slub

Members
  • Posts: 18
  • Reputation: 0 Neutral
  1. Hi Charlie, thanks for checking in. I still have the original issue, but if you're out of aces, I guess we're done.
  2. > Look through all the tabs and see if you see any Command Processor or cmd
     I looked in the drivers tab and found CMD, but I'm not sure this is what you're talking about. I didn't want to delete the wrong thing.
  3. I ran Autoruns and didn't find any items, but I did find "catch me", which caught my eye. Seemed like an odd name and I thought I'd pass it along to you. BTW, what is all that stuff in Autoruns? Not all running, I hope. No CMD in msconfig.exe startup.
  4. Charlie, it's still there after reboot. With all the scans and cleanup tools we used, is my system free of malware now? If you know the answers to the questions I posed in my previous post, please share them with me. Stan
  5. Do I still need help? Yes. Although we cleaned up a bunch of other crap, I still have the original problem we started with.
     1. I asked this earlier, but I don't think you answered it directly. "In an effort to restore Firefox to its earlier appearance I re-installed the ClassicThemeRestorer addon. https://addons.mozil...cthemerestorer/ . Now I see it was removed on purpose. Does that mean I put crap back into the system?"
     2. In the last post you mentioned there are a lot of errors. Do I need to be concerned with any of them?
     3. "Restore points are created automatically every week." I poked my nose in System Restore and see there are no restore points before 8/22/14. Cool Timer was installed 8/21/14. Is crapware capable of erasing earlier restore points, or is this coincidence?
     4. Where do I go from here? Do I just live with it? Is this even a malware issue or is it something else? Is there anyone on the forum or elsewhere that might know more about this sysWOW64 thing?
     Thanks for all the help. I appreciate you hanging in there.
  6. Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-08-2014
     Ran by STAN at 2014-08-28 19:31:31 Run:2
     Running from C:\Users\STAN\Desktop\MALWARE
     Boot Mode: Normal
     ==============================================

     Content of fixlist:
     *****************
     SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
     SearchScopes: HKLM-x32 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
     C:\Users\STAN\Desktop\Cool Timer.lnk
     C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cool Timer
     C:\Program Files (x86)\Cool Timer
     *****************

     HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
     HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
     "C:\Users\STAN\Desktop\Cool Timer.lnk" => File/Directory not found.
     "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cool Timer" => File/Directory not found.
     "C:\Program Files (x86)\Cool Timer" => File/Directory not found.

     ==== End of Fixlog ====

     MiniToolBox by Farbar Version: 21-07-2014
     Ran by STAN (administrator) on 28-08-2014 at 19:33:20
     Running from "C:\Users\STAN\Desktop\MALWARE"
     Microsoft Windows 7 Professional Service Pack 1 (X64)
     Boot Mode: Normal
     ***************************************************************************

     ========================= Flush DNS: ===================================
     Windows IP Configuration
     Successfully flushed the DNS Resolver Cache.

     ========================= IE Proxy Settings: ==============================
     Proxy is not enabled.
     No Proxy Server is set.
     "Reset IE Proxy Settings": IE Proxy Settings were reset.

     ========================= FF Proxy Settings: ==============================
     "Reset FF Proxy Settings": Firefox Proxy settings were reset.
     ========================= Hosts content: =================================
     127.0.0.1 localhost

     ========================= IP Configuration: ================================
     Qualcomm Atheros AR9485 802.11b/g/n WiFi Adapter = Wireless Network Connection (Connected)
     Realtek PCIe GBE Family Controller = Local Area Connection (Media disconnected)
     Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)

     # ----------------------------------
     # IPv4 Configuration
     # ----------------------------------
     pushd interface ipv4
     reset
     set global icmpredirects=enabled
     popd
     # End of IPv4 configuration

     Windows IP Configuration
        Host Name . . . . . . . . . . . . : STAN-HP
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

     Wireless LAN adapter Wireless Network Connection 2:
        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
        Physical Address. . . . . . . . . : 26-DB-30-58-D7-D8
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes

     Wireless LAN adapter Wireless Network Connection:
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Qualcomm Atheros AR9485 802.11b/g/n WiFi Adapter
        Physical Address. . . . . . . . . : A4-DB-30-58-D7-D8
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Link-local IPv6 Address . . . . . : fe80::3141:34a7:2389:de93%14(Preferred)
        IPv4 Address. . . . . . . . . . . : 192.168.1.108(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Lease Obtained. . . . . . . . . . : Thursday, August 28, 2014 4:58:55 PM
        Lease Expires . . . . . . . . . . : Friday, August 29, 2014 4:58:55 PM
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DHCPv6 IAID . . . . . . . . . . . : 379902768
        DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EB-63-93-9C-B6-54-1C-CF-4C
        DNS Servers . . . . . . . . . . . : 192.168.2.1
        NetBIOS over Tcpip. . . . . . . . : Enabled

     Ethernet adapter Local Area Connection:
        Media State . . . . . . . . . . . : Media disconnected
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
        Physical Address. . . . . . . . . : 9C-B6-54-1C-CF-4C
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes

     Server:  UnKnown
     Address:  192.168.2.1

     Name:    google.com
     Addresses:  2607:f8b0:4004:802::1007
               74.125.228.70
               74.125.228.69
               74.125.228.78
               74.125.228.67
               74.125.228.73
               74.125.228.64
               74.125.228.71
               74.125.228.68
               74.125.228.72
               74.125.228.66
               74.125.228.65

     Pinging google.com [74.125.228.71] with 32 bytes of data:
     Reply from 74.125.228.71: bytes=32 time=71ms TTL=55
     Reply from 74.125.228.71: bytes=32 time=72ms TTL=55

     Ping statistics for 74.125.228.71:
         Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
     Approximate round trip times in milli-seconds:
         Minimum = 71ms, Maximum = 72ms, Average = 71ms

     Server:  UnKnown
     Address:  192.168.2.1

     Name:    yahoo.com
     Addresses:  98.138.253.109
               206.190.36.45
               98.139.183.24

     Pinging yahoo.com [206.190.36.45] with 32 bytes of data:
     Reply from 206.190.36.45: bytes=32 time=124ms TTL=50
     Reply from 206.190.36.45: bytes=32 time=123ms TTL=50

     Ping statistics for 206.190.36.45:
         Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
     Approximate round trip times in milli-seconds:
         Minimum = 123ms, Maximum = 124ms, Average = 123ms

     Pinging 127.0.0.1 with 32 bytes of data:
     Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
     Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

     Ping statistics for 127.0.0.1:
         Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
     Approximate round trip times in milli-seconds:
         Minimum = 0ms, Maximum = 0ms, Average = 0ms

     ===========================================================================
     Interface List
      15...26 db 30 58 d7 d8 ......Microsoft Virtual WiFi Miniport Adapter
      14...a4 db 30 58 d7 d8 ......Qualcomm Atheros AR9485 802.11b/g/n WiFi Adapter
      11...9c b6 54 1c cf 4c ......Realtek PCIe GBE Family Controller
       1...........................Software Loopback Interface 1
     ===========================================================================

     IPv4 Route Table
     ===========================================================================
     Active Routes:
     Network Destination        Netmask          Gateway       Interface  Metric
               0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.108     25
             127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
             127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
       127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
           192.168.1.0    255.255.255.0         On-link     192.168.1.108    281
         192.168.1.108  255.255.255.255         On-link     192.168.1.108    281
         192.168.1.255  255.255.255.255         On-link     192.168.1.108    281
             224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
             224.0.0.0        240.0.0.0         On-link     192.168.1.108    281
       255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       255.255.255.255  255.255.255.255         On-link     192.168.1.108    281
     ===========================================================================
     Persistent Routes:
       None

     IPv6 Route Table
     ===========================================================================
     Active Routes:
      If Metric Network Destination      Gateway
       1    306 ::1/128                  On-link
      14    281 fe80::/64                On-link
      14    281 fe80::3141:34a7:2389:de93/128
                                         On-link
       1    306 ff00::/8                 On-link
      14    281 ff00::/8                 On-link
     ===========================================================================
     Persistent Routes:
       None

     ========================= Winsock entries =====================================
     Catalog5 01 C:\windows\SysWOW64\NLAapi.dll [52224] (Microsoft Corporation)
     Catalog5 02 C:\windows\SysWOW64\napinsp.dll [52224] (Microsoft Corporation)
     Catalog5 03 C:\windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
     Catalog5 04 C:\windows\SysWOW64\pnrpnsp.dll [65024] (Microsoft Corporation)
     Catalog5 05 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     Catalog5 06 C:\windows\SysWOW64\winrnr.dll [20992] (Microsoft Corporation)
     Catalog5 07 C:\windows\SysWOW64\wshbth.dll [36352] (Microsoft Corporation)
     Catalog5 08 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
     Catalog9 01 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     Catalog9 02 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     Catalog9 03 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     Catalog9 04 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     Catalog9 05 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     Catalog9 06 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     Catalog9 07 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     Catalog9 08 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     Catalog9 09 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     Catalog9 10 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     Catalog9 11 C:\windows\SysWOW64\mswsock.dll [231424] (Microsoft Corporation)
     x64-Catalog5 01 C:\Windows\System32\NLAapi.dll [70656] (Microsoft Corporation)
     x64-Catalog5 02 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
     x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
     x64-Catalog5 04 C:\Windows\System32\pnrpnsp.dll [86016] (Microsoft Corporation)
     x64-Catalog5 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
     x64-Catalog5 06 C:\Windows\System32\winrnr.dll [28672] (Microsoft Corporation)
     x64-Catalog5 07 C:\Windows\System32\wshbth.dll [47104] (Microsoft Corporation)
     x64-Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
     x64-Catalog9 01 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
     x64-Catalog9 02 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
     x64-Catalog9 03 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
     x64-Catalog9 04 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
     x64-Catalog9 05 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
     x64-Catalog9 06 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
     x64-Catalog9 07 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
     x64-Catalog9 08 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
     x64-Catalog9 09 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
     x64-Catalog9 10 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)
     x64-Catalog9 11 C:\Windows\System32\mswsock.dll [327168] (Microsoft Corporation)

     ========================= Event log errors: ===============================

     Application errors:
     ==================
     Error: (08/28/2014 07:31:32 PM) (Source: Application Error) (User: )
     Description: Faulting application name: plugin-container.exe, version: 31.0.0.5310, time stamp: 0x53c75e91
     Faulting module name: mozalloc.dll, version: 31.0.0.5310, time stamp: 0x53c72e91
     Exception code: 0x80000003
     Fault offset: 0x0000141b
     Faulting process id: 0x4f8
     Faulting application start time: 0xplugin-container.exe0
     Faulting application path: plugin-container.exe1
     Faulting module path: plugin-container.exe2
     Report Id: plugin-container.exe3

     Error: (08/28/2014 05:12:57 PM) (Source: Application Error) (User: )
     Description: Faulting application name: thunderbird.exe, version: 24.6.0.5274, time stamp: 0x5396c4a8
     Faulting module name: xul.dll, version: 24.6.0.5274, time stamp: 0x5396c38c
     Exception code: 0xc0000005
     Fault offset: 0x00a4970d
     Faulting process id: 0x14f4
     Faulting application start time: 0xthunderbird.exe0
     Faulting application path: thunderbird.exe1
     Faulting module path: thunderbird.exe2
     Report Id: thunderbird.exe3

     Error: (08/28/2014 04:59:01 PM) (Source: WinMgmt) (User: )
     Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

     Error: (08/28/2014 04:14:33 PM) (Source: Bonjour Service) (User: )
     Description: Task Scheduling Error: m->NextScheduledSPRetry 740115

     Error: (08/28/2014 04:14:33 PM) (Source: Bonjour Service) (User: )
     Description: Task Scheduling Error: m->NextScheduledEvent 740115

     Error: (08/28/2014 04:14:33 PM) (Source: Bonjour Service) (User: )
     Description: Task Scheduling Error: Continuously busy for more than a second

     Error: (08/28/2014 04:02:17 PM) (Source: Bonjour Service) (User: )
     Description: Task Scheduling Error: m->NextScheduledSPRetry 4165

     Error: (08/28/2014 04:02:17 PM) (Source: Bonjour Service) (User: )
     Description: Task Scheduling Error: m->NextScheduledEvent 4165

     Error: (08/28/2014 04:02:17 PM) (Source: Bonjour Service) (User: )
     Description: Task Scheduling Error: Continuously busy for more than a second

     Error: (08/28/2014 04:02:16 PM) (Source: Bonjour Service) (User: )
     Description: Task Scheduling Error: m->NextScheduledSPRetry 3151

     System errors:
     =============
     Error: (08/28/2014 04:58:59 PM) (Source: Service Control Manager) (User: )
     Description: The SessionLauncher service failed to start due to the following error: %%2

     Error: (08/28/2014 04:58:48 PM) (Source: Service Control Manager) (User: )
     Description: The Offline Files service terminated with the following error: %%3

     Error: (08/28/2014 04:43:52 PM) (Source: DCOM) (User: )
     Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

     Error: (08/28/2014 03:00:41 PM) (Source: Service Control Manager) (User: )
     Description: The SessionLauncher service failed to start due to the following error: %%2

     Error: (08/28/2014 03:00:31 PM) (Source: Service Control Manager) (User: )
     Description: The Offline Files service terminated with the following error: %%3

     Error: (08/28/2014 02:19:00 PM) (Source: DCOM) (User: )
     Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

     Error: (08/28/2014 10:08:52 AM) (Source: Service Control Manager) (User: )
     Description: The SessionLauncher service failed to start due to the following error: %%2

     Error: (08/28/2014 10:08:40 AM) (Source: Service Control Manager) (User: )
     Description: The Offline Files service terminated with the following error: %%3

     Error: (08/28/2014 00:05:02 AM) (Source: DCOM) (User: )
     Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

     Error: (08/27/2014 11:45:00 PM) (Source: Service Control Manager) (User: )
     Description: The SessionLauncher service failed to start due to the following error: %%2

     Microsoft Office Sessions:
     =========================
     Error: (08/28/2014 07:31:32 PM) (Source: Application Error)(User: )
     Description: plugin-container.exe31.0.0.531053c75e91mozalloc.dll31.0.0.531053c72e91800000030000141b4f801cfc304a6a353daC:\PROGRAM FILES (X86)\MOZILLA FIREFOX\plugin-container.exeC:\PROGRAM FILES (X86)\MOZILLA FIREFOX\mozalloc.dll70d147ff-2f0b-11e4-a19c-9cb6541ccf4c

     Error: (08/28/2014 05:12:57 PM) (Source: Application Error)(User: )
     Description: thunderbird.exe24.6.0.52745396c4a8xul.dll24.6.0.52745396c38cc000000500a4970d14f401cfc304d5f1652cC:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exeC:\Program Files (x86)\Mozilla Thunderbird\xul.dll14d2dabb-2ef8-11e4-a19c-9cb6541ccf4c

     Error: (08/28/2014 04:59:01 PM) (Source: WinMgmt)(User: )
     Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

     Error: (08/28/2014 04:14:33 PM) (Source: Bonjour Service)(User: )
     Description: Task Scheduling Error: m->NextScheduledSPRetry 740115

     Error: (08/28/2014 04:14:33 PM) (Source: Bonjour Service)(User: )
     Description: Task Scheduling Error: m->NextScheduledEvent 740115

     Error: (08/28/2014 04:14:33 PM) (Source: Bonjour Service)(User: )
     Description: Task Scheduling Error: Continuously busy for more than a second

     Error: (08/28/2014 04:02:17 PM) (Source: Bonjour Service)(User: )
     Description: Task Scheduling Error: m->NextScheduledSPRetry 4165

     Error: (08/28/2014 04:02:17 PM) (Source: Bonjour Service)(User: )
     Description: Task Scheduling Error: m->NextScheduledEvent 4165

     Error: (08/28/2014 04:02:17 PM) (Source: Bonjour Service)(User: )
     Description: Task Scheduling Error: Continuously busy for more than a second

     Error: (08/28/2014 04:02:16 PM) (Source: Bonjour Service)(User: )
     Description: Task Scheduling Error: m->NextScheduledSPRetry 3151

     CodeIntegrity Errors:
     ===================================
     Date: 2014-08-26 13:32:57.068
     Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

     Date: 2014-08-26 13:32:57.021
     Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
     =========================== Installed Programs ============================
     Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
     Adobe Flash Player 14 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 14.0.0.179 - Adobe Systems Incorporated)
     Aiseesoft DVD Creator 5.1.58 (HKLM-x32\...\{094BCE17-69CE-45ce-A131-F674CE996B3F}_is1) (Version: 5.1.58 - Aiseesoft Studio)
     Aiseesoft HD Video Converter 6.3.68 (HKLM-x32\...\{3039577D-975E-42fc-89FC-2F1FF42F3FCA}_is1) (Version: 6.3.68 - Aiseesoft Studio)
     Aiseesoft iPhone Transfer 7.0.30 (HKLM-x32\...\{ED0F3D85-995D-4605-88C5-226644C25DF1}_is1) (Version: 7.0.30 - Aiseesoft Studio)
     AllMyNotes Organizer (HKLM-x32\...\AllMyNotes Organizer) (Version: 2.80 - Vladonai Software)
     AMD Accelerated Video Transcoding (Version: 2.00.0002 - Advanced Micro Devices, Inc.) Hidden
     AMD APP SDK Runtime (Version: 10.0.898.1 - Advanced Micro Devices Inc.) Hidden
     AMD Catalyst Install Manager (HKLM\...\{8642397F-CF08-6B30-A477-A039BBAA511E}) (Version: 3.0.868.0 - Advanced Micro Devices, Inc.)
     AMD Media Foundation Decoders (Version: 1.0.70329.2315 - Advanced Micro Devices, Inc.) Hidden
     Aoao Video to GIF Converter (HKCU\...\AoaoVideotoGIF) (Version:  - AoaoPhoto Digital Studio. All Rights Reserved.)
     AOMEI Backupper Professional Edition 2.0 (HKLM-x32\...\{A83692F5-3E9B-4E95-9E7E-B5DF55E6C09D}_is1) (Version:  - AOMEI Technology Co., Ltd.)
     Atmosphere Deluxe v7.1 (HKLM-x32\...\Atmosphere Deluxe_is1) (Version:  - Vectormedia Software)
     Audacity 2.0.5 (HKLM-x32\...\Audacity_is1) (Version: 2.0.5 - Audacity Team)
     Avidemux 2.6 - 64bits (HKLM-x32\...\Avidemux 2.6 - 64bits (64-bit)) (Version: 2.6.8.9046 - )
     BackUp Maker (HKLM-x32\...\BackUp Maker_is1) (Version: 6.5.0.7 - ASCOMP Software GmbH)
     Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
     CamStudio 2.7.2 (HKLM\...\{04B83666-3A62-452B-85D3-70F8117F2329}_is1) (Version: 2.7.2 - CamStudio Open Source)
     Catalyst Control Center - Branding (x32 Version: 1.00.0000 - Advanced Micro Devices, Inc.) Hidden
     Catalyst Control Center (x32 Version: 2012.0329.2312.39738 - Advanced Micro Devices, Inc.) Hidden
     Catalyst Control Center Graphics Previews Common (x32 Version: 2012.0329.2312.39738 - Advanced Micro Devices, Inc.) Hidden
     Catalyst Control Center InstallProxy (x32 Version: 2012.0329.2312.39738 - Advanced Micro Devices, Inc.) Hidden
     Catalyst Control Center Localization All (x32 Version: 2012.0329.2312.39738 - Advanced Micro Devices, Inc.) Hidden
     Catalyst Control Center Profiles Mobile (x32 Version: 2012.0329.2312.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Chinese Standard (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Chinese Traditional (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Czech (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Danish (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Dutch (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help English (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Finnish (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help French (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help German (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Greek (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Hungarian (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Italian (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Japanese (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Korean (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Norwegian (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Polish (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Portuguese (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Russian (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Spanish (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Swedish (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Thai (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     CCC Help Turkish (x32 Version: 2012.0329.2311.39738 - Advanced Micro Devices, Inc.) Hidden
     ccc-utility64 (Version: 2012.0329.2312.39738 - Advanced Micro Devices, Inc.) Hidden
     CCleaner (HKLM\...\CCleaner) (Version: 4.15 - Piriform)
     Cisco EAP-FAST Module (HKLM-x32\...\{64BF0187-F3D2-498B-99EA-163AF9AE6EC9}) (Version: 2.2.14 - Cisco Systems, Inc.)
     Cisco LEAP Module (HKLM-x32\...\{51C7AD07-C3F6-4635-8E8A-231306D810FE}) (Version: 1.0.19 - Cisco Systems, Inc.)
     Cisco PEAP Module (HKLM-x32\...\{ED5776D5-59B4-46B7-AF81-5F2D94D7C640}) (Version: 1.1.6 - Cisco Systems, Inc.)
     Citrix Online Launcher (HKLM-x32\...\{3E7E6F1E-7376-475A-8BC9-E3126B20CF5F}) (Version: 1.0.198 - Citrix)
     CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.1.2106 - CyberLink Corp.)
     CyberLink Media Suite 10 (x32 Version: 10.0.1.2106 - CyberLink Corp.) Hidden
     CyberLink PhotoDirector (HKLM-x32\...\InstallShield_{4862344A-A39C-4897-ACD4-A1BED5163C5A}) (Version: 2.0.1.3317 - CyberLink Corp.)
     CyberLink PhotoDirector (x32 Version: 2.0.1.3317 - CyberLink Corp.) Hidden
     CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.2.2321 - CyberLink Corp.)
     CyberLink Power2Go 8 (x32 Version: 8.0.2.2321 - CyberLink Corp.) Hidden
     CyberLink PowerDirector 10 (HKLM-x32\...\InstallShield_{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}) (Version: 10.0.2.2531 - CyberLink Corp.)
     CyberLink PowerDirector 10 (x32 Version: 10.0.2.2531 - CyberLink Corp.) Hidden
     CyberLink PowerDVD (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.6.5101 - CyberLink Corp.)
     CyberLink PowerDVD (x32 Version: 10.0.6.5101 - CyberLink Corp.) Hidden
     CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 4.1.1.3423 - CyberLink Corp.)
     CyberLink YouCam (x32 Version: 4.1.1.3423 - CyberLink Corp.) Hidden
     Device Access Manager for HP ProtectTools (HKLM\...\{55B52830-024A-443E-AF61-61E1E71AFA1B}) (Version: 7.1.2.0 - Hewlett-Packard Company)
     DirectXInstallService (x32 Version: 9.0.0 - Roxio) Hidden
     Drive Encryption For HP ProtectTools (HKLM\...\{27F1E086-5691-4EB8-8BA1-5CBA87D67EB5}) (Version: 7.0.28.30376 - Hewlett-Packard Company)
     EMCGadgets64 (HKLM\...\{02AD9D20-03D2-4DE0-8793-E8253026AD86}) (Version: 1.0.020 - Sonic)
     Energy Star Digital Logo (HKLM-x32\...\{BD1A34C9-4764-4F79-AE1F-112F8C89D3D4}) (Version: 1.0.1 - Hewlett-Packard)
     Evernote v. 4.5.4 (HKLM-x32\...\{550BFF6E-7376-11E1-99EA-984BE15F174E}) (Version: 4.5.4.6487 - Evernote Corp.)
     Face Recognition for HP ProtectTools (HKLM\...\Face Recognition for HP ProtectTools) (Version: 7.2.2.4549 - Hewlett-Packard Company)
     Face Recognition for HP ProtectTools (Version: 7.2.2.4549 - Hewlett-Packard Company) Hidden
     FairStars CD Ripper 1.60 (HKLM-x32\...\FairStars CD Ripper_is1) (Version:  - FairStars Soft)
     File Sanitizer For HP ProtectTools (HKLM-x32\...\{6D6ADF03-B257-4EA5-BBC1-1D145AF8D514}) (Version: 7.0.0.5 - Hewlett-Packard Company)
     FotoSketcher 2.85 (HKLM-x32\...\{E7C6D565-2E48-4303-A114-AFE7B2E561AF}_is1) (Version:  - David THOIRON)
     Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 6.2.2.802 - Foxit Corporation)
     Freemake Video Converter version 4.1.4 (HKLM-x32\...\Freemake Video Converter_is1) (Version: 4.1.4 - Ellora Assets Corporation)
     FreeMind (HKLM-x32\...\B991B020-2968-11D8-AF23-444553540000_is1) (Version: 1.0.1 - )
     Gadwin PrintScreen (HKLM-x32\...\Gadwin PrintScreen) (Version: 4.7 - Gadwin Systems, Inc.)
     Google Chrome (HKLM-x32\...\Google Chrome) (Version: 36.0.1985.143 - Google Inc.)
     Google Earth (HKLM-x32\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
     Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden
     GoToMeeting 6.4.0.1605 (HKCU\...\GoToMeeting) (Version: 6.4.0.1605 - CitrixOnline)
     Hewlett-Packard ACLM.NET v1.1.2.0 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
     HP 3D DriveGuard (HKLM\...\{5B4F3B85-83F0-4BBF-9052-7A38B6B09634}) (Version: 5.0.8.0 - Hewlett-Packard Company)
     HP Auto (Version: 1.0.12935.3667 - Hewlett-Packard Company) Hidden
     HP Connection Manager (HKLM-x32\...\{F5AEB2E2-F856-448F-8C32-46CA5C6149FE}) (Version: 4.5.27.1 - Hewlett-Packard Company)
     HP Customer Experience Enhancements (x32 Version: 6.0.1.8 - Hewlett-Packard) Hidden
     HP Documentation (HKLM-x32\...\{A351CC1B-C92C-4F37-8109-9F6D33ACF5EF}) (Version: 1.1.1.0 - Hewlett-Packard)
     HP ESU for Microsoft Windows 7 (HKLM-x32\...\{6357258D-2BF9-49E7-A9EF-0C609D52C46D}) (Version: 2.0.6.1 - Hewlett-Packard Company)
     HP HD Webcam Driver (HKLM-x32\...\{399C37FB-08AF-493B-BFED-20FBD85EDF7F}) (Version: 6.0.1113.1_WHQL - Sonix)
     HP Hotkey Support (HKLM-x32\...\{C97CC14E-4789-4FC5-BC75-79191F7CE009}) (Version: 4.6.11.2 - Hewlett-Packard Company)
     HP Postscript Converter (Version: 4.0.4100 - Hewlett-Packard) Hidden
     HP Power Assistant (HKLM\...\{84642787-58C0-44AE-8B26-E2F544E380A1}) (Version: 2.5.0.16 - Hewlett-Packard Company)
     HP ProtectTools Security Manager (HKLM\...\HPProtectTools) (Version: 7.0.0.1177 - Hewlett-Packard Company)
     HP ProtectTools Security Manager (Version: 7.0.0.1177 - Hewlett-Packard Company) Hidden
     HP Setup (HKLM-x32\...\{438363A8-F486-4C37-834C-4955773CB3D3}) (Version: 9.1.15453.4066 - Hewlett-Packard Company)
     HP SoftPaq Download Manager (HKLM-x32\...\{223AE3E8-4445-410F-8EDA-13EC137E3BDB}) (Version: 3.4.3.0 - Hewlett-Packard Company)
     HP Software Framework (HKLM-x32\...\{962CB079-85E6-405F-8704-1C62365AE46F}) (Version: 4.5.10.1 - Hewlett-Packard Company)
     HP Software Setup (HKLM-x32\...\{658A8756-7B1E-44FD-A434-D777DD906232}) (Version: 8.5.2.1 - Hewlett-Packard Company)
     HP Support Assistant (HKLM-x32\...\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}) (Version: 6.1.12.1 - Hewlett-Packard Company)
     HP System Default Settings (HKLM-x32\...\{C4E9E8A4-EEC4-4F9E-B140-520A8B75F430}) (Version: 2.4.1.2 - Hewlett-Packard Company)
     HP Wallpaper (HKLM-x32\...\{11C9A461-DD9D-4C71-85A4-6DCE7F99CC44}) (Version: 3.0.0.1 - Hewlett-Packard Company)
     IDT Audio (HKLM-x32\...\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}) (Version: 1.0.6392.0 - IDT)
     Intel® Display Audio Driver (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 6.14.00.3090 - Intel Corporation)
     Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.10.1464 - Intel Corporation)
     Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.1.0.1006 - Intel Corporation)
     Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 1.0.4.225 - Intel Corporation)
     Intel® Trusted Connect Service Client (Version: 1.23.943.1 - Intel Corporation) Hidden
     Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
     Java Auto Updater (x32 Version: 2.1.67.1 - Oracle, Inc.) Hidden
     Jihosoft Mobile Recovery for iOS version 5.1.1.2 (HKLM-x32\...\{B7A5CDA9-8B68-43DA-AB17-8309E5246C55}_is1) (Version: 5.1.1.2 - Jihosoft Studio)
     Jing (HKLM-x32\...\{22800204-9E53-45C7-B6F3-5BB0F1C1A147}) (Version: 2.8.13007.1 - TechSmith Corporation)
     JMicron Flash Media Controller Driver (HKLM-x32\...\{26604C7E-A313-4D12-867F-7C6E7820BE4C}) (Version: 1.0.76.1 - JMicron Technology Corp.)
     KeyScrambler (HKLM-x32\...\KeyScrambler) (Version: 3.4.0.8 - QFX Software Corporation)
     LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
     LAV Filters 0.55.3 (HKLM-x32\...\lavfilters_is1) (Version: 0.55.3 - Hendrik Leppkes)
     LeaderTask 8.2.2.1 (HKLM-x32\...\LeaderTask_is1) (Version:  - Organizer LeaderTask LLC)
     Listary version 4.20 (HKLM\...\Listary_is1) (Version: 4.20 - )
     Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
     Microsoft .NET Framework 1.1 (HKLM-x32\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
     Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
     Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
     Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
     Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden
     Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4420.1017 - Microsoft Corporation)
     Microsoft Security Client (Version: 4.5.0216.0 - Microsoft Corporation) Hidden
     Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.5.216.0 - Microsoft Corporation)
     Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
     Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
     Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
     Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
     Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
     Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
     Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
     Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
     Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
     Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
     MozBackup 1.5.1 (HKLM-x32\...\MozBackup) (Version:  - Pavel Cvrcek)
     Mozilla Firefox 31.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 31.0 (x86 en-US)) (Version: 31.0 - Mozilla)
     Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
     Mozilla Thunderbird 24.6.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 24.6.0 (x86 en-US)) (Version: 24.6.0 - Mozilla)
     MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
     MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
     Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.5.3 - Notepad++ Team)
     opensource (x32 Version: 1.0.14960.3876 - Your Company Name) Hidden
     Oxynger KeyShield 1.1.0 (HKLM-x32\...\{100C4513-F98A-47E0-AEA0-A67B636D8F7A}_is1) (Version: 1.1.0 - Oxynger Technologies)
     PDF Complete Corporate Edition (HKLM-x32\...\PDF Complete) (Version: 4.0.93 - PDF Complete, Inc)
     Photo to Sketch Converter 1.4 (HKLM-x32\...\Photo to Sketch Converter_is1) (Version: 1.4 - SoftOrbits)
     Privacy Manager for HP ProtectTools (HKLM\...\{CA2F6FAD-D8CD-42C1-B04D-6E5B1B1CFDCC}) (Version: 7.0.0.865 - Hewlett-Packard Company)
     Process Lasso (HKLM-x32\...\ProcessLasso) (Version: 6.7.0.52 - Bitsum)
     PX Profile Update (x32 Version: 1.00.1. - AMD) Hidden
     Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.206 - Qualcomm Atheros Communications)
     Qualcomm Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 10.0 - Qualcomm Atheros)
     QuotePad 2.2 (HKLM-x32\...\QuotePad_is1) (Version: 2.2 - QuotePad.info)
     Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 7.50.1123.2011 - Realtek)
     Recuva (HKLM\...\Recuva) (Version: 1.51 - Piriform)
     Rosetta Stone Ltd Services (HKLM-x32\...\{3165E4A6-D5DE-46B0-8597-D55E2B826B84}) (Version: 3.2.21 - Rosetta Stone Ltd.)
Rosetta Stone TOTALe (HKLM-x32\...\{6B6BC189-D606-4BC7-9758-E6C364F76A55}) (Version: 4.5.5.0 - Rosetta Stone, Ltd) Roxio Activation Module (x32 Version: 1.0 - Roxio) Hidden Roxio CinePlayer Decoder Pack (HKLM-x32\...\{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}) (Version: 4.3.0 - Roxio) Roxio File Backup (HKLM-x32\...\{60B2315F-680F-4EB3-B8DD-CCDC86A7CCAB}) (Version: 1.1.0 - Roxio) Screencast-O-Matic (HKCU\...\Screencast-O-Matic) (Version: - Screencast-O-Matic) Screenpresso (HKLM\...\{2c2a35a0-05e9-4f9f-bcca-5a1c2a5efb00}) (Version: 1.5.1 - Learnpulse) SDK (x32 Version: 2.30.042 - Portrait Displays, Inc.) Hidden Serif MoviePlus X5 (HKLM-x32\...\{93C40A12-0098-46B1-972E-E8083686A7A0}) (Version: 7.0.2.018 - Serif (Europe) Ltd) Serif PagePlus X2 (HKLM-x32\...\{B00B1355-DD54-4314-90B1-161C6A7D3FD3}) (Version: 12.0.3.017 - Serif (Europe) Ltd) Serif PagePlus X2 Resources (HKLM-x32\...\{A84FB24E-FEB4-4C93-A5F5-DE3B40B2B73D}) (Version: 12.0.0.006 - Serif (Europe) Ltd) Serif PhotoPlus 11 (HKLM-x32\...\{FAFC9FF9-56BE-414D-B637-537E7D06E7B9}) (Version: 11.1.1.019 - Serif (Europe) Ltd) Serif WebPlus 10 (HKLM-x32\...\{8C0DF485-DB3E-453C-BFB3-4C47E636ECF9}) (Version: 10.1.1.036 - Serif (Europe) Ltd) Skype™ 6.13 (HKLM-x32\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.13.104 - Skype Technologies S.A.) 
Speed Typing (HKCU\...\Speed Typing) (Version: - ) Sticki (HKLM-x32\...\ZhornStickies) (Version: - Zhorn S) Subliminal Messages (HKLM-x32\...\{5583D2D0-C960-441C-ACA7-3A0E06C471EC}) (Version: 1.0.2.0 - Mind of Winner) Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 16.0.3.0 - Synaptics Incorporated) Theft Recovery for HP ProtectTools (HKLM-x32\...\InstallShield_{10F5A72A-1E07-4FAE-A7E7-14B10CC66B17}) (Version: 7.0.0.10 - Hewlett-Packard Company) Theft Recovery for HP ProtectTools (x32 Version: 7.0.0.10 - Hewlett-Packard Company) Hidden Validity Fingerprint Sensor Driver (HKLM\...\{93581599-ECF1-4DCD-BE36-BD969A6C8DB5}) (Version: 4.4.213.0 - Validity Sensors, Inc.) Video to Video (HKLM-x32\...\{7F95A744-78DA-4AED-A8F0-A0AF330B8411}_is1) (Version: - Media Converters) VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN) WinPatrol (HKLM\...\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2}) (Version: 32.0.2014.5 - Ruiware) WinZip 15.0 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240CF}) (Version: 15.0.10039 - WinZip Computing, S.L. ) WonderFox DVD Video Converter (HKCU\...\WonderFoxDVDVideoConverter) (Version: - WonderFox Soft, Inc. All Rights Reserved.) WPS Office (9.1.0.4746) (HKCU\...\WPS Office) (Version: 9.1.0.4746 - Kingsoft Corp.) XMind 2013 (v3.4.1) (HKLM-x32\...\XMind_is1) (Version: 3.4.1.201401221918 - XMind Ltd.) xplorer² professional 64 bit (HKLM\...\xplorer2p64) (Version: 2.5.0.0 - Zabkat) ========================= Devices: ================================ Name: Qualcomm Atheros AR3012 Bluetooth 4.0 + HS Adapter Description: Qualcomm Atheros AR3012 Bluetooth 4.0 + HS Adapter Class Guid: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974} Manufacturer: Qualcomm Atheros Communications Service: BTHUSB Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. 
Name: Teredo Tunneling Pseudo-Interface Description: Microsoft Teredo Tunneling Adapter Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} Manufacturer: Microsoft Service: tunnel Problem: : This device cannot start. (Code10) Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device. On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard. ========================= Memory info: =================================== Percentage of memory in use: 32% Total physical RAM: 8071.49 MB Available physical RAM: 5443.37 MB Total Pagefile: 16141.16 MB Available Pagefile: 13106.58 MB Total Virtual: 4095.88 MB Available Virtual: 3976.62 MB ========================= Partitions: ===================================== 1 Drive c: () (Fixed) (Total:444.03 GB) (Free:315.71 GB) NTFS 2 Drive e: (HP_TOOLS) (Fixed) (Total:1.99 GB) (Free:1.97 GB) FAT32 3 Drive f: (Nuevo) (CDROM) (Total:0.23 GB) (Free:0 GB) CDFS 4 Drive g: (HP_RECOVERY) (Fixed) (Total:19.44 GB) (Free:2.97 GB) NTFS ========================= Users: ======================================== User accounts for \\STAN-HP Administrator ASPNET Guest STAN ========================= Minidump Files ================================== No minidump file found ========================= Restore Points ================================== 17-08-2014 19:01:23 Windows Update 19-08-2014 13:31:42 Windows Update 22-08-2014 21:16:31 Windows Update 25-08-2014 22:34:04 Malwarebyte 27-08-2014 02:24:21 Windows Update **** End of log ****
  7. See attached Addition.txt and FRST.txt.
  8. The issue with the download is I downloaded it weeks ago, and yesterday SOMETHING initiated the download and it wasn't me.

In an effort to restore Firefox to its earlier appearance I re-installed the ClassicThemeRestorer addon. https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/ Now I see it was removed on purpose. Does that mean I put crap back into the system?

> What does this mean?

See attached - this is what prompted this whole witch hunt - and it's still there and won't go away.
  9. Well.... Default browser was changed. Firefox caught that. But Firefox changed its overall look. And my FF tabs add-on disappeared.

Win.logon.userint wants to install as a startup program in the Windows/System 32 folder. Is this expected?

And while trying to figure out what happened to my FF tabs I clumsily clicked on downloads and see two failed downloads that I never initiated - see attached. Where did these come from?

And if that's not enough to happen all at once... sysWOW64 is still there blinking at me. My head is spinning.

PS: It might be a good idea to mention in your directions to turn anti-malware programs back ON after having turned them off. I rebooted, which reconnected internet access, but MSE remained OFF for a few minutes before I noticed it.
  10. I see what I did earlier. I hit scan instead of fix.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-08-2014
Ran by STAN at 2014-08-26 13:52:54 Run:1
Running from C:\Users\STAN\Desktop\MALWARE
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
AppInit_DLLs: C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found
AppInit_DLLs-x32: c:\program files (x86)\searchprotect\searchprotect\bin\spvc32loader.dll => "c:\program files (x86)\searchprotect\searchprotect\bin\spvc32loader.dll" File Not Found
SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS
SearchScopes: HKLM-x32 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS
FF Extension: No Name - C:\Users\STAN\AppData\Roaming\Mozilla\Firefox\Profiles\th956u7p.default\Extensions\staged [2014-01-16]
FF Extension: No Name - C:\Users\STAN\AppData\Roaming\Mozilla\Firefox\Profiles\th956u7p.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2014-05-11]
FF HKLM-x32\...\Firefox\Extensions: [otis@digitalpersona.com] - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt
FF Extension: DigitalPersona Extension - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt
AlternateDataStreams: C:\Users\STAN\Documents\picked fresh.png:Roxio EMC Stream
*****************

"C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll" => Value Data not found.
"c:\program files (x86)\searchprotect\searchprotect\bin\spvc32loader.dll" => Value Data not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
C:\Users\STAN\AppData\Roaming\Mozilla\Firefox\Profiles\th956u7p.default\Extensions\staged not found.
C:\Users\STAN\AppData\Roaming\Mozilla\Firefox\Profiles\th956u7p.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi => Moved successfully.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\otis@digitalpersona.com => value deleted successfully.
FF Extension: DigitalPersona Extension - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt not found.
C:\Users\STAN\Documents\picked fresh.png => ":Roxio EMC Stream" ADS removed successfully.

==== End of Fixlog ====
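The fixlog in the post above touches four distinct hijack and persistence locations: the AppInit_DLLs loader value in both the 64-bit and the Wow6432Node registry view (the SearchProtect DLLs it named were already gone, so FRST reports "Value Data not found"), the Internet Explorer DefaultScope search URL under HKLM, HKLM-x32 and HKCU (a Bing URL carrying a pc= partner code that did not come with Windows), a Firefox extension registered machine-wide under HKLM\...\Mozilla\Firefox\Extensions, and a named alternate data stream on a PNG. The PowerShell script below is an added example, not part of the original thread and not FRST's or ComboFix's own code; it re-audits those same locations read-only so the fix can be confirmed and a reinfection spotted. It assumes an elevated 64-bit PowerShell 3.0 or later session; the `$KnownSearchHosts` allow-list and the `$Files` glob are placeholders to adjust for the machine being checked.

```powershell
# Added example (not from the thread, FRST or ComboFix): read-only re-audit of the
# persistence and hijack points the fixlog removed. Elevated 64-bit PowerShell 3.0+.

$Findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Where, [string]$What) { $Findings.Add("$Where :: $What") }

# 1. AppInit_DLLs in both registry views. Any non-empty value is injected into every
#    process that loads user32.dll; LoadAppInit_DLLs=1 without RequireSignedAppInit_DLLs=1
#    lets unsigned DLLs (the SearchProtect loaders above) ride along.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($Key in $AppInitKeys) {
    $P = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $P) { continue }
    if ($P.AppInit_DLLs -and $P.AppInit_DLLs.Trim() -ne '') {
        Add-Finding $Key "AppInit_DLLs = '$($P.AppInit_DLLs)'"
    }
    if ($P.LoadAppInit_DLLs -eq 1 -and $P.RequireSignedAppInit_DLLs -ne 1) {
        Add-Finding $Key 'LoadAppInit_DLLs=1 without RequireSignedAppInit_DLLs=1'
    }
}

# 2. IE search scopes. DefaultScope names the subkey whose URL the address bar uses.
#    Flag unknown hosts and any pc= partner code (Bing's affiliate marker; one you did
#    not install, like pc=CMNTDFJS in the fixlog, usually arrived with bundled software).
$KnownSearchHosts = @('www.bing.com', 'www.google.com')   # placeholder allow-list
$ScopeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)
foreach ($Root in $ScopeRoots) {
    if (-not (Test-Path $Root)) { continue }
    $Default = (Get-ItemProperty -Path $Root -ErrorAction SilentlyContinue).DefaultScope
    foreach ($Scope in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $Url = (Get-ItemProperty -Path $Scope.PSPath -ErrorAction SilentlyContinue).URL
        if (-not $Url) { continue }
        $Uri = $Url -as [uri]                      # $null if the value is not a URL
        $UrlHost = if ($Uri) { $Uri.Host } else { '' }
        $Tag = if ($Scope.PSChildName -eq $Default) { 'DEFAULT' } else { 'extra' }
        if ($KnownSearchHosts -notcontains $UrlHost -or $Url -match '[?&]pc=') {
            Add-Finding "$Root\$($Scope.PSChildName)" "$Tag scope -> $Url"
        }
    }
}

# 3. Firefox extensions registered through the registry load for every profile on the
#    machine, so every entry is reported, not just suspicious-looking ones.
$FfExtRoots = @(
    'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
    'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions'
)
foreach ($Root in $FfExtRoots) {
    $P = Get-ItemProperty -Path $Root -ErrorAction SilentlyContinue
    if (-not $P) { continue }
    foreach ($Prop in $P.PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/PSProvider...
        Add-Finding $Root "extension '$($Prop.Name)' -> $($Prop.Value)"
    }
}

# 4. Alternate data streams on user documents. ':$DATA' is the file's own content;
#    anything else is a named stream like the ':Roxio EMC Stream' in the fixlog.
$Files = @("$env:USERPROFILE\Documents\*.png")           # placeholder; widen as needed
foreach ($Pattern in $Files) {
    foreach ($F in Get-ChildItem -Path $Pattern -File -ErrorAction SilentlyContinue) {
        foreach ($S in Get-Item -LiteralPath $F.FullName -Stream * -ErrorAction SilentlyContinue) {
            if ($S.Stream -ne ':$DATA') {
                Add-Finding $F.FullName "ADS '$($S.Stream)' ($($S.Length) bytes)"
            }
        }
    }
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings }
```

Run against the state shown in this thread, the script would report nothing for sections 1 and 2 after the fix (FRST restored the DefaultScope values and the DLL values were already empty), but it would still flag the Wow6432Node key, because the later ComboFix log shows "LoadAppInit_DLLs"=1 there with no RequireSignedAppInit_DLLs. That flag by itself injects nothing once AppInit_DLLs is empty, but it is the setting that let the SearchProtect loaders in, and it is worth clearing or pairing with RequireSignedAppInit_DLLs=1.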
  11. BTW - all this crap began with installing Menu\Programs\Cool Timer

2014-08-21 13:57 - 2014-08-21 13:57 - 00000000 ____D () C:\Program Files (x86)\Cool Timer

I'm usually pretty adept at catching this stuff when installing programs, but this one got me. Cops and robbers. Fascinating stuff.
  12. ComboFix 14-08-26.02 - STAN 08/26/2014 13:29:10.1.4 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8071.6070 [GMT -4:00]
Running from: c:\users\STAN\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\STAN\AppData\Roaming\Microsoft\Windows\Recent\Downloads page.url
c:\users\STAN\AppData\Roaming\Microsoft\Windows\Recent\Pfoit Vault.url
c:\windows\SysWow64\zip32.dll
.
.
((((((((((((((((((((((((( Files Created from 2014-07-26 to 2014-08-26 )))))))))))))))))))))))))))))))
.
.
2014-08-26 17:33 . 2014-08-26 17:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-08-26 11:08 . 2014-08-21 03:43 11319192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E8711252-301E-42DA-86F2-6F57654412B3}\mpengine.dll
2014-08-26 10:44 . 2010-08-30 12:34 536576 ----a-w- c:\windows\SysWow64\sqlite3.dll
2014-08-26 10:43 . 2014-08-26 10:49 -------- d-----w- C:\AdwCleaner
2014-08-26 10:37 . 2014-08-26 10:59 -------- d-----w- c:\windows\ERUNT
2014-08-25 22:04 . 2014-08-25 22:52 36456 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-08-25 22:04 . 2014-08-25 22:04 -------- d-----w- c:\programdata\RogueKiller
2014-08-24 19:25 . 2014-08-24 19:25 -------- d-----w- c:\users\STAN\AppData\Roaming\JihoiOSRecovery
2014-08-24 19:25 . 2014-08-24 19:25 -------- d-----w- c:\program files (x86)\Jihosoft
2014-08-24 15:14 . 2014-08-21 03:43 11319192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-08-23 16:07 . 2014-08-26 10:40 -------- d-----w- C:\FRST
2014-08-22 21:17 . 2014-03-09 21:47 99480 ----a-w- c:\windows\SysWow64\infocardapi.dll
2014-08-22 21:17 . 2014-03-09 21:48 171160 ----a-w- c:\windows\system32\infocardapi.dll
2014-08-22 21:17 . 2014-03-09 21:48 1389208 ----a-w- c:\windows\system32\icardagt.exe
2014-08-22 21:17 . 2014-03-09 21:47 619672 ----a-w- c:\windows\SysWow64\icardagt.exe
2014-08-22 21:17 . 2014-06-30 22:24 8856 ----a-w- c:\windows\system32\icardres.dll
2014-08-22 21:17 . 2014-06-30 22:14 8856 ----a-w- c:\windows\SysWow64\icardres.dll
2014-08-22 21:17 . 2014-06-06 06:16 35480 ----a-w- c:\windows\SysWow64\TsWpfWrp.exe
2014-08-22 21:17 . 2014-06-06 06:12 35480 ----a-w- c:\windows\system32\TsWpfWrp.exe
2014-08-22 21:13 . 2014-06-03 10:02 112064 ----a-w- c:\windows\system32\consent.exe
2014-08-22 21:13 . 2014-06-03 10:02 504320 ----a-w- c:\windows\system32\msihnd.dll
2014-08-22 21:13 . 2014-06-03 10:02 3241984 ----a-w- c:\windows\system32\msi.dll
2014-08-22 21:13 . 2014-06-03 10:02 1941504 ----a-w- c:\windows\system32\authui.dll
2014-08-22 21:13 . 2014-06-03 09:29 337408 ----a-w- c:\windows\SysWow64\msihnd.dll
2014-08-22 21:13 . 2014-06-03 09:29 2363392 ----a-w- c:\windows\SysWow64\msi.dll
2014-08-22 21:13 . 2014-06-03 09:29 1805824 ----a-w- c:\windows\SysWow64\authui.dll
2014-08-22 21:13 . 2014-07-16 03:23 2048 ----a-w- c:\windows\system32\tzres.dll
2014-08-22 21:13 . 2014-07-16 02:46 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-08-22 21:13 . 2014-07-14 02:02 1216000 ----a-w- c:\windows\system32\rpcrt4.dll
2014-08-22 21:13 . 2014-07-14 01:40 664064 ----a-w- c:\windows\SysWow64\rpcrt4.dll
2014-08-22 21:13 . 2014-06-12 07:52 986560 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-08-22 20:13 . 2014-08-26 11:12 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-08-22 20:13 . 2014-05-12 11:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-08-22 20:13 . 2014-05-12 11:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-08-22 20:13 . 2014-05-12 11:25 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-08-22 20:13 . 2014-08-22 20:13 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-08-21 18:08 . 2014-08-21 18:08 -------- d-----w- c:\users\STAN\AppData\Local\Harmony_Hollow_Software
2014-08-21 17:58 . 2014-08-21 17:58 -------- d-----w- c:\users\STAN\AppData\Local\CTSounds
2014-08-21 17:57 . 2014-08-21 17:57 -------- d-----w- c:\program files (x86)\Cool Timer
2014-08-20 20:45 . 2014-08-20 20:45 -------- d-----w- c:\program files (x86)\FOXIT SOFTWARE
2014-08-20 15:17 . 2014-08-20 15:17 1169712 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B13BCD9E-CBD6-45F1-B473-FEDCD8452AB8}\gapaengine.dll
2014-08-19 13:32 . 2014-05-14 16:23 44512 ----a-w- c:\windows\system32\wups2.dll
2014-08-19 13:32 . 2014-05-14 16:23 58336 ----a-w- c:\windows\system32\wuauclt.exe
2014-08-19 13:32 . 2014-05-14 16:23 2477536 ----a-w- c:\windows\system32\wuaueng.dll
2014-08-19 13:32 . 2014-05-14 16:21 2620928 ----a-w- c:\windows\system32\wucltux.dll
2014-08-19 13:32 . 2014-05-14 16:23 38880 ----a-w- c:\windows\system32\wups.dll
2014-08-19 13:32 . 2014-05-14 16:23 36320 ----a-w- c:\windows\SysWow64\wups.dll
2014-08-19 13:32 . 2014-05-14 16:23 700384 ----a-w- c:\windows\system32\wuapi.dll
2014-08-19 13:32 . 2014-05-14 16:23 581600 ----a-w- c:\windows\SysWow64\wuapi.dll
2014-08-19 13:32 . 2014-05-14 16:20 97792 ----a-w- c:\windows\system32\wudriver.dll
2014-08-19 13:32 . 2014-05-14 16:17 92672 ----a-w- c:\windows\SysWow64\wudriver.dll
2014-08-19 13:31 . 2014-05-14 13:23 198600 ----a-w- c:\windows\system32\wuwebv.dll
2014-08-19 13:31 . 2014-05-14 13:23 179656 ----a-w- c:\windows\SysWow64\wuwebv.dll
2014-08-19 13:31 . 2014-05-14 13:20 36864 ----a-w- c:\windows\system32\wuapp.exe
2014-08-19 13:31 . 2014-05-14 13:17 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2014-08-18 22:03 . 2014-08-19 03:40 -------- d-----w- c:\users\STAN\AppData\Local\Screencast-O-Matic
2014-08-14 13:52 . 2014-08-14 13:52 -------- d-----w- c:\program files (x86)\Common Files\Java
2014-08-14 13:52 . 2014-08-14 13:52 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-08-14 13:52 . 2014-08-14 13:52 -------- d-----w- c:\program files (x86)\Java
2014-08-07 23:00 . 2014-08-07 23:00 -------- d-----w- c:\users\STAN\AppData\Local\Serif
2014-08-04 16:26 . 2014-08-04 16:26 -------- d-----w- c:\users\STAN\AppData\Roaming\QFX Software
2014-08-04 16:26 . 2014-08-04 16:26 -------- d-----w- c:\programdata\QFX Software
2014-08-04 16:24 . 2014-08-04 16:24 -------- d-----w- c:\program files (x86)\Ruiware
2014-08-04 15:55 . 2014-08-04 15:55 -------- d-----w- c:\programdata\Oxynger
2014-08-04 15:55 . 2014-08-04 15:55 -------- d-----w- c:\program files (x86)\Oxynger
2014-08-04 15:20 . 2013-05-31 14:53 222200 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2014-08-04 15:20 . 2014-08-05 13:10 -------- d-----w- c:\program files (x86)\KeyScrambler
2014-08-01 22:47 . 2014-08-01 22:52 -------- d-----w- c:\users\STAN\AppData\Roaming\XMind
2014-08-01 22:46 . 2014-08-01 22:47 -------- d-----w- c:\program files (x86)\XMind
2014-07-31 18:40 . 2014-08-01 02:16 -------- d-----w- c:\users\STAN\AppData\Local\Cyberlink
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-08-22 21:19 . 2014-01-19 21:50 99218768 ----a-w- c:\windows\system32\MRT.exe
2014-08-16 12:09 . 2013-04-17 08:23 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-08-16 12:09 . 2013-04-17 08:23 699568 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-07-09 07:47 . 2014-07-09 07:47 5659136 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2014-06-18 02:18 . 2014-07-18 12:38 692736 ----a-w- c:\windows\system32\osk.exe
2014-06-18 01:51 . 2014-07-18 12:38 646144 ----a-w- c:\windows\SysWow64\osk.exe
2014-06-18 01:10 . 2014-07-18 12:38 3157504 ----a-w- c:\windows\system32\win32k.sys
2014-06-17 13:00 . 2014-01-16 21:49 532 ----a-w- c:\windows\uninstallstickies.bat
2014-06-06 10:10 . 2014-07-18 12:38 624128 ----a-w- c:\windows\system32\qedit.dll
2014-06-06 09:44 . 2014-07-18 12:38 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2014-06-05 14:45 . 2014-07-18 12:38 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-06-05 14:26 . 2014-07-18 12:38 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-06-05 14:25 . 2014-07-18 12:38 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-05-30 06:45 . 2014-07-18 12:38 497152 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadwin PrintScreen"="c:\program files (x86)\Gadwin Systems\PrintScreen\PrintScreen.exe" [2012-05-30 1842384]
"WinPatrol Change Detection"="c:\program files (x86)\BillP Studios\WinPatrol\WinPatrol.exe" [2014-06-03 1128000]
"Listary"="c:\program files\Listary\Listary.exe" [2014-04-03 3802352]
"Speed Typing"="c:\program files (x86)\Invention Pilot\Speed Typing\STyping.exe" [2002-12-12 101376]
"WinPatrol"="c:\program files (x86)\BillP Studios\WinPatrol\winpatrol.exe" [2014-06-03 1128000]
"xplorer2_64"="c:\program files\zabkat\xplorer2\xplorer2_64.exe" [2014-04-13 1762592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AMD AVT"="start AMD Accelerated Video Transcoding device initialization" [X]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" [2012-03-01 56088]
"PDF Complete"="c:\program files (x86)\PDF Complete\pdfsty.exe" [2012-03-07 684024]
"QLBController"="c:\program files (x86)\Hewlett-Packard\HP Hotkey Support\QLBController.exe" [2012-09-13 334240]
"USB3MON"="c:\program files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-03-27 291608]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-03-30 636032]
"YouCam Mirage"="c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe" [2012-10-24 139792]
"YouCam Tray"="c:\program files (x86)\CyberLink\YouCam\YouCamTray.exe" [2012-10-24 168464]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2012-07-13 93296]
"CLMLServer_For_P2G8"="c:\program files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe" [2012-11-21 111136]
"CLVirtualDrive"="c:\program files (x86)\CyberLink\Power2Go8\VirtualDrive.exe" [2012-11-21 493088]
"File Sanitizer"="c:\program files (x86)\Hewlett-Packard\File Sanitizer\CoreShredder.exe" [2012-03-22 12310616]
"KeyScrambler"="c:\program files (x86)\KeyScrambler\keyscrambler.exe" [2014-07-30 508744]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-07-25 256896]
.
c:\users\STAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
QuotePad.lnk - c:\program files (x86)\QuotePad\QuotePad.exe [2014-1-16 1522176]
Stickies.lnk - c:\program files (x86)\Stickies\stickies.exe [2014-1-16 1549312]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2012-11-19 17:12 75648 ------w- c:\windows\System32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ DPPassFilter scecli
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe;c:\program files (x86)\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [x]
R2 SessionLauncher;SessionLauncher;c:\users\STAN\AppData\Local\Temp\DX9\SessionLauncher.exe;c:\users\STAN\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 AthBTPort;Qualcomm Atheros Virtual Bluetooth Class;c:\windows\system32\DRIVERS\btath_flt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_flt.sys [x]
R3 BTATH_A2DP;Bluetooth A2DP Audio Driver;c:\windows\system32\drivers\btath_a2dp.sys;c:\windows\SYSNATIVE\drivers\btath_a2dp.sys [x]
R3 btath_avdt;Qualcomm Atheros Bluetooth AVDT Service;c:\windows\system32\drivers\btath_avdt.sys;c:\windows\SYSNATIVE\drivers\btath_avdt.sys [x]
R3 BTATH_HCRP;Bluetooth HCRP Server driver;c:\windows\system32\DRIVERS\btath_hcrp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_hcrp.sys [x]
R3 BTATH_LWFLT;Bluetooth LWFLT Device;c:\windows\system32\DRIVERS\btath_lwflt.sys;c:\windows\SYSNATIVE\DRIVERS\btath_lwflt.sys [x]
R3 BTATH_RCP;Bluetooth AVRCP Device;c:\windows\system32\DRIVERS\btath_rcp.sys;c:\windows\SYSNATIVE\DRIVERS\btath_rcp.sys [x]
R3 BtFilter;BtFilter;c:\windows\system32\DRIVERS\btfilter.sys;c:\windows\SYSNATIVE\DRIVERS\btfilter.sys [x]
R3 DAMDrv;DAMDrv;c:\windows\system32\DRIVERS\DAMDrv64.sys;c:\windows\SYSNATIVE\DRIVERS\DAMDrv64.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\SysWOW64\flcdlock.exe;c:\windows\SysWOW64\flcdlock.exe [x]
R3 hpCMSrv;HP Connection Manager 4 Service;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe;c:\program files (x86)\Hewlett-Packard\HP Connection Manager\hpCMSrv.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 PdiService;Portrait Displays SDK Service;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe;c:\program files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [x]
S0 ambakdrv;ambakdrv;c:\windows\system32\ambakdrv.sys;c:\windows\SYSNATIVE\ambakdrv.sys [x]
S0 amdkmpfd;AMD PCI Root Bus Lower Filter;c:\windows\system32\DRIVERS\amdkmpfd.sys;c:\windows\SYSNATIVE\DRIVERS\amdkmpfd.sys [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 MfeEpeOpal;MfeEpeOpal; [x]
S0 MfeEpePc;MfeEpePc; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 CLVirtualDrive;CLVirtualDrive;c:\windows\system32\DRIVERS\CLVirtualDrive.sys;c:\windows\SYSNATIVE\DRIVERS\CLVirtualDrive.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 ammntdrv;ammntdrv;c:\windows\system32\ammntdrv.sys;c:\windows\SYSNATIVE\ammntdrv.sys [x]
S2 amwrtdrv;amwrtdrv;c:\windows\system32\amwrtdrv.sys;c:\windows\SYSNATIVE\amwrtdrv.sys [x]
S2 AtherosSvc;AtherosSvc;c:\program files (x86)\Bluetooth Suite\adminservice.exe;c:\program files (x86)\Bluetooth Suite\adminservice.exe [x]
S2 Backupper Service;AOMEI Backupper Scheduler Service;c:\program files (x86)\AOMEI Backupper Professional Edition 2.0\ABService.exe;c:\program files (x86)\AOMEI Backupper Professional Edition 2.0\ABService.exe [x]
S2 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe;c:\program files (x86)\Hewlett-Packard\File Sanitizer\HPFSService.exe [x]
S2 hpHotkeyMonitor;hpHotkeyMonitor;c:\program files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe;c:\program files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Intel® Capability Licensing Service Interface;Intel® Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 Intel® ME Service;Intel® ME Service;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\FWService\IntelMeFWService.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 ListaryService;ListaryService;c:\program files\Listary\ListaryService.exe;c:\program files\Listary\ListaryService.exe [x]
S2 McAfee Endpoint Encryption Agent;McAfee Endpoint Encryption Agent;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe;c:\program files\Hewlett-Packard\Drive Encryption\EEAgent\MfeEpeHost.exe [x]
S2 pdfcDispatcher;PDF Document Manager;c:\program files (x86)\PDF Complete\pdfsvc.exe;c:\program files (x86)\PDF Complete\pdfsvc.exe [x]
S2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe;c:\program files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe [x]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe;c:\windows\SYSNATIVE\vcsFPService.exe [x]
S2 ZAtheros Bt&Wlan Coex Agent;ZAtheros Bt&Wlan Coex Agent;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe;c:\program files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [x]
S3 BTATH_BUS;Qualcomm Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys;c:\windows\SYSNATIVE\DRIVERS\btath_bus.sys [x]
S3 clwvd;CyberLink Webcam Sharing Manager;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd64.sys;c:\windows\SYSNATIVE\DRIVERS\igdpmd64.sys [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys;c:\windows\SYSNATIVE\DRIVERS\jmcr.sys [x]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys;c:\windows\SYSNATIVE\drivers\keyscrambler.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 18354492
*Deregistered* - 18354492
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-08-13 06:15 1104200 ----a-w- c:\program files (x86)\Google\Chrome\Application\36.0.1985.143\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-08-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-04-17 12:09]
.
2014-08-26 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-2814820857-3032417316-13908079-1001.job
- c:\users\STAN\AppData\Local\Citrix\GoToMeeting\1558\g2mupdate.exe [2014-08-14 16:05]
.
2014-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-01-25 14:24]
.
2014-08-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-01-25 14:24]
.
2014-08-26 c:\windows\Tasks\WpsNotifyTask_STAN.job
- c:\users\STAN\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsnotify.exe [2014-08-07 12:57]
.
2014-08-26 c:\windows\Tasks\WpsUpdateTask_STAN.job
- c:\users\STAN\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsupdate.exe [2014-08-07 12:57]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2012-03-05 1425408]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-03-11 1271072]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\STAN\AppData\Roaming\Mozilla\Firefox\Profiles\th956u7p.default\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-18354492.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM_Wow6432Node-ActiveSetup-{438363A8-F486-4C37-834C-4955773CB3D3} - msiexec
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-ZhornStickies - c:\windows\unins
AddRemove-{1B9604EE-B104-45C8-8551-5F63BA631E23} - c:\programdata\{E0A9340B-C01B-42C1-9910-C307D7BE4756}\WeatherBugSetup.exe
AddRemove-{6F44AF95-3CDE-4513-AD3F-6D45F17BF324} - c:\program files (x86)\InstallShield Installation Information\{6F44AF95-3CDE-4513-AD3F-6D45F17BF324}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files (x86)\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation] "Enabled"=dword:00000001 . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32] @="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Shockwave Flash Object" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus] @="0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID] @="ShockwaveFlash.ShockwaveFlash.14" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="ShockwaveFlash.ShockwaveFlash" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}] @Denied: (A 2) (Everyone) @="Macromedia Flash Factory Object" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32] @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx" "ThreadingModel"="Apartment" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID] @="FlashFactory.FlashFactory.1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32] @="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib] @="{D27CDB6B-AE6D-11cf-96B8-444553540000}" . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version] @="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID] @="FlashFactory.FlashFactory" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}] @Denied: (A 2) (Everyone) @="IFlashBroker5" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" . [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Nico Mak Computing\WinZip] "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79, 00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\ . [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security] @Denied: (Full) (Everyone) . Completion time: 2014-08-26 13:34:33 ComboFix-quarantined-files.txt 2014-08-26 17:34 . Pre-Run: 338,193,448,960 bytes free Post-Run: 338,849,017,856 bytes free . - - End Of File - - CC70F78B6AD98356AB647FBE2481DC24
  13. FRST did not output a fixlog.txt file. It did produce a FRST.txt file. I'll copy and paste below and attach Kaspersky files. I'll send Combofix separately.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-08-2014 Ran by STAN (administrator) on STAN-HP on 26-08-2014 06:40:06 Running from C:\Users\STAN\Desktop\MALWARE Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States) Internet Explorer Version 11 Boot Mode: Normal
Corporation) C:\windows\SysWOW64\JavaScriptCollectionAgent.dll 2014-08-22 17:16 - 2014-07-25 07:42 - 00692736 _____ (Microsoft Corporation) C:\windows\system32\ie4uinit.exe 2014-08-22 17:16 - 2014-07-25 07:39 - 02087936 _____ (Microsoft Corporation) C:\windows\system32\inetcpl.cpl 2014-08-22 17:16 - 2014-07-25 07:39 - 01249280 _____ (Microsoft Corporation) C:\windows\system32\mshtmlmedia.dll 2014-08-22 17:16 - 2014-07-25 07:36 - 00164864 _____ (Microsoft Corporation) C:\windows\SysWOW64\msrating.dll 2014-08-22 17:16 - 2014-07-25 07:34 - 00069632 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmled.dll 2014-08-22 17:16 - 2014-07-25 07:29 - 00239616 _____ (Microsoft Corporation) C:\windows\SysWOW64\dxtrans.dll 2014-08-22 17:16 - 2014-07-25 07:23 - 13547008 _____ (Microsoft Corporation) C:\windows\system32\ieframe.dll 2014-08-22 17:16 - 2014-07-25 07:13 - 00526336 _____ (Microsoft Corporation) C:\windows\SysWOW64\msfeeds.dll 2014-08-22 17:16 - 2014-07-25 07:07 - 02001920 _____ (Microsoft Corporation) C:\windows\SysWOW64\inetcpl.cpl 2014-08-22 17:16 - 2014-07-25 07:07 - 01068032 _____ (Microsoft Corporation) C:\windows\SysWOW64\mshtmlmedia.dll 2014-08-22 17:16 - 2014-07-25 07:03 - 11772928 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieframe.dll 2014-08-22 17:16 - 2014-07-25 06:52 - 02266624 _____ (Microsoft Corporation) C:\windows\system32\wininet.dll 2014-08-22 17:16 - 2014-07-25 06:26 - 01431040 _____ (Microsoft Corporation) C:\windows\system32\urlmon.dll 2014-08-22 17:16 - 2014-07-25 06:17 - 00846336 _____ (Microsoft Corporation) C:\windows\system32\ieapfltr.dll 2014-08-22 17:16 - 2014-07-25 06:09 - 00704512 _____ (Microsoft Corporation) C:\windows\SysWOW64\ieapfltr.dll 2014-08-22 17:16 - 2014-07-25 06:05 - 01792512 _____ (Microsoft Corporation) C:\windows\SysWOW64\wininet.dll 2014-08-22 17:16 - 2014-07-25 06:00 - 01169920 _____ (Microsoft Corporation) C:\windows\SysWOW64\urlmon.dll 2014-08-22 17:13 - 2014-07-15 23:23 - 00002048 _____ (Microsoft 
Corporation) C:\windows\system32\tzres.dll 2014-08-22 17:13 - 2014-07-15 22:46 - 00002048 _____ (Microsoft Corporation) C:\windows\SysWOW64\tzres.dll 2014-08-22 17:13 - 2014-07-13 22:02 - 01216000 _____ (Microsoft Corporation) C:\windows\system32\rpcrt4.dll 2014-08-22 17:13 - 2014-07-13 21:40 - 00664064 _____ (Microsoft Corporation) C:\windows\SysWOW64\rpcrt4.dll 2014-08-22 17:13 - 2014-06-12 03:52 - 00986560 _____ (Microsoft Corporation) C:\windows\system32\Drivers\dxgkrnl.sys 2014-08-22 17:13 - 2014-06-03 06:02 - 03241984 _____ (Microsoft Corporation) C:\windows\system32\msi.dll 2014-08-22 17:13 - 2014-06-03 06:02 - 01941504 _____ (Microsoft Corporation) C:\windows\system32\authui.dll 2014-08-22 17:13 - 2014-06-03 06:02 - 00504320 _____ (Microsoft Corporation) C:\windows\system32\msihnd.dll 2014-08-22 17:13 - 2014-06-03 06:02 - 00112064 _____ (Microsoft Corporation) C:\windows\system32\consent.exe 2014-08-22 17:13 - 2014-06-03 05:29 - 02363392 _____ (Microsoft Corporation) C:\windows\SysWOW64\msi.dll 2014-08-22 17:13 - 2014-06-03 05:29 - 01805824 _____ (Microsoft Corporation) C:\windows\SysWOW64\authui.dll 2014-08-22 17:13 - 2014-06-03 05:29 - 00337408 _____ (Microsoft Corporation) C:\windows\SysWOW64\msihnd.dll 2014-08-22 16:13 - 2014-08-25 17:52 - 00122584 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys 2014-08-22 16:13 - 2014-08-22 16:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware 2014-08-22 16:13 - 2014-08-22 16:13 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware 2014-08-22 16:13 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbamchameleon.sys 2014-08-22 16:13 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mwac.sys 2014-08-22 16:13 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\mbam.sys 2014-08-21 14:08 - 2014-08-21 14:08 - 
00000000 ____D () C:\Users\STAN\AppData\Local\Harmony_Hollow_Software 2014-08-21 13:58 - 2014-08-21 13:58 - 00000000 ____D () C:\Users\STAN\AppData\Local\CTSounds 2014-08-21 13:57 - 2014-08-21 13:57 - 00001060 _____ () C:\Users\STAN\Desktop\Cool Timer.lnk 2014-08-21 13:57 - 2014-08-21 13:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cool Timer 2014-08-21 13:57 - 2014-08-21 13:57 - 00000000 ____D () C:\Program Files (x86)\Cool Timer 2014-08-20 16:45 - 2014-08-20 16:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit Reader 2014-08-20 16:45 - 2014-08-20 16:45 - 00000000 ____D () C:\Program Files (x86)\FOXIT SOFTWARE 2014-08-19 09:32 - 2014-05-14 12:23 - 02477536 _____ (Microsoft Corporation) C:\windows\system32\wuaueng.dll 2014-08-19 09:32 - 2014-05-14 12:23 - 00700384 _____ (Microsoft Corporation) C:\windows\system32\wuapi.dll 2014-08-19 09:32 - 2014-05-14 12:23 - 00581600 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapi.dll 2014-08-19 09:32 - 2014-05-14 12:23 - 00058336 _____ (Microsoft Corporation) C:\windows\system32\wuauclt.exe 2014-08-19 09:32 - 2014-05-14 12:23 - 00044512 _____ (Microsoft Corporation) C:\windows\system32\wups2.dll 2014-08-19 09:32 - 2014-05-14 12:23 - 00038880 _____ (Microsoft Corporation) C:\windows\system32\wups.dll 2014-08-19 09:32 - 2014-05-14 12:23 - 00036320 _____ (Microsoft Corporation) C:\windows\SysWOW64\wups.dll 2014-08-19 09:32 - 2014-05-14 12:21 - 02620928 _____ (Microsoft Corporation) C:\windows\system32\wucltux.dll 2014-08-19 09:32 - 2014-05-14 12:20 - 00097792 _____ (Microsoft Corporation) C:\windows\system32\wudriver.dll 2014-08-19 09:32 - 2014-05-14 12:17 - 00092672 _____ (Microsoft Corporation) C:\windows\SysWOW64\wudriver.dll 2014-08-19 09:31 - 2014-05-14 09:23 - 00198600 _____ (Microsoft Corporation) C:\windows\system32\wuwebv.dll 2014-08-19 09:31 - 2014-05-14 09:23 - 00179656 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuwebv.dll 2014-08-19 09:31 - 
2014-05-14 09:20 - 00036864 _____ (Microsoft Corporation) C:\windows\system32\wuapp.exe 2014-08-19 09:31 - 2014-05-14 09:17 - 00033792 _____ (Microsoft Corporation) C:\windows\SysWOW64\wuapp.exe 2014-08-18 18:03 - 2014-08-18 23:40 - 00000000 ____D () C:\Users\STAN\AppData\Local\Screencast-O-Matic 2014-08-18 18:03 - 2014-08-18 18:03 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Screencast-O-Matic 2014-08-14 09:52 - 2014-08-14 09:52 - 00272808 _____ (Oracle Corporation) C:\windows\SysWOW64\javaws.exe 2014-08-14 09:52 - 2014-08-14 09:52 - 00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\javaw.exe 2014-08-14 09:52 - 2014-08-14 09:52 - 00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\java.exe 2014-08-14 09:52 - 2014-08-14 09:52 - 00098216 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll 2014-08-14 09:52 - 2014-08-14 09:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java 2014-08-14 09:52 - 2014-08-14 09:52 - 00000000 ____D () C:\Program Files (x86)\Java 2014-08-13 11:10 - 2014-08-13 11:10 - 00000000 ____D () C:\Users\STAN\Documents\My Phrases - Copy 2014-08-13 11:04 - 2014-08-13 11:04 - 00142870 _____ () C:\Users\STAN\Downloads\speed typing.exe 2014-08-07 19:00 - 2014-08-07 19:00 - 00000000 ____D () C:\Users\STAN\AppData\Local\Serif 2014-08-07 18:56 - 2014-08-07 18:56 - 00002511 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Serif MoviePlus X5.lnk 2014-08-07 17:06 - 2014-08-07 17:06 - 01054064 _____ (Amazon Services LLC) C:\Users\STAN\Downloads\Serif_MoviePlus_X5_Downloader.exe 2014-08-07 14:06 - 2014-08-07 14:06 - 00000000 ____D () C:\Users\STAN\Documents\Avatar 2014-08-07 08:57 - 2014-08-07 08:57 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WPS Office 2014-08-04 12:26 - 2014-08-04 12:26 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\QFX Software 2014-08-04 12:26 - 2014-08-04 12:26 - 00000000 ____D () 
C:\ProgramData\QFX Software 2014-08-04 12:24 - 2014-08-04 12:24 - 00000000 ____D () C:\Program Files (x86)\Ruiware 2014-08-04 12:05 - 2014-08-04 12:05 - 00000017 _____ () C:\Users\STAN\AppData\Local\resmon.resmoncfg 2014-08-04 11:55 - 2014-08-04 11:55 - 00000000 ____D () C:\ProgramData\Oxynger 2014-08-04 11:55 - 2014-08-04 11:55 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oxynger KeyShield 2014-08-04 11:55 - 2014-08-04 11:55 - 00000000 ____D () C:\Program Files (x86)\Oxynger 2014-08-04 11:20 - 2014-08-05 09:10 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeyScrambler 2014-08-04 11:20 - 2014-08-05 09:10 - 00000000 ____D () C:\Program Files (x86)\KeyScrambler 2014-08-04 11:20 - 2013-05-31 10:53 - 00222200 _____ (QFX Software Corporation) C:\windows\system32\Drivers\keyscrambler.sys 2014-08-01 18:47 - 2014-08-01 18:52 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\XMind 2014-08-01 18:47 - 2014-08-01 18:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XMind 2014-08-01 18:46 - 2014-08-01 18:47 - 00000000 ____D () C:\Program Files (x86)\XMind 2014-08-01 11:36 - 2014-08-01 11:36 - 00002987 _____ () C:\Users\STAN\Documents\notes.nth 2014-07-31 14:40 - 2014-07-31 22:16 - 00000000 ____D () C:\Users\STAN\AppData\Local\Cyberlink 2014-07-31 14:39 - 2014-07-31 14:39 - 00000000 ____D () C:\Users\STAN\Documents\CyberLink 2014-07-30 09:03 - 2014-07-30 09:03 - 00000000 ____D () C:\Program Files (x86)\MOZILLA FIREFOX ==================== One Month Modified Files and Folders ======= (If an entry is included in the fixlist, the file\folder will be moved.) 
2014-08-26 06:40 - 2014-08-23 12:14 - 00000000 ____D () C:\Users\STAN\Desktop\MALWARE 2014-08-26 06:40 - 2014-08-23 12:07 - 00000000 ____D () C:\FRST 2014-08-26 06:37 - 2014-08-26 06:37 - 00000258 _____ () C:\DelFix.txt 2014-08-26 06:37 - 2014-08-26 06:37 - 00000000 ____D () C:\windows\ERUNT 2014-08-26 06:37 - 2014-01-16 18:27 - 00000394 _____ () C:\windows\Tasks\WpsUpdateTask_STAN.job 2014-08-26 06:14 - 2014-01-25 10:24 - 00000894 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineUA.job 2014-08-26 06:08 - 2009-07-14 00:45 - 00031536 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 2014-08-26 06:08 - 2009-07-14 00:45 - 00031536 ____H () C:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 2014-08-26 06:07 - 2014-01-15 16:47 - 00003918 _____ () C:\windows\System32\Tasks\User_Feed_Synchronization-{CBFD06BF-46D7-47E1-B07B-4E84EA902994} 2014-08-26 06:05 - 2014-01-22 21:19 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\vlc 2014-08-26 06:02 - 2014-01-25 10:24 - 00000890 _____ () C:\windows\Tasks\GoogleUpdateTaskMachineCore.job 2014-08-26 06:02 - 2014-01-16 17:49 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\stickies 2014-08-26 06:01 - 2013-04-17 04:22 - 00000000 ____D () C:\ProgramData\PDFC 2014-08-26 06:01 - 2009-07-14 01:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT 2014-08-26 06:01 - 2009-07-14 00:51 - 00096401 _____ () C:\windows\setupact.log 2014-08-25 23:44 - 2013-10-12 16:08 - 01159693 _____ () C:\windows\WindowsUpdate.log 2014-08-25 23:42 - 2014-03-26 13:34 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\Audacity 2014-08-25 23:41 - 2014-06-18 15:36 - 00000556 _____ () C:\windows\Tasks\G2MUpdateTask-S-1-5-21-2814820857-3032417316-13908079-1001.job 2014-08-25 22:47 - 2014-03-04 13:35 - 00000830 _____ () C:\windows\Tasks\Adobe Flash Player Updater.job 2014-08-25 22:47 - 2014-01-16 18:27 - 00000394 _____ () C:\windows\Tasks\WpsNotifyTask_STAN.job 
2014-08-25 21:55 - 2014-02-16 09:59 - 00000000 ____D () C:\Users\STAN\AppData\Local\CrashDumps 2014-08-25 18:52 - 2014-08-25 18:04 - 00036456 _____ () C:\windows\system32\Drivers\TrueSight.sys 2014-08-25 18:04 - 2014-08-25 18:04 - 00000000 ____D () C:\ProgramData\RogueKiller 2014-08-25 17:52 - 2014-08-22 16:13 - 00122584 _____ (Malwarebytes Corporation) C:\windows\system32\Drivers\MBAMSwissArmy.sys 2014-08-24 15:25 - 2014-08-24 15:25 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\JihoiOSRecovery 2014-08-24 15:25 - 2014-08-24 15:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Jihosoft Mobile Recovery for iOS 2014-08-24 15:25 - 2014-08-24 15:25 - 00000000 ____D () C:\Program Files (x86)\Jihosoft 2014-08-23 14:17 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\rescache 2014-08-23 12:30 - 2014-01-16 15:03 - 00000000 ____D () C:\Users\STAN\Documents\Personal 2014-08-23 12:16 - 2014-01-16 22:58 - 00000000 ____D () C:\Users\STAN\Desktop\MISC 2014-08-22 17:31 - 2010-11-20 23:47 - 00125280 _____ () C:\windows\PFRO.log 2014-08-22 17:30 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\PolicyDefinitions 2014-08-22 17:21 - 2014-01-19 17:50 - 00000000 ____D () C:\windows\system32\MRT 2014-08-22 17:19 - 2014-01-19 17:50 - 99218768 _____ (Microsoft Corporation) C:\windows\system32\MRT.exe 2014-08-22 16:33 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\Cursors 2014-08-22 16:13 - 2014-08-22 16:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware 2014-08-22 16:13 - 2014-08-22 16:13 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware 2014-08-21 17:34 - 2009-07-14 00:45 - 00472776 _____ () C:\windows\system32\FNTCACHE.DAT 2014-08-21 14:08 - 2014-08-21 14:08 - 00000000 ____D () C:\Users\STAN\AppData\Local\Harmony_Hollow_Software 2014-08-21 13:58 - 2014-08-21 13:58 - 00000000 ____D () C:\Users\STAN\AppData\Local\CTSounds 2014-08-21 13:58 - 2014-01-15 16:44 - 00141144 _____ () 
C:\Users\STAN\AppData\Local\GDIPFONTCACHEV1.DAT 2014-08-21 13:57 - 2014-08-21 13:57 - 00001060 _____ () C:\Users\STAN\Desktop\Cool Timer.lnk 2014-08-21 13:57 - 2014-08-21 13:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cool Timer 2014-08-21 13:57 - 2014-08-21 13:57 - 00000000 ____D () C:\Program Files (x86)\Cool Timer 2014-08-21 13:48 - 2009-07-13 23:20 - 00000000 ____D () C:\windows\Resources 2014-08-20 16:45 - 2014-08-20 16:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Foxit Reader 2014-08-20 16:45 - 2014-08-20 16:45 - 00000000 ____D () C:\Program Files (x86)\FOXIT SOFTWARE 2014-08-20 16:45 - 2014-01-17 10:27 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\Foxit Software 2014-08-20 16:45 - 2009-07-14 01:13 - 00792850 _____ () C:\windows\system32\PerfStringBackup.INI 2014-08-20 00:10 - 2014-04-16 22:02 - 00000000 ____D () C:\Users\STAN\Documents\- ACTIVE 2014-08-18 23:40 - 2014-08-18 18:03 - 00000000 ____D () C:\Users\STAN\AppData\Local\Screencast-O-Matic 2014-08-18 18:03 - 2014-08-18 18:03 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Screencast-O-Matic 2014-08-16 08:09 - 2014-03-04 13:35 - 00003768 _____ () C:\windows\System32\Tasks\Adobe Flash Player Updater 2014-08-16 08:09 - 2013-04-17 04:23 - 00699568 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerApp.exe 2014-08-16 08:09 - 2013-04-17 04:23 - 00071344 _____ (Adobe Systems Incorporated) C:\windows\SysWOW64\FlashPlayerCPLApp.cpl 2014-08-14 12:05 - 2014-06-18 15:36 - 00003578 _____ () C:\windows\System32\Tasks\G2MUpdateTask-S-1-5-21-2814820857-3032417316-13908079-1001 2014-08-14 11:28 - 2014-05-12 13:37 - 00000000 ____D () C:\Users\STAN\.freemind 2014-08-14 09:52 - 2014-08-14 09:52 - 00272808 _____ (Oracle Corporation) C:\windows\SysWOW64\javaws.exe 2014-08-14 09:52 - 2014-08-14 09:52 - 00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\javaw.exe 2014-08-14 09:52 - 2014-08-14 09:52 - 
00175528 _____ (Oracle Corporation) C:\windows\SysWOW64\java.exe 2014-08-14 09:52 - 2014-08-14 09:52 - 00098216 _____ (Oracle Corporation) C:\windows\SysWOW64\WindowsAccessBridge-32.dll 2014-08-14 09:52 - 2014-08-14 09:52 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java 2014-08-14 09:52 - 2014-08-14 09:52 - 00000000 ____D () C:\Program Files (x86)\Java 2014-08-14 09:52 - 2014-05-12 13:36 - 00000000 ____D () C:\ProgramData\Oracle 2014-08-13 12:25 - 2014-01-16 14:59 - 00000000 ____D () C:\Users\STAN\Documents\Keynote NF 2014-08-13 11:12 - 2014-01-16 15:01 - 00000000 ____D () C:\Users\STAN\Documents\My Phrases 2014-08-13 11:10 - 2014-08-13 11:10 - 00000000 ____D () C:\Users\STAN\Documents\My Phrases - Copy 2014-08-13 11:04 - 2014-08-13 11:04 - 00142870 _____ () C:\Users\STAN\Downloads\speed typing.exe 2014-08-11 20:51 - 2013-10-12 16:59 - 00000000 ____D () C:\ProgramData\CyberLink 2014-08-11 17:01 - 2014-01-16 14:51 - 00000000 ____D () C:\Users\STAN\Documents\- Stan 2014-08-08 10:34 - 2014-06-26 06:41 - 00000000 ____D () C:\Users\STAN\Documents\Aiseesoft Studio 2014-08-08 10:34 - 2014-05-30 18:26 - 00000000 ____D () C:\Users\STAN\AppData\Local\Aiseesoft Studio 2014-08-08 10:34 - 2014-05-30 18:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Aiseesoft 2014-08-08 10:34 - 2014-05-30 18:26 - 00000000 ____D () C:\ProgramData\Aiseesoft Studio 2014-08-08 10:34 - 2014-05-30 18:26 - 00000000 ____D () C:\Program Files (x86)\Aiseesoft Studio 2014-08-07 19:51 - 2014-01-16 15:00 - 00000000 ____D () C:\Users\STAN\Documents\MoviePlus X5 2014-08-07 19:00 - 2014-08-07 19:00 - 00000000 ____D () C:\Users\STAN\AppData\Local\Serif 2014-08-07 19:00 - 2014-06-19 13:36 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\Serif 2014-08-07 18:56 - 2014-08-07 18:56 - 00002511 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Serif MoviePlus X5.lnk 2014-08-07 18:55 - 2014-06-19 13:16 - 00000000 ____D () 
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Serif Applications 2014-08-07 18:55 - 2014-06-19 13:05 - 00000000 ____D () C:\Program Files (x86)\Serif 2014-08-07 17:06 - 2014-08-07 17:06 - 01054064 _____ (Amazon Services LLC) C:\Users\STAN\Downloads\Serif_MoviePlus_X5_Downloader.exe 2014-08-07 16:06 - 2014-07-01 17:30 - 00000000 ____D () C:\Users\STAN\Documents\Screenpresso 2014-08-07 14:06 - 2014-08-07 14:06 - 00000000 ____D () C:\Users\STAN\Documents\Avatar 2014-08-07 10:37 - 2014-01-16 18:26 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\Kingsoft 2014-08-07 10:35 - 2014-01-16 18:26 - 00000000 ____D () C:\Program Files (x86)\Kingsoft 2014-08-07 08:57 - 2014-08-07 08:57 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WPS Office 2014-08-07 08:57 - 2014-01-16 20:06 - 00000000 ____D () C:\Users\STAN\AppData\Local\Kingsoft 2014-08-07 08:57 - 2014-01-16 18:27 - 00003372 _____ () C:\windows\System32\Tasks\WpsUpdateTask_STAN 2014-08-07 08:57 - 2014-01-16 18:27 - 00003372 _____ () C:\windows\System32\Tasks\WpsNotifyTask_STAN 2014-08-07 08:57 - 2014-01-16 18:27 - 00000000 ____D () C:\ProgramData\Kingsoft 2014-08-07 08:56 - 2013-04-17 02:17 - 00000000 ____D () C:\windows\ShellNew 2014-08-05 21:18 - 2014-01-23 17:13 - 00000000 ____D () C:\Users\STAN\Documents\PrintScreen 2014-08-05 12:38 - 2014-01-15 16:44 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\hpqLog 2014-08-05 09:10 - 2014-08-04 11:20 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\KeyScrambler 2014-08-05 09:10 - 2014-08-04 11:20 - 00000000 ____D () C:\Program Files (x86)\KeyScrambler 2014-08-04 16:38 - 2014-01-16 14:52 - 00000000 ____D () C:\Users\STAN\Documents\- TEMP 2014-08-04 12:30 - 2014-01-16 18:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinPatrol 2014-08-04 12:30 - 2014-01-16 18:12 - 00000000 ____D () C:\ProgramData\InstallMate 2014-08-04 12:26 - 2014-08-04 12:26 - 00000000 ____D () 
C:\Users\STAN\AppData\Roaming\QFX Software 2014-08-04 12:26 - 2014-08-04 12:26 - 00000000 ____D () C:\ProgramData\QFX Software 2014-08-04 12:24 - 2014-08-04 12:24 - 00000000 ____D () C:\Program Files (x86)\Ruiware 2014-08-04 12:05 - 2014-08-04 12:05 - 00000017 _____ () C:\Users\STAN\AppData\Local\resmon.resmoncfg 2014-08-04 11:55 - 2014-08-04 11:55 - 00000000 ____D () C:\ProgramData\Oxynger 2014-08-04 11:55 - 2014-08-04 11:55 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oxynger KeyShield 2014-08-04 11:55 - 2014-08-04 11:55 - 00000000 ____D () C:\Program Files (x86)\Oxynger 2014-08-03 23:06 - 2014-01-16 15:00 - 00000000 ____D () C:\Users\STAN\Documents\Mind Maps 2014-08-01 18:52 - 2014-08-01 18:47 - 00000000 ____D () C:\Users\STAN\AppData\Roaming\XMind 2014-08-01 18:47 - 2014-08-01 18:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XMind 2014-08-01 18:47 - 2014-08-01 18:46 - 00000000 ____D () C:\Program Files (x86)\XMind 2014-08-01 11:36 - 2014-08-01 11:36 - 00002987 _____ () C:\Users\STAN\Documents\notes.nth 2014-07-31 22:16 - 2014-07-31 14:40 - 00000000 ____D () C:\Users\STAN\AppData\Local\Cyberlink 2014-07-31 20:19 - 2014-01-16 14:59 - 00000000 ____D () C:\Users\STAN\Documents\Marketing 2014-07-31 19:41 - 2014-08-22 17:16 - 00348856 _____ (Microsoft Corporation) C:\windows\system32\iedkcs32.dll 2014-07-31 19:16 - 2014-08-22 17:16 - 00307384 _____ (Microsoft Corporation) C:\windows\SysWOW64\iedkcs32.dll 2014-07-31 14:39 - 2014-07-31 14:39 - 00000000 ____D () C:\Users\STAN\Documents\CyberLink 2014-07-30 17:48 - 2009-07-14 01:08 - 00032544 _____ () C:\windows\Tasks\SCHEDLGU.TXT 2014-07-30 11:51 - 2014-01-16 17:43 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Listary 2014-07-30 11:51 - 2014-01-16 17:43 - 00000000 ____D () C:\Program Files\Listary 2014-07-30 11:51 - 2014-01-16 17:15 - 02957432 _____ ( ) C:\Users\STAN\Downloads\Listary.exe 2014-07-30 09:05 - 2014-01-16 14:30 - 00000000 
____D () C:\Program Files (x86)\Mozilla Maintenance Service 2014-07-30 09:03 - 2014-07-30 09:03 - 00000000 ____D () C:\Program Files (x86)\MOZILLA FIREFOX Some content of TEMP: ==================== C:\Users\STAN\AppData\Local\Temp\1_Offer_8.exe C:\Users\STAN\AppData\Local\Temp\6_Offer_17.exe C:\Users\STAN\AppData\Local\Temp\Checkupdate.exe C:\Users\STAN\AppData\Local\Temp\Foxit Reader Updater.exe C:\Users\STAN\AppData\Local\Temp\Foxit Updater.exe C:\Users\STAN\AppData\Local\Temp\fp_pl_pfs_installer-1.exe C:\Users\STAN\AppData\Local\Temp\fp_pl_pfs_installer.exe C:\Users\STAN\AppData\Local\Temp\gcapi_dll.dll C:\Users\STAN\AppData\Local\Temp\gtapi_signed.dll C:\Users\STAN\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe C:\Users\STAN\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe C:\Users\STAN\AppData\Local\Temp\MPX51033_MoviePlusX5_7.0.2.018_Patch-Setup.exe C:\Users\STAN\AppData\Local\Temp\optprosetup.exe C:\Users\STAN\AppData\Local\Temp\PAGEPLUS1033_12.0.3_Patch-Setup.exe C:\Users\STAN\AppData\Local\Temp\PHOTOPLUS1033_11.1.1_Patch-Setup.exe C:\Users\STAN\AppData\Local\Temp\SDL_1.dll C:\Users\STAN\AppData\Local\Temp\SDL_2.dll C:\Users\STAN\AppData\Local\Temp\vlc-2.1.3-win32.exe C:\Users\STAN\AppData\Local\Temp\vlc-2.1.5-win32.exe C:\Users\STAN\AppData\Local\Temp\xmlUpdater.exe C:\Users\STAN\AppData\Local\Temp\ZoomIt64.exe ==================== Bamital & volsnap Check ================= (There is no automatic fix for files that do not pass verification.) 
C:\Windows\System32\winlogon.exe => File is digitally signed C:\Windows\System32\wininit.exe => File is digitally signed C:\Windows\SysWOW64\wininit.exe => File is digitally signed C:\Windows\explorer.exe => File is digitally signed C:\Windows\SysWOW64\explorer.exe => File is digitally signed C:\Windows\System32\svchost.exe => File is digitally signed C:\Windows\SysWOW64\svchost.exe => File is digitally signed C:\Windows\System32\services.exe => File is digitally signed C:\Windows\System32\User32.dll => File is digitally signed C:\Windows\SysWOW64\User32.dll => File is digitally signed C:\Windows\System32\userinit.exe => File is digitally signed C:\Windows\SysWOW64\userinit.exe => File is digitally signed C:\Windows\System32\rpcss.dll => File is digitally signed C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed LastRegBack: 2014-08-19 09:46 ==================== End Of Log ============================ TDSSKiller.3.0.0.40_26.08.2014_12.41.42_log.txt TDSSKiller.3.0.0.40_26.08.2014_13.02.58_log.txt
  14. MALWARE AppInit_DLLs: C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll => C:\Program Files (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll File Not Found AppInit_DLLs-x32: c:\program files (x86)\searchprotect\searchprotect\bin\spvc32loader.dll => "c:\program files (x86)\searchprotect\searchprotect\bin\spvc32loader.dll" File Not Found SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS SearchScopes: HKLM-x32 - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=IE9TR&src=IE9TR&pc=CMNTDFJS FF Extension: No Name - C:\Users\STAN\AppData\Roaming\Mozilla\Firefox\Profiles\th956u7p.default\Extensions\staged [2014-01-16] FF Extension: No Name - C:\Users\STAN\AppData\Roaming\Mozilla\Firefox\Profiles\th956u7p.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2014-05-11] FF HKLM-x32\...\Firefox\Extensions: [otis@digitalpersona.com] - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt FF Extension: DigitalPersona Extension - c:\Program Files (x86)\Hewlett-Packard\HP ProtectTools Security Manager\Bin\FirefoxExt AlternateDataStreams: C:\Users\STAN\Documents\picked fresh.png:Roxio EMC Stream # AdwCleaner v3.308 - Report created 26/08/2014 at 06:49:55 # Updated 20/08/2014 
by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : STAN - STAN-HP
# Running from : C:\Users\STAN\Desktop\MALWARE\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\Users\STAN\AppData\Local\Temp\NetCrawl
Folder Deleted : C:\Users\STAN\Documents\Optimizer Pro
File Deleted : C:\Users\STAN\AppData\Roaming\Mozilla\Firefox\Profiles\th956u7p.default\user.js

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{74F475FA-6C75-43BD-AAB9-ECDA6184F600}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchProtectINT_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SearchProtectINT_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - (x86)\searchprotect\searchprotect\bin\spvc32loader.dll
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - (x86)\SearchProtect\SearchProtect\bin\SPVC64Loader.dll

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17239

-\\ Mozilla Firefox v31.0 (x86 en-US)

[ File : C:\Users\STAN\AppData\Roaming\Mozilla\Firefox\Profiles\th956u7p.default\prefs.js ]

Line Deleted : user_pref("CT3220468_Firefox.csv", "[{\"from\":\"Abs Layer\",\"action\":\"loading toolbar\",\"time\":1363231721759,\"isWithState\":\"\",\"timeFromStart\":0,\"timeFromPrev\":0}]");
Line Deleted : user_pref("extensions.asktb.cbid", "F3");
Line Deleted : user_pref("extensions.asktb.default-channel-url-mask", "hxxp://www.ask.com/web?q={query}&o={o}&l={l}&qsrc={qsrc}");
Line Deleted : user_pref("extensions.asktb.dtid", "YYYYYYYYUS");
Line Deleted : user_pref("extensions.asktb.first-launch-url", "hxxp://secunia.com/PSISetup.exe");
Line Deleted : user_pref("extensions.asktb.fresh-install", false);
Line Deleted : user_pref("extensions.asktb.l", "dis");
Line Deleted : user_pref("extensions.asktb.last-config-req", "1287521331554");
Line Deleted : user_pref("extensions.asktb.locale", "en_US");
Line Deleted : user_pref("extensions.asktb.o", "101703");
Line Deleted : user_pref("extensions.asktb.overlay-reloaded-using-restart", true);
Line Deleted : user_pref("extensions.asktb.qsrc", "2871");
Line Deleted : user_pref("extensions.asktb.r", "2");
Line Deleted : user_pref("extensions.asktb.search-suggestions-enabled", true);
Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !important; background: url(\"I[...]
Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
Line Deleted : user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-repeat}");
Line Deleted : user_pref("smartbar.machineId", "KPJH+WVMC4AYZ0SJWKLGJZSNYFARDAR8VVUIY5SJTBGS+9E44HAJGLJYWY0YQTNWCEBAL/KZZBBQGWPY1Y72HG");
Line Deleted : user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.name", "StartNow Toolbar");

-\\ Google Chrome v36.0.1985.143

[ File : C:\Users\STAN\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Extension] : mkndcbhcgphcfkkddanakjiepeknbgle

*************************

AdwCleaner[R0].txt - [4653 octets] - [26/08/2014 06:44:01]
AdwCleaner[S0].txt - [4644 octets] - [26/08/2014 06:49:55]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4704 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Professional x64
Ran by STAN on Tue 08/26/2014 at 6:59:34.92
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ FireFox

Successfully deleted: [File] C:\Users\STAN\AppData\Roaming\mozilla\firefox\profiles\th956u7p.default\searchplugins\bing-zugo.xml
Successfully deleted: [Folder] C:\Users\STAN\AppData\Roaming\mozilla\firefox\profiles\th956u7p.default\extensions\staged
Successfully deleted the following from C:\Users\STAN\AppData\Roaming\mozilla\firefox\profiles\th956u7p.default\prefs.js

user_pref("{5911488E-9D1E-40ec-8CBB-06B231CC153F}.update_url", "hxxp://tbupdate.zugo.com/ztb/update?partner_id={partner_id}&product_id={product_id}&affiliate_id={affiliate_id}

Emptied folder: C:\Users\STAN\AppData\Roaming\mozilla\firefox\profiles\th956u7p.default\minidumps [254 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 08/26/2014 at 7:04:01.37
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/26/2014
Scan Time: 7:12:57 AM
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.08.26.01
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: STAN

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 307146
Time Elapsed: 13 min, 2 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

  15. > I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

I am impressed MrC. And I most certainly appreciate your help. Here are reports as requested.

Stan

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/25/2014
Scan Time: 5:52:55 PM
Logfile: mbam scan.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.08.25.05
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: STAN

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 307737
Time Elapsed: 13 min, 33 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

RogueKiller V9.2.8.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : STAN [Admin rights]
Mode : Scan -- Date : 08/25/2014 18:58:25

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SessionLauncher -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SessionLauncher -> FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SessionLauncher -> FOUND
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2814820857-3032417316-13908079-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2814820857-3032417316-13908079-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> FOUND

¤¤¤ Scheduled tasks : 4 ¤¤¤
[Suspicious.Path] WpsNotifyTask_STAN.job -- C:\Users\STAN\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsnotify.exe (-from=task) -> FOUND
[Suspicious.Path] WpsUpdateTask_STAN.job -- C:\Users\STAN\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsupdate.exe (-from=task) -> FOUND
[Suspicious.Path] \\WpsNotifyTask_STAN -- C:\Users\STAN\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsnotify.exe (-from=task) -> FOUND
[Suspicious.Path] \\WpsUpdateTask_STAN -- C:\Users\STAN\AppData\Local\Kingsoft\Kingsoft Office\9.1.0.4746\wtoolex\wpsupdate.exe (-from=task) -> FOUND

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: LOADED) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS725050A7E630 +++++
--- User ---
[MBR] 284a1ee3e4c30c4a82dc818309b756e4
[BSP] 70779bed7b6d1bb3b5483872a0761431 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 300 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 616448 | Size: 454685 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 931811328 | Size: 19903 MB
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 972572672 | Size: 2043 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: TOSHIBA External USB 3.0 USB Device +++++
--- User ---
[MBR] 364e4b7c5e95bd6080c9b2c69063cc3f
[BSP] 2db36b1844f9f22fbcd4aa00f3c9fd2b : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476937 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_SCN_08252014_184619.log