[Jasmyne]

Jasmyne,

Before we start off fixing, can I get to understand what does the problem seem like and what are we doing to fix it?
Are we going to loose any existing data in the process of clean up?

Completely understandable. The first step is actually another scan that will hopefully confirm our suspicion that it is a rootkit that is causing the audio issue. If aswMBR confirms the rootkit, after submitting for approval, I'll post removal instructions specifically for it. The removal and scan are done in two steps because sometimes scans have false positives and automatically choosing to remove can cause the system to become unbootable. The second step is just removing a few things that can cause search redirects and slow down your browser. None of these current instructions should cause the loss of any of the personal data on your computer, but malware removal is a tricky undertaking so it isn't 100% out of the realm of possibilities, so if you'd feel more comfortable backing it up first, please do so.

If you have any other questions, feel free to ask.

Jasmyne

[Advertisements]

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-07-18 15:13:40
-----------------------------
15:13:40.862 OS Version: Windows x64 6.0.6002 Service Pack 2
15:13:40.862 Number of processors: 2 586 0x170A
15:13:40.862 ComputerName: MONVISHI UserName:
15:13:47.293 Initialize success
15:14:13.192 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:14:13.194 Disk 0 Vendor: WDC_WD5000AAJS-55A8B0 01.03B01 Size: 476940MB BusType: 3
15:14:13.197 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000005e
15:14:13.200 Disk 1 Vendor: RICOH 01 Size: 476940MB BusType: 0
15:14:13.338 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000005f
15:14:13.342 Disk 2 Vendor: RICOH 02 Size: 476940MB BusType: 0
15:14:13.346 Device \Driver\atapi -> MajorFunction fffffa80051980a8
15:14:13.383 Disk 0 MBR read successfully
15:14:13.388 Disk 0 MBR scan
15:14:13.392 Disk 0 Windows VISTA default MBR code found via API
15:14:13.401 Disk 0 unknown MBR code
15:14:13.405 Disk 0 MBR hidden
15:14:13.418 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10064 MB offset 2048
15:14:13.444 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 466874 MB offset 20613120
15:14:13.807 Disk 0 MBR [possible unknown bootkit@MBR] **ROOTKIT**
15:14:13.815 Scan finished successfully
15:14:49.192 Disk 0 MBR has been saved successfully to "C:\Users\Fry's Electronics\Desktop\MBR.dat"
15:14:49.197 The log file has been saved successfully to "C:\Users\Fry's Electronics\Desktop\aswMBR.txt"

[Monvishi]

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-07-18 15:13:40
-----------------------------
15:13:40.862 OS Version: Windows x64 6.0.6002 Service Pack 2
15:13:40.862 Number of processors: 2 586 0x170A
15:13:40.862 ComputerName: MONVISHI UserName:
15:13:47.293 Initialize success
15:14:13.192 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:14:13.194 Disk 0 Vendor: WDC_WD5000AAJS-55A8B0 01.03B01 Size: 476940MB BusType: 3
15:14:13.197 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000005e
15:14:13.200 Disk 1 Vendor: RICOH 01 Size: 476940MB BusType: 0
15:14:13.338 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000005f
15:14:13.342 Disk 2 Vendor: RICOH 02 Size: 476940MB BusType: 0
15:14:13.346 Device \Driver\atapi -> MajorFunction fffffa80051980a8
15:14:13.383 Disk 0 MBR read successfully
15:14:13.388 Disk 0 MBR scan
15:14:13.392 Disk 0 Windows VISTA default MBR code found via API
15:14:13.401 Disk 0 unknown MBR code
15:14:13.405 Disk 0 MBR hidden
15:14:13.418 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10064 MB offset 2048
15:14:13.444 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 466874 MB offset 20613120
15:14:13.807 Disk 0 MBR [possible unknown bootkit@MBR] **ROOTKIT**
15:14:13.815 Scan finished successfully
15:14:49.192 Disk 0 MBR has been saved successfully to "C:\Users\Fry's Electronics\Desktop\MBR.dat"
15:14:49.197 The log file has been saved successfully to "C:\Users\Fry's Electronics\Desktop\aswMBR.txt"

[Monvishi]

All processes killed
========== COMMANDS ==========
Unable to start System Restore Service. Error code 1084
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4DAA3263-3B55-4875-88D7-859A1283470B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DAA3263-3B55-4875-88D7-859A1283470B}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{00000000-0000-0000-0000-000000000000} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1BB22D38-A411-4B13-A746-C2A4F4EC7344} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1BB22D38-A411-4B13-A746-C2A4F4EC7344}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: AppData

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 41620 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Fry's Electronics
->Temp folder emptied: 332844636 bytes
->Temporary Internet Files folder emptied: 23971184 bytes
->Java cache emptied: 33189276 bytes
->Google Chrome cache emptied: 463518075 bytes
->Flash cache emptied: 4262534 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 74507639 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 22278947 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 155488736 bytes
RecycleBin emptied: 1777546610 bytes

Total Files Cleaned = 2,754.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 07182013_151827

[Monvishi]

OTL logfile created on: 7/18/2013 3:49:13 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Fry's Electronics\Downloads
64bit-Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.81 Gb Total Physical Memory | 2.08 Gb Available Physical Memory | 54.49% Memory free
9.41 Gb Paging File | 7.80 Gb Available in Paging File | 82.98% Paging File free
Paging file location(s): c:\pagefile.sys 5850 5850 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 455.93 Gb Total Space | 159.49 Gb Free Space | 34.98% Space Free | Partition Type: NTFS
Drive F: | 0.46 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

Computer Name: MONVISHI | User Name: Fry's Electronics | Logged in as Administrator.
Boot Mode: SafeMode with Networking | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/07/18 15:48:57 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Fry's Electronics\Downloads\OTL (3).exe


========== Modules (No Company Name) ==========


========== Services (SafeList) ==========

SRV:64bit: - File not found [Auto | Stopped] -- C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe -- (Amsp)
SRV:64bit: - [2013/01/25 19:39:36 | 007,975,720 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro SafeSync\hrfscore.exe -- (OnlineStorageService)
SRV:64bit: - [2008/08/06 18:06:48 | 000,407,392 | ---- | M] (Sony Corporation) [Auto | Stopped] -- C:\Program Files\Sony\VAIO Power Management\SPMService.exe -- (VAIO Power Management)
SRV:64bit: - [2008/06/11 23:13:24 | 000,337,184 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe -- (VcmIAlzMgr)
SRV:64bit: - [2008/06/11 23:10:46 | 000,107,808 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe -- (VcmXmlIfHelper)
SRV:64bit: - [2008/01/20 19:47:32 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013/07/08 04:09:10 | 004,153,184 | ---- | M] (TeamViewer GmbH) [Auto | Stopped] -- C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe -- (TeamViewer8)
SRV - [2013/06/12 12:20:51 | 000,256,904 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/18 07:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/06/21 05:01:58 | 000,092,632 | ---- | M] (TomTom) [Auto | Stopped] -- C:\Program Files (x86)\TomTom HOME 2\TomTomHOMEService.exe -- (TomTomHOMEService)
SRV - [2009/03/29 21:42:14 | 000,066,368 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/28 17:45:42 | 000,182,112 | ---- | M] (Sony Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe -- (VAIO Event Service)
SRV - [2008/07/11 04:51:19 | 000,133,120 | ---- | M] (Realtek Semiconductor) [Auto | Stopped] -- C:\Windows\RTKAUDIOSERVICE.EXE -- (RtkAudioService)
SRV - [2008/06/20 08:56:44 | 000,415,744 | ---- | M] (Sony Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe -- (VCFw)
SRV - [2008/06/19 08:55:48 | 000,279,848 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe -- (Vcsw)
SRV - [2008/05/22 14:23:10 | 000,192,512 | ---- | M] (Sony Corporation) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe -- (VzCdbSvc)
SRV - [2008/05/22 14:21:44 | 000,073,728 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Sony Shared\VAIO Entertainment Platform\VzHardwareResourceManager\VzHardwareResourceManager\VzHardwareResourceManager.exe -- (VAIO Entertainment TV Device Arbitration Service)
SRV - [2008/05/20 19:05:40 | 000,353,568 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Sony\VAIO Media plus\SOHDms.exe -- (SOHDms)
SRV - [2008/05/20 19:05:40 | 000,103,712 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Sony\VAIO Media plus\SOHCImp.exe -- (SOHCImp)
SRV - [2008/05/20 19:05:40 | 000,062,752 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Sony\VAIO Media plus\SOHDs.exe -- (SOHDs)
SRV - [2008/05/20 01:51:34 | 000,077,824 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2008/05/20 01:49:04 | 000,053,248 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2008/05/20 01:29:06 | 000,053,248 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2008/03/25 14:32:18 | 000,104,960 | ---- | M] (ArcSoft, Inc.) [Auto | Stopped] -- C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects\uCamMonitor.exe -- (uCamMonitor)
SRV - [2007/01/04 19:48:50 | 000,112,152 | ---- | M] (InterVideo) [Auto | Stopped] -- C:\Program Files (x86)\Common Files\InterVideo\RegMgr\iviRegMgr.exe -- (IviRegMgr)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2013/02/21 18:53:00 | 000,042,184 | ---- | M] (Anchorfree Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\taphss6.sys -- (taphss6)
DRV:64bit: - [2012/12/13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012/09/24 23:01:12 | 000,107,048 | ---- | M] (Trend Micro Inc.) [Kernel | System | Stopped] -- C:\Windows\SysNative\DRIVERS\tmactmon.sys -- (tmactmon)
DRV:64bit: - [2012/09/24 23:00:36 | 000,077,184 | ---- | M] (Trend Micro Inc.) [Kernel | System | Stopped] -- C:\Windows\SysNative\DRIVERS\tmevtmgr.sys -- (tmevtmgr)
DRV:64bit: - [2012/09/24 23:00:00 | 000,173,504 | ---- | M] (Trend Micro Inc.) [Kernel | System | Stopped] -- C:\Windows\SysNative\DRIVERS\tmcomm.sys -- (tmcomm)
DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012/02/29 06:52:46 | 000,016,384 | ---- | M] (Microsoft Corporation) [Recognizer | System | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011/08/02 13:58:38 | 000,105,744 | ---- | M] (Trend Micro Inc.) [Kernel | System | Stopped] -- C:\Windows\SysNative\DRIVERS\tmtdi.sys -- (tmtdi)
DRV:64bit: - [2009/08/05 20:24:16 | 000,061,280 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2009/04/10 22:43:06 | 000,019,456 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\usb8023x.sys -- (usb_rndisx)
DRV:64bit: - [2008/08/13 17:01:16 | 000,021,032 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\btwrchid.sys -- (btwrchid)
DRV:64bit: - [2008/08/13 17:01:15 | 000,132,136 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwavdt.sys -- (btwavdt)
DRV:64bit: - [2008/08/13 17:01:15 | 000,095,272 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\btwaudio.sys -- (btwaudio)
DRV:64bit: - [2008/08/13 17:00:47 | 000,036,392 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\btwl2cap.sys -- (btwl2cap)
DRV:64bit: - [2008/08/12 17:01:41 | 007,907,872 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2008/07/17 17:02:44 | 000,064,512 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\risdsn64.sys -- (risdptsk)
DRV:64bit: - [2008/06/25 17:13:33 | 000,085,504 | ---- | M] (REDC) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\rimssn64.sys -- (rimsptsk)
DRV:64bit: - [2008/06/19 17:37:17 | 000,056,344 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\HECIx64.sys -- (HECIx64)
DRV:64bit: - [2008/06/02 17:05:24 | 001,133,568 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\athrx.sys -- (athr)
DRV:64bit: - [2008/05/28 03:23:40 | 000,154,168 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wimfltr.sys -- (WimFltr)
DRV:64bit: - [2008/05/26 17:06:28 | 000,315,008 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\e1y60x64.sys -- (e1yexpress)
DRV:64bit: - [2008/04/08 03:00:00 | 000,055,024 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\SysNative\Drivers\PxHlpa64.sys -- (PxHlpa64)
DRV:64bit: - [2008/03/10 04:01:26 | 000,011,392 | ---- | M] (Sony Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\SFEP.sys -- (SFEP)
DRV:64bit: - [2008/01/30 17:33:30 | 000,019,456 | ---- | M] (ArcSoft, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\ArcSoftKsUFilter.sys -- (ArcSoftKsUFilter)
DRV:64bit: - [2008/01/20 19:47:28 | 000,046,080 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - [2008/01/20 19:46:55 | 000,111,104 | ---- | M] (Microsoft Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\DRIVERS\sdbus.sys -- (sdbus)
DRV - [2008/09/19 08:28:44 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/09/19 08:28:43 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2008/07/11 16:42:58 | 000,010,216 | ---- | M] (Sony Corporation) [Kernel | System | Stopped] -- C:\Windows\SysWOW64\drivers\DMICall.sys -- (DMICall)
DRV - [2004/11/22 15:36:39 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)
DRV - [2004/11/22 15:36:34 | 000,019,345 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Motive\MREMPR5.sys -- (MREMPR5)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople_f08
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = Reg Error: Value error.
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = Reg Error: Value error.
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sony.com/vaiopeople_f08
IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?ilc=8
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\..\URLSearchHook: {e9911ec6-1bcc-40b0-9993-e0eea7f6953f} - No CLSID value found
IE - HKLM\..\SearchScopes,DefaultScope = {9C8D44A2-4C05-4FF6-B6D6-F44921CAB055}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople_f08
IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\..\SearchScopes\{B4C2B5BA-DA2E-41B4-8553-DAE2372B7559}: "URL" =
IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=4.0: C:\Program Files (x86)\Virtual Earth 3D\ [2013/02/07 18:39:37 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.9.2: C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.9.2: C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/VirtualEarth3D,version=4.0: C:\Program Files (x86)\Virtual Earth 3D\ [2013/02/07 18:39:37 | 000,000,000 | ---D | M]
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.149\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@TrendMicro.com/FFExtension: C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension\components\npToolbarChrome.dll (Trend Micro Inc.)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.3: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.1: C:\Users\Fry's Electronics\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll ( )
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Fry's Electronics\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\Fry's Electronics\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O1DPlugin: C:\Users\Fry's Electronics\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\Fry's Electronics\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Fry's Electronics\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=6: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=7: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=8: File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Fry's Electronics\AppData\Local\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{6E19037A-12E3-4295-8915-ED48BC341614}: C:\Program Files (x86)\RelevantKnowledge [2011/01/07 19:40:16 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\[email protected]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\[email protected]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/06/04 08:59:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{38783831-6098-4faa-A9C9-1EE1E343F4D2}: C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1104\7.1.1104\firefoxextension [2012/11/15 11:56:22 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22181a4d-af90-4ca3-a569-faed9118d6bc}: C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension [2012/09/10 12:04:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22C7F6C6-8D67-4534-92B5-529A0EC09405}: C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension\ [2012/11/15 11:57:05 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/06/04 08:59:57 | 000,000,000 | ---D | M]

[2010/10/03 21:17:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Fry's Electronics\AppData\Roaming\mozilla\Extensions
[2010/10/03 21:17:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Fry's Electronics\AppData\Roaming\mozilla\Extensions\[email protected]

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://search.condui...SearchSource=48
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Fry's Electronics\AppData\Local\Google\Chrome\Application\28.0.1500.71\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Fry's Electronics\AppData\Local\Google\Chrome\Application\28.0.1500.71\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Fry's Electronics\AppData\Local\Google\Chrome\Application\28.0.1500.71\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java™ Platform SE 6 U20 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Coupons Inc., Coupon Printer Manager (Enabled) = C:\Users\Fry's Electronics\AppData\Local\Google\Chrome\Application\plugins\npMozCouponPrinter.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Users\Fry's Electronics\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Users\Fry's Electronics\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: Picasa (Enabled) = C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
CHR - plugin: Windows Live\u00AE Photo Gallery (Enabled) = C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: Facebook Plugin (Enabled) = C:\Users\Fry's Electronics\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Users\Fry's Electronics\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\Fry's Electronics\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: AutocompletePro plugin for chrome = C:\Users\Fry's Electronics\AppData\Local\Google\Chrome\User Data\Default\Extensions\defdhglnppeioeflggkmglipcecffkhk\1.0_0\
CHR - Extension: Trend Micro Toolbar = C:\Users\Fry's Electronics\AppData\Local\Google\Chrome\User Data\Default\Extensions\heoldelcflnigdllmlopiefhkkobendj\5.4.0.1034_0\
CHR - Extension: WhiteSmoke New = C:\Users\Fry's Electronics\AppData\Local\Google\Chrome\User Data\Default\Extensions\klibnahbojhkanfgaglnlalfkgpcppfi\10.16.4.512_1\
CHR - Extension: Gmail = C:\Users\Fry's Electronics\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2006/09/18 14:37:24 | 000,000,761 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2:64bit: - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1361\6.8.1078\TmIEPlg.dll (Trend Micro Inc.)
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1104\7.1.1104\TmBpIe64.dll (Trend Micro Inc.)
O2 - BHO: (TmIEPlugInBHO Class) - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1361\6.8.1078\TmIEPlg32.dll (Trend Micro Inc.)
O2 - BHO: (TSToolbarBHO) - {43C6D902-A1C5-45c9-91F6-FD9E90337E18} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (TmBpIeBHO Class) - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1104\7.1.1104\TmBpIe32.dll (Trend Micro Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Trend Micro Toolbar) - {CCAC5586-44D7-4c43-B64A-F042461A97D2} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O3:64bit: - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000\..\Toolbar\WebBrowser: (AOL Toolbar) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files (x86)\AOL\AOL Toolbar 5.0\aoltb.dll File not found
O4:64bit: - HKLM..\Run: [OE] C:\Program Files\Trend Micro\Titanium\Plugin\TMAS\TMAS_OE\TMAS_OEMon.exe (Trend Micro Inc.)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Windows\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Trend Micro Client Framework] C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe (Trend Micro Inc.)
O4:64bit: - HKLM..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe (Trend Micro Inc.)
O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [WLM] C:\Program Files\Trend Micro\Titanium\Plugin\TMAS\TMAS_WLM\TMAS_WLMMon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [APSDaemon] C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [VAIORegistration] C:\Program Files\Sony\First Experience\WelcomeLauncher.exe (Sony Electronics, Inc.)
O4 - HKLM..\Run: [VWLASU] C:\Program Files\Sony\VAIO Wireless Wizard\AutoLaunchWLASU.exe (Sony Electronics, Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000..\Run: [Facebook Update] C:\Users\Fry's Electronics\AppData\Local\Facebook\Update\FacebookUpdate.exe (Facebook Inc.)
O4 - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000..\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe File not found
O4 - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000..\Run: [TomTomHOME.exe] C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe (TomTom)
O4 - HKU\S-1-5-21-4265550052-2847090512-4221517141-1000..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe File not found
O4 - Startup: C:\Users\Fry's Electronics\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Fry's Electronics\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 28
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O8:64bit: - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200 File not found
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\SysWow64\GPhotos.scr (Google Inc.)
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.9.2)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{60978BA2-A574-416B-A2A2-FEEDA5DC83C9}: NameServer = 8.8.8.8
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A97872AB-22A2-4BD1-8CFC-BD03A2683FFC}: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1104\7.1.1104\TmBpIe64.dll (Trend Micro Inc.)
O18:64bit: - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1361\6.8.1078\TmIEPlg.dll (Trend Micro Inc.)
O18:64bit: - Protocol\Handler\tmtb - No CLSID value found
O18:64bit: - Protocol\Handler\tmtbim - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18 - Protocol\Handler\tmbp {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1104\7.1.1104\TmBpIe32.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmpx {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1361\6.8.1078\TmIEPlg32.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmtb {04EAF3FB-4BAC-4B5A-A37D-A1CF210A5A42} - C:\Program Files\Trend Micro\Titanium\UIFramework\ToolbarIE.dll (Trend Micro Inc.)
O18 - Protocol\Handler\tmtbim {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)
O18:64bit: - Protocol\Filter\application/x-microsoft-rpmsg-message - No CLSID value found
O18 - Protocol\Filter\application/x-microsoft-rpmsg-message - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\VESWinlogon: DllName - (VESWinlogon.dll) - C:\Windows\SysWow64\VESWinlogon.dll (Sony Corporation)
O21:64bit: - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\Windows\SysNative\wpdshserviceobj.dll (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img2.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img2.jpg
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{bd4091bc-bbb3-11dd-b24a-001dba800086}\Shell\AutoRun\command - "" = G:\PStart.exe
O33 - MountPoints2\{dc898b79-03df-11df-8b70-001dba800086}\Shell\AutoRun\command - "" = G:\Setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/07/18 15:18:27 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/07/16 19:30:17 | 000,000,000 | ---D | C] -- C:\Users\Fry's Electronics\AppData\Roaming\TeamViewer
[2013/07/16 19:22:59 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\TeamViewer
[2013/06/21 21:27:17 | 000,000,000 | ---D | C] -- C:\Users\Fry's Electronics\AppData\Roaming\Nico Mak Computing
[2013/06/21 21:27:04 | 000,019,840 | ---- | C] (WinZip Computing, S.L.(WinZip Computing)) -- C:\Windows\SysNative\roboot64.exe
[2013/06/21 21:26:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinZip Registry Optimizer
[2010/05/15 17:26:18 | 000,082,816 | ---- | C] (VSO Software) -- C:\Users\Fry's Electronics\AppData\Roaming\pcouffin.sys
[2009/03/27 13:17:40 | 009,849,589 | ---- | C] (DVDVideoSoft Limited. ) -- C:\Users\Fry's Electronics\FreeVideoToDVDConverter.exe

========== Files - Modified Within 30 Days ==========

[2013/07/18 15:37:01 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/07/18 15:14:49 | 000,000,512 | ---- | M] () -- C:\Users\Fry's Electronics\Desktop\MBR.dat
[2013/07/18 12:41:48 | 000,000,732 | ---- | M] () -- C:\Users\Fry's Electronics\AppData\Local\d3d9caps64.dat
[2013/07/18 11:18:47 | 000,000,680 | ---- | M] () -- C:\Users\Fry's Electronics\AppData\Local\d3d9caps.dat
[2013/07/18 10:50:22 | 000,406,248 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2013/07/18 10:48:10 | 541,133,841 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013/07/16 19:23:05 | 000,000,997 | ---- | M] () -- C:\Users\Public\Desktop\TeamViewer 8.lnk
[2013/07/16 14:29:26 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2013/07/16 14:28:48 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/07/16 14:28:48 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/07/15 10:59:48 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2013/07/12 14:00:16 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/07/12 13:54:53 | 000,002,104 | ---- | M] () -- C:\Users\Fry's Electronics\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/07/12 13:54:50 | 000,000,956 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4265550052-2847090512-4221517141-1000UA.job
[2013/07/12 13:52:19 | 000,000,920 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2013/07/12 13:46:08 | 000,000,904 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4265550052-2847090512-4221517141-1000Core.job
[2013/07/11 11:41:05 | 000,000,976 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-4265550052-2847090512-4221517141-1000UA.job
[2013/07/11 11:41:01 | 000,000,954 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-4265550052-2847090512-4221517141-1000Core.job
[2013/06/24 19:23:12 | 000,710,676 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2013/06/24 19:23:12 | 000,609,762 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2013/06/24 19:23:12 | 000,105,740 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2013/06/21 21:31:05 | 000,896,350 | ---- | M] () -- C:\Windows\SysWow64\Inkaar.avi
[2013/06/21 21:18:03 | 000,001,687 | ---- | M] () -- C:\Users\Fry's Electronics\Application Data\Microsoft\Internet Explorer\Quick Launch\Vuze.lnk
[2013/06/21 21:18:02 | 000,001,687 | ---- | M] () -- C:\Users\Public\Desktop\Vuze.lnk
[2013/06/21 21:17:05 | 000,000,000 | ---- | M] () -- C:\END

========== Files Created - No Company Name ==========

[2013/07/18 15:14:49 | 000,000,512 | ---- | C] () -- C:\Users\Fry's Electronics\Desktop\MBR.dat
[2013/07/16 19:23:05 | 000,001,009 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 8.lnk
[2013/07/16 19:23:05 | 000,000,997 | ---- | C] () -- C:\Users\Public\Desktop\TeamViewer 8.lnk
[2013/07/15 14:14:28 | 000,000,680 | ---- | C] () -- C:\Users\Fry's Electronics\AppData\Local\d3d9caps.dat
[2013/07/15 12:09:41 | 000,000,732 | ---- | C] () -- C:\Users\Fry's Electronics\AppData\Local\d3d9caps64.dat
[2013/07/15 11:38:23 | 541,133,841 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2013/06/24 19:27:03 | 000,405,581 | ---- | C] () -- C:\Users\Fry's Electronics\Desktop\HEMDEVMONISHA 000208757906172013.pdf
[2013/06/21 21:30:51 | 000,896,350 | ---- | C] () -- C:\Windows\SysWow64\Inkaar.avi
[2013/06/21 21:18:02 | 000,001,687 | ---- | C] () -- C:\Users\Public\Desktop\Vuze.lnk
[2013/06/16 19:49:55 | 000,004,096 | -H-- | C] () -- C:\Users\Fry's Electronics\AppData\Local\keyfile3.drm
[2012/09/10 12:03:06 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2012/06/27 10:32:11 | 000,013,794 | ---- | C] () -- C:\Users\Fry's Electronics\bsnlrect.pdf
[2012/06/26 10:40:58 | 000,180,236 | ---- | C] () -- C:\Windows\SysWow64\mlfcache.dat
[2010/06/04 06:37:07 | 000,004,370 | ---- | C] () -- C:\Program Files (x86)\hyperlinks.bat
[2010/05/15 17:26:18 | 000,007,859 | ---- | C] () -- C:\Users\Fry's Electronics\AppData\Roaming\pcouffin.cat
[2010/05/15 17:26:18 | 000,001,167 | ---- | C] () -- C:\Users\Fry's Electronics\AppData\Roaming\pcouffin.inf
[2010/03/16 20:16:05 | 000,009,598 | -HS- | C] () -- C:\ProgramData\JbFeVbi1v
[2008/11/29 08:35:23 | 001,263,689 | ---- | C] () -- C:\Users\Fry's Electronics\AppData\Roaming\UserTile.png
[2008/11/29 08:34:49 | 000,000,000 | ---- | C] () -- C:\Users\Fry's Electronics\AppData\Roaming\wklnhst.dat
[2008/11/13 14:10:42 | 000,024,576 | ---- | C] () -- C:\Users\Fry's Electronics\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2006/11/02 08:30:40 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2011/01/21 09:50:13 | 012,899,840 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2011/01/21 09:35:22 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/04/11 00:11:14 | 000,891,392 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/10 23:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2008/01/20 19:50:58 | 000,513,024 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2013/06/17 20:17:35 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\Allvoi Softphone
[2013/06/22 21:06:00 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\Azureus
[2013/07/16 14:06:55 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\Dropbox
[2011/05/18 14:11:33 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\DVDVideoSoftIEHelpers
[2010/02/09 13:17:40 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\Facebook
[2009/03/16 19:43:33 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\InterVideo
[2010/03/26 15:17:25 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\NCH Swift Sound
[2013/06/22 11:57:47 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\Nico Mak Computing
[2013/07/16 19:30:17 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\TeamViewer
[2008/11/29 16:07:12 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\Template
[2010/05/12 15:17:02 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\Tific
[2010/10/03 21:17:34 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\TomTom
[2013/06/26 13:12:06 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\TuneUpMedia
[2012/06/21 18:03:57 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\uTorrent
[2010/05/15 17:26:29 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\Vso
[2010/04/16 04:38:31 | 000,000,000 | ---D | M] -- C:\Users\Fry's Electronics\AppData\Roaming\webex

========== Purity Check ==========



< End of report >

[Monvishi]

Jasmyne,

Per your instructions have posted the logs above. I am planning to step out for a couple of hours, not sure if you would be around then.

What would you recommend next?

[Jasmyne]

Jasmyne,

Per your instructions have posted the logs above. I am planning to step out for a couple of hours, not sure if you would be around then.

What would you recommend next?

I will probably still be here. It will take me a little time to go over the logs, but any recommendations I have will have to be submitted to my instructor first. I'm not sure what time zone you are in, but it is after midnight in his time zone so he will not be online for a while to approve them.

[Monvishi]

I am in MST (Mountain Standard Time). It is 16:20hrs now and I will be back by 19:00hrs.

Will come back and take your steps further then. Hoping to get to the resolution at the earliest with you and your team.

Thank you.

[Monvishi]

Hi Jasmyne,

I am ready for next steps with u...

[Jasmyne]

Hi Jasmyne,

I am ready for next steps with u...

I have my next post made to my instructor, it is about 3:00 am in his time zone. I'm CST (2 hours ahead of you), so at this point it will be tomorrow morning before I have an approval and am able to post back to you. I appreciate your patience.

Thank you,

Jasmyne

[Monvishi]

No problem. I will shut my system at this time and we could connect tomorrow morning.

[Jasmyne]

Sounds like a plan. Have a good evening and I'll be back in the morning.

[Jasmyne]

Good Morning! First a few warnings about some of the things on your machine and then we'll move on to getting you running correctly again!

!! Registry Cleaner Warning !!

You have WinZip Registry Optimizer on your computer. This is actually a rogue (fake) program, but it is attempting to pass itself off as a legitimate registry cleaner.

A registry cleaner will not increase your system's speed or performance, and has the potential to break your registry to the point that your PC is no longer bootable. At Geeks to Go we strongly advise that people stay away from any of the registry cleaners out there. Go here to get more information about why registry cleaners aren't needed. Technet blog also discusses this issue as well as Ed Bott.
P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Azureus/Vuze
uTorrent

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

Cyber Education Letter
File sharing infects 500,000 computers
USAToday

I would recommend that you uninstall the above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you decide to keep the program in spite of the risks involved, do not use it until I have finished cleaning your computer and have given you the all clear.
[/list]
----------------------------
Now that's out of the way, lets kill this guy.

Step 1 - Run TDSSKiller

Please download the latest version of TDSSKiller from here and save it to your Desktop.

• Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
  
  
  
• Put a checkmark beside loaded modules.
  
  
  
• A reboot will be needed to apply the changes. Do it.
• TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
• Then click on Change parameters in TDSSKiller.
• Check all boxes then click OK.
  
  
  
• Click the Start Scan button.
  
  
  
• The scan should take no longer than 2 minutes.
• If a suspicious object is detected, the default action will be Skip, click on Continue.
  
  
  
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  
  
  
  Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
• A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 2 - Run AdwCleaner

• Download AdwCleaner from here or here and save it to your desktop.
• Run AdwCleaner and select Delete
  
  
  
• Once it has completed it will ask to reboot the computer, please allow it to so.
• After the computer reboots, a log will be produced. Please attach that log to your next post.

Step 3 - OTL Fix

Warning: This fix is relevant for this system and no other. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

1. Please copy all of the text in the code box below. To do this, highlight everything inside the code box, right click and click Copy.

:Commands
[createrestorepoint]

:OTL
[2013/06/21 21:27:04 | 000,019,840 | ---- | C] (WinZip Computing, S.L.(WinZip Computing)) -- C:\Windows\SysNative\roboot64.exe
[2013/06/21 21:26:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinZip Registry Optimizer
[2010/03/16 20:16:05 | 000,009,598 | -HS- | C] () -- C:\ProgramData\JbFeVbi1v

:Commands
[emptytemp]

2. Please re-open on your desktop.
3. Place the mouse pointer inside the textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).
10. Run OTL again and click the button. Post the log it produces in your next reply.

~~~~~~~~~~~~~~~~~~~~ Things Needed for Your Next Post ~~~~~~~~~~~~~~~~~~~~
1. TDSSKiller Log
2. adwCleaner Log
3. OTL Fix Log
4. New OTL Log
5. How is your computer running?

[Monvishi]

Morning,

A few things before we get started:
- We have been using Vuze for a very long time now ( abt 5+ years). Do you think the removal of this program can be avoided? We download and watch international movies and have found ths as our source. Is there any other safe source over P2P?

- will go ahead and get WinRegistry out of our way.

- I was performing all actions on safe mode with networking. Should I be continuing on the same mode or switch to normal to perorm the above steps listed by you?

Thanks!

[Jasmyne]

Morning,

A few things before we get started:
- We have been using Vuze for a very long time now ( abt 5+ years). Do you think the removal of this program can be avoided? We download and watch international movies and have found ths as our source. Is there any other safe source over P2P?

The removal of the program is strictly up to you, I do not remove those in the malware removal process unless asked to do so. The program itself isn't the problem, it's the sites that people use for file sharing that most people do with those. Many of those sites have extra goodies packaged with the downloads and many times people are downloading pirated software. It's a warning we give to make people more aware of the potential dangers of file sharing.

- I was performing all actions on safe mode with networking. Should I be continuing on the same mode or switch to normal to perorm the above steps listed by you?

If you can run TDSSKiller in normal mode, that's great, if not that's okay too. You can't always know for sure as every computer and infection are different, but TDSSKiller should be able to remove the rootkit and normal mode should be much more stable after the run.

Thanks!

You're welcome!

[Monvishi]

I am not able to locate WinZip Registry Optimizer in my list of programs. How can I delete this?