[Solved] Apparent malware problem.

daveleonard · Jul 31, 2015

All four of my browsers have been taken over by some sort of malware. On all the browsers my search page is, http://www.oursurfing.com/? I cannot set my start page to default on any of them. I ran my virus/malware soft wear (Herd Protect) and it did find over ten items which have been addressed/deleted. But the browser problem remains. I also ran mbar but it found nothing.
Thanks for any help you all can give me.
Dave
Blessings From
Camiguin Island Philippines

starbuck · Aug 1, 2015

Hi Dave,

We can use FRST to sort this:

Note:
There are both 32-bit and 64-bit versions of Farbar Recovery Scan Tool available. Please pick the version that matches your operating system's bit type.

If you are unsure what you're system bit type is..... click Here for help.

For x32 bit systems download Farbar Recovery Scan Tool and save it to your Desktop.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to your Desktop.

Double-click the downloaded icon to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator

When the tool opens click Yes to disclaimer.

Make sure that Addition.txt is selected at the bottom

Press Scan button.

It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply also.

Please post both reports.

I'll move this post if required later.

Thanks.

daveleonard · Aug 1, 2015

Hi Starbuck, I did as directed and the results are below.
Additional scan result of Farbar Recovery Scan Tool (x64) Version:30-07-2015
Ran by dave (2015-08-01 19:11:50)
Running from C:\Users\dave\Desktop
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-4207466264-2533654200-306421317-500 - Administrator - Disabled)
dave (S-1-5-21-4207466264-2533654200-306421317-1001 - Administrator - Enabled) => C:\Users\dave
Guest (S-1-5-21-4207466264-2533654200-306421317-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-4207466264-2533654200-306421317-1003 - Limited - Enabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (HKLM-x32\...\7-Zip) (Version: - )
Ad-Aware Web Companion (x32 Version: 1.1.987.2028 - Lavasoft) Hidden
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
BibleDesktop 1.6 (HKLM-x32\...\BibleDesktop) (Version: 1.6 - CrossWire Bible Society)
Boost (HKU\S-1-5-21-4207466264-2533654200-306421317-1001\...\Boost 1.0.2) (Version: 1.0.2 - Reason Software Company Inc.)
Boost (Version: 1.0.2 - Reason Software Company Inc.) Hidden
Evernote v. 5.8.8 (HKLM-x32\...\{CD252A60-0965-11E5-B3A2-00505695D7B0}) (Version: 5.8.8.7837 - Evernote Corp.)
File Shredder 2.5 (HKLM\...\File Shredder_is1) (Version: - Pow Tools)
Freemake Audio Converter version 1.1.0 (HKLM-x32\...\Freemake Audio Converter_is1) (Version: 1.1.0 - Ellora Assets Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 44.0.2403.107 - Google Inc.)
Google Update Helper (x32 Version: 1.3.21.169 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.28.1 - Google Inc.) Hidden
herdProtect Anti-Malware Scanner (HKLM-x32\...\herdProtectScan) (Version: 1.0 - Reason Company Software Inc.)
Java 8 Update 51 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218051F0}) (Version: 8.0.510 - Oracle Corporation)
LavasoftTcpService (x32 Version: 2.3.4.2 - Lavasoft) Hidden
Microsoft OneDrive (HKU\S-1-5-21-4207466264-2533654200-306421317-1001\...\OneDriveSetup.exe) (Version: 17.3.5860.0512 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Mozilla Firefox 40.0 (x64 en-US) (HKLM\...\Mozilla Firefox 40.0 (x64 en-US)) (Version: 40.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 40.0.0.5689 - Mozilla)
MP3 Editor for Free v9.2.5 (HKLM-x32\...\MP3 Editor for Free_is1) (Version: - meMedia Co., Ltd.)
Opera Stable 30.0.1835.125 (HKLM-x32\...\Opera 30.0.1835.125) (Version: 30.0.1835.125 - Opera Software)
Perfect Uninstaller v6.3.3.9 (HKLM\...\Perfect Uninstaller_is1) (Version: - www.PerfectUninstaller.com)
Prey Anti-Theft (x32 Version: 1.3.8 - Prey, Inc.) Hidden
Privacy Mantra 3.00 (HKLM-x32\...\Privacy Mantra 3.00) (Version: - )
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Should I Remove It (HKU\S-1-5-21-4207466264-2533654200-306421317-1001\...\Should I Remove It 1.0.4) (Version: 1.0.4 - Reason Software Company Inc.)
Should I Remove It (x32 Version: 1.0.4 - Reason Software Company Inc.) Hidden
Skype™ 7.3 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.3.101 - Skype Technologies S.A.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
WinPcap 4.1.2 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2001 - CACE Technologies)
Yahoo Search Set (HKLM-x32\...\Yahoo! SearchSet) (Version: - Yahoo Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-4207466264-2533654200-306421317-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5907.0716\amd64\FileSyncShell64.dll No File
CustomCLSID: HKU\S-1-5-21-4207466264-2533654200-306421317-1001_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32 -> C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4207466264-2533654200-306421317-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5907.0716\amd64\FileSyncShell64.dll No File
CustomCLSID: HKU\S-1-5-21-4207466264-2533654200-306421317-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5907.0716\amd64\FileSyncShell64.dll No File
CustomCLSID: HKU\S-1-5-21-4207466264-2533654200-306421317-1001_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4207466264-2533654200-306421317-1001_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32 -> C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4207466264-2533654200-306421317-1001_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4207466264-2533654200-306421317-1001_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4207466264-2533654200-306421317-1001_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-4207466264-2533654200-306421317-1001_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncApi64.dll (Microsoft Corporation)

==================== Restore Points =========================

19-07-2015 18:17:25 Windows Update
23-07-2015 20:04:46 Windows Update
28-07-2015 08:11:46 Revo Uninstaller's restore point - Microsoft OneDrive
30-07-2015 08:04:02 Revo Uninstaller's restore point - Adobe Flash Player 18 PPAPI
31-07-2015 11:30:22 Revo Uninstaller's restore point - Microsoft OneDrive
01-08-2015 11:59:08 Revo Uninstaller's restore point - SpringFiles

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2012-07-26 13:26 - 2012-07-26 13:26 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {08E645B1-5878-4CB1-B879-C89E13E2AEB2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-05-05] (Google Inc.)
Task: {27AF42A4-7070-4DD6-AF1F-888FCF3D32EB} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-07-17] (Adobe Systems Incorporated)
Task: {C1512FE8-1BA3-4F55-8DEF-FBAF7AC7F7C1} - System32\Tasks\Boost => C:\Users\dave\AppData\Roaming\Reason\Boost\boost.exe [2013-12-28] (Reason Software Company Inc.)
Task: {F301E15B-39C3-4FEF-8CFA-3BBECCF3AFBB} - System32\Tasks\Opera scheduled Autoupdate 1432611044 => C:\Program Files (x86)\Opera\launcher.exe [2015-07-10] (Opera Software)
Task: {F487E584-587C-4A8A-9855-E1A4786A810B} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2015-07-03] (Microsoft Corporation)
Task: {FAD8AEB2-BB52-4532-9DC5-EC0924579A9B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-05-05] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2015-05-06 01:07 - 2012-04-01 07:06 - 02689536 _____ () C:\Program Files\File Shredder\fsshell.dll
2015-05-06 02:13 - 2015-05-06 02:28 - 00176048 _____ () C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\ModernShared\ErrorReporting\ErrorReporting.dll
2015-07-17 07:46 - 2015-07-17 07:46 - 23809712 _____ () C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\dave\Desktop\Sermon Files:com.dropbox.attributes

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4207466264-2533654200-306421317-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\dave\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4207466264-2533654200-306421317-1001\...\StartupApproved\StartupFolder: => "EvernoteClipper.lnk"
HKU\S-1-5-21-4207466264-2533654200-306421317-1001\...\StartupApproved\StartupFolder: => "Aquarius Soft PC Alarm Clock Pro.lnk"
HKU\S-1-5-21-4207466264-2533654200-306421317-1001\...\StartupApproved\Run: => "OneDrive"
HKU\S-1-5-21-4207466264-2533654200-306421317-1001\...\StartupApproved\Run: => "Skype"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{B9112D78-56AB-4B4B-AE2F-84997270BE17}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{3309DEFE-1F01-494E-8AF9-066698DD9627}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{6159013C-E833-4EE8-9D30-D8D72D849999}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{11B3E06F-E229-4A07-9E0B-24BE6E9FC8AE}] => (Allow) C:\Users\dave\AppData\Local\Chromium\Application\chrome.exe
FirewallRules: [{25C413FB-3841-4531-981E-089C782831E6}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{76183947-4642-4BA2-99B4-B0B3F3E58968}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{2AC6B8DE-6FA0-4096-A2B8-FF6EBDE0A6D4}] => (Allow) C:\Users\dave\AppData\Local\Microsoft\OneDrive\OneDrive.exe
FirewallRules: [{4636C40B-5DEA-4EB3-A9EB-49A4471F19DE}] => (Allow) C:\Windows\Prey\versions\1.4.1\bin\node.exe

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (08/01/2015 11:37:47 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: herdProtectScan.exe, version: 1.0.3.9, time stamp: 0x542a3c80
Faulting module name: LSASRV.dll, version: 6.2.9200.17231, time stamp: 0x54b76fb5
Exception code: 0xc0000005
Fault offset: 0x0000000000051f20
Faulting process ID: 0x170c
Faulting application start time: 0xherdProtectScan.exe0
Faulting application path: herdProtectScan.exe1
Faulting module path: herdProtectScan.exe2
Report ID: herdProtectScan.exe3
Faulting package full name: herdProtectScan.exe4
Faulting package-relative application ID: herdProtectScan.exe5

Error: (08/01/2015 08:11:14 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: alarm.exe, version: 3.9.0.5, time stamp: 0x47d0a840
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process ID: 0x49c
Faulting application start time: 0xalarm.exe0
Faulting application path: alarm.exe1
Faulting module path: alarm.exe2
Report ID: alarm.exe3
Faulting package full name: alarm.exe4
Faulting package-relative application ID: alarm.exe5

Error: (08/01/2015 08:10:42 AM) (Source: Desktop Window Manager) (EventID: 9020) (User: )
Description: The Desktop Window Manager has encountered a fatal error (0x8898008d)

Error: (07/31/2015 05:24:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: herdProtectScan.exe, version: 1.0.3.9, time stamp: 0x542a3c80
Faulting module name: LSASRV.dll, version: 6.2.9200.17231, time stamp: 0x54b76fb5
Exception code: 0xc0000005
Fault offset: 0x0000000000051f20
Faulting process ID: 0x700
Faulting application start time: 0xherdProtectScan.exe0
Faulting application path: herdProtectScan.exe1
Faulting module path: herdProtectScan.exe2
Report ID: herdProtectScan.exe3
Faulting package full name: herdProtectScan.exe4
Faulting package-relative application ID: herdProtectScan.exe5

Error: (07/31/2015 04:00:37 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: herdProtectScan.exe, version: 1.0.3.9, time stamp: 0x542a3c80
Faulting module name: LSASRV.dll, version: 6.2.9200.17231, time stamp: 0x54b76fb5
Exception code: 0xc0000005
Fault offset: 0x0000000000051f20
Faulting process ID: 0x700
Faulting application start time: 0xherdProtectScan.exe0
Faulting application path: herdProtectScan.exe1
Faulting module path: herdProtectScan.exe2
Report ID: herdProtectScan.exe3
Faulting package full name: herdProtectScan.exe4
Faulting package-relative application ID: herdProtectScan.exe5

Error: (07/31/2015 12:05:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: alarm.exe, version: 3.9.0.5, time stamp: 0x47d0a840
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process ID: 0xd28
Faulting application start time: 0xalarm.exe0
Faulting application path: alarm.exe1
Faulting module path: alarm.exe2
Report ID: alarm.exe3
Faulting package full name: alarm.exe4
Faulting package-relative application ID: alarm.exe5

Error: (07/31/2015 07:27:56 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: alarm.exe, version: 3.9.0.5, time stamp: 0x47d0a840
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process ID: 0x51c
Faulting application start time: 0xalarm.exe0
Faulting application path: alarm.exe1
Faulting module path: alarm.exe2
Report ID: alarm.exe3
Faulting package full name: alarm.exe4
Faulting package-relative application ID: alarm.exe5

Error: (07/30/2015 08:02:09 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: alarm.exe, version: 3.9.0.5, time stamp: 0x47d0a840
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process ID: 0xc88
Faulting application start time: 0xalarm.exe0
Faulting application path: alarm.exe1
Faulting module path: alarm.exe2
Report ID: alarm.exe3
Faulting package full name: alarm.exe4
Faulting package-relative application ID: alarm.exe5

Error: (07/30/2015 07:57:48 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DaveLeonard)
Description: Activation of application winstore_cw5n1h2txyewy!Windows.Store failed with error: -2144927142 See the Microsoft-Windows-TWinUI/Operational log for additional information.

Error: (07/30/2015 07:57:48 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program WWAHost.exe version 6.2.9200.16420 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 18ac

Start Time: 01d0ca5a46248896

Termination Time: 4294967295

Application Path: C:\Windows\System32\WWAHost.exe

Report Id: 9b362768-364d-11e5-be90-002622822d46

Faulting package full name: winstore_1.0.0.0_neutral_neutral_cw5n1h2txyewy

Faulting package-relative application ID: Windows.Store

System errors:
=============
Error: (08/01/2015 07:07:21 PM) (Source: DCOM) (EventID: 10016) (User: DaveLeonard)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DaveLeonarddaveS-1-5-21-4207466264-2533654200-306421317-1001LocalHost (Using LRPC)Farlex.581429F59E1D8_1.5.1.9_neutral__wyegy4e46y996S-1-15-2-1267739591-1137297291-83386112-1979864472-959024908-3354412519-3889419757

Error: (08/01/2015 03:27:11 PM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 137) (User: )
Description: 4

Error: (08/01/2015 03:26:55 PM) (Source: DCOM) (EventID: 10016) (User: NT AUTHORITY)
Description: application-specificLocalActivation{D63B10C5-BB46-4990-A94F-E40B9D520160}{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}NT AUTHORITYSYSTEMS-1-5-18LocalHost (Using LRPC)UnavailableUnavailable

Error: (08/01/2015 03:16:36 PM) (Source: DCOM) (EventID: 10016) (User: DaveLeonard)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DaveLeonarddaveS-1-5-21-4207466264-2533654200-306421317-1001LocalHost (Using LRPC)Farlex.581429F59E1D8_1.5.1.9_neutral__wyegy4e46y996S-1-15-2-1267739591-1137297291-83386112-1979864472-959024908-3354412519-3889419757

Error: (08/01/2015 01:16:32 PM) (Source: DCOM) (EventID: 10016) (User: DaveLeonard)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DaveLeonarddaveS-1-5-21-4207466264-2533654200-306421317-1001LocalHost (Using LRPC)Farlex.581429F59E1D8_1.5.1.9_neutral__wyegy4e46y996S-1-15-2-1267739591-1137297291-83386112-1979864472-959024908-3354412519-3889419757

Error: (08/01/2015 11:57:45 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WindowsMangerProtect service.

Error: (08/01/2015 11:55:39 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IHProtect Service service.

Error: (08/01/2015 11:27:04 AM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The LuckyBrowse service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (08/01/2015 11:16:24 AM) (Source: DCOM) (EventID: 10016) (User: DaveLeonard)
Description: machine-defaultLocalActivation{C2F03A33-21F5-47FA-B4BB-156362A2F239}{316CDED5-E4AE-4B15-9113-7055D84DCC97}DaveLeonarddaveS-1-5-21-4207466264-2533654200-306421317-1001LocalHost (Using LRPC)Farlex.581429F59E1D8_1.5.1.9_neutral__wyegy4e46y996S-1-15-2-1267739591-1137297291-83386112-1979864472-959024908-3354412519-3889419757

Error: (08/01/2015 09:47:48 AM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureCommand with the following error:
%%5

Microsoft Office:
=========================
Error: (08/01/2015 11:37:47 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: herdProtectScan.exe1.0.3.9542a3c80LSASRV.dll6.2.9200.1723154b76fb5c00000050000000000051f20170c01d0cc0b5036578eC:\Program Files\Reason\herdProtect\Scanner\herdProtectScan.exeC:\Windows\SYSTEM32\LSASRV.dllacfd4f94-37fe-11e5-be92-002622822d46

Error: (08/01/2015 08:11:14 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: alarm.exe3.9.0.547d0a840unknown0.0.0.000000000c00000050000000049c01d0cbee91f03e2fC:\Program Files (x86)\Aquarius Soft\PC Alarm Clock Pro\alarm.exeunknownd1c2a797-37e1-11e5-be92-002622822d46

Error: (08/01/2015 08:10:42 AM) (Source: Desktop Window Manager) (EventID: 9020) (User: )
Description: 0x8898008d

Error: (07/31/2015 05:24:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: herdProtectScan.exe1.0.3.9542a3c80LSASRV.dll6.2.9200.1723154b76fb5c00000050000000000051f2070001d0cb66dfc63224C:\Program Files\Reason\herdProtect\Scanner\herdProtectScan.exeC:\Windows\SYSTEM32\LSASRV.dllffbd792e-3765-11e5-be92-002622822d46

Error: (07/31/2015 04:00:37 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: herdProtectScan.exe1.0.3.9542a3c80LSASRV.dll6.2.9200.1723154b76fb5c00000050000000000051f2070001d0cb66dfc63224C:\Program Files\Reason\herdProtect\Scanner\herdProtectScan.exeC:\Windows\SYSTEM32\LSASRV.dll39dad99e-375a-11e5-be92-002622822d46

Error: (07/31/2015 12:05:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: alarm.exe3.9.0.547d0a840unknown0.0.0.000000000c000000500000000d2801d0cb461a990d81C:\Program Files (x86)\Aquarius Soft\PC Alarm Clock Pro\alarm.exeunknown591bd388-3739-11e5-be92-002622822d46

Error: (07/31/2015 07:27:56 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: alarm.exe3.9.0.547d0a840unknown0.0.0.000000000c00000050000000051c01d0cb1f5afc3ebdC:\Program Files (x86)\Aquarius Soft\PC Alarm Clock Pro\alarm.exeunknown9b2de008-3712-11e5-be91-002622822d46

Error: (07/30/2015 08:02:09 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: alarm.exe3.9.0.547d0a840unknown0.0.0.000000000c000000500000000c8801d0ca5af8d0e4aeC:\Program Files (x86)\Aquarius Soft\PC Alarm Clock Pro\alarm.exeunknown3822c41a-364e-11e5-be91-002622822d46

Error: (07/30/2015 07:57:48 AM) (Source: Microsoft-Windows-Immersive-Shell) (EventID: 5973) (User: DaveLeonard)
Description: winstore_cw5n1h2txyewy!Windows.Store-2144927142

Error: (07/30/2015 07:57:48 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: WWAHost.exe6.2.9200.1642018ac01d0ca5a462488964294967295C:\Windows\System32\WWAHost.exe9b362768-364d-11e5-be90-002622822d46winstore_1.0.0.0_neutral_neutral_cw5n1h2txyewyWindows.Store

==================== Memory info ===========================

Processor: Pentium(R) Dual-Core CPU T4400 @ 2.20GHz
Percentage of memory in use: 62%
Total physical RAM: 1977.97 MB
Available physical RAM: 737.89 MB
Total Virtual: 3689.58 MB
Available Virtual: 1969.43 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:97.66 GB) (Free:48.16 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: () (Removable) (Total:7.27 GB) (Free:1.84 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 391C3C0A)
Partition 1: (Active) - (Size=97.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7.3 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End of log ============================
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:30-07-2015
Ran by dave (administrator) on DAVELEONARD (01-08-2015 19:10:33)
Running from C:\Users\dave\Desktop
Loaded Profiles: dave (Available Profiles: dave)
Platform: Windows 8 Single Language (X64) Language: English (United Kingdom)
Internet Explorer Version 10 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Fork, Ltd.) C:\Windows\Prey\wpxsvc.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Lavasoft Limited) C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.4.2\LavasoftTcpService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.0.1119.516_x64__8wekyb3d8bbwe\LiveComm.exe
(Yahoo Inc.) C:\Program Files (x86)\Yahoo!\yset\{516D9C20-709E-5E4E-9634-0C9398060304}\YSearchUtilSvc.exe
(Joyent, Inc) C:\Windows\Prey\versions\1.4.1\bin\node.exe
(Fork, Ltd.) C:\Windows\Prey\versions\1.4.1\node_modules\triggers\bin\lightevt.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ClocX] => "C:\Program Files\ClocX\ClocX.exe"
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-06-08] (Oracle Corporation)
HKU\S-1-5-21-4207466264-2533654200-306421317-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31682144 2015-03-25] (Skype Technologies S.A.)
HKU\S-1-5-21-4207466264-2533654200-306421317-1001\...\Run: [OneDrive] => C:\Users\dave\AppData\Local\Microsoft\OneDrive\OneDrive.exe [382664 2015-07-31] (Microsoft Corporation)
Startup: C:\Users\dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aquarius Soft PC Alarm Clock Pro.lnk [2015-07-06]
ShortcutTarget: Aquarius Soft PC Alarm Clock Pro.lnk -> C:\Program Files (x86)\Aquarius Soft\PC Alarm Clock Pro\alarm.exe (Aquarius Soft)
Startup: C:\Users\dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EvernoteClipper.lnk [2015-06-09]
ShortcutTarget: EvernoteClipper.lnk -> C:\Program Files (x86)\Evernote\Evernote\EvernoteClipper.exe (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncShell64.dll [2015-07-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncShell64.dll [2015-07-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncShell64.dll [2015-07-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncShell64.dll [2015-07-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\amd64\FileSyncShell64.dll [2015-07-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\FileSyncShell.dll [2015-07-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\FileSyncShell.dll [2015-07-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\FileSyncShell.dll [2015-07-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\FileSyncShell.dll [2015-07-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => C:\Users\dave\AppData\Local\Microsoft\OneDrive\17.3.5860.0512_3\FileSyncShell.dll [2015-07-31] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oursurfing.com/?type=hp&...rom=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.oursurfing.com/?type=hp&...rom=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oursurfing.com/web/?type...250315AS_6VC14481XXXX6VC14481&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.oursurfing.com/web/?type...250315AS_6VC14481XXXX6VC14481&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oursurfing.com/?type=hp&...rom=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oursurfing.com/?type=hp&...rom=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oursurfing.com/web/?type...250315AS_6VC14481XXXX6VC14481&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oursurfing.com/web/?type...250315AS_6VC14481XXXX6VC14481&q={searchTerms}
HKU\S-1-5-21-4207466264-2533654200-306421317-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://ph.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset
HKU\S-1-5-21-4207466264-2533654200-306421317-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/en-ph/?ocid=iehp
HKU\S-1-5-21-4207466264-2533654200-306421317-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.oursurfing.com/?type=hp&...rom=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type...250315AS_6VC14481XXXX6VC14481&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type...250315AS_6VC14481XXXX6VC14481&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type...250315AS_6VC14481XXXX6VC14481&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?type...250315AS_6VC14481XXXX6VC14481&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4207466264-2533654200-306421317-1001 -> DefaultScope {EE68EDC1-152A-46CB-8A72-94737E0F1707} URL = https://ph.search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-4207466264-2533654200-306421317-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.oursurfing.com/web/?utm_...81&ts=1438399688&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4207466264-2533654200-306421317-1001 -> {2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0} URL = http://www.oursurfing.com/web/?utm_...81&ts=1438399688&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4207466264-2533654200-306421317-1001 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = http://www.oursurfing.com/web/?utm_...81&ts=1438399688&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4207466264-2533654200-306421317-1001 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.oursurfing.com/web/?utm_...81&ts=1438399688&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4207466264-2533654200-306421317-1001 -> {C0C3A6C6-03BC-4195-8FCB-AEA091301353} URL = http://www.oursurfing.com/web/?utm_...81&ts=1438399688&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4207466264-2533654200-306421317-1001 -> {E733165D-CBCF-4FDA-883E-ADEF965B476C} URL = http://www.oursurfing.com/web/?utm_...81&ts=1438399688&type=default&q={searchTerms}
SearchScopes: HKU\S-1-5-21-4207466264-2533654200-306421317-1001 -> {EE68EDC1-152A-46CB-8A72-94737E0F1707} URL = https://ph.search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\ssv.dll [2015-08-01] (Oracle Corporation)
BHO-x32: Evernote extension -> {92EF2EAD-A7CE-4424-B0DB-499CF856608E} -> C:\Program Files (x86)\Evernote\Evernote\EvernoteIE.dll [2015-06-02] (Evernote Corp., 305 Walnut Street, Redwood City, CA 94063)
BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\jp2ssv.dll [2015-08-01] (Oracle Corporation)
Winsock: Catalog9 01 C:\Windows\SysWOW64\LavasoftTcpService.dll [347976 2015-05-26] (Lavasoft Limited)
Winsock: Catalog9 02 C:\Windows\SysWOW64\LavasoftTcpService.dll [347976 2015-05-26] (Lavasoft Limited)
Winsock: Catalog9 03 C:\Windows\SysWOW64\LavasoftTcpService.dll [347976 2015-05-26] (Lavasoft Limited)
Winsock: Catalog9 04 C:\Windows\SysWOW64\LavasoftTcpService.dll [347976 2015-05-26] (Lavasoft Limited)
Winsock: Catalog9 15 C:\Windows\SysWOW64\LavasoftTcpService.dll [347976 2015-05-26] (Lavasoft Limited)
Winsock: Catalog9-x64 01 C:\Windows\system32\LavasoftTcpService64.dll [429392 2015-05-26] (Lavasoft Limited)
Winsock: Catalog9-x64 02 C:\Windows\system32\LavasoftTcpService64.dll [429392 2015-05-26] (Lavasoft Limited)
Winsock: Catalog9-x64 03 C:\Windows\system32\LavasoftTcpService64.dll [429392 2015-05-26] (Lavasoft Limited)
Winsock: Catalog9-x64 04 C:\Windows\system32\LavasoftTcpService64.dll [429392 2015-05-26] (Lavasoft Limited)
Winsock: Catalog9-x64 15 C:\Windows\system32\LavasoftTcpService64.dll [429392 2015-05-26] (Lavasoft Limited)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 192.168.0.1
Tcpip\..\Interfaces\{1B67A607-20DA-4915-BE53-1E42074291FB}: [DhcpNameServer] 192.168.0.1 192.168.0.1
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://www.oursurfing.com/?type=sc&...rom=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481

FireFox:
========
FF ProfilePath: C:\Users\dave\AppData\Roaming\Mozilla\Firefox\Profiles\4ijuscoz.default
FF NewTab: https://ph.yahoo.com/?fr=vmn&type=vmn__webcompa__1_0__ya__hp_WCYID10099_swoc_campaign_150526__yaff
FF SelectedSearchEngine: Yahoo
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-07-17] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-17] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\dtplugin\npDeployJava1.dll [2015-08-01] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.51.2 -> C:\Program Files (x86)\Java\jre1.8.0_51\bin\plugin2\npjp2.dll [2015-08-01] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Extension: No Name - C:\Users\dave\AppData\Roaming\Mozilla\Firefox\Profiles\4ijuscoz.default\Extensions\trash [2015-06-04]
FF HKLM-x32\...\Firefox\Extensions: [fdm_ffext@freedownloadmanager.org] - C:\Program Files (x86)\Free Download Manager\Firefox\Extension
StartMenuInternet: FIREFOX.EXE - C:\Program Files\Mozilla Firefox\firefox.exe http://www.oursurfing.com/?type=sc&...rom=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481

Chrome:
=======
CHR Profile: C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-05]
CHR Extension: (Google Drive) - C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-05-05]
CHR Extension: (YouTube) - C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-05-05]
CHR Extension: (Google Search) - C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-05-05]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-16]
CHR Extension: (Google Wallet) - C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-19]
CHR Extension: (Gmail) - C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-05]
CHR HKLM-x32\...\Chrome\Extension: [npdicihegicnhaangkdmcgbjceoemeoo] - https://clients2.google.com/service/update2/crx
StartMenuInternet: Google Chrome - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe http://www.oursurfing.com/?type=sc&...rom=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481

Opera:
=======
StartMenuInternet: (HKLM) OperaStable - C:\Program Files (x86)\Opera\Launcher.exe http://www.oursurfing.com/?type=sc&...rom=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 CronService; C:\Windows\Prey\wpxsvc.exe [611854 2015-05-06] (Fork, Ltd.) [File not signed]
S2 Freemake Improver; C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [108032 2014-08-20] (Freemake) [File not signed]
R2 LavasoftTcpService; C:\Program Files (x86)\Lavasoft\Web Companion\TcpService\2.3.4.2\LavasoftTcpService.exe [2748720 2015-04-30] (Lavasoft Limited)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16024 2015-01-31] (Microsoft Corporation)
R2 YSearchUtilSvc; C:\Program Files (x86)\Yahoo!\yset\{516D9C20-709E-5E4E-9634-0C9398060304}\YSearchUtilSvc.exe [152344 2015-06-30] (Yahoo Inc.)
S2 IHProtect Service; C:\Program Files (x86)\MiuiTab\ProtectService.exe [X]
S2 WindowsMangerProtect; C:\ProgramData\4WinManPro4\ProtectWindowsManager.exe -service [X] <==== ATTENTION

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 npf; C:\Windows\System32\drivers\npf.sys [35344 2010-07-16] (CACE Technologies, Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-01 19:10 - 2015-08-01 19:11 - 00017648 _____ C:\Users\dave\Desktop\FRST.txt
2015-08-01 19:10 - 2015-08-01 19:10 - 00000000 ____D C:\FRST
2015-08-01 19:09 - 2015-08-01 19:09 - 02168832 _____ (Farbar) C:\Users\dave\Desktop\FRST64.exe
2015-08-01 18:15 - 2015-08-01 18:27 - 00028992 _____ C:\Windows\WindowsUpdate.log
2015-08-01 14:43 - 2015-08-01 14:43 - 00003732 _____ C:\Users\dave\Documents\10499338_955119794521175_2311914814354337643_o(1) - Shortcut.lnk
2015-08-01 14:07 - 2015-08-01 14:07 - 00000000 ____D C:\Users\dave\AppData\Local\YSearchUtil
2015-08-01 14:07 - 2015-08-01 14:07 - 00000000 ____D C:\Program Files (x86)\Yahoo!
2015-08-01 14:05 - 2015-08-01 14:04 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-08-01 14:04 - 2015-08-01 14:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-08-01 13:57 - 2015-08-01 13:57 - 00562784 _____ (Oracle Corporation) C:\Users\dave\Downloads\jxpiinstall.exe
2015-08-01 13:38 - 2015-08-01 13:38 - 00001103 _____ C:\Users\dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start Tor Browser.lnk
2015-08-01 13:38 - 2015-08-01 13:38 - 00001055 _____ C:\Users\dave\Desktop\Start Tor Browser.lnk
2015-08-01 13:00 - 2015-08-01 13:32 - 35912896 _____ C:\Users\dave\Downloads\torbrowser-install-4.5.3_en-US.exe
2015-08-01 11:28 - 2015-08-01 11:57 - 00000000 ____D C:\Program Files (x86)\MiuiTab
2015-08-01 11:28 - 2015-08-01 11:28 - 00000000 ____D C:\ProgramData\IHProtectUpDate
2015-08-01 11:27 - 2015-08-01 12:08 - 00000000 ____D C:\ProgramData\LuckyBrowse
2015-08-01 11:27 - 2015-08-01 11:58 - 00000000 ____D C:\ProgramData\4WinManPro4
2015-08-01 11:27 - 2015-08-01 11:56 - 00000000 ____D C:\Users\dave\AppData\Roaming\oursurfing
2015-08-01 11:27 - 2015-08-01 11:27 - 00000000 _____ C:\Windows\prleth.sys
2015-08-01 11:27 - 2015-08-01 11:27 - 00000000 _____ C:\Windows\hgfs.sys
2015-08-01 11:13 - 2015-08-01 11:17 - 03832984 _____ (http://spring-files.com) C:\Users\dave\Downloads\Player_downloader.exe
2015-08-01 09:42 - 2015-08-01 11:00 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-07-31 12:50 - 2015-07-31 12:50 - 07676608 _____ (Microsoft Corporation) C:\Users\dave\Downloads\OneDriveSetup(2).exe
2015-07-31 12:36 - 2015-07-31 12:50 - 00002257 _____ C:\Users\dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2015-07-31 12:06 - 2015-07-31 12:06 - 00002201 _____ C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2015-07-31 12:06 - 2015-07-31 12:06 - 00002201 _____ C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2015-07-31 07:44 - 2015-07-31 07:44 - 00000614 _____ C:\Users\dave\Desktop\BibleDesktop - Shortcut (2).lnk
2015-07-23 20:04 - 2015-06-09 21:09 - 00411133 _____ C:\Windows\system32\ApnDatabase.xml
2015-07-21 08:06 - 2015-07-15 04:11 - 00035328 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2015-07-21 08:06 - 2015-07-15 04:09 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-07-21 08:06 - 2015-07-15 03:43 - 00366592 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-07-21 08:06 - 2015-07-15 03:43 - 00304128 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2015-07-20 08:09 - 2015-07-20 08:09 - 00000000 ___HD C:\OneDriveTemp
2015-07-19 18:19 - 2015-07-19 18:19 - 00000000 ____D C:\Users\dave\AppData\Local\Skype
2015-07-19 18:18 - 2015-07-19 18:29 - 00000000 ____D C:\Users\dave\AppData\Roaming\Skype
2015-07-19 18:18 - 2015-07-19 18:18 - 00002697 _____ C:\Users\Public\Desktop\Skype.lnk
2015-07-19 18:18 - 2015-07-19 18:18 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-07-19 18:18 - 2015-07-19 18:18 - 00000000 ____D C:\ProgramData\Skype
2015-07-19 18:18 - 2015-07-19 18:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2015-07-16 14:29 - 2015-07-16 14:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-07-16 14:29 - 2015-07-16 14:29 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-07-16 14:26 - 2015-07-16 14:29 - 06962912 _____ (Microsoft Corporation) C:\Users\dave\Downloads\Silverlight.exe
2015-07-16 00:11 - 2015-06-15 23:22 - 13771264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-07-16 00:11 - 2015-06-15 23:22 - 02056704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-07-16 00:11 - 2015-06-15 23:22 - 01763328 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-07-16 00:11 - 2015-06-15 23:22 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-07-16 00:11 - 2015-06-15 23:22 - 00737280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll
2015-07-16 00:11 - 2015-06-15 23:22 - 00690176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-07-16 00:11 - 2015-06-15 23:22 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-07-16 00:11 - 2015-06-15 23:22 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-07-16 00:11 - 2015-06-15 23:22 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-07-16 00:11 - 2015-06-15 23:22 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-07-16 00:11 - 2015-06-15 23:22 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-07-16 00:11 - 2015-06-15 23:22 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-07-16 00:11 - 2015-06-15 23:20 - 15415296 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-07-16 00:11 - 2015-06-15 23:20 - 02656768 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-07-16 00:11 - 2015-06-15 23:20 - 02237440 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-07-16 00:11 - 2015-06-15 23:20 - 01409024 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-07-16 00:11 - 2015-06-15 23:20 - 00949760 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll
2015-07-16 00:11 - 2015-06-15 23:20 - 00856064 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-07-16 00:11 - 2015-06-15 23:20 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-07-16 00:11 - 2015-06-15 23:20 - 00601600 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-07-16 00:11 - 2015-06-15 23:20 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-07-16 00:11 - 2015-06-15 23:20 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-07-16 00:11 - 2015-06-15 23:19 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-07-16 00:11 - 2015-06-15 23:19 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-07-15 22:25 - 2015-07-03 04:31 - 19291136 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-07-15 22:25 - 2015-07-03 03:15 - 14384640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-07-15 20:30 - 2015-06-27 21:55 - 02865152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-07-15 20:30 - 2015-06-27 21:46 - 03960320 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-07-15 08:19 - 2015-06-28 00:36 - 00171352 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-07-15 08:19 - 2015-06-27 21:56 - 00452608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SHCore.dll
2015-07-15 08:19 - 2015-06-27 21:55 - 00668160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-07-15 08:19 - 2015-06-27 21:55 - 00273920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-07-15 08:19 - 2015-06-27 21:46 - 01314816 _____ (Microsoft Corporation) C:\Windows\system32\rpcrt4.dll
2015-07-15 08:19 - 2015-06-27 21:46 - 00829952 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-07-15 08:19 - 2015-06-27 21:46 - 00588800 _____ (Microsoft Corporation) C:\Windows\system32\SHCore.dll
2015-07-15 08:19 - 2015-06-27 21:46 - 00318464 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-07-15 08:19 - 2015-06-27 21:23 - 00694784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rpcrt4.dll
2015-07-15 08:19 - 2015-06-26 02:29 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys
2015-07-15 08:19 - 2015-06-26 02:27 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys
2015-07-15 08:18 - 2015-07-15 08:18 - 00003836 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1432611044
2015-07-15 08:18 - 2015-01-07 12:25 - 00403456 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys
2015-07-15 08:17 - 2015-08-01 11:27 - 00001333 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2015-07-15 08:10 - 2015-06-17 22:13 - 01150264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll
2015-07-15 08:10 - 2015-06-17 21:44 - 01567560 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll
2015-07-15 08:10 - 2015-06-09 21:57 - 03248640 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2015-07-15 08:09 - 2015-06-15 23:22 - 08858112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll
2015-07-15 08:09 - 2015-06-15 23:22 - 02416640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2015-07-15 08:09 - 2015-06-15 23:22 - 02037760 _____ (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2015-07-15 08:09 - 2015-06-15 23:22 - 00062976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe
2015-07-15 08:09 - 2015-06-15 23:21 - 00124416 _____ (Microsoft Corporation) C:\Windows\system32\msiexec.exe
2015-07-15 08:09 - 2015-06-15 23:20 - 10116608 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll
2015-07-15 08:09 - 2015-06-15 23:20 - 02886144 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2015-07-15 08:09 - 2015-06-15 23:19 - 02307072 _____ (Microsoft Corporation) C:\Windows\system32\authui.dll
2015-07-15 08:05 - 2015-06-12 04:29 - 01302528 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2015-07-15 08:05 - 2015-06-12 00:27 - 01024000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2015-07-15 07:58 - 2015-06-25 09:54 - 04064768 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-07-10 08:11 - 2015-07-17 08:15 - 19198128 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-07-08 16:48 - 2015-06-30 00:18 - 00026288 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe
2015-07-08 16:48 - 2015-06-29 21:28 - 00726528 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-07-08 16:48 - 2015-06-29 21:27 - 01084928 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-07-08 16:48 - 2015-06-29 21:27 - 00764928 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-07-08 16:48 - 2015-06-29 21:27 - 00433152 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-07-08 16:48 - 2015-06-29 21:27 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-07-08 16:48 - 2015-06-29 21:27 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-07-08 16:48 - 2015-06-26 21:07 - 01145856 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-07-06 20:39 - 2015-07-06 20:40 - 00967153 _____ (clock-creator.co.uk ) C:\Users\dave\Downloads\cc_setup.exe
2015-07-06 20:32 - 2015-07-06 20:32 - 00000000 ____D C:\Users\Public\Documents\Aquarius Soft
2015-07-06 20:32 - 2015-07-06 20:32 - 00000000 ____D C:\Users\dave\AppData\Roaming\Aquarius Soft
2015-07-06 20:32 - 2015-07-06 20:32 - 00000000 ____D C:\ProgramData\Aquarius Soft
2015-07-06 20:32 - 2015-07-06 20:32 - 00000000 ____D C:\Program Files (x86)\Aquarius Soft
2015-07-06 20:31 - 2015-07-06 20:32 - 00955704 _____ (Aquarius Soft Pte Ltd ) C:\Users\dave\Downloads\asacpro.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-01 19:08 - 2015-05-08 17:30 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-01 15:26 - 2015-05-05 19:53 - 00000926 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-01 15:00 - 2012-07-26 16:12 - 00000000 ____D C:\Windows\system32\sru
2015-08-01 14:43 - 2015-05-07 16:01 - 01106432 ___SH C:\Users\dave\Desktop\Thumbs.db
2015-08-01 14:04 - 2015-06-01 12:13 - 00000000 ____D C:\Program Files (x86)\Java
2015-08-01 12:56 - 2015-05-27 11:45 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-08-01 12:35 - 2015-06-13 09:49 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-08-01 12:33 - 2015-06-13 09:45 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-08-01 12:18 - 2015-06-21 08:28 - 00000000 ___RD C:\Users\dave\OneDrive
2015-08-01 11:27 - 2015-05-05 22:09 - 00001218 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-08-01 11:27 - 2015-05-05 12:08 - 00001712 _____ C:\Users\dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-08-01 11:00 - 2015-05-05 22:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-08-01 09:34 - 2015-05-06 23:59 - 00000000 ____D C:\Windows\Prey
2015-07-31 21:41 - 2015-05-05 23:15 - 00000000 ____D C:\Users\dave\AppData\Roaming\vlc
2015-07-31 21:14 - 2015-05-25 21:37 - 00000000 ____D C:\Users\dave\AppData\Roaming\MP3 Editor for Free
2015-07-31 18:18 - 2015-05-16 20:14 - 00003934 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{B9F16B4C-59BA-4B09-96F4-CC65F5822FA2}
2015-07-31 12:42 - 2015-05-05 19:12 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-4207466264-2533654200-306421317-1001
2015-07-31 12:06 - 2015-06-21 08:28 - 00000000 ____D C:\Program Files (x86)\Microsoft OneDrive
2015-07-31 12:05 - 2015-06-21 08:26 - 00000000 ____D C:\ProgramData\Microsoft OneDrive
2015-07-31 12:04 - 2012-07-26 15:22 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-31 12:03 - 2012-07-26 13:26 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-07-31 11:54 - 2014-10-18 01:33 - 00003567 _____ C:\Users\dave\Documents\Email and Facebook id's and passwords.txt
2015-07-30 08:05 - 2012-07-26 16:12 - 00000000 ____D C:\Windows\AUInstallAgent
2015-07-30 08:04 - 2015-05-05 12:07 - 00000000 ____D C:\Users\dave\AppData\Local\Packages
2015-07-25 20:40 - 2015-06-04 22:27 - 00000000 ____D C:\Users\dave\SermonIndex_Sermons
2015-07-23 20:05 - 2012-07-26 15:59 - 00000000 ____D C:\Windows\CbsTemp
2015-07-22 15:50 - 2015-05-08 00:29 - 00281624 _____ C:\Windows\system32\FNTCACHE.DAT
2015-07-22 09:05 - 2015-05-08 17:17 - 00934912 ___SH C:\Users\dave\Downloads\Thumbs.db
2015-07-21 19:11 - 2015-06-07 11:15 - 00000000 ____D C:\Users\dave\Desktop\Sermon Files
2015-07-18 08:44 - 2015-05-26 11:04 - 00000000 ____D C:\Program Files (x86)\Opera
2015-07-17 08:16 - 2015-05-08 17:30 - 00003718 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-07-16 14:36 - 2015-05-05 19:53 - 00003902 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-07-16 14:36 - 2015-05-05 19:53 - 00003666 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-07-16 14:36 - 2015-05-05 19:53 - 00000930 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-16 14:13 - 2015-05-07 19:05 - 00000000 ____D C:\Windows\system32\MRT
2015-07-16 08:13 - 2012-07-26 16:12 - 00000000 ____D C:\Windows\rescache
2015-07-16 06:59 - 2012-07-26 16:12 - 00000000 ___RD C:\Windows\ToastData
2015-07-15 08:08 - 2015-06-01 12:14 - 00000000 ____D C:\ProgramData\Oracle
2015-07-14 14:21 - 2015-06-04 22:13 - 00000000 ____D C:\Users\dave\SermonIndex_Cache
2015-07-14 05:22 - 2015-05-07 21:48 - 00792032 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-07-14 05:22 - 2015-05-07 21:48 - 00177632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-07-13 21:02 - 2015-05-29 13:44 - 00000000 ____D C:\Users\dave\Documents\Wave Pad Tutorials
2015-07-13 21:02 - 2015-05-08 23:34 - 00000000 ___RD C:\Users\dave\Documents\Notes
2015-07-09 18:21 - 2015-05-05 22:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-07-09 11:55 - 2015-07-01 08:44 - 00000000 ____D C:\Users\dave\Desktop\Scriptures
2015-07-08 16:48 - 2015-05-07 21:38 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-07-08 16:48 - 2015-05-07 21:38 - 00000000 ____D C:\Windows\system32\appraiser
2015-07-07 07:35 - 2015-06-01 09:18 - 00000000 ____D C:\Program Files (x86)\CrossWire
2015-07-05 18:08 - 2015-05-08 17:14 - 00300704 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-07-03 08:43 - 2015-05-07 19:04 - 130333168 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-07-03 08:01 - 2015-05-15 09:41 - 00000000 ____D C:\Program Files (x86)\Total PDF Converter
2015-07-02 12:31 - 2015-06-19 07:04 - 00000000 ____D C:\Users\dave\Documents\Compass

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-08-01 09:30

==================== End of log ============================

Just in case I didn't do it right, I am attaching the results by upload file. Probably unnecessary but here it is.
Thanks again.

starbuck · Aug 1, 2015

Hi Dave,

Step 1
Please download the attached fixlist.txt file (bottom of this post) and save it to the Desktop.
NOTE.
It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system

Re-run FRST/FRST64 (which ever is installed ) and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post this in your next reply.

Step 2
There was quite a bit of Adware in the report... let's check for any leftovers.

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.

Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

The tool will open and start scanning your system.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

Post the contents of JRT.txt into your next message.

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.

Double click on adwcleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.

Click on the Scan button.

AdwCleaner will begin to scan your computer.

After the scan has finished...

Click on the Clean button.

Press OK when asked to close all programs and follow the onscreen prompts.

Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.

Copy and paste the contents of that logfile in your next reply.

A copy of that logfile will also be saved in the C:\AdwCleaner folder.

In your next reply, please submit:
Fixlog.txt
JRT.txt
AdwCleaner report

Thanks.

daveleonard · Aug 1, 2015

# AdwCleaner v4.208 - Logfile created 02/08/2015 at 08:36:05
# Updated 09/07/2015 by Xplode
# Database : 2015-08-01.1 [Server]
# Operating system : Windows 8 Single Language (x64)
# Username : dave - DAVELEONARD
# Running from : C:\Users\dave\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : YSearchUtilSvc

***** [ Files / Folders ] *****

Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil
Folder Deleted : C:\Users\dave\AppData\Local\jZip
Folder Deleted : C:\Users\dave\AppData\Roaming\RHEng
Folder Deleted : C:\Users\dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Boost
Folder Deleted : C:\Users\dave\Documents\Uninstaller
File Deleted : C:\Users\dave\AppData\Roaming\Mozilla\Firefox\Profiles\4ijuscoz.default\searchplugins\yahoo.xml

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk
Shortcut Disinfected : C:\Users\dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\dave\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
Shortcut Disinfected : C:\Users\dave\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Shortcut Disinfected : C:\Users\dave\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
Shortcut Disinfected : C:\Users\dave\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\dave\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox (2).lnk
Shortcut Disinfected : C:\Users\dave\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera.lnk

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1F91A9A1-01BA-4C81-863D-3BA0751E1419}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{7D3C47ED-E0BE-4940-9DDA-A7A097AEBD88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3614D305-2DBB-4991-9297-750DD60FFC73}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{917CAAE9-DD47-4025-936E-1414F07DF5B8}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\HomeTab
Key Deleted : HKCU\Software\simplytech
Key Deleted : HKCU\Software\WajIEnhance
Key Deleted : HKCU\Software\TNT2
Key Deleted : HKCU\Software\WajIntEnhance
Key Deleted : HKCU\Software\SearchProtectWS
Key Deleted : HKCU\Software\Linkey
Key Deleted : HKCU\Software\PRODUCTSETUP
Key Deleted : HKCU\Software\Kromtech
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\Iminent
Key Deleted : HKLM\SOFTWARE\SearchProtect
Key Deleted : HKLM\SOFTWARE\SimpleFiles
Key Deleted : HKLM\SOFTWARE\SupDp
Key Deleted : HKLM\SOFTWARE\SupTab
Key Deleted : HKLM\SOFTWARE\supWindowsMangerProtect
Key Deleted : HKLM\SOFTWARE\IHProtect
Key Deleted : HKLM\SOFTWARE\WajIntEnhance
Key Deleted : HKLM\SOFTWARE\SpeedBit
Key Deleted : HKLM\SOFTWARE\AIM Toolbar
Key Deleted : HKLM\SOFTWARE\oursurfingSoftware
Key Deleted : HKLM\SOFTWARE\searchult
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\IMBoosterARP
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\IminentToolbar
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\WajIntEnhance
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Vosteran.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IMBoosterARP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IminentToolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WajIntEnhance
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Vosteran.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Linkey

***** [ Web browsers ] *****

-\\ Internet Explorer v10.0.9200.17377

-\\ Mozilla Firefox v

-\\ Google Chrome v44.0.2403.107

[C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://ph.yhs4.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wncy_ir_15_20&param1=1&param2=f%3D4%26b%3DChrome%26cc%3Dph%26pa%3DWincy%26cd%3D2XzuyEtN2Y1L1QzutCtBtCyB0CyE0CtByC0C0Fzyzy0A0DyEtN0D0Tzu0StCtBtAtCtN1L2XzutAtFtCtDtFyCtFtCtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyD0F0EyDzztBzz0AtGyEyCyEyCtG0ByDyDyEtGzytAyC0DtGyB0B0D0D0DtC0AzzyEtCyBtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0FzyzztBtB0BtBtG0CzytAyCtGyEtCyBtDtGzztAyCtCtGyByC0C0CtDtCtDzztD0CzytC2QtN0A0LzutBtN1B2Z1V1T1S1NzuyByDyB%26cr%3D1391950150%26a%3Dwncy_ir_15_20%26os%3DWindows 8 Single Language&p={searchTerms}
[C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.oursurfing.com/web/?type=ds&ts=1438399629&z=d919dd52f55658b6ac7acd3g9z6c1b8c7t2t2q6odw&from=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481&q={searchTerms}
[C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Homepage] : hxxp://www.oursurfing.com/?type=hp&ts=1438399629&z=d919dd52f55658b6ac7acd3g9z6c1b8c7t2t2q6odw&from=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481
[C:\Users\dave\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Startup_URLs] : 70439F48B64DDEBF0151A04675AA6F2198AF29B1097486DB7FDBE4FEFF6E345E"},"software_reporter":{"prompt_reason":"FC1928F434330B031F537F35409FED032D540514ECADA4E191AF8B17A56858F8","prompt_seed":"2F8AD800C2BD568F0933AAB4937FE89AF91F695C2A04B3D608BC07FB09D2D1D2","prompt_version":"A66E7A6B0BA1BF15842EE61EC83C67DEC5C06D50782828567CEFB9A50F7714F4"},"sync":{"remaining_rollback_tries":"A8E8A46501AF3E2CE290A43474872DF17F4D08D83E5ECC344C3A2E4B36B4F8E7"}},"super_mac":"58C51CCEDA390BE3CE50F5FD284FAB09AFFF2236FFAA1441FBDB4B54CFB4E179"},"session":{"restore_on_startup":4,"startup_urls":["hxxp://www.oursurfing.com/?type=hp&ts=1438399629&z=d919dd52f55658b6ac7acd3g9z6c1b8c7t2t2q6odw&from=exp1&uid=ST9250315AS_6VC14481XXXX6VC14481

-\\ Chromium v44.0.2386.0

-\\ Opera v30.0.1835.125

*************************

AdwCleaner[R0].txt - [8738 bytes] - [02/08/2015 08:35:02]
AdwCleaner[S0].txt - [8274 bytes] - [02/08/2015 08:36:05]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [8333 bytes] ##########
Ok, Thanks Starbuck. Looks like it worked as I got my Firefox search back. Thanks so much, Dave

starbuck · Aug 1, 2015

Hi Dave,

Reports look good.

If everything is back to normal we can remove the tools we used:

Download Delfix and save it to your desktop.

Ensure Remove disinfection tools is checked.

Also place a checkmark next to:

Create registry backup

Purge system restore

.

Click the Run button.

When the tool has finished, a log will open in notepad.... but i don't actually need this report

Glad I was able to help.

Safe surfing.

Log in or Sign up

[Solved] Apparent malware problem.

daveleonard Registered Members

starbuck Rest In Peace Pete Administrator

daveleonard Registered Members

Attached Files:

FRST.txt

Addition.txt

starbuck Rest In Peace Pete Administrator

Attached Files:

fixlist.txt

daveleonard Registered Members

Attached Files:

Fixlog.txt

JRT.txt

starbuck Rest In Peace Pete Administrator

Share This Page

Log in or Sign up

[Solved] Apparent malware problem.

daveleonard Registered Members

starbuck Rest In Peace Pete Administrator

daveleonard Registered Members

Attached Files:

FRST.txt

Addition.txt

starbuck Rest In Peace Pete Administrator

Attached Files:

fixlist.txt

daveleonard Registered Members

Attached Files:

Fixlog.txt

JRT.txt

starbuck Rest In Peace Pete Administrator

Share This Page

Useful Searches