That was a tough one. Thanks for your patience. I guess we can clean up now.
To delete the Quarantine Folder used by FRST create a fixlist.txt file with just the following line:
Save the fixlist.txt to the same folder as FRST then run FRST and hit Fix. You can easily delete any other folders and logs.
If we installed Speccy it needs to be uninstalled. Process Explorer, VEW, AdwCleaner, JRT and their logs and Speccy's log can just be deleted. (as well as Process Monitor's giant logs. Be sure to empty your Reycle Bin)
Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Flash is now the most malware targeted program so it must be kept up to date. Be careful with Adobe. They are fond of offering optional downloads like yahoo or Ask toolbars or that worthless McAfee Security Scan. Go slow and uncheck the optional stuff.
If you use Chrome/Firefox/IE then get the AdBlock Plus Add-on. Go to adblockplus.org with each browser and get the add-on. (It's actually a program for IE)
If Chrome/Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
If you are a Facebook user get the FB Purity extension for your browser:
This will stop all of the suggested pages and ads so that Facebook loads much quicker.
Be warned: If you use Limewire, utorrent or any of the other P2P programs you will probably be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.combefore
you open them.
Due to a recent rise in the number of Crytolocker infections I am now recommending you install:
The free version does not update on its own so you should check for updated versions once in a while. When you install it the default is NONE which is kind of worthless so change it to Standard or default. If you have problems after installing CryptoPrevent you can just uninstall it.
If you have a router, log on to it today and change the default password! If using a Wireless router you really should be using encryption on the link. Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business. See http://www.king5.com...0637284.htmlandhttp://www.seattlepi...ted-1344185.php
for why encryption is important. If you don't know how, visit the router maker's website. They all have detailed step by step instructions or a wizard you can download.
Special note on Java. Old Java versions should be removed after first clearing the Java Cache by following the instructions in:
Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better. These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE. Get the latest version from Java.com. They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download. Just uncheck the garbage before the download (or install) starts. If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.
Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it. IF that is the case then go to Control Panel, Java, Security and slide it up to the highest level. OK.
PS. Thanks again for submitting the first file for the developer. He was able to quickly isolate the problem and has already made a change in the tool so that it won't happen again. This is what he said,
This particular and the similar cases are fixed. Should there be other cases please upload the "Software" hive from FRST back ups.
Just for your information, the mwlDaemon entry contained many trailing null characters following by many spaces. I have no idea if this is intended by the vendor or a bug in the software. I see no logical purpose for this. You would not see this if you open regedit to see the value data or if your export it. Regedit.exe breaks the data entry from the first trailing null character.
The presence of those null characters triggered a rare bug in one of the basic Autoit functions (StringRegExpReplace). It happened when FRST attempted to parse the whitelisted entries. Running FRST without whitelisting registry, would not trigger the bug.
I have no access to the the function and can't debug it. To overcome this and similar cases when a value data of REG_SZ type contains null characters, FRST replaces them with star "*" character. In this case you see the following entry in the log:
HKLM\...\Run: [mwlDaemon] => C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe************************************************************** (the data entry has 65 more characters).