[hotdog_1984]

ADDITIONS:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version:26-07-2015

Ran by Matt at 2015-07-27 21:32:21

Running from C:\Users\Matt\Downloads

Boot Mode: Normal

==========================================================

 

 

==================== Accounts: =============================

 

Administrator (S-1-5-21-1492825921-750369754-554371985-500 - Administrator - Disabled)

Guest (S-1-5-21-1492825921-750369754-554371985-501 - Limited - Disabled)

HomeGroupUser$ (S-1-5-21-1492825921-750369754-554371985-1002 - Limited - Enabled)

Jo (S-1-5-21-1492825921-750369754-554371985-1003 - Administrator - Enabled) => C:\Users\Jo

Matt (S-1-5-21-1492825921-750369754-554371985-1001 - Administrator - Enabled) => C:\Users\Matt

Mcx1-MATT-PC (S-1-5-21-1492825921-750369754-554371985-1004 - Limited - Enabled) => C:\Users\Mcx1-MATT-PC

 

==================== Security Center ========================

 

(If an entry is included in the fixlist, it will be removed.)

 

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}

AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: Spybot - Search and Destroy (Enabled - Out of date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

 

==================== Installed Programs ======================

 

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 

7-Zip 9.21 (HKLM-x32\...\{23170F69-40C1-2701-0921-000001000000}) (Version: 9.21.00.0 - Igor Pavlov)

Acer Backup Manager (HKLM-x32\...\InstallShield_{72B776E5-4530-4C4B-9453-751DF87D9D93}) (Version: 2.0.0.68 - NewTech Infosystems)

Acer Crystal Eye webcam Ver:1.1.194.1021 (HKLM-x32\...\{D0ACE89D-EC7F-470F-80BE-4C98ED366B32}) (Version: 1.1.194.1021 - Chicony Electronics Co.,Ltd.)

Acer ePower Management (HKLM-x32\...\{3DB0448D-AD82-4923-B305-D001E521A964}) (Version: 5.00.3005 - Acer Incorporated)

Acer eRecovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 4.05.3013 - Acer Incorporated)

Acer GameZone Console (HKLM-x32\...\{58F4D244-314F-4D26-B5EF-C28AB32E22CB}_is1) (Version: 6.1.0.9 - Oberon Media, Inc.)

Acer Registration (HKLM-x32\...\Acer Registration) (Version: 1.03.3003 - Acer Incorporated)

Acer ScreenSaver (HKLM-x32\...\Acer Screensaver) (Version: 1.1.0707.2010 - Acer Incorporated)

Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)

Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)

Adobe Flash Player 18 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 18.0.0.209 - Adobe Systems Incorporated)

Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)

Adobe Reader XI (11.0.10) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)

Airport Mania First Flight (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11505173}) (Version:  - Oberon Media)

Amazonia (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11273477}) (Version:  - Oberon Media)

Apple Application Support (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)

Apple Mobile Device Support (HKLM\...\{2EF5D87E-B7BD-458F-8428-E4D0B8B4E65C}) (Version: 7.0.0.117 - Apple Inc.)

Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)

Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 10.2.2215 - AVAST Software)

Backup Manager Basic (x32 Version: 2.0.0.68 - NewTech Infosystems) Hidden

BitTorrent (HKLM-x32\...\BitTorrent) (Version: 7.2.0 - )

Broadcom Gigabit NetLink Controller (HKLM\...\{A84DB02B-9C2B-4272-9D2D-A80E00A56513}) (Version: 14.0.2.3 - Broadcom Corporation)

Cake Mania (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111199750}) (Version:  - Oberon Media)

CCleaner (HKLM\...\CCleaner) (Version: 5.04 - Piriform)

Celestix HOTPin Client 1.1 for Windows (HKLM-x32\...\{E74A64C6-F1A0-4729-B0B5-273471E81105}) (Version: 1.01.0000 - Celestix Networks, Inc.)

COWON Media Center - jetAudio Basic VX (HKLM-x32\...\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}) (Version: 8.0.16 - COWON)

CyberLink PowerDVD 9 (HKLM-x32\...\InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}) (Version: 9.0.3216.50 - CyberLink Corp.)

D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden

Dream Day First Home (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113832110}) (Version:  - Oberon Media)

eBay Worldwide (HKLM-x32\...\{E0B19DF7-B1C7-4937-82C4-0E4B1E346965}) (Version: 2.1.0901 - OEM)

EPSON Printer Software (HKLM\...\EPSON Printer and Utilities) (Version:  - SEIKO EPSON Corporation)

Galapago (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111307457}) (Version:  - Oberon Media)

Google Chrome (HKLM-x32\...\Google Chrome) (Version: 44.0.2403.107 - Google Inc.)

Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6710.2136 - Google Inc.)

Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden

Google Update Helper (x32 Version: 1.3.28.1 - Google Inc.) Hidden

Heroes of Hellas (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113786380}) (Version:  - Oberon Media)

Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3003 - Acer Incorporated)

Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)

Intel® Graphics Media Accelerator Driver (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2182 - Intel Corporation)

Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 6.0.0.1179 - Intel Corporation)

Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.2.1001 - Intel Corporation)

Intel® Turbo Boost Technology Monitor (HKLM\...\{39F4C6F9-618A-4E5B-8FB2-6BD661174E32}) (Version: 1.0.186.6 - Intel)

Internet TV for Windows Media Center (HKLM-x32\...\{9D318C86-AF4C-409F-A6AC-7183FF4CF424}) (Version: 4.2.2.0 - Microsoft Corporation)

iTunes (HKLM\...\{A04DCB25-7040-4935-A30D-8E0A893ABF2D}) (Version: 11.1.2.32 - Apple Inc.)

Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden

Launch Manager (HKLM-x32\...\LManager) (Version: 4.0.14 - Acer Inc.)

LeapFrog Connect (HKLM-x32\...\UPCShell) (Version: 6.0.19.19317 - LeapFrog)

LeapFrog Connect (x32 Version: 6.0.19.19317 - LeapFrog) Hidden

LeapFrog My Pals Plugin (x32 Version: 6.0.19.19317 - LeapFrog) Hidden

LG PC Suite III (HKLM-x32\...\{C0E18DC4-C74A-4889-AE3A-933471023787}) (Version: 1.0.0.0 - LG Electronics)

LG PC Suite III (x32 Version: 1.0.0.0 - LG Electronics) Hidden

LG USB Modem Drivers (HKLM-x32\...\{FA02ACAC-9E14-4878-A257-92A22A647C2C}) (Version: 4.9.4 - LG Electronics)

Merriam Websters Spell Jam (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112662477}) (Version:  - Oberon Media)

Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)

Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)

Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)

Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)

Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)

Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)

Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)

Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)

Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)

Microsoft Zoo Tycoon (HKLM-x32\...\Zoo Tycoon 1.0) (Version:  - )

Mozilla Firefox 10.0.2 (x86 en-GB) (HKLM-x32\...\Mozilla Firefox 10.0.2 (x86 en-GB)) (Version: 10.0.2 - Mozilla)

MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)

MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)

MyFreeCodec (HKU\S-1-5-21-1492825921-750369754-554371985-1001\...\MyFreeCodec) (Version:  - )

MyWinLocker (x32 Version: 3.1.212.0 - Egis Technology Inc.) Hidden

MyWinLocker Suite (HKLM-x32\...\InstallShield_{738BF5C3-AF7B-4BB0-B7EF-E505EFC756BE}) (Version: 3.1.212.0 - Egis Technology Inc.)

MyWinLocker Suite (x32 Version: 3.1.212.0 - Egis Technology Inc.) Hidden

NTI Media Maker 9 (HKLM-x32\...\InstallShield_{D3D5C4E8-040F-4C6F-8105-41D43CF94F44}) (Version: 9.0.2.8939 - NTI Corporation)

NTI Media Maker 9 (x32 Version: 9.0.2.8939 - NTI Corporation) Hidden

Poker Pop (HKLM-x32\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111355427}) (Version:  - Oberon Media)

QuickTime (HKLM-x32\...\{B67BAFBA-4C9F-48FA-9496-933E3B255044}) (Version: 7.74.80.86 - Apple Inc.)

Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6141 - Realtek Semiconductor Corp.)

Realtek USB 2.0 Card Reader (HKLM-x32\...\{96AE7E41-E34E-47D0-AC07-1091A8127911}) (Version: 6.1.7600.30122 - Realtek Semiconductor Corp.)

Samsung Kies (HKLM-x32\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.6.1.13105_7 - Samsung Electronics Co., Ltd.)

Samsung Kies (x32 Version: 2.6.1.13105_7 - Samsung Electronics Co., Ltd.) Hidden

SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.29.0 - SAMSUNG Electronics Co., Ltd.)

Shredder (Version: 2.0.8.3 - Egis Technology Inc.) Hidden

Shredder (x32 Version: 2.0.8.3 - Egis Technology Inc.) Hidden

Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)

Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)

Surfing Protection (HKLM-x32\...\IObit Surfing Protection_is1) (Version: 1.2 - IObit)

Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 14.0.19.0 - Synaptics Incorporated)

Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)

Use the entry named LeapFrog Connect to uninstall (LeapFrog My Pals Plugin) (HKLM-x32\...\MyPalsPlugin) (Version:  - LeapFrog)

Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)

Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)

Welcome Center (HKLM-x32\...\Acer Welcome Center) (Version: 1.02.3004 - Acer Incorporated)

Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net  (09/10/2009 02.03.05.012) (HKLM\...\8F14F2ECEDE68D26EA515B48DC25B39103C4FE8D) (Version: 09/10/2009 02.03.05.012 - Leapfrog)

Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)

Windows Live Sync (HKLM-x32\...\{B10914FD-8812-47A4-85A1-50FCDE7F1F33}) (Version: 14.0.8117.416 - Microsoft Corporation)

Windows Media Center Add-in for Silverlight (HKLM-x32\...\{0EDBEB2B-7C8D-42E6-8312-0F84394A3223}) (Version: 4.7.3.0 - Microsoft Corporation)

 

==================== Custom CLSID (Whitelisted): ==========================

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

 

==================== Restore Points =========================

 

11-06-2015 07:35:01 Scheduled Checkpoint

27-07-2015 00:59:01 Windows Update

27-07-2015 06:55:24 Removed Java™ 6 Update 26

27-07-2015 06:59:57 Removed Bonjour

27-07-2015 08:49:02 Windows Update

27-07-2015 09:30:00 Windows Update

27-07-2015 11:36:38 Windows Update

27-07-2015 21:19:04 JRT Pre-Junkware Removal

 

==================== Hosts content: ===============================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2009-07-14 03:34 - 2015-07-27 20:25 - 00000035 ____A C:\Windows\system32\Drivers\etc\hosts

 

==================== Scheduled Tasks (Whitelisted) =============

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

Task: {07C5F1A7-B854-4AF5-B35F-768513EBAA39} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-07-24] (Adobe Systems Incorporated)

Task: {61BCD03D-7D1E-493D-8F18-A0DB53330E9D} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-06-20] (Avast Software s.r.o.)

Task: {62B1784B-E682-42A9-8E76-5E341EACF4C2} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-06-12] (Adobe Systems Incorporated)

Task: {6A4CADA4-F5DE-4105-912A-7D052B79AEBC} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)

Task: {95F8F8F1-96B6-4DC0-91D5-032998B9D8F4} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe [2014-06-27] (Safer-Networking Ltd.)

Task: {AB40CABE-83EE-42B4-9085-C5098D4FEF40} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe [2014-06-24] (Safer-Networking Ltd.)

Task: {D498279E-BBC3-4330-B02A-7F3532CD68F4} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-03-13] (Piriform Ltd)

Task: {E20D84A3-0BFC-4517-A56B-0F33EBB37F0D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-26] (Google Inc.)

Task: {E7F25E9D-5410-4311-BDB9-0111B64E1D62} - System32\Tasks\Microsoft\Windows\Media Center\Extender\Update media permissions for Mcx1-MATT-PC => C:\Windows\ehome\McxTask.exe [2009-07-14] (Microsoft Corporation)

Task: {FC3A4E01-D105-4779-A08B-54C04DCDE2B6} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-26] (Google Inc.)

 

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

 

 

==================== Loaded Modules (Whitelisted) ==============

 

2015-04-18 20:51 - 2015-04-18 20:51 - 00104400 _____ () C:\Program Files\AVAST Software\Avast\log.dll

2015-04-18 20:51 - 2015-04-18 20:51 - 00081728 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll

2015-07-27 20:32 - 2015-07-27 20:32 - 02960384 _____ () C:\Program Files\AVAST Software\Avast\defs\15072705\algo.dll

2015-04-18 20:51 - 2015-04-18 20:51 - 40540672 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll

2011-09-27 07:23 - 2011-09-27 07:23 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll

2011-09-27 07:22 - 2011-09-27 07:22 - 01242472 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll

2015-04-18 00:20 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl

2015-04-18 00:20 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl

2015-04-18 00:20 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl

2015-04-18 00:20 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll

2015-04-18 00:20 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll

2015-07-27 04:00 - 2015-07-23 23:39 - 01405768 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.107\libglesv2.dll

2015-07-27 04:00 - 2015-07-23 23:39 - 00081224 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.107\libegl.dll

2015-07-27 04:00 - 2015-07-23 23:39 - 16308040 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.107\PepperFlash\pepflashplayer.dll

 

==================== Alternate Data Streams (Whitelisted) =========

 

(If an entry is included in the fixlist, only the ADS will be removed.)

 

 

==================== Safe Mode (Whitelisted) ===================

 

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

 

 

==================== EXE Association (Whitelisted) ===============

 

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

 

 

==================== Internet Explorer trusted/restricted ===============

 

(If an entry is included in the fixlist, it will be removed from the registry.)

 

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com

IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com

IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com

IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com

IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com

IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com

IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com

IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com

IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com

IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com

IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com

IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com

IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com

IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com

IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net

IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net

IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info

IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com

IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com

IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

 

There are 7866 more restricted sites.

 

==================== Other Areas ============================

 

(Currently there is no automatic fix for this section.)

 

HKU\S-1-5-21-1492825921-750369754-554371985-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Matt\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

DNS Servers: 192.168.1.254

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: )

Windows Firewall is enabled.

 

==================== MSCONFIG/TASK MANAGER disabled items ==

 

(Currently there is no automatic fix for this section.)

 

 

==================== FirewallRules (Whitelisted) ===============

 

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

FirewallRules: [{F4C0BA75-6C35-485E-9FE2-064F7F730F0F}] => (Allow) C:\Program Files (x86)\CyberLink\PowerDVD9\PowerDVD9.EXE

FirewallRules: [{60B083C3-3B8C-4269-A541-4124472619B1}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe

FirewallRules: [{6283E75F-40CB-404C-AB57-53A6DBDF2513}] => (Allow) svchost.exe

FirewallRules: [{416B6D9F-EF9B-4226-A373-1746B0D6DE39}] => (Allow) C:\Program Files (x86)\Windows Live\Sync\WindowsLiveSync.exe

FirewallRules: [{762CC632-91BB-4DFD-B9BB-6E8404C6CB63}] => (Allow) C:\Program Files (x86)\BitTorrent\BitTorrent.exe

FirewallRules: [{11E45FA5-D4CF-406A-BFFB-93DE09ECB5A4}] => (Allow) C:\Program Files (x86)\BitTorrent\BitTorrent.exe

FirewallRules: [{4AD1E25D-E860-46CB-A828-1528DE8FDEA8}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe

FirewallRules: [{2F3FD173-C279-4FD8-BFA4-C2B94527ACC9}] => (Allow) LPort=2869

FirewallRules: [{EB8B7112-5EB8-49C6-A27E-D5E6A3C7C618}] => (Allow) LPort=1900

FirewallRules: [{63FA221D-A17D-49C2-AE78-41F0A3FD3123}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe

FirewallRules: [{C2A4D703-A2F6-4060-9218-5DBDA438D592}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe

FirewallRules: [{D6ED9204-65DA-40F9-9539-E3A1994C0FDF}] => (Allow) C:\Program Files (x86)\iTunes\iTunes.exe

FirewallRules: [{A8AD10C7-0404-4442-ACBF-3028A4A9A3B2}] => (Allow) C:\Windows\SysWOW64\muzapp.exe

FirewallRules: [{178591AB-98F4-4EFC-9D84-372B37C41523}] => (Allow) C:\Windows\SysWOW64\muzapp.exe

FirewallRules: [{6C717DC4-10F1-44FE-ADB6-C473E0378738}] => (Allow) C:\Program Files (x86)\LeapFrog\LeapFrog Connect\LeapfrogConnect.exe

FirewallRules: [{861257E8-77DD-4882-99F0-5E15E5DD8E40}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe

FirewallRules: [{0E825599-375D-4975-9075-957DE6C19892}] => (Allow) C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe

FirewallRules: [{9C3E94EE-2ED8-4C19-916D-A2203EB51493}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access

StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service

StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater

StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service

 

==================== Faulty Device Manager Devices =============

 

Name: Teredo Tunneling Pseudo-Interface

Description: Microsoft Teredo Tunneling Adapter

Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}

Manufacturer: Microsoft

Service: tunnel

Problem: : This device cannot start. (Code10)

Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.

On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

 

 

==================== Event log errors: =========================

 

Application errors:

==================

Error: (07/27/2015 09:05:27 PM) (Source: MsiInstaller) (EventID: 1024) (User: Matt-PC)

Description: Product: Adobe Reader XI - Update '{AC76BA86-7AD7-0000-2550-7A8C40011012}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127

 

Error: (07/27/2015 08:58:11 PM) (Source: .NET Runtime Optimization Service) (EventID: 1101) (User: )

Description: .NET Runtime Optimization Service (clr_optimization_v4.0.30319_64) - 1>Failed to compile: System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 . Error code = 0x80070020

 

Error: (07/27/2015 08:42:18 PM) (Source: MsiInstaller) (EventID: 1024) (User: Matt-PC)

Description: Product: Adobe Reader XI - Update '{AC76BA86-7AD7-0000-2550-7A8C40011012}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127

 

Error: (07/27/2015 08:15:42 PM) (Source: MsiInstaller) (EventID: 1024) (User: Matt-PC)

Description: Product: Adobe Reader XI - Update '{AC76BA86-7AD7-0000-2550-7A8C40011012}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127

 

Error: (07/27/2015 08:03:56 PM) (Source: Application Error) (EventID: 1000) (User: )

Description: Faulting application name: Kies.exe, version: 1.0.0.1521, time stamp: 0x52a83550

Faulting module name: KERNELBASE.dll, version: 6.1.7601.18869, time stamp: 0x556363bc

Exception code: 0xe0434352

Fault offset: 0x0000c42d

Faulting process id: 0x1dc4

Faulting application start time: 0xKies.exe0

Faulting application path: Kies.exe1

Faulting module path: Kies.exe2

Report Id: Kies.exe3

 

Error: (07/27/2015 08:03:53 PM) (Source: .NET Runtime) (EventID: 1026) (User: )

Description: Application: Kies.exe

Framework Version: v4.0.30319

Description: The process was terminated due to an unhandled exception.

Exception Info: System.ComponentModel.Win32Exception

Stack:

   at System.Diagnostics.ProcessManager.OpenProcess(Int32, Int32, Boolean)

   at System.Diagnostics.Process.GetProcessHandle(Int32, Boolean)

   at System.Diagnostics.Process.OpenProcessHandle(Int32)

   at System.Diagnostics.Process.get_Handle()

   at Kies.App.CheckExistenceTrayAgent()

   at Kies.App..ctor()

   at Kies.App.Main()

 

Error: (07/27/2015 02:00:20 PM) (Source: CVHSVC) (EventID: 100) (User: )

Description: Information only.

Error: BITS connection error Type: 150::InternetConnectionFailure.

 

Error: (07/27/2015 09:18:41 AM) (Source: MsiInstaller) (EventID: 1024) (User: Matt-PC)

Description: Product: Adobe Reader XI - Update '{AC76BA86-7AD7-0000-2550-7A8C40011012}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127

 

Error: (07/27/2015 08:51:02 AM) (Source: MsiInstaller) (EventID: 11935) (User: NT AUTHORITY)

Description: Product: MSXML 4.0 SP2 (KB973688) -- Error 1935. An error occured during the installation of assembly component {7B2B4EA5-1028-B7E6-A06B-D6B9ABF34537}. HRESULT: 0x800736B3. assembly interface: IAssemblyCacheItem, function: Commit, assembly name: Microsoft.MSXML2,type="win32",version="4.20.9876.0",publicKeyToken="6bd6b9abf345378f",processorArchitecture="x86"

 

Error: (07/27/2015 07:47:33 AM) (Source: MsiInstaller) (EventID: 1024) (User: Matt-PC)

Description: Product: Adobe Reader XI - Update '{AC76BA86-7AD7-0000-2550-7A8C40011012}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft....k/?LinkId=23127

 

 

System errors:

=============

Error: (07/27/2015 09:20:33 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: The Windows Modules Installer service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

 

Error: (07/27/2015 09:20:33 PM) (Source: Service Control Manager) (EventID: 7034) (User: )

Description: The Intel® Management & Security Application User Notification Service service terminated unexpectedly.  It has done this 1 time(s).

 

Error: (07/27/2015 09:20:33 PM) (Source: Service Control Manager) (EventID: 7034) (User: )

Description: The Intel® Rapid Storage Technology service terminated unexpectedly.  It has done this 1 time(s).

 

Error: (07/27/2015 09:20:33 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: The Microsoft .NET Framework NGEN v4.0.30319_X86 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

 

Error: (07/27/2015 09:20:33 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: The Microsoft .NET Framework NGEN v4.0.30319_X64 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

 

Error: (07/27/2015 09:20:32 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

 

Error: (07/27/2015 09:20:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )

Description: The Application Virtualization Client service terminated unexpectedly.  It has done this 1 time(s).

 

Error: (07/27/2015 09:20:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )

Description: The iPod Service service terminated unexpectedly.  It has done this 1 time(s).

 

Error: (07/27/2015 09:20:32 PM) (Source: Service Control Manager) (EventID: 7034) (User: )

Description: The Client Virtualization Handler service terminated unexpectedly.  It has done this 1 time(s).

 

Error: (07/27/2015 09:20:31 PM) (Source: Service Control Manager) (EventID: 7031) (User: )

Description: The Spybot-S&D 2 Security Center Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.

 

 

Microsoft Office:

=========================

 

CodeIntegrity Error:

===================================

  Date: 2014-08-25 10:54:50.726

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\345e40e9.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2014-08-25 10:54:50.242

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\drivers\345e40e9.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2013-09-15 09:25:07.912

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2013-09-15 09:25:07.760

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2013-09-15 09:25:05.286

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2013-09-15 09:25:05.044

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2013-09-15 09:25:02.717

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2013-09-15 09:25:02.448

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2013-09-15 09:24:59.984

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

  Date: 2013-09-15 09:24:59.736

  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

 

 

==================== Memory info =========================== 

 

Processor: Intel® Core™ i5 CPU M 480 @ 2.67GHz

Percentage of memory in use: 55%

Total physical RAM: 3766.71 MB

Available physical RAM: 1684.95 MB

Total Virtual: 7531.63 MB

Available Virtual: 5300.36 MB

 

==================== Drives ================================

 

Drive c: (Acer) (Fixed) (Total:452.66 GB) (Free:201.86 GB) NTFS

Drive d: (My Disc) (CDROM) (Total:0.14 GB) (Free:0 GB) CDFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: 01EF3CC9)

Partition 1: (Not Active) - (Size=13 GB) - (Type=27)

Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=452.7 GB) - (Type=07 NTFS)

 

==================== End of log ============================

[Advertisements]

Looks pretty good.  How is it running?

[RKinner]

Looks pretty good.  How is it running?

[hotdog_1984]

It seems to be running well. Updates and virus software are working properly. Computer is running quick enough. Boot scan is running now so will complete remaining tasks tomorrow. Going forward what's the best free anti virus to use? Also are there other pieces of security software you would recommend using on an ongoing basis?

Thanks

[hotdog_1984]

It seems to be running well. Updates and virus software are working properly. Computer is running quick enough. Boot scan is running now so will complete remaining tasks tomorrow. Going forward what's the best free anti virus to use? Also are there other pieces of security software you would recommend using on an ongoing basis?

Thanks

[hotdog_1984]

On the bootscan it has moved various infected files to chest automatically. It did however ask if a file in Windows\installer and then a long code then \syshost.exe which is infected by win32:genmalicious-kpe (trj) should be moved to chest and i selected yes. Hope this was right?

[RKinner]

If it's infected then the chest is the place for it.  I use Avast for all of my computers tho they are starting to annoy me with their popups.

 

 Some people object to the voice notification of updates.  To turn it off, click on the Avast ball then on Settings.  Then on Sounds and uncheck Automatic Updates OK.  (It will still update it just won't tell you about in a loud voice in the middle of the night.)

They have also started using their info popup to try and get you to upgrade so I go into Settings, Popups and change the first two to 1 second.

The registration is good for 12-14 months then you will need to register again.  They will, of course, try to talk you into buying the product but you can always register again for another year free.
 

 

  MBAM the free version is good to have. 

[hotdog_1984]

As you know I have Avast at the moment although doing some reading Panda Free Antivirus seemed to come out very strongly on reviews saying that it 's detect rate is up there with premium versions.  Have you considered it or is there any underlying reason not to?  In light of your comments around Spybot, should I uninstall it now?  I also have a piece of software called CCleaner.  As far as you know is this worthwhile?  I appreciate your help on this.  It's just now we have done a lot to clear out my system I want to make sure it doesn't happen again and take the right precautions.  I'll post the boot scan report now...

[hotdog_1984]

I have just gone into Avast and at the bottom of the scan tab, there is no option on mine to review previous scan history.  However, I have located the text file so this should hopefully be what you need:

 

07/27/2015 21:39

Scan of C:

 

Scan of *STARTUP

 

File C:\AdwCleaner\Quarantine\C\Program Files (x86)\bestadblocker\Yqxs4W1xQRqUMK.exe.vir is infected by Win32:Adware-CSA [PUP], Moved to chest

File C:\AdwCleaner\Quarantine\C\Program Files (x86)\SAlePlluis\1NmBY4bx6x7daq.exe.vir is infected by Win32:Adware-CSA [PUP], Moved to chest

File C:\AdwCleaner\Quarantine\C\Program Files (x86)\SalePlus\jL0Uh3CYkqGld0.exe.vir is infected by Win32:Adware-CSA [PUP], Moved to chest

File C:\AdwCleaner\Quarantine\C\Program Files (x86)\SalePluus\SalePluus.exe.vir is infected by Win32:Adware-CSA [PUP], Moved to chest

File C:\AdwCleaner\Quarantine\C\Program Files (x86)\SAlePPlus\K3S4tgsdstSpwY.exe.vir is infected by Win32:Adware-CSA [PUP], Moved to chest

File C:\Program Files (x86)\The Key for YouTube\The Key for YouTube.exe is infected by Win32:Adware-CSA [PUP], Moved to chest

File C:\Users\Matt\Downloads\Bit Torrent\Matt's Video Clips\Lesbian Cheerleaders_6.mpg is infected by WMA:Wimad [Susp], Moved to chest

File C:\Windows\Installer\{AF2D5F86-D09B-7E73-ED9A-F5BBCD4BFB88}\syshost.exe is infected by Win32:GenMalicious-KPE [Trj], Moved to chest

File C:\Windows\winsxs\amd64_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_3de8def0db722996\autochk.exe is infected by Win32:Malware-gen, Moved to chest

Number of searched folders: 39073

Number of tested files: 1233834

Number of infected files: 9

 

How's it looking?

 

Thanks

[RKinner]

I think Spybot has passed its prime.  It was a good program for Windows 2000 but not for Win 7.

 

CCleaner has had some issues.  One version of it killed the task scheduler and it is sometimes too aggressive in removing stuff so I don't recommend using it especially its registry cleaner.

 

I like Avast's boot-time scan but they are starting to annoy me with their popup ads so if Panda works for you that's fine.  I may try them too.

 

The folder C:\Windows\Installer\{AF2D5F86-D09B-7E73-ED9A-F5BBCD4BFB88} should be removed.  If you Google syshost.exe you will see that it is probably the root of your problem and the folder name does not Google so it's a random name.   We may need to let FRST do it.  (You can just put

C:\Windows\Installer\{AF2D5F86-D09B-7E73-ED9A-F5BBCD4BFB88}

in a file called fixlist.txt and run a FRST Fix.

 

The last entry in the Avast list smells like a false positive.  Probably won't hurt anything to leave it in the chest tho. 

 

I like to clear the event logs, reboot and then check the logs for new errors to see if the infection (or the cure) has damaged anything.

 

Right click on (My) Computer and select Manage (Continue) Then click on the arrow in front of Event Viewer. Next Click on the arrow in front of Windows Logs Right click on System and Clear Log, Clear. Repeat for Application.

Reboot.

Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator.  Then type (with an Enter after each line).

sfc  /scannow

(This will check your critical system files. Does this finish without complaint?  IF it says it couldn't fix everything then:

Copy the next two lines:

findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \windows\logs\cbs\junk.txt
notepad \windows\logs\cbs\junk.txt

Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
Hit Enter. Copy and paste the text from notepad or if it is too big, just attach the file.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Right-click VEW.exe and Run AS Administrator
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

[hotdog_1984]

Hi,

 

I have removed SpyBot and CCleaner now.  When I removed Spybot, Avast popped up saying there were still files left behind, but you had to pay for some optimisation tool to clean it up.  Is there an issue there?

 

I wasn't exactly sure on your next instruction regarding the Fixlist.txt.  I literally copied the text you wrote into a notepad file and saved it as fixlist.txt then ran the FRST fix.  Is this correct?  Here is my log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:26-07-2015

Ran by Matt at 2015-07-28 14:30:00 Run:4

Running from C:\Users\Matt\Downloads

Loaded Profiles: Matt (Available Profiles: Matt & Jo & Mcx1-MATT-PC)

Boot Mode: Normal

==============================================

 

fixlist content:

*****************

C:\Windows\Installer\{AF2D5F86-D09B-7E73-ED9A-F5BBCD4BFB88}

*****************

 

C:\Windows\Installer\{AF2D5F86-D09B-7E73-ED9A-F5BBCD4BFB88} => moved successfully.

 

==== End of Fixlog 14:30:00 ====

 

- Command prompt scan then came back as not finding any integrity violations so I presume that's good and so didn't follow the next bit of corrective action there.

 

VINO EVENT VIEWER

 

Vino's Event Viewer v01c run on Windows 2008 in English

Report run at 28/07/2015 16:23:25

 

Note: All dates below are in the format dd/mm/yyyy

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'System' Log - Critical Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'System' Log - Error Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'System' Date/Time: 28/07/2015 13:38:48

Type: Error Category: 0

Event: 7022 Source: Service Control Manager

The Windows Update service hung on starting.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'System' Log - Warning Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'System' Date/Time: 28/07/2015 13:32:07

Type: Warning Category: 0

Event: 4 Source: k57nd60a

Broadcom NetLink ™ Gigabit Ethernet: The network link is down.  Check to make sure the network cable is properly connected.

 

Log: 'System' Date/Time: 28/07/2015 13:31:34

Type: Warning Category: 0

Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig

WLAN AutoConfig service has successfully stopped. 

 

 

APPLICATION - 

 

Vino's Event Viewer v01c run on Windows 2008 in English

Report run at 28/07/2015 16:30:28

 

Note: All dates below are in the format dd/mm/yyyy

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'Application' Log - Critical Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'Application' Log - Error Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

'Application' Log - Warning Type

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Log: 'Application' Date/Time: 28/07/2015 14:33:50

Type: Warning Category: 0

Event: 12348 Source: VSS

Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{2fb30f3f-7b32-11e0-b554-1c750844b90c}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly.  Check security on the volume, and try the operation again. 

 

Operation:

   Removing auto-release shadow copies

   Loading provider

 

Context:

   Execution Context: System Provider

 

Log: 'Application' Date/Time: 28/07/2015 13:44:54

Type: Warning Category: 1

Event: 100 Source: CVHSVC

Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.

 

Log: 'Application' Date/Time: 28/07/2015 13:43:45

Type: Warning Category: 1

Event: 100 Source: CVHSVC

Information only. CurrentSoftGridPrereq: Click2Run installation (version = 14.0.4763.1000) is found on the machine; skipping installation...

 

Log: 'Application' Date/Time: 28/07/2015 13:43:44

Type: Warning Category: 1

Event: 100 Source: CVHSVC

Information only. C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE is trusted.

 

Log: 'Application' Date/Time: 28/07/2015 13:39:50

Type: Warning Category: 0

Event: 12348 Source: VSS

Volume Shadow Copy Service warning: VSS was denied access to the root of volume \\?\Volume{2fb30f3f-7b32-11e0-b554-1c750844b90c}\. Denying administrators from accessing volume roots can cause many unexpected failures, and will prevent VSS from functioning properly.  Check security on the volume, and try the operation again. 

 

Operation:

   Removing auto-release shadow copies

   Loading provider

 

Context:

   Execution Context: System Provider

 

Log: 'Application' Date/Time: 28/07/2015 13:33:40

Type: Warning Category: 6

Event: 3057 Source: Application Virtualization Client

{tid=A30}

The Application Virtualization Client Core initialized correctly.  Installed Product:  Version: 4.6.3.24650 Install Path: C:\Program Files (x86)\Microsoft Application Virtualization Client Global Data Directory: C:\ProgramData\Microsoft\Application Virtualization Client\ Machine Name: MATT-PC Operating System: Windows 7 64-bit Service Pack 1.0 Build 7601 OSD Command: 

 

Log: 'Application' Date/Time: 28/07/2015 13:32:51

Type: Warning Category: 3

Event: 3191 Source: Application Virtualization Client

{tid=A30}

-------------------------------------------------------- Initialized client log (C:\ProgramData\Microsoft\Application Virtualization Client\sftlog.txt)

 

Log: 'Application' Date/Time: 28/07/2015 13:32:41

Type: Warning Category: 0

Event: 0 Source: L

The event description cannot be found.

 

Log: 'Application' Date/Time: 28/07/2015 13:31:16

Type: Warning Category: 0

Event: 1530 Source: Microsoft-Windows-User Profiles Service

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.     DETAIL -   16 user registry handles leaked from \Registry\User\S-1-5-21-1492825921-750369754-554371985-1001:

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001

Process 1336 (\Device\HarddiskVolume3\Program Files\AVAST Software\Avast\AvastSvc.exe) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001\Software\Microsoft\SystemCertificates\trust

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001\Software\Microsoft\SystemCertificates\Root

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001\Software\Microsoft\SystemCertificates\SmartCardRoot

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001\Software\Microsoft\SystemCertificates\Disallowed

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001\Software\Microsoft\SystemCertificates\TrustedPeople

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001\Software\Microsoft\SystemCertificates\My

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001\Software\Microsoft\SystemCertificates\CA

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001\Software\Policies\Microsoft\SystemCertificates

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001\Software\Policies\Microsoft\SystemCertificates

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001\Software\Policies\Microsoft\SystemCertificates

Process 3700 (\Device\HarddiskVolume3\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE) has opened key \REGISTRY\USER\S-1-5-21-1492825921-750369754-554371985-1001\Software\Policies\Microsoft\SystemCertificates

 

 

I have also run a full scan on Avast and it didn't pick up anything.  I also ran a full scan on the Malware removal tool you recommended and it picked up 27 items and successfully removed them.

 

How we looking now?   Computer feels like it's running nicely?  Is the Avast optimization tool worthwhile.  It says it can remove 850mb of stuff to speed up my comp, but I know this could easily be sales spiel to get me to sign up.

 

Thanks

 

 

[RKinner]

No that's just something Avast does to try and earn some extra money.  Kind of like a registry cleaner which we do not recommend.

 

Do you use Windows Live for anything?  If Not I would uninstall it as it is hanging on to the registry when it shouldn't.  If you do use it I would look for a newer version.

 

Let's see which drive VSS is complaining about:

 

Copy the next two lines

mountvol > \junk.txt
notepad \junk.txt


Start, All Programs, Accessories, (XP just click on Command Prompt, Vista and Win 7 must right click on Command Prompt and Run as Administrator, Continue.  )Right click and Paste or Edit then Paste and the copied lines should appear.
Hit Enter if notepad does not open.  Copy and paste the text from notepad into a reply.  Close notepad.  Close the Command Window.

 

Ron
 

[hotdog_1984]

I'm not sure if I use Windows Live for anything.  What's it for?  I have a Windows Live ID as I have Hotmail and Xbox Live.  Would it affect these?

 

I have followed the next instruction.  Here is the log:

 

Creates, deletes, or lists a volume mount point.

MOUNTVOL [drive:]path VolumeName
MOUNTVOL [drive:]path /D
MOUNTVOL [drive:]path /L
MOUNTVOL [drive:]path /P
MOUNTVOL /R
MOUNTVOL /N
MOUNTVOL /E

    path        Specifies the existing NTFS directory where the mount
                point will reside.
    VolumeName  Specifies the volume name that is the target of the mount
                point.
    /D          Removes the volume mount point from the specified directory.
    /L          Lists the mounted volume name for the specified directory.
    /P          Removes the volume mount point from the specified directory,
                dismounts the volume, and makes the volume not mountable.
                You can make the volume mountable again by creating a volume
                mount point.
    /R          Removes volume mount point directories and registry settings
                for volumes that are no longer in the system.
    /N          Disables automatic mounting of new volumes.
    /E          Re-enables automatic mounting of new volumes.

Possible values for VolumeName along with current mount points are:

    \\?\Volume{cfe337af-ff63-11df-85df-806e6f6e6963}\
        *** NO MOUNT POINTS ***

    \\?\Volume{cfe337b0-ff63-11df-85df-806e6f6e6963}\
        C:\

    \\?\Volume{cfe337ae-ff63-11df-85df-806e6f6e6963}\
        C:\OEM\Preload\OEM\Recovery\HPartition\

    \\?\Volume{2fb30f3f-7b32-11e0-b554-1c750844b90c}\
        Q:\

    \\?\Volume{cfe337b3-ff63-11df-85df-806e6f6e6963}\
        D:\

 

Thanks

[RKinner]

I don't think you have to have Windows Live to log in to hotmail or Xbox.  If it causes a problem when you uninstall you can always reinstall it.  I'm not really sure what it's good for.  Never met anyone that used it.

 

From the command we see that the error message is about Q:

 

\\?\Volume{2fb30f3f-7b32-11e0-b554-1c750844b90c}\
        Q:\

 

Q:\ is a fake drive used by Microsoft Office Click-to-Run 2010.  Go into Control Panel, System, System Protection.  Under System Restore is a list of drives.  I'm pretty sure you will find that Q is On.  Click on Q then on Configure and then on Turn Off System Protection.  OK.  It should now say Off.  Alternatively since it appears you have Microsoft Office Enterprise Installed and probably never use click to run you could just uninstall Microsoft Office Click-to-Run 2010 and drive Q: should disappear.

 

https://social.techn...pdeployprevious

 

if you are using a file backup program make sure it is not trying to backup the Q drive.

[hotdog_1984]

Hi,

 

The only drive appearing under System Restore in the System Protection area of the tab is Acer C:\.  There is no Q: drive showing.

 

I have now uninstalled Click to Run 2010.

 

Is there any diagnostics you want me to run again?  

 

I have left Windows Live Essentials on for now as the photo viewer I use I have established is part of the pack.

 

Please let me know if there is anything else I need to do now?

 

Thanks

[RKinner]

Picasa from Google is a good free photo viewer and editor. 

 

Good that you uninstalled Click to run.  I have seen it take over from a regular Office install and cause no end of problems.  If everything is running OK then I guess we can clean up.

 

 

You can uninstall or delete any tools we had you download and their logs.

he folder c:\_OTL.

Remove all but the last restore point:

    Open Disk Cleanup by clicking the Start button Picture of the Start button. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.

    If prompted, select the drive that you want to clean up, and then click OK.

    In the Disk Cleanup for (drive letter) dialog box, click Clean up system files. Administrator permission required If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

    If prompted, select the drive that you want to clean up, and then click OK.

    Click the More Options tab, under System Restore and Shadow Copies, click Clean up.

    In the Disk Cleanup dialog box, click Delete.

    Click Delete Files, and then click OK.


To hide hidden files again:

Vista or Win7

# Open the Control Panel menu and click Folder Options.
# After the new window appears select the View tab.
# Remove the check in the  checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and exit My Computer.

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.  

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program.  There is an exploit out there now that can use it to get on your PC.  For Adobe Reader:  Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript.  OK Close program.  It's the same for Foxit reader except you uncheck Enable Javascript Actions.

Unless you have the latest version of Avast which has its own update checker:  To help keep your programs up-to-date you should download and run the UpdateChecker:
http://www.filehippo.../updatechecker/
(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it.  Exception is MSN messenger which appears to be part of Windows.)
If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.
 Seems to work best if Firefox is the default browser.  Windows always hides its icon so you need to unhide it.  Click on the up arrow to the left of the clock.  Then click on Customize.  Maximize the window so you can see all of the options.  Scroll Down and find the File Hippo UpdateChecker and change its Behaviors to Show Icon and Notifications.  OK.  When you reboot you should see the icon.  It will take it a minute to finish checking then it will put up a bubble if you need to update something. Click on the bubble and it should open in your browser.  (Seems to work best if it uses Firefox.  If you do not use Firefox as your default browser then right click on the icon and click on Settings. Then on Results.  Change the Open Results in Default Browser to Custom Browser and then select the line that has Firefox.exe in it.  While there, also check Hide Beta Versions.  OK. )  You will see a list of programs that have updates with green down arrows next to them.  You do not need to download any Beta Versions.  There is an option Settings to Hide Beta Versions.  I do not advise updating Windows Messenger unless you really use it so I right click on the Icon and Customize Results then find Microsoft Messenger and change Show All Releases to Hide All Releases.  OK.


If you use Chrome/Firefox/IE then get the AdBlock Plus Add-on.  Go to adblockplus.org with each browser and get the add-on.  Also available now or IE tho it is a program and not an extension.

If Chrome/Firefox is slow loading make sure it only has the current Java add-on.  Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox.  Close Chrome/Firefox. Hit Optimize.   You can run it any time that Chrome/Firefox seems slow.

Be warned:  If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum.  If you must use P2P then submit any files you get to http://virustotal.combefore you open them.

Due to a recent rise in the number of Crytolocker infections I am now recommending you install:

CryptoPrevent

http://www.foolishIT.../cryptoprevent/

The free version does not update on its own so you should check for updated versions once in a while.  If it causes problems with legitimate software you can just uninstall it the usual way.



If you have a router, log on to it today and change the default password!  If using a Wireless router you really should be using encryption on the link.  Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business.  See http://www.king5.com...-120637284.htmland http://www.seattlepi...ted-1344185.php for why encryption is important.  If you don't know how, visit the router maker's website.  They all have detailed step by step instructions or a wizard you can download.

Special note on Java.  Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
http://www.java.com/...lugin_cache.xml
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better.  These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.  Get the latest version from Java.com.  They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download.  Just uncheck the garbage before the download (or install) starts.  If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.  IF that is the case then go to Control Panel, Java, Security and slide it up to the highest level.  OK.

Make sure Windows Updates is turned and that it works.  Go to Control panel, Windows Updates and see if it works.  


My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's a local environmental organization that I volunteer with: http://www.kwiaht.org/donate.htm
(The name means something like "clean place" in one of the local native-American dialects)

Ron