Solved Linkbucks, new tab ads, and "update media" popups

Renee LaCombe

Renee LaCombe

Posts: 31   +1
Hello! I've been trying to get rid of linkbucks for several weeks now (it affects my PC, my laptop, and my Galaxy Legend). Recently I started getting these "update now" popups and new tabs with ads such as casino, etc. (PC only). I guess I'm in over my head. I'm happy to have found your forum and can't wait to find out what you think.
I'm not sure what you need to know at first, but my desktop is Win 7 Home Premium; AMD Athlon II x2 235e Processor, 2.70 Ghz; 6.0 GB RAM.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17041
Run by Renee at 15:58:52 on 2014-05-03
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5887.3752 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: avast! Antivirus *Enabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\EaseUS\EaseUS Partition Master 9.2.1 Home Edition\bin\EpmNews.exe
C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
C:\Program Files (x86)\SmarThru Office\BackUpSvr.exe
C:\Program Files (x86)\SmarThru Office\x64\LegacyLauncher.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\splwow64.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWinlogon: Userinit = userinit.exe,
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [Google Update] "C:\Users\Renee\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [EaseUS EPM tray] C:\Program Files (x86)\EaseUS\EaseUS Partition Master 9.2.1 Home Edition\bin\EpmNews.exe
mRun: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
mRun: [STO Backup Service] C:\Program Files (x86)\SmarThru Office\BackUpSvr.exe
mRun: [STO Launcher Service] C:\Program Files (x86)\SmarThru Office\x64\LegacyLauncher.exe /autorun
mRun: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mRun: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
mRun: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 199.182.166.168 199.182.166.169
TCP: Interfaces\{6C7E7903-C920-44F1-97EB-A52955DDB94A} : DHCPNameServer = 199.182.166.168 199.182.166.169
TCP: Interfaces\{6C7E7903-C920-44F1-97EB-A52955DDB94A}\348627F6D65636163747079636F6 : DHCPNameServer = 192.168.255.249
TCP: Interfaces\{6C7E7903-C920-44F1-97EB-A52955DDB94A}\65562796A7F6E602D494649443531303C4020373133302355636572756 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{6C7E7903-C920-44F1-97EB-A52955DDB94A}\74275656E644F6C6078696E6 : DHCPNameServer = 192.168.17.1
TCP: Interfaces\{6C7E7903-C920-44F1-97EB-A52955DDB94A}\C41636F6D62602C4255434 : DHCPNameServer = 69.27.130.50 69.27.130.51
TCP: Interfaces\{A3FB63F2-7C93-4B29-81EC-E43BC1EE2743} : DHCPNameServer = 192.168.17.1
TCP: Interfaces\{F064039E-8EFB-46D4-B015-AAC9A7CE95D5} : DHCPNameServer = 62.113.218.34 8.8.8.8
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\34.0.1847.131\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdisFlt;Avast! Firewall Driver;C:\Windows\System32\drivers\aswNdisFlt.sys [2014-4-20 447888]
R0 aswRvrt;avast! Revert;C:\Windows\System32\drivers\aswRvrt.sys [2014-1-9 65776]
R0 aswVmm;avast! VM Monitor;C:\Windows\System32\drivers\aswVmm.sys [2014-1-9 208416]
R0 vididr;Acronis Virtual Disk;C:\Windows\System32\drivers\vididr.sys [2013-2-9 210016]
R0 vidsflt53;Acronis Disk Storage Filter (53);C:\Windows\System32\drivers\vsflt53.sys [2013-2-9 141920]
R1 aswKbd;aswKbd;C:\Windows\System32\drivers\aswKbd.sys [2014-4-20 28184]
R1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2014-1-9 1039096]
R1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2014-1-9 423240]
R2 aswHwid;avast! HardwareID;C:\Windows\System32\drivers\aswHwid.sys [2014-4-20 29208]
R2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2014-1-9 79184]
R2 aswStm;aswStm;C:\Windows\System32\drivers\aswstm.sys [2014-1-9 85328]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2014-4-20 50344]
R2 avast! Firewall;avast! Firewall;C:\Program Files\AVAST Software\Avast\afwServ.exe [2014-4-20 109048]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-5-3 1809720]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-5-3 857912]
R2 SSPORT;SSPORT;C:\Windows\System32\drivers\SSPORT.sys [2011-3-14 11576]
R3 Linksys_adapter_H;Linksys Adapter Network Driver;C:\Windows\System32\drivers\AE2500w764.sys [2011-3-29 1254464]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-11-10 25816]
R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-5-3 119512]
R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-5-3 63192]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-3-1 161384]
S3 epmntdrv;epmntdrv;C:\Windows\System32\epmntdrv.sys [2013-1-24 17480]
S3 EuGdiDrv;EuGdiDrv;C:\Windows\System32\EuGdiDrv.sys [2013-1-24 9800]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2013-12-8 57840]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2014-3-31 1512640]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-5-3 111616]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2012-12-13 54784]
S3 USBTINSP;TI-Nspire(TM) Handheld or TI Network Bridge Device Driver;C:\Windows\System32\drivers\tinspusb.sys [2013-2-17 142848]
.
=============== Created Last 30 ================
.
2014-05-03 16:35:29 -------- d-----w- C:\Windows\Migration
2014-05-03 15:36:12 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-05-03 15:36:12 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-05-03 15:29:04 96768 ----a-w- C:\Windows\System32\fsutil.exe
2014-05-03 15:29:04 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe
2014-05-03 15:29:04 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys
2014-05-03 15:29:04 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys
2014-05-03 15:29:04 2565632 ----a-w- C:\Windows\System32\esent.dll
2014-05-03 15:29:04 1699328 ----a-w- C:\Windows\SysWow64\esent.dll
2014-05-03 15:29:04 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys
2014-05-03 15:29:04 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys
2014-05-03 15:29:04 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys
2014-05-03 15:21:21 67072 ----a-w- C:\Windows\splwow64.exe
2014-05-03 15:21:21 559104 ----a-w- C:\Windows\System32\spoolsv.exe
2014-05-03 11:22:01 119512 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-05-03 11:21:23 88280 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-05-03 11:21:23 63192 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-05-03 11:21:20 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-05-02 23:08:45 -------- d-----w- C:\Tom2014
2014-04-30 13:13:06 -------- d-----w- C:\Users\Renee\Prezi
2014-04-30 13:13:06 -------- d-----w- C:\Users\Renee\AppData\Roaming\com.prezi.PreziDesktop
2014-04-30 12:52:56 536576 ----a-w- C:\Windows\SysWow64\sqlite3.dll
2014-04-30 12:52:05 -------- d-----w- C:\AdwCleaner
2014-04-27 13:32:46 -------- d-----w- C:\Windows\en
2014-04-27 13:23:27 6081224 -c--a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\df703ea01cf621b01\onedrivesetup.exe
2014-04-20 13:15:04 29208 ----a-w- C:\Windows\System32\drivers\aswHwid.sys
2014-04-20 13:15:00 28184 ----a-w- C:\Windows\System32\drivers\aswKbd.sys
2014-04-20 13:14:49 43152 ----a-w- C:\Windows\avastSS.scr
2014-04-20 13:14:06 447888 ----a-w- C:\Windows\System32\drivers\aswNdisFlt.sys
2014-04-15 20:50:59 -------- d-----w- C:\Database
.
==================== Find3M ====================
.
2014-04-20 18:02:07 70832 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-20 18:02:07 692400 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-04-20 13:14:50 85328 ----a-w- C:\Windows\System32\drivers\aswstm.sys
2014-04-20 13:14:50 79184 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2014-04-20 13:14:50 65776 ----a-w- C:\Windows\System32\drivers\aswRvrt.sys
2014-04-20 13:14:50 208416 ----a-w- C:\Windows\System32\drivers\aswVmm.sys
2014-04-20 13:14:50 1039096 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2014-04-20 13:14:49 93568 ----a-w- C:\Windows\System32\drivers\aswRdr2.sys
2014-04-03 14:50:58 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-04-01 02:41:40 58568 ----a-w- C:\Windows\SysWow64\sirenacm.dll
2014-04-01 02:34:22 322248 ----a-w- C:\Windows\WLXPGSS.SCR
2014-03-04 09:44:21 362496 ----a-w- C:\Windows\System32\wow64win.dll
2014-03-04 09:44:21 243712 ----a-w- C:\Windows\System32\wow64.dll
2014-03-04 09:44:21 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2014-03-04 09:44:03 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2014-03-04 09:17:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2014-03-04 09:17:05 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2014-03-04 09:16:54 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2014-03-04 09:16:18 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2014-03-04 08:09:30 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2014-03-04 08:09:29 2048 ----a-w- C:\Windows\SysWow64\user.exe
2014-02-07 01:23:30 3156480 ----a-w- C:\Windows\System32\win32k.sys
2014-02-04 02:35:56 190912 ----a-w- C:\Windows\System32\drivers\storport.sys
2014-02-04 02:35:49 274880 ----a-w- C:\Windows\System32\drivers\msiscsi.sys
2014-02-04 02:35:35 27584 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2014-02-04 02:32:12 624128 ----a-w- C:\Windows\System32\qedit.dll
2014-02-04 02:28:36 2048 ----a-w- C:\Windows\System32\iologmsg.dll
2014-02-04 02:04:11 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2014-02-04 02:00:39 2048 ----a-w- C:\Windows\SysWow64\iologmsg.dll
.
============= FINISH: 16:00:04.45 ===============
 

Attachments

  • attach.zip
    2.8 KB · Views: 0
Oh! Also, I removed some programs from my Startup folder several days ago, and now the sound no longer works, and the Startup folder says "empty". :confused:
 
Welcome aboard

Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=============================

redtarget.gif
Please observe forum rules.
All logs have to be pasted not attached or zipped.
I expect Attach.txt log from DDS to be pasted into your next reply.

redtarget.gif
I still need MBAM log.
 
Okay - I misunderstood the instructions about attaching that file. Thanks for checking out my question.
Here is the contents of attach.txt, and below it is the contents of MBAM log:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 24-Jan-13 7:37:02 PM
System Uptime: 03-May-14 1:58:07 PM (3 hours ago)
.
Motherboard: eMachines | | MCP61PM-GM
Processor: AMD Athlon(tm) II X2 235e Processor | CPU 1 | 2700/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 892 GiB total, 657.285 GiB free.
D: is FIXED (NTFS) - 39 GiB total, 38.957 GiB free.
E: is CDROM ()
F: is FIXED (NTFS) - 0 GiB total, 0.069 GiB free.
G: is FIXED (NTFS) - 10 GiB total, 9.654 GiB free.
H: is FIXED (NTFS) - 223 GiB total, 51.017 GiB free.
J: is Removable
K: is Removable
L: is Removable
M: is Removable
N: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP128: 03-May-14 8:01:51 AM - Restore Point May 3 2014 rl
RP129: 03-May-14 10:42:12 AM - Windows Update
.
==== Installed Programs ======================
.
Acronis True Image WD Edition
Adobe Flash Player 13 ActiveX
Adobe Reader XI (11.0.06)
Airport Design Editor 9x Version 1.50.18.197
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Internet Security
Bonjour
Canadair Argonaut and North Star for FSX
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 3.0
Canon MP640 series MP Drivers
ChromecastApp
Classic Stars Screensaver 1.0
Common Desktop Agent
D3DX10
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
EaseUS Partition Master 9.2.1 Home Edition
Google Chrome
Google Update Helper
Hugin 2013.0.0
iCloud
iDRS(tm) OCR Software by I.R.I.S
Inkscape 0.48.4
IrfanView (remove only)
iTunes
Junk Mail filter update
Malwarebytes Anti-Malware version 2.0.1.1004
Microsoft .NET Framework 4.5.1
Microsoft Application Error Reporting
Microsoft Camera Codec Pack
Microsoft Flight Simulator X
Microsoft Flight Simulator X SDK
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Home and Student 2010
Microsoft Office Office 64-bit Components 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook Connector
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared 64-bit MUI (English) 2010
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Single Image 2010
Microsoft Office Word MUI (English) 2010
Microsoft OneDrive
Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable (x64)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.51106
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.51106
MiniTool Power Data Recovery
Movie Maker
MSVCRT
MSVCRT_amd64
MSVCRT110
MSVCRT110_amd64
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Neat Image v7.3.0 Demo Standalone
NVIDIA Control Panel 307.83
NVIDIA Graphics Driver 307.83
NVIDIA Install Application
NVIDIA Update 1.10.8
NVIDIA Update Components
Photo Common
Photo Gallery
Prezi
progeCAD 2009 Smart! ENG
PTGui Pro Trial 9.1.9
QuickTime
RealFlight 6.5 R/C Simulator
Samsung Easy Printer Manager
Samsung Printer Live Update
Samsung Scan Assistant
Samsung SCX-3400 Series
Scribus 1.4.3 (64bit)
SeaTools for Windows
Security Update for Microsoft Excel 2010 (KB2826033) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553284) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2687423) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826023) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2826035) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2850016) 32-Bit Edition
Security Update for Microsoft Word 2010 (KB2863926) 32-Bit Edition
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition
Skype™ 6.3
SmarThru Office
Team Manager 7.0 for Swimming
TI-Nspire™ CAS Student Software
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2837594) 32-Bit Edition
Update for Microsoft InfoPath 2010 (KB2817369) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft Office 2010 (KB2863818) 32-Bit Edition
Update for Microsoft Office 2010 (KB2878225) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2837595) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687567) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2837579) 32-Bit Edition
Update for Microsoft SharePoint Workspace 2010 (KB2760601) 32-Bit Edition
Update for Microsoft Visio 2010 (KB2553444) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
.
==== Event Viewer Messages From Past Week ========
.
30-Apr-14 9:00:14 PM, Error: Microsoft-Windows-WMPNSS-Service [14365] - Proximity detection failed due to unknown error '0x80004004'. The best proximity time detected was -1 milliseconds.
03-May-14 7:19:34 AM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
03-May-14 2:02:55 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Security Update for Internet Explorer 10 for Windows 7 for x64-based Systems (KB2909210).
03-May-14 2:02:55 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Cumulative Update for Internet Explorer 10 for Windows 7 Service Pack 1 for x64-based Systems (KB2936068).
03-May-14 2:02:55 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80242016: Cumulative Security Update for Internet Explorer 10 for Windows 7 Service Pack 1 for x64-based Systems (KB2925418).
03-May-14 11:22:19 AM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package (KB2538243).
01-May-14 3:45:16 PM, Error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{6C7E7903-C920-44F1-97EB-A52955DDB94A} because another computer on the network has the same name. The server could not start.
.
==== End Of File ===========================
Malwarebytes Anti-Malware
www.malwarebytes.org



Scan Date: 03-May-14
Scan Time: 9:26:04 AM
Logfile: scanlog 3may2014.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.03.04
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Renee

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 355682
Time Elapsed: 13 min, 13 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
 
redtarget.gif
Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2

  • Close all the running programs
  • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

redtarget.gif
Create new restore point before proceeding with the next step....
How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

Download Malwarebytes Anti-Rootkit (MBAR) from HERE
  • Unzip downloaded file.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
 
RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Renee [Admin rights]
Mode : Scan -- Date : 05/04/2014 14:13:00
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[SHELLSPWN] HKLM\[...]\command : ("C:\Program Files (x86)\Prezi\Prezi.exe" "%1") -> FOUND
[SHELLSPWN] HKCR\[...]\command : ("C:\Program Files (x86)\Prezi\Prezi.exe" "%1") -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V2][SUSP PATH] {1C9AE1C9-073E-4BD7-BF4F-BB8BCE648C5E} : C:\Users\Renee\Desktop\Tristan\Games\Racer\racer9\racer_nocg.exe [-] -> FOUND
[V2][SUSP PATH] {287EEA91-1FEB-4249-B304-E79B4871A5CA} : C:\Users\Renee\Desktop\CAD\pcad2009smarteng.exe [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> H:\windows\system32\config\SYSTEM | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\windows\system32\config\SOFTWARE | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\windows\system32\config\SECURITY | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\Users\Administrator King\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\Users\Default\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> H:\Users\Renee\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\Documents and Settings\Administrator King\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\Documents and Settings\Default\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> H:\Documents and Settings\Grumblub\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\Documents and Settings\Renee\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> H:\Documents and Settings\UpdatusUser\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts




¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) WDC WD10 EARX-32N0YB0 SCSI Disk Device +++++
--- User ---
[MBR] b4303b990c51be12feaca03dc241034c
[BSP] 836199e98876ac60da355cf4e2b50dc8 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 156 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 321300 | Size: 40021 MB
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 82284930 | Size: 101 MB
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 82493775 | Size: 913587 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ SCSI) WDC WD25 00AAJS-75B4A SCSI Disk Device +++++
--- User ---
[MBR] 537877d9d770ab7584a97d8dde4298dd
[BSP] 40a0a02561cd526ef00253f61bde5499 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 10000 MB
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20561920 | Size: 100 MB
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 20766720 | Size: 228277 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) Generic- Compact Flash USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ USB) Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive4: (\\.\PHYSICALDRIVE4 @ USB) Generic- SD/MMC USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive5: (\\.\PHYSICALDRIVE5 @ USB) Generic- MS/MS-Pro/HG USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive6: (\\.\PHYSICALDRIVE6 @ USB) Generic- SD/MMC/MS/MSPRO USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_S_05042014_141300.txt >>





RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Renee [Admin rights]
Mode : Remove -- Date : 05/04/2014 14:13:56
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[SHELLSPWN] HKLM\[...]\command : ("C:\Program Files (x86)\Prezi\Prezi.exe" "%1") -> REPLACED ("%1" %*)
[SHELLSPWN] HKCR\[...]\command : ("C:\Program Files (x86)\Prezi\Prezi.exe" "%1") -> REPLACED ("%1" %*)

¤¤¤ Scheduled tasks : 2 ¤¤¤
[V2][SUSP PATH] {1C9AE1C9-073E-4BD7-BF4F-BB8BCE648C5E} : C:\Users\Renee\Desktop\Tristan\Games\Racer\racer9\racer_nocg.exe [-] -> DELETED
[V2][SUSP PATH] {287EEA91-1FEB-4249-B304-E79B4871A5CA} : C:\Users\Renee\Desktop\CAD\pcad2009smarteng.exe [x] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤
-> H:\windows\system32\config\SYSTEM | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\windows\system32\config\SOFTWARE | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\windows\system32\config\SECURITY | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\Users\Administrator King\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\Users\Default\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> H:\Users\Renee\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\Documents and Settings\Administrator King\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\Documents and Settings\Default\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> H:\Documents and Settings\Grumblub\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
-> H:\Documents and Settings\Renee\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]
-> H:\Documents and Settings\UpdatusUser\NTUSER.DAT | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - NOT_FOUND]

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts



I only ran MBAR once because it said "Scan finished: No malware found" at the completion of the first run. Here is the log:

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ SCSI) WDC WD10 EARX-32N0YB0 SCSI Disk Device +++++
--- User ---
[MBR] b4303b990c51be12feaca03dc241034c
[BSP] 836199e98876ac60da355cf4e2b50dc8 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 156 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 321300 | Size: 40021 MB
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 82284930 | Size: 101 MB
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 82493775 | Size: 913587 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ SCSI) WDC WD25 00AAJS-75B4A SCSI Disk Device +++++
--- User ---
[MBR] 537877d9d770ab7584a97d8dde4298dd
[BSP] 40a0a02561cd526ef00253f61bde5499 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 10000 MB
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 20561920 | Size: 100 MB
3 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 20766720 | Size: 228277 MB
User = LL1 ... OK!
Error reading LL2 MBR! ([0x1] Incorrect function. )

+++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ USB) Generic- Compact Flash USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ USB) Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive4: (\\.\PHYSICALDRIVE4 @ USB) Generic- SD/MMC USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive5: (\\.\PHYSICALDRIVE5 @ USB) Generic- MS/MS-Pro/HG USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

+++++ PhysicalDrive6: (\\.\PHYSICALDRIVE6 @ USB) Generic- SD/MMC/MS/MSPRO USB Device +++++
Error reading User MBR! ([0x15] The device is not ready. )
User = LL1 ... OK!
Error reading LL2 MBR! ([0x32] The request is not supported. )

Finished : << RKreport[0]_D_05042014_141356.txt >>
RKreport[0]_S_05042014_141300.txt

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.05.04.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17041
Renee :: LIBRARY-PC [administrator]

04-May-14 2:21:05 PM
mbar-log-2014-05-04 (14-21-05).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 350281
Time elapsed: 18 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 
Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error Illegal operation attempted on a registery key that has been marked for deletion, restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
 
Yikes. Malwarebytes just told me it blocked a malicious website at "onclickads.net" :(

Here's the Combofix log:


ComboFix 14-04-30.01 - Renee 04-May-14 16:53:05.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5887.4108 [GMT -5:00]
Running from: c:\users\Renee\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
FW: avast! Antivirus *Disabled* {2F96FC65-F07D-9D1E-5A6E-3DA5C487EAF0}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Renee\AppData\Local\Microsoft\Windows\Temporary Internet Files\{A4CBEDE3-C57C-4AF4-86F8-740574DF4FC9}.xps
c:\users\Renee\AppData\Roaming\Microsoft\Windows\Recent\Thumbs.db
c:\users\Renee\FSViewerSetup48.exe
c:\windows\SSFM1032.DLL
c:\windows\usp10.dll
.
.
((((((((((((((((((((((((( Files Created from 2014-04-04 to 2014-05-04 )))))))))))))))))))))))))))))))
.
.
2014-05-04 22:54 . 2014-05-04 22:54 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-05-04 22:54 . 2014-05-04 22:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-05-04 22:54 . 2014-05-04 22:54 -------- d-----w- c:\users\Grumblub\AppData\Local\temp
2014-05-04 22:54 . 2014-05-04 22:54 -------- d-----w- c:\users\Administrator King\AppData\Local\temp
2014-05-04 19:20 . 2014-05-04 19:40 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-05-03 16:35 . 2014-05-03 16:35 -------- d-----w- c:\windows\Migration
2014-05-03 16:31 . 2013-10-14 23:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE
2014-05-03 16:01 . 2014-05-03 16:01 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2014-05-03 15:38 . 2014-03-04 09:44 1163264 ----a-w- c:\windows\system32\kernel32.dll
2014-05-03 15:36 . 2014-02-04 02:32 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-05-03 15:36 . 2014-02-04 02:04 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2014-05-03 15:29 . 2011-03-11 06:41 166272 ----a-w- c:\windows\system32\drivers\nvstor.sys
2014-05-03 15:29 . 2011-03-11 06:41 148352 ----a-w- c:\windows\system32\drivers\nvraid.sys
2014-05-03 15:29 . 2011-03-11 06:41 410496 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2014-05-03 15:29 . 2011-03-11 06:41 27008 ----a-w- c:\windows\system32\drivers\amdxata.sys
2014-05-03 15:29 . 2011-03-11 06:41 107904 ----a-w- c:\windows\system32\drivers\amdsata.sys
2014-05-03 15:29 . 2011-03-11 06:33 2565632 ----a-w- c:\windows\system32\esent.dll
2014-05-03 15:29 . 2011-03-11 06:30 96768 ----a-w- c:\windows\system32\fsutil.exe
2014-05-03 15:29 . 2011-03-11 05:33 1699328 ----a-w- c:\windows\SysWow64\esent.dll
2014-05-03 15:29 . 2011-03-11 05:31 74240 ----a-w- c:\windows\SysWow64\fsutil.exe
2014-05-03 15:29 . 2011-03-11 04:37 91648 ----a-w- c:\windows\system32\drivers\USBSTOR.SYS
2014-05-03 15:21 . 2012-02-11 06:36 559104 ----a-w- c:\windows\system32\spoolsv.exe
2014-05-03 15:21 . 2012-02-11 06:36 67072 ----a-w- c:\windows\splwow64.exe
2014-05-03 11:22 . 2014-05-04 21:03 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-03 11:21 . 2014-05-04 19:19 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-03 11:21 . 2014-04-03 14:51 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-03 11:21 . 2014-05-03 11:21 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-05-02 23:08 . 2014-05-02 23:12 -------- d-----w- C:\Tom2014
2014-04-30 13:13 . 2014-04-30 13:13 -------- d-----w- c:\users\Renee\AppData\Roaming\com.prezi.PreziDesktop
2014-04-30 13:13 . 2014-04-30 13:13 -------- d-----w- c:\users\Renee\Prezi
2014-04-30 12:52 . 2010-08-30 13:34 536576 ----a-w- c:\windows\SysWow64\sqlite3.dll
2014-04-30 12:52 . 2014-04-30 13:01 -------- d-----w- C:\AdwCleaner
2014-04-27 13:32 . 2014-04-27 13:32 -------- d-----w- c:\windows\en
2014-04-27 13:23 . 2014-04-27 13:23 6081224 -c--a-w- c:\program files (x86)\Common Files\Windows Live\.cache\df703ea01cf621b01\onedrivesetup.exe
2014-04-20 13:15 . 2014-04-20 13:14 29208 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-04-20 13:15 . 2014-04-20 13:14 28184 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2014-04-20 13:14 . 2014-04-20 13:14 43152 ----a-w- c:\windows\avastSS.scr
2014-04-20 13:14 . 2014-04-20 13:14 447888 ----a-w- c:\windows\system32\drivers\aswNdisFlt.sys
2014-04-15 20:50 . 2014-04-15 20:50 -------- d-----w- C:\Database
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-04-20 18:02 . 2013-02-01 02:54 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-04-20 18:02 . 2013-02-01 02:54 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-04-20 13:14 . 2014-01-09 12:27 85328 ----a-w- c:\windows\system32\drivers\aswstm.sys
2014-04-20 13:14 . 2014-01-09 12:27 208416 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-04-20 13:14 . 2014-01-09 12:27 65776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-04-20 13:14 . 2014-01-09 12:27 1039096 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-04-20 13:14 . 2014-01-09 12:26 423240 ----a-w- c:\windows\system32\drivers\aswSP.sys
2014-04-20 13:14 . 2014-01-09 12:26 79184 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-04-20 13:14 . 2014-01-09 12:26 334648 ----a-w- c:\windows\system32\aswBoot.exe
2014-04-20 13:14 . 2014-01-09 12:26 93568 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-04-03 14:50 . 2013-11-10 13:51 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-04-01 02:41 . 2014-04-01 02:41 58568 ----a-w- c:\windows\SysWow64\sirenacm.dll
2014-04-01 02:34 . 2014-04-01 02:34 322248 ----a-w- c:\windows\WLXPGSS.SCR
2014-03-31 08:51 . 2014-01-09 14:29 90655440 ----a-w- c:\windows\system32\MRT.exe
2014-03-04 09:17 . 2014-05-03 15:38 44032 ----a-w- c:\windows\apppatch\acwow64.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-04-27 13:25 223432 ----a-w- c:\users\Renee\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-04-27 13:25 223432 ----a-w- c:\users\Renee\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-04-27 13:25 223432 ----a-w- c:\users\Renee\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"EaseUS EPM tray"="c:\program files (x86)\EaseUS\EaseUS Partition Master 9.2.1 Home Edition\bin\EpmNews.exe" [2012-11-29 2086984]
"IJNetworkScanUtility"="c:\program files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-08-23 206240]
"STO Backup Service"="c:\program files (x86)\SmarThru Office\BackUpSvr.exe" [2012-01-13 199760]
"STO Launcher Service"="c:\program files (x86)\SmarThru Office\x64\LegacyLauncher.exe" [2012-01-13 405584]
"TrueImageMonitor.exe"="c:\program files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [2012-04-27 2637784]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-04-20 3873704]
"Wondershare Helper Compact.exe"="c:\program files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" [2013-07-25 1985824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys;c:\windows\SYSNATIVE\epmntdrv.sys [x]
R3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys;c:\windows\SYSNATIVE\EuGdiDrv.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 USBTINSP;TI-Nspire(TM) Handheld or TI Network Bridge Device Driver;c:\windows\system32\DRIVERS\tinspusb.sys;c:\windows\SYSNATIVE\DRIVERS\tinspusb.sys [x]
S0 aswNdisFlt;Avast! Firewall Driver;c:\windows\system32\DRIVERS\aswNdisFlt.sys;c:\windows\SYSNATIVE\DRIVERS\aswNdisFlt.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 vididr;Acronis Virtual Disk;c:\windows\system32\DRIVERS\vididr.sys;c:\windows\SYSNATIVE\DRIVERS\vididr.sys [x]
S0 vidsflt53;Acronis Disk Storage Filter (53);c:\windows\system32\DRIVERS\vsflt53.sys;c:\windows\SYSNATIVE\DRIVERS\vsflt53.sys [x]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys;c:\windows\SYSNATIVE\drivers\aswKbd.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe;c:\program files\AVAST Software\Avast\afwServ.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys;c:\windows\SYSNATIVE\Drivers\SSPORT.sys [x]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\DRIVERS\AE2500w764.sys;c:\windows\SYSNATIVE\DRIVERS\AE2500w764.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
S3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*NewlyCreated* - MBAMWEBACCESSCONTROL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-04-25 12:08 1078088 ----a-w- c:\program files (x86)\Google\Chrome\Application\34.0.1847.131\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-27 21:29]
.
2014-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-01-27 21:29]
.
2014-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4111083629-4137538892-1715785686-1000Core.job
- c:\users\Renee\AppData\Local\Google\Update\GoogleUpdate.exe [2014-02-03 23:26]
.
2014-05-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4111083629-4137538892-1715785686-1000UA.job
- c:\users\Renee\AppData\Local\Google\Update\GoogleUpdate.exe [2014-02-03 23:26]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2014-04-27 13:25 262344 ----a-w- c:\users\Renee\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2014-04-27 13:25 262344 ----a-w- c:\users\Renee\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2014-04-27 13:25 262344 ----a-w- c:\users\Renee\AppData\Local\Microsoft\SkyDrive\17.0.4035.0328\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-04-20 13:14 290888 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2012-04-27 395384]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 199.182.166.168 199.182.166.169
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.13"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_182.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-05-04 17:58:52
ComboFix-quarantined-files.txt 2014-05-04 22:58
.
Pre-Run: 702,620,790,784 bytes free
Post-Run: 703,819,354,112 bytes free
.
- - End Of File - - 239595E28F0C6D4466CDAC0FF322BB85
A36C5E4F47E84449FF07ED3517B43A31
 
I don't need it.
We're not done here.

redtarget.gif
Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

redtarget.gif
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

redtarget.gif
Download OTL to your Desktop.
Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
# AdwCleaner v3.207 - Report created 05/05/2014 at 13:56:34
# Updated 05/05/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Renee - LIBRARY-PC
# Running from : C:\Users\Renee\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\WinterSoft
Folder Deleted : C:\ProgramData\suRf and keep

***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17041


-\\ Google Chrome v34.0.1847.131

[ File : C:\Users\Administrator King\AppData\Local\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Users\Grumblub\AppData\Local\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [2923 octets] - [30/04/2014 07:52:16]
AdwCleaner[R1].txt - [1312 octets] - [05/05/2014 13:49:10]
AdwCleaner[S0].txt - [2955 octets] - [30/04/2014 07:57:44]
AdwCleaner[S1].txt - [1241 octets] - [05/05/2014 13:56:34]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1301 octets] ##########
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Renee on 05-May-14 at 14:16:04.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Program Files (x86)\beemp3"



~~~ Chrome

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Policies\Google [Blacklisted Policy]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 05-May-14 at 14:25:44.28
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
OTL logfile created on: 05-May-14 2:29:27 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Renee\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17041)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd-MMM-yy

5.75 Gb Total Physical Memory | 4.39 Gb Available Physical Memory | 76.40% Memory free
11.75 Gb Paging File | 10.31 Gb Available in Paging File | 87.76% Paging File free
Paging file location(s): c:\pagefile.sys 6144 12288 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 892.17 Gb Total Space | 654.81 Gb Free Space | 73.40% Space Free | Partition Type: NTFS
Drive D: | 39.08 Gb Total Space | 38.96 Gb Free Space | 99.68% Space Free | Partition Type: NTFS
Drive F: | 100.00 Mb Total Space | 70.27 Mb Free Space | 70.27% Space Free | Partition Type: NTFS
Drive G: | 9.77 Gb Total Space | 9.65 Gb Free Space | 98.86% Space Free | Partition Type: NTFS
Drive H: | 222.93 Gb Total Space | 51.01 Gb Free Space | 22.88% Space Free | Partition Type: NTFS

Computer Name: LIBRARY-PC | User Name: Renee | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2014-05-05 14:28:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Renee\Desktop\OTL.exe
PRC - [2014-04-20 08:14:44 | 003,873,704 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2014-04-20 08:14:44 | 000,050,344 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2014-04-20 08:14:06 | 000,109,048 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\afwServ.exe
PRC - [2014-04-03 09:49:12 | 001,809,720 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
PRC - [2014-04-03 09:49:12 | 000,857,912 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
PRC - [2014-04-03 09:49:06 | 006,963,512 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
PRC - [2013-12-21 01:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2013-07-25 18:47:00 | 001,985,824 | ---- | M] (Wondershare) -- C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
PRC - [2013-02-19 23:32:20 | 001,259,296 | ---- | M] (NVIDIA Corporation) -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
PRC - [2012-11-29 11:32:16 | 002,086,984 | ---- | M] (CHENGDU YIWO Tech Development Co., Ltd) -- C:\Program Files (x86)\EaseUS\EaseUS Partition Master 9.2.1 Home Edition\bin\EpmNews.exe
PRC - [2012-04-27 13:37:00 | 000,395,384 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2012-04-27 13:35:30 | 002,637,784 | ---- | M] (Acronis) -- C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2012-01-13 18:10:38 | 000,199,760 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Program Files (x86)\SmarThru Office\BackUpSvr.exe
PRC - [2010-08-23 10:11:28 | 000,206,240 | ---- | M] (CANON INC.) -- C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe


========== Modules (No Company Name) ==========

MOD - [2014-01-09 07:26:22 | 019,336,120 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\libcef.dll
MOD - [2013-07-24 10:24:52 | 000,137,728 | ---- | M] () -- C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll
MOD - [2009-10-07 16:42:48 | 000,061,440 | ---- | M] () -- C:\Windows\SysWOW64\wintab32.dll


========== Services (SafeList) ==========

SRV:64bit: - [2014-05-03 11:27:34 | 000,111,616 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\IEEtwCollector.exe -- (IEEtwCollectorService)
SRV:64bit: - [2014-04-20 08:14:44 | 000,050,344 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV:64bit: - [2014-04-20 08:14:06 | 000,109,048 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\afwServ.exe -- (avast! Firewall)
SRV:64bit: - [2013-05-27 00:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2014-04-03 09:49:12 | 001,809,720 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2014-04-03 09:49:12 | 000,857,912 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2013-12-21 01:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2013-09-11 21:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2013-03-01 13:11:32 | 000,161,384 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files (x86)\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2013-02-19 23:32:20 | 001,259,296 | ---- | M] (NVIDIA Corporation) [Auto | Running] -- C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe -- (nvUpdatusService)
SRV - [2012-04-27 13:38:24 | 001,191,648 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2009-06-10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2014-05-05 14:03:45 | 000,119,512 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys -- (MBAMSwissArmy)
DRV:64bit: - [2014-04-20 08:14:50 | 001,039,096 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSnx.sys -- (aswSnx)
DRV:64bit: - [2014-04-20 08:14:50 | 000,423,240 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswSP.sys -- (aswSP)
DRV:64bit: - [2014-04-20 08:14:50 | 000,208,416 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswVmm.sys -- (aswVmm)
DRV:64bit: - [2014-04-20 08:14:50 | 000,085,328 | ---- | M] (AVAST Software) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\aswstm.sys -- (aswStm)
DRV:64bit: - [2014-04-20 08:14:50 | 000,079,184 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV:64bit: - [2014-04-20 08:14:50 | 000,065,776 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt)
DRV:64bit: - [2014-04-20 08:14:50 | 000,029,208 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\aswHwid.sys -- (aswHwid)
DRV:64bit: - [2014-04-20 08:14:49 | 000,093,568 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
DRV:64bit: - [2014-04-20 08:14:14 | 000,028,184 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswKbd.sys -- (aswKbd)
DRV:64bit: - [2014-04-20 08:14:06 | 000,447,888 | ---- | M] (AVAST Software) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswNdisFlt.sys -- (aswNdisFlt)
DRV:64bit: - [2014-04-03 09:51:16 | 000,063,192 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\mwac.sys -- (MBAMWebAccessControl)
DRV:64bit: - [2014-04-03 09:50:58 | 000,025,816 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - [2013-02-17 19:40:45 | 000,142,848 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tinspusb.sys -- (USBTINSP)
DRV:64bit: - [2013-02-09 14:15:40 | 000,971,360 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\timntr.sys -- (timounter)
DRV:64bit: - [2013-02-09 14:15:34 | 000,210,016 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vididr.sys -- (vididr)
DRV:64bit: - [2013-02-09 14:15:33 | 000,141,920 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vsflt53.sys -- (vidsflt53)
DRV:64bit: - [2013-02-09 14:15:29 | 000,275,552 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
DRV:64bit: - [2013-02-05 23:06:06 | 000,057,840 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
DRV:64bit: - [2013-01-24 21:44:51 | 001,254,464 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AE2500w764.sys -- (Linksys_adapter_H)
DRV:64bit: - [2012-12-21 14:53:58 | 000,017,480 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\epmntdrv.sys -- (epmntdrv)
DRV:64bit: - [2012-12-21 14:53:58 | 000,009,800 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\EuGdiDrv.sys -- (EuGdiDrv)
DRV:64bit: - [2012-12-13 13:50:36 | 000,054,784 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaapl64.sys -- (USBAAPL64)
DRV:64bit: - [2012-08-21 14:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV:64bit: - [2012-03-01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
DRV:64bit: - [2011-03-14 01:36:08 | 000,011,576 | ---- | M] (Samsung Electronics) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\SSPORT.sys -- (SSPORT)
DRV:64bit: - [2011-03-11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2011-03-11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2010-11-20 22:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV:64bit: - [2010-11-20 22:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2010-11-20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
DRV:64bit: - [2009-07-13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009-07-13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009-07-13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009-06-10 15:35:35 | 000,408,960 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\nvm62x64.sys -- (NVENETFD)
DRV:64bit: - [2009-06-10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009-06-10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009-06-10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009-06-10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2012-12-21 14:54:00 | 000,014,920 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\epmntdrv.sys -- (epmntdrv)
DRV - [2012-12-21 14:53:58 | 000,009,160 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2009-07-13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE:64bit: - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={sea...putEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-4111083629-4137538892-1715785686-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-4111083629-4137538892-1715785686-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-4111083629-4137538892-1715785686-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 40 4F 61 C1 AB FA CD 01 [binary data]
IE - HKU\S-1-5-21-4111083629-4137538892-1715785686-1000\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-4111083629-4137538892-1715785686-1000\..\SearchScopes\{059481F4-6F6E-4FFA-87DC-03B0C0687F70}: "URL" = http://www.google.com/search?q={sea...ng?}&oe={outputEncoding?}&rlz=1I7IRFG_enUS521
IE - HKU\S-1-5-21-4111083629-4137538892-1715785686-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR
IE - HKU\S-1-5-21-4111083629-4137538892-1715785686-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-4111083629-4137538892-1715785686-1005\..\SearchScopes,DefaultScope =


========== FireFox ==========

FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3528.0331: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Renee\AppData\Local\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Renee\AppData\Local\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)



========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:eek:riginalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:eek:mniboxStartMarginParameter}ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
CHR - homepage: http://vz.hotspot/
CHR - plugin: Tom (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.123\npGoogleUpdate3.dll
CHR - plugin: Error reading preferences file
CHR - Extension: Google Docs = C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0\
CHR - Extension: Google Drive = C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0\
CHR - Extension: YouTube = C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
CHR - Extension: Google Cast = C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd\14.402.0.5_0\
CHR - Extension: Adblock Plus = C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb\1.7.4_0\
CHR - Extension: Google Search = C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
CHR - Extension: Google Calendar = C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn\4.5.3_0\
CHR - Extension: avast! Online Security = C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki\9.0.2018.95_0\
CHR - Extension: TabJump - Intelligent Tab Navigator = C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\hokofmgcicpnjchllaccgedmmmbbnbmf\0.7.9.2_0\
CHR - Extension: Google Wallet = C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_0\
CHR - Extension: Gmail = C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2014-05-04 17:55:16 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O3 - HKU\S-1-5-21-4111083629-4137538892-1715785686-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [EaseUS EPM tray] C:\Program Files (x86)\EaseUS\EaseUS Partition Master 9.2.1 Home Edition\bin\EpmNews.exe (CHENGDU YIWO Tech Development Co., Ltd)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files (x86)\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [STO Backup Service] C:\Program Files (x86)\SmarThru Office\BackUpSvr.exe (Samsung Electronics Co., Ltd.)
O4 - HKLM..\Run: [STO Launcher Service] C:\Program Files (x86)\SmarThru Office\x64\LegacyLauncher.exe (Samsung Electronics Co., Ltd.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKLM..\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe (Wondershare)
O4 - HKU\S-1-5-21-4111083629-4137538892-1715785686-1005..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-4111083629-4137538892-1715785686-1005..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4111083629-4137538892-1715785686-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4111083629-4137538892-1715785686-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-4111083629-4137538892-1715785686-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 199.182.166.168 199.182.166.169
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6C7E7903-C920-44F1-97EB-A52955DDB94A}: DhcpNameServer = 199.182.166.168 199.182.166.169
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A3FB63F2-7C93-4B29-81EC-E43BC1EE2743}: DhcpNameServer = 192.168.17.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F064039E-8EFB-46D4-B015-AAC9A7CE95D5}: DhcpNameServer = 62.113.218.34 8.8.8.8
O18:64bit: - Protocol\Handler\livecall - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\msnim - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18:64bit: - Protocol\Handler\wlmailhtml - No CLSID value found
O18:64bit: - Protocol\Handler\wlpg - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2014-05-05 14:28:28 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Renee\Desktop\OTL.exe
[2014-05-05 14:16:00 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014-05-05 14:14:17 | 001,016,261 | ---- | C] (Thisisu) -- C:\Users\Renee\Desktop\JRT.exe
[2014-05-04 17:59:01 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2014-05-04 16:50:13 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2014-05-04 16:50:13 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2014-05-04 16:50:13 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2014-05-04 16:49:59 | 000,000,000 | ---D | C] -- C:\Qoobox
[2014-05-04 16:49:28 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2014-05-04 15:57:09 | 005,197,895 | R--- | C] (Swearware) -- C:\Users\Renee\Desktop\ComboFix.exe
[2014-05-04 14:20:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
[2014-05-04 14:19:51 | 000,000,000 | ---D | C] -- C:\Users\Renee\Desktop\mbar
[2014-05-04 14:19:34 | 012,589,848 | ---- | C] (Malwarebytes Corp.) -- C:\Users\Renee\Desktop\mbar-1.07.0.1009.exe
[2014-05-04 14:02:16 | 000,000,000 | ---D | C] -- C:\Users\Renee\Desktop\RK_Quarantine
[2014-05-03 11:35:29 | 000,000,000 | ---D | C] -- C:\Windows\Migration
[2014-05-03 10:54:45 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2014-05-03 06:22:01 | 000,119,512 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014-05-03 06:21:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
[2014-05-03 06:21:23 | 000,091,352 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014-05-03 06:21:23 | 000,063,192 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mwac.sys
[2014-05-03 06:21:20 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes Anti-Malware
[2014-05-02 18:08:45 | 000,000,000 | ---D | C] -- C:\Tom2014
[2014-04-30 08:13:06 | 000,000,000 | ---D | C] -- C:\Users\Renee\Prezi
[2014-04-30 08:13:06 | 000,000,000 | ---D | C] -- C:\Users\Renee\AppData\Roaming\com.prezi.PreziDesktop
[2014-04-30 07:52:56 | 000,536,576 | ---- | C] (SQLite Development Team) -- C:\Windows\SysWow64\sqlite3.dll
[2014-04-30 07:52:05 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014-04-27 08:32:46 | 000,000,000 | ---D | C] -- C:\Windows\en
[2014-04-20 08:15:00 | 000,028,184 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswKbd.sys
[2014-04-20 08:14:49 | 000,043,152 | ---- | C] (AVAST Software) -- C:\Windows\avastSS.scr
[2014-04-20 08:14:06 | 000,447,888 | ---- | C] (AVAST Software) -- C:\Windows\SysNative\drivers\aswNdisFlt.sys
[2014-04-19 05:55:11 | 000,000,000 | ---D | C] -- C:\Users\Renee\Desktop\Pics of Tristan
[2014-04-15 15:50:59 | 000,000,000 | ---D | C] -- C:\Database
[2013-12-08 07:56:37 | 001,239,536 | ---- | C] (Microsoft Corporation) -- C:\Users\Renee\wlsetup-web.exe
[2 C:\Users\Renee\Desktop\*.tmp files -> C:\Users\Renee\Desktop\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014-05-05 14:28:32 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Renee\Desktop\OTL.exe
[2014-05-05 14:14:18 | 001,016,261 | ---- | M] (Thisisu) -- C:\Users\Renee\Desktop\JRT.exe
[2014-05-05 14:10:30 | 000,022,336 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2014-05-05 14:10:30 | 000,022,336 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2014-05-05 14:07:18 | 000,782,470 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2014-05-05 14:07:18 | 000,662,384 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2014-05-05 14:07:18 | 000,122,252 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2014-05-05 14:07:00 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014-05-05 14:03:45 | 000,119,512 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\MBAMSwissArmy.sys
[2014-05-05 14:02:39 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014-05-05 14:02:10 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014-05-05 14:02:03 | 335,044,607 | -HS- | M] () -- C:\hiberfil.sys
[2014-05-05 13:48:22 | 001,316,991 | ---- | M] () -- C:\Users\Renee\Desktop\adwcleaner.exe
[2014-05-05 13:43:01 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4111083629-4137538892-1715785686-1000UA.job
[2014-05-05 01:43:03 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4111083629-4137538892-1715785686-1000Core.job
[2014-05-04 19:00:01 | 000,137,572 | ---- | M] () -- C:\Users\Renee\Desktop\Nasty Popups.jpg
[2014-05-04 17:55:16 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2014-05-04 15:57:56 | 005,197,895 | R--- | M] (Swearware) -- C:\Users\Renee\Desktop\ComboFix.exe
[2014-05-04 14:19:56 | 000,091,352 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbamchameleon.sys
[2014-05-04 14:19:35 | 012,589,848 | ---- | M] (Malwarebytes Corp.) -- C:\Users\Renee\Desktop\mbar-1.07.0.1009.exe
[2014-05-04 14:02:06 | 003,972,608 | ---- | M] () -- C:\Users\Renee\Desktop\RogueKiller.exe
[2014-05-03 17:39:22 | 000,002,877 | ---- | M] () -- C:\Users\Renee\Desktop\attach.zip
[2014-05-03 15:46:43 | 000,013,931 | ---- | M] () -- C:\Users\Renee\Desktop\mbam.exe - Shortcut.lnk
[2014-05-03 13:59:05 | 000,464,656 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2014-05-03 11:38:20 | 000,774,592 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2014-05-03 11:27:34 | 000,016,284 | ---- | M] () -- C:\Windows\SysWow64\ieuinit.inf
[2014-05-03 11:27:34 | 000,016,284 | ---- | M] () -- C:\Windows\SysNative\ieuinit.inf
[2014-05-02 08:19:39 | 000,003,101 | ---- | M] () -- C:\Users\Renee\Desktop\TM 7.0.lnk
[2014-04-28 17:25:26 | 000,007,610 | ---- | M] () -- C:\Users\Renee\AppData\Local\Resmon.ResmonCfg
[2014-04-24 10:14:55 | 000,118,149 | ---- | M] () -- C:\Users\Renee\wmpChrome.crx
[2014-04-20 08:15:36 | 000,002,024 | ---- | M] () -- C:\Users\Public\Desktop\avast! Internet Security.lnk
[2014-04-20 08:14:50 | 001,039,096 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSnx.sys
[2014-04-20 08:14:50 | 000,423,240 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswSP.sys
[2014-04-20 08:14:50 | 000,334,648 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\aswBoot.exe
[2014-04-20 08:14:50 | 000,208,416 | ---- | M] () -- C:\Windows\SysNative\drivers\aswVmm.sys
[2014-04-20 08:14:50 | 000,085,328 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswstm.sys
[2014-04-20 08:14:50 | 000,079,184 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswMonFlt.sys
[2014-04-20 08:14:50 | 000,065,776 | ---- | M] () -- C:\Windows\SysNative\drivers\aswRvrt.sys
[2014-04-20 08:14:50 | 000,029,208 | ---- | M] () -- C:\Windows\SysNative\drivers\aswHwid.sys
[2014-04-20 08:14:49 | 000,093,568 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswRdr2.sys
[2014-04-20 08:14:49 | 000,043,152 | ---- | M] (AVAST Software) -- C:\Windows\avastSS.scr
[2014-04-20 08:14:14 | 000,028,184 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswKbd.sys
[2014-04-20 08:14:06 | 000,447,888 | ---- | M] (AVAST Software) -- C:\Windows\SysNative\drivers\aswNdisFlt.sys
[2014-04-20 08:04:17 | 643,759,224 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2 C:\Users\Renee\Desktop\*.tmp files -> C:\Users\Renee\Desktop\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2014-05-05 13:48:21 | 001,316,991 | ---- | C] () -- C:\Users\Renee\Desktop\adwcleaner.exe
[2014-05-04 18:49:13 | 000,137,572 | ---- | C] () -- C:\Users\Renee\Desktop\Nasty Popups.jpg
[2014-05-04 16:50:13 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2014-05-04 16:50:13 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2014-05-04 16:50:13 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2014-05-04 16:50:13 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2014-05-04 16:50:13 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2014-05-04 14:01:58 | 003,972,608 | ---- | C] () -- C:\Users\Renee\Desktop\RogueKiller.exe
[2014-05-03 17:39:22 | 000,002,877 | ---- | C] () -- C:\Users\Renee\Desktop\attach.zip
[2014-05-03 15:46:43 | 000,013,931 | ---- | C] () -- C:\Users\Renee\Desktop\mbam.exe - Shortcut.lnk
[2014-05-03 11:27:34 | 000,016,284 | ---- | C] () -- C:\Windows\SysWow64\ieuinit.inf
[2014-05-03 11:27:34 | 000,016,284 | ---- | C] () -- C:\Windows\SysNative\ieuinit.inf
[2014-04-27 08:31:44 | 000,001,359 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Movie Maker.lnk
[2014-04-27 08:30:19 | 000,002,540 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live Messenger.lnk
[2014-04-24 10:14:55 | 000,118,149 | ---- | C] () -- C:\Users\Renee\wmpChrome.crx
[2014-04-20 08:15:36 | 000,002,024 | ---- | C] () -- C:\Users\Public\Desktop\avast! Internet Security.lnk
[2014-04-20 08:15:04 | 000,029,208 | ---- | C] () -- C:\Windows\SysNative\drivers\aswHwid.sys
[2014-04-15 15:51:05 | 000,003,101 | ---- | C] () -- C:\Users\Renee\Desktop\TM 7.0.lnk
[2014-01-07 14:57:37 | 000,000,120 | ---- | C] () -- C:\Users\Renee\AppData\Roaming\.ptbt0
[2013-12-12 07:52:07 | 000,201,483 | ---- | C] () -- C:\Users\Renee\YL Spoons.jpg
[2013-11-22 14:50:25 | 000,003,550 | ---- | C] () -- C:\Users\Renee\AppData\Local\recently-used.xbel
[2013-10-21 10:20:16 | 000,000,018 | ---- | C] () -- C:\Windows\ka.ini
[2013-06-05 16:30:28 | 000,166,338 | ---- | C] () -- C:\Users\Renee\Evan's 2013 Birthday wish list.jpg
[2013-05-01 22:29:50 | 000,000,159 | ---- | C] () -- C:\Users\Renee\AppData\Roaming\gmic_sources.cimgz
[2013-03-24 22:02:25 | 000,000,207 | ---- | C] () -- C:\Users\Renee\AppData\Roaming\PropCalc Preferences
[2013-03-02 21:01:54 | 000,061,440 | ---- | C] () -- C:\Windows\SysWow64\wintab32.dll
[2013-02-08 16:55:03 | 000,950,585 | ---- | C] () -- C:\Windows\SysWow64\libiconv-2.dll
[2013-02-08 16:51:58 | 000,150,904 | ---- | C] () -- C:\Windows\Wiainst64.exe
[2013-02-08 16:51:28 | 001,571,160 | ---- | C] () -- C:\Windows\TotalUninstaller.exe
[2013-01-27 15:17:40 | 000,007,610 | ---- | C] () -- C:\Users\Renee\AppData\Local\Resmon.ResmonCfg
[2013-01-24 22:54:58 | 002,468,520 | ---- | C] () -- C:\Windows\SysWow64\BootMan.exe
[2013-01-24 22:54:58 | 000,087,112 | ---- | C] () -- C:\Windows\SysWow64\setupempdrv03.exe
[2013-01-24 22:54:58 | 000,019,840 | ---- | C] () -- C:\Windows\SysWow64\EuEpmGdi.dll
[2013-01-24 22:54:58 | 000,014,920 | ---- | C] () -- C:\Windows\SysWow64\epmntdrv.sys
[2013-01-24 22:54:58 | 000,009,160 | ---- | C] () -- C:\Windows\SysWow64\EuGdiDrv.sys
[2013-01-24 21:49:49 | 000,774,592 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

========== ZeroAccess Check ==========

[2009-07-13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

[HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
"" = C:\Windows\SysNative\shell32.dll -- [2013-07-25 21:24:57 | 014,172,672 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2013-07-25 20:55:59 | 012,872,704 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\fastprox.dll -- [2009-07-13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010-11-20 22:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
"" = C:\Windows\SysNative\wbem\wbemess.dll -- [2009-07-13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

========== LOP Check ==========

[2014-02-09 10:18:01 | 000,000,000 | ---D | M] -- C:\Users\Administrator King\AppData\Roaming\AVAST Software
[2013-02-03 07:57:44 | 000,000,000 | ---D | M] -- C:\Users\Administrator King\AppData\Roaming\IrfanView
[2013-03-17 08:08:26 | 000,000,000 | ---D | M] -- C:\Users\Administrator King\AppData\Roaming\Samsung
[2013-02-09 15:31:37 | 000,000,000 | ---D | M] -- C:\Users\Grumblub\AppData\Roaming\Samsung
[2013-02-09 14:17:04 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\Acronis
[2014-01-09 07:28:05 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\AVAST Software
[2013-02-05 22:16:10 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\Canon
[2014-04-30 08:13:25 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\com.prezi.PreziDesktop
[2013-11-12 08:24:32 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\inkscape
[2013-01-30 09:35:28 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\IrfanView
[2013-04-29 00:32:19 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\NeatImage SL 64
[2013-11-11 07:22:19 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\Oracle
[2013-11-06 16:00:28 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\PictureCutoutGuide
[2013-03-02 21:04:06 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\progeSOFT
[2014-01-07 12:34:46 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\PTGui
[2013-02-08 16:56:52 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\Samsung
[2013-11-13 08:06:40 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\Scribus
[2013-02-17 19:43:21 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\Texas Instruments
[2013-02-17 19:48:10 | 000,000,000 | ---D | M] -- C:\Users\Renee\AppData\Roaming\TI-Nspire

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:69E87FA2
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:838D4792
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:3F30E778
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DEDD192D

< End of report >
 
OTL Extras logfile created on: 05-May-14 2:29:27 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Renee\Desktop
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.17041)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd-MMM-yy

5.75 Gb Total Physical Memory | 4.39 Gb Available Physical Memory | 76.40% Memory free
11.75 Gb Paging File | 10.31 Gb Available in Paging File | 87.76% Paging File free
Paging file location(s): c:\pagefile.sys 6144 12288 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 892.17 Gb Total Space | 654.81 Gb Free Space | 73.40% Space Free | Partition Type: NTFS
Drive D: | 39.08 Gb Total Space | 38.96 Gb Free Space | 99.68% Space Free | Partition Type: NTFS
Drive F: | 100.00 Mb Total Space | 70.27 Mb Free Space | 70.27% Space Free | Partition Type: NTFS
Drive G: | 9.77 Gb Total Space | 9.65 Gb Free Space | 98.86% Space Free | Partition Type: NTFS
Drive H: | 222.93 Gb Total Space | 51.01 Gb Free Space | 22.88% Space Free | Partition Type: NTFS

Computer Name: LIBRARY-PC | User Name: Renee | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan | Include 64bit Scans
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html[@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-4111083629-4137538892-1715785686-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with &IrfanView] -- "C:\Program Files (x86)\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with &IrfanView] -- "C:\Program Files (x86)\IrfanView\i_view32.exe" "%1 /thumbs" (Irfan Skiljan)
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Value error.

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{01919E47-22EF-4ADA-8A91-57F1CE728DEE}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{123A3E17-9241-44F2-9B1D-482E9CB32B22}" = lport=6004 | protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\outlook.exe |
"{1846069C-880E-4AC4-8C4A-D5DA9D96BE51}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{21032576-29BB-4AEC-817C-01950E53DC74}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{285632A5-8917-4DDC-A6B7-85A8A82E8DAD}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{289480B6-6E60-4C23-84CD-97CCDF9A4EB2}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{2F9413C3-AA46-482C-BB62-908770E1B4F4}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{34145056-8085-4DF4-B11D-5E06698AEDE4}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{40EC7598-DF90-491E-B8F8-B6ACF4777F70}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{411A2FBA-5976-432E-B89E-0CF94AB8F9B2}" = lport=2869 | protocol=6 | dir=in | app=system |
"{420FEDF4-0F89-4467-9D2C-9034562400C6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{4C4751B2-DB80-42B2-B5D5-5D98BBEC332E}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{53F118FC-271E-468F-9700-BC77EA9E99F0}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{5CBD5309-B01C-4FD5-BB92-B4945FEAFC97}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{5F5F118D-AA09-4482-8C5B-EADF20BA1223}" = rport=138 | protocol=17 | dir=out | app=system |
"{723F7152-7A95-4A5C-A297-7245D9B23AC6}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{76749C76-0E47-4AA4-B5E9-91EC09077BA0}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe |
"{78D2984F-2C02-452C-9EA0-1EF9B4B77960}" = lport=10243 | protocol=6 | dir=in | app=system |
"{8C070038-00F4-4BE4-832B-4A47074D2846}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{95F6CF10-0254-42E2-8C00-676547413A60}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe |
"{9977F2CF-E3E4-411E-97CB-F10471AB5EB6}" = rport=445 | protocol=6 | dir=out | app=system |
"{99D4064F-0C36-4205-9547-FB080FF2B5D7}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{9C27E255-A8C8-4ECD-8212-9E4111981EC3}" = rport=10243 | protocol=6 | dir=out | app=system |
"{9EB48203-C1E4-4E06-AEC6-28F338E94A02}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{A16E3605-CFD2-4B0F-A0D9-4019B0B37414}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe |
"{B4E286FF-E683-46C8-9FFA-C385B03A289F}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{BA3032D2-6BF7-4DA7-9C66-8978C4F83C87}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{CF056099-5906-4F60-9EB0-185331F2DF7A}" = lport=138 | protocol=17 | dir=in | app=system |
"{D005CE2C-4986-469E-A771-F99ADFC81C00}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{D252A494-D983-48BC-88FC-9A334D0AF6B8}" = rport=137 | protocol=17 | dir=out | app=system |
"{D2B6CE14-267F-4F7A-8F72-0F66C89ED49F}" = lport=139 | protocol=6 | dir=in | app=system |
"{E034245A-F89C-4355-A007-D3783EE1207E}" = lport=445 | protocol=6 | dir=in | app=system |
"{E2BF4CBE-E34B-4DA0-8868-D26CB04BE1E1}" = rport=139 | protocol=6 | dir=out | app=system |
"{EB68AB93-E2B7-4FFA-AB06-20F268A59D6E}" = lport=137 | protocol=17 | dir=in | app=system |
"{F95682FC-3FD6-4E4B-BC86-5571BDE96F4E}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{FEE7A56B-1A49-444A-9068-BDD600BCEC20}" = lport=10245 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02048576-352E-440E-932F-AAE9026E2F4A}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{035440AF-126C-40F1-9513-20F33F8F315C}" = protocol=17 | dir=in | app=c:\program files (x86)\ti education\ti-nspire cas student software\jre\bin\java.exe |
"{0AD25D34-4F22-44F8-AD59-557782B131DC}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
"{0BB6693B-04E4-4697-8F2F-6A3E32477CE1}" = protocol=17 | dir=in | app=c:\program files (x86)\scan assistant\usdagent.exe |
"{0ED05C06-94B4-4CC7-BC3B-BF867444BB29}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{1711D5A5-9B70-438A-B274-440897428CC4}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{17E4252F-CBB4-4277-A9CE-48177AD44F1C}" = dir=in | app=c:\users\renee\appdata\local\temp\ins2b0\setup.exe |
"{17E5DE11-8DC5-47FD-B38F-54F466BFAED7}" = protocol=6 | dir=in | app=c:\program files (x86)\ti education\ti-nspire cas student software\ti-nspire cas student software.exe |
"{1835CD36-E8E2-4503-8809-1958D3E35A6C}" = protocol=17 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer9\racer.exe |
"{1CF713CC-CE0B-49C0-9889-254C4217D09B}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\ids.application.exe |
"{20E5C643-D2BD-4CCE-9C2F-CE67A6D37F6C}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{23231559-0021-43C7-B265-443BBDF78BC6}" = protocol=6 | dir=in | app=c:\recovered seagate\users\renee\downloads\racer\racer.exe |
"{26900806-24F3-48DC-80C4-9D8488D4F878}" = dir=in | app=c:\program files (x86)\itunes\itunes.exe |
"{2D5D9376-FC76-4D95-8CEB-66A530C3045D}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{30853D27-2077-43D7-9B45-2521C64518A3}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{3348F9C2-C662-49F5-8A3B-FD62ACEEC435}" = protocol=6 | dir=in | app=c:\program files\common files\common desktop agent\cdasrv.exe |
"{3525CC3F-CC39-4877-ABF9-5CB8ED7AABBB}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{35EAEB42-EA46-4402-B6E2-224F3817ED52}" = protocol=17 | dir=in | app=c:\recovered seagate\users\renee\downloads\racer0655\racer0655\racer.exe |
"{36478586-D7BE-434A-9CFB-CED749DC820B}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office14\onenote.exe |
"{380CBD40-1B50-485C-9F7C-DA10F1AE5C8F}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |
"{39EAD497-6B3E-423C-A980-692E87642234}" = dir=in | app=c:\users\renee\appdata\local\microsoft\skydrive\skydrive.exe |
"{402E3700-C91F-471B-B37B-2D048A5E9115}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{4756A085-F39E-4917-8BC3-B31A8E30B908}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{4ED5C05B-7DAE-4A68-B31E-4C75AD94B179}" = protocol=6 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer9\racer_nocg.exe |
"{510963ED-D32F-4AED-BFF9-083E51705030}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\ordersupplies.exe |
"{51C2B264-3F8E-4333-BDC7-E94A1A74E834}" = protocol=6 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer9\racer.exe |
"{612253E3-BF6A-47AC-ACB8-E3B7EF308F47}" = protocol=6 | dir=in | app=c:\recovered seagate\users\renee\downloads\racer0655\racer0655\racer.exe |
"{62ABA21F-8E8B-4CC0-9FB4-BD658FEAF0A9}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{6411F9FD-DE3C-4D64-B2F6-726F6585260E}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{6F3D7467-95DE-4FD8-A7C9-2FAAA525A257}" = protocol=17 | dir=in | app=p:\stuff\games\racer\racer0655\racer0655\racer.exe |
"{70915DA4-4098-4B25-ABA4-D14204B0E38D}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft games\microsoft flight simulator x\fsx.exe |
"{7DC14382-813F-4A5C-AFD2-F48FF439663D}" = protocol=6 | dir=in | app=g:\stuff\games\racer\racer0655\racer0655\racer.exe |
"{81B4B50A-B52E-408D-85C1-F6238F9D670D}" = dir=in | app=c:\program files (x86)\common files\apple\apple application support\webkit2webprocess.exe |
"{82EA415E-333E-4155-B13A-9605325E0470}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{85218C44-C535-4118-9D8D-689EBD02063C}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{873AC607-CF22-4328-B52F-1F9E4DE56125}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{8982E4A7-12F5-413E-82AF-FB47C116D5C8}" = protocol=6 | dir=in | app=c:\program files (x86)\ti education\ti-nspire cas student software\jre\bin\java.exe |
"{9164AD44-3A81-4850-BEC6-3372ED99CA0F}" = protocol=6 | dir=out | app=system |
"{9374936D-44E1-4D73-A782-5154795BC6FF}" = protocol=17 | dir=in | app=g:\stuff\games\racer\racer0655\racer0655\racer.exe |
"{953EE038-4E78-48B7-B891-559C6FCE5130}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{95A73A7B-7EFF-46F2-B8B5-45CF38BCB672}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{9872D0F5-7A8D-46F7-8198-F0218694A052}" = protocol=17 | dir=in | app=c:\windows\twain_32\samsung\scx3400\scnsearch\usdagent.exe |
"{988970B9-D350-4C7E-A3BF-E509BE7669C4}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\cdas2pc\cdas2pc.exe |
"{9EFD4891-A593-4471-B328-D4DD684C2020}" = dir=in | app=c:\users\renee\appdata\local\temp\ins9cae\setup\bin\maininst.exe |
"{9F2BCA13-5267-46C5-98A3-5C665820CC14}" = protocol=6 | dir=in | app=c:\program files (x86)\scan assistant\usdagent.exe |
"{A0B30EAE-8DD7-4D49-95C8-7DEBA2715EAF}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A22F7727-C87E-442D-99BC-9AA2F7ABC014}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{A5D3350F-7A9F-40D6-A87A-1C0DBB4A04FA}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{AAAE6EFE-F603-4B4A-A359-D18378B9794C}" = protocol=6 | dir=in | app=p:\stuff\games\racer\racer0655\racer0655\racer.exe |
"{ABB14E21-A3E0-4E1F-9601-0EAB40E14D0E}" = protocol=17 | dir=in | app=c:\program files\common files\common desktop agent\cdasrv.exe |
"{ADB259CE-98C3-423A-BD12-6C473FAAC178}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\idsalert.exe |
"{B03B6E35-EA01-409F-8B52-AB081136D786}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{BA0E5E17-EED0-4FFF-B003-D9EB8861BD6C}" = protocol=17 | dir=in | app=c:\recovered seagate\users\renee\downloads\racer\racer.exe |
"{BEFF57AB-CB87-46CC-B22C-AC9C4F466F01}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\idsalert.exe |
"{C6FD8750-6942-4093-86C5-D9DE31D9888F}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |
"{C828CE1C-0EFC-4D88-A4F1-6207B3C98075}" = protocol=17 | dir=in | app=c:\program files (x86)\ti education\ti-nspire cas student software\ti-nspire cas student software.exe |
"{D4F940B0-9FA8-4AAD-8ABD-3B48A2C08624}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\cdas2pc\cdas2pc.exe |
"{D53B4EE1-9583-43CD-87EB-C98DD069309E}" = protocol=17 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer9\racer_nocg.exe |
"{E0B90AAE-EFD7-473F-9A0B-1958C22418C1}" = dir=in | app=c:\program files (x86)\windows live\contacts\wlcomm.exe |
"{E2B8BB8C-41E5-4C26-9C82-E159CC10157E}" = dir=in | app=c:\users\renee\appdata\local\temp\ins4216\setup\bin\maininst.exe |
"{E82B4002-740A-4D44-B116-A9E03B5522B6}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |
"{EC5618AD-5955-4B4B-82D9-15122849ABE8}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft games\microsoft flight simulator x\fsx.exe |
"{F1B84A7A-EE76-44DB-A33F-BCA2AC3A4323}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |
"{F4F70653-077C-49E3-A152-50BCF61A9803}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F9196993-00B5-43E5-A988-A800CED5544F}" = protocol=6 | dir=in | app=c:\windows\twain_32\samsung\scx3400\scnsearch\usdagent.exe |
"{FE5471B8-72AD-49B5-80B7-30A961CC56BA}" = protocol=6 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\ids.application.exe |
"{FFE2F3E0-C02E-4A6B-BC22-AF33F2FA24D0}" = protocol=17 | dir=in | app=c:\program files (x86)\samsung\easy printer manager\ordersupplies.exe |
"TCP Query User{0B21EAE2-587F-4192-9F9A-2F535C9A3D58}C:\program files (x86)\ti education\ti-nspire cas student software\ti-nspire cas student software.exe" = protocol=6 | dir=in | app=c:\program files (x86)\ti education\ti-nspire cas student software\ti-nspire cas student software.exe |
"TCP Query User{35851CA1-ED87-4BC0-B2F8-BBF1F0B7160D}C:\users\renee\desktop\tristan\games\racer\racer9\racer_nocg.exe" = protocol=6 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer9\racer_nocg.exe |
"TCP Query User{39332B90-E33A-4750-BBE5-CF8D58860DC0}C:\users\renee\desktop\tristan\games\racer\racer9\racer.exe" = protocol=6 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer9\racer.exe |
"TCP Query User{5F287A18-51AE-4692-9AF4-4E5837182F18}C:\recovered seagate\users\renee\downloads\racer0655\racer0655\racer.exe" = protocol=6 | dir=in | app=c:\recovered seagate\users\renee\downloads\racer0655\racer0655\racer.exe |
"TCP Query User{6907A965-CA09-4A1E-A907-4408488C2166}C:\users\renee\desktop\tristan\games\racer\racer0834\racer.exe" = protocol=6 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer0834\racer.exe |
"TCP Query User{6E6304BF-8C68-44A7-A257-5148A4FEDE12}P:\stuff\games\racer\racer0655\racer0655\racer.exe" = protocol=6 | dir=in | app=p:\stuff\games\racer\racer0655\racer0655\racer.exe |
"TCP Query User{76DFB4ED-4239-4D94-AE79-1DE6F9DC685A}C:\program files (x86)\microsoft games\microsoft flight simulator x\fsx.exe" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft games\microsoft flight simulator x\fsx.exe |
"TCP Query User{8137340C-0D66-4C65-A35C-19CDCB2946E8}G:\stuff\games\racer\racer0655\racer0655\racer.exe" = protocol=6 | dir=in | app=g:\stuff\games\racer\racer0655\racer0655\racer.exe |
"TCP Query User{8CE409A3-D66D-44FB-AA58-5401EC8CA8E1}C:\recovered seagate\users\renee\downloads\racer\racer.exe" = protocol=6 | dir=in | app=c:\recovered seagate\users\renee\downloads\racer\racer.exe |
"TCP Query User{9CB893BF-5AF9-420E-86A7-37FCC8A2BEE2}C:\users\renee\desktop\tristan\games\racer\racer0655\racer0655\racer.exe" = protocol=6 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer0655\racer0655\racer.exe |
"TCP Query User{BA665033-4A50-4B54-99A8-CA180FF2490A}C:\users\renee\desktop\tristan\games\racer\racer9\udpterm.exe" = protocol=6 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer9\udpterm.exe |
"TCP Query User{BCF972D3-59A1-43E4-B69A-E42BDDD69357}C:\users\renee\desktop\tristan\games\racer\racer0834\racer_nocg.exe" = protocol=6 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer0834\racer_nocg.exe |
"UDP Query User{0A368BE9-FACB-4D19-A161-328FC6BB602E}C:\users\renee\desktop\tristan\games\racer\racer9\racer.exe" = protocol=17 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer9\racer.exe |
"UDP Query User{2AE6786F-9E53-4B3C-92EB-30505F72D686}C:\program files (x86)\ti education\ti-nspire cas student software\ti-nspire cas student software.exe" = protocol=17 | dir=in | app=c:\program files (x86)\ti education\ti-nspire cas student software\ti-nspire cas student software.exe |
"UDP Query User{4FAB7A83-986E-46E5-A20B-7C7E2CDB94C9}C:\users\renee\desktop\tristan\games\racer\racer9\udpterm.exe" = protocol=17 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer9\udpterm.exe |
"UDP Query User{633665C1-C72A-497B-A233-82254CF570F4}C:\users\renee\desktop\tristan\games\racer\racer9\racer_nocg.exe" = protocol=17 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer9\racer_nocg.exe |
"UDP Query User{6595C885-A20F-4BB8-A509-FBA4C91DF8D7}G:\stuff\games\racer\racer0655\racer0655\racer.exe" = protocol=17 | dir=in | app=g:\stuff\games\racer\racer0655\racer0655\racer.exe |
"UDP Query User{BBFBBFBA-B9AB-478C-975E-525E8BF5D02F}C:\recovered seagate\users\renee\downloads\racer0655\racer0655\racer.exe" = protocol=17 | dir=in | app=c:\recovered seagate\users\renee\downloads\racer0655\racer0655\racer.exe |
"UDP Query User{BE461779-2ED3-4AE4-B26D-E9BE105F3488}C:\users\renee\desktop\tristan\games\racer\racer0655\racer0655\racer.exe" = protocol=17 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer0655\racer0655\racer.exe |
"UDP Query User{C61F6B26-D4AA-4A2B-82F1-1F8D4B164ADC}C:\users\renee\desktop\tristan\games\racer\racer0834\racer_nocg.exe" = protocol=17 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer0834\racer_nocg.exe |
"UDP Query User{DF6F4ED9-5A75-41DC-8509-5EED0378CA61}C:\program files (x86)\microsoft games\microsoft flight simulator x\fsx.exe" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft games\microsoft flight simulator x\fsx.exe |
"UDP Query User{E6536EE0-3AFE-4474-80FC-3ED3AE360CAE}P:\stuff\games\racer\racer0655\racer0655\racer.exe" = protocol=17 | dir=in | app=p:\stuff\games\racer\racer0655\racer0655\racer.exe |
"UDP Query User{EF0D3BDC-B4C7-4CA5-887D-1815A59812AD}C:\recovered seagate\users\renee\downloads\racer\racer.exe" = protocol=17 | dir=in | app=c:\recovered seagate\users\renee\downloads\racer\racer.exe |
"UDP Query User{EFE9C51A-FB09-4282-A753-327E1A43A7B8}C:\users\renee\desktop\tristan\games\racer\racer0834\racer.exe" = protocol=17 | dir=in | app=c:\users\renee\desktop\tristan\games\racer\racer0834\racer.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{031A0E14-0413-4C97-9772-2639B782F46F}" = Common Desktop Agent
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP640_series" = Canon MP640 series MP Drivers
"{25058321-C33E-496B-8915-6FD64D362CAF}" = Windows Live MIME IFilter
"{2F72F540-1F60-4266-9506-952B21D6640D}" = Apple Mobile Device Support
"{3C28BFD4-90C7-3138-87EF-418DC16E9598}" = Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.51106
"{427174C0-096E-40D9-9684-9C109BEE2CBF}" = iTunes
"{5AF4E09F-5C9B-3AAF-B731-544D3DC821DD}" = Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.51106
"{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}" = Bonjour
"{704C0303-D20C-45AF-BD2B-556EAF31BE09}" = iCloud
"{7DEBE4EB-6B40-3766-BB35-5CBBC385DA37}" = Microsoft .NET Framework 4.5.1
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{90140000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2010
"{90140000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2010
"{90140000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5.1
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 307.83
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 1.10.8
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{CB3CA48C-95CB-412B-B7AE-6F2EA8F89907}" = Windows Live Family Safety
"{CE52672C-A0E9-4450-8875-88A221D5CD50}" = Windows Live ID Sign-in Assistant
"{E9FA781F-3E80-4399-825A-AD3E11C28C77}" = MSVCRT110_amd64
"Neat Image Standalone_is1" = Neat Image v7.3.0 Demo Standalone
"Scribus 1.4.3" = Scribus 1.4.3 (64bit)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00F9DB8C-65D7-4D47-AB5F-F698EE38580D}" = Windows Live UX Platform
"{04BE4035-3C8E-4B48-BFB8-1655849C0C8B}" = Windows Live Writer
"{07AAB66E-4718-422D-9218-4AFB3C922A71}" = Photo Gallery
"{0BE9E708-5DC0-4963-9CFD-0AA519090E79}" = Junk Mail filter update
"{0F974770-76EB-4C38-986E-E7BDD9C0DFC4}" = Windows Live Writer Resources
"{196BB40D-1578-3D01-B289-BEFC77A11A1E}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
"{1A962AC2-BBFA-4D83-9273-2746AFB908DD}" = Team Manager 7.0 for Swimming
"{1CF6F3A4-ECEF-42F5-8166-655D699BC1F0}" = TI-Nspire™ CAS Student Software
"{1D6432B4-E24D-405E-A4AB-D7E6D088CBC9}" = Windows Live Photo Common
"{33571E15-3EB4-4190-BA74-C6CA97288461}" = Microsoft Flight Simulator X SDK
"{38F03569-A636-4CF3-BDDE-032C8C251304}" = Movie Maker
"{41C61308-6CFD-4D54-AB6A-7136ED08A18E}" = Windows Live Communications Platform
"{4E76FF7E-AEBA-4C87-B788-CD47E5425B9D}" = Skype™ 6.3
"{5D09C772-ECB3-442B-9CC6-B4341C78FDC2}" = Apple Application Support
"{6152DEA9-EA0C-4013-9DBF-4A8881A7F722}" = Windows Live Family Safety
"{6522F5F9-411B-4513-A75B-CEA00395F032}" = Windows Live UX Platform Language Pack
"{659CB81C-B54E-4DF1-B618-F35777393A54}" = Windows Live Installer
"{66B5819D-DE70-42BE-B40F-978FBA12452E}" = Windows Live Essentials
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{714E162E-CD4F-4F1B-8302-7F5179409C25}" = Windows Live Writer
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{82C03CC5-4335-40D5-8380-FC98D181718C}" = Canadair Argonaut and North Star for FSX
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{8E14DDC8-EA60-4E18-B3E3-1937104D5BDA}" = MSVCRT110
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-003D-0000-0000-0000000FF1CE}" = Microsoft Office Single Image 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{95140000-007A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{95140000-007D-0409-0000-0000000FF1CE}" = Microsoft Outlook Social Connector Provider for Windows Live Messenger 32-bit
"{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{9B683A28-2172-4CF1-B85D-41375E80652A}" = Acronis True Image WD Edition
"{9BC1E722-AE07-46A3-B7A6-556DBE18E22A}" = SmarThru Office
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A2DC527D-FA79-46E9-973F-920897CA55E9}" = Windows Live Writer
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.06)
"{B2611F8A-EFE7-4E88-875D-19F0EFAE87E4}" = Windows Live PIMT Platform
"{B67BAFBA-4C9F-48FA-9496-933E3B255044}" = QuickTime
"{B775C26B-EAA8-4A11-ACBF-76E52DF6B805}" = Windows Live Mail
"{BAD27F0E-5165-49A5-BE66-AF5BF73F2FEE}" = Windows Live Mail
"{BAD984EE-790E-4513-A428-3BE2D426DCA7}" = Windows Live Messenger
"{BD44409B-A691-4B97-B33D-F07E1DE791F3}" = Prezi
"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
"{C992FFE0-AC32-4FA9-BC9A-F1637B9E655D}" = Photo Gallery
"{CAA0F57A-BA8C-4AD8-AA03-F32B0E4F5623}" = Photo Common
"{cb41fc68-4442-4f7f-b22f-8f31c74897ac}" = Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106
"{CDC1AB00-01FF-4FC7-816A-16C67F0923C0}" = Windows Live SOXE
"{D0B44725-3666-492D-BEF6-587A14BD9BD9}" = MSVCRT_amd64
"{D1893000-EA77-493C-8DDD-E262436E959B}" = Windows Live SOXE Definitions
"{DD67BE4B-7E62-4215-AFA3-F123A800A389}" = Movie Maker
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E703613B-BDAB-433E-A66A-DE0263E3D35D}" = Windows Live Messenger
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F55AF1BB-B493-4D78-80DA-828958B9098C}" = Microsoft Camera Codec Pack
"ADE9xSetup_is1" = Airport Design Editor 9x Version 1.50.18.197
"Adobe Flash Player ActiveX" = Adobe Flash Player 13 ActiveX
"Avast" = avast! Internet Security
"Canon_IJ_Network_Scan_UTILITY" = Canon IJ Network Scan Utility
"Canon_IJ_Network_UTILITY" = Canon IJ Network Tool
"Classic Stars Screensaver_is1" = Classic Stars Screensaver 1.0
"EaseUS Partition Master Home Edition_is1" = EaseUS Partition Master 9.2.1 Home Edition
"Google Chrome" = Google Chrome
"Hugin" = Hugin 2013.0.0
"iDRS(tm) OCR Software by I.R.I.S" = iDRS(tm) OCR Software by I.R.I.S
"Inkscape" = Inkscape 0.48.4
"InstallShield_{33571E15-3EB4-4190-BA74-C6CA97288461}" = Microsoft Flight Simulator X SDK
"InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"IrfanView" = IrfanView (remove only)
"Malwarebytes Anti-Malware_is1" = Malwarebytes Anti-Malware version 2.0.1.1004
"MiniTool Power Data Recovery_is1" = MiniTool Power Data Recovery
"MP Navigator EX 3.0" = Canon MP Navigator EX 3.0
"Office14.SingleImage" = Microsoft Office Home and Student 2010
"progeCAD 2009 Smart! ENG" = progeCAD 2009 Smart! ENG
"PTGui" = PTGui Pro Trial 9.1.9
"RealFlight6Pro" = RealFlight 6.5 R/C Simulator
"Samsung Easy Printer Manager" = Samsung Easy Printer Manager
"Samsung Printer Live Update" = Samsung Printer Live Update
"Samsung Scan Assistant" = Samsung Scan Assistant
"Samsung SCX-3400 Series" = Samsung SCX-3400 Series
"WinLiveSuite" = Windows Live Essentials

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-4111083629-4137538892-1715785686-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{079ede36-133d-44b0-8053-c7c1fa8d2e0d}_is1" = ChromecastApp
"OneDriveSetup.exe" = Microsoft OneDrive

< End of report >
 
redtarget.gif

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
Code: 
:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No CLSID value found.
O3 - HKU\S-1-5-21-4111083629-4137538892-1715785686-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKU\S-1-5-21-4111083629-4137538892-1715785686-1005..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe File not found
@Alternate Data Stream - 143 bytes -> C:\ProgramData\TEMP:69E87FA2
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:838D4792
@Alternate Data Stream - 128 bytes -> C:\ProgramData\TEMP:3F30E778
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:DEDD192D

:Services

:Reg

:Files
C:\FRST

:Commands
[purity]
[emptytemp]
[emptyjava]
[emptyflash]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

Last scans...

redtarget.gif
Download Security Check from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me.


redtarget.gif
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

redtarget.gif
Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.

redtarget.gif
Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Click on "Run ESET Online Scanner" button.
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If Eset won't find any threats, it won't produce any log.
 
I ran the OTL fix, and am pasting the log below. Security Check seems to be hung up on "Performing System Health Check" though. Does it usually take a while? Should Avast be disabled during that check?


All processes killed
========== OTL ==========
64bit-Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F}\ not found.
Registry value HKEY_USERS\S-1-5-21-4111083629-4137538892-1715785686-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-4111083629-4137538892-1715785686-1005\Software\Microsoft\Windows\CurrentVersion\RunOnce\\mctadmin deleted successfully.
ADS C:\ProgramData\TEMP:69E87FA2 deleted successfully.
ADS C:\ProgramData\TEMP:838D4792 deleted successfully.
ADS C:\ProgramData\TEMP:3F30E778 deleted successfully.
ADS C:\ProgramData\TEMP:DEDD192D deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File\Folder C:\FRST not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator King
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 20206182 bytes
->Google Chrome cache emptied: 35646890 bytes
->Flash cache emptied: 492 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Grumblub
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33076398 bytes
->Google Chrome cache emptied: 6399083 bytes
->Flash cache emptied: 996 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Renee
->Temp folder emptied: 2191230 bytes
->Temporary Internet Files folder emptied: 263286627 bytes
->Java cache emptied: 196989 bytes
->Google Chrome cache emptied: 134286966 bytes
->Flash cache emptied: 506 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 29280 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33298 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 77606 bytes
RecycleBin emptied: 19296386 bytes

Total Files Cleaned = 491.00 mb


[EMPTYJAVA]

User: Administrator King

User: All Users

User: Default

User: Default User

User: Grumblub

User: Public

User: Renee
->Java cache emptied: 0 bytes

User: UpdatusUser

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator King
->Flash cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Grumblub
->Flash cache emptied: 0 bytes

User: Public

User: Renee
->Flash cache emptied: 0 bytes

User: UpdatusUser

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 05052014_160038

Files\Folders moved on Reboot...
C:\Users\Renee\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Renee\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\temp\_avast_\AvastLock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Nope... I was just being impatient. :)

Results of screen317's Security Check version 0.99.82
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Adobe Reader XI
Google Chrome 34.0.1847.116
Google Chrome 34.0.1847.131
Google Chrome plugins...
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbam.exe
Malwarebytes Anti-Malware mbamscheduler.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast afwServ.exe
AVAST Software Avast AvastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 
Farbar Service Scanner Version: 03-05-2014
Ran by Renee (administrator) on 05-05-2014 at 16:24:38
Running from "C:\Users\Renee\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
 
Hi. Yeah, it's been running for about 51/2 hours now. It's on step 3 of 4. 339,000 files scanned, 1 infection (win32/agent.RQD.Gen trojan)
The progress bar is about 1/5 full.
 
C:\Recovered Seagate\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\24kj3wfm.Tom\extensions\personas@christopher.beard\defaults\preferences\prefs.js Win32/Agent.RQD.Gen trojan cleaned by deleting - quarantined
H:\Recovered Seagate\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\24kj3wfm.Tom\extensions\personas@christopher.beard\defaults\preferences\prefs.js Win32/Agent.RQD.Gen trojan cleaned by deleting - quarantined
 
Shoot. You've helped SO much already, and I still just got that "codec performer update" garbage in a new tab after I clicked "post reply." Then I got the "Malware bytes.... has blocked a malicious website" notice.
:(
 
You must log in or register to reply here.

Similar threads

uber_beetle
Infected with fake ad pop-ups - posting FRST and Addition
Replies
12
Views
2K
uber_beetle
uber_beetle
wshknwntlprtmn
  • Locked
Inactive Not sure what's going on here....
Replies
12
Views
3K
Broni
Broni
A
Infected: Antivirus says it's Trojan:Script/Wacatac.H!ml
Replies
12
Views
3K
adidaman27
A

Latest posts

Back