Updateflashplayer virus

Solved
By fordmann
May 17, 2014
  1. I have apparently clicked on something I shouldn't have and now have several virus warnings on my AVG and continuously get pop-ups asking me if I want to allow flash player updates. I have run the AVG and the viruses are quarantined then I delete them but the pop up always comes back and more viruses are detected. A vicious cycle that never gets resolved. I have tried uninstalling anything recently downloaded but I still have it. I have done all the preliminary things this site says to do before contacting you. Can you help me clean up my computer, please?

    Thanks.
  2. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    I forgot to say, I use Windows 7, and Google Chrome if that matters.
  3. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 5/17/2014
    Scan Time: 1:34:41 PM
    Logfile:
    Administrator: Yes

    Version: 2.00.1.1004
    Malware Database: v2014.05.17.10
    Rootkit Database: v2014.03.27.01
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Chameleon: Disabled

    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: Holly

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 300958
    Time Elapsed: 14 min, 9 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Shuriken: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 3
    PUP.Optional.PriceGong.A, HKU\S-1-5-21-2387700919-4103196123-1702309283-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\PriceGong, Quarantined, [374722305b204bebcc946334f30f40c0],
    PUP.Optional.ValueApps.A, HKU\S-1-5-21-2387700919-4103196123-1702309283-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\CONDUIT\ValueApps, Quarantined, [3f3f282a9fdc79bde78b6f2e8979c937],
    PUP.Optional.Conduit.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\IECT3320244, Quarantined, [a3db5200d7a496a0f2ee6b0656ac936d],

    Registry Values: 1
    PUP.Optional.Conduit, HKU\S-1-5-21-2387700919-4103196123-1702309283-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|BackgroundContainer, "C:\Windows\SysWOW64\Rundll32.exe" "C:\Users\Holly\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll",DllRun, Quarantined, [b0ceaaa886f5290d2f05665b0102b44c]

    Registry Data: 0
    (No malicious items detected)

    Folders: 2
    PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE, Quarantined, [a3db5200d7a496a0f2ee6b0656ac936d],
    PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE\CT3320244, Quarantined, [a3db5200d7a496a0f2ee6b0656ac936d],

    Files: 36
    Spyware.Zbot.ED, C:\Users\Holly\AppData\Local\Temp\UpdateFlashPlayer_c06af72a.exe, Quarantined, [d3ab450df08bc670a662f980748d27d9],
    PUP.Adware.DomaIQ, C:\Users\Holly\Downloads\7-zip.exe, Quarantined, [413db69c0378bf7740e4b84cf60ba25e],
    PUP.Optional.Conduit.A, C:\Users\Holly\Downloads\Setup_brch.exe, Quarantined, [d8a6bc9687f4fd397293e06ac8394db3],
    Spyware.Zbot.ED, C:\Users\Holly\AppData\Local\htvuxkld.exe, Quarantined, [bcc21c365f1cf4423e44bcb7fe0307f9],
    Trojan.Agent.ED, C:\Users\Holly\AppData\Local\nmmvxnkv.exe, Quarantined, [6d11bd958bf0b87e66db093f5ba64db3],
    Spyware.Zbot.ED, C:\Users\Holly\AppData\Local\uiohidpe.exe, Quarantined, [1e6072e05d1e69cd3ed85527d22f05fb],
    PUP.Optional.Conduit.A, C:\Users\Holly\AppData\Local\Conduit\CT3320244\MessageViewer_3AutoUpdateHelper.exe, Quarantined, [96e80e44e39881b581ae78a6669aaa56],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 120661228.job, Quarantined, [4c32a7abfe7d4ee82ada8d1261a22fd1],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 1320074114.job, Quarantined, [9be33919007bdc5a8f75faa58281669a],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 1338660506.job, Quarantined, [3c42e270fe7df244689caff08c77ba46],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 1842325781.job, Quarantined, [0678232f8cefd0663ec63b640300ef11],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 2239993111.job, Quarantined, [e995fa586b10d36340c46d32d42f57a9],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 2319465856.job, Quarantined, [2b536ae866150531f014217e22e10cf4],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 2510351536.job, Quarantined, [1c620250dd9e4bebe91becb33fc4b050],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 2551898832.job, Quarantined, [7c02262c6c0f92a464a0e5baa1629967],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 2762813566.job, Quarantined, [5d21ba9828530234fd074c53dc2748b8],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 2947698746.job, Quarantined, [ed912e2455262e08659fe3bc25de18e8],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 3141716770.job, Quarantined, [7d0167ebf4879f97a064e2bd976cab55],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 3192341216.job, Quarantined, [ed917cd61c5f71c5e2221b84ab5844bc],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 321130532.job, Quarantined, [7c0290c2abd09c9a07fd811e857eb64a],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 3313625929.job, Quarantined, [2f4f460c39425cda0ef6089755aeb34d],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 3353303088.job, Quarantined, [235b69e91962f046af55c1dead566d93],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 3387020193.job, Quarantined, [c8b6371ba7d460d659ab415e996a3ec2],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 3408216698.job, Quarantined, [e896193917642115e91be2bdd2319967],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 3657746127.job, Quarantined, [582664eec8b3aa8c5aaa1c83dc27a858],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 4016708674.job, Quarantined, [007e95bd8eed93a334d0acf3a360738d],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 4130581147.job, Quarantined, [29551a38abd0270ffe06554ad0339967],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 4223862125.job, Quarantined, [7d01fd55b5c6b97d41c31a85f80b03fd],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 464223690.job, Quarantined, [502eafa3cfac989efc08623d28dbfb05],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 739104321.job, Quarantined, [3549163c512ae05662a2c4dbdb286d93],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 807508863.job, Quarantined, [4935cf832457181e16ee643b6c9759a7],
    Trojan.Agent.RvGen, C:\Windows\Tasks\Security Center Update - 880272521.job, Quarantined, [106ef260e19ac175c93b0a952bd8dc24],
    PUP.Optional.Conduit, C:\Windows\System32\Tasks\BackgroundContainer Startup Task, Quarantined, [681687cbd8a363d3cbc58c31d033d927],
    PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE\CT3320244\configutaion.json, Quarantined, [a3db5200d7a496a0f2ee6b0656ac936d],
    PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE\CT3320244\SetupIcon.ico, Quarantined, [a3db5200d7a496a0f2ee6b0656ac936d],
    PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE\CT3320244\UninstallerUI.exe, Quarantined, [a3db5200d7a496a0f2ee6b0656ac936d],

    Physical Sectors: 0
    (No malicious items detected)


    (end)
  4. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 9/6/2012 11:04:03 AM
    System Uptime: 5/17/2014 1:35:42 PM (1 hours ago)
    .
    Motherboard: Dell Inc. | | 04G65K
    Processor: Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz | U3E1 | 2501/100mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 912 GiB total, 799.021 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP152: 5/15/2014 10:26:47 AM - Removed DriverUpdate
    RP153: 5/15/2014 10:32:01 AM - Removed DriverUpdate
    RP154: 5/15/2014 5:15:05 PM - Windows Update
    RP155: 5/16/2014 5:44:05 PM - Removed Adobe Reader XI (11.0.07).
    RP156: 5/16/2014 5:45:42 PM - Removed Adobe Reader XI (11.0.07).
    RP157: 5/16/2014 5:46:38 PM - Removed Adobe Reader XI (11.0.07).
    RP158: 5/16/2014 5:47:04 PM - Removed Skype Click to Call
    RP159: 5/16/2014 6:21:05 PM - Removed DriverUpdate
    RP160: 5/16/2014 6:21:46 PM - Removed Skype™ 6.14
    RP161: 5/16/2014 6:23:03 PM - Removed H&R Block Deluxe + Efile + State 2012.
    RP162: 5/17/2014 7:52:30 AM - Removed DriverUpdate
    .
    ==== Installed Programs ======================
    .
    Accidental Damage Services Agreement
    Adobe AIR
    Adobe Community Help
    Adobe Photoshop Elements 9
    Adobe Premiere Elements 9
    Adobe Reader XI (11.0.07)
    Advanced Audio FX Engine
    AntiLogger SDK version 1.6.6.247
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoStudio 6
    AVG 2014
    Banctec Service Agreement
    Bonjour
    Canon Easy-PhotoPrint EX
    Canon Easy-PhotoPrint Pro - Pro9000 series Extention Data
    Canon Easy-PhotoPrint Pro - Pro9500 series Extention Data
    Canon Easy-WebPrint EX
    Canon IJ Network Scan Utility
    Canon IJ Network Scanner Selector EX
    Canon IJ Network Tool
    Canon MP Navigator EX 5.1
    Canon MX890 series MP Drivers
    Canon MX890 series On-screen Manual
    Canon MX890 series User Registration
    Canon My Printer
    Canon Solution Menu EX
    Canon Speed Dial Utility
    Canon Utilities Easy-PhotoPrint Pro
    Canon Utilities Solution Menu
    Complete Care Business Service Agreement
    Conexant SmartAudio HD
    Consumer In-Home Service Agreement
    Cozi
    D3DX10
    Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
    Dell DataSafe Local Backup
    Dell DataSafe Local Backup - Support Software
    Dell DataSafe Online
    Dell Edoc Viewer
    Dell Getting Started Guide
    Dell Home Systems Service Agreement
    Dell MusicStage
    Dell PhotoStage
    Dell Stage
    Dell Stage Remote
    Dell Touchpad
    Dell VideoStage
    Dell Webcam Central
    DING!
    DriverUpdate
    eBay
    Elements 9 Organizer
    Elements STI Installer
    Elevated Installer
    Facebook Video Calling 2.0.0.447
    Garmin City Navigator North America NT 2013.40 Update
    Garmin Communicator Plugin x64
    Garmin Express
    Garmin Express Tray
    Garmin Update Service
    Google Chrome
    Google Update Helper
    H&R Block Deluxe + Efile + State 2012
    H&R Block Maryland 2012
    iCloud
    Intel PROSet Wireless
    Intel(R) Control Center
    Intel(R) Management Engine Components
    Intel(R) Processor Graphics
    Intel(R) PROSet/Wireless for Bluetooth(R) 3.0 + High Speed
    Intel(R) PROSet/Wireless Software for Bluetooth(R) Technology
    Intel(R) Rapid Storage Technology
    Intel(R) Turbo Boost Technology Monitor 2.0
    Intel(R) USB 3.0 eXtensible Host Controller Driver
    Intel(R) WiDi
    Intel(R) Wireless Display
    Intel® PROSet/Wireless WiFi Software
    Intel® Trusted Connect Service Client
    iTunes
    Java 7 Update 9
    Junk Mail filter update
    Malwarebytes Anti-Malware version 2.0.1.1004
    Memeo AutoSync
    Memeo Instant Backup
    Mesh Runtime
    Microsoft .NET Framework 4.5.1
    Microsoft Application Error Reporting
    Microsoft Money 2006
    Microsoft Office 2010
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office Office 64-bit Components 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared 64-bit MUI (English) 2010
    Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
    Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_CRT_x86
    MSVCRT
  5. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 11.0.9600.17041
    Run by Holly at 14:05:42 on 2014-05-17
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8094.5020 [GMT -4:00]
    .
    AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
    .
    ============== Running Processes ===============
    .
    c:\PROGRA~2\AVG\AVG2014\avgrsa.exe
    C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
    C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
    C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
    C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
    C:\Program Files\Conexant\SA3\CxUtilSvc.exe
    C:\Program Files\Intel\WiFi\bin\EvtEng.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
    C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Elantech\ETDCtrl.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
    C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
    C:\Program Files\Conexant\SA3\SmartAudio3.exe
    C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe
    svchost.exe
    C:\Program Files (x86)\Southwest Airlines\Ding\Ding.exe
    c:\Program Files\Intel\iCLS Client\HeciServer.exe
    C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
    C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
    C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
    C:\Program Files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
    C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
    C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe
    C:\Program Files (x86)\AVG\AVG2014\avgui.exe
    C:\Program Files (x86)\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
    C:\Program Files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
    C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files (x86)\Seagate\Seagate Dashboard\MemeoDashboard.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
    C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
    C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\SysWOW64\ctfmon.exe
    C:\Program Files (x86)\Memeo\AutoBackup\InstantBackup.exe
    C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Elantech\ETDCtrlHelper.exe
    C:\Windows\splwow64.exe
    C:\Program Files\Elantech\ETDGesture.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files (x86)\Seagate\Seagate Dashboard\HipServAgent\HipServAgent.exe
    C:\Program Files (x86)\Canon\Solution Menu EX\CNSEUPDT.EXE
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
    C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
    C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
    C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
    C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    svchost.exe
  6. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Welcome aboard [​IMG]

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================

    [​IMG] Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2

    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    [​IMG] Create new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
  7. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Holly [Admin rights]
    Mode : Remove -- Date : 05/17/2014 17:15:55
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 8 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : AVG-Secure-Search-Update_1113a (C:\Users\Holly\AppData\Roaming\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /mid=f733ef60792247d3a7c9b91405c3a15b-d625e72e9bf75e582594fd1d74c5f332a2e774d9 /CMPID=1113a [x][x]) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : uqabfoja ("C:\Users\Holly\AppData\Local\iwvtngpp.exe" [-]) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : qmaitnbx ("C:\Users\Holly\AppData\Local\pxohlmjr.exe" [-]) -> DELETED
    [RUN][SUSP PATH] HKUS\S-1-5-21-2387700919-4103196123-1702309283-1001\[...]\Run : AVG-Secure-Search-Update_1113a (C:\Users\Holly\AppData\Roaming\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /mid=f733ef60792247d3a7c9b91405c3a15b-d625e72e9bf75e582594fd1d74c5f332a2e774d9 /CMPID=1113a [x][x]) -> [0x2] The system cannot find the file specified.
    [RUN][SUSP PATH] HKUS\S-1-5-21-2387700919-4103196123-1702309283-1001\[...]\Run : uqabfoja ("C:\Users\Holly\AppData\Local\iwvtngpp.exe" [-]) -> [0x2] The system cannot find the file specified.
    [RUN][SUSP PATH] HKUS\S-1-5-21-2387700919-4103196123-1702309283-1001\[...]\Run : qmaitnbx ("C:\Users\Holly\AppData\Local\pxohlmjr.exe" [-]) -> [0x2] The system cannot find the file specified.
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
  8. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Holly [Admin rights]
    Mode : Remove -- Date : 05/17/2014 17:15:55
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 8 ¤¤¤
    [RUN][SUSP PATH] HKCU\[...]\Run : AVG-Secure-Search-Update_1113a (C:\Users\Holly\AppData\Roaming\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /mid=f733ef60792247d3a7c9b91405c3a15b-d625e72e9bf75e582594fd1d74c5f332a2e774d9 /CMPID=1113a [x][x]) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : uqabfoja ("C:\Users\Holly\AppData\Local\iwvtngpp.exe" [-]) -> DELETED
    [RUN][SUSP PATH] HKCU\[...]\Run : qmaitnbx ("C:\Users\Holly\AppData\Local\pxohlmjr.exe" [-]) -> DELETED
    [RUN][SUSP PATH] HKUS\S-1-5-21-2387700919-4103196123-1702309283-1001\[...]\Run : AVG-Secure-Search-Update_1113a (C:\Users\Holly\AppData\Roaming\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /mid=f733ef60792247d3a7c9b91405c3a15b-d625e72e9bf75e582594fd1d74c5f332a2e774d9 /CMPID=1113a [x][x]) -> [0x2] The system cannot find the file specified.
    [RUN][SUSP PATH] HKUS\S-1-5-21-2387700919-4103196123-1702309283-1001\[...]\Run : uqabfoja ("C:\Users\Holly\AppData\Local\iwvtngpp.exe" [-]) -> [0x2] The system cannot find the file specified.
    [RUN][SUSP PATH] HKUS\S-1-5-21-2387700919-4103196123-1702309283-1001\[...]\Run : qmaitnbx ("C:\Users\Holly\AppData\Local\pxohlmjr.exe" [-]) -> [0x2] The system cannot find the file specified.
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD10JPVT-75A1YT0 +++++
    --- User ---
    [MBR] e8efc619c1e8a35b0730bc0f034ffb00
    [BSP] b325ad40e449de014c4a034df84f3707 : Windows Vista MBR Code
    Partition table:
    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 20286 MB
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 41627648 | Size: 933542 MB
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_D_05172014_171555.txt >>
    RKreport[0]_S_05172014_165007.txt
  9. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Still waiting for MBAR logs.
  10. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    Sorry, I thought I was done. I'm running that now.
  11. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    Malwarebytes Anti-Rootkit BETA 1.07.0.1009
    www.malwarebytes.org

    Database version: v2014.05.18.01

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 11.0.9600.17107
    Holly :: HOLLY-LAPTOP2 [administrator]

    5/18/2014 12:05:27 AM
    mbar-log-2014-05-18 (00-05-27).txt

    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Objects scanned: 296537
    Time elapsed: 17 minute(s), 2 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    Physical Sectors Detected: 0
    (No malicious items detected)

    (end)
     
  12. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1009

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7601 Windows 7 Service Pack 1 x64

    Account is Administrative

    Internet Explorer version: 11.0.9600.17107

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 2.494000 GHz
    Memory total: 8487546880, free: 4529217536

    Downloaded database version: v2014.05.18.01
    Downloaded database version: v2014.03.27.01
    =======================================
    Initializing...
    Done!
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 216E4808

    Partition information:

    Partition 0 type is Other (0xde)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 80262

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 81920 Numsec = 41545728
    Partition file system is NTFS
    Partition is bootable

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 41627648 Numsec = 1911894016

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 1000204886016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-1953505168-1953525168)...
    Done!
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-I.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\VBR-0-1-81920-I.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR-0-r.mbam...
    Removal finished
  13. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    Is this all I need to do? Nothing was found on this last scan. When all this is finished should I uninstall these programs you had me download?

    Thanks for your help.

    Holly
  14. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    We're not done...
    From my rules:
    Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error Illegal operation attempted on a registery key that has been marked for deletion, restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
  15. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    I wasn't going to quit until you said so. I just thought we were done. My computer seems to be running well now.
    Do I have to uninstall the AVG on my computer to download the Combofix, or can I just disable it temporarily? Also the Malwarebytes anti malware program you had me install, do I need to disable or uninstall it before the Combofix? If so, can you tell me how I do that? Thanks.
  16. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    My AVG is 2014 version.
  17. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Yes, you have to uninstall AVG as my instructions say.
  18. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    ComboFix 14-05-16.01 - Holly 05/18/2014 19:53:38.1.4 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8094.5058 [GMT -4:00]
    Running from: c:\users\Holly\Downloads\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\END
    c:\programdata\PCDr\6426\AddOnDownloaded\0bb0beb6-da93-477d-980d-15bb6e2df09c.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\434373b7-17f4-4a5e-9e8f-2c1bb65cd9e5.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\59be3af2-87f2-4d3a-b380-7509f3d47c40.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\64882123-3c6f-4e15-8579-c6d1ba56c9de.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\8745715d-dc8a-4b32-b6a6-89cd3d0cc3c5.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\9c07cc30-4011-4e36-a63d-e59077a22429.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\ad817bdc-639c-43e8-b06b-897bcb5b8f23.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\aeffdb78-a789-4b6a-b2c2-f85f9b4863e6.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\bc1b45ef-7c18-4b8a-95cd-f77c43d4f7df.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\c6bf01ba-05a7-4930-b8dd-7c5fd03e97ac.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\d114d5a6-2ec4-4056-a365-d6281d97c6b6.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\d48ca7e0-0e31-445b-a98c-56b7318daa06.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\e0db530c-27fc-4e55-af38-073796a09e9d.dll
    c:\programdata\PCDr\6426\AddOnDownloaded\e5847967-7dc8-4833-8ca6-09af078c1bcb.dll
    c:\programdata\Roaming
    c:\users\Holly\AppData\Local\iwvtngpp.exe
    c:\users\Holly\AppData\Local\Microsoft\Windows\Temporary Internet Files\{DA8AAF75-5D56-4202-8B36-F428D7629730}.xps
    c:\users\Holly\AppData\Local\pxohlmjr.exe
    c:\windows\RPSETUP.EXE.LOG
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-04-19 to 2014-05-19 )))))))))))))))))))))))))))))))
    .
    .
    2014-05-19 00:02 . 2014-05-19 00:02 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-05-19 00:02 . 2014-05-19 00:02 -------- d-----w- c:\users\Mike\AppData\Local\temp
    2014-05-18 04:05 . 2014-05-18 04:22 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2014-05-17 17:19 . 2014-05-18 23:48 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-05-17 17:19 . 2014-05-18 04:04 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
    2014-05-17 17:19 . 2014-05-17 17:19 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
    2014-05-17 17:19 . 2014-05-17 17:19 -------- d-----w- c:\programdata\Malwarebytes
    2014-05-17 17:19 . 2014-04-03 13:51 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
    2014-05-17 17:19 . 2014-04-03 13:50 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
    2014-05-16 21:39 . 2014-05-16 21:40 -------- d-----w- c:\users\Holly\AppData\Roaming\Penumoas
    2014-05-16 20:59 . 2014-05-16 21:00 -------- d-----w- c:\users\Holly\AppData\Roaming\Efefem
    2014-05-15 21:19 . 2014-05-06 04:40 23544320 ----a-w- c:\windows\system32\mshtml.dll
    2014-05-15 21:19 . 2014-05-06 03:00 84992 ----a-w- c:\windows\system32\mshtmled.dll
    2014-05-15 21:19 . 2014-05-06 04:17 2724864 ----a-w- c:\windows\system32\mshtml.tlb
    2014-05-15 21:19 . 2014-05-06 03:07 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2014-05-15 20:43 . 2014-05-15 20:44 -------- d-----w- c:\users\Holly\AppData\Roaming\Nuebiw
    2014-05-14 22:44 . 2014-05-14 22:44 -------- d-----w- c:\users\Holly\AppData\Roaming\Nuwiziac
    2014-05-13 21:43 . 2014-05-13 21:44 -------- d-----w- c:\users\Holly\AppData\Roaming\Guxozak
    2014-05-13 17:41 . 2014-05-13 17:41 -------- d-----w- c:\users\Holly\AppData\Roaming\Ykavbim
    2014-05-13 13:45 . 2014-05-13 13:45 -------- d-----w- c:\users\Holly\AppData\Roaming\Ziuvlyys
    2014-05-12 21:49 . 2014-05-12 21:50 -------- d-----w- c:\users\Holly\AppData\Roaming\Azetvimu
    2014-05-12 19:51 . 2014-05-12 19:52 -------- d-----w- c:\users\Holly\AppData\Roaming\Etumafi
    2014-05-11 12:28 . 2014-05-11 12:28 -------- d-----w- c:\users\Holly\AppData\Roaming\Yhzeuwro
    2014-05-10 22:10 . 2014-05-10 22:10 -------- d-----w- c:\users\Holly\AppData\Roaming\Idmefyu
    2014-05-10 17:43 . 2014-05-10 17:43 -------- d-----w- c:\users\Holly\AppData\Roaming\Diuxecf
    2014-05-09 01:38 . 2014-05-09 01:39 -------- d-----w- c:\users\Holly\AppData\Roaming\Sofenym
    2014-05-08 23:52 . 2014-05-08 23:53 -------- d-----w- c:\users\Holly\AppData\Roaming\Nicoumoc
    2014-05-08 18:40 . 2014-05-08 23:41 -------- d-----w- c:\users\Holly\AppData\Roaming\Sypeolu
    2014-05-08 18:37 . 2014-05-08 18:37 -------- d-----w- c:\users\Holly\AppData\Roaming\Aslautug
    2014-05-08 13:48 . 2014-05-08 13:48 227704 ----a-w- c:\program files (x86)\Internet Explorer\Plugins\nppdf32.dll
    2014-05-07 17:40 . 2014-05-07 17:41 -------- d-----w- c:\users\Holly\AppData\Roaming\Yzheroan
    2014-05-07 11:27 . 2014-05-07 11:28 -------- d-----w- c:\users\Holly\AppData\Roaming\Ufimge
    2014-05-07 07:03 . 2014-05-07 07:03 -------- d-----w- c:\users\Holly\AppData\Roaming\Pyvaloe
    2014-05-07 07:00 . 2014-05-15 21:22 -------- d-s---w- c:\windows\system32\CompatTel
    2014-05-06 18:22 . 2014-05-06 18:23 -------- d-----w- c:\users\Holly\AppData\Roaming\Uqocigre
    2014-05-05 21:54 . 2014-05-05 21:55 -------- d-----w- c:\users\Holly\AppData\Roaming\Itniuny
    2014-05-05 17:42 . 2014-05-05 17:43 -------- d-----w- c:\users\Holly\AppData\Roaming\Avsoimu
    2014-05-05 13:39 . 2014-05-05 13:39 -------- d-----w- c:\users\Holly\AppData\Roaming\Irloihu
    2014-05-04 21:49 . 2014-05-04 21:49 -------- d-----w- c:\users\Holly\AppData\Roaming\Venihit
    2014-05-04 19:39 . 2014-05-04 19:39 -------- d-----w- c:\users\Holly\AppData\Roaming\Ypzyamo
    2014-05-04 12:51 . 2014-05-04 12:52 -------- d-----w- c:\users\Holly\AppData\Roaming\Laacyrac
    2014-05-04 07:03 . 2014-05-04 13:00 -------- d-----w- c:\users\Holly\AppData\Roaming\Fagayx
    2014-05-03 21:49 . 2014-05-04 12:51 -------- d-----w- c:\users\Holly\AppData\Roaming\Ommiydit
    2014-04-29 12:13 . 2014-03-06 09:19 8011776 ----a-w- c:\program files\Internet Explorer\F12Resources.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-05-18 23:46 . 2014-03-27 12:39 16152 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
    2014-05-15 21:16 . 2012-09-12 12:44 93223848 ----a-w- c:\windows\system32\MRT.exe
    2014-04-15 06:34 . 2014-04-15 06:34 1070232 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
    2014-03-04 09:44 . 2014-04-09 22:45 362496 ----a-w- c:\windows\system32\wow64win.dll
    2014-03-04 09:44 . 2014-04-09 22:45 243712 ----a-w- c:\windows\system32\wow64.dll
    2014-03-04 09:44 . 2014-04-09 22:45 13312 ----a-w- c:\windows\system32\wow64cpu.dll
    2014-03-04 09:44 . 2014-04-09 22:45 16384 ----a-w- c:\windows\system32\ntvdm64.dll
    2014-03-04 09:44 . 2014-04-09 22:45 1163264 ----a-w- c:\windows\system32\kernel32.dll
    2014-03-04 09:17 . 2014-04-09 22:45 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
    2014-03-04 09:17 . 2014-04-09 22:45 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2014-03-04 09:16 . 2014-04-09 22:45 25600 ----a-w- c:\windows\SysWow64\setup16.exe
    2014-03-04 09:16 . 2014-04-09 22:45 5120 ----a-w- c:\windows\SysWow64\wow32.dll
    2014-03-04 08:09 . 2014-04-09 22:45 7680 ----a-w- c:\windows\SysWow64\instnm.exe
    2014-03-04 08:09 . 2014-04-09 22:45 2048 ----a-w- c:\windows\SysWow64\user.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{e2ed319e-719c-474d-8236-dcc9bdc13bdb}"= "c:\program files (x86)\MessageViewer_3\prxtbMess.dll" [2013-12-24 226592]
    .
    [HKEY_CLASSES_ROOT\clsid\{e2ed319e-719c-474d-8236-dcc9bdc13bdb}]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\~\Browser Helper Objects\{e2ed319e-719c-474d-8236-dcc9bdc13bdb}]
    2013-12-24 08:47 226592 ----a-w- c:\program files (x86)\MessageViewer_3\prxtbMess.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
    "{e2ed319e-719c-474d-8236-dcc9bdc13bdb}"= "c:\program files (x86)\MessageViewer_3\prxtbMess.dll" [2013-12-24 226592]
    .
    [HKEY_CLASSES_ROOT\clsid\{e2ed319e-719c-474d-8236-dcc9bdc13bdb}]
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2013-03-27 1098072]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-11-30 284440]
    "USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-02-17 291608]
    "Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2011-04-13 503942]
    "AccuWeatherWidget"="c:\program files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe" [2011-11-03 957440]
    "Seagate Dashboard"="c:\program files (x86)\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2011-06-01 79112]
    "BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
    "ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
    "IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-05-19 136544]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-02-13 43848]
    "CanonSolutionMenuEx"="c:\program files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE" [2011-08-04 1637496]
    "IJNetworkScannerSelectorEX"="c:\program files (x86)\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2011-07-25 468112]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
    "Memeo AutoSync"="c:\program files (x86)\Memeo\AutoSync\MemeoLauncher2.exe" [2010-04-16 144608]
    "Memeo Instant Backup"="c:\program files (x86)\Memeo\AutoBackup\MemeoLauncher2.exe" [2010-01-12 169184]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-01-17 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-02-21 152392]
    .
    c:\users\Mike\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Intel(R) Turbo Boost Technology Monitor 2.0.lnk - c:\program files\Intel\TurboBoost\SignalIslandUi.exe [2010-11-29 204288]
    .
    c:\users\Holly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    DING!.lnk - c:\program files (x86)\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt32(3).dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
    "mixer3"=wdmaud.drv
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 IDVaultSvc;CGPS Service;c:\program files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe;c:\program files (x86)\Constant Guard Protection Suite\IDVaultSvc.exe [x]
    R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
    R3 AMPPALP;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Protocol;c:\windows\system32\DRIVERS\amppal.sys;c:\windows\SYSNATIVE\DRIVERS\amppal.sys [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R3 intaud_WaveExtensible;Intel WiDi Audio Device;c:\windows\system32\drivers\intelaud.sys;c:\windows\SYSNATIVE\drivers\intelaud.sys [x]
    R3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe;c:\progra~1\mcafee\msc\mcawfwk.exe [x]
    R3 MyWiFiDHCPDNS;Wireless PAN DHCP Server;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe;c:\program files\Intel\WiFi\bin\PanDhcpDns.exe [x]
    R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys;c:\windows\SYSNATIVE\DRIVERS\SWDUMon.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 TurboBoost;Intel(R) Turbo Boost Technology Monitor 2.0;c:\program files\Intel\TurboBoost\TurboBoost.exe;c:\program files\Intel\TurboBoost\TurboBoost.exe [x]
    R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
    S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\drivers\iusb3hcs.sys;c:\windows\SYSNATIVE\drivers\iusb3hcs.sys [x]
    S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
    S1 AntiLog32;AntiLog32;c:\windows\system32\drivers\AntiLog64.sys;c:\windows\SYSNATIVE\drivers\AntiLog64.sys [x]
    S2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;c:\program files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [x]
    S2 AMPPALR3;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Service;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe;c:\program files\Intel\BluetoothHS\BTHSAmpPalService.exe [x]
    S2 Bluetooth Device Monitor;Bluetooth Device Monitor;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe;c:\program files (x86)\Intel\Bluetooth\devmonsrv.exe [x]
    S2 Bluetooth OBEX Service;Bluetooth OBEX Service;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe;c:\program files (x86)\Intel\Bluetooth\obexsrv.exe [x]
    S2 BTHSSecurityMgr;Intel(R) Centrino(R) Wireless Bluetooth(R) 3.0 + High Speed Security Service;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe;c:\program files\Intel\BluetoothHS\BTHSSecurityMgr.exe [x]
    S2 c2cautoupdatesvc;Skype Click to Call Updater;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe;c:\program files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [x]
    S2 c2cpnrsvc;Skype Click to Call PNR Service;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe;c:\program files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [x]
    S2 CxUtilSvc;CxUtilSvc;c:\program files\Conexant\SA3\CxUtilSvc.exe;c:\program files\Conexant\SA3\CxUtilSvc.exe [x]
    S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
    S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
    S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
    S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
    S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
    S2 MemeoBackgroundService;MemeoBackgroundService;c:\program files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe;c:\program files (x86)\Memeo\AutoBackup\MemeoBackgroundService.exe [x]
    S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
    S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe;c:\program files (x86)\Seagate\Seagate Dashboard\SeagateDashboardService.exe [x]
    S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [x]
    S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys;c:\windows\SYSNATIVE\DRIVERS\TurboB.sys [x]
    S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
    S2 ZeroConfigService;Intel(R) PROSet/Wireless Zero Configuration Service;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe;c:\program files\Intel\WiFi\bin\ZeroConfigService.exe [x]
    S3 AMPPAL;Intel® Centrino® Wireless Bluetooth® 3.0 + High Speed Virtual Adapter;c:\windows\system32\DRIVERS\AMPPAL.sys;c:\windows\SYSNATIVE\DRIVERS\AMPPAL.sys [x]
    S3 Bluetooth Media Service;Bluetooth Media Service;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe;c:\program files (x86)\Intel\Bluetooth\mediasrv.exe [x]
    S3 btmaux;Intel Bluetooth Auxiliary Service;c:\windows\system32\DRIVERS\btmaux.sys;c:\windows\SYSNATIVE\DRIVERS\btmaux.sys [x]
    S3 btmhsf;btmhsf;c:\windows\system32\DRIVERS\btmhsf.sys;c:\windows\SYSNATIVE\DRIVERS\btmhsf.sys [x]
    S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]
    S3 ETD;Dell Touchpad;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys [x]
    S3 ibtfltcoex;ibtfltcoex;c:\windows\system32\DRIVERS\iBtFltCoex.sys;c:\windows\SYSNATIVE\DRIVERS\iBtFltCoex.sys [x]
    S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
    S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
    S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
    S3 iwdbus;IWD Bus Enumerator;c:\windows\system32\DRIVERS\iwdbus.sys;c:\windows\SYSNATIVE\DRIVERS\iwdbus.sys [x]
    S3 keycrypt;keycrypt;c:\windows\system32\DRIVERS\KeyCrypt64.sys;c:\windows\SYSNATIVE\DRIVERS\KeyCrypt64.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
    S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
    S3 RSUSBVSTOR;RtsUVStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTSUVSTOR.sys;c:\windows\SYSNATIVE\Drivers\RTSUVSTOR.sys [x]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
  19. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    .
    *NewlyCreated* - MBAMSWISSARMY
    *NewlyCreated* - MBAMWEBACCESSCONTROL
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    2014-05-15 20:42 1077576 ----a-w- c:\program files (x86)\Google\Chrome\Application\34.0.1847.137\Installer\chrmstp.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-05-18 c:\windows\Tasks\DriverUpdate Startup.job
    - c:\program files (x86)\DriverUpdate\DriverUpdate.exe [2014-03-19 16:34]
    .
    2014-05-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2387700919-4103196123-1702309283-1001Core.job
    - c:\users\Holly\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-12-24 22:52]
    .
    2014-05-18 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-2387700919-4103196123-1702309283-1001UA.job
    - c:\users\Holly\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-12-24 22:52]
    .
    2014-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-11-06 20:25]
    .
    2014-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-11-06 20:25]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ETDCtrl"="c:\program files\Elantech\ETDCtrl.exe" [2012-01-17 2895656]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-31 170264]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-31 398616]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-31 440600]
    "IntelTBRunOnce"="wscript.exe" [2013-10-12 168960]
    "SmartAudio"="c:\program files\CONEXANT\SA3\SACpl.exe" [2011-09-08 1628288]
    "BTMTrayAgent"="c:\program files (x86)\Intel\Bluetooth\btmshell.dll" [2011-12-20 11406608]
    "Stage Remote"="c:\program files (x86)\Dell\Stage Remote\StageRemote.exe" [2011-06-28 2022976]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-29 497648]
    "DellStage"="c:\program files (x86)\Dell Stage\Dell Stage\stage_primary.exe" [2011-11-03 2190704]
    "CanonSolutionMenu"="c:\program files (x86)\Canon\SolutionMenu\CNSLMAIN.exe" [2009-03-18 767312]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2011-07-19 2780776]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=c:\progra~2\KEYCRY~1\KeyCrypt64(3).dll
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://www.google.com/ig
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 192.168.2.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Wow6432Node-HKCU-Run-096C1621D44C6B000D2E0A4CD651AE54AD841217._service_run - c:\users\Holly\AppData\Local\Google\Chrome\Application\chrome.exe
    HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
    Toolbar-Locked - (no file)
    WebBrowser-{E2ED319E-719C-474D-8236-DCC9BDC13BDB} - (no file)
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
    @Denied: (A) (Everyone)
    "Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
    @Denied: (A) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
    "Key"="ActionsPane3"
    "Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-05-18 20:07:16
    ComboFix-quarantined-files.txt 2014-05-19 00:07
    .
    Pre-Run: 856,194,236,416 bytes free
    Post-Run: 862,466,543,616 bytes free
    .
    - - End Of File - - F2CC6A276CC7715AE5885F36FA6BDFDE
  20. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    1. Please open Notepad (Start>All Programs>Accessories>Notepad).

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\users\Holly\AppData\Roaming\Aslautug
    c:\users\Holly\AppData\Roaming\Sypeolu
    c:\users\Holly\AppData\Roaming\Nicoumoc
    c:\users\Holly\AppData\Roaming\Sofenym
    c:\users\Holly\AppData\Roaming\Diuxecf
    c:\users\Holly\AppData\Roaming\Idmefyu
    c:\users\Holly\AppData\Roaming\Yhzeuwro
    c:\users\Holly\AppData\Roaming\Etumafi
    c:\users\Holly\AppData\Roaming\Azetvimu
    c:\users\Holly\AppData\Roaming\Ziuvlyys
    c:\users\Holly\AppData\Roaming\Ykavbim
    c:\users\Holly\AppData\Roaming\Guxozak
    c:\users\Holly\AppData\Roaming\Nuwiziac
    c:\users\Holly\AppData\Roaming\Nuebiw
    c:\users\Holly\AppData\Roaming\Efefem
    c:\users\Holly\AppData\Roaming\Penumoas
    c:\users\Holly\AppData\Roaming\Ommiydit
    c:\users\Holly\AppData\Roaming\Fagayx
    c:\users\Holly\AppData\Roaming\Laacyrac
    c:\users\Holly\AppData\Roaming\Ypzyamo
    c:\users\Holly\AppData\Roaming\Venihit
    c:\users\Holly\AppData\Roaming\Irloihu
    c:\users\Holly\AppData\Roaming\Avsoimu
    c:\users\Holly\AppData\Roaming\Itniuny
    c:\users\Holly\AppData\Roaming\Uqocigre
    c:\users\Holly\AppData\Roaming\Pyvaloe
    c:\users\Holly\AppData\Roaming\Ufimge
    c:\users\Holly\AppData\Roaming\Yzheroan
    
    ClearJavaCache::
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  21. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    I'm sorry, I don't see Combofix.exe on my computer. I tried reloading it, but it runs then closes. what am I doing wrong? I have copied and pasted into notepad, but can not see Combofix to drop it into.
  22. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    We can remove those folders later with different tool.

    You can reinstall AVG now.

    [​IMG] Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    [​IMG] Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    [​IMG] Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
  23. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    # AdwCleaner v3.209 - Report created 18/05/2014 at 23:04:21
    # Updated 18/05/2014 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : Holly - HOLLY-LAPTOP2
    # Running from : C:\Users\Holly\Downloads\adwcleaner_3.209.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\ProgramData\Conduit
    Folder Deleted : C:\Program Files (x86)\Conduit
    Folder Deleted : C:\Program Files (x86)\MessageViewer_3
    Folder Deleted : C:\Users\Holly\AppData\Local\Conduit
    Folder Deleted : C:\Users\Holly\AppData\Local\NativeMessaging
    Folder Deleted : C:\Users\Holly\AppData\LocalLow\Conduit
    Folder Deleted : C:\Users\Holly\AppData\LocalLow\PriceGong
    Folder Deleted : C:\Users\Holly\AppData\LocalLow\MessageViewer_3
    Folder Deleted : C:\Users\Holly\AppData\Roaming\targus
    File Deleted : C:\Windows\Tasks\driverupdate startup.job
    File Deleted : C:\Windows\System32\Tasks\driverupdate startup

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\conduit.com
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\conduitapps.com
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3320244
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E2ED319E-719C-474D-8236-DCC9BDC13BDB}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8DB082FB-C66C-4992-98D5-7F47217549F7}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E2ED319E-719C-474D-8236-DCC9BDC13BDB}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2ED319E-719C-474D-8236-DCC9BDC13BDB}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DB082FB-C66C-4992-98D5-7F47217549F7}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E2ED319E-719C-474D-8236-DCC9BDC13BDB}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8DB082FB-C66C-4992-98D5-7F47217549F7}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7B5CCD50-E5DB-42CD-B4E7-B74651A5B5F6}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{697A8EA0-5591-47E1-A363-293787072F49}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{E2ED319E-719C-474D-8236-DCC9BDC13BDB}]
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E2ED319E-719C-474D-8236-DCC9BDC13BDB}]
    Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{E2ED319E-719C-474D-8236-DCC9BDC13BDB}]
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{E2ED319E-719C-474D-8236-DCC9BDC13BDB}]
    Key Deleted : HKCU\Software\AVG SafeGuard toolbar
    Key Deleted : HKCU\Software\Conduit
    Key Deleted : HKCU\Software\AppDataLow\Toolbar
    Key Deleted : HKCU\Software\AppDataLow\Software\BackgroundContainer
    Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
    Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
    Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
    Key Deleted : HKCU\Software\AppDataLow\Software\MessageViewer_3
    Key Deleted : HKLM\Software\AVG SafeGuard toolbar
    Key Deleted : HKLM\Software\AVG Security Toolbar
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\Software\MessageViewer_3

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.17041


    -\\ Google Chrome v34.0.1847.137

    [ File : C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\preferences ]

    Deleted [Search Provider] : hxxp://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
    Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
    Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
    Deleted [Search Provider] : hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YRxdm002YYus&ptb=B61D0F17-64D7-4D24-B934-E0318C28B482&psa=&ind=2011032510&ptnrS=YRxdm002YYus&si=&st=sb&n=77ddebbe&searchfor={searchTerms}

    *************************

    AdwCleaner[R0].txt - [4199 octets] - [18/05/2014 23:03:03]
    AdwCleaner[S0].txt - [4456 octets] - [18/05/2014 23:04:21]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4516 octets] ##########
  24. fordmann

    fordmann Newcomer, in training Topic Starter Posts: 31

    I reinstalled AVG. I don't see a way to disable it temporarily to load the Junkware Removal tool. Do I need to uninstall it again and load the tool?
  25. Broni

    Broni Malware Annihilator Posts: 46,433   +252

    Keep AVG on and run JRT anyway.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.