
just_apparently_stupid

Everything posted by just_apparently_stupid

  1. About a month ago I started getting a Microsoft certificate error on my Facebook page. I just clicked on "show content" without thinking about it (dumb). Then a week ago I got a pop-up saying they needed to check if the name I use there is valid. I clicked "ask again". Tonight it did. And I am shocked at what they are asking for. This must be a hack and scam, but I've not found anything on the net. I ran Malwarebytes and it did remove one Trojan. I restarted but am still getting the same pop-up. Here is what it looks like. Anyone know if this is legit or can help me? Thank you.

     ****
     Submit Your Documents

     We ask everyone on Facebook to use the name they go by in everyday life so friends know who they're connecting with. Please provide identification that displays the name you'd like to confirm and use publicly on Facebook. Keep in mind that if you confirm a name other than the one currently on your profile, the name on your profile may be automatically updated with the name you confirm. Learn more about why we require ID verification and the different types of ID we accept below.

     What types of ID does Facebook accept?

     You can confirm your identity in 1 of 3 ways. When submitting documentation, please cover up any personal information we don't need to verify your identity (ex: credit card number, Social Security number). We encrypt people's connections to Facebook by default, including IDs you send to us. We delete your ID information after verification is complete.

     Option 1
     We will accept any government-issued ID that contains your name and date of birth. Examples include:
     ■ Birth certificate
     ■ Driver's license
     ■ Passport
     ■ Marriage certificate
     ■ Official name change paperwork
     ■ Personal or vehicle insurance card
     ■ Non-driver's government ID (ex: disability, SNAP card, national ID card)
     ■ Green card, residence permit or immigration papers
     ■ Tribal identification or status card
     ■ Voter ID card

     Option 2
     You can provide two different forms of ID from the following list (ex: a bank statement and a library card, but not two bank statements). The names on your IDs must match each other, and one of the IDs must include a photo or date of birth that matches the information on your profile. Below are some examples of IDs we'll accept:
     ■ Bank statement
     ■ Bus card
     ■ Check
     ■ Credit card
     ■ Employment verification
     ■ Library card
     ■ Mail
     ■ Magazine subscription stub
     ■ Medical record
     ■ Membership ID (ex: pension card, union membership, work ID, professional ID)
     ■ Paycheck stub
     ■ Permit
     ■ School card
     ■ School record
     ■ Social Security card
     ■ Utility bill
     ■ Yearbook photo (actual scan or photograph of the page in your yearbook)

     Option 3
     If you don't have an ID that shows your authentic name as well as your photo or date of birth, you can provide two forms of ID from Option 2 above, and then provide a government ID that includes a date of birth or photo that matches the information on your profile. We won't add the name or other information from the government ID to your account.

     Last edited about 2 months ago
     ****

     Thanks again for help!
  2. I deleted the programs I did not want in the "Safe Zone". The SecurityCheck program seemed to run fine. No abort message. Here is the report.

     ********
      Results of screen317's Security Check version 0.99.73
      Windows Vista Service Pack 2 x86 (UAC is enabled)
      Internet Explorer 9
      Internet Explorer 8
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     AVG AntiVirus Free Edition 2013
      Antivirus up to date!
     `````````Anti-malware/Other Utilities Check:`````````
      Malwarebytes Anti-Malware version 1.75.0.1300
      CCleaner
      Java 6 Update 22
      Java SE Runtime Environment 6 Update 1
      Java 6 Update 3
      Java 6 Update 7
      Java version out of Date!
      Adobe Flash Player 11.6.602.171
      Adobe Reader 9 Adobe Reader out of Date!
      Mozilla Firefox 19.0 Firefox out of Date!
      Google Chrome 29.0.1547.57
      Google Chrome 29.0.1547.62
     ````````Process Check: objlist.exe by Laurent````````
      Malwarebytes Anti-Malware mbamservice.exe
      Malwarebytes Anti-Malware mbamgui.exe
      AVG avgwdsvc.exe
      AVG avgrsx.exe
      AVG avgnsx.exe
      AVG avgemc.exe
      Malwarebytes' Anti-Malware mbamscheduler.exe
     `````````````````System Health check`````````````````
      Total Fragmentation on Drive C: 0 %
     ````````````````````End of Log``````````````````````
  3. Here are the two reports from AdwCleaner. I did run clean; there was just one process discovered and the first scan took less than a minute. More to follow after the report posts.

     *****
     # AdwCleaner v3.001 - Report created 28/08/2013 at 19:29:57
     # Updated 24/08/2013 by Xplode
     # Operating System : Windows Vista Home Basic Service Pack 2 (32 bits)
     # Username : od - OD-PC
     # Running from : C:\Users\od\Desktop\AdwCleaner.exe
     # Option : Scan

     ***** [ Services ] *****

     Service Found : RadioRage_4jService

     ***** [ Files / Folders ] *****

     File Found : C:\END
     File Found : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
     File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
     File Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\plugin@yontoo.com.xpi
     File Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\searchplugins\Conduit.xml
     File Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\user.js
     File Found : C:\Windows\system32\roboot.exe
     Folder Found : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
     Folder Found : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
     Folder Found : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
     Folder Found : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\{5373a31d-9410-45e2-b299-4f61428f0be4}
     Folder Found C:\Program Files\Conduit
     Folder Found C:\Program Files\MyPC Backup
     Folder Found C:\Program Files\MyPC Backup
     Folder Found C:\Program Files\Yontoo Layers Runtime
     Folder Found C:\ProgramData\Tarma Installer
     Folder Found C:\Users\Jim\AppData\LocalLow\AVG Secure Search
     Folder Found C:\Users\Jim\AppData\LocalLow\AVG Security Toolbar
     Folder Found C:\Users\od\AppData\Local\Conduit
     Folder Found C:\Users\od\AppData\Local\cre
     Folder Found C:\Users\od\AppData\Local\visi_coupon
     Folder Found C:\Users\od\AppData\LocalLow\Conduit
     Folder Found C:\Users\od\AppData\LocalLow\PriceGong
     Folder Found C:\Users\od\AppData\Roaming\file scout
     Folder Found C:\Users\od\AppData\Roaming\iWin
     Folder Found C:\Users\od\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Ride Games
     Folder Found C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\CT3279415
     Folder Found C:\Users\od\AppData\Roaming\PerformerSoft
     Folder Found C:\Users\od\AppData\Roaming\SpeedAnalysis2

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     Key Found : HKCU\Software\AppDataLow\Software\Conduit
     Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
     Key Found : HKCU\Software\AppDataLow\Software\PriceGong
     Key Found : HKCU\Software\AppDataLow\Software\RadioRage_4j
     Key Found : HKCU\Software\AppDataLow\Software\SmartBar
     Key Found : HKCU\Software\Conduit
     Key Found : HKCU\Software\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
     Key Found : HKCU\Software\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
     Key Found : HKCU\Software\InstallCore
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9638B7D6-11F5-4406-B387-327642A11FFB}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
     Key Found : HKCU\Software\YahooPartnerToolbar
     Key Found : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
     Key Found : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Found : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
     Key Found : HKLM\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}
     Key Found : HKLM\Software\Classes\popcaploader.popcaploaderctrl2
     Key Found : HKLM\Software\Classes\popcaploader.popcaploaderctrl2.1
     Key Found : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
     Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
     Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}
     Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api
     Key Found : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
     Key Found : HKLM\Software\Conduit
     Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
     Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
     Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
     Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44DB423D-A0DB-4664-9477-CCDCEB7CD666}
     Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{53855564-CF81-410C-9C1C-321C7E067816}
     Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A25AA6E2-1CDE-4D0F-A5D4-4898D7FB3C86}
     Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5C9CB1C-1C0A-45A2-81CC-1DD342D0A478}
     Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A661D4DC-4BD8-48FC-964B-A24AB8157DE6}
     Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B5731AB1-8566-4441-AEFB-9AFB2EEA63D9}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{434FA5E9-253E-4BD0-ADB6-7CE4CEA114CA}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{581C7D7D-F809-4E03-A631-74C069D5F04A}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{68122F44-3A4A-4EDB-B28F-0C0E07F89BD0}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9638B7D6-11F5-4406-B387-327642A11FFB}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F706E19B-6C14-4272-BA98-2F16636A898D}
     Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
     Key Found : HKLM\SOFTWARE\MozillaPlugins\@RadioRage_4j.com/Plugin
     Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
     Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [4jffxtbr@RadioRage_4j.com]

     ***** [ Browsers ] *****

     -\\ Internet Explorer v9.0.8112.16502

     -\\ Mozilla Firefox v19.0 (en-US)

     [ File : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\prefs.js ]

     Line Found : user_pref("CT3279415.FF19Solved", "true");
     Line Found : user_pref("CT3279415.UserID", "UN19129399441273304");
     Line Found : user_pref("CT3279415.addressUrlXPETakeover", "true");
     Line Found : user_pref("CT3279415.autoDisableScopes", 0);
     Line Found : user_pref("CT3279415.browser.search.defaultthis.engineName", "true");
     Line Found : user_pref("CT3279415.defaultSearchXPETakeover", "true");
     Line Found : user_pref("CT3279415.fullUserID", "UN19129399441273304.IN.2013063031324");
     Line Found : user_pref("CT3279415.installDate", "30/06/2013 3:13:23");
     Line Found : user_pref("CT3279415.installSessionId", "{BDA88354-ECF8-4E88-A782-3B43812DE4A7}");
     Line Found : user_pref("CT3279415.installSp", "TRUE");
     Line Found : user_pref("CT3279415.installerVersion", "1.5.4.1");
     Line Found : user_pref("CT3279415.keyword", "true");
     Line Found : user_pref("CT3279415.originalHomepage", "about:home");
     Line Found : user_pref("CT3279415.originalSearchAddressUrl", "");
     Line Found : user_pref("CT3279415.originalSearchEngine", "");
     Line Found : user_pref("CT3279415.searchRevert", "false");
     Line Found : user_pref("CT3279415.searchUserMode", "2");
     Line Found : user_pref("CT3279415.smartbar.homepage", "true");
     Line Found : user_pref("CT3279415.startPageXPETakeover", "true");
     Line Found : user_pref("CT3279415.versionFromInstaller", "10.16.4.19");
     Line Found : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
     Line Found : user_pref("browser.search.defaultthis.engineName", "appbario16 Customized Web Search");
     Line Found : user_pref("browser.search.selectedEngine", "appbario16 Customized Web Search");
     Line Found : user_pref("extentions.y2layers.defaultEnableAppsList", "PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,PageRage,PageRageGlobal,");
     Line Found : user_pref("extentions.y2layers.installId", "ebdc91c5-079c-4400-a0af-2db967a641b1");
     Line Found : user_pref("extentions.y2layers.lastDnsTest", 370955);
     Line Found : user_pref("smartbar.addressBarOwnerCTID", "CT3279415");
     Line Found : user_pref("smartbar.defaultSearchOwnerCTID", "CT3279415");
     Line Found : user_pref("smartbar.homePageOwnerCTID", "CT3279415");
     Line Found : user_pref("smartbar.machineId", "G0D2Z+61BXF3N1INIK1X6GFI44S5NAGGGEELVCC+DHLCNZWRQQSCZ9MPVONVBPN0BJXBBBDBP7EA+GR5OFUZSW");

     -\\ Google Chrome v29.0.1547.62

     [ File : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\preferences ]

     Found : homepage
     Found : icon_url
     Found : search_url
     Found : suggest_url
     Found : keyword
     Found : urls_to_restore_on_startup
     Found : homepage
     Found : icon_url
     Found : search_url
     Found : suggest_url
     Found : keyword
     Found : urls_to_restore_on_startup
     Found : homepage
     Found : icon_url
     Found : search_url
     Found : suggest_url
     Found : keyword
     Found : urls_to_restore_on_startup

     [ File : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\preferences ]

     [ File : C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\preferences ]

     *************************

     AdwCleaner[R0].txt - [12641 octets] - [28/08/2013 19:29:57]

     ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [12702 octets] ##########

     SECOND REPORT AFTER CLEANING...

     ******
     # AdwCleaner v3.001 - Report created 29/08/2013 at 22:43:58
     # Updated 24/08/2013 by Xplode
     # Operating System : Windows Vista Home Basic Service Pack 2 (32 bits)
     # Username : od - OD-PC
     # Running from : C:\Users\od\Desktop\AdwCleaner.exe
     # Option : Clean

     ***** [ Services ] *****

     [#] Service Deleted : RadioRage_4jService

     ***** [ Files / Folders ] *****

     Folder Deleted : C:\ProgramData\Tarma Installer
     Folder Deleted : C:\Program Files\Conduit
     Folder Deleted : C:\Program Files\MyPC Backup
     Folder Deleted : C:\Program Files\Yontoo Layers Runtime
     Folder Deleted : C:\Users\od\AppData\Local\Conduit
     Folder Deleted : C:\Users\od\AppData\Local\cre
     Folder Deleted : C:\Users\od\AppData\Local\visi_coupon
     Folder Deleted : C:\Users\od\AppData\LocalLow\Conduit
     Folder Deleted : C:\Users\od\AppData\LocalLow\PriceGong
     Folder Deleted : C:\Users\od\AppData\Roaming\file scout
     Folder Deleted : C:\Users\od\AppData\Roaming\iWin
     Folder Deleted : C:\Users\od\AppData\Roaming\PerformerSoft
     Folder Deleted : C:\Users\od\AppData\Roaming\SpeedAnalysis2
     Folder Deleted : C:\Users\od\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Free Ride Games
     Folder Deleted : C:\Users\Jim\AppData\LocalLow\AVG Secure Search
     Folder Deleted : C:\Users\Jim\AppData\LocalLow\AVG Security Toolbar
     Folder Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\CT3279415
     Folder Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\{5373a31d-9410-45e2-b299-4f61428f0be4}
     Folder Deleted : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla
     Folder Deleted : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
     [!] Folder Deleted : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
     File Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\Extensions\plugin@yontoo.com.xpi
     File Deleted : C:\END
     File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
     File Deleted : C:\Windows\system32\roboot.exe
     File Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml
     File Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\searchplugins\Conduit.xml
     File Deleted : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\user.js

     ***** [ Shortcuts ] *****

     ***** [ Registry ] *****

     Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [4jffxtbr@RadioRage_4j.com]
     Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
     Key Deleted : HKCU\Software\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
     Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\knllpfimimccdfnihbikigiagifmllol
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\YontooIEClient.DLL
     Key Deleted : HKLM\Software\Classes\popcaploader.popcaploaderctrl2
     Key Deleted : HKLM\Software\Classes\popcaploader.popcaploaderctrl2.1
     Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api
     Key Deleted : HKLM\SOFTWARE\Classes\YontooIEClient.Api.1
     Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@RadioRage_4j.com/Plugin
     Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFDAFE39-20CE-451D-BD45-A37452F39CF0}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E84186E-B5DE-4226-8A66-6E49C6B511B4}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{80922EE0-8A76-46AE-95D5-BD3C3FE0708D}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E4E3E0F8-CD30-4380-8CE9-B96904BDEFCA}
     Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE8A736F-4124-4D9C-B4B1-3B12381EFABE}
     Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
     Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
     Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C9C5DEAF-0A1F-4660-8279-9EDFAD6FEFE1}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9638B7D6-11F5-4406-B387-327642A11FFB}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{434FA5E9-253E-4BD0-ADB6-7CE4CEA114CA}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{581C7D7D-F809-4E03-A631-74C069D5F04A}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{68122F44-3A4A-4EDB-B28F-0C0E07F89BD0}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9638B7D6-11F5-4406-B387-327642A11FFB}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F706E19B-6C14-4272-BA98-2F16636A898D}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44DB423D-A0DB-4664-9477-CCDCEB7CD666}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{53855564-CF81-410C-9C1C-321C7E067816}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A25AA6E2-1CDE-4D0F-A5D4-4898D7FB3C86}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5C9CB1C-1C0A-45A2-81CC-1DD342D0A478}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A661D4DC-4BD8-48FC-964B-A24AB8157DE6}
     Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B5731AB1-8566-4441-AEFB-9AFB2EEA63D9}
     Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
     Key Deleted : HKCU\Software\Conduit
     Key Deleted : HKCU\Software\InstallCore
     Key Deleted : HKCU\Software\YahooPartnerToolbar
     Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
     Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
     Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
     Key Deleted : HKCU\Software\AppDataLow\Software\RadioRage_4j
     Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
     Key Deleted : HKLM\Software\Conduit
     Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
     Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}

     ***** [ Browsers ] *****

     -\\ Internet Explorer v9.0.8112.16502

     -\\ Mozilla Firefox v19.0 (en-US)

     [ File : C:\Users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\prefs.js ]

     Line Deleted : user_pref("CT3279415.FF19Solved", "true");
     Line Deleted : user_pref("CT3279415.UserID", "UN19129399441273304");
     Line Deleted : user_pref("CT3279415.addressUrlXPETakeover", "true");
     Line Deleted : user_pref("CT3279415.autoDisableScopes", 0);
     Line Deleted : user_pref("CT3279415.browser.search.defaultthis.engineName", "true");
     Line Deleted : user_pref("CT3279415.defaultSearchXPETakeover", "true");
     Line Deleted : user_pref("CT3279415.fullUserID", "UN19129399441273304.IN.2013063031324");
     Line Deleted : user_pref("CT3279415.installDate", "30/06/2013 3:13:23");
     Line Deleted : user_pref("CT3279415.installSessionId", "{BDA88354-ECF8-4E88-A782-3B43812DE4A7}");
     Line Deleted : user_pref("CT3279415.installSp", "TRUE");
     Line Deleted : user_pref("CT3279415.installerVersion", "1.5.4.1");
     Line Deleted : user_pref("CT3279415.keyword", "true");
     Line Deleted : user_pref("CT3279415.originalHomepage", "about:home");
     Line Deleted : user_pref("CT3279415.originalSearchAddressUrl", "");
     Line Deleted : user_pref("CT3279415.originalSearchEngine", "");
     Line Deleted : user_pref("CT3279415.searchRevert", "false");
     Line Deleted : user_pref("CT3279415.searchUserMode", "2");
     Line Deleted : user_pref("CT3279415.smartbar.homepage", "true");
     Line Deleted : user_pref("CT3279415.startPageXPETakeover", "true");
     Line Deleted : user_pref("CT3279415.versionFromInstaller", "10.16.4.19");
     Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
     Line Deleted : user_pref("browser.search.defaultthis.engineName", "appbario16 Customized Web Search");
     Line Deleted : user_pref("browser.search.selectedEngine", "appbario16 Customized Web Search");
     Line Deleted : user_pref("extentions.y2layers.defaultEnableAppsList", "PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,PageRage,PageRageGlobal,");
     Line Deleted : user_pref("extentions.y2layers.installId", "ebdc91c5-079c-4400-a0af-2db967a641b1");
     Line Deleted : user_pref("extentions.y2layers.lastDnsTest", 370955);
     Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3279415");
     Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3279415");
     Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3279415");
     Line Deleted : user_pref("smartbar.machineId", "G0D2Z+61BXF3N1INIK1X6GFI44S5NAGGGEELVCC+DHLCNZWRQQSCZ9MPVONVBPN0BJXBBBDBP7EA+GR5OFUZSW");

     -\\ Google Chrome v29.0.1547.62

     [ File : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\preferences ]

     Deleted : homepage
     Deleted : icon_url

     [ File : C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\preferences ]

     [ File : C:\Users\Test\AppData\Local\Google\Chrome\User Data\Default\preferences ]

     *************************

     AdwCleaner[R0].txt - [12783 octets] - [28/08/2013 19:29:57]
     AdwCleaner[R1].txt - [12844 octets] - [29/08/2013 22:42:47]
     AdwCleaner[s0].txt - [12501 octets] - [29/08/2013 22:43:58]

     ########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [12562 octets] ##########

     Now for the continuation of my comments: I am able to log on to OD in a normal fashion without the DOS screen popping up.

     There is one thing, though, that I noticed in the ComboFix report under the supplementary scan, in the trusted zone:

     Trusted Zone: chatropolis.com\cs12
     Trusted Zone: chatrpolis.com\cs10

     These should not be in the trusted zone. How do I fix that? Thank you again for all of your help!
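The AdwCleaner reports above and the two "Trusted Zone:" lines from the ComboFix supplementary scan are easier to triage once the flat "Kind Found : target" lines are parsed and the entries that actually matter for security are flagged. The following script is an added example for this thread; it is not part of the post, of AdwCleaner or of ComboFix. It parses AdwCleaner-style `Found`/`Deleted` lines (including the pasted variant that lacks the colon, e.g. `Folder Found C:\Program Files\Conduit`, and the `[#]`/`[!]` markers) and ComboFix-style `Trusted Zone:` lines, then annotates registry locations that mean more than leftover clutter: Browser Helper Objects and PreApproved ActiveX controls load code into Internet Explorer, `Low Rights\ElevationPolicy` lets a program run outside IE protected mode, the `Chrome\Extensions`, `Mozilla\Firefox\Extensions` and `MozillaPlugins` keys side-load browser add-ons, and a Trusted Sites entry relaxes IE's security settings for that host. The sample input is constructed from lines that appear in the reports above; the descriptions in `PERSISTENCE_HINTS` are general Windows facts, not something the tools themselves emit.

```python
"""Triage helper for flattened AdwCleaner / ComboFix report lines.

Added example: parses "<Kind> Found : <target>" / "<Kind> Deleted : <target>"
lines as written by AdwCleaner and "Trusted Zone: <host>" lines as listed by
ComboFix, groups them by kind and flags entries that grant code execution in
the browser or relax its security settings.
"""
import re
from collections import Counter

# Tolerates the missing colon seen in some pasted lines ("Folder Found C:\...")
# and the "[#]" / "[!]" markers AdwCleaner prefixes to some entries.
ADW_LINE = re.compile(
    r"^(?:\[[#!]\]\s*)?(?P<kind>Service|File|Folder|Key|Value|Line)\s+"
    r"(?P<action>Found|Deleted)\s*:?\s*(?P<target>.+?)\s*$"
)
TRUSTED_ZONE = re.compile(r"^Trusted Zone:\s*(?P<host>\S+)\s*$")

# Registry locations where an entry means more than leftover clutter.
# (General Windows/IE facts, not output of either tool.)
PERSISTENCE_HINTS = {
    "Browser Helper Objects": "loads a DLL into every Internet Explorer process",
    "Low Rights\\ElevationPolicy": "lets the listed program run outside IE protected mode",
    "Ext\\PreApproved": "marks an ActiveX control as pre-approved, skipping the user prompt",
    "Chrome\\Extensions": "installs a Chrome extension through the registry",
    "Mozilla\\Firefox\\Extensions": "installs a Firefox extension for all profiles",
    "MozillaPlugins": "registers an NPAPI plugin for Firefox",
}
TRUSTED_ZONE_NOTE = ("host is in the IE Trusted Sites zone, which relaxes "
                     "security settings for it")


def parse_report(text):
    """Return one dict per recognised line; other lines are ignored."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ADW_LINE.match(line)
        if m:
            findings.append({"kind": m["kind"], "action": m["action"],
                             "target": m["target"], "note": None})
            continue
        m = TRUSTED_ZONE.match(line)
        if m:
            findings.append({"kind": "TrustedZone", "action": "Found",
                             "target": m["host"], "note": TRUSTED_ZONE_NOTE})
    # Annotate registry keys/values that sit in a persistence location.
    for f in findings:
        if f["kind"] in ("Key", "Value"):
            lowered = f["target"].lower()
            for needle, why in PERSISTENCE_HINTS.items():
                if needle.lower() in lowered:
                    f["note"] = why
                    break
    return findings


def summarize(findings):
    """Count entries by (kind, action), e.g. ('Key', 'Found') -> 4."""
    return Counter((f["kind"], f["action"]) for f in findings)


def flagged(findings):
    """Entries carrying a security note, for the analyst to look at first."""
    return [f for f in findings if f["note"]]


# Constructed sample: a handful of lines copied from the reports in this thread.
SAMPLE = r"""
***** [ Services ] *****
[#] Service Deleted : RadioRage_4jService
***** [ Files / Folders ] *****
File Found : C:\Windows\system32\roboot.exe
Folder Found C:\Program Files\Conduit
Folder Found : C:\Users\od\AppData\Local\Google\Chrome\User Data\Default\Extensions\knllpfimimccdfnihbikigiagifmllol
***** [ Registry ] *****
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44DB423D-A0DB-4664-9477-CCDCEB7CD666}
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Found : HKCU\Software\Conduit
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [4jffxtbr@RadioRage_4j.com]
Line Found : user_pref("browser.search.selectedEngine", "appbario16 Customized Web Search");
Trusted Zone: chatropolis.com\cs12
Trusted Zone: chatrpolis.com\cs10
"""

if __name__ == "__main__":
    found = parse_report(SAMPLE)
    for (kind, action), n in sorted(summarize(found).items()):
        print(f"{kind:12s} {action:8s} {n}")
    print("\nLook at these first:")
    for f in flagged(found):
        print(f"  [{f['kind']}] {f['target']}\n      {f['note']}")
```

The script only reports. Trusted Sites entries live under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains`, one subkey per domain with a DWORD value per scheme whose data is 2 for the Trusted zone; removing an unwanted site is done through Internet Options > Security > Trusted sites > Sites, or by deleting that subkey, and re-running the scan afterwards confirms the entry is gone.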
  4. Ran ComboFix; here is the log. It did not have the warning sign. I do need to browse on what I think are safe sites to get some local info, so I am turning back on the antivirus / AVG security.

     ******
     ComboFix 13-08-28.02 - od 08/27/2013 23:16:44.1.2 - x86
     Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1918.983 [GMT -7:00]
     Running from: c:\users\od\Downloads\ComboFix.exe
     AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
     SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
     SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     .
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     c:\program files\RadioRage_4j
     c:\program files\RadioRage_4j\bar\1.bin\4jbarsvc.exe
     c:\program files\RadioRage_4j\bar\1.bin\4jbrmon.exe
     c:\program files\RadioRage_4j\bar\1.bin\4jSrchMn.exe
     c:\program files\RadioRage_4j\bar\1.bin\BOOTSTRAP.JS
     c:\program files\RadioRage_4j\bar\1.bin\CHROME.MANIFEST
     c:\program files\RadioRage_4j\bar\1.bin\INSTALL.RDF
     c:\program files\RadioRage_4j\bar\1.bin\LOGO.BMP
     c:\program files\RadioRage_4j\bar\1.bin\T8RES.DLL
     c:\users\Test\FRST.exe
     c:\windows\system32\Cache
     c:\windows\system32\Cache\272512937d9e61a4.fb
     c:\windows\system32\Cache\287204568329e189.fb
     c:\windows\system32\Cache\28bc8f716fd76a47.fb
     c:\windows\system32\Cache\2c53092c95605355.fb
     c:\windows\system32\Cache\31a0997e9a5b5eb3.fb
     c:\windows\system32\Cache\32c84fe32bb74d60.fb
     c:\windows\system32\Cache\3917078cb68ec657.fb
     c:\windows\system32\Cache\5142874a43f06635.fb
     c:\windows\system32\Cache\590ba23ce359fd0c.fb
     c:\windows\system32\Cache\610289e025a3ee9a.fb
     c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
     c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
     c:\windows\system32\Cache\6d03dad1035885d3.fb
     c:\windows\system32\Cache\7df74c042f504fad.fb
     c:\windows\system32\Cache\a4c5e725589b342d.fb
     c:\windows\system32\Cache\a8556537add6dfc5.fb
     c:\windows\system32\Cache\aa3e8c0b95e00f5a.fb
     c:\windows\system32\Cache\ad10a52aff5e038d.fb
     c:\windows\system32\Cache\add035168815d9eb.fb
     c:\windows\system32\Cache\b62ff061e7da00f5.fb
     c:\windows\system32\Cache\beb06e9fa40e2201.fb
     c:\windows\system32\Cache\c1fa887b03019701.fb
     c:\windows\system32\Cache\c4d28dca2e7648be.fb
     c:\windows\system32\Cache\d201ef9910cd39de.fb
     c:\windows\system32\Cache\d2e94710a5708128.fb
     c:\windows\system32\Cache\d79b9dfe81484ec4.fb
     c:\windows\system32\Cache\e0de16f883bea794.fb
     c:\windows\system32\Cache\e1ebcc1892aa776d.fb
     c:\windows\system32\Cache\eb6556dbbaf6672c.fb
     c:\windows\system32\Cache\f998975c9cc711ee.fb
     .
     .
     ((((((((((((((((((((((((( Files Created from 2013-07-28 to 2013-08-28 )))))))))))))))))))))))))))))))
     .
     .
     2013-08-20 23:30 . 2013-08-22 20:54 -------- d-----w- C:\FRST
     2013-08-20 10:42 . 2013-08-20 10:42 -------- d-----w- c:\users\Test\AppData\Local\WinZip
     2013-08-20 09:44 . 2013-08-28 05:51 -------- d-----w- c:\program files\MyPC Backup
     2013-08-20 09:43 . 2013-08-25 08:01 -------- d-----w- c:\program files\SearchProtect
     2013-08-14 03:38 . 2013-07-10 09:47 783360 ----a-w- c:\windows\system32\rpcrt4.dll
     2013-08-14 03:38 . 2013-07-17 19:41 2048 ----a-w- c:\windows\system32\tzres.dll
     2013-08-14 03:38 . 2013-06-15 13:22 15872 ----a-w- c:\windows\system32\icaapi.dll
     2013-08-14 03:38 . 2013-06-15 11:23 24064 ----a-w- c:\windows\system32\drivers\tssecsrv.sys
     2013-08-14 03:38 . 2013-07-05 04:53 905664 ----a-w- c:\windows\system32\drivers\tcpip.sys
     2013-08-14 03:38 . 2013-07-09 12:10 1205168 ----a-w- c:\windows\system32\ntdll.dll
     2013-08-14 03:38 . 2013-07-08 04:55 3603904 ----a-w- c:\windows\system32\ntkrnlpa.exe
     2013-08-14 03:38 . 2013-07-08 04:55 3551680 ----a-w- c:\windows\system32\ntoskrnl.exe
     2013-08-14 03:37 . 2013-07-08 04:16 992768 ----a-w- c:\windows\system32\crypt32.dll
     2013-08-14 03:37 . 2013-07-08 04:20 172544 ----a-w- c:\windows\system32\wintrust.dll
     2013-08-14 03:37 . 2013-07-08 04:16 98304 ----a-w- c:\windows\system32\cryptnet.dll
     2013-08-14 03:37 . 2013-07-08 04:16 133120 ----a-w- c:\windows\system32\cryptsvc.dll
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2013-07-20 08:51 . 2013-07-20 08:51 246072 ----a-w- c:\windows\system32\drivers\avglogx.sys
     2013-07-20 08:50 . 2013-07-20 08:50 60216 ----a-w- c:\windows\system32\drivers\avgidshx.sys
     2013-07-20 08:50 . 2013-07-20 08:50 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
     2013-07-20 08:50 . 2013-07-20 08:50 171320 ----a-w- c:\windows\system32\drivers\avgldx86.sys
     2013-07-10 08:32 . 2013-07-10 08:32 39224 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
     2013-07-10 05:01 . 2012-04-30 00:16 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2013-07-10 05:01 . 2011-05-27 22:42 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2013-07-01 08:45 . 2013-07-01 08:45 96568 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
     2013-06-04 01:50 . 2013-07-10 04:10 2049024 ----a-w- c:\windows\system32\win32k.sys
     2013-06-01 04:06 . 2013-07-10 04:10 505344 ----a-w- c:\windows\system32\qedit.dll
     2013-02-27 10:15 . 2013-02-27 10:15 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
     2010-06-19 11:43 . 2013-02-27 10:15 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
     "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn11\yt.dll" [2013-08-07 1561880]
     .
     [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
     [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
     [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
     [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
     "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]
     "SansaDispatch"="c:\users\od\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2011-01-02 79872]
     "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
     "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
     "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
     "DPService"="c:\program files\HP\DVDPlay\DPService.exe" [2008-06-12 90112]
     "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
     "Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-09-09 623880]
     "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-19 30192]
     "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
     "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-12-13 135536]
     "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
     "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2013-05-08 41056]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
     "AVG_UI"="c:\program files\AVG\AVG2013\avgui.exe" [2013-07-01 4411440]
     .
     c:\users\od\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
     OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
     .
     c:\users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
     OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
     OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
     .
     c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
     HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
     Personal Coach.lnk - c:\program files\Broderbund\Mavis Beacon Teaches Typing 15\MiniMavis.exe main [2010-10-13 2392064]
     PictureMover.lnk - c:\program files\PictureMover\Bin\PictureMover.exe -det [2008-6-3 413696]
     QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-3-11 984352]
     WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK32.EXE [2013-1-15 685936]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "EnableUIADesktopToggle"= 0 (0x0)
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
     @=""
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
     @=""
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
     @=""
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
     @=""
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
     @="Service"
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
     "DisableMonitoring"=dword:00000001
     .
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4064688261-3020506512-3484179790-1000] "EnableNotificationsRef"=dword:00000001 . --- Other Services/Drivers In Memory --- . *Deregistered* - MBAMSwissArmy *Deregistered* - TrueSight . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}] 2013-08-22 15:37 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.57\Installer\chrmstp.exe . Contents of the 'Scheduled Tasks' folder . 2013-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:00] . 2013-08-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 06:00] . 2013-08-24 c:\windows\Tasks\HPCeeScheduleForJim.job - c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-08-28 03:03] . 2013-08-18 c:\windows\Tasks\HPCeeScheduleForod.job - c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2008-08-28 03:03] . . ------- Supplementary Scan ------- . 
Trusted Zone: chatropolis.com\cs12 Trusted Zone: chatrpolis.com\cs10 Trusted Zone: intuit.com\accounts Trusted Zone: intuit.com\ttlc Trusted Zone: microsoft.com\www.update Trusted Zone: real.com\rhap-app-4-0 Trusted Zone: real.com\rhapreg Trusted Zone: rhapsody.com\rhap-app-4-0 Trusted Zone: rhapsody.com\rhapreg TCP: DhcpNameServer = 24.113.32.29 24.113.32.30 24.113.0.30 FF - ProfilePath - c:\users\od\AppData\Roaming\Mozilla\Firefox\Profiles\3n51itv5.default\ FF - prefs.js: browser.search.selectedEngine - appbario16 Customized Web Search FF - ExtSQL: !HIDDEN! 2009-09-02 03:01; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - ExtSQL: !HIDDEN! 2010-03-12 04:19; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extentions.y2layers.installId, ebdc91c5-079c-4400-a0af-2db967a641b1 FF - user.js: extentions.y2layers.defaultEnableAppsList - PageRage,PageRageGlobal,Buzzdock,BuzzdockTease,PageRage,PageRageGlobal, . - - - - ORPHANS REMOVED - - - - . WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) HKLM-Run-hpqSRMon - (no file) SafeBoot-WudfPf SafeBoot-WudfRd AddRemove-WinZip Packages - c:\users\od\AppData\Roaming\0T1F0D1F2W1G1I1F1T1Q\WinZip Packages\uninstaller.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2013-08-27 23:26 Windows 6.0.6002 Service Pack 2 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . HKCU\Software\Microsoft\Windows\CurrentVersion\Run SansaDispatch = c:\users\od\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe?on%2fSansaDispatch_1_011.txt&certificate-url=https%3a%2f%2ff?ible-me . scanning hidden files ... . scan completed successfully hidden files: 0 . 
************************************************************************** . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}] "ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings] @Denied: (A) (Users) @Denied: (A) (Everyone) @Allowed: (B 1 2 3 4 5) (S-1-5-20) "BlindDial"=dword:00000000 . Completion time: 2013-08-27 23:28:28 ComboFix-quarantined-files.txt 2013-08-28 06:28 . Pre-Run: 156,167,000,064 bytes free Post-Run: 156,155,584,512 bytes free . - - End Of File - - EA5AB09859F19CA9C68CBBB685552600 81CD5EC01DB0CE57EDD853F82462EF27
5. Thank you, MrC. I will try this. Sorry I didn't respond within a reasonable amount of time. Real life issues prevented me from getting to my computer. I will do my best to shut all down and reboot. Will let you know what happened as soon as possible.
6. Here is the report.

***

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : od [Admin rights]
Mode : Scan -- Date : 08/25/2013 20:52:01
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] 28f6c2f2d417a54f50a656fbe901e9e8
[BSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 227239 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465386985 | Size: 11232 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08252013_205201.txt >>
RKreport[0]_D_08232013_161223.txt;RKreport[0]_D_08232013_191518.txt;RKreport[0]_S_08222013_185930.txt
RKreport[0]_S_08222013_191642.txt;RKreport[0]_S_08222013_193419.txt;RKreport[0]_S_08222013_194408.txt
RKreport[0]_S_08232013_160229.txt;RKreport[0]_S_08232013_162959.txt;RKreport[0]_S_08232013_185313.txt
RKreport[0]_S_08232013_191427.txt;RKreport[0]_S_08252013_004805.txt
7. Okay... when I typed explorer and hit Enter, the od screen came up and all seemed normal, with the message that my previous IE session was interrupted and did I want to continue... I said "no". I'll just shut this login down until I hear back from you, MrC. Should I do the rstrui in the DOS box when I enter again, or should I try to run RogueKiller from this login? Thank you again! I can at least copy my emails now!
8. Okay, will try... I have spent the day doing roundabout ways of backing up files in case this restore just does not work and I crash. So, I am trying it now. If you don't hear from me for a while you'll know I'm having troubles.
9. I ran it and rebooted. Still cannot access user OD. And I want to be clear... I click on that login... I get the welcome screen, then a black full screen with a box about one third the size of the screen. That box contains the DOS prompt. Also, I'm still getting warnings that my Windows Security Center is turned off.
10. I'm assessing the Jim login now... I ran RogueKiller there. It seems to be the same results as when I cleared from the Test account. Here is the report in case I'm wrong.

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : od [Admin rights]
Mode : Scan -- Date : 08/23/2013 18:53:13
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] 28f6c2f2d417a54f50a656fbe901e9e8
[BSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 227239 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465386985 | Size: 11232 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] bfc2508142cb31e56488e57ad8f80c9c
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 30532 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08232013_185313.txt >>
RKreport[0]_D_08232013_161223.txt;RKreport[0]_S_08222013_185930.txt;RKreport[0]_S_08222013_191642.txt
RKreport[0]_S_08222013_193419.txt;RKreport[0]_S_08222013_194408.txt;RKreport[0]_S_08232013_160229.txt
RKreport[0]_S_08232013_162959.txt
  11. I'm assuming you mean in the file description in the box to the right. I find no auto runs.
12. No, I still cannot access that account. It takes me to the DOS prompt. There is no message, just the system32> prompt. If you can get me in there through typing iexplorer something something like I was able to before when I had this issue, I can probably run it from there. Thank you.
13. I did as you said and deleted the file (there was only one). I rebooted and reran RogueKiller and that file was gone. I'll attach the report I ran afterwards. It was odd, after I shut down the Test account I had to wait for RogueKiller to shut down... so I went away from the computer and when I came back the user Jim account was up and running... This was the first account I went to when user OD got infected... then it jumped to Jim so I switched to the Test user. So I can get into both of those, but when I go to the OD account I get sent to the DOS screen, though there are no messages, just the system32 prompt. Maybe I didn't correctly follow your instructions. Here is the log file I ran after the delete and reboot.

*****

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : od [Admin rights]
Mode : Remove -- Date : 08/23/2013 16:12:23
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> NOT SELECTED
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> NOT SELECTED
[AUTORUN] HKCU\[...]\Command Processor : AutoRun ("C:\Users\od\AppData\Local\Temp\nghynqbcqlsfogvga.exe") -> REPLACED ()

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] 28f6c2f2d417a54f50a656fbe901e9e8
[BSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 227239 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465386985 | Size: 11232 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] bfc2508142cb31e56488e57ad8f80c9c
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 30532 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_D_08232013_161223.txt >>
RKreport[0]_S_08222013_185930.txt;RKreport[0]_S_08222013_191642.txt;RKreport[0]_S_08222013_193419.txt
RKreport[0]_S_08222013_194408.txt;RKreport[0]_S_08232013_160229.txt

Thanks for all of the progress and time you are making and taking!
14. Copied here as is...

RogueKiller V8.6.6 [Aug 19 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : od [Admin rights]
Mode : Scan -- Date : 08/22/2013 19:44:08
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[RUN][SUSP PATH] HKLM\[...]\RunOnce : Malwarebytes Anti-Malware (cleanup) (rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [x][7][x]) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[AUTORUN] HKCU\[...]\Command Processor : AutoRun ("C:\Users\od\AppData\Local\Temp\nghynqbcqlsfogvga.exe") -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1 localhost
::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] 28f6c2f2d417a54f50a656fbe901e9e8
[BSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 227239 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 465386985 | Size: 11232 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

+++++ PhysicalDrive1: Hitachi HDP725025GLA SCSI Disk Device +++++
--- User ---
[MBR] bfc2508142cb31e56488e57ad8f80c9c
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 32 | Size: 30532 Mo
User = LL1 ... OK!
Error reading LL2 MBR!

Finished : << RKreport[0]_S_08222013_194408.txt >>
RKreport[0]_S_08222013_185930.txt;RKreport[0]_S_08222013_191642.txt;RKreport[0]_S_08222013_193419.txt

Unfortunately I couldn't post without an AVG virus threat popping up. I had to click on "protect" before I could post this. It was the same file that was in my OD user login in DOS.
  15. Okay, I was able to run it again. No report has shown up on my desktop. I do have an ntuser.dat.LOG1 item located in my test file.
16. I messed up! Instead of downloading it I hit "run" by mistake, I guess... it popped up and I did the scan, and I went to find the log and of course it wasn't there. So I went back and downloaded it to my desktop and tried to start it, but it said it is already running and I can't find where it is... gawd, I am so, so sorry. You have been so patient with me and I think we are so close! Any idea where I might find it? Thank you thank you thank you!
17. I had to switch to the Test account and when I did I'm still getting the warning about Windows security settings (I won't click on THAT again for a while). I tried to log in to the OD account. It took me into DOS... I wrote down exactly what it said... it is as follows:

*********

'"c:\users\od\AppData\Local\Temp\nghynqbcqlsfogvga (then the dot and exe) - I'm afraid to type the dot exe in here in case the system does something weird - is not recognized as an operable program or batch file"'.

The next line is c:\windows\system32>
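An added example, not part of this thread and not output from RogueKiller, ComboFix or FRST: a read-only PowerShell audit of the persistence points the logs in this thread keep turning up. The RogueKiller reports show an AutoRun value under HKCU\Software\Microsoft\Command Processor pointing into the od account's Temp folder; that value is executed every time cmd.exe starts, so once the .exe is deleted every new prompt prints "... is not recognized as an operable program or batch file", exactly as the post above describes. The script also reports the Winlogon Shell/Userinit values (a logon that lands in a bare cmd window is one common result of Shell being changed away from explorer.exe), Run/RunOnce entries launched from Temp, AppInit_DLLs, and the Security Center DisableMonitoring switches the ComboFix log lists. Assumptions that are mine, not the tools': an elevated PowerShell on the Vista machine, the regex of "suspicious" paths, and the expected Winlogon values. It changes nothing; the remediation line is left as a comment.

```powershell
# Added example for this thread; not output or code from any tool posted above.
# Read-only audit of persistence points seen in the RogueKiller/ComboFix logs.
# Assumption: run in an elevated PowerShell on the affected Vista machine.
# HKCU: is the hive of the account you are logged on as, so run it once per
# account (od, Jim, Test); the other users' hives are not visible here.

# Paths a legitimate autostart almost never launches from (assumed pattern).
$SuspiciousPath = '(?i)\\(AppData\\Local\\Temp|Temp|ProgramData\\[0-9a-f]{8})\\'

function Test-SuspiciousPath {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    return [bool]($Value -match $SuspiciousPath)
}

# Value names/data of a key, minus PowerShell's own PS* metadata properties.
function Get-RegValues {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
}

$findings = @()

# 1. Command Processor AutoRun: runs on every cmd.exe start. A clean system has
#    no AutoRun value at all. A stale one (file already deleted) produces the
#    "is not recognized as an operable program or batch file" line at each prompt.
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Command Processor"
    $autorun = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($autorun) {
        $findings += "[AUTORUN] $key\AutoRun = $autorun"
        # Remediation once confirmed:  Remove-ItemProperty -Path $key -Name AutoRun
    }
}

# 2. Winlogon Shell / Userinit. Expected on Vista (assumed): HKLM Shell = explorer.exe,
#    HKLM Userinit = C:\Windows\system32\userinit.exe, and no Shell/Userinit under HKCU.
$winlogon = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($v in Get-RegValues "$hive\$winlogon") {
        if ('Shell', 'Userinit' -contains $v.Name) {
            $ok = ($hive -eq 'HKLM:') -and (
                  ($v.Name -eq 'Shell'    -and $v.Value -eq 'explorer.exe') -or
                  ($v.Name -eq 'Userinit' -and $v.Value -match '^C:\\Windows\\system32\\userinit\.exe,?$'))
            if (-not $ok) { $findings += "[WINLOGON] $hive\$winlogon\$($v.Name) = $($v.Value)" }
        }
    }
}

# 3. Run / RunOnce entries that launch from Temp or a random-named ProgramData folder.
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($rk in $runKeys) {
        foreach ($v in Get-RegValues "$hive\$rk") {
            if (Test-SuspiciousPath $v.Value) {
                $findings += "[RUN] $hive\$rk\$($v.Name) = $($v.Value)"
            }
        }
    }
}

# 4. AppInit_DLLs is loaded into every process that uses user32.dll; list whatever is there
#    (the ComboFix log in this thread shows a Google Desktop DLL) so it can be reviewed.
$appinit = (Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows' `
            -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appinit) { $findings += "[APPINIT] AppInit_DLLs = $appinit" }

# 5. Security Center monitoring switches. DisableMonitoring = 1 silences the AV/firewall
#    status checks; third-party suites set the per-vendor ones legitimately, so report,
#    compare with the installed AV, and do not treat this alone as proof of infection.
$sc = 'HKLM:\Software\Microsoft\Security Center\Monitoring'
$scKeys = @($sc) + @(Get-ChildItem -Path $sc -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
foreach ($k in $scKeys) {
    $dm = (Get-ItemProperty -Path $k -Name DisableMonitoring -ErrorAction SilentlyContinue).DisableMonitoring
    if ($dm -eq 1) { $findings += "[SECCENTER] $k\DisableMonitoring = 1" }
}

if ($findings.Count -eq 0) { Write-Output 'No suspicious persistence entries found.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Run it from each affected account in turn; the AutoRun and per-user Winlogon checks only see the hive of the user who is logged on. On the machine in this thread, a clean pass after the RogueKiller "REPLACED ()" step should print nothing for [AUTORUN], which is the quickest way to confirm the DOS-prompt error message is gone for good.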
18. It looks like it's gone... right? Let me know. Thanks!

****************

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-08-2013
Ran by Test at 2013-08-22 17:19:04 Run:4
Running from F:\
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\od\AppData\Roaming\2433f433
C:\ProgramData\2433f433
C:\Users\od\AppData\Local\2433f433
*****************

"C:\Users\od\AppData\Roaming\2433f433" => File/Directory not found.
"C:\ProgramData\2433f433" => File/Directory not found.
"C:\Users\od\AppData\Local\2433f433" => File/Directory not found.

==== End of Fixlog ====
19. I went to Roaming first and it allowed the delete. I went to Local next; it did not allow it. I went to ProgramData and it did allow the delete. I went back to Local and it allowed the delete. They are not, however, showing up in my recycle bin. I'd expect that at least the ProgramData file would show up; am I wrong? Should I run the fixlist again to see if it's gone?
20. Here it is.

********

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 21-08-2013
Ran by Test at 2013-08-22 13:51:15 Run:3
Running from F:\
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\od\AppData\Roaming\2433f433
C:\ProgramData\2433f433
C:\Users\od\AppData\Local\2433f433
*****************

Could not move "C:\Users\od\AppData\Roaming\2433f433" => Scheduled to move on reboot.
Could not move "C:\ProgramData\2433f433" => Scheduled to move on reboot.
Could not move "C:\Users\od\AppData\Local\2433f433" => Scheduled to move on reboot.

=========== Result of Scheduled Files to move ===========

"C:\Users\od\AppData\Roaming\2433f433" => File could not move.
"C:\ProgramData\2433f433" => File could not move.
"C:\Users\od\AppData\Local\2433f433" => File could not move.

==== End of Fixlog ====
  21. I'm sorry, I thought that was the one you wanted. Sorry I misunderstood. Here is the other log. ****** Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-08-2013 02 Ran by Test (ATTENTION: The logged in user is not administrator) on 21-08-2013 12:00:02 Running from C:\Users\Test Microsoft® Windows Vista™ Home Basic Service Pack 2 (X86) OS Language: English(US) Internet Explorer Version 9 Boot Mode: Normal ==================== Processes (Whitelisted) =================== (Hewlett-Packard Company) C:\hp\support\hpsysdrv.exe (Hewlett-Packard Co.) C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Google) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Microsoft Corporation) C:\Program Files\Microsoft LifeCam\LifeExp.exe (Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2013\avgui.exe (Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe (Google Inc.) C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (TLC Education Properties LLC) C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\MiniMavis.exe (Hewlett-Packard Company) C:\Program Files\PictureMover\Bin\PictureMover.exe (WinZip Computing, S.L.) C:\Program Files\WinZip\WZQKPICK32.EXE (Conduit) C:\PROGRA~1\SearchProtect\SearchProtect\bin\cltmng.exe (Conduit) C:\PROGRA~1\SearchProtect\UI\bin\cltmngui.exe (Microsoft Corporation) C:\Windows\System32\mobsync.exe (Google) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe (Microsoft Corporation) C:\Windows\system32\sdclt.exe (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corp.) 
C:\Program Files\MSN\Toolbar\3.0.1203.0\msntask.exe (Google Inc.) C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe (Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe (Adobe Systems Incorporated) C:\Windows\system32\Macromed\Flash\FlashUtil32_11_8_800_94_ActiveX.exe (Yahoo! Inc.) C:\Program Files\Yahoo!\Companion\Installs\cpn11\ytbb.exe (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-20] (Microsoft Corporation) HKLM\...\Run: [hpsysdrv] - c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company) HKLM\...\Run: [NvCplDaemon] - C:\Windows\system32\NvCpl.dll [13539872 2008-05-22] (NVIDIA Corporation) HKLM\...\Run: [NvMediaCenter] - C:\Windows\system32\NvMcTray.dll [92704 2008-05-22] (NVIDIA Corporation) HKLM\...\Run: [DPService] - C:\Program Files\HP\DVDPlay\DPService.exe [90112 2008-06-11] (CyberLink Corp.) HKLM\...\Run: [HP Software Update] - C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2007-03-11] (Hewlett-Packard Co.) HKLM\...\Run: [hpqSRMon] - [x] HKLM\...\Run: [intuit SyncManager] - C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [623880 2008-09-09] (Intuit Inc. All rights reserved.) HKLM\...\Run: [Google Desktop Search] - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-06-19] (Google) HKLM\...\Run: [HP Health Check Scheduler] - c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-10-09] (Hewlett-Packard) HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.) 
HKLM\...\Run: [LifeCam] - C:\Program Files\Microsoft LifeCam\LifeExp.exe [135536 2010-12-13] (Microsoft Corporation) HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-10-11] (Apple Inc.) HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [421736 2011-12-08] (Apple Inc.) HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated) HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated) HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2013\avgui.exe [4411440 2013-07-01] (AVG Technologies CZ, s.r.o.) HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation) HKLM\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] - rundll32.exe "C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll",ProcessCleanupScript [1127496 2013-04-04] (Malwarebytes Corporation) HKCU\...\Run: [HPADVISOR] - [x] HKCU\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2009-02-15] (Google Inc.) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.) 
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Personal Coach.lnk ShortcutTarget: Personal Coach.lnk -> C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 15\MiniMavis.exe (TLC Education Properties LLC) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PictureMover.lnk ShortcutTarget: PictureMover.lnk -> C:\Program Files\PictureMover\Bin\PictureMover.exe (Hewlett-Packard Company) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk ShortcutTarget: QuickBooks Update Agent.lnk -> C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe (Intuit Inc.) Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk ShortcutTarget: WinZip Quick Pick.lnk -> C:\Program Files\WinZip\WZQKPICK32.EXE (WinZip Computing, S.L.) Startup: C:\Users\od\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyPC Backup.lnk ShortcutTarget: MyPC Backup.lnk -> C:\Program Files\MyPC Backup\MyPC Backup.exe (MyPCBackup.com) Startup: C:\Users\od\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk ShortcutTarget: OpenOffice.org 3.3.lnk -> C:\Program Files\OpenOffice.org 3\program\quickstart.exe () ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.king5.com/ HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=EIE9HP&PC=UP50 HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com SearchScopes: HKLM - DefaultScope {51EEC4A8-05B7-44A1-89F5-51ADBC3730C2} URL = SearchScopes: HKLM - {BB67E9B4-E19D-4753-A3FB-5C52509D3BF9} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-psdt SearchScopes: HKLM - {D20B6448-844F-44E8-96EB-AEDDA205B403} URL = 