Laptop Settings Suddenly Changed [Solved]


#1
Beatriceswiss (Member, 12 posts)

Hello there, my wife's laptop seems to be experiencing a malware attack.  It's an HP laptop, Windows 8, 64 bit, one year old.  Windows firewall and AVG free edition are used.  Up until yesterday, it ran without any problems.  It seems that all programs still run normally, but the appearance and a few other things have changed overnight.  When the laptop was booted, this is what was found:

 

  • picture at login changed from her personal picture to something that looks like a hand drawn earth globe, with curvy lines of latitude and longitude.
  • Windows task bar colour changed to black (It was the Windows default colour before, not sure what, but it wasn't black).
  • Anywhere on screen where there should normally be white background is now black.  For example, icons have a black background.
  • When Word 2007 is opened, the new blank template is black instead of white.
  • At bottom right of taskbar, to the right of the clock, there is a new icon which we have no idea what it is.

Last night we ran Malwarebytes, Junkware Removal Tool and AdwCleaner.  Malware was found and removed, but after every reboot, the problems remain.

 

Your help in fixing this is greatly appreciated.  Thank you.



#2
zep516 (Trusted Helper, Malware Removal, 6,811 posts)

Hi! My name is zep516 and Welcome to Geekstogo!
I'll do the best I can to resolve your computer issue
Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, don't continue. Stop and ask! Never be afraid to ask questions! :)

Nothing you describe appears to be Malware related, but we can take a look with a diagnostics scan. Please download it to the desktop only.
Please provide any other log files you may have

Please download Farbar Recovery Scan Tool and save it to your Desktop. 64 Bit for you.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


#3
Beatriceswiss (Topic Starter, Member, 12 posts)

Thanks for your assistance zep516.  I'm having a bit of difficulty in saving the Farbar tool to the desktop.  How do I select the desktop as the download location?  It downloads but doesn't go to the desktop.  A small box in the lower left of the screen appears that has the executable file.  Also, I'm trying to make this forum a shortcut on the desktop, but when I right click, there is no option to create a shortcut.  Thanks.

 

I managed to get the tool to the desktop by a roundabout way, but I would still appreciate knowing how to download these things to the desktop.  I also figured out how to make website desktop shortcuts with Windows 8.

 

I ran the tool and it produced both logs.  However, the logs were white letters on a black background.  When I copied and pasted into this reply, it took about 30 seconds before each post appeared in the reply as black letters on a white background.  Then, when I went to save changes, it wouldn't.  So I have the logs, but they won't post.  Is there any way I can make black letters on a white background while in Notepad, and then post them?


Edited by Beatriceswiss, 30 March 2015 - 04:23 PM.


#4
zep516 (Trusted Helper, Malware Removal, 6,811 posts)

Saving files to your desktop.


It's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
  • Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
  • Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.
  • Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

#5
Beatriceswiss (Topic Starter, Member, 12 posts)

OK, thank you. Download business is now sorted out.  But what about the problem I'm now having posting the logs (see Post #3)?  I think the black background is too large to post.



#6
zep516 (Trusted Helper, Malware Removal, 6,811 posts)

Hello,

Windows 8 and 8.1 sometimes have an issue posting because the logs are too big. Can you just try attaching the logs? Do you need instructions on how to do that? I'm not sure about the black background you're experiencing.

Joe

#7
Beatriceswiss (Topic Starter, Member, 12 posts)

OK, here are the two attached log files.  This is how they look on the laptop in Notepad after the scan.

Attached files: FRST.txt (476.13KB), Addition.txt (21.82KB)



#8
zep516 (Trusted Helper, Malware Removal, 6,811 posts)

I'm going to paste them in so everything is in 1 place. I took out the Microsoft files so it fits.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 11-03-2015
Ran by Beatrice (administrator) on BEATRICE on 30-03-2015 18:05:29
Running from C:\Users\Beatrice\Desktop
Loaded Profiles: Beatrice (Available profiles: Beatrice)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
() C:\Program Files\ATI Technologies\ATI.ACE\a4\AdaptiveSleepService.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
(Nero AG) C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
(BitTorrent Inc.) C:\Users\Beatrice\AppData\Roaming\uTorrent\uTorrent.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet 4620 series\Bin\ScanToPCActivationApp.exe
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe
(Dropbox, Inc.) C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerSt.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
(Adobe Systems Inc.) C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Officejet 4620 series\Bin\HPNetworkCommunicator.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7194840 2013-07-26] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2771184 2013-07-26] (Synaptics Incorporated)
HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-01-18] (IvoSoft)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-02-13] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-08-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AccelerometerSysTrayApplet] => C:\Program Files (x86)\Hewlett-Packard\HP 3D DriveGuard\AccelerometerST.exe [77088 2013-07-24] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [1045304 2013-07-23] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3723728 2015-03-06] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [Adobe Acrobat Speed Launcher] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe [37232 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Acrobat Assistant 8.0] => C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe [640376 2008-06-11] (Adobe Systems Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [1985824 2013-07-25] (Wondershare)
HKU\S-1-5-21-3281177217-869368764-2006139627-1002\...\Run: [AVG-Secure-Search-Update_0214c] => C:\Users\Beatrice\AppData\Roaming\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=866453ef907a47d2a1e59913f05f23cd-7b0c96f9aa992d7393c82dd82ae949bc32978813 /CMPID=0214c
HKU\S-1-5-21-3281177217-869368764-2006139627-1002\...\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] => C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [153136 2007-03-12] (Nero AG)
HKU\S-1-5-21-3281177217-869368764-2006139627-1002\...\Run: [uTorrent] => C:\Users\Beatrice\AppData\Roaming\uTorrent\uTorrent.exe [1374032 2015-01-15] (BitTorrent Inc.)
HKU\S-1-5-21-3281177217-869368764-2006139627-1002\...\Run: [BlackBerryLink.exe] => "C:\Program Files (x86)\Research In Motion\BlackBerry Link\BlackBerryLink.exe" /minimize
HKU\S-1-5-21-3281177217-869368764-2006139627-1002\...\Run: [HP Officejet 4620 series (NET)] => C:\Program Files\HP\HP Officejet 4620 series\Bin\ScanToPCActivationApp.exe [2573416 2012-10-17] (Hewlett-Packard Co.)
HKU\S-1-5-21-3281177217-869368764-2006139627-1002\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [688984 2014-12-31] (Garmin Ltd or its subsidiaries)
AppInit_DLLs: acaptuser64.dll => C:\Windows\system32\acaptuser64.dll [119160 2008-06-12] (Adobe Systems, Inc.)
AppInit_DLLs-x32: acaptuser32.dll => "acaptuser32.dll" File Not Found
Startup: C:\Users\Beatrice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:59220;https=127.0.0.1:59220
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCON14/4
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCON14/4
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCON14/4
HKU\S-1-5-21-3281177217-869368764-2006139627-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPCON14/4
SearchScopes: HKLM -> {4A033BE2-44B8-4954-BB49-126C850FAF6E} URL = http://www.amazon.ca...s={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...56705-11896-0/4?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3281177217-869368764-2006139627-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-01-18] (IvoSoft)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2014-01-18] (IvoSoft)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-01-18] (IvoSoft)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-01-18] (IvoSoft)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-01-18] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-01-18] (IvoSoft)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll [2008-06-11] (Adobe Systems Incorporated)
Hosts: Hosts file not detected in the default directory
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1203133.dll [2013-06-26] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2013-02-06] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-06] (Google Inc.)

Chrome:
=======
CHR Profile: C:\Users\Beatrice\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Beatrice\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-02-24]
CHR Extension: (Google Drive) - C:\Users\Beatrice\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-02-24]
CHR Extension: (YouTube) - C:\Users\Beatrice\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-02-24]
CHR Extension: (Google Search) - C:\Users\Beatrice\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-02-24]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Beatrice\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-14]
CHR Extension: (Google Wallet) - C:\Users\Beatrice\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-02-24]
CHR Extension: (Gmail) - C:\Users\Beatrice\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-02-24]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdaptiveSleepService; C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe [99328 2013-08-19] () [File not signed]
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-08-19] (Advanced Micro Devices, Inc.) [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3416016 2015-03-06] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [309232 2015-03-06] (AVG Technologies CZ, s.r.o.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-10-28] (Microsoft Corporation)
S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2014-02-26] (Macrovision Europe Ltd.) [File not signed]
R2 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [451416 2014-12-31] (Garmin Ltd or its subsidiaries)
R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [1039160 2013-07-23] (Hewlett-Packard Development Company, L.P.)
R3 NMIndexingService; C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe [271920 2007-03-12] (Nero AG)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [246488 2013-06-18] (Realtek Semiconductor)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2013-08-26] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
S2 mcbootdelaystartsvc; "C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 AmdAS4; C:\Windows\System32\drivers\AmdAS4.sys [17504 2013-02-07] (Advanced Micro Devices, INC.)
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [138240 2013-06-23] (Advanced Micro Devices)
S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [20496 2013-09-04] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [280544 2015-02-24] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [203544 2014-11-18] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [341472 2015-02-03] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [133088 2015-02-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [289248 2015-02-20] (AVG Technologies CZ, s.r.o.)
R3 BthLEEnum; C:\Windows\System32\drivers\BthLEEnum.sys [226304 2013-12-04] (Microsoft Corporation)
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-10-19] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-10-19] (Windows ® Win 7 DDK provider)
S3 libusb0; C:\Windows\system32\DRIVERS\libusb0.sys [44480 2013-09-23] (http://libusb-win32.sourceforge.net)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [79872 2013-12-02] (BlackBerry Limited)
S3 rimvndis; C:\Windows\System32\Drivers\rimvndis6_AMD64.sys [17920 2014-06-23] (Research in Motion Limited)
S3 RimVSerPort; C:\Windows\system32\DRIVERS\RimSerial_AMD64.sys [44544 2012-12-10] (Research in Motion Ltd)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290008 2013-07-05] (Realtek Semiconductor Corp.)
R3 rtbth; C:\Windows\System32\drivers\rtbth.sys [1204424 2013-12-02] (Ralink Technology, Corp.)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [30448 2013-07-26] (Synaptics Incorporated)
S3 SmbDrvI; C:\Windows\System32\drivers\Smb_driver_Intel.sys [34544 2013-07-26] (Synaptics Incorporated)
S3 SWDUMon; C:\Windows\system32\DRIVERS\SWDUMon.sys [16152 2014-09-20] ()
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2013-07-22] (Hewlett-Packard Development Company, L.P.)
S3 clwvd; \SystemRoot\system32\DRIVERS\clwvd.sys [X]
U3 McMPFSvc; No ImagePath
U3 McNaiAnn; No ImagePath
U3 mcpltsvc; No ImagePath
U3 McProxy; No ImagePath
U3 mfecore; No ImagePath
U3 MSK80Service; No ImagePath
S0 nbsx; System32\drivers\qhjejf.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-30 18:03 - 2015-03-30 18:03 - 00003217 _____ () C:\Users\Beatrice\Desktop\Virus, Spyware, Malware Removal - Geeks to Go Forum.lnk
2015-03-30 17:43 - 2015-03-30 17:44 - 00022346 _____ () C:\Users\Beatrice\Desktop\Addition.txt
2015-03-30 17:39 - 2015-03-30 18:05 - 00019512 _____ () C:\Users\Beatrice\Desktop\FRST.txt
2015-03-30 17:38 - 2015-03-30 18:05 - 00000000 ____D () C:\FRST
2015-03-30 17:36 - 2015-03-30 17:36 - 02095616 _____ (Farbar) C:\Users\Beatrice\Desktop\FRST64.exe
2015-03-30 17:19 - 2015-03-30 17:20 - 02095616 _____ (Farbar) C:\Users\Beatrice\Downloads\FRST64.exe
2015-03-29 22:42 - 2015-03-29 22:42 - 02208768 _____ () C:\Users\Beatrice\Downloads\AdwCleaner (2).exe
2015-03-29 22:41 - 2015-03-29 22:41 - 02208768 _____ () C:\Users\Beatrice\Downloads\AdwCleaner (1).exe
2015-03-29 22:27 - 2015-03-29 22:27 - 01389240 _____ (Thisisu) C:\Users\Beatrice\Downloads\JRT (3).exe
2015-03-29 22:26 - 2015-03-29 22:27 - 01389240 _____ (Thisisu) C:\Users\Beatrice\Downloads\JRT (2).exe
2015-03-25 23:40 - 2015-03-25 23:40 - 00250637 _____ () C:\Users\Beatrice\Downloads\flyer.zip
2015-03-20 14:13 - 2015-03-30 00:39 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-03-14 15:10 - 2012-07-04 11:55 - 01354240 _____ (CANON INC.) C:\Windows\system32\CNQ2414C.dll
2015-03-14 15:10 - 2012-07-04 11:55 - 00112128 _____ (CANON INC.) C:\Windows\system32\CNQ2414I.dll
2015-03-14 15:10 - 2012-07-04 11:29 - 00106496 _____ (CANON INC.) C:\Windows\SysWOW64\CNQ2414U.dll
2015-03-14 15:10 - 2010-12-17 14:49 - 00515072 _____ (CANON INC.) C:\Windows\system32\CNQ2414L.dll
2015-03-14 15:10 - 2010-12-17 14:49 - 00438272 _____ (CANON INC.) C:\Windows\SysWOW64\CNQ2414L.dll
2015-03-14 15:10 - 2010-03-19 10:04 - 00393256 _____ () C:\Windows\SysWOW64\CNQ2414N.DAT
2015-03-14 15:10 - 2008-08-25 18:02 - 00017920 _____ (CANON INC.) C:\Windows\system32\CNHMCA6.dll
2015-03-14 15:10 - 2008-08-25 18:02 - 00015872 _____ (CANON INC.) C:\Windows\SysWOW64\CNHMCA.dll

2015-03-11 21:58 - 2015-03-14 05:50 - 00000000 ____D () C:\Users\Beatrice\Desktop\2014 pics
2015-03-11 08:43 - 2015-03-11 08:43 - 00001772 _____ () C:\Users\Public\Desktop\iTunes.lnk
2015-03-11 08:43 - 2015-03-11 08:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2015-03-11 08:42 - 2015-03-11 08:43 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2015-03-11 08:42 - 2015-03-11 08:43 - 00000000 ____D () C:\Program Files\iTunes
2015-03-11 08:42 - 2015-03-11 08:42 - 00000000 ____D () C:\Program Files\iPod
2015-03-11 08:42 - 2015-03-11 08:42 - 00000000 ____D () C:\Program Files (x86)\iTunes
2015-03-11 08:23 - 2015-03-05 22:53 - 00430080 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-03-11 08:23 - 2015-03-05 22:33 - 00358912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-03-11 08:23 - 2015-02-25 19:26 - 04178944 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-03-11 08:23 - 2015-01-30 19:42 - 03097600 _____ (Microsoft Corporation) C:\Windows\system32\msftedit.dll
2015-03-11 08:23 - 2015-01-30 19:29 - 02484224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msftedit.dll
2015-03-11 08:23 - 2015-01-28 21:58 - 00347136 _____ (Microsoft Corporation) C:\Windows\system32\photowiz.dll
2015-03-11 08:23 - 2015-01-28 21:29 - 00290816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\photowiz.dll
2015-03-11 08:23 - 2015-01-26 23:44 - 00933888 _____ (Microsoft Corporation) C:\Windows\system32\calc.exe
2015-03-11 08:23 - 2015-01-23 21:51 - 00816128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\calc.exe
2015-03-11 08:23 - 2015-01-23 03:17 - 00723072 _____ (Microsoft Corporation) C:\Windows\system32\SHCore.dll
2015-03-11 08:23 - 2015-01-23 01:02 - 00560392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SHCore.dll
2015-03-11 08:22 - 2015-02-19 23:03 - 00358912 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-03-11 08:22 - 2015-02-19 22:58 - 00044032 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-03-11 08:22 - 2015-02-19 22:20 - 00301056 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2015-03-11 08:22 - 2015-02-19 22:15 - 00035840 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2015-03-11 08:22 - 2015-02-06 19:09 - 00396419 _____ () C:\Windows\system32\ApnDatabase.xml

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-30 18:04 - 2014-04-04 21:48 - 00000000 ____D () C:\Users\Beatrice\AppData\Roaming\uTorrent
2015-03-30 17:31 - 2014-04-06 09:50 - 00000924 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-03-30 17:20 - 2014-02-24 22:32 - 01105538 _____ () C:\Windows\WindowsUpdate.log
2015-03-30 17:13 - 2014-02-24 22:57 - 00000000 ____D () C:\Users\Beatrice\AppData\Roaming\ClassicShell
2015-03-30 17:03 - 2014-02-24 22:49 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3281177217-869368764-2006139627-1002
2015-03-30 17:02 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\system32\sru
2015-03-30 17:00 - 2014-06-10 22:36 - 00000000 ___RD () C:\Users\Beatrice\Dropbox
2015-03-30 17:00 - 2014-06-10 22:34 - 00000000 ____D () C:\Users\Beatrice\AppData\Roaming\Dropbox
2015-03-30 16:58 - 2014-04-06 09:50 - 00000920 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-03-30 16:58 - 2014-02-24 22:39 - 00000000 ____D () C:\Users\Beatrice
2015-03-30 05:45 - 2013-10-07 03:40 - 00065536 _____ () C:\Windows\system32\spu_storage.bin
2015-03-30 00:51 - 2013-08-26 02:09 - 00956476 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-30 00:46 - 2013-08-22 11:36 - 00000000 ____D () C:\Program Files\Windows Defender
2015-03-30 00:46 - 2013-08-22 10:46 - 00045730 _____ () C:\Windows\setupact.log
2015-03-30 00:46 - 2013-08-22 10:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-30 00:45 - 2014-03-31 20:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-03-30 00:45 - 2014-02-25 17:53 - 00000000 ____D () C:\ProgramData\MFAData
2015-03-30 00:45 - 2013-08-22 11:36 - 00000000 ___HD () C:\Windows\ELAMBKUP
2015-03-30 00:39 - 2013-08-22 11:36 - 00000000 ___SD () C:\Windows\system32\dsc
2015-03-30 00:39 - 2013-08-22 11:36 - 00000000 ___SD () C:\Windows\system32\Configuration
2015-03-30 00:39 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\SysWOW64\InputMethod
2015-03-30 00:39 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\SysWOW64\IME
2015-03-30 00:39 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\system32\migwiz
2015-03-30 00:39 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\system32\InputMethod
2015-03-30 00:39 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\system32\IME
2015-03-30 00:39 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\registration
2015-03-30 00:39 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\Sysprep
2015-03-30 00:39 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\servicing
2015-03-30 00:38 - 2014-10-18 23:55 - 00000000 ____D () C:\ProgramData\AVG2015
2015-03-30 00:38 - 2014-04-07 20:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-03-30 00:38 - 2014-04-07 20:20 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-03-30 00:38 - 2014-02-25 18:02 - 00000000 ____D () C:\Program Files (x86)\AVG
2015-03-30 00:38 - 2013-08-22 11:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-30 00:38 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\rescache
2015-03-30 00:38 - 2013-08-22 11:36 - 00000000 ____D () C:\Program Files\Common Files\System
2015-03-30 00:33 - 2014-10-18 23:49 - 00000000 ____D () C:\Users\Beatrice\AppData\Local\Avg2015
2015-03-30 00:29 - 2013-08-22 09:25 - 00262144 ___SH () C:\Windows\system32\config\ELAM
2015-03-30 00:28 - 2014-02-25 18:03 - 00000000 ___HD () C:\$AVG
2015-03-29 22:46 - 2014-04-07 19:24 - 00000000 ____D () C:\AdwCleaner
2015-03-29 22:38 - 2013-08-26 02:01 - 00138560 _____ () C:\Windows\PFRO.log
2015-03-29 22:23 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\MediaViewer
2015-03-29 22:23 - 2013-08-22 09:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-03-29 21:39 - 2014-04-07 20:20 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-29 21:39 - 2014-04-07 20:20 - 00001081 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-03-29 00:19 - 2014-02-24 22:43 - 00003938 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{E86B3FDE-7E6F-4AC9-87C7-512C4E67B12B}
2015-03-24 06:24 - 2015-01-20 23:44 - 00000000 ____D () C:\Users\Beatrice\Documents\2015 registrations
2015-03-21 15:32 - 2014-04-06 09:51 - 00002170 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-03-20 14:23 - 2013-08-22 11:37 - 00006055 _____ () C:\Windows\DtcInstall.log
2015-03-20 14:17 - 2013-08-22 15:12 - 00000000 ____D () C:\Program Files\Windows Journal
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ___RD () C:\Windows\ToastData
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\FileManager
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\Camera
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ____D () C:\Program Files\Windows Portable Devices
2015-03-20 14:17 - 2013-08-22 11:36 - 00000000 ____D () C:\Program Files\Windows Multimedia Platform
2015-03-20 14:16 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\SysWOW64\sppui
2015-03-20 14:16 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\SysWOW64\setup
2015-03-20 14:16 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\SysWOW64\migwiz
2015-03-20 14:16 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\SysWOW64\inetsrv
2015-03-20 14:16 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\SysWOW64\Com
2015-03-20 14:16 - 2013-08-22 11:36 - 00000000 ____D () C:\Program Files\Windows Photo Viewer
2015-03-20 14:16 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\SysWOW64\oobe
2015-03-20 14:16 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\SysWOW64\Dism
2015-03-20 14:15 - 2013-08-22 11:36 - 00000000 ___RD () C:\Windows\ImmersiveControlPanel
2015-03-20 14:15 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\system32\WinBioPlugIns
2015-03-20 14:15 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\system32\SystemResetPlatform
2015-03-20 14:15 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\system32\sppui
2015-03-20 14:15 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\system32\setup
2015-03-20 14:15 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\system32\inetsrv
2015-03-20 14:15 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\system32\Com
2015-03-20 14:15 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\IME
2015-03-20 14:15 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\oobe
2015-03-20 14:15 - 2013-08-22 09:36 - 00000000 ____D () C:\Windows\system32\Dism
2015-03-20 14:13 - 2013-08-22 11:36 - 00000000 ____D () C:\Program Files\WindowsPowerShell
2015-03-20 14:13 - 2013-08-22 11:36 - 00000000 ____D () C:\Program Files (x86)\Windows Portable Devices
2015-03-20 14:13 - 2013-08-22 11:36 - 00000000 ____D () C:\Program Files (x86)\Windows Photo Viewer
2015-03-20 14:13 - 2013-08-22 11:36 - 00000000 ____D () C:\Program Files (x86)\Windows Multimedia Platform
2015-03-20 08:51 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\system32\NDF
2015-03-20 08:43 - 2014-10-18 23:58 - 00000948 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2015-03-16 10:00 - 2014-07-05 11:17 - 00000000 ____D () C:\Users\Beatrice\Documents\ladies trips
2015-03-15 18:36 - 2013-08-22 11:20 - 00000000 ____D () C:\Windows\CbsTemp
2015-03-15 18:32 - 2013-08-22 11:36 - 00215552 _____ (Microsoft Corporation) C:\Windows\system32\msclmd.dll
2015-03-15 18:32 - 2013-08-22 11:36 - 00195072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2015-03-14 15:11 - 2013-08-22 11:36 - 00000000 __RSD () C:\Windows\Media
2015-03-14 03:24 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-03-13 17:37 - 2014-06-10 22:36 - 00001084 _____ () C:\Users\Beatrice\Desktop\Dropbox.lnk
2015-03-13 17:37 - 2014-06-10 22:35 - 00000000 ____D () C:\Users\Beatrice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2015-03-13 03:44 - 2014-02-26 17:49 - 00000000 ____D () C:\Users\Beatrice\AppData\Local\Microsoft Help
2015-03-12 07:09 - 2014-02-24 22:47 - 00000000 ___RD () C:\Users\Beatrice\SkyDrive
2015-03-12 07:06 - 2013-08-22 10:44 - 00489376 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-11 23:39 - 2013-08-22 11:36 - 00000000 ____D () C:\Program Files (x86)\Windows Defender
2015-03-11 23:38 - 2013-08-22 11:36 - 00000000 ____D () C:\Windows\WinStore
2015-03-11 22:45 - 2014-02-26 17:49 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-11 22:35 - 2014-02-26 18:21 - 00000000 ____D () C:\Windows\system32\MRT
2015-03-11 22:25 - 2014-02-26 18:20 - 122905848 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-03-11 22:21 - 2014-02-26 17:58 - 00000039 _____ () C:\Windows\vbaddin.ini
2015-03-11 21:56 - 2014-07-01 15:43 - 00275456 ___SH () C:\Users\Beatrice\Desktop\Thumbs.db
2015-03-11 08:42 - 2014-06-23 22:29 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2015-03-11 08:42 - 2014-04-04 22:12 - 00000000 ____D () C:\Program Files\Common Files\Apple
2015-03-04 17:24 - 2014-12-12 23:19 - 00792032 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-03-04 17:24 - 2014-12-12 23:19 - 00178144 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-03-02 00:07 - 2014-03-30 14:01 - 00000000 ____D () C:\Users\Beatrice\Documents\2014 registrations

==================== Files in the root of some directories =======

2014-04-06 09:24 - 2014-04-06 09:24 - 0000000 _____ () C:\Users\Beatrice\AppData\Roaming\bitlord_log.txt
2014-09-29 23:04 - 2014-10-05 22:22 - 0000385 _____ () C:\Users\Beatrice\AppData\Roaming\Rim.Desktop.Exception.log
2014-09-29 23:03 - 2014-10-19 05:53 - 0001937 _____ () C:\Users\Beatrice\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2014-09-29 23:04 - 2014-10-05 22:22 - 0000385 _____ () C:\Users\Beatrice\AppData\Roaming\Rim.DesktopHelper.Exception.log
2015-01-25 19:37 - 2015-01-25 19:37 - 0003584 _____ () C:\Users\Beatrice\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-03-01 21:59 - 2014-03-01 21:59 - 0000057 _____ () C:\ProgramData\Ament.ini

Some content of TEMP:
====================
C:\Users\Beatrice\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpc_xnve.dll
C:\Users\Beatrice\AppData\Local\Temp\ose00000.exe
C:\Users\Beatrice\AppData\Local\Temp\Quarantine.exe
C:\Users\Beatrice\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-28 08:06

==================== End Of Log ============================
  • 0

#9
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Additions.txt file to follow,

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 11-03-2015
Ran by Beatrice at 2015-03-30 18:07:42
Running from C:\Users\Beatrice\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: AVG AntiVirus Free Edition 2015 (Disabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Disabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-3281177217-869368764-2006139627-1002\...\uTorrent) (Version: 3.4.2.37754 - BitTorrent Inc.)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch (HKLM-x32\...\{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}) (Version: 9.0.0 - Adobe Systems)
Adobe Acrobat 9 Pro Extended 64-bit Add-On (HKLM\...\{AC76BA86-1033-0000-0064-0003D0000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.3.133 - Adobe Systems, Inc.)
AMD Catalyst Install Manager (HKLM\...\{E825A27F-01E0-1BB8-6A7D-DD769D57E4B0}) (Version: 8.0.915.0 - Advanced Micro Devices, Inc.)
ANT Drivers Installer x64 (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
Apple Application Support (32-bit) (HKLM-x32\...\{447CDCE5-F555-429B-BFA6-642C3C6D684F}) (Version: 3.1.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{0DF7096B-715A-4233-8633-C7A16ED6D616}) (Version: 3.1.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{C4123106-B685-48E6-B9BD-E4F911841EB4}) (Version: 8.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5856 - AVG Technologies)
AVG 2015 (Version: 15.0.4315 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5856 - AVG Technologies) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Classic Shell (HKLM\...\{2368907C-E8F6-4750-A023-254C3E2B5E8D}) (Version: 4.0.4 - IvoSoft)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DriverUpdate (HKLM-x32\...\{E2A3A216-9DFE-4EC1-AA69-162588FEF014}) (Version: 2.2.36929 - SlimWare Utilities, Inc.)
Dropbox (HKU\S-1-5-21-3281177217-869368764-2006139627-1002\...\Dropbox) (Version: 3.2.9 - Dropbox, Inc.)
Elevated Installer (x32 Version: 3.2.27.0 - Garmin Ltd or its subsidiaries) Hidden
Energy Star (HKLM-x32\...\{FC0ADA4D-8FA5-4452-8AFF-F0A0BAC97EF7}) (Version: 1.0.9 - Hewlett-Packard Company)
Galerie de photos (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
Garmin Express (HKLM-x32\...\{855d8086-4275-4bd3-a7a8-b44da3a56d7a}) (Version: 3.2.27.0 - Garmin Ltd or its subsidiaries)
Garmin Express (x32 Version: 3.2.27.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (x32 Version: 3.2.27.0 - Garmin Ltd or its subsidiaries) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 41.0.2272.101 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
HP 3D DriveGuard (HKLM-x32\...\{07F6DC37-0857-4B68-A675-4E35989E85E3}) (Version: 6.0.15.1 - Hewlett-Packard Company)
HP CoolSense (HKLM-x32\...\{59F8C5AA-91BD-423D-BF05-09A80F39898F}) (Version: 2.10.62 - Hewlett-Packard Company)
HP Officejet 4620 series Basic Device Software (HKLM\...\{B411AD10-1BC9-4939-8848-BC5E66F662B7}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7045.4591 - Hewlett-Packard)
HP System Event Utility (HKLM-x32\...\{23EF407B-E7D0-4CB6-8916-43E5B9EEFDED}) (Version: 1.0.9 - Hewlett-Packard Company)
HP Utility Center (HKLM\...\{AED1C141-3AFC-47FE-AE90-C820AA60B103}) (Version: 2.2.5 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{30B2D1D8-0A07-4B71-9553-0710C5D31E35}) (Version: 1.1.2.1 - Hewlett-Packard Company)
iTunes (HKLM\...\{D227565A-0033-40AD-89BA-653A205CDC11}) (Version: 12.1.1.4 - Apple Inc.)
K-Lite Mega Codec Pack 10.3.0 (HKLM-x32\...\KLiteCodecPack_is1) (Version: 10.3.0 - )
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Project 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-003B-0000-0000-0000000FF1CE}_PRJPRO_{8446EB22-A746-46DC-B1BD-E0DFA1F3CDDA}) (Version: - Microsoft)
Microsoft Office Project Professional 2007 (HKLM-x32\...\PRJPRO) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Visio 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{CE144BF4-4950-4CDB-A5F7-CCE1888F49CB}) (Version: - Microsoft)
Microsoft Office Visio Professional 2007 (HKLM-x32\...\VISPRO) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
Nero 7 Ultra Edition (HKLM-x32\...\{43FFE159-3199-4188-A1CD-629166AD1033}) (Version: 7.02.6445 - Nero AG)
OEM Application Profile (HKLM-x32\...\{70D5F822-F4C4-33D9-7EEC-2A4AF4EA7BDC}) (Version: 1.00.0000 - Advanced Micro Devices, Inc.)
Ralink Bluetooth Stack64 (HKLM\...\{8A2E2A41-B814-407E-2F96-4E433C42AB78}) (Version: 11.0.739.0 - Mediatek)
Ralink RT3290 802.11bgn Wi-Fi Adapter (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309AF}) (Version: 5.0.29.8105 - Mediatek)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.29068 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.20.815.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7004 - Realtek Semiconductor Corp.)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 17.0.6.2 - Synaptics Incorporated)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-003B-0000-0000-0000000FF1CE}_PRJPRO_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows Driver Package - Dynastream Innovations, Inc. ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.)
Windows Driver Package - Silicon Labs Software (DSI_SiUSBXp_3_1) USB (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation)
WinRAR archiver (HKLM-x32\...\WinRAR archiver) (Version: - )

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3281177217-869368764-2006139627-1002_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3281177217-869368764-2006139627-1002_Classes\CLSID\{ECD97DE5-3C8F-4ACB-AEEE-CCAB78F7711C}\InprocServer32 -> C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3281177217-869368764-2006139627-1002_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3281177217-869368764-2006139627-1002_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3281177217-869368764-2006139627-1002_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3281177217-869368764-2006139627-1002_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3281177217-869368764-2006139627-1002_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3281177217-869368764-2006139627-1002_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3281177217-869368764-2006139627-1002_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-3281177217-869368764-2006139627-1002_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)

==================== Restore Points =========================

16-02-2015 22:07:32 Windows Update
11-03-2015 08:55:25 Windows Update
15-03-2015 18:13:23 Windows Update
29-03-2015 23:33:59 Restore Operation

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {2851BE0E-70F2-4659-B15D-B2FAD39288E8} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe
Task: {41F9C459-FC08-4265-8E17-BFA27BBCA914} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-06] (Google Inc.)
Task: {4B6CA124-0ECD-4915-B22D-AD4B41713B39} - System32\Tasks\GarminUpdaterTask => C:\Program Files (x86)\Garmin\Express Self Updater\ExpressSelfUpdater.exe [2014-12-31] ()
Task: {5DA8520C-8C9E-4F90-BAC2-03C92A80859C} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2013-07-26] (Synaptics Incorporated)
Task: {BBF4AC2F-7854-45DB-85D7-B7A22AA481D8} - System32\Tasks\Hewlett-Packard\HP CoolSense\HP CoolSense Start at Logon => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [2013-06-07] (Hewlett-Packard Development Company, L.P.)
Task: {C4D270E8-969C-47BC-8CE3-5D319649DA5D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-06] (Google Inc.)
Task: {D1652D6B-C41C-4626-B9B1-1C978164734D} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\Windows\system32\MRT.exe [2015-03-11] (Microsoft Corporation)
Task: {D7C72A49-D133-4565-BA67-093A259286C0} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: C:\Windows\Tasks\0215avUpdateInfo.job => C:\ProgramData\Avg_Update_0215av\0215av_AVG-Secure-Search-Update.exe
Task: C:\Windows\Tasks\0814avUpdateInfo.job => C:\ProgramData\Avg_Update_0814av\0814av_AVG-Secure-Search-Update.exe
Task: C:\Windows\Tasks\1114avUpdateInfo.job => C:\ProgramData\Avg_Update_1114av\1114av_AVG-Secure-Search-Update.exe
Task: C:\Windows\Tasks\1214avUpdateInfo.job => C:\ProgramData\Avg_Update_1214av\1214av_AVG-Secure-Search-Update.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2013-08-19 16:48 - 2013-08-19 16:48 - 00099328 _____ () C:\Program Files\ATI Technologies\ATI.ACE\A4\AdaptiveSleepService.exe
2013-08-19 16:47 - 2013-08-19 16:47 - 00127488 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Container.Wlan.dll
2015-02-13 04:20 - 2015-02-13 04:20 - 00085832 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-02-13 04:20 - 2015-02-13 04:20 - 01346344 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2014-02-26 20:55 - 2006-12-11 03:14 - 00043008 _____ () C:\Program Files (x86)\WinRar\rarext64.dll
2013-08-19 16:47 - 2013-08-19 16:47 - 00102400 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
2013-08-19 16:48 - 2013-08-19 16:48 - 00016896 _____ () C:\Program Files\ATI Technologies\ATI.ACE\a4\AS4.NativeProxy.dll
2015-03-04 18:08 - 2015-03-04 18:08 - 00750080 _____ () C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\libGLESv2.dll
2015-03-30 16:59 - 2015-03-30 16:59 - 00043008 _____ () c:\users\beatrice\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpc_xnve.dll
2015-03-04 18:08 - 2015-03-04 18:08 - 00047616 _____ () C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\libEGL.dll
2015-03-04 18:08 - 2015-03-04 18:08 - 00865280 _____ () C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\plugins\platforms\qwindows.dll
2015-03-04 18:07 - 2015-03-04 18:07 - 00200704 _____ () C:\Users\Beatrice\AppData\Roaming\Dropbox\bin\plugins\imageformats\qjpeg.dll
2015-03-21 15:32 - 2015-03-14 06:12 - 01174856 _____ () C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\libglesv2.dll
2015-03-21 15:32 - 2015-03-14 06:12 - 00080200 _____ () C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\libegl.dll
2015-03-21 15:32 - 2015-03-14 06:12 - 09278792 _____ () C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\pdf.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Beatrice\SkyDrive:ms-properties

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-3281177217-869368764-2006139627-1002\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.2.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run32: => "Wondershare Helper Compact.exe"

==================== Accounts: =============================

Administrator (S-1-5-21-3281177217-869368764-2006139627-500 - Administrator - Disabled)
Beatrice (S-1-5-21-3281177217-869368764-2006139627-1002 - Administrator - Enabled) => C:\Users\Beatrice
Guest (S-1-5-21-3281177217-869368764-2006139627-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3281177217-869368764-2006139627-1004 - Limited - Enabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (03/30/2015 00:06:51 AM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Windows Update). Additional information: 0x80070005.


System errors:
=============
Error: (03/30/2015 04:57:49 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (03/30/2015 04:57:49 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (03/30/2015 00:47:14 AM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (03/30/2015 00:47:13 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee Boot Delay Start Service service failed to start due to the following error:
%%2

Error: (03/30/2015 00:47:02 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The AVGIDSAgent service terminated with the following service-specific error:
%%3758213659

Error: (03/30/2015 00:05:39 AM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (03/30/2015 00:05:37 AM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (03/30/2015 00:05:37 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee Boot Delay Start Service service failed to start due to the following error:
%%2

Error: (03/29/2015 10:48:22 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (03/29/2015 10:48:22 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The McAfee Boot Delay Start Service service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor: AMD A6-5200 APU with Radeon™ HD Graphics
Percentage of memory in use: 23%
Total physical RAM: 7643.95 MB
Available physical RAM: 5820.52 MB
Total Pagefile: 9819.95 MB
Available Pagefile: 7871.02 MB
Total Virtual: 131072 MB
Available Virtual: 131071.82 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:677.33 GB) (Free:613.71 GB) NTFS
Drive d: (RECOVERY) (Fixed) (Total:20.54 GB) (Free:2.03 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: 3A472083)

Partition: GPT Partition Type.

==================== End Of Log ============================
  • 0

#10
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Hello,

A few items / issues to fix;

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.

CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
AppInit_DLLs-x32: acaptuser32.dll => "acaptuser32.dll" File Not Found
SearchScopes: HKLM -> {4A033BE2-44B8-4954-BB49-126C850FAF6E} URL = http://www.amazon.ca...s={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...56705-11896-0/4?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3281177217-869368764-2006139627-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
S2 mcbootdelaystartsvc; "C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
S3 clwvd; \SystemRoot\system32\DRIVERS\clwvd.sys [X]
U3 McMPFSvc; No ImagePath
U3 McNaiAnn; No ImagePath
U3 mcpltsvc; No ImagePath
U3 McProxy; No ImagePath
U3 mfecore; No ImagePath
U3 MSK80Service; No ImagePath
S0 nbsx; System32\drivers\qhjejf.sys [X]
C:\Users\Beatrice\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpc_xnve.dll
C:\Users\Beatrice\AppData\Local\Temp\ose00000.exe
C:\Users\Beatrice\AppData\Local\Temp\Quarantine.exe
C:\Users\Beatrice\AppData\Local\Temp\sqlite3.dll
AlternateDataStreams: C:\Users\Beatrice\SkyDrive:ms-properties
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp:

Click Format and ensure Wordwrap is unchecked.
Save as Fixlist.txt to your Desktop (Must be in this location)
Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

After the Fix runs, FRST will create a Fixlog.txt on your desktop. You should be able to paste that directly into the forum; please do so.

Thanks
Joe :)
  • 0

#11
Beatriceswiss

Beatriceswiss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Hi zep516.  The log created by the fix is also white letters on black background, so I have attached it to this post.

Attached File: Fixlog.txt (5.58KB, 93 downloads)


  • 0

#12
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Let me paste it in so it's all in the same place.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Beatrice at 2015-03-30 21:27:41 Run:1
Running from C:\Users\Beatrice\Desktop
Loaded Profiles: Beatrice (Available profiles: Beatrice)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
AppInit_DLLs-x32: acaptuser32.dll => "acaptuser32.dll" File Not Found
SearchScopes: HKLM -> {4A033BE2-44B8-4954-BB49-126C850FAF6E} URL = http://www.amazon.ca...s={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...d={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3281177217-869368764-2006139627-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
S2 mcbootdelaystartsvc; "C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe" /McCoreSvc [X]
C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
S3 clwvd; \SystemRoot\system32\DRIVERS\clwvd.sys [X]
U3 McMPFSvc; No ImagePath
U3 McNaiAnn; No ImagePath
U3 mcpltsvc; No ImagePath
U3 McProxy; No ImagePath
U3 mfecore; No ImagePath
U3 MSK80Service; No ImagePath
S0 nbsx; System32\drivers\qhjejf.sys [X]
C:\Users\Beatrice\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpc_xnve.dll
C:\Users\Beatrice\AppData\Local\Temp\ose00000.exe
C:\Users\Beatrice\AppData\Local\Temp\Quarantine.exe
C:\Users\Beatrice\AppData\Local\Temp\sqlite3.dll
AlternateDataStreams: C:\Users\Beatrice\SkyDrive:ms-properties
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
"acaptuser32.dll" => Value Data removed successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4A033BE2-44B8-4954-BB49-126C850FAF6E}" => Key deleted successfully.
HKCR\CLSID\{4A033BE2-44B8-4954-BB49-126C850FAF6E} => Key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-3281177217-869368764-2006139627-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => Key deleted successfully.
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found.
mcbootdelaystartsvc => Service deleted successfully.
"C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe" => File/Directory not found.
clwvd => Service deleted successfully.
McMPFSvc => Service deleted successfully.
McNaiAnn => Service deleted successfully.
mcpltsvc => Service deleted successfully.
McProxy => Service deleted successfully.
mfecore => Service deleted successfully.
MSK80Service => Service deleted successfully.
nbsx => Service deleted successfully.
"C:\Users\Beatrice\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpc_xnve.dll" => File/Directory not found.
C:\Users\Beatrice\AppData\Local\Temp\ose00000.exe => Moved successfully.
C:\Users\Beatrice\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Beatrice\AppData\Local\Temp\sqlite3.dll => Moved successfully.
"C:\Users\Beatrice\SkyDrive" => ":ms-properties" ADS not found.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc" => Key deleted successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= RemoveProxy: =========

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully.
HKU\S-1-5-21-3281177217-869368764-2006139627-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully.
HKU\S-1-5-21-3281177217-869368764-2006139627-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully.


========= End of RemoveProxy: =========

Hosts was reset successfully.
EmptyTemp: => Removed 1.3 GB temporary data.


The system needed a reboot.

==== End of Fixlog 21:30:26 ====
  • 0
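A post-reboot check of the persistence points this fixlog reports as cleaned, written as an added example for this thread (not FRST output and not zep516's script). It assumes an elevated PowerShell prompt on the cleaned machine and uses the standard registry locations for the 32-bit AppInit_DLLs value and the current user's proxy settings.

```powershell
# Verify that the items FRST removed stayed gone after the reboot.
# Added example for this thread; not part of FRST or the helper's fixlist.
# Run from an elevated PowerShell prompt on the machine that was cleaned.

$findings = @()

# 1. hosts file: the system event log showed repeated DNS-Client 1012 errors
#    (could not read the local hosts file) and the fix reset it. It should now
#    be readable and contain only comments or loopback entries.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
try {
    $entries = Get-Content -Path $hostsPath -ErrorAction Stop |
        Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' }
    if ($entries) { $findings += "hosts file still has non-loopback entries: $($entries -join '; ')" }
} catch {
    $findings += "hosts file could not be read: $($_.Exception.Message)"
}

# 2. AppInit_DLLs (32-bit view) pointed at a missing acaptuser32.dll; it should be empty now.
$appInitKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $appInitKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit) { $findings += "AppInit_DLLs (x32) still set: $appInit" }

# 3. Services and drivers the fix deleted. The registry Services key is checked
#    rather than Get-Service because Get-Service does not list kernel drivers
#    such as clwvd and nbsx.
$removed = 'mcbootdelaystartsvc','clwvd','McMPFSvc','McNaiAnn','mcpltsvc',
           'McProxy','mfecore','MSK80Service','nbsx'
foreach ($svc in $removed) {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc") { $findings += "service still registered: $svc" }
}
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\qhjejf.sys'
if (Test-Path $driverPath) { $findings += "driver file still present: $driverPath" }

# 4. RemoveProxy: cleared the proxy values; confirm none came back for the current user.
$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $proxyKey -ErrorAction SilentlyContinue
if ($proxy.ProxyEnable -eq 1 -or $proxy.ProxyServer) { $findings += "proxy still configured: $($proxy.ProxyServer)" }

if ($findings.Count -eq 0) { 'All checked persistence points are clean.' } else { $findings }
```

Any line it prints other than the clean message is something that survived the fix or was recreated on reboot and belongs in the next reply.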

#13
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
So notepad has white letters on black background ?
  • 0

#14
Beatriceswiss

Beatriceswiss

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Correct, notepad has white letters on black background.  Same for the fixlog that was produced.


  • 0

#15
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts

Last night we ran Malewarebytes, Junkware Removal Tool and AdwCleaner.


Do you have any of those logs? AdwCleaner's would be found at C:\Adwcleaner. I would like to see the SO.TXT from that and any other logs you have, to get an idea of what was removed.

Thanks
Joe :)
  • 0
