Rasta_steve

Honorary Members
  • Posts: 28
  • Joined
  • Last visited

Reputation: 0 Neutral
  1. OK. Well I thank you very, very much for looking this over and for answering all my questions. I really do appreciate your service and the peace of mind that you've given me. Have a great day THE! Steve
  2. OK, great, thanks. So no worries about all the listed Application, System and Code Integrity errors? Also, one thing that I failed to mention up front was that I was getting a very strange behavior from my keyboard. Of course, I'm paranoid, so I wondered if I'd possibly been hijacked by a keyboard logger. In an attempt to fix this problem, and in advance of reaching out to you for help, I did the following:

     Ran AdwCleaner, which cleaned the following:

     ***** [ Files / Folders ] *****
     Folder Deleted : C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\dajedkncpodkggklbegccjpmnglmnflm
     Folder Deleted : C:\Users\Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\niloccemoadcdkdjlinkgdfekeahmflj
     File Deleted : C:\END

     ***** [ Registry ] *****
     Key Deleted : HKCU\Software\Conduit
     Key Deleted : [x64] HKLM\SOFTWARE\DivX\Install\Setup\WizardLayout\ConduitToolbar

     Ran ESET, which cleaned the following:

     sh=52F3182E4CD4058D14AFD9E40B14FED9D9B1494B ft=1 fh=aa14e09e22f2a50f vn="a variant of Win32/OpenCandy.C potentially unsafe application (deleted - quarantined)" ac=C fn="C:\Users\Steve\AppData\Local\Temp\utt3977.tmp"
     sh=205EA3A873C765FF2E0F78FB1834D6EB44C21BF3 ft=1 fh=a409751ddc77dac3 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (deleted - quarantined)" ac=C fn="D:\Downloads\ccsetup501.exe"
     sh=2A93C4E8DE1F8A733B86A8F5D543F32C903F5707 ft=1 fh=70f2756a9c6ef613 vn="Win32/Somoto.E potentially unwanted application (deleted - quarantined)" ac=C fn="D:\Downloads\DVDStyler-2.7-win32.exe"

     Then ran RogueKiller, which cleaned the following:

     ¤¤¤ Processes : 2 ¤¤¤
     [suspicious.Path] explorer.exe(4568) -- C:\Users\Steve\AppData\Roaming\Copy\overlay\CopyShExt.dll[-] -> Unloaded
     [suspicious.Path] explorer.exe(4568) -- C:\Users\Steve\AppData\Roaming\Copy\overlay\Brt.dll[7] -> Unloaded

     ¤¤¤ Registry : 13 ¤¤¤
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\1aCopyShExtError | (default) : {83BEA36E-7680-4598-A4DF-994426F6E78D} -> Deleted
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\2aCopyShExtSynced | (default) : {845B7388-6F85-4F32-9FD5-F02DC7882B89} -> Deleted
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\3aCopyShExtSyncing | (default) : {F6378A7A-F753-449B-AE1B-997A96132E61} -> Deleted
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\4aCopyShExtSyncingProg1 | (default) : {3A511828-777D-46F8-82F4-5B530C1B3D9E} -> Deleted
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\5aCopyShExtSyncingProg2 | (default) : {C8C88204-5B14-40EC-BA72-8AEBC762047E} -> Deleted
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\6aCopyShExtSyncingProg3 | (default) : {ACFF45C3-3EEB-4351-86C2-6696BA264239} -> Deleted
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\7aCopyShExtSyncingProg4 | (default) : {29AF997F-488B-46F0-AE78-7146F1B89CC3} -> Deleted
     [suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\8aCopyShExtSyncingProg5 | (default) : {03F9AD29-1C78-4B66-8890-B177B5430C53} -> Deleted
     [Hidden.From.SCM] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UnlockerDriver5 (\??\C:\Program Files\Unlocker\UnlockerDriver5.sys) -> Not selected
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
     [PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Replaced (0)
     [PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Replaced (0)

     Maybe that pretty much cured everything before I contacted you. Do you recognize anything above as being very bad, like a keylogger or anything? I'm now very nervous about all my passwords. Thanks so much for your opinions!
  3. That sounds great. But I have a few questions, if you don't mind answering. On the "Addition.txt" document, is there any concern with regard to all the Application, System and Code Integrity errors? On the "FRST.txt" doc, are these lines problematic?

     1) ==================== Registry (Whitelisted) ==================
        HKU\S-1-5-18\...\Run: [CtxfiReg] => CTXFIREG.exe /FAIL1

     2) Chrome:
        CHR HKU\S-1-5-21-3562024140-3034085581-2929970775-1001\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path

     Thanks.
  4. Thank you. Both scans come up clean with the MB products.
  5. TwinHeadedEagle! That's awesome. Here are the two files. Thank you very much for your assistance!

     Addition.txt
     FRST.txt
  6. Hello. I just arrived home early from work to discover my son on my PC playing games; he has his own laptop and shouldn't be using mine. Though the PC seems to work fine, I'm afraid that something is wrong. I had loaded a program, PeerBlock, a while ago to run whenever I left my PC on so I could stream PLEX videos when I was out of town. And I just noticed the PeerBlock app was going crazy blocking communications from my PC to several others in foreign countries. So now I'm very worried. Would anyone be so kind as to take a look to see if I have any reason to be concerned? Thank you very much for any help you can provide! Steve
  7. That is such good information! Kevin, I really can't thank you enough. I really need this PC to be in working order as I'm in job-search mode and don't have the luxury of time on my hands for trial-and-error (99% error). It may be a few weeks, but I'll at least show my appreciation with beer, or soda, or whatever money as soon as I'm able. You certainly deserve it. Bless you Kevin. Have a good sleep and a great day tomorrow!!!
  8. Sorry I didn't answer your question. You're right, I'm going to turn off that CPU-intensive process until I need it, which is likely never. ;-)
  9. Thanks Kevin. I've finished following your instructions and getting rid of all the tools. I also run Windows 8.1 Pro. I'll follow your advice and uninstall AVG while utilizing Windows 8 Firewall and Defender, along with WinPatrol. So if I use those tools, along with Malwarebytes, I shouldn't need Spybot, SpywareBlaster or SuperAntiSpyware, should I? Would be nice to pare down the apps and simplify a little!
  10. Your advice is fantastic and very much appreciated, Kevin! Thanks. OK, I'm proceeding with your last instructions...
  11. I've been monitoring my performance in Task Manager to see if everything looks alright. For the last 20 minutes (as long as I've paid attention) the service "LVPrcSrv.exe" is consistently averaging 25% CPU on my i5; it hasn't dropped below 20% yet. Seems very strange. I think this is Logitech-camera related. I have one of these. The process resides here: C:\Program Files\Common Files\logishrd\LVMVFM. Could this be malware?
  12. Wow, it's clean?!? Great! From the logs, is it possible to tell what the major culprit was or what program it may have tagged along with to get into my system? If not, no big deal; I just don't want to see a repeat performance! As far as reconnecting my other internal hard drive (the one I backed everything up to, then disconnected)... What's the best way to go about reconnecting that? I'd hate to reintroduce any malware. Most everything else is secure on my other drives, except for a little bit of data. I could possibly just reformat and wipe it clean. If I did reconnect, should I do so under Safe Mode, along with some sort of drive scan?
  13. OK, ESET finished. Here are those results:

      C:\ProgramData\Win7codecs\{33AA44E6-08F1-42B2-A511-B5C957214049}\Win7codecs.msi  a variant of Win32/Bundled.Toolbar.Ask application
      C:\Users\All Users\Win7codecs\{33AA44E6-08F1-42B2-A511-B5C957214049}\Win7codecs.msi  a variant of Win32/Bundled.Toolbar.Ask application
      D:\zBackups\Maxtor Backup\Max Bkup 8_7_2011\GZIP compression file\1501-1800\FILE1511.GZ  a variant of Android/Walien.F application
      D:\zBackups\Maxtor Backup\Max Bkup 8_7_2011\GZIP compression file\1501-1800\FILE1592.GZ  a variant of Android/Walien.F application
  14. Hey Kevin, a question while the ESET scanner is running: My PC protection software I've been running/using for years now consists of: AVG Antivirus, Spybot, Malwarebytes, SuperAntiSpyware and SpywareBlaster. Would you recommend I get rid of any of these? Overkill perhaps? And would you suggest others to run on a daily basis? Thanks for your opinion.