Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Ad choices Malware [Solved]

Started by Starman28 , Jan 22 2014 11:55 AM

  • This topic is locked This topic is locked

#1
Starman28
Posted 22 January 2014 - 11:55 AM

Starman28

    Member

  • Member
  • PipPip
  • 14 posts
I think I have Malware as in the post

http://www.geekstogo...d-web-page-ads/

Should I just copy the instructions there?
  • 0

Advertisements

#2
pystryker
Posted 23 January 2014 - 08:17 PM

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts
Hello and welcome to Geeks to Go! My nickname is Pystryker :) , and I will be helping you with your issue today.

Please note: I am currently in training and all my fixes must be approved by my teacher before being posted. This gives you the advantage of having two people working to solve your problems.

Before we get started, I have a few things I need to go over with you

  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.
  • Please subscribe to this topic. By subscribing, the board will notify you when a new reply is added to your topic. You can find instructions on how to do that by clicking here.
  • If any of your security programs give you a warning about any tool I ask you to use, please do not worry. All the links and tools I provide to you will be safe.
  • Please read through my instructions carefully and completely before executing them.
  • Please make sure that all the programs I ask you to download are downloaded to and run from your Desktop.
  • Please make sure you print out these instructions so that you will be able to refer to them while working on your machine. Part of the solution(s) to your problem may involve us working in Safe Mode and you will need them to go by.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • Please read through my instructions carefully and make sure you complete them from start to finish. I will make sure that I lay the instructions out in a step by step order to make them easy to follow
  • This is a complicated process. It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. I promise to do the same for you.
  • Please make sure you reply within 3 days to my responses, if there is no reply within 3 days, the topic will be closed and you will need to request the topic be reopened.
  • Before we get started, please remember we will do our best to get your machine repaired. However, there are some cases where the only solution is a reformat and reinstall of the operating system. This is a worst case scenario though.
  • It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Therefore, I highly recommend you backup any critical personal files on your machine before we start.
  • If possible, please have your original Windows installation disks handy, just in case.
  • If you have any questions at all, please don't hesitate to ask. There's no such thing as a stupid question when dealing with malware.
  • If you are unsure of an instruction I give you, or if something unexepected occurs, Do NOT proceed! Stop and ask for clarification of the instruction or tell me what occurred.
  • Please copy and paste the contents of any requested logs in your replies. Do not attach the log files in your replies unless requested to do so.
  • Please remember, the fixes are for your machine and your machine ONLY!



Once we have cleaned your machine, we'll have some cleanup and prevention steps to go through. We will also provide you with some information about how to reduce your chances of infection and get some protections in place to help defend you against this in the future

Please be patient while I am analyzing your logs. I know you are probably scared and very frustrated with this problem, but I am a volunteer and sometimes life does get in the way. :)

Now, let's get started, shall we? :thumbsup:


Should I just copy the instructions there?


No, definitely not. You may have symptoms that are very similar to what's going on there, but using a fix designed specifically for another user's machine can render your machine unbootable. We do use similar tools sometimes, but we'll need to tailor fixes specifically for your machine.


Now, let's get a look at what's going on with your machine. :thumbsup:



Step 1: OTL Scan


Download OTL

Download OTL to your desktop by clicking here. If for some reason, that link is not working, please click here for a secondary site.

  • Close any open windows and then double click (Vista, Windows 7, 8, right click and then click Run as Administrator) the icon to start OTL.
  • Please make sure the following boxes are checked.
  • Scan All Users
  • Use Company-Name WhiteList
  • Skip Microsoft Files
  • Use No-Company-Name Whitelist
  • LOP Check
  • Purity Check
  • Please check Use Safelist is checked under Extra Registry.
  • Copy the contents of the quote box below Do not copy the word quote! and paste them into the Custom Scans/Fixes box at the bottom of OTL's control panel.

    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    dir "%systemdrive%\*" /S /A:L /C

  • Click the Run Scan button.

Posted Image

  • Please do not interrupt the scanning process. It may take a while to complete the scan, so please be patient. :)
  • When the scan is finished, it will generate 2 logs, OTL.txt and Extras.txt, each in a Notepad window. Both of these logs are saved in the same location as OTL. In this case, on your desktop.
  • Please post each log in your next reply.



Step 2: aswMBR Scan


  • Please download aswMBR.exe to your desktop.
  • Double click the file to run it.
  • It will ask if you want to download the latest Avast! virus definitions, please answer yes.

Posted Image

  • Click the Scan button to begin the scan.

Posted Image

  • Once the scan has finished, click on Save Log, save it to your desktop as asw.txt, and please post it in your next reply.
  • Click Exit


Things I need to see in your next post:

OTL.txt log

Extras.txt log

aswMBR Log
  • 0

#3
Starman28
Posted 24 January 2014 - 02:25 AM

Starman28

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
This is great, thank you for helping :thumbsup:

Here are my logs.....

OTL logfile created on: 1/24/2014 7:54:14 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Sean\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.16476)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.75 Gb Total Physical Memory | 2.04 Gb Available Physical Memory | 74.29% Memory free
6.86 Gb Paging File | 5.67 Gb Available in Paging File | 82.71% Paging File free
Paging file location(s): c:\pagefile.sys 4215 4215 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 297.99 Gb Total Space | 94.55 Gb Free Space | 31.73% Space Free | Partition Type: NTFS

Computer Name: SEAN-PC | User Name: Sean | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014/01/24 07:53:35 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Users\Sean\Downloads\aswmbr.exe
PRC - [2014/01/24 07:52:51 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Sean\Downloads\OTL.exe
PRC - [2014/01/15 22:32:53 | 006,118,400 | ---- | M] (Spotify Ltd) -- C:\Users\Sean\AppData\Roaming\Spotify\spotify.exe
PRC - [2014/01/15 22:32:51 | 001,171,968 | ---- | M] (Spotify Ltd) -- C:\Users\Sean\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
PRC - [2014/01/15 22:32:49 | 000,603,648 | ---- | M] () -- C:\Users\Sean\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
PRC - [2013/12/21 06:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2013/10/27 21:58:08 | 003,567,800 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\avastui.exe
PRC - [2013/10/27 09:51:45 | 001,141,328 | ---- | M] (BitTorrent Inc.) -- C:\Users\Sean\AppData\Roaming\uTorrent\uTorrent.exe
PRC - [2013/10/22 21:22:51 | 000,050,344 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2013/09/16 06:39:12 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2013/06/25 20:48:08 | 000,228,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
PRC - [2013/06/13 13:46:40 | 000,815,992 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
PRC - [2013/04/22 09:05:32 | 000,720,064 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
PRC - [2011/02/25 05:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/08/18 01:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/08/18 01:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2008/11/05 06:00:00 | 000,199,680 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\spool\drivers\w32x86\3\E_FATIFDE.EXE
PRC - [2007/12/17 04:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
PRC - [2007/01/11 04:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE


========== Modules (No Company Name) ==========

MOD - [2014/01/23 18:33:49 | 002,166,272 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\14012301\algo.dll
MOD - [2014/01/15 22:32:52 | 036,967,424 | ---- | M] () -- C:\Users\Sean\AppData\Roaming\Spotify\Data\libcef.dll
MOD - [2014/01/15 22:32:50 | 000,887,808 | ---- | M] () -- C:\Users\Sean\AppData\Roaming\Spotify\Data\libGLESv2.dll
MOD - [2014/01/15 22:32:50 | 000,109,568 | ---- | M] () -- C:\Users\Sean\AppData\Roaming\Spotify\Data\libEGL.dll
MOD - [2014/01/15 22:32:49 | 000,603,648 | ---- | M] () -- C:\Users\Sean\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
MOD - [2013/10/22 21:23:05 | 019,336,120 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\libcef.dll
MOD - [2013/09/13 18:51:44 | 000,087,952 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2013/09/13 18:51:20 | 001,242,952 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2013/09/05 00:14:10 | 004,300,456 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/10/20 14:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll


========== Services (SafeList) ==========

SRV - [2013/12/21 06:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013/12/12 18:40:14 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/11/26 08:29:52 | 000,108,032 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV - [2013/10/22 21:22:51 | 000,050,344 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2013/09/24 05:40:24 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2013/05/27 04:57:27 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2013/03/08 23:10:32 | 030,798,512 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2009/08/18 01:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/07/14 01:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2007/12/17 04:00:00 | 000,143,872 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE -- (EPSON_EB_RPCV4_01)
SRV - [2007/01/11 04:02:00 | 000,113,664 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE -- (EPSON_PM_RPCV4_01)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Sean\AppData\Local\Temp\aswMBR.sys -- (aswMBR)
DRV - [2014/01/08 16:28:00 | 000,403,440 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswsp.sys -- (aswSP)
DRV - [2013/10/22 21:23:07 | 000,774,392 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2013/10/22 21:23:07 | 000,178,304 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswVmm.sys -- (aswVmm)
DRV - [2013/10/22 21:23:07 | 000,079,720 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr)
DRV - [2013/10/22 21:23:07 | 000,070,384 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2013/10/22 21:23:07 | 000,057,672 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2013/10/22 21:23:07 | 000,049,944 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\drivers\aswRvrt.sys -- (aswRvrt)
DRV - [2013/10/22 21:23:07 | 000,035,656 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2013/07/25 15:53:46 | 000,018,944 | ---- | M] (Apple Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\netaapl.sys -- (Netaapl)
DRV - [2011/04/19 01:50:40 | 000,069,232 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C62x86.sys -- (L1C)
DRV - [2010/11/20 21:29:24 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 21:29:03 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/11/20 21:29:03 | 000,027,264 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV - [2009/09/21 16:58:28 | 001,218,048 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/08/18 02:48:06 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2007/11/09 04:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TVALZ_O.SYS -- (TVALZ)
DRV - [2006/11/19 22:11:14 | 000,007,168 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\FwLnk.sys -- (FwLnk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 3D AF 81 B1 43 AF CE 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...rchTerms}&r=249
IE - HKCU\..\SearchScopes\{D9D20441-61A8-401F-AB83-2903F43CF115}: "URL" = http://uk.search.yah...p={searchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf: C:\Program Files\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)


[2013/12/08 19:49:30 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\32.0.1700.76\PepperFlash\pepflashplayer.dll
CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\32.0.1700.76\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\32.0.1700.76\pdf.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll
CHR - Extension: Google Docs = C:\Users\Sean\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Users\Sean\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Users\Sean\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Search = C:\Users\Sean\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: V-bates = C:\Users\Sean\AppData\Local\Google\Chrome\User Data\Default\Extensions\ljmibnagodajacnnbifpamhggcohblip\2.0.0.436_0\
CHR - Extension: Webproxy.net - Unblock any website = C:\Users\Sean\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpmikmnnnoacchojfpdgfdgpkfgajhim\1.0.18_0\
CHR - Extension: Google Wallet = C:\Users\Sean\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.0_1\
CHR - Extension: Gmail = C:\Users\Sean\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2009/06/10 21:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKCU..\Run: [] C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe Run File not found
O4 - HKCU..\Run: [EPSON SX210 Series] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_FATIFDE.EXE (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [OfficeSyncProcess] C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE (Microsoft Corporation)
O4 - HKCU..\Run: [Spotify] C:\Users\Sean\AppData\Roaming\Spotify\spotify.exe (Spotify Ltd)
O4 - HKCU..\Run: [Spotify Web Helper] C:\Users\Sean\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe (Spotify Ltd)
O4 - HKCU..\Run: [uTorrent] C:\Users\Sean\AppData\Roaming\uTorrent\uTorrent.exe (BitTorrent Inc.)
O4 - HKLM..\RunOnce: [20131224] C:\Program Files\AVAST Software\Avast\setup\emupdate\7e33b5ff-742d-4cf0-b95e-d0b6ed66965d.exe (AVAST Software)
O4 - Startup: C:\Users\Sean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A302138C-B097-407B-B2E1-FC2DA17BD0AA}: DhcpNameServer = 194.168.4.100 194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F10FA673-6D4E-43E1-BD4A-086D2091C4D8}: DhcpNameServer = 172.31.139.17 172.30.139.17
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 21:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{4cb6ce7b-446c-11e3-a1d3-00266c726c11}\Shell - "" = AutoRun
O33 - MountPoints2\{4cb6ce7b-446c-11e3-a1d3-00266c726c11}\Shell\AutoRun\command - "" = F:\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A02 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2014/01/15 16:50:56 | 002,349,056 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2014/01/15 16:50:53 | 000,240,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\netio.sys
[2014/01/15 16:50:50 | 000,284,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\usbport.sys
[2014/01/15 16:50:49 | 000,006,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\usbd.sys
[2014/01/03 22:00:54 | 000,008,192 | ---- | C] (SEIKO EPSON CORP.) -- C:\Windows\System32\E_DCINST.DLL
[2014/01/03 22:00:53 | 000,078,848 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\E_FD4BFDE.DLL
[2014/01/03 17:31:29 | 000,000,000 | ---D | C] -- C:\Users\Sean\Documents\Laptop Printouts
[2014/01/03 17:19:27 | 000,342,016 | ---- | C] (Seiko Epson Corporation) -- C:\Windows\System32\eswiaud.dll
[2014/01/03 17:19:27 | 000,128,392 | ---- | C] (Seiko Epson Corporation) -- C:\Windows\System32\esdevapp.exe
[2014/01/03 17:19:27 | 000,015,872 | ---- | C] (SEIKO EPSON CORP.) -- C:\Windows\System32\escdev.dll
[2014/01/03 17:19:26 | 000,000,000 | ---D | C] -- C:\Program Files\epson
[2014/01/03 17:18:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EPSON
[2014/01/03 17:17:11 | 000,086,528 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\E_FLBFDE.DLL
[2014/01/03 17:16:53 | 000,000,000 | ---D | C] -- C:\ProgramData\EPSON
[2014/01/03 16:58:55 | 000,000,000 | ---D | C] -- C:\Users\Sean\AppData\Local\ElevatedDiagnostics
[2013/12/28 09:45:41 | 002,724,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/12/28 09:45:40 | 000,208,896 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ie4uinit.exe
[2013/12/28 09:45:38 | 000,043,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/12/28 09:45:37 | 000,440,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/12/28 09:45:37 | 000,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieetwcollectorres.dll
[2013/12/28 09:45:36 | 000,703,488 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2013/12/28 09:45:36 | 000,061,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iesetup.dll
[2013/12/28 09:45:35 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iernonce.dll
[2013/12/28 09:45:33 | 000,553,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9diag.dll
[2013/12/28 09:45:32 | 000,112,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/12/28 09:45:30 | 000,108,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieetwcollector.exe
[2013/12/28 09:45:30 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieetwproxystub.dll
[2013/12/28 09:45:25 | 001,928,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/12/28 09:45:17 | 004,243,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll

========== Files - Modified Within 30 Days ==========

[2014/01/24 07:50:00 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/01/24 07:48:48 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/01/24 07:48:35 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/01/23 22:09:54 | 000,021,872 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014/01/23 22:09:54 | 000,021,872 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014/01/23 22:04:56 | 000,000,878 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/01/21 22:35:39 | 2210,578,432 | -HS- | M] () -- C:\hiberfil.sys
[2014/01/17 16:55:34 | 000,002,129 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2014/01/16 19:35:02 | 003,846,840 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2014/01/15 22:14:43 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2014/01/08 21:23:17 | 000,664,780 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/01/08 21:23:17 | 000,125,484 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/01/08 16:31:12 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_Kernel_netaapl_01009.Wdf
[2014/01/08 16:28:02 | 000,002,047 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2014/01/08 16:28:00 | 000,403,440 | ---- | M] (AVAST Software) -- C:\Windows\System32\drivers\aswsp.sys
[2014/01/03 17:19:27 | 000,000,926 | ---- | M] () -- C:\Users\Public\Desktop\EPSON Scan.lnk
[2014/01/03 16:43:50 | 000,001,258 | ---- | M] () -- C:\Users\Sean\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk

========== Files Created - No Company Name ==========

[2014/01/15 22:14:43 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
[2014/01/15 22:14:43 | 000,001,989 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader XI.lnk
[2014/01/08 16:31:12 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_Kernel_netaapl_01009.Wdf
[2014/01/03 17:19:27 | 000,000,926 | ---- | C] () -- C:\Users\Public\Desktop\EPSON Scan.lnk
[2013/10/30 12:06:54 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
[2013/10/30 12:06:54 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
[2013/10/30 12:06:54 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
[2013/10/30 12:06:54 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll
[2013/09/11 23:56:38 | 000,178,304 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013/09/11 23:56:37 | 000,049,944 | ---- | C] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013/09/11 23:25:18 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin

========== ZeroAccess Check ==========

[2009/07/14 04:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013/07/26 01:55:59 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 21:29:20 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 01:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >


OTL Extras logfile created on: 1/24/2014 7:54:14 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Sean\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.16476)
Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.75 Gb Total Physical Memory | 2.04 Gb Available Physical Memory | 74.29% Memory free
6.86 Gb Paging File | 5.67 Gb Available in Paging File | 82.71% Paging File free
Paging file location(s): c:\pagefile.sys 4215 4215 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 297.99 Gb Total Space | 94.55 Gb Free Space | 31.73% Space Free | Partition Type: NTFS

Computer Name: SEAN-PC | User Name: Sean | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [print] -- "%systemroot%\system32\rundll32.exe" "%systemroot%\system32\mshtml.dll",PrintHTML "%1"
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" (VideoLAN)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" (VideoLAN)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0752C31D-B20C-4943-BA8A-B1993A310035}" = lport=2869 | protocol=6 | dir=in | app=system |
"{27A2AC5D-722D-4C6A-96F4-0F921DD3E8F4}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{2B569582-D3F1-4913-9023-F3D2019A8AC1}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{30B98816-6012-436D-863C-A4CB9C6516EE}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework\v4.0.30319\smsvchost.exe |
"{37ECA0FC-67FD-48A3-A90E-EF01E54A686E}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{40CD6F0F-FE4E-446B-854D-52D414FD756C}" = rport=139 | protocol=6 | dir=out | app=system |
"{517BCED0-8C57-4934-9738-E44EA2FEF4D7}" = lport=10243 | protocol=6 | dir=in | app=system |
"{619CD3F7-2492-405C-88E9-1B13B9FB41D4}" = rport=445 | protocol=6 | dir=out | app=system |
"{7381D38C-14C0-42A2-A292-5D10B620CA6A}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | [email protected],-28539 |
"{760EDF26-B1B9-41CB-AB95-A77D0422F9E0}" = rport=10243 | protocol=6 | dir=out | app=system |
"{86AD4D1E-416F-4A23-BBDC-20C01F82E94E}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{9B75C6B9-A739-4328-A7F6-DBED6ECDAE83}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{A00DCB91-A708-4113-9101-B15F4D601797}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{BF485181-90E0-43C3-B842-DED9888F73BF}" = rport=138 | protocol=17 | dir=out | app=system |
"{C816412E-435F-49B4-BD56-43D3E2A1FCB1}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{CD6DB2CB-FEEC-4690-B002-621681BE23D4}" = rport=137 | protocol=17 | dir=out | app=system |
"{D446B40E-2C37-4B9F-ACD6-02AB56545F8F}" = lport=138 | protocol=17 | dir=in | app=system |
"{DC7ADE22-B19B-4E1E-A697-4EA05D956CD6}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{DF02180D-6DC2-4AA0-919F-01B414355964}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{DFA3EA5E-6230-459B-A8AB-1AB61AD5D144}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{EE8BB1EC-3BAB-420B-8819-8BBAB733E3CD}" = lport=137 | protocol=17 | dir=in | app=system |
"{EEF39301-9980-4FB9-AEA9-0FE15ABF7008}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe |
"{EF33E5AF-CBAF-4DBA-9164-CE5675E77A50}" = lport=139 | protocol=6 | dir=in | app=system |
"{F9EABDA1-95A3-4E58-9763-631AD2898C75}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{FD882A47-8684-4FC9-8D29-B03A2DD66227}" = lport=445 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{00654E3B-93C3-44E8-91EE-6BC3FE75CD34}" = protocol=58 | dir=in | [email protected],-28545 |
"{065C368D-902C-4C1E-BE65-D2AFC32D244E}" = protocol=17 | dir=in | app=c:\windows\system32\muzapp.exe |
"{1626563F-C6FE-45A2-B2AE-405524EA8FF9}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{16FE5EEB-3E60-4C5D-8D89-04E2A52F7BB5}" = protocol=17 | dir=in | app=c:\users\sean\appdata\roaming\utorrent\utorrent.exe |
"{26D58AC4-DE6C-4107-80C4-834224C320AF}" = protocol=1 | dir=in | [email protected],-28543 |
"{2F5244E7-8595-461F-8AC1-DB912874A896}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{31FF1979-AFB6-42DA-8E37-80B634034809}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{3C5DC261-4C92-4E1F-8C33-ABA937C6E922}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{3C8D915B-A75B-40AA-9DDB-784AABC56865}" = protocol=1 | dir=out | [email protected],-28544 |
"{429AECAC-9D0F-4E74-9A5B-871BB783BC6A}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{6C767140-F101-434F-812C-F1287200B087}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{709AA5BA-EE60-49F7-9B19-6FBAF536DCB6}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{75546F0A-E9C0-4519-AFB2-F5CFAC1BF050}" = dir=in | app=c:\program files\itunes\itunes.exe |
"{7E563326-605D-47E6-ABCC-6AD25BC888BC}" = protocol=6 | dir=out | app=system |
"{8AD9883E-C068-4568-89E7-AD1ECAE7B6D2}" = protocol=6 | dir=in | app=c:\users\sean\appdata\roaming\utorrent\utorrent.exe |
"{947C7A31-EF6B-4A0E-A271-57A6B7F07F20}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{94FB2C8C-590D-4361-A4B6-2E4F0FA36D64}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{952DECB3-9962-4F78-962F-3EFE1C21F245}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{96AA9AF7-5CA7-49FB-8A07-C0FE135540C2}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{9A009127-AD4D-42F7-BD2D-5A5ABF94B8B9}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{A491C11F-2B0B-40DB-B769-52552A151253}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{AD782CED-9C3E-4DC3-8ACB-E29B58065F9D}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C781DD09-F94C-45F0-9C2B-5367CEAEA087}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{C90E5673-2B86-44B0-9A0A-F9E482A67550}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{DC340CDA-5372-4543-A21F-AD2967F0429B}" = protocol=58 | dir=out | [email protected],-28546 |
"{E38B8E74-DA31-4345-B1C4-D02AC17950E2}" = protocol=6 | dir=in | app=c:\windows\system32\muzapp.exe |
"{EA5AA299-A07C-4E82-86DD-3662196685DB}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{FF7664EA-7642-4678-BEE8-730637F66F01}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"TCP Query User{54D6B5BD-16E5-4833-BC05-8CDB896D894E}C:\users\sean\appdata\roaming\spotify\spotify.exe" = protocol=6 | dir=in | app=c:\users\sean\appdata\roaming\spotify\spotify.exe |
"TCP Query User{A9CA6A05-06B4-465E-8E84-41325275E126}C:\users\sean\desktop\ppöúêö\ihelper.exe" = protocol=6 | dir=in | app=c:\users\sean\desktop\ppöúêö\ihelper.exe |
"TCP Query User{F8A82C27-BE8C-46DB-BF7C-5E67A1EAF91C}C:\program files\microsoft office\office14\groove.exe" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"TCP Query User{FFE8B54B-2BB5-4C1F-BD75-E78D3CB23FF4}C:\program files\java\jre7\bin\javaw.exe" = protocol=6 | dir=in | app=c:\program files\java\jre7\bin\javaw.exe |
"UDP Query User{289AB7CE-7DC0-4826-A940-8D51FBA26B67}C:\users\sean\appdata\roaming\spotify\spotify.exe" = protocol=17 | dir=in | app=c:\users\sean\appdata\roaming\spotify\spotify.exe |
"UDP Query User{94579328-FDEA-4FDA-9DF8-B2FC2E20FCA6}C:\users\sean\desktop\ppöúêö\ihelper.exe" = protocol=17 | dir=in | app=c:\users\sean\desktop\ppöúêö\ihelper.exe |
"UDP Query User{A4D91D75-5AE2-416A-B23F-994D0C168BBD}C:\program files\java\jre7\bin\javaw.exe" = protocol=17 | dir=in | app=c:\program files\java\jre7\bin\javaw.exe |
"UDP Query User{D0729951-4752-4FB4-BBC6-F3AD97DDFB08}C:\program files\microsoft office\office14\groove.exe" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0592EF96-69D8-4E4B-9CC9-88F58EA86F01}" = Apple Mobile Device Support
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{1FBAE18D-4DE4-47AA-83EC-D1B046F262DC}" = PDF Settings CC
"{26A24AE4-039D-4CA4-87B4-2F83217045FF}" = Java 7 Update 45
"{2D99B50E-431D-4AA8-85C1-172A6F8BCF09}" = Adobe Photoshop CC
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{401879D1-AC26-43CD-BDDE-E0D5D5608083}" = TOSHIBA Supervisor Password
"{46F044A5-CE8B-4196-984E-5BD6525E361D}" = Apple Application Support
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7AF6603B-28B4-41FE-B862-D7D711645C80}" = calibre
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.06)
"{DF9C119C-7F26-45B9-93D4-7C372CBBBA11}" = iTunes
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"avast" = avast! Free Antivirus
"EPSON Scanner" = EPSON Scan
"EPSON SX210 Series" = EPSON SX210 Series Printer Uninstall
"Google Chrome" = Google Chrome
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"VLC media player" = VLC media player 2.1.0
"WinRAR archiver" = WinRAR 5.00 (32-bit)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Spotify" = Spotify
"uTorrent" = µTorrent

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 1/23/2014 7:27:21 PM | Computer Name = Sean-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 2091

Error - 1/23/2014 7:27:22 PM | Computer Name = Sean-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 1/23/2014 7:27:22 PM | Computer Name = Sean-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 3214

Error - 1/23/2014 7:27:22 PM | Computer Name = Sean-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 3214

Error - 1/23/2014 7:27:23 PM | Computer Name = Sean-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 1/23/2014 7:27:23 PM | Computer Name = Sean-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 4291

Error - 1/23/2014 7:27:23 PM | Computer Name = Sean-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 4291

Error - 1/23/2014 7:27:24 PM | Computer Name = Sean-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 1/23/2014 7:27:24 PM | Computer Name = Sean-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 5289

Error - 1/23/2014 7:27:24 PM | Computer Name = Sean-PC | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 5289

[ System Events ]
Error - 1/22/2014 6:05:51 PM | Computer Name = Sean-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 1/22/2014 6:08:28 PM | Computer Name = Sean-PC | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.0.2
with the system having network hardware address C0-3E-0F-0E-3F-EE. Network operations
on this system may be disrupted as a result.

Error - 1/23/2014 1:51:32 AM | Computer Name = Sean-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 1/23/2014 4:05:42 AM | Computer Name = Sean-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 1/23/2014 4:06:16 AM | Computer Name = Sean-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 1/23/2014 7:34:29 AM | Computer Name = Sean-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 1/23/2014 11:49:50 AM | Computer Name = Sean-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 1/23/2014 6:04:30 PM | Computer Name = Sean-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 1/23/2014 7:09:13 PM | Computer Name = Sean-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 1/24/2014 3:48:34 AM | Computer Name = Sean-PC | Source = atikmdag | ID = 43029
Description = Display is not active


< End of report >

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-01-24 07:53:44
-----------------------------
07:53:44.882 OS Version: Windows 6.1.7601 Service Pack 1
07:53:44.882 Number of processors: 1 586 0x603
07:53:44.884 ComputerName: SEAN-PC UserName: Sean
07:53:47.051 Initialize success
07:53:50.774 AVAST engine defs: 14012301
08:03:17.897 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
08:03:17.903 Disk 0 Vendor: TOSHIBA_MK3265GSXV GH011M Size: 305245MB BusType: 11
08:03:18.142 Disk 0 MBR read successfully
08:03:18.150 Disk 0 MBR scan
08:03:18.160 Disk 0 Windows 7 default MBR code
08:03:18.172 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305143 MB offset 206848
08:03:18.255 Disk 0 scanning sectors +625139712
08:03:18.464 Disk 0 scanning C:\Windows\system32\drivers
08:03:28.408 Service scanning
08:04:34.065 Modules scanning
08:04:56.718 Disk 0 trace - called modules:
08:04:56.746 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
08:04:56.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84df47d0]
08:04:57.110 3 CLASSPNP.SYS[8a9a159e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85af1030]
08:04:57.867 AVAST engine scan C:\Windows
08:04:59.900 AVAST engine scan C:\Windows\system32
08:07:22.616 AVAST engine scan C:\Windows\system32\drivers
08:07:36.972 AVAST engine scan C:\Users\Sean
08:10:34.796 File: C:\Users\Sean\AppData\Local\Temp\instloffer.exe **INFECTED** Win32:Dropper-gen [Drp]
08:14:32.148 AVAST engine scan C:\ProgramData
08:15:29.251 Scan finished successfully
08:16:02.796 Disk 0 MBR has been saved successfully to "C:\Users\Sean\Desktop\MBR.dat"
08:16:02.803 The log file has been saved successfully to "C:\Users\Sean\Desktop\aswMBR.txt"


Hope this is ok :confused:
  • 0

#4
pystryker
Posted 24 January 2014 - 06:48 AM

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts

This is great, thank you for helping :thumbsup:


My pleasure. :)

Hope this is ok :confused:


Thank you for the logs, I'll start working up a fix for approval. :thumbsup:
  • 0

#5
pystryker
Posted 25 January 2014 - 09:35 AM

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts
Hello :)

We have some work to do, so let's get started. :thumbsup:


The Dangers of P2P Programs

I noticed that you have a P2P file sharing program on your computer . I cannot stress highly enough the danger in using these types of programs. P2P programs are one of the major avenues of infection these days. The files downloaded with these programs are more likely than not infected with trojans, malware, rootkits, etc.

You run the risk of getting an infection that can compromise your sensitive data, such as financial records, personal information, etc. That is just the infection aspect of using P2P programs. You also run the risk of possible arrest, fines, or in severe cases, jail time for illegal downloading of copyrighted material.

Here are some information sources about the dangers of P2P programs:

FBI - Peer to Peer Scams

USA Today Artticle on P2P Programs

File Sharing Infects 500,000 Computers

I very much recommend you uninstall this program from your machine. If not, I can guarantee you will be back needing help with your machine again. The risks of infections from content downloaded with P2P programs far outweigh any benefit of using them.

It is, of course, your choice as to whether or not you remove the program from your machine. It is my duty though, to point out how dangerous it is to use these programs. However, I must request that you do not use it while we are cleaning your machine.


Please disable your antivirus for the duration of my instructions. Don't forget to re-enable them after you have completed the steps.


Step 1: OTL Fix


Let's run an OTL fix:

Warning: This fix is to be used on this system and this system ONLY. Using this fix on any other machine other than yours can seriously damage it.

Be advised that when the fix commences, it will shut down all running processes and you may lose the desktop and icons, they will return on reboot.

Run OTL by double clicking it (Windows Vista, Windows 7, and 8, right click and select "Run as Administrator)

  • Copy the text in the quote box below (do not copy the word "quote") and paste in the in the box marked Custom Scans/Fixes as shown in the graphic below.

Posted Image

:Commands
[createrestorepoint]

:OTL
O4 - HKCU..\Run: [] C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe Run File not found
O13 - gopher Prefix: missing
O33 - MountPoints2\{4cb6ce7b-446c-11e3-a1d3-00266c726c11}\Shell - "" = AutoRun
O33 - MountPoints2\{4cb6ce7b-446c-11e3-a1d3-00266c726c11}\Shell\AutoRun\command - "" = F:\AutoRun.exe {D2D77DC2-8299-11D1-8949-444553540000} 5.2088.1.A02 PID_0083 {01D42BF0-ED08-463f-8A28-99EB6FEE962B}
[2013/10/30 12:06:54 | 000,974,848 | ---- | C] () -- C:\Windows\System32\cis-2.4.dll
[2013/10/30 12:06:54 | 000,081,920 | ---- | C] () -- C:\Windows\System32\issacapi_bs-2.3.dll
[2013/10/30 12:06:54 | 000,065,536 | ---- | C] () -- C:\Windows\System32\issacapi_pe-2.3.dll
[2013/10/30 12:06:54 | 000,057,344 | ---- | C] () -- C:\Windows\System32\issacapi_se-2.3.dll

:Files
c:\users\sean\desktop\ppöúêö
netsh advfirewall reset /c
netsh advfirewall set allprofiles state on /c

:Commands
[emptytemp]
[resethosts]



  • Click the Run Fix button at the top of the OTL control panel.
  • Let the program run until it's finished and then reboot the computer.
  • Once your machine has rebooted, a log will open. Please post that log in your next reply.

If you have any problems, questions, or need further explanation, please post a message in this thread and I will get back to you asap.



Step 2: AdwCleaner


Download ADWcleaner by clicking here. Please save it to your Desktop


Posted Image

  • Double click (Vista and 7 Users)right click the adwcleaner.exe file and click Run as Adminstrator and accept the UAC prompt to run AdwCleaner
  • Close any open windows or browsers.
  • Pause your Anti-Virus program if it is running.
  • Once it starts, click on the Scan button.
  • Let the scan complete itself. This may take a few minutes.
  • Once the scan has finished, "Pending, uncheck elements you don't want to remove."
    click the Clean button. When finished, it will ask to reboot. Please reboot.
  • When the machine has rebooted, a log will be produced. Please copy/paste that in your next reply. Here's how:
  • Click the Report button and the log will open. Copy and Paste the contents of the log file into your next reply.
This report is also saved at C:\AdwCleaner[R0].txt

Step 3: Junkware Removal Tool


Posted Image Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Step 4: OTL Quick Scan


  • Start OTL and this time click the Quick Scan button
  • OTL will scan your system and produce one log when finished.
  • Please post that log in your next reply.


Things I need to see in your next post:


OTL Fix Log

AdwCleaner Log

Junkware Removal Tool Log

OTL Quick Scan Log

How is the machine running now?
  • 0

#6
Starman28
Posted 26 January 2014 - 02:32 AM

Starman28

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Have major problem.
Laptop won't turn on.
When I press the power button I get ......
A blink of the caps lock light (normal), the disc drive runs for a moment (normal), and the laptop "on" lights up and STAYS ON (normal) but it won't boot.
I tried, removing the battery and holding down the power button for a minute fix, but it's just the same.
Is this the end?
  • 0

#7
pystryker
Posted 26 January 2014 - 07:34 AM

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts

Have major problem.
Laptop won't turn on.
When I press the power button I get ......
A blink of the caps lock light (normal), the disc drive runs for a moment (normal), and the laptop "on" lights up and STAYS ON (normal) but it won't boot.
I tried, removing the battery and holding down the power button for a minute fix, but it's just the same.
Is this the end?


Ok, let's try this: If you have another machine you can perform these steps on, we'll try a USB recovery console boot. If this doesn't work, we'll send you to the Hardware Support forum, and they might be able to help you get the machine booting. Then you can come back here and we'll get rid of the malware. :thumbsup:


Please follow the steps below if you have access to another machine:


Download the following three programmes to your desktop :


1. Rufus

For 64bit systems
2. Windows 8 64bit RC
2. Windows Vista 64bit RC
2. Windows 7 64bit RC
3. Farbar Recovery Scan Tool x64

For 32bit systems
2. Windows Vista RC
2. Windows 7 RC
3. Farbar Recovery Scan Tool


Insert the USB stick Then run Rufus
Posted Image
Select the ISO file on the desktop via the ISO icon.

Press Start Burn
Posted Image
Then copy FRST to the same USB

Posted Image



Insert the USB into the sick computer and start the computer. First ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here


When you reboot you will see this although yours will say windows 7.
Click repair my computer
Posted Image

Select your operating system
Posted Image

Select Command prompt
Posted Image

At the command prompt type the following :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Posted Image
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Windows 8 screen shots

When you reboot you will see this.

Select the language on this screen and keyboard on the next

Posted Image

Select the Trouble shoot option

Posted Image

Select Advanced option

Posted Image

Select Command prompt

Posted Image

At the command prompt type the following :

Posted Image
  • 0

#8
Starman28
Posted 27 January 2014 - 12:17 PM

Starman28

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
I don't have another pc to do the above.

Took the laptop to a local shop who tested it and said it was a graphics chip problem.

They went on to replace the chip, without my consent, and wanted to charge me $150.00!

I told them that was too much, they were only meant to be having a look.

They are going to "put it back, to how it was".

I'll get it back tomorrow .

Thank you for your patience understanding and help.

Edited by Starman28, 27 January 2014 - 12:22 PM.

  • 0

#9
pystryker
Posted 27 January 2014 - 04:56 PM

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts

I don't have another pc to do the above.

Took the laptop to a local shop who tested it and said it was a graphics chip problem.

They went on to replace the chip, without my consent, and wanted to charge me $150.00!

I told them that was too much, they were only meant to be having a look.

They are going to "put it back, to how it was".

I'll get it back tomorrow .


Ah, I see then. Well, we can close the thread, and when you get the graphics chip replaced, come on back. You can private message a moderator to reopen the thread, and we'll get rid of the malware for you. :thumbsup:


Thank you for your patience understanding and help.


You're very welcome :) It's my pleasure. :thumbsup:
  • 0

#10
Essexboy
Posted 28 January 2014 - 08:00 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP