
Help requested with ridding a PC of Tuvaro... [Solved]


This topic is locked

#1 frobey (Member, 67 posts)

My neighbor had a "friend" of his helping with his computer, and this "friend" installed Tuvaro on the computer; apparently he thought it would allow him to download MP3 files faster or something. It has caused my friend numerous issues with redirecting his browsers (he uses Firefox and IE), popups, slowdowns on the computer and other things.

He asked me if I could help him get rid of these, so I ran a couple of programs that I know about: Malwarebytes (found a couple hundred issues, which were removed), hijack (found a few issues, which were removed), Lavasoft Adware (didn't find anything), and the Microsoft Malicious Software Removal Tool (didn't find anything).

I also removed the program from the Control Panel, changed the default homepage in both browsers to Bing (from Tuvaro), and changed the default search engine to Bing (from www-search.net).

It now seems "better", no more popups, but my homepage keeps reverting to www-search.net and it adds www-search.net back as the default search engine, so I'm concerned that it's still out there somewhere...

The PC is an eMachines PC running Vista Home Basic SP2 with 2 GB of RAM. He has both MSFT Security Essentials and McAfee installed (will have to fix that later).

Any help would be most appreciated!!!! I was going to try to follow a couple of other Tuvaro postings that were on here, but I am always concerned about experimenting on other people's PCs...

Here is my OTL log:

OTL logfile created on: 3/25/2014 4:53:17 PM - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = G:\
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.75 Gb Total Physical Memory | 0.96 Gb Available Physical Memory | 54.92% Memory free
3.74 Gb Paging File | 2.73 Gb Available in Paging File | 72.91% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.05 Gb Total Space | 77.46 Gb Free Space | 56.94% Space Free | Partition Type: NTFS
Drive G: | 29.81 Gb Total Space | 29.66 Gb Free Space | 99.52% Space Free | Partition Type: FAT32
 
Computer Name: D-PC | User Name: d | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014/03/25 16:49:20 | 000,602,112 | ---- | M] (OldTimer Tools) -- G:\OTL (1).exe
PRC - [2014/03/04 04:39:32 | 001,751,912 | ---- | M] (Search Module Ltd.) -- C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe
PRC - [2014/01/20 22:07:30 | 000,025,600 | ---- | M] () -- C:\Program Files\pcreg\pcreg.exe
PRC - [2014/01/15 20:40:24 | 000,277,920 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe
PRC - [2013/10/23 16:01:10 | 000,300,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe
PRC - [2013/10/23 16:01:10 | 000,280,288 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\NisSrv.exe
PRC - [2013/10/23 16:01:10 | 000,022,208 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/10/23 15:55:28 | 000,948,440 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2013/08/15 16:40:32 | 000,064,408 | ---- | M] (Malwarebytes Secure Backup) -- C:\Program Files\Malwarebytes Secure Backup\SMessaging.exe
PRC - [2013/08/15 16:40:32 | 000,039,832 | ---- | M] (Malwarebytes Secure Backup) -- C:\Program Files\Malwarebytes Secure Backup\SAgent.Service.exe
PRC - [2013/08/06 17:33:16 | 003,291,008 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013/04/04 14:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/04/11 02:28:15 | 000,117,248 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/06/11 14:18:30 | 000,024,576 | ---- | M] () -- C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
PRC - [2007/12/10 23:15:04 | 000,012,800 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/02/16 08:41:06 | 000,978,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\d17ceca243fabda73eefb21d9bd072df\System.Configuration.ni.dll
MOD - [2014/02/14 10:37:21 | 005,462,016 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f87e71868aedbc6c4e8fe7160d17c4ab\System.Xml.ni.dll
MOD - [2014/02/14 10:34:43 | 012,434,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d2b605fc7deda872727d1ed37710420e\System.Windows.Forms.ni.dll
MOD - [2014/02/14 10:22:40 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\8e6265a54260bddfc05951e764f5bc48\System.Drawing.ni.dll
MOD - [2014/02/14 10:21:15 | 002,295,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\bd996f730710dbbac36cba28f7214b29\System.Core.ni.dll
MOD - [2014/02/14 10:19:49 | 007,977,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\957628d9dd7b3bf370a56dca7835a997\System.ni.dll
MOD - [2014/02/14 10:19:36 | 011,497,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\694a37a84dee2cd2609a1dfab27c0433\mscorlib.ni.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2014/03/12 11:08:29 | 000,257,928 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014/03/04 04:39:32 | 001,751,912 | ---- | M] (Search Module Ltd.) [Auto | Running] -- C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe -- (SMUpd)
SRV - [2014/02/12 20:36:33 | 000,118,896 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2014/01/20 22:07:30 | 000,025,600 | ---- | M] () [Auto | Running] -- C:\Program Files\pcreg\pcreg.exe -- (pcregservice)
SRV - [2014/01/15 20:39:44 | 000,235,696 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe -- (McComponentHostService)
SRV - [2013/10/23 16:01:10 | 000,280,288 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/10/23 16:01:10 | 000,022,208 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013/10/23 09:15:08 | 000,172,192 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013/08/15 16:40:32 | 000,039,832 | ---- | M] (Malwarebytes Secure Backup) [Auto | Running] -- C:\Program Files\Malwarebytes Secure Backup\SAgent.Service.exe -- (sagentservice)
SRV - [2013/08/06 17:33:16 | 003,291,008 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/06/11 14:18:30 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe -- (ETService)
SRV - [2008/01/20 22:33:00 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/10 23:15:04 | 000,012,800 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS -- (SRTSPX)
DRV - File not found [File_System | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSP.SYS -- (SRTSP)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVEX15.SYS -- (NAVEX15)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVENG.SYS -- (NAVENG)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
DRV - [2014/03/25 16:43:47 | 000,039,464 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{63131EAE-4662-4A5C-A8DB-D6CAB88CE14D}\MpKsl8f448e03.sys -- (MpKsl8f448e03)
DRV - [2014/03/04 04:39:28 | 000,031,592 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys -- (SMUpdd)
DRV - [2013/09/27 10:53:06 | 000,104,768 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2013/04/04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2013/02/19 21:32:54 | 010,919,200 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/08/12 12:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVNET)
DRV - [2010/08/12 12:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/06/11 14:13:24 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008/06/06 07:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2008/03/07 19:31:52 | 000,062,570 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\jl2005c.sys -- (JL2005C)
DRV - [2008/03/05 01:10:54 | 001,203,808 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emac...=0509&m=el1300g
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,NewTabPageShow = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com
IE - HKLM\..\SearchScopes,DefaultScope = {67C334C0-408D-4E6D-B5A7-0ADD6AFFA252}
IE - HKLM\..\SearchScopes\{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252}: "URL" = http://www.google.co...utputEncoding?}
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emac...=0509&m=el1300g
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,NewTabPageShow = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com
IE - HKCU\..\SearchScopes,DefaultScope = {483D440A-3A50-459C-93F3-2FCD071459AF}
IE - HKCU\..\SearchScopes\{483D440A-3A50-459C-93F3-2FCD071459AF}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js - File not found
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@lightspark.github.com/Lightspark;version=1: C:\Program Files\Lightspark 0.5.3-git\nplightsparkplugin.dll File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/12/24 11:34:42 | 000,000,000 | ---D | M]
 
[2009/07/29 16:29:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Extensions
[2014/03/25 16:49:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions
[2010/07/24 07:15:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2014/03/10 22:34:27 | 000,000,000 | ---D | M] ("iWebar") -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com
[2014/03/25 16:49:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\staged
[2014/03/23 15:19:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData
[2014/03/23 15:19:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\plugins
[2014/03/23 15:19:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\userCode
[2010/07/23 10:09:46 | 000,001,840 | ---- | M] () -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\searchplugins\bing.xml
[2014/02/17 19:46:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/08/14 08:01:50 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2014/02/17 19:46:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/08/14 08:01:50 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2014/02/17 19:46:34 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
Hosts file not found
O4 - HKLM..\Run: [EarthLink Installer] " /C File not found
O4 - HKLM..\Run: [eRecoveryService]  File not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SMessaging] C:\Program Files\Malwarebytes Secure Backup\SMessaging.exe (Malwarebytes Secure Backup)
O4 - HKLM..\Run: [SOSUAUI] C:\Program Files\Malwarebytes Secure Backup\sosuploadagent.exe (Malwarebytes Secure Backup)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2 ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.51.2)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.51.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8058310F-B522-4D7E-AD42-BB5315D9B153}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\d\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\d\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2012/11/27 18:30:30 | 000,000,100 | ---- | M] () - G:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2012/11/27 18:30:30 | 000,000,204 | ---- | M] () - G:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2012/11/27 18:30:30 | 000,017,542 | ---- | M] () - G:\autorun.ico -- [ FAT32 ]
O33 - MountPoints2\{a31009d3-82b8-11de-99db-001d72bb114f}\Shell - "" = AutoRun
O33 - MountPoints2\{a31009d3-82b8-11de-99db-001d72bb114f}\Shell\AutoRun\command - "" = G:\DPFMate.exe
O33 - MountPoints2\{e67ae022-d8d4-11e1-a592-001d72bb114f}\Shell - "" = AutoRun
O33 - MountPoints2\{e67ae022-d8d4-11e1-a592-001d72bb114f}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\drivers\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/03/23 17:50:14 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2014/03/23 17:36:44 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2014/03/23 17:34:44 | 009,988,304 | ---- | C] (SurfRight B.V.) -- C:\Users\d\Desktop\HitmanPro.exe
[2014/03/23 16:16:05 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\ElevatedDiagnostics
[2014/03/23 15:55:31 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/03/23 15:23:50 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/03/23 14:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Microsoft
[2014/03/23 14:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Adware-Removal-Tool
[2014/03/19 08:52:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Oracle
[2014/03/19 08:51:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
[2014/03/11 09:02:09 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2014/03/11 08:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2014/03/10 21:25:56 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\Installer
[2014/03/10 21:25:50 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\ShopperPro
[2014/03/10 21:25:50 | 000,000,000 | ---D | C] -- C:\ProgramData\SearchModule
[2014/03/10 21:25:31 | 000,000,000 | ---D | C] -- C:\Program Files\YTDownloader
[2014/03/10 21:25:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Goobzo
[2014/03/10 21:24:25 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\CrashRpt
[2014/03/06 18:32:08 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\Kobo
[2014/03/06 18:31:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kobo
[2014/03/03 20:23:06 | 000,000,000 | ---D | C] -- C:\temp
[2014/03/02 08:44:02 | 000,000,000 | ---D | C] -- C:\Program Files\runonce
[2014/03/01 21:25:10 | 000,000,000 | ---D | C] -- C:\Windows\tmp
[2014/03/01 21:21:56 | 000,000,000 | ---D | C] -- C:\Program Files\pcreg
[2014/03/01 21:21:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Real
[2014/03/01 21:19:03 | 000,000,000 | ---D | C] -- C:\Program Files\Kobo
[2014/02/28 22:47:42 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Roaming\SharePod
[2014/02/28 21:52:12 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2014/02/28 21:49:15 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2014/02/28 21:49:05 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2014/02/28 20:06:16 | 000,000,000 | R--D | C] -- C:\Users\d\Downloads
[2014/02/28 20:00:12 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Roaming\uTorrent
[2014/02/28 19:51:22 | 000,000,000 | ---D | C] -- C:\Program Files\Adblock Plus for IE
[2014/02/28 19:51:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Package Cache
[2014/02/28 18:51:27 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2014/02/28 08:32:17 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\Skype
[2014/02/28 08:32:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2014/02/28 08:32:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2014/02/28 05:40:45 | 000,000,000 | ---D | C] -- C:\Windows\Migration
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014/03/25 16:53:15 | 000,655,380 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/03/25 16:53:15 | 000,124,006 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/03/25 16:53:00 | 000,000,466 | ---- | M] () -- C:\Windows\tasks\Online Backup Update Notifier.job
[2014/03/25 16:47:53 | 000,001,101 | ---- | M] () -- C:\Users\d\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2014/03/25 16:43:41 | 000,004,784 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2014/03/25 16:43:39 | 000,004,784 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2014/03/25 16:43:00 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2014/03/25 16:42:55 | 000,000,270 | ---- | M] () -- C:\Windows\tasks\pcreg.job
[2014/03/25 16:42:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/03/25 16:42:40 | 1877,340,160 | -HS- | M] () -- C:\hiberfil.sys
[2014/03/25 15:08:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/03/23 17:50:14 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2014/03/23 17:35:47 | 009,988,304 | ---- | M] (SurfRight B.V.) -- C:\Users\d\Desktop\HitmanPro.exe
[2014/03/19 08:44:54 | 000,714,464 | ---- | M] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8(1).exe
[2014/03/19 08:42:12 | 000,108,944 | ---- | M] () -- C:\Users\d\Desktop\Java.exe
[2014/03/19 08:37:22 | 000,714,464 | ---- | M] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8.exe
[2014/03/13 21:18:17 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At1.job
[2014/03/13 19:06:15 | 000,000,680 | ---- | M] () -- C:\Users\d\AppData\Local\d3d9caps.dat
[2014/03/13 19:02:55 | 000,304,040 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2014/03/11 18:45:15 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2014/03/10 21:26:10 | 000,001,696 | ---- | M] () -- C:\Users\d\Desktop\YTDownloader.lnk
[2014/03/06 18:31:54 | 000,000,762 | ---- | M] () -- C:\Users\Public\Desktop\Kobo.lnk
[2014/03/01 21:18:52 | 026,017,384 | ---- | M] () -- C:\Users\d\Desktop\kobo-setup.exe
[2014/02/28 08:32:01 | 000,001,878 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014/03/23 17:08:56 | 1877,340,160 | -HS- | C] () -- C:\hiberfil.sys
[2014/03/19 08:44:11 | 000,714,464 | ---- | C] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8(1).exe
[2014/03/19 08:42:03 | 000,108,944 | ---- | C] () -- C:\Users\d\Desktop\Java.exe
[2014/03/19 08:36:55 | 000,714,464 | ---- | C] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8.exe
[2014/03/11 07:00:30 | 000,001,113 | ---- | C] () -- C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2014/03/10 21:26:10 | 000,001,696 | ---- | C] () -- C:\Users\d\Desktop\YTDownloader.lnk
[2014/03/06 18:31:54 | 000,000,762 | ---- | C] () -- C:\Users\Public\Desktop\Kobo.lnk
[2014/03/03 09:12:06 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2014/03/01 21:23:00 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At1.job
[2014/03/01 21:22:59 | 000,000,270 | ---- | C] () -- C:\Windows\tasks\pcreg.job
[2014/03/01 21:17:47 | 026,017,384 | ---- | C] () -- C:\Users\d\Desktop\kobo-setup.exe
[2014/02/28 08:32:01 | 000,001,878 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2012/04/15 18:02:51 | 000,000,316 | ---- | C] () -- C:\Users\d\AppData\Roaming\wklnhst.dat
[2010/11/09 20:59:28 | 000,029,239 | ---- | C] () -- C:\Users\d\AppData\Roaming\UserTile.png
[2010/08/31 06:46:48 | 000,000,680 | ---- | C] () -- C:\Users\d\AppData\Local\d3d9caps.dat
[2009/08/04 20:18:22 | 000,032,768 | ---- | C] () -- C:\Users\d\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2006/11/02 08:51:16 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 02:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2012/08/07 00:31:18 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\.minecraft
[2013/09/20 07:58:19 | 000,000,000 | -HSD | M] -- C:\Users\d\AppData\Roaming\dwthtiwg
[2010/11/09 20:59:27 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\PeerNetworking
[2014/02/28 22:47:42 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\SharePod
[2012/04/15 18:07:42 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\Template
[2013/05/26 15:05:18 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\TuneUp Software
[2014/03/02 16:26:03 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\uTorrent
[2012/10/05 07:12:38 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\Windows Live Writer
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 147 bytes -> C:\ProgramData\Temp:AD022376
@Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:373E1720
 
< End of report >

Edited by frobey, 25 March 2014 - 03:18 PM.


#2
godawgs
    Teacher
  • Retired Staff
  • 8,228 posts
Hello frobey, welcome to the forums!
My name is godawgs and I will be assisting you with your Virus / Malware issues.
I will start working on your Malware issues. This may, or may not, solve other issues you have with your machine. The fixes are specific to your problem and should only be used for this issue on this machine!

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.
If you have not, please adhere to the guidelines below and then carefully follow all future instructions:

You must reply to posts within four days. If you haven't replied within that time, the topic will be closed! If you need additional time to complete things, just let me know.
If you're not sure, or if something unexpected happens, Do NOT continue! Stop and ask!

This board can notify you when a new reply is added to a topic. Please read this topic to find out how to do that.

Please do not run any tools unless instructed to do so.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask, nothing extra. Do Not run things twice unless instructed.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • If I ask a Question just answer it, don't run anything unless directed to.
Please read every post completely before doing anything.
  • Pay special attention to the NOTE: lines, or anything in red. These entries identify an individual issue or important step in the cleanup process.
  • Please make sure you are saving and printing the instructions out prior to each fix, this way you will have them on hand just in case you are unable to access this site. Some of the steps I will be asking you to do may require you to boot into Safe Mode and this process will be much easier for you to perform if the instructions are printed out for you to follow.
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
Logs from malware diagnostic or removal programs (OTL is one of them) can take some time to analyze.
  • I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums (sometimes).
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
Lastly, please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. Some infections are so severe that we might encounter situations where the only recourse is to re-format and re-install your operating system. Don't worry, this only happens in severe cases, but, sadly, it does happen.
In light of this be prepared to back up your data. Have means of backing up your data available.

IMPORTANT: Change your browser(s) to download any tools to the desktop.
Follow the directions here
For Firefox check the dot beside "Always ask me where to save files."
For Chrome, check the box beside "Ask where to save each file before downloading"
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.




Any help would be most appreciated!!!! I was going to try to follow a couple other Tuvaro postings that were on here but am always concerned about experimenting on other people's PCs...

Good call. :) We always caution our members that the fixes are specific for the member who posted and that all other members shouldn't use that fix on their machine.

I do see a lot of issues here. The system does have Microsoft Security Essentials and McAfee Security Scan on it, but the McAfee program is more of an online scan and not an antivirus program. We will be uninstalling it. There is also evidence that the Norton Internet Security program was once installed on the system and some remnants remain. We will be cleaning that up.
Also, when MSE is installed on a Vista machine it is supposed to turn the Windows Defender program off, but it is still running, so MSE might not have installed properly.

The first thing we need to address is the location of the OTL program. OTL is designed to be run from the hard drive containing the operating system, in this case the C:\ drive. I want you to delete the OTL.txt and Extras.txt files from the G:\ drive and move the OTL.exe file (the program) from the G:\ drive to the desktop of the C:\ drive. Then we will get a more in-depth scan and a new Extras.txt log.


Step-1.
  • Click the Start Orb. Then click Computer.
  • Double click the G:\ drive to open it.
  • Right click the OTL.txt file and click Delete.
  • Repeat for the Extras.txt file.
  • Right click the OTL icon and click Copy
  • Close the G:\ drive. You should now be back to the desktop.
  • Right click on an empty space on the desktop and click Paste. This should put the OTL file on the desktop.
Step-2.

NOTE: I have changed the settings so please read carefully.

OTL Custom Scan

1. Please copy the text in the Quote box below, (Do Not copy the word Quote), and paste it in the Custom Scans/Fixes box in OTL. To do that:
  • Highlight everything inside the quote box, (except the word Quote), right click the mouse and click Copy.

createrestorepoint
netsvcs
systemservices
/md5start
rpcss.dll
/md5stop
c:\program files (x86)\Google\Desktop
c:\program files\Google\Desktop
dir "%systemdrive%\*" /S /A:L /C


2. Re-open OTL on the desktop. To do that:
  • Vista / 7 Users: Right click on the icon and click Run as Administrator.
Make sure all other windows are closed.
  • You will see the OTL console.
  • Click the box beside Scan All Users at the top of the console. <--- Very Important
  • Make sure the Output box at the top is set to Standard Output.
  • In the Extra Registry section, click the radio button beside Use Safelist. <--- Very Important. This will get us the new Extras.txt file.
  • Check the boxes beside LOP Check and Purity Check.
  • Place the mouse pointer inside the Custom Scans/Fixes box, right click and click Paste. This will put the above script inside OTL.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so.
  • Let the scan run uninterrupted.
  • When the scan completes, it will open OTL.Txt on the desktop. The Extras.txt file will be minimized on the taskbar. These files are also saved in the same location as OTL (it should be on your desktop).
  • Please copy the contents of these files and paste them into your reply. To do that:
    • On the OTL.txt file Menu Bar click Edit then click Select All. This will highlight the contents of the file. Then click Copy.
    • Right click inside the forum post window then click Paste. This will paste the contents of the OTL.txt file in the post window.
    Repeat for the Extras.txt file.


Step-3.

Run aswMBR
  • Download aswMBR.exe to your desktop.
  • Right click the file and click Run as Administrator. If you get a UAC window, allow the file to run.
  • If it asks you if you want to download the latest virus definitions, click "No".
  • Be sure the A/V Scan: is set to QuickScan.
  • Click the "Scan" button to start the scan.
  • On completion of the scan click Save log. Save it to your desktop and post it in your next reply.
NOTE: When you run aswMBR, if it is shut down automatically, then it is most likely the infection detecting that aswMBR is running and terminating it. In this situation you should rename the executable (aswMBR.exe) to iexplore.exe and try it again.


Things For Your Next Post:
Please post the logs in the order requested. Please don't attach the logs unless I request it.
1. The new OTL.txt log
2. The Extras.txt log
3. The aswMBR log

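As an added example (not code from this thread, from OTL or from its author), a small Python triage pass over OTL PRC/SRV/DRV lines of the kind posted here: it parses each entry and flags the orphaned "File not found" registrations, running services or drivers with no company name, and auto-start services living in user-writable folders, which are the entries a helper asks about first. The three rules and the folder list are this example's own heuristics, and the sample lines are copied from the OTL output posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OTL prints one entry per line in its PRC / SRV / DRV sections. Two layouts
# appear in the logs posted in this thread:
#   SRV - [date time | size | attrs | M] (Company) [Start | State] -- path -- (ServiceName)
#   DRV - File not found [Type | Start | State] -- path -- (DriverName)
# PRC lines carry no [Start | State] block and no trailing (name).
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV) - "
    r"(?:\[(?P<meta>[^\]]*)\] \((?P<company>[^)]*)\)|(?P<missing>File not found))"
    r"(?: \[(?P<run>[^\]]*)\])?"
    r" -- (?P<path>.*?)"
    r"(?: -- \((?P<name>[^)]*)\))?$"
)

# Folders a stock Vista install does not use for auto-starting service
# binaries. Heuristic chosen for this example, not an OTL rule.
USER_WRITABLE_MARKERS = ("\\programdata\\", "\\appdata\\", "\\temp\\")


@dataclass
class Entry:
    kind: str               # PRC, SRV or DRV
    path: str
    name: Optional[str]     # service/driver name; absent on PRC lines
    company: Optional[str]  # "" when OTL printed "()"; None when the file is missing
    start: Optional[str]    # Auto, On_Demand, Boot, System, ...
    state: Optional[str]    # Running or Stopped
    file_missing: bool


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL PRC/SRV/DRV line; return None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    run = [f.strip() for f in m.group("run").split("|")] if m.group("run") else []
    missing = m.group("missing") is not None
    return Entry(
        kind=m.group("kind"),
        path=m.group("path"),
        name=m.group("name"),
        company=None if missing else m.group("company").strip(),
        start=run[-2] if len(run) >= 2 else None,  # second-to-last bracket field
        state=run[-1] if run else None,            # last bracket field
        file_missing=missing,
    )


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (reason, kind, name-or-path) for entries worth a closer look.
    These are triage heuristics, not verdicts: a hit means 'ask', not 'malware'."""
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        e = parse_entry(line)
        if e is None:
            continue
        label = e.name or e.path
        if e.file_missing:
            # Registration left behind by an uninstalled product; the Norton
            # SRTSP/NAVEX15 drivers in this thread are the typical case.
            findings.append(("orphaned registration (file not found)", e.kind, label))
            continue
        if e.kind in ("SRV", "DRV") and e.company == "" and e.state == "Running":
            # OTL found no company name in the binary's version resource;
            # vendor-signed services and drivers normally carry one.
            findings.append(("no company name on running service/driver", e.kind, label))
        if e.kind == "SRV" and e.start == "Auto" and any(
            marker in e.path.lower() for marker in USER_WRITABLE_MARKERS
        ):
            findings.append(("auto-start service in user-writable location", e.kind, label))
    return findings


# Sample input: lines copied from the OTL output posted in this thread.
SAMPLE_LINES = [
    r"PRC - [2014/01/20 22:07:30 | 000,025,600 | ---- | M] () -- C:\Program Files\pcreg\pcreg.exe",
    r"SRV - [2014/01/20 22:07:30 | 000,025,600 | ---- | M] () [Auto | Running] -- C:\Program Files\pcreg\pcreg.exe -- (pcregservice)",
    r"SRV - [2013/10/23 16:01:10 | 000,022,208 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)",
    r"SRV - [2013/08/06 17:33:16 | 003,291,008 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)",
    r"DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS -- (SRTSPX)",
    r"DRV - [2014/03/04 04:39:28 | 000,031,592 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys -- (SMUpdd)",
    r"DRV - [2013/09/27 10:53:06 | 000,104,768 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)",
    "========== Services (SafeList) ==========",  # section header, ignored by the parser
]

if __name__ == "__main__":
    for reason, kind, label in triage(SAMPLE_LINES):
        print(f"{kind:3} {label:20} {reason}")
```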

#3
frobey
    Member
  • Topic Starter
  • Member
  • 67 posts

Hi godawgs,

 

Thanks so much for your help!! A couple of things before I post the log files. One thing I forgot was that when you open a browser on the PC a "taskeng.exe" window occasionally opens up but it is blank.

 

On OTL.exe there was no "Include 64bit scans" as shown in your picture so I couldn't check that and ran it without it checked.

On aswMBR there was no "A/V Quickscan" dropdown so I ran it as I guess a Full Scan.

 

Here's the OTL.Txt log

 

OTL logfile created on: 3/26/2014 7:03:29 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\d\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.75 Gb Total Physical Memory | 1.05 Gb Available Physical Memory | 60.07% Memory free
3.74 Gb Paging File | 2.68 Gb Available in Paging File | 71.65% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.05 Gb Total Space | 77.47 Gb Free Space | 56.94% Space Free | Partition Type: NTFS
Drive G: | 29.81 Gb Total Space | 29.66 Gb Free Space | 99.50% Space Free | Partition Type: FAT32
 
Computer Name: D-PC | User Name: d | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014/03/25 16:49:20 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\d\Desktop\OTL (1).exe
PRC - [2014/03/04 04:39:32 | 001,751,912 | ---- | M] (Search Module Ltd.) -- C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe
PRC - [2014/01/20 22:07:30 | 000,025,600 | ---- | M] () -- C:\Program Files\pcreg\pcreg.exe
PRC - [2014/01/15 20:40:24 | 000,277,920 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe
PRC - [2013/10/23 16:01:10 | 000,300,552 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MpCmdRun.exe
PRC - [2013/10/23 16:01:10 | 000,280,288 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\NisSrv.exe
PRC - [2013/10/23 16:01:10 | 000,022,208 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/10/23 15:55:28 | 000,948,440 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2013/08/15 16:40:32 | 000,064,408 | ---- | M] (Malwarebytes Secure Backup) -- C:\Program Files\Malwarebytes Secure Backup\SMessaging.exe
PRC - [2013/08/15 16:40:32 | 000,039,832 | ---- | M] (Malwarebytes Secure Backup) -- C:\Program Files\Malwarebytes Secure Backup\SAgent.Service.exe
PRC - [2013/08/15 16:40:24 | 000,090,520 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes Secure Backup\mbsbscan.exe
PRC - [2013/08/06 17:33:16 | 003,291,008 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013/04/04 14:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/06/11 14:18:30 | 000,024,576 | ---- | M] () -- C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
PRC - [2007/12/10 23:15:04 | 000,012,800 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/02/16 08:41:06 | 000,978,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\d17ceca243fabda73eefb21d9bd072df\System.Configuration.ni.dll
MOD - [2014/02/14 10:37:21 | 005,462,016 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f87e71868aedbc6c4e8fe7160d17c4ab\System.Xml.ni.dll
MOD - [2014/02/14 10:34:43 | 012,434,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d2b605fc7deda872727d1ed37710420e\System.Windows.Forms.ni.dll
MOD - [2014/02/14 10:22:40 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\8e6265a54260bddfc05951e764f5bc48\System.Drawing.ni.dll
MOD - [2014/02/14 10:21:15 | 002,295,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\bd996f730710dbbac36cba28f7214b29\System.Core.ni.dll
MOD - [2014/02/14 10:19:49 | 007,977,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\957628d9dd7b3bf370a56dca7835a997\System.ni.dll
MOD - [2014/02/14 10:19:36 | 011,497,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\694a37a84dee2cd2609a1dfab27c0433\mscorlib.ni.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2014/03/12 11:08:29 | 000,257,928 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014/03/04 04:39:32 | 001,751,912 | ---- | M] (Search Module Ltd.) [Auto | Running] -- C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe -- (SMUpd)
SRV - [2014/02/12 20:36:33 | 000,118,896 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2014/01/20 22:07:30 | 000,025,600 | ---- | M] () [Auto | Running] -- C:\Program Files\pcreg\pcreg.exe -- (pcregservice)
SRV - [2014/01/15 20:39:44 | 000,235,696 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe -- (McComponentHostService)
SRV - [2013/10/23 16:01:10 | 000,280,288 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/10/23 16:01:10 | 000,022,208 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013/10/23 09:15:08 | 000,172,192 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013/08/15 16:40:32 | 000,039,832 | ---- | M] (Malwarebytes Secure Backup) [Auto | Running] -- C:\Program Files\Malwarebytes Secure Backup\SAgent.Service.exe -- (sagentservice)
SRV - [2013/08/06 17:33:16 | 003,291,008 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/06/11 14:18:30 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe -- (ETService)
SRV - [2008/01/20 22:33:00 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/10 23:15:04 | 000,012,800 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS -- (SRTSPX)
DRV - File not found [File_System | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSP.SYS -- (SRTSP)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVEX15.SYS -- (NAVEX15)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVENG.SYS -- (NAVENG)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
DRV - [2014/03/26 18:51:09 | 000,039,464 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{63131EAE-4662-4A5C-A8DB-D6CAB88CE14D}\MpKsl68b17769.sys -- (MpKsl68b17769)
DRV - [2014/03/26 18:50:58 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2014/03/04 04:39:28 | 000,031,592 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys -- (SMUpdd)
DRV - [2013/09/27 10:53:06 | 000,104,768 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2013/04/04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2013/02/19 21:32:54 | 010,919,200 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/08/12 12:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVNET)
DRV - [2010/08/12 12:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/06/11 14:13:24 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008/06/06 07:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2008/03/07 19:31:52 | 000,062,570 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\jl2005c.sys -- (JL2005C)
DRV - [2008/03/05 01:10:54 | 001,203,808 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emac...=0509&m=el1300g
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,NewTabPageShow = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com
IE - HKLM\..\SearchScopes,DefaultScope = {67C334C0-408D-4E6D-B5A7-0ADD6AFFA252}
IE - HKLM\..\SearchScopes\{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252}: "URL" = http://www.google.co...utputEncoding?}
 
 
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emac...=0509&m=el1300g
IE - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\SOFTWARE\Microsoft\Internet Explorer\Main,NewTabPageShow = 1
IE - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com
IE - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\..\SearchScopes,DefaultScope = {483D440A-3A50-459C-93F3-2FCD071459AF}
IE - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\..\SearchScopes\{483D440A-3A50-459C-93F3-2FCD071459AF}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js - File not found
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@lightspark.github.com/Lightspark;version=1: C:\Program Files\Lightspark 0.5.3-git\nplightsparkplugin.dll File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/12/24 11:34:42 | 000,000,000 | ---D | M]
 
[2009/07/29 16:29:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Extensions
[2014/03/25 16:49:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions
[2010/07/24 07:15:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2014/03/10 22:34:27 | 000,000,000 | ---D | M] ("iWebar") -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com
[2014/03/25 16:49:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\staged
[2014/03/23 15:19:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData
[2014/03/23 15:19:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\plugins
[2014/03/23 15:19:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\userCode
[2010/07/23 10:09:46 | 000,001,840 | ---- | M] () -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\searchplugins\bing.xml
[2014/02/17 19:46:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/08/14 08:01:50 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2014/02/17 19:46:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/08/14 08:01:50 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2014/02/17 19:46:34 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
Hosts file not found
O4 - HKLM..\Run: [EarthLink Installer] " /C File not found
O4 - HKLM..\Run: [eRecoveryService]  File not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SMessaging] C:\Program Files\Malwarebytes Secure Backup\SMessaging.exe (Malwarebytes Secure Backup)
O4 - HKLM..\Run: [SOSUAUI] C:\Program Files\Malwarebytes Secure Backup\sosuploadagent.exe (Malwarebytes Secure Backup)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - Startup: C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2 ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O7 - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.51.2)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.51.2)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8058310F-B522-4D7E-AD42-BB5315D9B153}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img25.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img25.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2012/11/27 18:30:30 | 000,000,100 | ---- | M] () - G:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2012/11/27 18:30:30 | 000,000,204 | ---- | M] () - G:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2012/11/27 18:30:30 | 000,017,542 | ---- | M] () - G:\autorun.ico -- [ FAT32 ]
O33 - MountPoints2\{a31009d3-82b8-11de-99db-001d72bb114f}\Shell - "" = AutoRun
O33 - MountPoints2\{a31009d3-82b8-11de-99db-001d72bb114f}\Shell\AutoRun\command - "" = G:\DPFMate.exe
O33 - MountPoints2\{e67ae022-d8d4-11e1-a592-001d72bb114f}\Shell - "" = AutoRun
O33 - MountPoints2\{e67ae022-d8d4-11e1-a592-001d72bb114f}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\drivers\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
CREATERESTOREPOINT
Restore point Set: OTL Restore Point
 
NetSvcs: FastUserSwitchingCompatibility -  File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla -  File not found
NetSvcs: Ntmssvc -  File not found
NetSvcs: NWCWorkstation -  File not found
NetSvcs: Nwsapagent -  File not found
NetSvcs: SRService -  File not found
NetSvcs: WmdmPmSp -  File not found
NetSvcs: LogonHours -  File not found
NetSvcs: PCAudit -  File not found
NetSvcs: helpsvc -  File not found
NetSvcs: uploadmgr -  File not found
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/03/26 18:58:21 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\d\Desktop\OTL (1).exe
[2014/03/26 18:58:09 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Users\d\Desktop\aswmbr (1).exe
[2014/03/26 18:50:57 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2014/03/23 17:50:14 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2014/03/23 17:36:44 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2014/03/23 17:34:44 | 009,988,304 | ---- | C] (SurfRight B.V.) -- C:\Users\d\Desktop\HitmanPro.exe
[2014/03/23 16:16:05 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\ElevatedDiagnostics
[2014/03/23 15:55:31 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/03/23 15:23:50 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/03/23 14:27:23 | 000,290,304 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\subinacl.exe
[2014/03/23 14:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Microsoft
[2014/03/23 14:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Adware-Removal-Tool
[2014/03/19 08:52:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Oracle
[2014/03/19 08:51:56 | 000,264,616 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2014/03/19 08:51:38 | 000,175,016 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2014/03/19 08:51:38 | 000,174,504 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2014/03/19 08:51:38 | 000,094,632 | ---- | C] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2014/03/19 08:51:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
[2014/03/12 17:53:47 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2014/03/12 17:53:45 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2014/03/12 17:53:44 | 000,065,536 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2014/03/12 17:53:43 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2014/03/12 17:53:43 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2014/03/12 17:53:41 | 001,806,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2014/03/12 17:53:41 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2014/03/12 17:53:38 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2014/03/12 09:54:18 | 002,050,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2014/03/12 09:54:16 | 000,505,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\qedit.dll
[2014/03/12 09:54:15 | 000,876,032 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wer.dll
[2014/03/12 09:54:11 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2014/03/11 09:02:09 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2014/03/11 08:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2014/03/11 07:31:56 | 000,921,512 | ---- | C] (Oracle Corporation) -- C:\Users\d\Desktop\jre-7u51-windows-i586-iftw.exe
[2014/03/10 21:25:56 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\Installer
[2014/03/10 21:25:50 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\ShopperPro
[2014/03/10 21:25:50 | 000,000,000 | ---D | C] -- C:\ProgramData\SearchModule
[2014/03/10 21:25:31 | 000,000,000 | ---D | C] -- C:\Program Files\YTDownloader
[2014/03/10 21:25:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Goobzo
[2014/03/10 21:24:25 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\CrashRpt
[2014/03/06 18:32:08 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\Kobo
[2014/03/06 18:31:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kobo
[2014/03/03 20:23:06 | 000,000,000 | ---D | C] -- C:\temp
[2014/03/02 08:44:02 | 000,000,000 | ---D | C] -- C:\Program Files\runonce
[2014/03/01 21:25:10 | 000,000,000 | ---D | C] -- C:\Windows\tmp
[2014/03/01 21:21:56 | 000,000,000 | ---D | C] -- C:\Program Files\pcreg
[2014/03/01 21:21:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Real
[2014/03/01 21:19:03 | 000,000,000 | ---D | C] -- C:\Program Files\Kobo
[2014/02/28 22:47:42 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Roaming\SharePod
[2014/02/28 21:52:12 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2014/02/28 21:49:15 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2014/02/28 21:49:05 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2014/02/28 20:06:16 | 000,000,000 | R--D | C] -- C:\Users\d\Downloads
[2014/02/28 20:00:12 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Roaming\uTorrent
[2014/02/28 19:51:22 | 000,000,000 | ---D | C] -- C:\Program Files\Adblock Plus for IE
[2014/02/28 19:51:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Package Cache
[2014/02/28 18:51:27 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2014/02/28 08:32:17 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\Skype
[2014/02/28 08:32:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2014/02/28 08:32:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2014/02/28 05:40:45 | 000,000,000 | ---D | C] -- C:\Windows\Migration
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2014/03/26 19:00:35 | 000,000,466 | ---- | M] () -- C:\Windows\tasks\Online Backup Update Notifier.job
[2014/03/26 19:00:32 | 000,001,101 | ---- | M] () -- C:\Users\d\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2014/03/26 18:59:11 | 000,655,380 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/03/26 18:59:11 | 000,124,006 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/03/26 18:56:16 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Users\d\Desktop\aswmbr (1).exe
[2014/03/26 18:51:11 | 000,004,784 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2014/03/26 18:51:11 | 000,004,784 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2014/03/26 18:50:58 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2014/03/26 18:50:33 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2014/03/26 18:50:32 | 000,000,270 | ---- | M] () -- C:\Windows\tasks\pcreg.job
[2014/03/26 18:50:18 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/03/26 18:50:12 | 1877,458,944 | -HS- | M] () -- C:\hiberfil.sys
[2014/03/25 18:08:00 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/03/25 16:49:20 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\d\Desktop\OTL (1).exe
[2014/03/23 17:50:14 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2014/03/23 17:35:47 | 009,988,304 | ---- | M] (SurfRight B.V.) -- C:\Users\d\Desktop\HitmanPro.exe
[2014/03/23 17:03:33 | 000,290,304 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\subinacl.exe
[2014/03/19 08:51:23 | 000,094,632 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\WindowsAccessBridge.dll
[2014/03/19 08:51:18 | 000,264,616 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaws.exe
[2014/03/19 08:51:18 | 000,175,016 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\javaw.exe
[2014/03/19 08:51:17 | 000,174,504 | ---- | M] (Oracle Corporation) -- C:\Windows\System32\java.exe
[2014/03/19 08:44:54 | 000,714,464 | ---- | M] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8(1).exe
[2014/03/19 08:42:12 | 000,108,944 | ---- | M] () -- C:\Users\d\Desktop\Java.exe
[2014/03/19 08:37:22 | 000,714,464 | ---- | M] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8.exe
[2014/03/13 21:18:17 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At1.job
[2014/03/13 19:06:15 | 000,000,680 | ---- | M] () -- C:\Users\d\AppData\Local\d3d9caps.dat
[2014/03/13 19:02:55 | 000,304,040 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2014/03/12 11:08:29 | 000,692,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2014/03/12 11:08:28 | 000,071,048 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2014/03/11 18:45:15 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2014/03/11 07:32:11 | 000,921,512 | ---- | M] (Oracle Corporation) -- C:\Users\d\Desktop\jre-7u51-windows-i586-iftw.exe
[2014/03/10 21:26:10 | 000,001,696 | ---- | M] () -- C:\Users\d\Desktop\YTDownloader.lnk
[2014/03/06 18:31:54 | 000,000,762 | ---- | M] () -- C:\Users\Public\Desktop\Kobo.lnk
[2014/03/01 21:18:52 | 026,017,384 | ---- | M] () -- C:\Users\d\Desktop\kobo-setup.exe
[2014/02/28 08:32:01 | 000,001,878 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2014/03/23 17:08:56 | 1877,458,944 | -HS- | C] () -- C:\hiberfil.sys
[2014/03/19 08:44:11 | 000,714,464 | ---- | C] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8(1).exe
[2014/03/19 08:42:03 | 000,108,944 | ---- | C] () -- C:\Users\d\Desktop\Java.exe
[2014/03/19 08:36:55 | 000,714,464 | ---- | C] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8.exe
[2014/03/11 07:00:30 | 000,001,113 | ---- | C] () -- C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2014/03/10 21:26:10 | 000,001,696 | ---- | C] () -- C:\Users\d\Desktop\YTDownloader.lnk
[2014/03/06 18:31:54 | 000,000,762 | ---- | C] () -- C:\Users\Public\Desktop\Kobo.lnk
[2014/03/03 09:12:06 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2014/03/01 21:23:00 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At1.job
[2014/03/01 21:22:59 | 000,000,270 | ---- | C] () -- C:\Windows\tasks\pcreg.job
[2014/03/01 21:17:47 | 026,017,384 | ---- | C] () -- C:\Users\d\Desktop\kobo-setup.exe
[2014/02/28 08:32:01 | 000,001,878 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2012/04/15 18:02:51 | 000,000,316 | ---- | C] () -- C:\Users\d\AppData\Roaming\wklnhst.dat
[2010/11/09 20:59:28 | 000,029,239 | ---- | C] () -- C:\Users\d\AppData\Roaming\UserTile.png
[2010/08/31 06:46:48 | 000,000,680 | ---- | C] () -- C:\Users\d\AppData\Local\d3d9caps.dat
[2009/08/04 20:18:22 | 000,032,768 | ---- | C] () -- C:\Users\d\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2006/11/02 08:51:16 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 02:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2012/08/07 00:31:18 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\.minecraft
[2013/09/20 07:58:19 | 000,000,000 | -HSD | M] -- C:\Users\d\AppData\Roaming\dwthtiwg
[2010/11/09 20:59:27 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\PeerNetworking
[2014/02/28 22:47:42 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\SharePod
[2012/04/15 18:07:42 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\Template
[2013/05/26 15:05:18 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\TuneUp Software
[2014/03/02 16:26:03 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\uTorrent
[2012/10/05 07:12:38 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\Windows Live Writer
[2013/06/10 10:01:38 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\TuneUp Software
[2013/06/10 10:01:38 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\TuneUp Software
 
========== Purity Check ==========
 
 
 
========== Custom Scans ==========
 
< systemservices >
[2006/11/02 08:58:10 | 000,000,006 | -H-- | C] () -- C:\Windows\Tasks\SA.DAT
[2006/11/02 08:58:10 | 000,032,646 | ---- | C] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2012/08/05 10:37:12 | 000,000,830 | ---- | C] () -- C:\Windows\Tasks\Adobe Flash Player Updater.job
[2013/09/25 19:42:42 | 000,000,466 | ---- | C] () -- C:\Windows\Tasks\Online Backup Update Notifier.job
[2014/03/01 21:22:59 | 000,000,270 | ---- | C] () -- C:\Windows\Tasks\pcreg.job
[2014/03/01 21:23:00 | 000,000,354 | ---- | C] () -- C:\Windows\Tasks\At1.job
 
< MD5 for: RPCSS.DLL  >
[2009/03/03 00:39:32 | 000,551,424 | ---- | M] (Microsoft Corporation) MD5=301AE00E12408650BADDC04DBC832830 -- C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18226_none_69bb41ac3deac876\rpcss.dll
[2008/01/20 22:33:42 | 000,547,328 | ---- | M] (Microsoft Corporation) MD5=33FB1F0193EE2051067441492D56113C -- C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.18000_none_69cadbfc3ddffe3c\rpcss.dll
[2009/04/11 02:28:24 | 000,550,400 | ---- | M] (Microsoft Corporation) MD5=3B5B4D53FEC14F7476CA29A20CC31AC9 -- C:\Windows\System32\rpcss.dll
[2009/04/11 02:28:24 | 000,550,400 | ---- | M] (Microsoft Corporation) MD5=3B5B4D53FEC14F7476CA29A20CC31AC9 -- C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6002.18005_none_6bb655083b01c988\rpcss.dll
[2009/03/03 00:32:23 | 000,551,424 | ---- | M] (Microsoft Corporation) MD5=4DFCBDEF3CCAA98F99038DED78945253 -- C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6001.22389_none_6a06ffcd57365beb\rpcss.dll
[2009/03/03 00:19:41 | 000,549,888 | ---- | M] (Microsoft Corporation) MD5=7B981222A257D076885BFFB66F19B7CE -- C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.16830_none_67c4315e40d1bb6c\rpcss.dll
[2009/03/03 00:17:45 | 000,550,400 | ---- | M] (Microsoft Corporation) MD5=B1BB45E24717A7F790B4411C4446EF5E -- C:\Windows\winsxs\x86_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.0.6000.21023_none_685b771559e4be8c\rpcss.dll
 
< c:\program files (x86)\Google\Desktop >
 
< c:\program files\Google\Desktop >
 
< dir "%systemdrive%\*" /S /A:L /C >
 Volume in drive C is OS
 Volume Serial Number is D07F-F80B
 Directory of C:\
11/02/2006  08:59 AM    <JUNCTION>     Documents and Settings [C:\Users]
               0 File(s)              0 bytes
 Directory of C:\ProgramData
07/29/2009  04:15 PM    <JUNCTION>     Application Data [C:\ProgramData]
11/02/2006  08:59 AM    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
11/02/2006  08:59 AM    <JUNCTION>     Documents [C:\Users\Public\Documents]
11/02/2006  08:59 AM    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
11/02/2006  08:59 AM    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
11/02/2006  08:59 AM    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
 Directory of C:\Users
11/02/2006  08:59 AM    <SYMLINKD>     All Users [C:\ProgramData]
11/02/2006  08:59 AM    <JUNCTION>     Default User [C:\Users\Default]
               0 File(s)              0 bytes
 Directory of C:\Users\All Users
07/29/2009  04:15 PM    <JUNCTION>     Application Data [C:\ProgramData]
11/02/2006  08:59 AM    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
11/02/2006  08:59 AM    <JUNCTION>     Documents [C:\Users\Public\Documents]
11/02/2006  08:59 AM    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
11/02/2006  08:59 AM    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
11/02/2006  08:59 AM    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
 Directory of C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/29/2009  04:15 PM    <JUNCTION>     Application Data [C:\ProgramData]
11/02/2006  08:59 AM    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
11/02/2006  08:59 AM    <JUNCTION>     Documents [C:\Users\Public\Documents]
11/02/2006  08:59 AM    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
11/02/2006  08:59 AM    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
11/02/2006  08:59 AM    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
 Directory of C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data
07/29/2009  04:15 PM    <JUNCTION>     Application Data [C:\ProgramData]
11/02/2006  08:59 AM    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
11/02/2006  08:59 AM    <JUNCTION>     Documents [C:\Users\Public\Documents]
11/02/2006  08:59 AM    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
11/02/2006  08:59 AM    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
11/02/2006  08:59 AM    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
 Directory of C:\Users\d
07/29/2009  04:13 PM    <JUNCTION>     Application Data [C:\Users\d\AppData\Roaming]
07/29/2009  04:13 PM    <JUNCTION>     Cookies [C:\Users\d\AppData\Roaming\Microsoft\Windows\Cookies]
07/29/2009  04:13 PM    <JUNCTION>     Local Settings [C:\Users\d\AppData\Local]
07/29/2009  04:13 PM    <JUNCTION>     My Documents [C:\Users\d\Documents]
07/29/2009  04:13 PM    <JUNCTION>     NetHood [C:\Users\d\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
07/29/2009  04:13 PM    <JUNCTION>     PrintHood [C:\Users\d\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
07/29/2009  04:13 PM    <JUNCTION>     Recent [C:\Users\d\AppData\Roaming\Microsoft\Windows\Recent]
07/29/2009  04:13 PM    <JUNCTION>     SendTo [C:\Users\d\AppData\Roaming\Microsoft\Windows\SendTo]
07/29/2009  04:13 PM    <JUNCTION>     Start Menu [C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu]
07/29/2009  04:13 PM    <JUNCTION>     Templates [C:\Users\d\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
 Directory of C:\Users\d\AppData\Local
07/29/2009  04:13 PM    <JUNCTION>     Application Data [C:\Users\d\AppData\Local]
07/29/2009  04:13 PM    <JUNCTION>     History [C:\Users\d\AppData\Local\Microsoft\Windows\History]
07/29/2009  04:13 PM    <JUNCTION>     Temporary Internet Files [C:\Users\d\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes
 Directory of C:\Users\d\Documents
07/29/2009  04:13 PM    <JUNCTION>     My Music [C:\Users\d\Music]
07/29/2009  04:13 PM    <JUNCTION>     My Pictures [C:\Users\d\Pictures]
07/29/2009  04:13 PM    <JUNCTION>     My Videos [C:\Users\d\Videos]
               0 File(s)              0 bytes
 Directory of C:\Users\Default
11/02/2006  08:59 AM    <JUNCTION>     Application Data [C:\Users\Default\AppData\Roaming]
11/02/2006  08:59 AM    <JUNCTION>     Cookies [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies]
11/02/2006  08:59 AM    <JUNCTION>     Local Settings [C:\Users\Default\AppData\Local]
11/02/2006  08:59 AM    <JUNCTION>     My Documents [C:\Users\Default\Documents]
11/02/2006  08:59 AM    <JUNCTION>     NetHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
11/02/2006  08:59 AM    <JUNCTION>     PrintHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
11/02/2006  08:59 AM    <JUNCTION>     Recent [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent]
11/02/2006  08:59 AM    <JUNCTION>     SendTo [C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo]
11/02/2006  08:59 AM    <JUNCTION>     Start Menu [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
11/02/2006  08:59 AM    <JUNCTION>     Templates [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes
 Directory of C:\Users\Default\AppData\Local
11/02/2006  08:59 AM    <JUNCTION>     Application Data [C:\Users\Default\AppData\Local]
11/02/2006  08:59 AM    <JUNCTION>     History [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
11/02/2006  08:59 AM    <JUNCTION>     Temporary Internet Files [C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes
 Directory of C:\Users\Default\Documents
11/02/2006  08:59 AM    <JUNCTION>     My Music [C:\Users\Default\Music]
11/02/2006  08:59 AM    <JUNCTION>     My Pictures [C:\Users\Default\Pictures]
11/02/2006  08:59 AM    <JUNCTION>     My Videos [C:\Users\Default\Videos]
               0 File(s)              0 bytes
     Total Files Listed:
               0 File(s)              0 bytes
             203 Dir(s)  83,306,061,824 bytes free
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 147 bytes -> C:\ProgramData\Temp:AD022376
@Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:373E1720
 
< End of report >
 
Here's the Extras.Txt log
 

OTL Extras logfile created on: 3/26/2014 7:03:29 PM - Run 2
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\d\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.75 Gb Total Physical Memory | 1.05 Gb Available Physical Memory | 60.07% Memory free
3.74 Gb Paging File | 2.68 Gb Available in Paging File | 71.65% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.05 Gb Total Space | 77.47 Gb Free Space | 56.94% Space Free | Partition Type: NTFS
Drive G: | 29.81 Gb Total Space | 29.66 Gb Free Space | 99.50% Space Free | Partition Type: FAT32
 
Computer Name: D-PC | User Name: d | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Extra Registry (SafeList) ==========
 
 
========== File Associations ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
 
========== Shell Spawning ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- "%1" %*
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
 
========== Security Center Settings ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
 
========== Firewall Settings ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
 
========== Authorized Applications List ==========
 
 
========== Vista Active Open Ports Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1CDC16B7-4841-4C00-B644-28CF05D52728}" = rport=80 | protocol=6 | dir=out | app=c:\program files\common files\intuit\update service\intuitupdateservice.exe | 
"{35214426-22C4-4260-AB8F-017CC34BD634}" = rport=80 | protocol=6 | dir=out | app=c:\program files\common files\intuit\update service\intuitupdater.exe | 
"{6A1E2D30-1333-47C7-9341-0A4B3A056316}" = lport=2869 | protocol=6 | dir=in | app=system | 
"{BB775252-C9C5-40C3-A86D-D2969B5473D5}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe | 
 
========== Vista Active Application Exception List ==========
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0CF50C69-945A-49E8-A7CF-C1BAF87EF373}" = dir=out | app=c:\users\d\appdata\local\temp\file_to_run55636.exe | 
"{1FAF5641-7F8B-4459-9FF0-D8916FF597F3}" = dir=out | app=c:\program files\pcreg\pcreg.exe | 
"{478070A1-87CE-4CE5-8463-4628B1759C1F}" = dir=in | app=c:\users\d\appdata\local\temp\speedmax.exe | 
"{51449D6A-8097-4E64-94BF-0CEC936F4020}" = dir=in | app=c:\users\d\appdata\local\temp\file_to_run551629.exe | 
"{5986F901-4CDD-4759-8194-31C62D79F546}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{70A09165-B145-4F88-ADA6-D79C207A6704}" = dir=out | app=c:\program files\pcreg\service.exe | 
"{7289680E-A604-4356-BC9C-697BC0022320}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{772F9862-5D42-43DB-A4C3-9217E153ACEA}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe | 
"{83D6A168-8BA0-4254-9F3B-768968C6EB7D}" = dir=out | app=c:\users\d\appdata\local\temp\speedmax.exe | 
"{90B5D4D3-A8EA-4748-B865-A4BE92424BC8}" = dir=in | app=c:\windows\temp\file_to_run551726.exe | 
"{91D86EF1-4FA2-403F-A5BC-45E62D4088C3}" = dir=in | app=c:\program files\itunes\itunes.exe | 
"{A8D3249B-3A66-41A7-9170-99C578DE77A3}" = dir=in | app=c:\program files\pcreg\pcreg.exe | 
"{C20854BE-EE88-4BC0-BE61-0E7950B974A7}" = dir=in | app=c:\users\d\appdata\local\temp\file_to_run55636.exe | 
"{C2B3BD1B-B297-41CD-B2C6-0F77B9824CC2}" = dir=out | app=c:\users\d\appdata\local\temp\file_to_run551629.exe | 
"{CD3BE919-BF98-43C3-8C53-E95F345EC4D7}" = dir=in | app=c:\program files\pcreg\service.exe | 
"{D1FDD9AE-9C46-4FBD-AC7E-0ECAEEF14BBE}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe | 
"{DB1371C4-D114-49D7-AF72-81C5AD019804}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | 
"{EE213794-1CF2-41B7-9F9D-B926C2831352}" = dir=in | app=c:\users\d\appdata\local\temp\file_to_run55728.exe | 
"{EE6A6DE5-DD02-4F7D-A9E8-E2B475458E48}" = dir=in | app=c:\program files\cyberlink\powerdvd\powerdvd.exe | 
"{EF9028E4-855C-4FDB-8E64-EB0625265336}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe | 
"{F333DB84-4F6D-4689-AA3A-446411EEE1C5}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe | 
"{FA15F526-CE0B-4726-8BEA-3BB47978D267}" = dir=out | app=c:\users\d\appdata\local\temp\file_to_run55728.exe | 
"{FA936468-DB32-4AF4-9A9F-70F80B6A3649}" = dir=out | app=c:\windows\temp\file_to_run551726.exe | 
"{FD19A28E-F42B-4AFB-ABF7-8E931B3B7CB7}" = dir=in | app=c:\program files\skype\phone\skype.exe | 
 
========== HKEY_LOCAL_MACHINE Uninstall List ==========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{020D8396-D6D9-4B53-A9A1-83C47E2E27AA}" = Windows Live Call
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{0CD47142-BA4F-46B0-AA92-2675864928B8}" = Microsoft Security Client
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{18D47FA1-0440-48D3-A7E0-DA09537FF471}" = Apple Mobile Device Support
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{21B632E1-4B3D-4AC2-9ABD-E00544F67D48}" = Adblock Plus for IE (32-bit)
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java™ 6 Update 21
"{26A24AE4-039D-4CA4-87B4-2F83217051FF}" = Java 7 Update 51
"{2F21564D-DE05-4C6D-B21E-08B9D313FAB3}" = iTunes
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"{4903D172-DCCB-392F-93A3-34CA9D47FE3D}" = Microsoft .NET Framework 4.5.1
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4AB8B41B-3AF1-46BE-99B0-0ACD3B300C0A}" = Junk Mail filter update
"{4F524A2D-5637-4300-76A7-A758B70C0A03}" = Ask Toolbar
"{5228274E-59DC-4B9B-AF72-97AC81C09C8A}" = Malwarebytes Secure Backup
"{5FF27D65-35E5-4855-B7ED-59BCFBC85776}" = AVG 2013
"{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
"{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = CyberLink PowerDVD
"{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
"{6FBC610C-94CD-4EC3-A322-74BB07AA2D6C}" = Brother HL-2140
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}" = Skype™ 6.14
"{7F811A54-5A09-4579-90E1-C93498E230D9}" = eMachines Recovery Management
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5.1
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb" = Internet Explorer (Enable DEP)
"{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.5
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B67BAFBA-4C9F-48FA-9496-933E3B255044}" = QuickTime
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D9D754A1-EAC5-406C-A28B-C49B1E846711}" = Windows Live Essentials
"{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F69E83CF-B440-43F8-89E6-6EA80712109B}" = Windows Live Communications Platform
"{F73A5B18-EB75-4B2C-B32D-9457576E2417}" = Windows Live Photo Gallery
"{fd97d1e2-368a-4cd9-af63-8eeff938044a}" = Adblock Plus for IE
"{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}" = Windows Live Sync
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 12 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 12 Plugin
"Agere Systems Soft Modem" = Agere Systems PCI-SV92EX Soft Modem
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dual Mode Camera_is1" = Uninstall Dual Mode Camera
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = CyberLink Power2Go
"Kobo" = Kobo
"Lightspark" = Lightspark 0.5.3-git
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.75.0.1300
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Security Client" = Microsoft Security Essentials
"Mozilla Firefox 27.0.1 (x86 en-US)" = Mozilla Firefox 27.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"NVIDIA Drivers" = NVIDIA Drivers
"Search module" = Search module
"TurboTax 2009" = TurboTax 2009
"ValueApps" = ValueApps
"WinLiveSuite_Wave3" = Windows Live Essentials
"YTDownloader" = YTDownloader
 
========== Last 20 Event Log Errors ==========
 
[ Application Events ]
Error - 3/25/2014 9:21:50 AM | Computer Name = d-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 3/25/2014 9:26:13 AM | Computer Name = d-PC | Source = Application Error | ID = 1000
Description = Faulting application rundll32.exe, version 6.0.6000.16386, time stamp
 0x4549b0e1, faulting module SysMenu.dll, version 1.0.0.5, time stamp 0x52b449c7,
 exception code 0xc0000005, fault offset 0x0006ce5c,  process id 0xe38, application
 start time 0x01cf482daad47c95.
 
Error - 3/25/2014 4:44:24 PM | Computer Name = d-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 3/25/2014 4:49:19 PM | Computer Name = d-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksCal.exe".
Dependent
 Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"
 could not be found.  Please use sxstrace.exe for detailed diagnosis.
 
Error - 3/25/2014 4:49:19 PM | Computer Name = d-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksdb.exe".
Dependent
 Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"
 could not be found.  Please use sxstrace.exe for detailed diagnosis.
 
Error - 3/25/2014 4:49:19 PM | Computer Name = d-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksss.exe".
Dependent
 Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"
 could not be found.  Please use sxstrace.exe for detailed diagnosis.
 
Error - 3/25/2014 4:49:19 PM | Computer Name = d-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe".
Dependent
 Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0"
 could not be found.  Please use sxstrace.exe for detailed diagnosis.
 
Error - 3/25/2014 4:53:04 PM | Computer Name = d-PC | Source = Application Hang | ID = 1002
Description = The program OTL (1).exe version 3.2.69.0 stopped interacting with 
Windows and was closed. To see if more information about the problem is available,
 check the problem history in the Problem Reports and Solutions control panel.  Process
 ID: 1590  Start Time: 01cf486c14cd03d1  Termination Time: 8
 
Error - 3/26/2014 6:51:56 PM | Computer Name = d-PC | Source = WinMgmt | ID = 10
Description = 
 
Error - 3/26/2014 6:55:31 PM | Computer Name = d-PC | Source = Application Error | ID = 1000
Description = Faulting application rundll32.exe, version 6.0.6000.16386, time stamp
 0x4549b0e1, faulting module SysMenu.dll, version 1.0.0.5, time stamp 0x52b449c7,
 exception code 0xc0000005, fault offset 0x0006ce5c,  process id 0x1ae4, application
 start time 0x01cf49467c241658.
 
[ System Events ]
Error - 3/23/2014 5:41:40 PM | Computer Name = d-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort1.
 
Error - 3/23/2014 5:41:43 PM | Computer Name = d-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort1.
 
Error - 3/23/2014 5:43:10 PM | Computer Name = d-PC | Source = nvstor32 | ID = 262149
Description = A parity error was detected on \Device\RaidPort1.
 
Error - 3/23/2014 6:56:05 PM | Computer Name = d-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 3/23/2014 10:00:44 PM | Computer Name = d-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 3/24/2014 6:40:47 AM | Computer Name = d-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 3/25/2014 9:21:51 AM | Computer Name = d-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 3/25/2014 4:44:24 PM | Computer Name = d-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 3/26/2014 6:51:56 PM | Computer Name = d-PC | Source = Service Control Manager | ID = 7026
Description = 
 
Error - 3/26/2014 7:01:16 PM | Computer Name = d-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures.     New Signature
 Version:      Previous Signature Version: 1.169.762.0     Update Source: %%859     Update Stage:
 %%852     Source Path: http://www.microsoft.com     Signature Type: %%800     Update Type: %%803
 
User:
 NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 1.1.10401.0
 
Error
 code: 0x8024402c     Error description: An unexpected problem occurred while checking
 for updates. For information on installing or troubleshooting updates, see Help
 and Support. 
 
 
< End of report >
 
Here's the aswMBR.txt log
 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2014-03-26 19:20:59
-----------------------------
19:20:59.803    OS Version: Windows 6.0.6002 Service Pack 2
19:20:59.803    Number of processors: 1 586 0x7F02
19:20:59.805    ComputerName: D-PC  UserName: d
19:21:00.363    Initialize success
19:21:10.779    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000051
19:21:10.782    Disk 0 Vendor: ST316081 4.AA Size: 152627MB BusType: 3
19:21:10.933    Disk 0 MBR read successfully
19:21:10.937    Disk 0 MBR scan
19:21:10.942    Disk 0 unknown MBR code
19:21:10.973    Disk 0 Partition 1 00     27 Hidden NTFS WinRE NTFS        13312 MB offset 2048
19:21:10.987    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS       139313 MB offset 27265024
19:21:11.002    Disk 0 scanning sectors +312579760
19:21:11.187    Disk 0 scanning C:\Windows\system32\drivers
19:21:17.441    Service scanning
19:21:22.278    Service MpKsl68b17769 c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{63131EAE-4662-4A5C-A8DB-D6CAB88CE14D}\MpKsl68b17769.sys **LOCKED** 32
19:21:30.811    Modules scanning
19:21:37.241    Disk 0 trace - called modules:
19:21:37.265    ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll storport.sys nvstor32.sys tcpip.sys NETIO.SYS 
19:21:37.275    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8565fac8]
19:21:37.284    3 CLASSPNP.SYS[875a28b3] -> nt!IofCallDriver -> [0x84c37688]
19:21:37.295    5 acpi.sys[806146bc] -> nt!IofCallDriver -> \Device\00000051[0x84c37920]
19:21:37.305    Scan finished successfully
19:21:46.883    Disk 0 MBR has been saved successfully to "C:\Users\d\Desktop\MBR.dat"
19:21:46.894    The log file has been saved successfully to "C:\Users\d\Desktop\aswMBR.txt"
 
Thanks again!!!
 
Frank
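The logs above are read by hand by the helper; as an added example (not part of OTL and not code posted by anyone in this thread), here is a small Python triage script that parses the Extras.txt firewall-rule lines and the PRC/SRV/DRV entry format used in the OTL.txt log, and flags what gets looked at first: firewall exceptions for executables in temp directories, services with no company name, and driver entries whose file no longer exists. The sample lines are taken from the logs quoted in this thread.

```python
"""Triage helper for the OTL log formats quoted in this thread.

Added example: this is not part of OTL and not code posted by anyone in the
thread. It parses two line formats and flags what a helper looks at first.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# A firewall exception for an executable living in a temp directory is a
# classic adware/PUP marker: installed software does not run from %TEMP%.
TEMP_DIR_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Extras.txt firewall rule:  "{GUID}" = dir=in | app=c:\path\file.exe |
FIREWALL_RE = re.compile(r'^"\{(?P<guid>[0-9A-Fa-f-]+)\}"\s*=\s*(?P<fields>.*)$')


@dataclass
class Finding:
    kind: str    # "FW" (firewall rule), "PRC", "SRV" or "DRV"
    path: str
    reason: str


def parse_firewall_rule(line: str) -> Optional[dict]:
    """Split one firewall-rule line into its key=value fields (dir, app, ...)."""
    m = FIREWALL_RE.match(line.strip())
    if not m:
        return None
    fields = {"guid": m.group("guid")}
    for part in m.group("fields").split("|"):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_otl_entry(line: str) -> Optional[dict]:
    """Parse an OTL.txt PRC/SRV/DRV line:  KIND - head -- path [-- (name)]."""
    line = line.strip()
    if line[:3] not in ("PRC", "SRV", "DRV") or " -- " not in line:
        return None
    head, rest = line.split(" -- ", 1)
    path, _, name = rest.partition(" -- ")
    # OTL prints the file's company name in parentheses right after the
    # [date | size | attrs] block; "()" means the binary has no version info.
    company = re.search(r"\]\s*\(([^)]*)\)", head)
    return {
        "kind": line[:3],
        "missing": "File not found" in head,
        "company": company.group(1).strip() if company else "",
        "path": path.strip(),
        "name": name.strip("() "),
    }


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for line in lines:
        rule = parse_firewall_rule(line)
        if rule is not None:
            app = rule.get("app", "").lower()
            if any(marker in app for marker in TEMP_DIR_MARKERS):
                findings.append(Finding("FW", rule["app"],
                    f"{rule.get('dir', '?')}bound firewall exception for an "
                    "executable in a temp directory"))
            continue
        entry = parse_otl_entry(line)
        if entry is None:
            continue
        if entry["kind"] == "DRV" and entry["missing"]:
            findings.append(Finding("DRV", entry["path"],
                f"orphaned driver service {entry['name']}: file not found "
                "(leftover registration from an uninstalled product)"))
        elif entry["kind"] in ("PRC", "SRV") and not entry["company"]:
            findings.append(Finding(entry["kind"], entry["path"],
                "running or set to auto-start with no company name"))
    return findings


# Sample lines taken from the logs quoted in this thread.
SAMPLE_LINES = [
    r'"{0CF50C69-945A-49E8-A7CF-C1BAF87EF373}" = dir=out | app=c:\users\d\appdata\local\temp\file_to_run55636.exe | ',
    r'"{91D86EF1-4FA2-403F-A5BC-45E62D4088C3}" = dir=in | app=c:\program files\itunes\itunes.exe | ',
    r'"{90B5D4D3-A8EA-4748-B865-A4BE92424BC8}" = dir=in | app=c:\windows\temp\file_to_run551726.exe | ',
    r"PRC - [2014/03/04 04:39:32 | 001,751,912 | ---- | M] (Search Module Ltd.) -- C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe",
    r"SRV - [2014/01/20 22:07:30 | 000,025,600 | ---- | M] () [Auto | Running] -- C:\Program Files\pcreg\pcreg.exe -- (pcregservice)",
    r"SRV - [2014/01/15 20:39:44 | 000,235,696 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe -- (McComponentHostService)",
    r"DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS -- (SRTSPX)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.kind}] {f.path}\n      {f.reason}")
```

A company name alone does not clear an entry: smu.exe carries one (Search Module Ltd.) and is still removed by the fix in this thread, so treat the output as a starting list to check against the installed-programs list, not a verdict.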

 


#4
godawgs

    Teacher

  • Retired Staff
  • 8,228 posts
Hi Frank,

Thanks for the logs. The 64-bit scan box wasn't there because this is a 32-bit system. The aswMBR scan ran just fine and it is clean.
I told you that there were remnants of the Norton antivirus program left on the system. The AVG 2013 program is listed in the installed programs list so it was once on the system but nothing shows up in the OTL log. We're gonna try to uninstall the AVG program. Since I don't see anything in the log you may get a message that the program can't be uninstalled and it may ask you if you want to remove it from the list. Tell it yes. Then we will run the removal tools for AVG and Norton.
You also have SpyBot S&D and MalwareBytes antimalware on the machine. You don't need both. We will uninstall SpyBot to make sure it doesn't interfere with our fixes and because we will be using MalwareBytes later on.

I see that HitmanPro is installed on the computer. This program has been known to render systems unbootable if a bad infection is present. Please don't use this program while we are cleaning the system.

It might be helpful to print these instructions or save them to a text file so you will have them when you are running the steps. It will also be helpful to download all of the files we need at one time. Then close the browser and all open windows.


Step-1.

A. Click here to download the AVG Remover tool and save it to the desktop.
B. Click here to download the Norton Removal Tool and save it to the desktop.
C. Click here and then click the Download Now @ BleepingComputer button to download AdwCleaner and save the file to the desktop.


Step-2

Uninstall Programs

1. Please click the Start Orb, click Control Panel. Under the Programs or Programs and Features heading click Uninstall a program
2. In the list of programs installed, locate the following program(s):

Java 6 Update 21
Java 6 Update 5
AVG 2013
Spybot - Search & Destroy
McAfee Security Scan Plus
ValueApps

3. Right click each program and click Uninstall
4. After the programs have been uninstalled, close the Installed Programs window and the Control Panel.
5. Reboot the computer.


Step-3

AVG Remover Tool:
  • Save all your work and close all documents! Your computer will be restarted during the procedure.
  • Double click the downloaded avg_remover_stf_x86_2012_2125.exe file to run it and follow the instructions displayed on your screen.
  • Your computer will be restarted automatically. After the restart, allow the tool to remove the remaining AVG files.
Step-4

Run the Norton Removal Tool

The Norton Removal Tool uninstalls Norton AntiVirus, Norton Internet Security, Norton 360, and Norton SystemWorks from your computer.
  • On the Windows desktop, double-click the Norton Removal Tool icon.
  • Follow the on-screen instructions.
  • Restart your computer.
  • Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.
Step-5.

OTL Fix

Please close all open windows and browsers.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

1. Please copy all of the text in the quote box below (do not copy the word Quote). To do this, highlight everything inside the quote box (except the word Quote), right click and click Copy.

    :COMMANDS
    [createrestorepoint]

    :OTL
    PRC - [2014/03/04 04:39:32 | 001,751,912 | ---- | M] (Search Module Ltd.) -- C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe
    PRC - [2014/01/20 22:07:30 | 000,025,600 | ---- | M] () -- C:\Program Files\pcreg\pcreg.exe
    SRV - [2014/03/04 04:39:32 | 001,751,912 | ---- | M] (Search Module Ltd.) [Auto | Running] -- C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe -- (SMUpd)
    SRV - [2014/01/20 22:07:30 | 000,025,600 | ---- | M] () [Auto | Running] -- C:\Program Files\pcreg\pcreg.exe -- (pcregservice)
    SRV - [2014/01/15 20:39:44 | 000,235,696 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe -- (McComponentHostService)
    DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS -- (SRTSPX)
    DRV - File not found [File_System | System | Stopped] -- C:\Windows\system32\drivers\NIS\1000000.07D\SRTSP.SYS -- (SRTSP)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVEX15.SYS -- (NAVEX15)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVENG.SYS -- (NAVENG)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll File not found
    FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)
    [2014/03/10 22:34:27 | 000,000,000 | ---D | M] ("iWebar") -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com
    [2014/03/25 16:49:25 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\staged
    [2014/03/23 15:19:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData
    [2014/03/23 15:19:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\plugins
    [2014/03/23 15:19:49 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\userCode
    O4 - HKLM..\Run: [EarthLink Installer] " /C File not found
    O4 - HKLM..\Run: [eRecoveryService] File not found
    O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
    O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
    O33 - MountPoints2\{a31009d3-82b8-11de-99db-001d72bb114f}\Shell - "" = AutoRun
    O33 - MountPoints2\{a31009d3-82b8-11de-99db-001d72bb114f}\Shell\AutoRun\command - "" = G:\DPFMate.exe
    O33 - MountPoints2\{e67ae022-d8d4-11e1-a592-001d72bb114f}\Shell - "" = AutoRun
    O33 - MountPoints2\{e67ae022-d8d4-11e1-a592-001d72bb114f}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\drivers\setup.exe
    [2014/03/10 21:25:50 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\ShopperPro
    [2014/03/10 21:25:50 | 000,000,000 | ---D | C] -- C:\ProgramData\SearchModule
    [2014/03/10 21:25:29 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Goobzo
    [2014/03/01 21:21:56 | 000,000,000 | ---D | C] -- C:\Program Files\pcreg
    [2014/02/28 20:00:12 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Roaming\uTorrent
    [2014/03/26 19:00:35 | 000,000,466 | ---- | M] () -- C:\Windows\tasks\Online Backup Update Notifier.job
    [2014/03/26 18:50:32 | 000,000,270 | ---- | M] () -- C:\Windows\tasks\pcreg.job
    [2014/03/13 21:18:17 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At1.job
    [2013/09/20 07:58:19 | 000,000,000 | -HSD | M] -- C:\Users\d\AppData\Roaming\dwthtiwg
    [2013/05/26 15:05:18 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\TuneUp Software
    [2013/06/10 10:01:38 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\TuneUp Software
    [2013/06/10 10:01:38 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\TuneUp Software

    :REG
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0CF50C69-945A-49E8-A7CF-C1BAF87EF373}" = -
    "{1FAF5641-7F8B-4459-9FF0-D8916FF597F3}" = -
    "{478070A1-87CE-4CE5-8463-4628B1759C1F}" = -
    "{51449D6A-8097-4E64-94BF-0CEC936F4020}" = -
    "{70A09165-B145-4F88-ADA6-D79C207A6704}" = -
    "{83D6A168-8BA0-4254-9F3B-768968C6EB7D}" = -
    "{90B5D4D3-A8EA-4748-B865-A4BE92424BC8}" = -
    "{A8D3249B-3A66-41A7-9170-99C578DE77A3}" = -
    "{C20854BE-EE88-4BC0-BE61-0E7950B974A7}" = -
    "{C2B3BD1B-B297-41CD-B2C6-0F77B9824CC2}" = -
    "{CD3BE919-BF98-43C3-8C53-E95F345EC4D7}" = -
    "{EE213794-1CF2-41B7-9F9D-B926C2831352}" = -
    "{FA15F526-CE0B-4726-8BEA-3BB47978D267}" = -
    "{FA936468-DB32-4AF4-9A9F-70F80B6A3649}" = -

    :FILES
    ipconfig /flushdns /c
    netsh advfirewall reset /c
    netsh advfirewall set allprofiles state ON /c
    C:\Program Files\Common Files\Goobzo
    C:\Program Files\McAfee Security Scan
    C:\ProgramData\Norton
    C:\Program Files\Spybot - Search & Destroy
    c:\users\d\appdata\local\temp\file_to_run55636.exe
    c:\users\d\appdata\local\temp\speedmax.exe
    c:\users\d\appdata\local\temp\file_to_run551629.exe
    c:\windows\temp\file_to_run551726.exe
    c:\users\d\appdata\local\temp\file_to_run55728.exe
    c:\windows\temp\file_to_run551726.exe

    :COMMANDS
    [emptytemp]

Warning: This fix is relevant for this system and no other. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

2. Please re-open OTL on your desktop. To do that:
• Vista and 7 users: Right click the icon and click Run as Administrator
3. Place the mouse pointer inside the Custom Scans/Fixes textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Run Fix button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the OK button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).
Step-6.

AdwCleaner by Xplode

Close all open windows and browsers.
  • Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above the progress bar you will see Pending. Please uncheck elements you don't want to remove. Please don't delete anything at this time.
  • Click the Report button to get the log.
  • Copy and Paste it into your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[R0].txt.
  • Click the X in the upper right corner of the program or click the File menu and click Exit to close the program.
  • NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.


Things For Your Next Post:
Please post the logs in the order requested. Please don't attach the logs unless I request it.
1. Let me know how the uninstalls went.
2. The OTL fixes log
3. The AdwCleaner[R0].txt log


#5
frobey

    Member

  • Topic Starter
  • Member
  • 67 posts

Good morning,

AVG 2013 did not appear in the Programs window so I couldn't uninstall it.

I got the following error message when I tried to uninstall Spybot:

Service "SBSD Security Center Service" failed to uninstall with error: "System Error Code:1060. The specified service does not exist as an installed service"

I'm noticing that the hard drive in the computer is constantly running since we started this process...

Here is the OTL log:

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Process smu.exe killed successfully!
Process pcreg.exe killed successfully!
Service SMUpd stopped successfully!
Service SMUpd deleted successfully!
C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe moved successfully.
Service pcregservice stopped successfully!
Service pcregservice deleted successfully!
C:\Program Files\pcreg\pcreg.exe moved successfully.
Error: No service named McComponentHostService was found to stop!
Service\Driver key McComponentHostService not found.
File C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe not found.
Error: No service named SRTSPX was found to stop!
Service\Driver key SRTSPX not found.
File C:\Windows\system32\drivers\NIS\1000000.07D\SRTSPX.SYS not found.
Error: No service named SRTSP was found to stop!
Service\Driver key SRTSP not found.
File C:\Windows\system32\drivers\NIS\1000000.07D\SRTSP.SYS not found.
Error: No service named NAVEX15 was found to stop!
Service\Driver key NAVEX15 not found.
File C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVEX15.SYS not found.
Error: No service named NAVENG was found to stop!
Service\Driver key NAVENG not found.
File C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20080829.024\NAVENG.SYS not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin\ not found.
File C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll not found.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\skin folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\locale\en-US folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\locale folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\userCode folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\plugins folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\defaults\preferences folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\defaults folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\chrome\content\core folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\chrome\content\api folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\chrome\content folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\chrome folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\staged\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com folder moved successfully.
C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\staged folder moved successfully.
Folder C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\ not found.
Folder C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\plugins\ not found.
Folder C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\userCode\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\EarthLink Installer deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\eRecoveryService deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\ not found.
File C:\Program Files\Spybot - Search & Destroy\SDHelper.dll not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a31009d3-82b8-11de-99db-001d72bb114f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a31009d3-82b8-11de-99db-001d72bb114f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a31009d3-82b8-11de-99db-001d72bb114f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a31009d3-82b8-11de-99db-001d72bb114f}\ not found.
File G:\DPFMate.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e67ae022-d8d4-11e1-a592-001d72bb114f}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e67ae022-d8d4-11e1-a592-001d72bb114f}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e67ae022-d8d4-11e1-a592-001d72bb114f}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e67ae022-d8d4-11e1-a592-001d72bb114f}\ not found.
File C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL G:\drivers\setup.exe not found.
C:\Users\Public\Documents\ShopperPro\JsDriver folder moved successfully.
C:\Users\Public\Documents\ShopperPro folder moved successfully.
C:\ProgramData\SearchModule folder moved successfully.
C:\Program Files\Common Files\Goobzo\GBUpdate folder moved successfully.
C:\Program Files\Common Files\Goobzo folder moved successfully.
C:\Program Files\pcreg folder moved successfully.
C:\Users\d\AppData\Roaming\uTorrent folder moved successfully.
C:\Windows\Tasks\Online Backup Update Notifier.job moved successfully.
C:\Windows\Tasks\pcreg.job moved successfully.
C:\Windows\Tasks\At1.job moved successfully.
Folder C:\Users\d\AppData\Roaming\dwthtiwg\ not found.
C:\Users\d\AppData\Roaming\TuneUp Software\TU2012\Backups folder moved successfully.
C:\Users\d\AppData\Roaming\TuneUp Software\TU2012 folder moved successfully.
C:\Users\d\AppData\Roaming\TuneUp Software folder moved successfully.
C:\Users\Default\AppData\Roaming\TuneUp Software\TU2012\Backups folder moved successfully.
C:\Users\Default\AppData\Roaming\TuneUp Software\TU2012 folder moved successfully.
C:\Users\Default\AppData\Roaming\TuneUp Software folder moved successfully.
Folder C:\Users\Default User\AppData\Roaming\TuneUp Software\ not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0CF50C69-945A-49E8-A7CF-C1BAF87EF373} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CF50C69-945A-49E8-A7CF-C1BAF87EF373}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1FAF5641-7F8B-4459-9FF0-D8916FF597F3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1FAF5641-7F8B-4459-9FF0-D8916FF597F3}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{478070A1-87CE-4CE5-8463-4628B1759C1F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{478070A1-87CE-4CE5-8463-4628B1759C1F}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{51449D6A-8097-4E64-94BF-0CEC936F4020} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{51449D6A-8097-4E64-94BF-0CEC936F4020}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{70A09165-B145-4F88-ADA6-D79C207A6704} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{70A09165-B145-4F88-ADA6-D79C207A6704}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{83D6A168-8BA0-4254-9F3B-768968C6EB7D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83D6A168-8BA0-4254-9F3B-768968C6EB7D}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{90B5D4D3-A8EA-4748-B865-A4BE92424BC8} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90B5D4D3-A8EA-4748-B865-A4BE92424BC8}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A8D3249B-3A66-41A7-9170-99C578DE77A3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A8D3249B-3A66-41A7-9170-99C578DE77A3}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C20854BE-EE88-4BC0-BE61-0E7950B974A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C20854BE-EE88-4BC0-BE61-0E7950B974A7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C2B3BD1B-B297-41CD-B2C6-0F77B9824CC2} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2B3BD1B-B297-41CD-B2C6-0F77B9824CC2}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CD3BE919-BF98-43C3-8C53-E95F345EC4D7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CD3BE919-BF98-43C3-8C53-E95F345EC4D7}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EE213794-1CF2-41B7-9F9D-B926C2831352} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EE213794-1CF2-41B7-9F9D-B926C2831352}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FA15F526-CE0B-4726-8BEA-3BB47978D267} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FA15F526-CE0B-4726-8BEA-3BB47978D267}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FA936468-DB32-4AF4-9A9F-70F80B6A3649} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FA936468-DB32-4AF4-9A9F-70F80B6A3649}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\d\Desktop\cmd.bat deleted successfully.
C:\Users\d\Desktop\cmd.txt deleted successfully.
< netsh advfirewall reset /c >
Ok.
C:\Users\d\Desktop\cmd.bat deleted successfully.
C:\Users\d\Desktop\cmd.txt deleted successfully.
< netsh advfirewall set allprofiles state ON /c >
Ok.
C:\Users\d\Desktop\cmd.bat deleted successfully.
C:\Users\d\Desktop\cmd.txt deleted successfully.
File\Folder C:\Program Files\Common Files\Goobzo not found.
File\Folder C:\Program Files\McAfee Security Scan not found.
C:\ProgramData\Norton folder moved successfully.
C:\Program Files\Spybot - Search & Destroy folder moved successfully.
File\Folder c:\users\d\appdata\local\temp\file_to_run55636.exe not found.
File\Folder c:\users\d\appdata\local\temp\speedmax.exe not found.
File\Folder c:\users\d\appdata\local\temp\file_to_run551629.exe not found.
File\Folder c:\windows\temp\file_to_run551726.exe not found.
File\Folder c:\users\d\appdata\local\temp\file_to_run55728.exe not found.
File\Folder c:\windows\temp\file_to_run551726.exe not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: d
->Temp folder emptied: 26870365 bytes
->Temporary Internet Files folder emptied: 31620723 bytes
->Java cache emptied: 1422101 bytes
->FireFox cache emptied: 39833633 bytes
->Flash cache emptied: 3807914 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1319412 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 155440 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 100.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 03272014_090513
 
Files\Folders moved on Reboot...
 
PendingFileRenameOperations files...
 
Registry entries deleted on Reboot...
 
Here is the AdwCleaner report:

# AdwCleaner v3.022 - Report created 27/03/2014 at 09:23:21
# Updated 13/03/2014 by Xplode
# Operating System : Windows Vista ™ Home Basic Service Pack 2 (32 bits)
# Username : d - D-PC
# Running from : C:\Users\d\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{7F4EFF06-7032-458E-AE16-1C1D8255C28A}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16540
 
 
-\\ Mozilla Firefox v27.0.1 (en-US)
 
*************************
 
AdwCleaner[R0].txt - [7435 octets] - [23/03/2014 15:23:55]
AdwCleaner[R1].txt - [698 octets] - [27/03/2014 09:23:21]
AdwCleaner[S0].txt - [7698 octets] - [23/03/2014 15:26:06]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [817 octets] ##########
 
Thanks!!!

Frank
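As an added example (not code from the thread, from OTL or from the forum helper), here is a small Python parser for the fix-log format OTL produced above from the script in the helper's post. It sorts each log line into removed / stopped / not-found per category (process, service, registry, folder, file) so a helper can see at a glance which fix targets were actually touched and which were already absent; the sample is an excerpt of the log above, and the CLSID-probe filter in absent_targets is my own assumption about what counts as noise.

```python
import re
from collections import Counter

# Section headers look like "========== OTL ==========".
SECTION_RE = re.compile(r"^=+ (?P<name>[A-Z]+) =+$")

# One (category, outcome, pattern) per line shape OTL writes in a fix log.
# Order matters: the specific shapes (process, service, registry, folder)
# must be tried before the generic "<path> moved/deleted successfully." one.
LINE_PATTERNS = [
    ("process",  "removed",   re.compile(r"^Process (?P<item>.+) killed successfully!$")),
    ("service",  "stopped",   re.compile(r"^Service (?P<item>.+) stopped successfully!$")),
    ("service",  "removed",   re.compile(r"^Service (?P<item>.+) deleted successfully!$")),
    ("service",  "not_found", re.compile(r"^Error: No service named (?P<item>.+) was found to stop!$")),
    ("service",  "not_found", re.compile(r"^Service\\Driver key (?P<item>.+) not found\.$")),
    ("registry", "removed",   re.compile(r"^Registry (?:key|value) (?P<item>.+) deleted successfully\.$")),
    ("registry", "not_found", re.compile(r"^Registry (?:key|value) (?P<item>.+) not found\.$")),
    ("folder",   "removed",   re.compile(r"^(?P<item>.+) folder moved successfully\.$")),
    ("folder",   "not_found", re.compile(r"^Folder (?P<item>.+) not found\.$")),
    ("file",     "removed",   re.compile(r"^(?P<item>.+) (?:moved|deleted) successfully\.$")),
    ("file",     "not_found", re.compile(r"^File(?:\\Folder)? (?P<item>.+) not found\.$")),
]

# OTL logs a probe of HKLM\SOFTWARE\Classes\CLSID\{guid} after every GUID it
# deletes (visible in the thread's log); a "not found" there is expected noise.
# Treating it as noise is this example's assumption, not documented OTL behaviour.
CLSID_PROBE = re.compile(r"\\Classes\\CLSID\\\{", re.IGNORECASE)


def parse_otl_fix_log(text):
    """Split an OTL fix log into (section, category, outcome, item) records.

    Lines that match no known shape (command echoes, the restore-point notice,
    the EMPTYTEMP byte counts) are returned separately so nothing is lost.
    """
    records, unparsed = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()  # also drops the NBSP the forum software inserts
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        for category, outcome, pattern in LINE_PATTERNS:
            match = pattern.match(line)
            if match:
                records.append((section, category, outcome, match.group("item")))
                break
        else:
            unparsed.append((section, line))
    return records, unparsed


def absent_targets(records, ignore_clsid_probes=True):
    """Targets OTL looked for but could not find.

    Either the item was already gone (e.g. removed by an uninstall earlier in
    the same session) or the fix line should be rechecked against a fresh scan.
    """
    absent = []
    for _section, category, outcome, item in records:
        if outcome != "not_found":
            continue
        if ignore_clsid_probes and category == "registry" and CLSID_PROBE.search(item):
            continue
        absent.append((category, item))
    return absent


def summarize(text):
    """Per-category tally plus the removed and absent item lists."""
    records, unparsed = parse_otl_fix_log(text)
    return {
        "counts": Counter((cat, outcome) for _s, cat, outcome, _i in records),
        "removed": [(cat, item) for _s, cat, outcome, item in records if outcome == "removed"],
        "absent": absent_targets(records),
        "unparsed": unparsed,
    }


# Excerpt of the OTL fix log posted in this thread, trimmed to a few lines per section.
SAMPLE_LOG = r"""
All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
Process smu.exe killed successfully!
Service SMUpd stopped successfully!
Service SMUpd deleted successfully!
C:\Program Files\Common Files\Goobzo\GBUpdate\smu.exe moved successfully.
Error: No service named McComponentHostService was found to stop!
Service\Driver key McComponentHostService not found.
File C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\EarthLink Installer deleted successfully.
C:\ProgramData\SearchModule folder moved successfully.
Folder C:\Users\d\AppData\Roaming\dwthtiwg\ not found.
C:\Windows\Tasks\pcreg.job moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0CF50C69-945A-49E8-A7CF-C1BAF87EF373} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CF50C69-945A-49E8-A7CF-C1BAF87EF373}\ not found.
========== FILES ==========
< ipconfig /flushdns /c >
Successfully flushed the DNS Resolver Cache.
C:\Users\d\Desktop\cmd.bat deleted successfully.
File\Folder c:\users\d\appdata\local\temp\speedmax.exe not found.
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (category, outcome), n in sorted(result["counts"].items()):
        print(f"{category:9s} {outcome:10s} {n}")
    print("absent targets:")
    for category, item in result["absent"]:
        print(f"  [{category}] {item}")
```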

 



#6
godawgs

    Teacher

  • Retired Staff
  • 8,228 posts

Did the Spybot program uninstall or is it still on the system?


Step 1.

Re-run AdwCleaner

Close all open windows and browsers.

Re-open AdwCleaner

  • Double click the AdwCleaner icon to run AdwCleaner. (Vista and 7 users) Right click the AdwCleaner icon, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  • Click the Scan button and wait for the scan to complete.
  • When the Scan has finished the Scan button will be grayed out and the Clean button will be activated.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.
  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

 

Step 2.

Scan with JRT:

Please download Junkware Removal Tool to your desktop.

NOTE: Temporarily shut down your protection software now to avoid potential conflicts, how to do so can be read here.

  • Right click the JRT icon and click Run as Administrator to run the application.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

NOTE: Reboot the machine and ensure that all security software is now enabled.

Step 3.

Run OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 

 

Things For Your Next Post:
Please post the logs in the order requested. Please don't attach the logs unless I request it.
1. Answer my question above.
2. The AdwCleaner[S0].txt log
3. The JRT.txt log
4. The new OTL.txt log
 



#7
frobey

    Member

  • Topic Starter
  • Member
  • 67 posts

Hi,

Spybot appears to be gone, I don't see it in Control Panel -> Programs or under Start -> Programs...

Here is the AdwCleaner log file:

# AdwCleaner v3.022 - Report created 27/03/2014 at 17:29:03
# Updated 13/03/2014 by Xplode
# Operating System : Windows Vista ™ Home Basic Service Pack 2 (32 bits)
# Username : d - D-PC
# Running from : C:\Users\d\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{7F4EFF06-7032-458E-AE16-1C1D8255C28A}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v9.0.8112.16540
 
 
-\\ Mozilla Firefox v27.0.1 (en-US)
 
*************************
 
AdwCleaner[R0].txt - [7435 octets] - [23/03/2014 15:23:55]
AdwCleaner[R1].txt - [896 octets] - [27/03/2014 09:23:21]
AdwCleaner[R2].txt - [955 octets] - [27/03/2014 17:27:57]
AdwCleaner[S0].txt - [7698 octets] - [23/03/2014 15:26:06]
AdwCleaner[S1].txt - [879 octets] - [27/03/2014 17:29:03]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [938 octets] ##########
 
JRT log file
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.3 (03.23.2014:1)
OS: Windows Vista ™ Home Basic x86
Ran by d on Thu 03/27/2014 at 17:39:23.84
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 03/27/2014 at 17:42:40.82
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
OTL log file
 

OTL logfile created on: 3/27/2014 5:49:17 PM - Run 3
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Users\d\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
1.75 Gb Total Physical Memory | 0.88 Gb Available Physical Memory | 50.25% Memory free
3.74 Gb Paging File | 2.70 Gb Available in Paging File | 72.10% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.05 Gb Total Space | 77.47 Gb Free Space | 56.94% Space Free | Partition Type: NTFS
Drive G: | 29.81 Gb Total Space | 29.65 Gb Free Space | 99.47% Space Free | Partition Type: FAT32
 
Computer Name: D-PC | User Name: d | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - [2014/03/25 16:49:20 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\d\Desktop\OTL (1).exe
PRC - [2013/10/23 16:01:10 | 000,280,288 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\NisSrv.exe
PRC - [2013/10/23 16:01:10 | 000,022,208 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/10/23 15:55:28 | 000,948,440 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2013/08/15 16:40:38 | 000,045,464 | ---- | M] (Malwarebytes Secure Backup) -- C:\Program Files\Malwarebytes Secure Backup\SUpdateNotifier.exe
PRC - [2013/08/15 16:40:32 | 000,064,408 | ---- | M] (Malwarebytes Secure Backup) -- C:\Program Files\Malwarebytes Secure Backup\SMessaging.exe
PRC - [2013/08/15 16:40:32 | 000,039,832 | ---- | M] (Malwarebytes Secure Backup) -- C:\Program Files\Malwarebytes Secure Backup\SAgent.Service.exe
PRC - [2013/08/15 16:40:24 | 000,090,520 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes Secure Backup\mbsbscan.exe
PRC - [2013/08/06 17:33:16 | 003,291,008 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2013/04/04 14:50:32 | 000,532,040 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/06/11 14:18:30 | 000,024,576 | ---- | M] () -- C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
PRC - [2007/12/10 23:15:04 | 000,012,800 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
 
 
========== Modules (No Company Name) ==========
 
MOD - [2014/02/16 08:41:06 | 000,978,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\d17ceca243fabda73eefb21d9bd072df\System.Configuration.ni.dll
MOD - [2014/02/14 10:37:21 | 005,462,016 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f87e71868aedbc6c4e8fe7160d17c4ab\System.Xml.ni.dll
MOD - [2014/02/14 10:34:43 | 012,434,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d2b605fc7deda872727d1ed37710420e\System.Windows.Forms.ni.dll
MOD - [2014/02/14 10:22:40 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\8e6265a54260bddfc05951e764f5bc48\System.Drawing.ni.dll
MOD - [2014/02/14 10:21:15 | 002,295,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\bd996f730710dbbac36cba28f7214b29\System.Core.ni.dll
MOD - [2014/02/14 10:19:49 | 007,977,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\957628d9dd7b3bf370a56dca7835a997\System.ni.dll
MOD - [2014/02/14 10:19:36 | 011,497,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\694a37a84dee2cd2609a1dfab27c0433\mscorlib.ni.dll
 
 
========== Services (SafeList) ==========
 
SRV - [2014/03/12 11:08:29 | 000,257,928 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2014/02/12 20:36:33 | 000,118,896 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2013/10/23 16:01:10 | 000,280,288 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/10/23 16:01:10 | 000,022,208 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013/10/23 09:15:08 | 000,172,192 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013/08/15 16:40:32 | 000,039,832 | ---- | M] (Malwarebytes Secure Backup) [Auto | Running] -- C:\Program Files\Malwarebytes Secure Backup\SAgent.Service.exe -- (sagentservice)
SRV - [2013/08/06 17:33:16 | 003,291,008 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2013/04/04 14:50:32 | 000,701,512 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008/06/11 14:18:30 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe -- (ETService)
SRV - [2008/01/20 22:33:00 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/12/10 23:15:04 | 000,012,800 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
 
 
========== Driver Services (SafeList) ==========
 
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys -- (SMUpdd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys -- (esgiguard)
DRV - [2014/03/27 17:46:21 | 000,040,776 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2013/09/27 10:53:06 | 000,104,768 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2013/04/04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2013/02/19 21:32:54 | 010,919,200 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010/08/12 12:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVNET)
DRV - [2010/08/12 12:07:50 | 000,292,712 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2008/06/11 14:13:24 | 000,015,392 | ---- | M] (Acer, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)
DRV - [2008/06/06 07:13:10 | 000,145,440 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\nvstor32.sys -- (nvstor32)
DRV - [2008/03/07 19:31:52 | 000,062,570 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\jl2005c.sys -- (JL2005C)
DRV - [2008/03/05 01:10:54 | 001,203,808 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emac...=0509&m=el1300g
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,NewTabPageShow = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...ms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252}: "URL" = http://www.google.co...utputEncoding?}
 
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emac...=0509&m=el1300g
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,NewTabPageShow = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com
IE - HKCU\..\SearchScopes,DefaultScope = 
IE - HKCU\..\SearchScopes\{483D440A-3A50-459C-93F3-2FCD071459AF}: "URL" = http://www.bing.com/...rc=IE-SearchBox
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js - File not found
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.51.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@lightspark.github.com/Lightspark;version=1: C:\Program Files\Lightspark 0.5.3-git\nplightsparkplugin.dll File not found
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 27.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/12/24 11:34:42 | 000,000,000 | ---D | M]
 
[2009/07/29 16:29:21 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Extensions
[2014/03/27 09:05:54 | 000,000,000 | ---D | M] (No name found) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions
[2010/07/24 07:15:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/23 10:09:46 | 000,001,840 | ---- | M] () -- C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\searchplugins\bing.xml
[2014/02/17 19:46:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/08/14 08:01:50 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2014/02/17 19:46:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/08/14 08:01:50 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2014/02/17 19:46:34 | 000,000,000 | ---D | M] (Default) -- C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
Hosts file not found
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SMessaging] C:\Program Files\Malwarebytes Secure Backup\SMessaging.exe (Malwarebytes Secure Backup)
O4 - HKLM..\Run: [SOSUAUI] C:\Program Files\Malwarebytes Secure Backup\sosuploadagent.exe (Malwarebytes Secure Backup)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - Startup: C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2 ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HideSCAHealth = 1
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 10.51.2)
O16 - DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_51)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.7.0_51)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8058310F-B522-4D7E-AD42-BB5315D9B153}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img25.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img25.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 17:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2012/11/27 18:30:30 | 000,000,100 | ---- | M] () - G:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2012/11/27 18:30:30 | 000,000,204 | ---- | M] () - G:\autorun.inf -- [ FAT32 ]
O32 - AutoRun File - [2012/11/27 18:30:30 | 000,017,542 | ---- | M] () - G:\autorun.ico -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2014/03/27 17:33:55 | 001,038,974 | ---- | C] (Thisisu) -- C:\Users\d\Desktop\JRT.exe
[2014/03/27 09:05:13 | 000,000,000 | ---D | C] -- C:\_OTL
[2014/03/27 08:44:02 | 001,973,368 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Users\d\Desktop\avg_remover_stf_x86_2012_2125.exe
[2014/03/27 08:30:20 | 003,386,520 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Users\d\Desktop\avg_remover_stf_x86_2014_4116.exe
[2014/03/26 18:58:21 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\d\Desktop\OTL (1).exe
[2014/03/26 18:58:09 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Users\d\Desktop\aswmbr (1).exe
[2014/03/26 18:50:57 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2014/03/23 17:50:14 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2014/03/23 17:36:44 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2014/03/23 17:34:44 | 009,988,304 | ---- | C] (SurfRight B.V.) -- C:\Users\d\Desktop\HitmanPro.exe
[2014/03/23 16:16:05 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\ElevatedDiagnostics
[2014/03/23 15:55:31 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/03/23 15:23:50 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/03/23 14:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Microsoft
[2014/03/23 14:27:20 | 000,000,000 | ---D | C] -- C:\Program Files\Adware-Removal-Tool
[2014/03/19 08:52:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Oracle
[2014/03/19 08:51:38 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
[2014/03/11 09:02:09 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2014/03/11 08:43:17 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2014/03/10 21:25:56 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\Installer
[2014/03/10 21:25:31 | 000,000,000 | ---D | C] -- C:\Program Files\YTDownloader
[2014/03/10 21:24:25 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\CrashRpt
[2014/03/06 18:32:08 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\Kobo
[2014/03/06 18:31:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Kobo
[2014/03/03 20:23:06 | 000,000,000 | ---D | C] -- C:\temp
[2014/03/02 08:44:02 | 000,000,000 | ---D | C] -- C:\Program Files\runonce
[2014/03/01 21:25:10 | 000,000,000 | ---D | C] -- C:\Windows\tmp
[2014/03/01 21:21:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Real
[2014/03/01 21:19:03 | 000,000,000 | ---D | C] -- C:\Program Files\Kobo
[2014/02/28 22:47:42 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Roaming\SharePod
[2014/02/28 21:52:12 | 000,000,000 | ---D | C] -- C:\Windows\System32\DRVSTORE
[2014/02/28 21:49:15 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2014/02/28 21:49:05 | 000,000,000 | ---D | C] -- C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
[2014/02/28 20:06:16 | 000,000,000 | R--D | C] -- C:\Users\d\Downloads
[2014/02/28 19:51:22 | 000,000,000 | ---D | C] -- C:\Program Files\Adblock Plus for IE
[2014/02/28 19:51:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Package Cache
[2014/02/28 18:51:27 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2014/02/28 08:32:17 | 000,000,000 | ---D | C] -- C:\Users\d\AppData\Local\Skype
[2014/02/28 08:32:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
[2014/02/28 08:32:00 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Skype
[2014/02/28 05:40:45 | 000,000,000 | ---D | C] -- C:\Windows\Migration
 
========== Files - Modified Within 30 Days ==========
 
[2014/03/27 17:46:39 | 000,004,784 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2014/03/27 17:46:39 | 000,004,784 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2014/03/27 17:46:21 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2014/03/27 17:46:00 | 000,000,000 | ---- | M] () -- C:\Windows\System32\LogConfigTemp.xml
[2014/03/27 17:45:46 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/03/27 17:45:42 | 1877,446,656 | -HS- | M] () -- C:\hiberfil.sys
[2014/03/27 17:36:42 | 000,655,380 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/03/27 17:36:42 | 000,124,006 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/03/27 17:30:26 | 001,038,974 | ---- | M] (Thisisu) -- C:\Users\d\Desktop\JRT.exe
[2014/03/27 09:08:29 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/03/27 08:46:29 | 000,001,101 | ---- | M] () -- C:\Users\d\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2014/03/27 08:41:02 | 001,973,368 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Users\d\Desktop\avg_remover_stf_x86_2012_2125.exe
[2014/03/27 08:25:30 | 003,386,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Users\d\Desktop\avg_remover_stf_x86_2014_4116.exe
[2014/03/27 08:24:38 | 000,869,456 | ---- | M] () -- C:\Users\d\Desktop\Norton_Removal_Tool.exe
[2014/03/27 08:24:26 | 001,950,720 | ---- | M] () -- C:\Users\d\Desktop\AdwCleaner.exe
[2014/03/26 19:21:46 | 000,000,512 | ---- | M] () -- C:\Users\d\Desktop\MBR.dat
[2014/03/26 18:56:16 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Users\d\Desktop\aswmbr (1).exe
[2014/03/25 16:49:20 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\d\Desktop\OTL (1).exe
[2014/03/23 17:50:14 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2014/03/23 17:35:47 | 009,988,304 | ---- | M] (SurfRight B.V.) -- C:\Users\d\Desktop\HitmanPro.exe
[2014/03/19 08:44:54 | 000,714,464 | ---- | M] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8(1).exe
[2014/03/19 08:42:12 | 000,108,944 | ---- | M] () -- C:\Users\d\Desktop\Java.exe
[2014/03/19 08:37:22 | 000,714,464 | ---- | M] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8.exe
[2014/03/13 19:06:15 | 000,000,680 | ---- | M] () -- C:\Users\d\AppData\Local\d3d9caps.dat
[2014/03/13 19:02:55 | 000,304,040 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2014/03/11 18:45:15 | 000,000,258 | RHS- | M] () -- C:\ProgramData\ntuser.pol
[2014/03/10 21:26:10 | 000,001,696 | ---- | M] () -- C:\Users\d\Desktop\YTDownloader.lnk
[2014/03/06 18:31:54 | 000,000,762 | ---- | M] () -- C:\Users\Public\Desktop\Kobo.lnk
[2014/03/01 21:18:52 | 026,017,384 | ---- | M] () -- C:\Users\d\Desktop\kobo-setup.exe
[2014/02/28 08:32:01 | 000,001,878 | ---- | M] () -- C:\Users\Public\Desktop\Skype.lnk
 
========== Files Created - No Company Name ==========
 
[2014/03/27 08:35:55 | 000,000,426 | ---- | C] () -- C:\AVScanner.ini
[2014/03/27 08:30:20 | 001,950,720 | ---- | C] () -- C:\Users\d\Desktop\AdwCleaner.exe
[2014/03/27 08:30:20 | 000,869,456 | ---- | C] () -- C:\Users\d\Desktop\Norton_Removal_Tool.exe
[2014/03/26 19:21:46 | 000,000,512 | ---- | C] () -- C:\Users\d\Desktop\MBR.dat
[2014/03/23 17:08:56 | 1877,446,656 | -HS- | C] () -- C:\hiberfil.sys
[2014/03/19 08:44:11 | 000,714,464 | ---- | C] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8(1).exe
[2014/03/19 08:42:03 | 000,108,944 | ---- | C] () -- C:\Users\d\Desktop\Java.exe
[2014/03/19 08:36:55 | 000,714,464 | ---- | C] () -- C:\Users\d\Desktop\Adware-Removal-Tool-v3.8.exe
[2014/03/11 07:00:30 | 000,001,113 | ---- | C] () -- C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
[2014/03/10 21:26:10 | 000,001,696 | ---- | C] () -- C:\Users\d\Desktop\YTDownloader.lnk
[2014/03/06 18:31:54 | 000,000,762 | ---- | C] () -- C:\Users\Public\Desktop\Kobo.lnk
[2014/03/03 09:12:06 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2014/03/01 21:17:47 | 026,017,384 | ---- | C] () -- C:\Users\d\Desktop\kobo-setup.exe
[2014/02/28 08:32:01 | 000,001,878 | ---- | C] () -- C:\Users\Public\Desktop\Skype.lnk
[2012/04/15 18:02:51 | 000,000,316 | ---- | C] () -- C:\Users\d\AppData\Roaming\wklnhst.dat
[2010/11/09 20:59:28 | 000,029,239 | ---- | C] () -- C:\Users\d\AppData\Roaming\UserTile.png
[2010/08/31 06:46:48 | 000,000,680 | ---- | C] () -- C:\Users\d\AppData\Local\d3d9caps.dat
[2009/08/04 20:18:22 | 000,032,768 | ---- | C] () -- C:\Users\d\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
 
========== ZeroAccess Check ==========
 
[2006/11/02 08:51:16 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 13:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 02:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 02:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
========== LOP Check ==========
 
[2012/08/07 00:31:18 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\.minecraft
[2013/09/20 07:58:19 | 000,000,000 | -HSD | M] -- C:\Users\d\AppData\Roaming\dwthtiwg
[2010/11/09 20:59:27 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\PeerNetworking
[2014/02/28 22:47:42 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\SharePod
[2012/04/15 18:07:42 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\Template
[2012/10/05 07:12:38 | 000,000,000 | ---D | M] -- C:\Users\d\AppData\Roaming\Windows Live Writer
 
========== Purity Check ==========
 
 
 
========== Alternate Data Streams ==========
 
@Alternate Data Stream - 147 bytes -> C:\ProgramData\Temp:AD022376
@Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:373E1720
 
< End of report >
 
Thanks!!
 
Frank

 

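As an added example (not code from the thread or from OTL), here is a small Python triage helper for the OTL line shapes in the log above: it lists driver services whose file is missing (the Goobzo and SpyHunter leftovers in the log are of that kind), Internet Explorer home/search values whose host is not one the owner set, and Run entries with no company name. The expected hosts and the www-search.net and [Updater] sample lines are assumptions constructed for this example.

```python
"""Triage helper for OTL-style log lines.

Added example for this thread, not part of OTL or of any post: it parses the
three line shapes the log shows (DRV, IE, O4) and pulls out what a helper
reads first. The expected home-page hosts are an assumption of this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample: the first three lines are copied from the OTL log; the
# remaining lines are made up in the same shapes to exercise every check.
SAMPLE_LOG = r"""
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys -- (SMUpdd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2013/04/04 14:50:32 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www-search.net/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Updater] C:\Users\d\AppData\Local\Temp\example.exe ()
"""

# "DRV - File not found [...] -- <path> -- (<service>)": the service is still
# registered but its binary is gone, typically a leftover from an uninstall.
DRV_MISSING_RE = re.compile(
    r"^DRV - File not found \[(?P<type>[^|\]]+?) \| (?P<start>[^|\]]+?) \| "
    r"(?P<state>[^\]]+?)\] -- (?P<path>.+?) -- \((?P<name>[^)]+)\)$"
)
# "IE - <hive>\<key>,<value> = <data>" and the SearchScopes / Internet
# Settings form "IE - <hive>\<key>: "<value>" = <data>".
IE_RE = re.compile(
    r'^IE - (?P<hive>HK[A-Z]+)\\(?P<key>.+?)(?:,|: ")(?P<value>[^="]+?)"?\s*=\s*(?P<data>.*)$'
)
# "O4 - <hive>..\Run: [<name>] <path> (<company>)"; OTL prints "()" when the
# binary carries no company name, which is worth a second look.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>[^)]*)\)$"
)

# Assumption: the hosts the owner actually set as home and search pages.
EXPECTED_HOSTS = frozenset({"www.bing.com", "www.google.com"})


@dataclass
class Findings:
    orphan_drivers: List[Dict[str, str]] = field(default_factory=list)
    ie_unexpected: List[Dict[str, str]] = field(default_factory=list)
    run_no_company: List[Dict[str, str]] = field(default_factory=list)


def host_of(url: str) -> str:
    """Lower-cased host of a URL, or '' when the value is not a URL."""
    return (urlsplit(url.strip()).hostname or "").lower()


def triage(log_text: str, expected_hosts=EXPECTED_HOSTS) -> Findings:
    """Walk the log once and collect the three kinds of entries to review."""
    f = Findings()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DRV_MISSING_RE.match(line)
        if m:
            f.orphan_drivers.append(m.groupdict())
            continue
        m = IE_RE.match(line)
        if m:
            d = m.groupdict()
            data = d["data"]
            if data.lower().startswith(("http://", "https://")):
                if host_of(data) not in expected_hosts:
                    d["reason"] = "unexpected host " + host_of(data)
                    f.ie_unexpected.append(d)
            elif d["value"] == "ProxyEnable" and data.strip() != "0":
                d["reason"] = "proxy enabled"
                f.ie_unexpected.append(d)
            continue
        m = O4_RE.match(line)
        if m and not m.group("company").strip():
            f.run_no_company.append(m.groupdict())
    return f


def report(f: Findings) -> List[str]:
    """One human-readable line per finding, in the order a helper reads them."""
    out = []
    for d in f.orphan_drivers:
        out.append(f"orphan driver service {d['name']}: {d['path']}")
    for d in f.ie_unexpected:
        out.append(f"IE {d['hive']} {d['value']} = {d['data']} ({d['reason']})")
    for d in f.run_no_company:
        out.append(f"Run entry [{d['name']}] without company name: {d['path']}")
    return out


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```
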
#8
godawgs

    Teacher

  • Retired Staff
  • 8,228 posts

Thanks for the logs. Let's turn Windows Defender off. Then I want you to make sure that MSE is up to date and that real-time protection is on (the little castle in the system tray will be green). Then run a Quick scan and let me know if it found anything.
 

Step-1.
 
Turn Windows Defender Off

  • Open Windows Defender by clicking the Start button, clicking All Programs, and then clicking Windows Defender.
  • Click Tools, and then click Options.
  • Under Administrator options, select or clear the Use Windows Defender check box, and then click Save. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

 

Step-2.

Farbar Recovery Scan

A.
Download the Tool

  • Please click here to go to the Farbar Recovery Scan Tool download page.
  • Click the Download Now(32bit Version) button and save it to your desktop.

B.
Run the Tool
Close all open Windows and browsers

  • Right click the FRST icon on the desktop and click Run as Administrator to run the tool.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Things For Your Next Post:
Please post the logs in the order requested. Please don't attach the logs unless I request it.

1. Let me know if MSE found anything

2. The FRST.txt log

3. The Addition.txt log



#9
frobey

    Member

  • Topic Starter
  • Member
  • 67 posts

Hi,

 

Windows Defender was already turned off (it said so when I clicked on it). I tried to turn it on just so I could follow your instructions and turn it off, but it wouldn't turn back on; I got an error "Windows Host Process (Rundll32) has stopped working". I clicked Cancel and continued...

 

I updated and ran MSE and it didn't find anything on a Quick Scan. Below you will find the FRST and Addition logs.

 

Also, there is still a TYLoader icon on the desktop, but I didn't see the program installed... I believe this is one of the programs the "friend" installed when he was putting music on the PC for the owner to download onto his MP3 player...

 

FRST Log file

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-03-2014  01
Ran by d (administrator) on D-PC on 28-03-2014 11:35:51
Running from C:\Users\d\Desktop
Microsoft® Windows Vista™ Home Basic  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(Microsoft Corporation) C:\Windows\system32\SLsvc.exe
(Malwarebytes Secure Backup) C:\Program Files\Malwarebytes Secure Backup\SUpdateNotifier.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Adobe Systems Incorporated) C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
(Malwarebytes Secure Backup) C:\Program Files\Malwarebytes Secure Backup\SMessaging.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Agere Systems) C:\Windows\system32\agrsmsvc.exe
() C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
() C:\Program Files\CyberLink\Shared files\RichVideo.exe
(Malwarebytes Secure Backup) C:\Program Files\Malwarebytes Secure Backup\SAgent.Service.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\NisSrv.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Secure Backup\mbsbscan.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\IELowutil.exe
(Intuit Inc.) C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
(Microsoft Corporation) C:\Windows\system32\wuauclt.exe
(Farbar) C:\Users\d\Desktop\FRST (1).exe
(Microsoft Corporation) C:\Windows\system32\wbem\WMIADAP.EXE
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [948440 2013-10-23] (Microsoft Corporation)
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [SOSUAUI] - C:\Program Files\Malwarebytes Secure Backup\sosuploadagent.exe [55192 2013-08-15] (Malwarebytes Secure Backup)
HKLM\...\Run: [SMessaging] - C:\Program Files\Malwarebytes Secure Backup\SMessaging.exe [64408 2013-08-15] (Malwarebytes Secure Backup)
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\.DEFAULT\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\...\Run: [Skype] - C:\Program Files\Skype\Phone\Skype.exe [20922016 2014-02-10] (Skype Technologies S.A.)
HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-20] (Microsoft Corporation)
HKU\S-1-5-21-3730493371-2978618540-1370544531-1000\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote Table Of Contents.onetoc2 ()
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emac...=0509&m=el1300g
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emac...=0509&m=el1300g
SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKCU - {67C334C0-408D-4E6D-B5A7-0ADD6AFFA252} URL = 
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-0017-0000-0051-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8050.1202.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
 
Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
 
FireFox:
========
FF ProfilePath: C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin - C:\Program Files\Java\jre7\bin\new_plugin\npjp2.dll No File
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=14.0.8051.1204 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @lightspark.github.com/Lightspark;version=1 - C:\Program Files\Lightspark 0.5.3-git\nplightsparkplugin.dll No File
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Extension: Microsoft .NET Framework Assistant - C:\Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010-07-24]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2012-08-19]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2013-04-26]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ []
 
========================== Services (Whitelisted) =================
 
R2 ETService; C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [24576 2008-06-11] ()
R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-10-23] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [280288 2013-10-23] (Microsoft Corporation)
R2 RichVideo; C:\Program Files\CyberLink\Shared files\RichVideo.exe [272024 2007-05-13] ()
R2 sagentservice; C:\Program Files\Malwarebytes Secure Backup\SAgent.Service.exe [39832 2013-08-15] (Malwarebytes Secure Backup)
R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3291008 2013-08-06] (Skype Technologies S.A.)
 
==================== Drivers (Whitelisted) ====================
 
S3 JL2005C; C:\Windows\System32\Drivers\jl2005c.sys [62570 2008-03-07] (Windows ® 2000 DDK provider)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2014-03-28] (Malwarebytes Corporation)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [214696 2013-09-27] (Microsoft Corporation)
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 SMUpdd; \??\C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-03-28 11:35 - 2014-03-28 11:36 - 00011282 _____ () C:\Users\d\Desktop\FRST.txt
2014-03-28 11:35 - 2014-03-28 11:35 - 00000000 ____D () C:\FRST
2014-03-28 11:34 - 2014-03-28 11:15 - 01145856 _____ (Farbar) C:\Users\d\Desktop\FRST (1).exe
2014-03-27 17:42 - 2014-03-27 17:42 - 00000636 _____ () C:\Users\d\Desktop\JRT.txt
2014-03-27 17:33 - 2014-03-27 17:30 - 01038974 _____ (Thisisu) C:\Users\d\Desktop\JRT.exe
2014-03-27 09:24 - 2014-03-27 09:24 - 00000896 _____ () C:\Users\d\Desktop\AdwCleaner[dave].txt
2014-03-27 09:21 - 2014-03-27 09:21 - 00016308 _____ () C:\Users\d\Desktop\otlfix.txt
2014-03-27 09:05 - 2014-03-27 09:05 - 00000000 ____D () C:\_OTL
2014-03-27 08:44 - 2014-03-27 08:44 - 00136870 _____ () C:\Users\d\Desktop\avgremover.log
2014-03-27 08:44 - 2014-03-27 08:43 - 00006159 _____ () C:\Users\d\Desktop\OTL update1.txt
2014-03-27 08:44 - 2014-03-27 08:41 - 01973368 _____ (AVG Technologies CZ, s.r.o.) C:\Users\d\Desktop\avg_remover_stf_x86_2012_2125.exe
2014-03-27 08:35 - 2014-02-15 07:45 - 00000426 _____ () C:\AVScanner.ini
2014-03-27 08:30 - 2014-03-27 08:25 - 03386520 _____ (AVG Technologies CZ, s.r.o.) C:\Users\d\Desktop\avg_remover_stf_x86_2014_4116.exe
2014-03-27 08:30 - 2014-03-27 08:24 - 01950720 _____ () C:\Users\d\Desktop\AdwCleaner.exe
2014-03-27 08:30 - 2014-03-27 08:24 - 00869456 _____ () C:\Users\d\Desktop\Norton_Removal_Tool.exe
2014-03-26 19:21 - 2014-03-26 19:21 - 00001768 _____ () C:\Users\d\Desktop\aswMBR.txt
2014-03-26 19:21 - 2014-03-26 19:21 - 00000512 _____ () C:\Users\d\Desktop\MBR.dat
2014-03-26 19:18 - 2014-03-27 18:00 - 00057030 _____ () C:\Users\d\Desktop\OTL.Txt
2014-03-26 19:18 - 2014-03-26 19:18 - 00041646 _____ () C:\Users\d\Desktop\Extras.Txt
2014-03-26 18:58 - 2014-03-26 18:56 - 04745728 _____ (AVAST Software) C:\Users\d\Desktop\aswmbr (1).exe
2014-03-26 18:58 - 2014-03-26 18:55 - 00000181 _____ () C:\Users\d\Desktop\OTL update.txt
2014-03-26 18:58 - 2014-03-25 16:49 - 00602112 _____ (OldTimer Tools) C:\Users\d\Desktop\OTL (1).exe
2014-03-26 18:50 - 2014-03-28 11:31 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-03-23 17:50 - 2014-03-23 17:50 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2014-03-23 17:36 - 2014-03-23 17:50 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-03-23 17:34 - 2014-03-23 17:35 - 09988304 _____ (SurfRight B.V.) C:\Users\d\Desktop\HitmanPro.exe
2014-03-23 15:55 - 2014-03-23 15:55 - 00000000 ____D () C:\Windows\ERUNT
2014-03-23 15:23 - 2014-03-27 17:29 - 00000000 ____D () C:\AdwCleaner
2014-03-23 14:27 - 2014-03-23 17:07 - 00000000 ____D () C:\Program Files\Adware-Removal-Tool
2014-03-23 14:27 - 2014-03-23 17:03 - 00290304 _____ (Microsoft Corporation) C:\Windows\system32\subinacl.exe
2014-03-19 08:52 - 2014-03-19 08:52 - 00000000 ____D () C:\ProgramData\Oracle
2014-03-19 08:51 - 2014-03-19 08:51 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-03-19 08:51 - 2014-03-19 08:51 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-03-19 08:51 - 2014-03-19 08:51 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-03-19 08:51 - 2014-03-19 08:51 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-03-19 08:44 - 2014-03-19 08:44 - 00714464 _____ () C:\Users\d\Desktop\Adware-Removal-Tool-v3.8(1).exe
2014-03-19 08:42 - 2014-03-19 08:42 - 00108944 _____ () C:\Users\d\Desktop\Java.exe
2014-03-19 08:36 - 2014-03-19 08:37 - 00714464 _____ () C:\Users\d\Desktop\Adware-Removal-Tool-v3.8.exe
2014-03-12 17:53 - 2014-02-23 01:50 - 12347904 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-03-12 17:53 - 2014-02-23 01:47 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-03-12 17:53 - 2014-02-23 01:43 - 09739264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-03-12 17:53 - 2014-02-23 01:41 - 01105408 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-03-12 17:53 - 2014-02-23 01:40 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-03-12 17:53 - 2014-02-23 01:39 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-03-12 17:53 - 2014-02-23 01:38 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2014-03-12 17:53 - 2014-02-23 01:38 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-03-12 17:53 - 2014-02-23 01:38 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-03-12 17:53 - 2014-02-23 01:37 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-03-12 17:53 - 2014-02-23 01:37 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-03-12 17:53 - 2014-02-23 01:37 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-03-12 17:53 - 2014-02-23 01:37 - 00421376 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-03-12 17:53 - 2014-02-23 01:36 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-03-12 17:53 - 2014-02-23 01:36 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-03-12 17:53 - 2014-02-23 01:35 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-03-12 09:54 - 2014-02-07 06:38 - 02050560 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-03-12 09:54 - 2014-02-03 06:37 - 00505344 _____ (Microsoft Corporation) C:\Windows\system32\qedit.dll
2014-03-12 09:54 - 2014-01-30 03:46 - 00876032 _____ (Microsoft Corporation) C:\Windows\system32\wer.dll
2014-03-12 09:54 - 2013-11-12 20:30 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-03-11 09:02 - 2014-03-11 09:02 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-03-11 08:57 - 2014-03-11 08:54 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\d\Downloads\SpyHunter-Installer.exe
2014-03-11 08:43 - 2014-03-11 08:43 - 00000000 ____D () C:\Program Files\Common Files\Wise Installation Wizard
2014-03-11 08:31 - 2014-03-25 16:52 - 00001590 _____ () C:\Windows\setupact.log
2014-03-11 08:31 - 2014-03-11 08:31 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-11 07:31 - 2014-03-11 07:32 - 00921512 _____ (Oracle Corporation) C:\Users\d\Desktop\jre-7u51-windows-i586-iftw.exe
2014-03-10 22:45 - 2014-03-27 09:02 - 00042534 _____ () C:\Windows\PFRO.log
2014-03-10 21:26 - 2014-03-10 21:26 - 00001696 _____ () C:\Users\d\Desktop\YTDownloader.lnk
2014-03-10 21:25 - 2014-03-23 18:52 - 00000000 ____D () C:\Program Files\YTDownloader
2014-03-10 21:24 - 2014-03-10 21:24 - 00000000 ____D () C:\Users\d\AppData\Local\CrashRpt
2014-03-06 18:32 - 2014-03-06 18:32 - 00000000 ____D () C:\Users\d\AppData\Local\Kobo
2014-03-06 18:31 - 2014-03-06 18:31 - 00000762 _____ () C:\Users\Public\Desktop\Kobo.lnk
2014-03-03 09:12 - 2014-03-11 18:45 - 00000258 __RSH () C:\ProgramData\ntuser.pol
2014-03-02 08:44 - 2014-03-02 08:44 - 00000000 ____D () C:\Program Files\runonce
2014-03-01 21:25 - 2014-03-06 18:32 - 00000000 ____D () C:\Windows\tmp
2014-03-01 21:21 - 2014-03-01 21:21 - 00000000 ____D () C:\ProgramData\Real
2014-03-01 21:19 - 2014-03-06 18:31 - 00000000 ____D () C:\Program Files\Kobo
2014-03-01 21:17 - 2014-03-01 21:18 - 26017384 _____ () C:\Users\d\Desktop\kobo-setup.exe
2014-02-28 22:47 - 2014-02-28 22:47 - 00000000 ____D () C:\Users\d\AppData\Roaming\SharePod
2014-02-28 21:52 - 2012-08-21 14:01 - 00026840 _____ (GEAR Software Inc.) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2014-02-28 21:49 - 2014-02-28 21:52 - 00000000 ____D () C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-02-28 21:49 - 2014-02-28 21:49 - 00000000 ____D () C:\Program Files\iPod
2014-02-28 19:51 - 2014-02-28 19:51 - 00000000 ____D () C:\ProgramData\Package Cache
2014-02-28 19:51 - 2014-02-28 19:51 - 00000000 ____D () C:\Program Files\Adblock Plus for IE
2014-02-28 18:51 - 2014-02-28 18:51 - 00000000 ____D () C:\Program Files\Bonjour
2014-02-28 08:32 - 2014-02-28 08:32 - 00001878 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-02-28 08:32 - 2014-02-28 08:32 - 00000000 ____D () C:\Users\d\AppData\Local\Skype
2014-02-28 08:32 - 2014-02-28 08:32 - 00000000 ____D () C:\Program Files\Common Files\Skype
 
==================== One Month Modified Files and Folders =======
 
2014-03-28 11:36 - 2014-03-28 11:35 - 00011282 _____ () C:\Users\d\Desktop\FRST.txt
2014-03-28 11:36 - 2006-11-02 06:33 - 00776628 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-03-28 11:35 - 2014-03-28 11:35 - 00000000 ____D () C:\FRST
2014-03-28 11:35 - 2009-05-04 19:42 - 01554811 _____ () C:\Windows\WindowsUpdate.log
2014-03-28 11:32 - 2012-08-19 17:41 - 00000000 ____D () C:\Users\d\AppData\Roaming\Skype
2014-03-28 11:32 - 2006-11-02 08:45 - 00004784 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-03-28 11:32 - 2006-11-02 08:45 - 00004784 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-03-28 11:31 - 2014-03-26 18:50 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2014-03-28 11:31 - 2009-05-04 19:46 - 00000000 _____ () C:\Windows\system32\LogConfigTemp.xml
2014-03-28 11:31 - 2006-11-02 08:58 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-03-28 11:15 - 2014-03-28 11:34 - 01145856 _____ (Farbar) C:\Users\d\Desktop\FRST (1).exe
2014-03-27 18:11 - 2006-11-02 08:58 - 00032652 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-03-27 18:08 - 2012-08-05 10:37 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-03-27 18:00 - 2014-03-26 19:18 - 00057030 _____ () C:\Users\d\Desktop\OTL.Txt
2014-03-27 17:42 - 2014-03-27 17:42 - 00000636 _____ () C:\Users\d\Desktop\JRT.txt
2014-03-27 17:30 - 2014-03-27 17:33 - 01038974 _____ (Thisisu) C:\Users\d\Desktop\JRT.exe
2014-03-27 17:29 - 2014-03-23 15:23 - 00000000 ____D () C:\AdwCleaner
2014-03-27 09:24 - 2014-03-27 09:24 - 00000896 _____ () C:\Users\d\Desktop\AdwCleaner[dave].txt
2014-03-27 09:21 - 2014-03-27 09:21 - 00016308 _____ () C:\Users\d\Desktop\otlfix.txt
2014-03-27 09:05 - 2014-03-27 09:05 - 00000000 ____D () C:\_OTL
2014-03-27 09:02 - 2014-03-10 22:45 - 00042534 _____ () C:\Windows\PFRO.log
2014-03-27 08:46 - 2012-07-27 04:04 - 00001107 _____ () C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-03-27 08:44 - 2014-03-27 08:44 - 00136870 _____ () C:\Users\d\Desktop\avgremover.log
2014-03-27 08:44 - 2013-05-26 15:00 - 00000000 ____D () C:\ProgramData\MFAData
2014-03-27 08:43 - 2014-03-27 08:44 - 00006159 _____ () C:\Users\d\Desktop\OTL update1.txt
2014-03-27 08:41 - 2014-03-27 08:44 - 01973368 _____ (AVG Technologies CZ, s.r.o.) C:\Users\d\Desktop\avg_remover_stf_x86_2012_2125.exe
2014-03-27 08:37 - 2012-07-31 10:03 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-03-27 08:34 - 2009-03-12 17:42 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-03-27 08:25 - 2014-03-27 08:30 - 03386520 _____ (AVG Technologies CZ, s.r.o.) C:\Users\d\Desktop\avg_remover_stf_x86_2014_4116.exe
2014-03-27 08:24 - 2014-03-27 08:30 - 01950720 _____ () C:\Users\d\Desktop\AdwCleaner.exe
2014-03-27 08:24 - 2014-03-27 08:30 - 00869456 _____ () C:\Users\d\Desktop\Norton_Removal_Tool.exe
2014-03-26 19:21 - 2014-03-26 19:21 - 00001768 _____ () C:\Users\d\Desktop\aswMBR.txt
2014-03-26 19:21 - 2014-03-26 19:21 - 00000512 _____ () C:\Users\d\Desktop\MBR.dat
2014-03-26 19:18 - 2014-03-26 19:18 - 00041646 _____ () C:\Users\d\Desktop\Extras.Txt
2014-03-26 18:56 - 2014-03-26 18:58 - 04745728 _____ (AVAST Software) C:\Users\d\Desktop\aswmbr (1).exe
2014-03-26 18:55 - 2014-03-26 18:58 - 00000181 _____ () C:\Users\d\Desktop\OTL update.txt
2014-03-25 16:52 - 2014-03-11 08:31 - 00001590 _____ () C:\Windows\setupact.log
2014-03-25 16:49 - 2014-03-26 18:58 - 00602112 _____ (OldTimer Tools) C:\Users\d\Desktop\OTL (1).exe
2014-03-23 18:54 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\PLA
2014-03-23 18:52 - 2014-03-10 21:25 - 00000000 ____D () C:\Program Files\YTDownloader
2014-03-23 17:50 - 2014-03-23 17:50 - 00012872 _____ (SurfRight B.V.) C:\Windows\system32\bootdelete.exe
2014-03-23 17:50 - 2014-03-23 17:36 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-03-23 17:35 - 2014-03-23 17:34 - 09988304 _____ (SurfRight B.V.) C:\Users\d\Desktop\HitmanPro.exe
2014-03-23 17:07 - 2014-03-23 14:27 - 00000000 ____D () C:\Program Files\Adware-Removal-Tool
2014-03-23 17:03 - 2014-03-23 14:27 - 00290304 _____ (Microsoft Corporation) C:\Windows\system32\subinacl.exe
2014-03-23 16:25 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\Provisioning
2014-03-23 15:55 - 2014-03-23 15:55 - 00000000 ____D () C:\Windows\ERUNT
2014-03-23 14:57 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\LiveKernelReports
2014-03-19 08:52 - 2014-03-19 08:52 - 00000000 ____D () C:\ProgramData\Oracle
2014-03-19 08:51 - 2014-03-19 08:51 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-03-19 08:51 - 2014-03-19 08:51 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-03-19 08:51 - 2014-03-19 08:51 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-03-19 08:51 - 2014-03-19 08:51 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2014-03-19 08:44 - 2014-03-19 08:44 - 00714464 _____ () C:\Users\d\Desktop\Adware-Removal-Tool-v3.8(1).exe
2014-03-19 08:42 - 2014-03-19 08:42 - 00108944 _____ () C:\Users\d\Desktop\Java.exe
2014-03-19 08:37 - 2014-03-19 08:36 - 00714464 _____ () C:\Users\d\Desktop\Adware-Removal-Tool-v3.8.exe
2014-03-14 11:41 - 2013-08-14 06:30 - 00000000 ____D () C:\Windows\system32\MRT
2014-03-13 22:05 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\Branding
2014-03-13 19:57 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\rescache
2014-03-13 19:06 - 2010-08-31 06:46 - 00000680 _____ () C:\Users\d\AppData\Local\d3d9caps.dat
2014-03-13 19:02 - 2006-11-02 08:44 - 00304040 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-03-13 19:00 - 2012-08-07 02:23 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2014-03-12 11:08 - 2012-07-28 07:44 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-03-12 11:08 - 2012-07-28 07:44 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-03-11 18:45 - 2014-03-03 09:12 - 00000258 __RSH () C:\ProgramData\ntuser.pol
2014-03-11 09:02 - 2014-03-11 09:02 - 00000000 ____D () C:\Program Files\Enigma Software Group
2014-03-11 08:54 - 2014-03-11 08:57 - 00728960 _____ (Enigma Software Group USA, LLC.) C:\Users\d\Downloads\SpyHunter-Installer.exe
2014-03-11 08:43 - 2014-03-11 08:43 - 00000000 ____D () C:\Program Files\Common Files\Wise Installation Wizard
2014-03-11 08:31 - 2014-03-11 08:31 - 00000000 _____ () C:\Windows\setuperr.log
2014-03-11 07:32 - 2014-03-11 07:31 - 00921512 _____ (Oracle Corporation) C:\Users\d\Desktop\jre-7u51-windows-i586-iftw.exe
2014-03-11 07:00 - 2012-10-03 16:31 - 00000000 ____D () C:\Windows\pss
2014-03-10 21:26 - 2014-03-10 21:26 - 00001696 _____ () C:\Users\d\Desktop\YTDownloader.lnk
2014-03-10 21:26 - 2006-11-02 07:18 - 00000000 ____D () C:\Program Files\Common Files\System
2014-03-10 21:24 - 2014-03-10 21:24 - 00000000 ____D () C:\Users\d\AppData\Local\CrashRpt
2014-03-06 18:32 - 2014-03-06 18:32 - 00000000 ____D () C:\Users\d\AppData\Local\Kobo
2014-03-06 18:32 - 2014-03-01 21:25 - 00000000 ____D () C:\Windows\tmp
2014-03-06 18:31 - 2014-03-06 18:31 - 00000762 _____ () C:\Users\Public\Desktop\Kobo.lnk
2014-03-06 18:31 - 2014-03-01 21:19 - 00000000 ____D () C:\Program Files\Kobo
2014-03-03 09:12 - 2006-11-02 07:18 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2014-03-02 14:03 - 2006-11-02 06:24 - 87350280 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2014-03-02 09:12 - 2006-11-02 07:18 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-03-02 08:44 - 2014-03-02 08:44 - 00000000 ____D () C:\Program Files\runonce
2014-03-01 21:21 - 2014-03-01 21:21 - 00000000 ____D () C:\ProgramData\Real
2014-03-01 21:20 - 2009-07-29 16:13 - 00000000 ____D () C:\Users\d
2014-03-01 21:18 - 2014-03-01 21:17 - 26017384 _____ () C:\Users\d\Desktop\kobo-setup.exe
2014-03-01 21:17 - 2006-11-02 07:18 - 00000000 ___RD () C:\Users\Public
2014-02-28 22:47 - 2014-02-28 22:47 - 00000000 ____D () C:\Users\d\AppData\Roaming\SharePod
2014-02-28 22:05 - 2012-08-02 03:28 - 00000000 ____D () C:\Users\d\AppData\Roaming\Apple Computer
2014-02-28 21:53 - 2009-08-04 20:16 - 00000000 ____D () C:\Users\d\AppData\Local\Apple Computer
2014-02-28 21:52 - 2014-02-28 21:49 - 00000000 ____D () C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1
2014-02-28 21:49 - 2014-02-28 21:49 - 00000000 ____D () C:\Program Files\iPod
2014-02-28 21:49 - 2010-02-26 07:00 - 00000000 ____D () C:\ProgramData\Apple Computer
2014-02-28 21:49 - 2010-02-26 07:00 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-02-28 19:51 - 2014-02-28 19:51 - 00000000 ____D () C:\ProgramData\Package Cache
2014-02-28 19:51 - 2014-02-28 19:51 - 00000000 ____D () C:\Program Files\Adblock Plus for IE
2014-02-28 18:57 - 2009-07-29 20:24 - 00000000 ____D () C:\ProgramData\Apple
2014-02-28 18:51 - 2014-02-28 18:51 - 00000000 ____D () C:\Program Files\Bonjour
2014-02-28 08:32 - 2014-02-28 08:32 - 00001878 _____ () C:\Users\Public\Desktop\Skype.lnk
2014-02-28 08:32 - 2014-02-28 08:32 - 00000000 ____D () C:\Users\d\AppData\Local\Skype
2014-02-28 08:32 - 2014-02-28 08:32 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-02-28 08:32 - 2012-08-19 17:41 - 00000000 ___RD () C:\Program Files\Skype
2014-02-28 08:32 - 2012-08-19 17:40 - 00000000 ____D () C:\ProgramData\Skype
 
Some content of TEMP:
====================
C:\Users\d\AppData\Local\Temp\Quarantine.exe
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\system32\winlogon.exe => MD5 is legit
C:\Windows\system32\wininit.exe => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\services.exe => MD5 is legit
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
C:\Windows\system32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-03-28 11:37
 
==================== End Of Log ============================
 
Addition log
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-03-2014  01
Ran by d at 2014-03-28 11:37:38
Running from C:\Users\d\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
AV: Microsoft Security Essentials (Enabled - Up to date) {641105E6-77ED-3F35-A304-765193BCB75F}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Microsoft Security Essentials (Enabled - Up to date) {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
 
==================== Installed Programs ======================
 
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adblock Plus for IE (32-bit) (HKLM\...\{21B632E1-4B3D-4AC2-9ABD-E00544F67D48}) (Version: 1.1 - Eyeo GmbH)
Adblock Plus for IE (HKLM\...\{fd97d1e2-368a-4cd9-af63-8eeff938044a}) (Version: 1.1 - )
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Adobe AIR (Version: 1.0.8.4990 - Adobe Systems Inc.) Hidden
Adobe Flash Player 12 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.77 - Adobe Systems Incorporated)
Adobe Reader 9.5.5 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A95000000001}) (Version: 9.5.5 - Adobe Systems Incorporated)
Agere Systems PCI-SV92EX Soft Modem (HKLM\...\Agere Systems Soft Modem) (Version:  - Agere Systems)
Apple Application Support (HKLM\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{18D47FA1-0440-48D3-A7E0-DA09537FF471}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Ask Toolbar (HKLM\...\{4F524A2D-5637-4300-76A7-A758B70C0A03}) (Version: 12.10.3.34 - APN, LLC) <==== ATTENTION
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Brother HL-2140 (HKLM\...\{6FBC610C-94CD-4EC3-A322-74BB07AA2D6C}) (Version: 1.00 - Brother)
CCleaner (HKLM\...\CCleaner) (Version: 4.06 - Piriform)
Choice Guard (Version: 1.2.87.0 - Microsoft Corporation) Hidden
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CyberLink DVD Suite (HKLM\...\InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}) (Version: 6.0.2110 - CyberLink Corp.)
CyberLink DVD Suite (Version: 6.0.2110 - CyberLink Corp.) Hidden
CyberLink Power2Go (HKLM\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.0.2115 - CyberLink Corp.)
CyberLink Power2Go (Version: 6.0.2115 - CyberLink Corp.) Hidden
CyberLink PowerDVD (HKLM\...\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}) (Version: 7.0.3409.a - PowerDVDCorp.)
eMachines Recovery Management (HKLM\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 3.1.3003 - Acer Incorporated)
Internet Explorer (Enable DEP) (HKLM\...\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb) (Version:  - )
iTunes (HKLM\...\{2F21564D-DE05-4C6D-B21E-08B9D313FAB3}) (Version: 11.1.5.5 - Apple Inc.)
Java 7 Update 51 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83217051FF}) (Version: 7.0.510 - Oracle)
Java Auto Updater (Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
JavaFX 2.1.1 (HKLM\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
Junk Mail filter update (Version: 14.0.8050.1202 - Microsoft Corporation) Hidden
Kobo (HKLM\...\Kobo) (Version: 3.0.4 - Kobo Inc.)
Lightspark 0.5.3-git (HKLM\...\Lightspark) (Version: 0.5.3-git - Lightspark Team)
Malwarebytes Anti-Malware version 1.75.0.1300 (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version: 1.75.0.1300 - Malwarebytes Corporation)
Malwarebytes Secure Backup (HKLM\...\{5228274E-59DC-4B9B-AF72-97AC81C09C8A}) (Version: 5.9.1.4720 - Malwarebytes Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6012.5000 - Microsoft Corporation) Hidden
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (Version:  - Microsoft) Hidden
Microsoft Office Excel MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Proof (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2007 (Version: 12.0.4518.1014 - Microsoft Corporation) Hidden
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3) (Version:  - Microsoft) Hidden
Microsoft Office Shared MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Office Suite Activation Assistant (HKLM\...\{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}) (Version: 2.9 - Microsoft Corporation)
Microsoft Office Word MUI (English) 2007 (Version: 12.0.6612.1000 - Microsoft Corporation) Hidden
Microsoft Security Client (Version: 4.4.0304.0 - Microsoft Corporation) Hidden
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.4.304.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Works (HKLM\...\{67E03279-F703-408F-B4BF-46B5FC8D70CD}) (Version: 9.7.0621 - Microsoft Corporation)
Mozilla Firefox 27.0.1 (x86 en-US) (HKLM\...\Mozilla Firefox 27.0.1 (x86 en-US)) (Version: 27.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 27.0.1 - Mozilla)
MSVCRT (Version: 14.0.1468.721 - Microsoft) Hidden
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version:  - )
QuickTime (HKLM\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5628 - Realtek Semiconductor Corp.)
Search module (HKLM\...\Search module) (Version:  - Search Module)
Skype Click to Call (HKLM\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.11.13307 - Skype Technologies S.A.)
Skype™ 6.14 (HKLM\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.14.104 - Skype Technologies S.A.)
Spelling Dictionaries Support For Adobe Reader 9 (HKLM\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
TurboTax 2009 (HKLM\...\TurboTax 2009) (Version:  - Intuit, Inc)
TurboTax 2009 WinPerFedFormset (Version: 009.000.0620 - Intuit Inc.) Hidden
TurboTax 2009 WinPerReleaseEngine (Version: 009.000.0236 - Intuit Inc.) Hidden
TurboTax 2009 WinPerTaxSupport (Version: 009.000.0170 - Intuit Inc.) Hidden
TurboTax 2009 wrapper (Version: 009.000.0142 - Intuit Inc.) Hidden
Uninstall Dual Mode Camera (HKLM\...\Dual Mode Camera_is1) (Version:  - )
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (HKLM\...\{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}.KB963707) (Version: 1 - Microsoft Corporation)
Update for Microsoft Office 2007 Help for Common Features (KB963673) (HKLM\...\{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AB365889-0395-4FAD-B702-CA5985D53D42}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{A024FC7B-77DE-45DE-A058-1C049A17BFB3}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2687493) 32-Bit Edition (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6FAA03BD-2B51-4029-9AD9-64A3B8E3C84C}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{CB68A5B0-3508-4193-AEB9-AF636DAECE0F}) (Version:  - Microsoft)
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{E9A82945-BA29-4EE8-8F2A-2F49545E9CF2}) (Version:  - Microsoft)
Update for Microsoft Office Excel 2007 Help (KB963678) (HKLM\...\{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{199DF7B6-169C-448C-B511-1054101BE9C9}) (Version:  - Microsoft)
Update for Microsoft Office OneNote 2007 Help (KB963670) (HKLM\...\{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2744EF05-38E1-4D5D-B333-E021EDAEA245}) (Version:  - Microsoft)
Update for Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM\...\{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{397B1D4F-ED7B-4ACA-A637-43B670843876}) (Version:  - Microsoft)
Update for Microsoft Office Script Editor Help (KB963671) (HKLM\...\{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{CD11C6A2-FFC6-4271-8EAB-79C3582F505C}) (Version:  - Microsoft)
Update for Microsoft Office Word 2007 Help (KB963665) (HKLM\...\{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{80E762AA-C921-4839-9D7D-DB62A72C0726}) (Version:  - Microsoft)
Windows Live Call (Version: 14.0.8050.1202 - Microsoft Corporation) Hidden
Windows Live Communications Platform (Version: 14.0.8050.1202 - Microsoft Corporation) Hidden
Windows Live Essentials (HKLM\...\WinLiveSuite_Wave3) (Version: 14.0.8050.1202 - Microsoft Corporation)
Windows Live Essentials (Version: 14.0.8050.1202 - Microsoft Corporation) Hidden
Windows Live ID Sign-in Assistant (HKLM\...\{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}) (Version: 6.500.3165.0 - Microsoft Corporation)
Windows Live Mail (Version: 14.0.8050.1202 - Microsoft Corporation) Hidden
Windows Live Messenger (Version: 14.0.8050.1202 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (Version: 14.0.8051.1204 - Microsoft Corporation) Hidden
Windows Live Sync (HKLM\...\{FDD810CA-D5E3-40E9-AB7B-36440B0D41EF}) (Version: 14.0.8050.1202 - Microsoft Corporation)
Windows Live Upload Tool (HKLM\...\{205C6BDD-7B73-42DE-8505-9A093F35A238}) (Version: 14.0.8014.1029 - Microsoft Corporation)
Windows Live Writer (Version: 14.0.8050.1202 - Microsoft Corporation) Hidden
YTDownloader (HKLM\...\YTDownloader) (Version:  - YTDownloader)
 
==================== Restore Points  =========================
 
11-03-2014 12:09:41 Windows Update
11-03-2014 13:01:35 Installed SpyHunter
11-03-2014 14:26:31 Removed SpyHunter
11-03-2014 17:33:58 Windows Update
11-03-2014 17:39:49 Windows Update
12-03-2014 14:31:23 Scheduled Checkpoint
12-03-2014 21:51:14 Windows Update
14-03-2014 01:54:13 Scheduled Checkpoint
14-03-2014 15:36:27 Windows Update
18-03-2014 20:06:13 Windows Update
18-03-2014 20:29:27 Windows Update
19-03-2014 12:49:40 Installed Java 7 Update 51
22-03-2014 12:30:42 Windows Update
23-03-2014 20:22:09 Installed Microsoft Fix it 50195
24-03-2014 11:16:59 Scheduled Checkpoint
25-03-2014 13:45:12 Windows Update
26-03-2014 23:05:00 OTL Restore Point - 3/26/2014 7:05:00 PM
27-03-2014 12:33:12 Removed Java™ 6 Update 5
27-03-2014 12:34:34 Removed Java™ 6 Update 21
27-03-2014 13:05:25 OTL Restore Point - 3/27/2014 9:05:25 AM
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {18DFD9FC-082E-4E9B-8285-5F21D2B4EDAE} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {26CC33F4-0231-4A81-8A44-5334C5ABCD52} - System32\Tasks\{A9F98CA4-15A7-4A35-B1BA-796504BEF522} => Chrome.exe http://ui.skype.com/...e=tsProgressBar
Task: {4CAB832F-9963-4C6A-966E-599204CC18CC} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe
Task: {5916F864-469C-4391-8604-E4EA141A2699} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2008-01-20] ()
Task: {6084C9AB-B6D1-4171-8AC6-677D1E1EF187} - System32\Tasks\Smp => C:\Program Files\Common Files\Goobzo\GBUpdate\smp.exe
Task: {624AC534-5BCA-41E3-A385-32417352C941} - System32\Tasks\Microsoft\Windows\Maintenance\SMupdate2 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update2
Task: {6771DEA0-1736-43AA-8185-3485FF9F442F} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {7C5A51E8-1AD7-48C6-8879-257A8A9609F5} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {8B0E6FAB-F43A-4988-AF0A-A21646C212F0} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {91CCCF3C-6A3E-4D9E-9742-9A974009AEB2} - System32\Tasks\Online Backup Update Notifier => C:\Program Files\Malwarebytes Secure Backup\SUpdateNotifier.exe [2013-08-15] (Malwarebytes Secure Backup)
Task: {99906352-89F5-484B-9D7E-67D61419A81E} - System32\Tasks\At1 => c:\Program Files\pcreg\service.exe
Task: {9ED703A9-5FFD-40D5-895A-4385EE1509DE} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-20] (Microsoft Corporation)
Task: {A958D3A6-A075-4CC6-BFC6-79122B3984AD} - System32\Tasks\ShopperPro => C:\Program Files\ShopperPro\ShopperPro.exe
Task: {ACE759D3-FEA7-49EA-8C95-74795787A892} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-09-19] (Piriform Ltd)
Task: {B23A77E0-3ADB-4BE7-949F-7267E77C8A72} - System32\Tasks\SMupdate1 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update1
Task: {BF326A37-EB17-4696-874B-2488EE9F4010} - System32\Tasks\{67912435-2658-4A89-9BEF-E31FA079265B} => Chrome.exe http://ui.skype.com/...#38;page=tsBing
Task: {BF70D891-B11F-4C28-88C5-058618AA7D31} - System32\Tasks\YTDownloaderUpd => C:\Program Files\YTDownloader\updater.exe
Task: {C76A8E75-71C8-467E-BD8A-71CC3736F5B0} - System32\Tasks\ShopperProJSUpd => C:\Program Files\ShopperPro\updater.exe
Task: {CA2E1FCE-1C55-4B5C-ADF7-99D7396B60E8} - System32\Tasks\SMW_UpdateTask_Time_313234323230313636332d3437415a556c2a3223346c41 => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0
Task: {D8C49797-DD8C-4FC6-8825-6C4FEA0D83F4} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe
Task: {DF100C33-678C-4E77-B29A-C858F4F0A83F} - System32\Tasks\Microsoft\Windows\Multimedia\SMupdate3 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update3
Task: {EF73847A-18E6-43C7-819A-6BA46AB00F57} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-03-12] (Adobe Systems Incorporated)
Task: {FB7BD407-9520-49EA-AF00-3CF5F69AD7FB} - System32\Tasks\Microsoft\Windows\Tcpip\WSHReset => C:\Windows\system32\netsh.exe [2006-11-02] (Microsoft Corporation)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
 
==================== Loaded Modules (whitelisted) =============
 
2009-05-04 19:46 - 2008-06-11 14:18 - 00024576 _____ () C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
2009-05-04 19:46 - 2009-05-04 19:46 - 00032768 _____ () C:\Windows\assembly\GAC_MSIL\Framework.Model.Controller\3.0.3009.0__14bcaafdb44b5951\Framework.Model.Controller.dll
2009-05-04 19:46 - 2009-05-04 19:46 - 00009216 _____ () C:\Windows\assembly\GAC_MSIL\Framework.Model.ControllerInterface\3.0.3009.0__d842b71b4d6ed079\Framework.Model.ControllerInterface.dll
2009-05-04 19:46 - 2009-05-04 19:46 - 00061440 _____ () C:\Windows\assembly\GAC_MSIL\Framework.Library\3.0.3009.0__3036420f80dd6947\Framework.Library.dll
2009-05-04 19:46 - 2009-05-04 19:46 - 00015360 _____ () C:\Windows\assembly\GAC_MSIL\Framework.Host\3.0.3009.0__672b450de5a7e94a\Framework.Host.dll
2009-05-04 19:46 - 2009-05-04 19:46 - 00006144 _____ () C:\Windows\assembly\GAC_MSIL\Framework.PluginInterface\3.0.3009.0__9ecdf03bb2054f94\Framework.PluginInterface.dll
2009-05-04 19:46 - 2009-05-04 19:46 - 00036864 _____ () C:\Windows\assembly\GAC_MSIL\Framework.Utility\3.0.3009.0__4df5dcab8860d239\Framework.Utility.dll
2009-05-04 19:50 - 2007-05-13 23:54 - 00272024 ____N () C:\Program Files\CyberLink\Shared files\RichVideo.exe
2010-02-24 14:13 - 2010-02-24 14:13 - 00854016 _____ () C:\Windows\assembly\GAC_32\System.Data.SQLite\1.0.61.0__db937bc2d44ff139\System.Data.SQLite.dll
2010-02-24 14:13 - 2010-02-24 14:13 - 00471040 _____ () C:\Windows\assembly\GAC_MSIL\Intuit.Spc.Map.Reporter\5.0.104.0__7ce6deabcb36a8ea\Intuit.Spc.Map.Reporter.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\ProgramData\Temp:AD022376
 
==================== Safe Mode (whitelisted) ===================
 
 
==================== Disabled items from MSCONFIG ==============
 
MSCONFIG\Services: Apple Mobile Device => 2
MSCONFIG\Services: Bonjour Service => 2
MSCONFIG\Services: CltMngSvc => 2
MSCONFIG\Services: iPod Service => 3
MSCONFIG\startupfolder: C:^Users^d^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ctfmon.lnk => C:\Windows\pss\ctfmon.lnk.Startup
MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: BrStsWnd => C:\Program Files\Brownie\BrstsWnd.exe Autorun
MSCONFIG\startupreg: Google Update => "C:\Users\d\AppData\Local\Google\Update\GoogleUpdate.exe" /c
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: LanguageShortcut => "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
MSCONFIG\startupreg: Optimizer Pro => C:\Program Files\Optimizer Pro\OptProLauncher.exe
MSCONFIG\startupreg: pcreg => C:\Program Files\pcreg\service.exe
MSCONFIG\startupreg: RemoteControl => "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
MSCONFIG\startupreg: RtHDVCpl => RtHDVCpl.exe
MSCONFIG\startupreg: Skytel => Skytel.exe
MSCONFIG\startupreg: SpybotSD TeaTimer => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
MSCONFIG\startupreg: UpdateP2GoShortCut => "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
MSCONFIG\startupreg: UpdatePSTShortCut => "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
MSCONFIG\startupreg: uTorrent => "C:\Users\d\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED
MSCONFIG\startupreg: YTDownloader => "C:\Program Files\YTDownloader\YTDownloader.exe" /boot
 
==================== Faulty Device Manager Devices =============
 
Name: Compact Flash   
Description: Compact Flash   
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Generic-
Service: WUDFRd
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.
 
Name: SM/xD/SD/MMC/MS 
Description: SM/xD/SD/MMC/MS 
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Generic-
Service: WUDFRd
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.
 
Name: 30GB
Description: DataTraveler C10
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Kingston
Service: WUDFRd
Problem: : Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)
Resolution: A registry problem was detected.
 This can occur when more than one service is defined for a device, if there is a failure opening the service subkey, or if the driver name cannot be obtained from the service subkey. Try these options:
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
Click "Uninstall", and then click "Scan for hardware changes" to load a usable driver.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (03/28/2014 11:36:30 AM) (Source: Application Error) (User: )
Description: Faulting application rundll32.exe, version 6.0.6000.16386, time stamp 0x4549b0e1, faulting module SysMenu.dll, version 1.0.0.5, time stamp 0x52b449c7, exception code 0xc0000005, fault offset 0x0006ce5c,
process id 0x3c4, application start time 0xrundll32.exe0.
 
Error: (03/28/2014 11:32:49 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/27/2014 05:47:26 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (03/27/2014 06:00:51 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.169.762.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.4.0304.00
 
Source Path: 4.4.0304.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
Error: (03/27/2014 05:43:11 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.
 
New Signature Version: 
 
Previous Signature Version: 1.169.762.0
 
Update Source: %NT AUTHORITY59
 
Update Stage: 4.4.0304.00
 
Source Path: 4.4.0304.01
 
Signature Type: %NT AUTHORITY602
 
Update Type: %NT AUTHORITY604
 
User: NT AUTHORITY\SYSTEM
 
Current Engine Version: %NT AUTHORITY605
 
Previous Engine Version: %NT AUTHORITY606
 
Error code: %NT AUTHORITY607
 
Error description: %NT AUTHORITY608
 
 
Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2014-03-25 10:49:18.012
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-25 10:49:17.373
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-25 10:49:16.736
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-25 10:49:16.099
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-25 10:49:15.415
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-25 10:49:14.556
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-25 10:49:13.784
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_b36bda857faff8dc\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-25 10:49:13.140
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_b36bda857faff8dc\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-25 10:49:12.494
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_b36bda857faff8dc\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-03-25 10:49:11.859
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22665_none_b36bda857faff8dc\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 75%
Total physical RAM: 1789.76 MB
Available physical RAM: 436.05 MB
Total Pagefile: 3829.95 MB
Available Pagefile: 2035.89 MB
Total Virtual: 2047.88 MB
Available Virtual: 1911.48 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:136.05 GB) (Free:77.26 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive g: (30GB) (Removable) (Total:29.81 GB) (Free:29.65 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 149 GB) (Disk ID: 15265156)
Partition 1: (Not Active) - (Size=13 GB) - (Type=27)
Partition 2: (Active) - (Size=136 GB) - (Type=07 NTFS)
 
========================================================
Disk: 3 (MBR Code: Windows 7 or 8) (Size: 30 GB) (Disk ID: 44CF4321)
Partition 1: (Active) - (Size=30 GB) - (Type=0C)
 
==================== End Of Log ============================
 
Thanks as always!!!
 
Frank

 



#10
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts

Also, there is still a TYLoader icon on the desktop but I didn't see the program installed...I believe this is one of the programs the "friend" installed when he was putting music on the PC for the owner to download onto his MP3 player...

Are you sure it says TY and not YT? If it does say TYLoader then right click the icon and click Properties. Then post a screen shot in your next reply. To do that:

 

 

Capture a Screen Shot

 

  • When you have the screen up that you want to capture...click on the ALT key + PRT SCR key. This will put the screen shot in the clipboard.
  • Click on Start>> All Programs>> Accessories>> Paint. A Paint window will open up.
  • Left click in the white area  and press the CTRL + V keys. This will paste the screen shot from the clipboard into the Paint window.
  • On the Menu bar at the top of the Paint window, click on File, click on Save and save it to your desktop.
  • In the File Name box, name it something related to the screen you're capturing.
  • In the Save as type: box, BE SURE TO SAVE IT AS A .JPG ...otherwise it may be too big to upload.

 

Upload a file or Screen Shot and put it in a post:

 

  • Click the More Reply Options button below the post editor box. That will load the Full Editor.
    • Type or copy and paste any text you need in the post. When you get to the point where you want to attach a file:
  • Scroll down and click the Browse... button. A new window will open where you can browse your computer for the file to upload.

    a. Select the file. This will put the file in the File Name box on the File Upload window.
    b. Click Open. The File Upload window will close and the file name will be put next to the Browse... button in the forum post.

  • Click the Attach This File button. This will open a new box with the file in it.
  • Under the file name you will see Add to Post | Delete
  • Click on Add to Post. This will attach the file to the post.
  • Once you have completed your post and are ready to submit it, click the Add Reply button.



#11
frobey

frobey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

I'm sorry, it does say YTDownloader, not TYDownloader....A look at the Properties shows it pointing to

C:\Program Files\YTDownloader\YTDownloader.exe

 

I just checked and at that location is the YTDownloader folder with a bunch of files in it including YTDownloader.exe

 

I also just checked and there is a YTDownloader under Control Panel -> Programs that I swear wasn't there the last time I sent in a report...

 

Frank



#12
godawgs

godawgs

    Teacher

  • Retired Staff
  • 8,228 posts

Hi,
 
All of the OTL logs have shown the YTDownloader link on the desktop. The last OTL log run on March 27th shows YTDownloader in the Program Files folder:
[2014/03/10 21:25:31 | 000,000,000 | ---D | C] -- C:\Program Files\YTDownloader
 
It also shows in the FRST scan. We will uninstall the program and delete the remnants.


Step-1.

Uninstall Program

1. Please click the Start Orb, click Control Panel. Under the Programs or Programs and Features heading click Uninstall a program
2. In the list of programs installed, locate the following program(s):

YTDownloader

3. Right click each program and click Uninstall
4. After the programs have been uninstalled, close the Installed Programs window and the Control Panel.
5. Reboot the computer.
 
 
Step-2.
OTL Fix
Please close all open windows and browsers
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot
 

1. Please copy all of the text in the quote box below (Do Not copy the word Quote). To do this, highlight everything
inside the quote box (except the word Quote), right click and click Copy.

:COMMANDS
[createrestorepoint]
:COMMANDS
[resethosts]
[emptytemp]

 
Warning: This fix is relevant for this system and no other. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.
2. Please re-open OTL on your desktop. To do that:

  • Vista and 7 users: Right click the icon and click Run as Administrator

3. Place the mouse pointer inside the Custom Scans/Fixes textbox, right click and click Paste. This will put the above script inside the textbox.
4. Click the Run Fix button.
5. Let the program run unhindered.
6. OTL may ask to reboot the machine. Please do so if asked.
7. Click the OK button.
8. A report will open. Copy and Paste that report in your next reply.
9. If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, (where mmddyyyy_hhmmss is the date of the tool run).

 
Step-3.
 

Remove YTDownloader from Browsers
 

Internet Explorer:
Click Tools, select Manage Add-ons and search for the entries that could be related to YTDownloader. Disable them. Don't forget to change your start page if it has been altered by this adware.
 

Mozilla Firefox:
Click the down arrow beside Firefox in the upper left corner. Click Add-ons
On the Add-Ons page, click Extensions and look for any YTDownloader related entries. If you find one click the Remove button to the right of it.
Click Plugins and look for any YTDownloader related entries. If you find one click the down arrow in the box to the right and click Never Activate
Close the Add-Ons page.
Also change your start page if it has been altered by this adware.
 

Google Chrome:
Click on the Menu icon -> select "Tools" and click on "Extensions". Locate YTDownloader, select it and click on a trash can icon. Don't forget to change your start page if it has been altered by this adware.
 

Step-4.
 

Farbar Fix
Warning: This fix is relevant for this system and no other. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  • Download the attached fixlist.txt file and save it to the same location where the program is. (It should be the desktop) [attachment=69838:fixlist.txt]
  • Please re-open the Farbar Scan tool. To do that:
  • Right click the FRST.exe file and click Run as Administrator to run the program.
  • Press the Fix button just once and wait. The tool will make a log (Fixlog.txt). Please post it in your next reply.
    The Fixlog.txt file can also be found in the same location that the program was run from.

 

Things For Your Next Post:
Please post the logs in the order requested. Please don't attach the logs unless I request it.
1. Let me know how the program uninstall went.
2. The OTL fixes log
3. The Fixlog.txt log
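The FRST "Scheduled Tasks" section above is where the adware persistence shows up (tasks running Wscript.exe with smhe.js, Rundll32.exe with SysMenu.dll, and unsigned binaries under ShopperPro, YTDownloader and pcreg). As an added example, not from the thread or from FRST/OTL, here is a PowerShell audit that enumerates every task's exec action the same way and flags the ones worth a second look; the launcher list is my own choice, and the script uses PowerShell 2.0 syntax and the Schedule.Service COM API so it runs on a Vista machine.

```powershell
# Added example (not the thread's or FRST's code): list scheduled-task exec actions and
# flag script-host launchers, unsigned/invalid binaries and orphaned (missing) targets.
# Run from an elevated PowerShell so that tasks in every folder are visible.

# Assumption: a hand-picked list of launchers. A task that runs one of these is only as
# trustworthy as the script or DLL named in its arguments, so it always gets flagged.
$launchers = 'wscript.exe', 'cscript.exe', 'rundll32.exe', 'mshta.exe', 'cmd.exe', 'powershell.exe'

function Get-AllTasks($folder) {
    # 1 = TASK_ENUM_HIDDEN, so hidden tasks are returned as well
    foreach ($t in $folder.GetTasks(1)) { $t }
    foreach ($sub in $folder.GetFolders(0)) { Get-AllTasks $sub }
}

function Resolve-ActionPath($rawPath) {
    $p = [Environment]::ExpandEnvironmentVariables($rawPath).Trim('"')
    if (-not [IO.Path]::IsPathRooted($p)) {
        # A bare name such as "Rundll32.exe" is resolved from System32, as the scheduler does
        $p = Join-Path (Join-Path $env:SystemRoot 'System32') $p
    }
    return $p
}

$svc = New-Object -ComObject Schedule.Service
$svc.Connect()

$report = foreach ($task in Get-AllTasks $svc.GetFolder('\')) {
    $actions = $null
    try { $actions = $task.Definition.Actions } catch { continue }   # unreadable task XML
    foreach ($action in $actions) {
        if ($action.Type -ne 0) { continue }      # 0 = TASK_ACTION_EXEC
        $exe   = Resolve-ActionPath $action.Path
        $name  = [IO.Path]::GetFileName($exe).ToLower()
        $flags = @()

        if ($launchers -contains $name) { $flags += 'launcher' }

        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            # NotSigned, HashMismatch, UnknownError... anything but Valid is reported
            if ($sig.Status -ne 'Valid') { $flags += "sig=$($sig.Status)" }
        } else {
            $flags += 'missing'                   # orphaned task; the file is already gone
        }

        New-Object PSObject -Property @{
            Task  = $task.Path
            Exe   = $exe
            Args  = $action.Arguments
            Flags = ($flags -join ',')
        }
    }
}

# Only flagged actions are shown; an empty Flags column means a validly signed, present binary
$report | Where-Object { $_.Flags } | Sort-Object Task | Format-Table Task, Flags, Exe, Args -AutoSize
```

For the launcher rows the interesting part is the Args column (the .js or .dll being run), which is exactly what the fixlist in Step-4 targets.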



#13
frobey

frobey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 67 posts

Good morning,

 

YTLoader was removed successfully from Control Panel -> Programs

 

There were no instances of YTLoader in either IE or Firefox. When I started IE up to check for YTLoader, Tuvaro (www-search.net) came up as the splash screen just as before.

 

The homepage for IE is www.bing.com and for Firefox it is Firefox. www-search.net was listed as one of the search engines in IE, I removed it.

 

Before I had posted here I had been doing a little poking around and found this site http://malwaretips.c...ch-net-removal/.

 

Under Step 3 it talks about tuvaro (www-search.net) being in the Target field, I checked and it is in fact in the Target field of IE on this PC.

 

I did not remove it but wanted to mention that just in case it isn't picked up by these tools that we've been running.

 

Here is the OTLfix log

 

All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== COMMANDS ==========
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: All Users
 
User: d
->Temp folder emptied: 3032648 bytes
->Temporary Internet Files folder emptied: 1746662 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 30454 bytes
RecycleBin emptied: 0 bytes
 
Total Files Cleaned = 5.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 03302014_083205
 
Files\Folders moved on Reboot...
 
PendingFileRenameOperations files...
 
Registry entries deleted on Reboot...
 
Here is the fixlog
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-03-2014  01
Ran by d at 2014-03-30 08:54:34 Run:1
Running from C:\Users\d\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation)
S3 SMUpdd; \??\C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys [X]
2014-03-27 08:35 - 2014-02-15 07:45 - 00000426 _____ () C:\AVScanner.ini
Task: {6084C9AB-B6D1-4171-8AC6-677D1E1EF187} - System32\Tasks\Smp => C:\Program Files\Common Files\Goobzo\GBUpdate\smp.exe
Task: {624AC534-5BCA-41E3-A385-32417352C941} - System32\Tasks\Microsoft\Windows\Maintenance\SMupdate2 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update2
Task: {A958D3A6-A075-4CC6-BFC6-79122B3984AD} - System32\Tasks\ShopperPro => C:\Program Files\ShopperPro\ShopperPro.exe
Task: {B23A77E0-3ADB-4BE7-949F-7267E77C8A72} - System32\Tasks\SMupdate1 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update1
Task: {BF70D891-B11F-4C28-88C5-058618AA7D31} - System32\Tasks\YTDownloaderUpd => C:\Program Files\YTDownloader\updater.exe
Task: {C76A8E75-71C8-467E-BD8A-71CC3736F5B0} - System32\Tasks\ShopperProJSUpd => C:\Program Files\ShopperPro\updater.exe
Task: {CA2E1FCE-1C55-4B5C-ADF7-99D7396B60E8} - System32\Tasks\SMW_UpdateTask_Time_313234323230313636332d3437415a556c2a3223346c41 => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0
Task: {D8C49797-DD8C-4FC6-8825-6C4FEA0D83F4} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe
Task: {DF100C33-678C-4E77-B29A-C858F4F0A83F} - System32\Tasks\Microsoft\Windows\Multimedia\SMupdate3 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update3
C:\Program Files\Common Files\Goobzo
C:\PROGRA~1\COMMON~1\System\SysMenu.dll
C:\Program Files\ShopperPro
C:\Program Files\YTDownloader
C:\ProgramData\SearchModule\smhe.js
C:\Program Files\pcreg
stop
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\Windows Defender => Value deleted successfully.
SMUpdd => Service deleted successfully.
C:\AVScanner.ini => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6084C9AB-B6D1-4171-8AC6-677D1E1EF187} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6084C9AB-B6D1-4171-8AC6-677D1E1EF187} => Key deleted successfully.
C:\Windows\System32\Tasks\Smp => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Smp => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{624AC534-5BCA-41E3-A385-32417352C941} => Key not found.
C:\Windows\System32\Tasks\Microsoft\Windows\Maintenance\SMupdate2 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Maintenance\SMupdate2 => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{A958D3A6-A075-4CC6-BFC6-79122B3984AD} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A958D3A6-A075-4CC6-BFC6-79122B3984AD} => Key deleted successfully.
C:\Windows\System32\Tasks\ShopperPro => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ShopperPro => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B23A77E0-3ADB-4BE7-949F-7267E77C8A72} => Key not found.
C:\Windows\System32\Tasks\SMupdate1 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMupdate1 => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BF70D891-B11F-4C28-88C5-058618AA7D31} => Key not found.
C:\Windows\System32\Tasks\YTDownloaderUpd not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\YTDownloaderUpd => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C76A8E75-71C8-467E-BD8A-71CC3736F5B0} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C76A8E75-71C8-467E-BD8A-71CC3736F5B0} => Key deleted successfully.
C:\Windows\System32\Tasks\ShopperProJSUpd => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ShopperProJSUpd => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CA2E1FCE-1C55-4B5C-ADF7-99D7396B60E8} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA2E1FCE-1C55-4B5C-ADF7-99D7396B60E8} => Key deleted successfully.
C:\Windows\System32\Tasks\SMW_UpdateTask_Time_313234323230313636332d3437415a556c2a3223346c41 => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SMW_UpdateTask_Time_313234323230313636332d3437415a556c2a3223346c41 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D8C49797-DD8C-4FC6-8825-6C4FEA0D83F4} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D8C49797-DD8C-4FC6-8825-6C4FEA0D83F4} => Key deleted successfully.
C:\Windows\System32\Tasks\pcreg => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\pcreg => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DF100C33-678C-4E77-B29A-C858F4F0A83F} => Key not found.
C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia\SMupdate3 not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Multimedia\SMupdate3 => Key not found.
"C:\Program Files\Common Files\Goobzo" => File/Directory not found.
"C:\PROGRA~1\COMMON~1\System\SysMenu.dll" => File/Directory not found.
"C:\Program Files\ShopperPro" => File/Directory not found.
"C:\Program Files\YTDownloader" => File/Directory not found.
"C:\ProgramData\SearchModule\smhe.js" => File/Directory not found.
"C:\Program Files\pcreg" => File/Directory not found.
 
==== End of Fixlog ====
 
Thanks!!
 
Frank
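The fixlist above is a good illustration of how this kind of adware persists: the scheduled tasks it created do not run an obviously named binary but go through rundll32.exe (loading SysMenu.dll from an 8.3 short-name path under Common Files) or wscript.exe (running a .js from ProgramData), and two of them were filed under the Microsoft\Windows task folder to blend in with the system's own tasks. The script below is an added example, not part of the thread and not FRST's own logic: it parses the "Task:" lines from an FRST log and applies those three observations as heuristics. The sample input is copied from the Fixlog above; the rules and their names are this example's assumptions. Note what the rules do not catch: the ShopperPro, YTDownloader and pcreg tasks live in ordinary Program Files folders and only get flagged by knowing the product names, which is what the helper did by hand.

```python
import re

# FRST lists each scheduled task as:  Task: {GUID} - System32\Tasks\<name> => <action>
TASK_RE = re.compile(r"^Task: \{([0-9A-F-]+)\} - System32\\Tasks\\(.+?) => (.+)$", re.I)
# The executable is either a quoted path or everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)', re.I)

# Script hosts and proxy executables that let adware keep its real payload
# (a DLL or a .js file) out of the task's visible executable name.
PROXY_HOSTS = {"rundll32.exe", "wscript.exe", "cscript.exe", "mshta.exe",
               "regsvr32.exe", "powershell.exe", "cmd.exe"}
# Locations where a vendor's "updater" has no business living.
SUSPECT_DIRS = ("\\programdata\\", "\\common files\\", "\\appdata\\", "\\temp\\")


def parse_task(line):
    """Split one FRST task line into GUID, task name, action and host binary."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    guid, name, action = m.groups()
    e = EXE_RE.match(action)
    exe = (e.group(1) or e.group(2)) if e else action.split()[0]
    return {"guid": guid, "name": name, "action": action,
            "host": exe.lower().rsplit("\\", 1)[-1]}


def assess(task):
    """Heuristics assumed by this example (not FRST's rules); returns the reasons
    a task looks like adware persistence, empty if none fire."""
    reasons = []
    action = task["action"].lower()
    if task["host"] in PROXY_HOSTS:
        reasons.append(f"launches through {task['host']}")
    if any(d in action for d in SUSPECT_DIRS):
        reasons.append("payload under ProgramData/Common Files/AppData/Temp")
    if re.search(r"~\d", action):
        reasons.append("8.3 short-name path (PROGRA~1 style)")
    if task["name"].lower().startswith("microsoft\\windows\\") and \
            not re.match(r'^"?(?:c:\\windows\\|%windir%|%systemroot%)', action):
        reasons.append("filed under Microsoft\\Windows but does not run a Windows binary")
    return reasons


def triage(log_text):
    """Return the flagged tasks from an FRST log, in log order, with reasons."""
    flagged = []
    for line in log_text.splitlines():
        task = parse_task(line)
        if task:
            reasons = assess(task)
            if reasons:
                flagged.append({"name": task["name"], "reasons": reasons})
    return flagged


# Sample input copied from the Fixlog in this thread (one non-task line included
# to show it is skipped).
SAMPLE_LOG = r"""
S3 SMUpdd; \??\C:\Program Files\Common Files\Goobzo\GBUpdate\smw.sys [X]
Task: {6084C9AB-B6D1-4171-8AC6-677D1E1EF187} - System32\Tasks\Smp => C:\Program Files\Common Files\Goobzo\GBUpdate\smp.exe
Task: {624AC534-5BCA-41E3-A385-32417352C941} - System32\Tasks\Microsoft\Windows\Maintenance\SMupdate2 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update2
Task: {A958D3A6-A075-4CC6-BFC6-79122B3984AD} - System32\Tasks\ShopperPro => C:\Program Files\ShopperPro\ShopperPro.exe
Task: {B23A77E0-3ADB-4BE7-949F-7267E77C8A72} - System32\Tasks\SMupdate1 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update1
Task: {BF70D891-B11F-4C28-88C5-058618AA7D31} - System32\Tasks\YTDownloaderUpd => C:\Program Files\YTDownloader\updater.exe
Task: {C76A8E75-71C8-467E-BD8A-71CC3736F5B0} - System32\Tasks\ShopperProJSUpd => C:\Program Files\ShopperPro\updater.exe
Task: {CA2E1FCE-1C55-4B5C-ADF7-99D7396B60E8} - System32\Tasks\SMW_UpdateTask_Time_313234323230313636332d3437415a556c2a3223346c41 => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0
Task: {D8C49797-DD8C-4FC6-8825-6C4FEA0D83F4} - System32\Tasks\pcreg => C:\Program Files\pcreg\service.exe
Task: {DF100C33-678C-4E77-B29A-C858F4F0A83F} - System32\Tasks\Microsoft\Windows\Multimedia\SMupdate3 => Rundll32.exe C:\PROGRA~1\COMMON~1\System\SysMenu.dll ,Command701 update3
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
```

Five of the nine tasks are flagged (Smp, both SMupdate tasks under Microsoft\Windows, SMupdate1 and the SearchModule wscript task); the rest need name-based knowledge, so treat the output as a reading aid for the log, not a verdict.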

 

 

 

 


#14 godawgs (Teacher, Retired Staff, 8,228 posts)

You are most welcome.
 

The homepage for IE is www.bing.com and for Firefox it is Firefox. www-search.net was listed as one of the search engines in IE, I removed it.
Before I had posted here I had been doing a little poking around and found this site http://malwaretips.c...h-net-removal/.
Under Step 3 it talks about tuvaro (www-search.net) being in the Target field, I checked and it is in fact in the Target field of IE on this PC.
I did not remove it but wanted to mention that just in case it isn't picked up by these tools that we've been running.

The tools we have used so far will clean the main Tuvaro hijacker, but sometimes they don't clear all of the www-search.net argument from the browsers' shortcut links.

You can go ahead and follow Step 3 of the instructions in the link you posted above to clear the argument, or we can download a program that will clean all shortcuts. I will list instructions for downloading and running the program in Step 1 below. If you don't want to download another program, just follow the directions in Step 3 of the link you posted above.


Step-1.

Run Shortcut Cleaner

Please download Shortcut Cleaner and save it to the desktop.
Right click the sc-cleaner.exe file and click Run as Administrator to run the application. Follow the prompts and post the contents of sc-cleaner.txt in your next reply.

Please disable any screen saver you have running before starting steps 2 and 3.

 

Step-2.

Malwarebytes' Anti-Malware
Close all programs and browsers on your computer and disable any screen saver you might have running.
 

  • Right click the MalwareBytes icon on the desktop and click Run As Administrator, then click the Continue button on the UAC window.
    NOTE: If you get a message to update the database files, click Yes.
  • You will now be at the main program as shown below.

    [screenshot: malwarebytes-quick-scan.jpg]
  • On the Scanner tab, make sure the Quick scan option is selected and then click on the Scan button to start scanning your computer.
    MBAM will now start scanning your computer for malware. This process can take quite a while, so I suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

    [screenshot: malwarebytes-scan.jpg]
  • When the scan is finished a message box will appear as shown in the image below.

    [screenshot: malwarebytes-scan-results.jpg]

    You should click on the OK button to close the message box and continue with the removal process.
  • You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
  • A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

    [screenshot: malwarebytes-virus-removal.jpg]
  • Make sure that everything is checked EXCEPT items in System Restore (see the image below), and click Remove Selected <--- Very Important.

    [screenshot: MBAM_SR.png]
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Step-3.

Run ESET Online Scanner:

Note: Optimized for Internet Explorer, but you can use Chrome or Mozilla Firefox for this scan.

Important! You will need to disable your currently installed Anti-Virus program; how to do so can be read here.

Vista / 7 users: You will need to right-click on either the Internet Explorer or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.


  • Please go here then click on:

    [button: realrunesetscannerbutton.jpg]

    Note: If using Mozilla Firefox, a window will open telling you that you will need to download the ESET Smart Installer. Click on esetsmartinstaller_enu.exe to download the Smart Installer. Save it to the desktop.
    When prompted, double click the esetsmartinstaller_enu.exe icon on the desktop. After successful installation of ESET Smart Installer, ESET Online Scanner is launched in a new window.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • A new window will open:

    [screenshot: eseteula.jpg]
  • Select the option YES, I accept the Terms of Use then click on:

    [button: esetstartaftereulaapproval.jpg]

  • When prompted, allow the Add-On/ActiveX to install. The following window will open:

    [screenshot: esetdirectionalchecks.jpg]
    • Uncheck the box beside Remove Found Threats
    • Check the box Scan archives.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [button: esetstartaftersettingsmade.jpg]
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically. The scan may take several hours.
  • Wait for the scan to finish. Do not touch either the mouse or keyboard during the scan. Otherwise it may stall.

When The Scan is Complete:

A.
If No Threats Were Found:

  • Put a checkmark in Uninstall application on close
  • Close the program
  • Report to me that nothing was found

B.
If Threats Were Found:

  • Click on list of threats found
  • Click on export to text file and save it to the desktop as ESET SCAN.txt
  • Click on Back
  • Put a checkmark in Uninstall application on close. Be sure you have saved the file first.
  • Click on Finish
  • Close the program

Don't forget to enable your Antivirus program and screen saver.


Step-4.

Run Security Check

Download Security Check from here or here and save it to the Desktop.

  • Right click the SecurityCheck icon and click Run as Administrator to run the application. Allow any UAC warnings.
  • Follow the onscreen instructions inside of the black box.

    [screenshot: securitycheck.jpg]
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.


Things For Your Next Post:
Please post the logs in the order requested. Please don't attach the logs unless I request it.
1. Let me know how the computer is running now.
2. The sc-cleaner.txt log (IF you ran the Shortcut Cleaner program)
3. The MalwareBytes log
4. The ESET log (IF it found anything). If it didn't just tell me.
5. The checkup.txt log
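The "Target field" point in the post above is worth seeing at the byte level. A shortcut's Target box in the Properties dialog shows two things joined together: the link's target path and its COMMAND_LINE_ARGUMENTS string. Hijackers like this one leave the target alone and append their URL to the arguments, so the browser is started with the hijacker's page as a parameter no matter what the homepage setting says. That is why fixing the homepage does not help and why Shortcut Cleaner exists. The script below is an added example and not part of the thread or of Shortcut Cleaner; it parses the Shell Link (.lnk) binary format directly, reports a URL-looking argument, and writes a cleaned copy. The sample shortcut it works on is constructed inline to look like an Internet Explorer shortcut with www-search.net appended; no file from this machine is reproduced, and the URL heuristic is this example's assumption.

```python
import re
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK), stored at offset 0x14.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}

# A web address in a browser shortcut's arguments is the hijack signature;
# legitimate switches look like -nohome or -private, never like a URL.
URL_RE = re.compile(r"(?i)(?:https?://)?(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz)(?:/\S*)?")


def _read_string(data, pos, unicode):
    """StringData field: uint16 character count, then the characters (no NUL)."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("cp1252"), pos + count


def parse_lnk(data):
    """Return the StringData fields plus the byte span of Arguments, so a
    caller can rewrite that one field without touching the rest of the file."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:                  # LinkTargetIDList: uint16 size + items
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINKINFO:                # LinkInfo: uint32 size that includes itself
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size
    fields = {"flags": flags, "args_span": None}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                      ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                      ("icon_location", HAS_ICON)):
        if not flags & bit:
            fields[name] = None
            continue
        start = pos
        fields[name], pos = _read_string(data, pos, flags & IS_UNICODE)
        if bit == HAS_ARGS:
            fields["args_span"] = (start, pos)
    return fields


def find_hijack(arguments):
    """Return the URL-looking text in a shortcut's arguments, or None."""
    match = URL_RE.search(arguments or "")
    return match.group(0) if match else None


def strip_hijack(data):
    """Return a copy of the .lnk with URL-looking tokens removed from Arguments.
    When nothing else was there, the HasArguments flag is cleared as well."""
    info = parse_lnk(data)
    if info["args_span"] is None or find_hijack(info["arguments"]) is None:
        return data
    kept = [tok for tok in info["arguments"].split() if not URL_RE.search(tok)]
    cleaned = " ".join(kept)
    flags = info["flags"]
    if cleaned:
        encoded = cleaned.encode("utf-16-le" if flags & IS_UNICODE else "cp1252")
        field = struct.pack("<H", len(cleaned)) + encoded
    else:
        field, flags = b"", flags & ~HAS_ARGS & 0xFFFFFFFF
    start, end = info["args_span"]
    return data[:0x14] + struct.pack("<I", flags) + data[0x18:start] + field + data[end:]


def build_sample_lnk(arguments):
    """Constructed sample (not a file from the thread): a minimal Unicode .lnk
    shaped like an Internet Explorer shortcut. The IDList and LinkInfo blocks
    are size-only placeholders, which is all the parser needs to skip them."""
    flags = HAS_IDLIST | HAS_LINKINFO | HAS_RELPATH | HAS_WORKDIR | IS_UNICODE
    flags |= HAS_ARGS if arguments else 0
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags).ljust(HEADER_SIZE, b"\0")
    idlist = struct.pack("<H", 2) + b"\0\0"                     # TerminalID only
    linkinfo = struct.pack("<I", 0x1C).ljust(0x1C, b"\0")

    def field(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = field(r"..\..\..\Program Files\Internet Explorer\iexplore.exe")
    body += field(r"C:\Program Files\Internet Explorer")
    if arguments:
        body += field(arguments)
    return header + idlist + linkinfo + body


if __name__ == "__main__":
    lnk = build_sample_lnk("http://www-search.net/")
    print("before:", parse_lnk(lnk)["arguments"], "->", find_hijack(parse_lnk(lnk)["arguments"]))
    print("after: ", parse_lnk(strip_hijack(lnk))["arguments"])
```

On a real machine you would feed parse_lnk the bytes of every .lnk under the Desktop, Start Menu and Quick Launch folders (the same places Shortcut Cleaner's log shows it searching) and write strip_hijack's output back only after checking the reported URL, since the heuristic will also flag a URL a user deliberately put there.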

 


#15 frobey (Topic Starter, Member, 67 posts)

Hi,

Computer seems to be running OK. Tuvaro doesn't appear when you start the browsers up now. Hard drive still seems to run constantly, but maybe that's normal for this machine?

I ran the sc-check program; as you can see below it didn't find anything, but as I said earlier IE (and Firefox) both had Tuvaro in their Target. Not sure why the program didn't find that, but I've removed Tuvaro and both open fine now to bing.com.

Malwarebytes didn't find anything. Question if I may: why did you want to remove the checks besides the System Information Volume folder?

ESET found a bunch of things; looks like many of them are in quarantine (didn't realize how long that program was going to take... it got to 75% in like 10 minutes, then took another 1 hour 20 minutes to complete).

sc-check log:

Shortcut Cleaner 1.3.0 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Shortcut Cleaner can be found at this link:
 
Windows Version: Windows Vista ™ Home Basic Service Pack 2
Program started at: 03/30/2014 11:49:07 AM.
 
Scanning for registry hijacks:
 
 * No issues found in the Registry.
 
Searching for Hijacked Shortcuts:
 
Searching C:\Users\d\AppData\Roaming\Microsoft\Windows\Start Menu\
 
Searching C:\ProgramData\Microsoft\Windows\Start Menu\
 
Searching C:\Users\d\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\
 
Searching C:\Users\Public\Desktop\
 
Searching C:\Users\d\Desktop
 
 
0 bad shortcuts found.
 
Program finished at: 03/30/2014 11:49:11 AM
Execution time: 0 hours(s), 0 minute(s), and 3 seconds(s)
 
MBAM log
 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.03.30.03
 
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
d :: D-PC [administrator]
 
3/30/2014 11:31:46 AM
mbam-log-2014-03-30 (11-31-46).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214756
Time elapsed: 12 minute(s), 2 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
ESET log
 

C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\APNSetup.exe.vir a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\UpdateManager.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\apnmcp.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\searchhook.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\ServiceLocator.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\SO.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\toolbar.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\Toolbar.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\ToolbarPS.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\toolbar_x64.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\UpdateManager.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\{PartnerID}\Passport.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\AskPartnerNetwork\Toolbar\{PartnerID}\Passport_x64.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\AskPartnerNetwork\Toolbar\ORJ-V7C\Source\program files\VNT\vntldr.exe.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\AdwCleaner\Quarantine\C\Program Files\Optimizer Pro\OptimizerPro.exe.vir a variant of Win32/SpeedingUpMyPC application
C:\AdwCleaner\Quarantine\C\Program Files\Optimizer Pro\OptProCrash.dll.vir a variant of Win32/SProtector.E potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files\Optimizer Pro\OptProCrashSvc.dll.vir a variant of Win32/SProtector.F potentially unwanted application
C:\Users\d\AppData\Local\Installer\Install_16273\cr.exe a variant of Win32/Packed.ScrambleWrapper.K potentially unwanted application
C:\Users\d\AppData\Local\Installer\Install_16273\ytdownloader_setup_20140203.exe a variant of Win32/SpeedBit.A potentially unwanted application
C:\Users\d\Desktop\ccsetup406.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\d\Desktop\Java.exe Win32/OutBrowse.M potentially unwanted application
C:\_OTL\MovedFiles\03272014_090513\C_Program Files\Common Files\Goobzo\GBUpdate\smci32.dll a variant of Win32/SBWatchman.A potentially unwanted application
C:\_OTL\MovedFiles\03272014_090513\C_Program Files\Common Files\Goobzo\GBUpdate\smei32.dll probably a variant of Win32/SBWatchman.A potentially unwanted application
C:\_OTL\MovedFiles\03272014_090513\C_Program Files\Common Files\Goobzo\GBUpdate\smfi32.dll a variant of Win32/SBWatchman.A potentially unwanted application
C:\_OTL\MovedFiles\03272014_090513\C_Program Files\Common Files\Goobzo\GBUpdate\smi32.exe a variant of Win32/SBWatchman.A potentially unwanted application
C:\_OTL\MovedFiles\03272014_090513\C_Users\d\AppData\Roaming\Mozilla\Firefox\Profiles\6gn3gsks.default\extensions\2eb528f3-950d-48a3-be4b-5d7de6c8331e@a41e199b-6ca4-4d23-ab87-73f2d1973314.com\extensionData\plugins\91_monetizationLoader.js.js JS/Toolbar.Crossrider.B potentially unwanted application
 
Checkup log
 

 Results of screen317's Security Check version 0.99.81  
 Windows Vista Service Pack 2 x86 (UAC is enabled)  
 Internet Explorer 9  
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Security Center service is not running! This report may not be accurate! 
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
Microsoft Security Essentials   
  (On Access scanning disabled!) 
 Error obtaining update status for antivirus!  
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 JavaFX 2.1.1    
 Java 7 Update 51  
 Adobe Flash Player 12.0.0.77  
 Adobe Reader 9 Adobe Reader out of Date! 
 Mozilla Firefox 27.0.1 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes Secure Backup SUpdateNotifier.exe   
 Malwarebytes Secure Backup SMessaging.exe   
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 Malwarebytes Secure Backup SAgent.Service.exe   
 Malwarebytes Secure Backup mbsbscan.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 1 % 
````````````````````End of Log`````````````````````` 
 
 
Thanks!! 
 
Frank

 

