04-12 02:19:37 28160 ----a-w- C:\Windows\System32\secur32.dll
2014-04-12 02:19:32 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-04-12 02:19:05 31232 ----a-w- C:\Windows\System32\lsass.exe
2014-04-12 02:12:06 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-04-12 02:10:56 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-03-31 08:35:08 270496 ------w- C:\Windows\System32\MpSigStub.exe
2014-03-06 09:31:33 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-03-06 08:59:04 66048 ----a-w- C:\Windows\System32\iesetup.dll
2014-03-06 08:57:34 548352 ----a-w- C:\Windows\System32\vbscript.dll
2014-03-06 08:57:20 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-03-06 08:29:40 139264 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-03-06 08:29:14 111616 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-03-06 08:28:15 752640 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-03-06 08:15:54 940032 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-03-06 08:11:41 5784064 ----a-w- C:\Windows\System32\jscript9.dll
2014-03-06 08:02:34 61952 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-03-06 08:02:33 455168 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-03-06 08:01:01 51200 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-03-06 07:56:43 38400 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-03-06 07:46:36 4254720 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-03-06 07:38:13 112128 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-03-06 07:36:40 592896 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-03-06 07:13:43 32256 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-03-06 07:11:15 2043904 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-03-06 06:40:39 1967104 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-03-06 06:22:40 2260480 ----a-w- C:\Windows\System32\wininet.dll
2014-03-06 05:41:49 1789440 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-09-19 16:26:55 15641088 ----a-w- C:\Program Files (x86)\Common Files\lpuninstall.exe
.
============= FINISH: 17:59:49.16 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 18/04/2010 13:42:49
System Uptime: 03/06/2014 13:04:17 (4 hours ago)
.
Motherboard: PEGATRON CORPORATION | | Narra6
Processor: AMD Athlon(tm) II X4 630 Processor | CPU 1 | 2800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 919 GiB total, 327.817 GiB free.
D: is FIXED (NTFS) - 12 GiB total, 12.38 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP484: 06/05/2014 08:42:54 - Windows Update
RP485: 06/05/2014 16:55:22 - Windows Update
RP486: 07/05/2014 09:12:39 - Windows Update
RP487: 13/05/2014 15:18:11 - Windows Update
RP488: 15/05/2014 06:35:12 - Windows Update
RP489: 21/05/2014 07:07:07 - Windows Update
RP490: 30/05/2014 08:47:46 - Windows Update
RP491: 03/06/2014 10:21:38 - Windows Update
.
==== Image File Execution Options =============
.
IFEO: bitguard.exe - tasklist.exe
IFEO: bprotect.exe - tasklist.exe
IFEO: bpsvc.exe - tasklist.exe
IFEO: browserdefender.exe - tasklist.exe
IFEO: browserprotect.exe - tasklist.exe
IFEO: browsersafeguard.exe - tasklist.exe
IFEO: dprotectsvc.exe - tasklist.exe
IFEO: jumpflip - tasklist.exe
IFEO: protectedsearch.exe - tasklist.exe
IFEO: searchinstaller.exe - tasklist.exe
IFEO: searchprotection.exe - tasklist.exe
IFEO: searchprotector.exe - tasklist.exe
IFEO: searchsettings.exe - tasklist.exe
IFEO: searchsettings64.exe - tasklist.exe
IFEO: snapdo.exe - tasklist.exe
IFEO: stinst32.exe - tasklist.exe
IFEO: stinst64.exe - tasklist.exe
IFEO: umbrella.exe - tasklist.exe
IFEO: utiljumpflip.exe - tasklist.exe
IFEO: volaro - tasklist.exe
IFEO: vonteera - tasklist.exe
IFEO: websteroids.exe - tasklist.exe
IFEO: websteroidsservice.exe - tasklist.exe
x64-IFEO: bitguard.exe - tasklist.exe
x64-IFEO: bprotect.exe - tasklist.exe
x64-IFEO: bpsvc.exe - tasklist.exe
x64-IFEO: browserdefender.exe - tasklist.exe
x64-IFEO: browserprotect.exe - tasklist.exe
x64-IFEO: browsersafeguard.exe - tasklist.exe
x64-IFEO: dprotectsvc.exe - tasklist.exe
x64-IFEO: jumpflip - tasklist.exe
x64-IFEO: protectedsearch.exe - tasklist.exe
x64-IFEO: searchinstaller.exe - tasklist.exe
x64-IFEO: searchprotection.exe - tasklist.exe
x64-IFEO: searchprotector.exe - tasklist.exe
x64-IFEO: searchsettings.exe - tasklist.exe
x64-IFEO: searchsettings64.exe - tasklist.exe
x64-IFEO: snapdo.exe - tasklist.exe
x64-IFEO: stinst32.exe - tasklist.exe
x64-IFEO: stinst64.exe - tasklist.exe
x64-IFEO: umbrella.exe - tasklist.exe
x64-IFEO: utiljumpflip.exe - tasklist.exe
x64-IFEO: volaro - tasklist.exe
x64-IFEO: vonteera - tasklist.exe
x64-IFEO: websteroids.exe - tasklist.exe
x64-IFEO: websteroidsservice.exe - tasklist.exe
.
==== Installed Programs ======================
.
7-Zip 4.65
Adblock Plus for IE
Adblock Plus for IE (32-bit and 64-bit)
Adobe AIR
Adobe Flash Player 13 ActiveX
Adobe Flash Player 13 Plugin
Adobe Reader X (10.1.10)
Amazon MP3 Downloader 1.0.9
AMD Accelerated Video Transcoding
AMD APP SDK Runtime
AMD Catalyst Install Manager
AMD Drag and Drop Transcoding
AMD Fuel
AMD Media Foundation Decoders
AMD VISION Engine Control Center
BBC iPlayer Desktop
BBC iPlayer Downloads
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
ccc-utility64
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner
CyberLink Power2Go
dBpoweramp Music Converter
DNS Leak Fix for OpenVPN version 1.2
Dropbox
DVD Shrink 3.2
DVDFab 8.0.6.1 (18/12/2010)
Eraser 6.0.8.2273
Exact Audio Copy 1.0beta1
f.lux
FastStone Capture
FLAC 1.2.1b (remove only)
foobar2000 v1.1.11
FreeFileSync v3.16
GIMP 2.6.11
Google Chrome
Google Update Helper
HandBrake 0.9.8
HP MAINSTREAM KEYBOARD
HydraVision
ImgBurn
IrfanView (remove only)
Java 7 Update 25
Java(TM) 6 Update 22
JavaFX 2.1.1
Kaspersky Internet Security
KeePass Password Safe 2.26
LastPass (uninstall only)
MakeMKV v1.8.0
Medieval CUE Splitter
Microsoft .NET Framework 4.5.1
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Monkey's Audio
Mozilla Firefox 29.0.1 (x86 en-GB)
Mozilla Maintenance Service
Mp3tag v2.55
Music Manager
NVIDIA Drivers
OpenOffice.org 3.4.1
OpenVPN 2.3.2-I004
PowerISO
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4.5.1 (KB2898869)
Security Update for Microsoft .NET Framework 4.5.1 (KB2901126)
Security Update for Microsoft .NET Framework 4.5.1 (KB2931368)
Speccy
Stellarium 0.12.4
TAP-Windows 9.9.2
TrueCrypt
VLC media player 2.1.3
WinPcap 4.1.2
Wireshark 1.8.0 (64-bit)
.
==== Event Viewer Messages From Past Week ========
.
03/06/2014 12:48:21, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: SCDEmu
03/06/2014 01:14:17, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the avp service.
03/06/2014 01:13:41, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x0000009f (0x0000000000000003, 0xfffffa8005028060, 0xfffff80004c3d518, 0xfffffa80042505e0). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 060314-14258-01.
03/06/2014 00:53:32, Error: Service Control Manager [7034] - The Radsteroids service terminated unexpectedly. It has done this 1 time(s).
03/06/2014 00:48:25, Error: Service Control Manager [7000] - The F06DEFF2-5B9C-490D-910F-35D3A91196222 service failed to start due to the following error: The system cannot find the file specified.
03/06/2014 00:48:24, Error: Service Control Manager [7030] - The Systemk Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
.
==== End Of File ===========================



GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-03 18:18:26
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000064 WDC_WD10 rev.05.0 931.51GB
Running: qjtec6it.exe; Driver: C:\Users\Steve\AppData\Local\Temp\axldypog.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031b6000 19 bytes [00, 00, 0C, 02, 46, 4D, 66, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 548 fffff800031b6014 43 bytes [00, 00, 00, 00, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000770dfaa8 5 bytes JMP 00000001732518dd
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe[1936] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000770e0038 5 bytes JMP 0000000173251ed6
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 5 0000000076ee11f5 8 bytes {JMP 0xd}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlWalkHeap + 416 0000000076ee1390 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 159 0000000076ee143f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlpEnsureBufferSize + 492 0000000076ee158c 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 126 0000000076ee191e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlDeleteAce + 636 0000000076ee1b1c 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!_vsnwprintf_s + 204 0000000076ee1bf0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 373 0000000076ee1d75 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateActivationContext + 691 0000000076ee1eb3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!isalpha + 31 0000000076ee1edf 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!_ui64toa + 84 0000000076ee1f64 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!_strnicmp + 81 0000000076ee1fbd 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelf + 7 0000000076ee1fd7 8 bytes {JMP 0xb}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 658 0000000076ee2272 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlImpersonateSelfEx + 801 0000000076ee2301 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlInstallFunctionTableCallback + 578 0000000076ee2792 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlIsGenericTableEmptyAvl + 16 0000000076ee27b0 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableAvl + 18 0000000076ee27d2 8 bytes {JMP 0x10}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 79 0000000076ee282f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlEnumerateGenericTableWithoutSplayingAvl + 176 0000000076ee2890 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 2
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 299 0000000076ee2d1b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlValidRelativeSecurityDescriptor + 367 0000000076ee2d5f 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text ... * 3
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlCutoverTimeToSystemTime + 483 0000000076ee3023 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 523 0000000076ee323b 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryRegistryValues + 912 0000000076ee33c0 16 bytes {JMP 0x4e}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 318 0000000076ee3a5e 16 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!_itow_s + 403 0000000076ee3ab3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 197 0000000076ee3b85 8 bytes [10, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlpCheckDynamicTimeZoneInformation + 611 0000000076ee3d23 8 bytes [00, 6A, F8, 7E, 00, 00, 00, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!RtlpGetLCIDFromLangInfoNode + 80 0000000076ee4190 8 bytes [A0, 69, F8, 7E, 00, 00, 00, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000076f31380 8 bytes {JMP QWORD [RIP-0x4d4cf]}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000076f31500 8 bytes {JMP QWORD [RIP-0x4d498]}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000076f31530 8 bytes {JMP QWORD [RIP-0x4d9b1]}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076f31650 8 bytes {JMP QWORD [RIP-0x4d7a7]}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076f31700 8 bytes {JMP QWORD [RIP-0x4d9e3]}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076f31d30 8 bytes {JMP QWORD [RIP-0x4dba6]}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 0000000076f31f80 8 bytes {JMP QWORD [RIP-0x4de55]}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076f327e0 8 bytes {JMP QWORD [RIP-0x4e770]}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 312 00000000736c13cc 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\wow64cpu.dll!CpuInitializeStartupContext + 471 00000000736c146b 8 bytes {JMP 0xffffffffffffffb0}
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessInit + 611 00000000736c16d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessTerm + 3 00000000736c16e3 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\wow64cpu.dll!CpuGetStackPointer + 23 00000000736c19db 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetStackPointer + 23 00000000736c19fb 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\wow64cpu.dll!CpuSetInstructionPointer + 23 00000000736c1a1b 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\wow64cpu.dll!CpuNotifyAffinityChange + 3 00000000736c1a27 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\wow64cpu.dll!CpuFlushInstructionCache + 23 00000000736c1a63 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]
.text C:\Users\Steve\Desktop\qjtec6it.exe[604] C:\Windows\SYSTEM32\wow64cpu.dll!CpuProcessDebugEvent + 3 00000000736c1a6f 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...]

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [476:1336] 000007fefa2359a0
Thread C:\Windows\System32\svchost.exe [476:1924] 000007fefc741a70
Thread C:\Windows\System32\svchost.exe [476:2212] 000007fef9a620c0
Thread C:\Windows\System32\svchost.exe [476:2220] 000007fef9a626a8
Thread C:\Windows\System32\svchost.exe [476:2224] 000007fef9a714a0
Thread C:\Windows\System32\svchost.exe [476:2360] 000007fef671a2b0
Thread C:\Windows\System32\svchost.exe [476:2096] 000007fef76d44e0
Thread C:\Windows\System32\svchost.exe [476:3704] 000007fef7b388f8
Thread C:\Windows\System32\svchost.exe [476:5192] 000007fef9a629dc
Thread C:\Windows\System32\svchost.exe [476:6788] 000007fef9a629dc
Thread C:\Windows\System32\spoolsv.exe [1392:1784] 000007fef91810c8
Thread C:\Windows\System32\spoolsv.exe [1392:1796] 000007fef87e6144
Thread C:\Windows\System32\spoolsv.exe [1392:1804] 000007fef9265fd0
Thread C:\Windows\System32\spoolsv.exe [1392:1812] 000007fef9243438
Thread C:\Windows\System32\spoolsv.exe [1392:1820] 000007fef92663ec
Thread C:\Windows\System32\spoolsv.exe [1392:1876] 000007fef9345e5c
Thread C:\Windows\System32\spoolsv.exe [1392:1880] 000007fef93f5074
Thread C:\Windows\system32\taskhost.exe [1620:1808] 000007fef8f71f38
Thread C:\Windows\system32\taskhost.exe [1620:2808] 000007fef8ba5170
Thread C:\Windows\system32\Dwm.exe [1724:1852] 000007fef981f0d8
Thread C:\Windows\system32\Dwm.exe [1724:1868] 000007fef91eabf0
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2624:2604] 000007fef2fcaf30
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2624:2700] 000007fef26d2340
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2624:2572] 000007fef26d2340
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2624:3172] 000007feeaaecec4
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2624:3176] 000007feeaaecec4
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2624:3180] 000007feeaaecec4
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2624:3184] 000007feeaaecec4
Thread C:\Program Files\Windows Sidebar\sidebar.exe [2624:3196] 000000006d52bccc
Thread C:\Windows\System32\svchost.exe [3536:1560] 000007fee0219688

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\KLIF\Parameters@LastProcessedRevision 127920853

---- EOF - GMER 2.1 ----
