
Hi,

(1) An MBAM Quick scan found the following "malicious software" running on my Windows 7 computer:

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Delete on reboot.

(2) In the MBAM results Window, I clicked first on the "Remove Selected" button, then on the "Click Yes to restart now" button. After the computer restarted, a second Quick scan produced the same positive result. Repeating this cycle of scan-delete-restart a few times produced the same result each time.

(3) An internet search showed that when MBAM has found these so-called "PUMs" on others' computers, they were unable to open Regedit or Task Manager. However, I have continued to be able to open both.

(4) Furthermore, I have had no symptoms of infection. Windows, IE, and all the other programs I have been using, were functioning properly before MBAM found the "malicious software," and continue to. I have Norton Antivirus running, as my real-time AV program, together with Windows Defender and Windows firewall. I regularly scan with MBAM, MS Safety Scanner, SuperAntiSpyware, and have recently added, as on-demand scanners, ESET Online Scanner, Hitman Pro, Kaspersky TDSSKiller, and Trend Micro Housecall. Apart from MBAM's report of OpenCandy whenever I update FreeFileSync, I have never had either a report of malware, or an actual infection that I have known about, in the two years since I bought the computer.

(5) After MBAM was unable to remove the PUMs, I opened Regedit and found the following values:

HKCU . . . DisableRegedit
HKCU . . . DisableRegistryTools
HKCU . . . DisableTaskMgr
HKLM . . . DisableRegedit
HKLM . . . DisableRegistryTools

This same set of values appeared in Regedit for the regular user account, for the regular administrator account, and for the backup administrator account.

(6) In both administrator accounts I was able to delete all these values. In the regular user account, I was able to delete the two values only in HKLM. This leaves the three HKCU values in the regular user account. Windows refuses permission to delete them, even though I have tried every tweak of Ownership and Permissions for the sub-key.

My questions are: (A) How do I delete the three values in the registry for the regular user account? And (B) Do I need to do something more, in order to ensure that these PUMs are not symptoms of an infection that remains to be dealt with?

Thank you for your kind attention to this matter.
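As an added example (not from this thread, Malwarebytes or FRST), the following PowerShell audit script enumerates the same Policies\System values the poster found, across HKLM and every loaded user hive (each signed-in account's HKCU is reachable under HKEY_USERS\<SID>, which is how an administrator can inspect the regular user's values from an elevated session), reports whether each value is actually enforcing (non-zero) or inert (0, as in the MBAM report above), and removes them only when run with -Remove. The hive and value names come from the thread; the script's parameter and variable names are my own.

```powershell
<#
  Audit (and optionally remove) the Policies\System values that MBAM reports
  as PUM (Hijack.Regedit and the like). Added example, not from the thread.
  Run from an elevated PowerShell so that HKLM and every loaded user hive
  under HKEY_USERS can be read. Supports -WhatIf when -Remove is given.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this switch the script only reports
)

# Value names seen in the thread; all live under the same policy sub-key.
$PolicyValues = 'DisableRegedit', 'DisableRegistryTools', 'DisableTaskMgr'
$SubKey       = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Expose HKEY_USERS so every loaded user hive is reachable, not just the
# HKCU of the account running the script.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# HKLM plus each loaded user hive (the *_Classes sub-hives carry no policy).
$Hives = @('HKLM:') + (Get-ChildItem HKU:\ |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })

$Findings = foreach ($hive in $Hives) {
    $key = Join-Path $hive $SubKey
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $PolicyValues) {
        if ($null -eq $props.$name) { continue }
        $data = [int]$props.$name
        [pscustomobject]@{
            Hive     = $hive
            Value    = $name
            Data     = $data
            # A non-zero value blocks the tool; 0 is present but inert,
            # which is why the tools still open although the scanner flags it.
            Enforced = ($data -ne 0)
        }
    }
}

if (-not $Findings) { Write-Host 'No policy restrictions found.'; return }
$Findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in $Findings) {
        $key = Join-Path $f.Hive $SubKey
        if ($PSCmdlet.ShouldProcess("$key\$($f.Value)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $key -Name $f.Value
        }
    }
}
```

Run it once without -Remove to see which hives carry the values and whether any are enforcing, then with `-Remove -WhatIf` to preview the deletions before committing them.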

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Kevin

Hi Kevin,

Thank you for helping me.

(BTW - I am in the US Pacific time zone.)

Per your request, the Farbar Recovery Scan Tool file FRST.txt is copy-pasted below, and the file Addition.txt is attached.

Robin

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by Robin (ATTENTION: The logged in user is not administrator) on ROBIN-HP on 05-10-2013 16:00:34
Running from C:\Users\Robin\Downloads\Farbar Rcvry Scan Tool_Oct13\Download
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieCtrl.exe
(Finkit d.o.o.) C:\Users\Robin\Downloads\ManicTime_Jun13_Portable\ManicTimeUsb\ManicTime.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files (x86)\EMET 4.0\EMET_Agent.exe
(Advanced Micro Devices Inc.) c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SandboxieRpcSs.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SandboxieCrypto.exe
(Abine Inc.) C:\Program Files (x86)\DoNotTrackPlus\IE\DNTPService.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKCU\...\Run: [sandboxieControl] - C:\Program Files\Sandboxie\SbieCtrl.exe [759384 2013-07-08] (Sandboxie Holdings, LLC)
HKCU\...\Run: [ManicTime] - C:\Users\Robin\Downloads\ManicTime_Jun13_Portable\ManicTimeUsb\ManicTime.exe [250120 2013-09-06] (Finkit d.o.o.)
HKCU\...\Run: [sUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6588144 2013-10-03] (SUPERAntiSpyware)
HKCU\...\Winlogon: [shell] Explorer.exe <==== ATTENTION
HKCU\...\Policies\Explorer: [NoSetActiveDesktop] 0
HKLM-x32\...\Run: [startCCC] - c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-05-12] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation)
HKLM-x32\...\Run: [EMET Agent] - C:\Program Files (x86)\EMET 4.0\EMET_agent.exe [78496 2013-06-14] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/CQDSK/1
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=CPDTDF
SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPDTDF
SearchScopes: HKLM - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM - {FA0D16A8-431F-4392-BD08-9C441800A074} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=CPDTDF
SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPDTDF
SearchScopes: HKLM-x32 - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 - {FA0D16A8-431F-4392-BD08-9C441800A074} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKCU - DefaultScope {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=SWL&chn=&geo=US&ver=2
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=CPDTDF
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=SWL&chn=&geo=US&ver=2
SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPDTDF
SearchScopes: HKCU - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKCU - {FA0D16A8-431F-4392-BD08-9C441800A074} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Do Not Track Me - {6E45F3E8-2683-4824-A6BE-08108022FB36} - C:\Program Files (x86)\DoNotTrackPlus\IE\DNTPAddon.dll (Abine Inc)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
BHO-x32: Norton Safe Web Lite BHO - {F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\coIEPlg.dll (Symantec Corporation)
Toolbar: HKLM-x32 - Norton Safe Web Lite - {30CEEEA2-3742-40e4-85DD-812BF1CBB83D} - C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU -  No Name - {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} -  No File
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab
DPF: HKLM-x32 {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect1263.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -  No File
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
Tcpip\..\Interfaces\{75C2E03F-A082-459A-80ED-F54B2D493FB3}: [NameServer]192.168.1.254

==================== Services (Whitelisted) =================

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [143120 2013-05-23] (SUPERAntiSpyware.com)
R2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 NAV; C:\Program Files (x86)\Norton AntiVirus\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation)
R2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 NSL; C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe [138760 2011-08-10] (Symantec Corporation)
R2 nvda; C:\Program Files (x86)\NVDA\nvda_service.exe [40040 2013-05-17] (NV Access Limited)
R2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [409720 2013-06-28] ()
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [183896 2013-07-08] (Sandboxie Holdings, LLC)

==================== Drivers (Whitelisted) ====================

R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\BASHDefs\20130924.001\BHDrvx64.sys [1525848 2013-09-23] (Symantec Corporation)
R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\BASHDefs\20130924.001\BHDrvx64.sys [1525848 2013-09-23] (Symantec Corporation)
R1 ccSet_NAV; C:\Windows\system32\drivers\NAVx64\1404000.028\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation)
R1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\0200000.010\ccSetx64.sys [167048 2011-08-08] (Symantec Corporation)
S3 CpqDfw; C:\Windows\System32\drivers\CpqDfw.sys [27456 2012-05-29] (Windows ® Codename Longhorn DDK provider)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-09-11] (Symantec Corporation)
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-09-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [140376 2013-08-26] (Symantec Corporation)
R1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\IPSDefs\20131004.001\IDSvia64.sys [520280 2013-08-20] (Symantec Corporation)
R1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\IPSDefs\20131004.001\IDSvia64.sys [520280 2013-08-20] (Symantec Corporation)
S3 libusb0; C:\Windows\System32\drivers\libusb0.sys [29184 2011-11-23] (http://libusb-win32.sourceforge.net)
R3 Linksys_adapter_H; C:\Windows\System32\DRIVERS\AE2500w764.sys [1254464 2011-03-30] (Broadcom Corporation)
R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20131005.007\ENG64.SYS [126040 2013-10-03] (Symantec Corporation)
R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20131005.007\ENG64.SYS [126040 2013-10-03] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20131005.007\EX64.SYS [2099288 2013-10-03] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20131005.007\EX64.SYS [2099288 2013-10-03] (Symantec Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [199384 2013-07-08] (Sandboxie Holdings, LLC)
R3 SRTSP; C:\Windows\System32\Drivers\NAVx64\1404000.028\SRTSP64.SYS [796760 2013-05-15] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NAVx64\1404000.028\SRTSPX64.SYS [36952 2013-03-04] (Symantec Corporation)
R0 SymDS; C:\Windows\System32\drivers\NAVx64\1404000.028\SYMDS64.SYS [493656 2013-05-20] (Symantec Corporation)
R0 SymEFA; C:\Windows\System32\drivers\NAVx64\1404000.028\SYMEFA64.SYS [1139800 2013-05-22] (Symantec Corporation)
R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-06-17] (Symantec Corporation)
R1 SymIRON; C:\Windows\system32\drivers\NAVx64\1404000.028\Ironx64.SYS [224416 2013-03-04] (Symantec Corporation)
R1 SymNetS; C:\Windows\System32\Drivers\NAVx64\1404000.028\SYMNETS.SYS [433752 2013-04-24] (Symantec Corporation)
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-05 16:00 - 2013-10-05 16:00 - 00000000 ____D C:\FRST
2013-10-05 14:48 - 2013-10-05 14:50 - 00000000 ____D C:\Users\Robin\Downloads\Farbar Rcvry Scan Tool_Oct13
2013-10-04 01:02 - 2013-10-05 13:49 - 00000616 _____ C:\Windows\setupact.log
2013-10-04 01:02 - 2013-10-04 01:02 - 00000000 _____ C:\Windows\setuperr.log
2013-10-03 18:45 - 2013-10-03 19:04 - 00000000 ____D C:\Users\Robin\Downloads\SuperAntiSpyware_Jul13
2013-10-01 15:34 - 2013-10-01 15:34 - 00002147 _____ C:\Users\Public\Desktop\HP Support Assistant.lnk
2013-10-01 15:30 - 2013-10-01 15:30 - 00000000 ____D C:\ProgramData\{9BF4D58B-C6D6-467B-BC5A-FD0C1278F4AF}
2013-10-01 15:28 - 2013-10-01 15:32 - 00000000 ____D C:\Users\RobinAdmin\AppData\Roaming\hpqLog
2013-10-01 14:58 - 2013-10-01 18:02 - 00000000 ____D C:\Users\Robin\Downloads\HP Support Asst_Pre-Installed
2013-10-01 12:51 - 2013-10-01 12:52 - 00104702 _____ C:\Users\Robin\Documents\2013-10-01 PrimaryDatabase.kdbx
2013-09-30 00:13 - 2013-09-30 00:13 - 00001240 _____ C:\Users\Robin\Desktop\misc-janice.rtf - Shortcut.lnk
2013-09-28 21:36 - 2013-09-28 22:08 - 00000000 ____D C:\Users\Robin\Desktop\GUMPS-2-copy
2013-09-27 17:13 - 2013-09-27 17:14 - 00000000 ____D C:\Program Files (x86)\Microsoft Rich Tools
2013-09-27 16:40 - 2013-09-27 17:08 - 00000000 ____D C:\Users\Robin\Downloads\RichCopy
2013-09-26 15:26 - 2013-09-26 16:22 - 00000000 ____D C:\Users\Robin\Downloads\CCleaner_Jul13
2013-09-25 16:33 - 2013-09-25 16:33 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinCDEmu
2013-09-25 16:29 - 2013-09-25 16:29 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IrfanView
2013-09-25 16:27 - 2013-09-25 16:27 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeFileSync
2013-09-25 16:13 - 2013-09-25 16:13 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EPIM
2013-09-25 16:08 - 2013-09-25 16:09 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Macrium Reflect
2013-09-25 15:31 - 2013-09-25 16:49 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV
2013-09-25 15:12 - 2013-09-25 15:12 - 00000000 ____D C:\Program Files (x86)\BurnAware Free
2013-09-25 14:10 - 2013-09-25 14:34 - 00000000 ____D C:\Users\Robin\Downloads\BurnAware Free_May13
2013-09-24 20:59 - 2013-10-03 19:47 - 00000000 ____D C:\Users\RobinAdmin\AppData\Roaming\QuickScan
2013-09-21 21:12 - 2013-09-21 21:12 - 00003784 _____ C:\{715BDB84-5996-4A9F-A8A7-3D070DA8A21D}
2013-09-21 16:35 - 2013-09-21 16:35 - 00003720 _____ C:\{F9A1C52E-50E1-4547-BE69-5875A0830EBC}
2013-09-21 16:25 - 2013-09-21 16:25 - 00003416 _____ C:\{67EBFB47-E37D-4A8A-BD84-913826C69132}
2013-09-18 23:03 - 2013-10-05 15:42 - 00000000 ____D C:\Users\Robin\Downloads\Hitman Pro_Sep13
2013-09-18 22:52 - 2013-09-19 21:30 - 00000000 ____D C:\Program Files\HitmanPro
2013-09-18 22:47 - 2013-09-18 22:55 - 00000000 ____D C:\ProgramData\HitmanPro
2013-09-18 22:00 - 2013-09-18 22:00 - 00000000 ____D C:\Users\RobinAdmin\AppData\Roaming\ArcaVirMicroScan
2013-09-18 14:42 - 2013-09-18 20:05 - 00000000 ____D C:\Users\Robin\Downloads\NET FW Verif_Sep13_Portable
2013-09-14 20:53 - 2013-09-14 20:55 - 00041984 ___SH C:\Users\Robin\AppData\Roaming\Thumbs.db
2013-09-14 20:53 - 2013-09-14 20:53 - 00001247 _____ C:\Users\Robin\AppData\Roaming\Roaming - Shortcut.lnk
2013-09-12 22:12 - 2013-09-12 22:12 - 00000000 _____ C:\Windows\SysWOW64\shoE63C.tmp
2013-09-11 15:50 - 2013-09-11 16:30 - 00000000 ____D C:\Users\Robin\Downloads\EssentialPIM_Sep12
2013-09-10 15:27 - 2013-08-09 22:22 - 02241024 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-09-10 15:27 - 2013-08-09 22:22 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-09-10 15:27 - 2013-08-09 22:22 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-09-10 15:27 - 2013-08-09 22:21 - 19246592 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-09-10 15:27 - 2013-08-09 22:21 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-09-10 15:27 - 2013-08-09 22:21 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-09-10 15:27 - 2013-08-09 22:20 - 15404544 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-09-10 15:27 - 2013-08-09 22:20 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-09-10 15:27 - 2013-08-09 22:20 - 02647040 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-09-10 15:27 - 2013-08-09 22:20 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-09-10 15:27 - 2013-08-09 22:20 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-09-10 15:27 - 2013-08-09 22:20 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-09-10 15:27 - 2013-08-09 22:20 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-09-10 15:27 - 2013-08-09 22:20 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-09-10 15:27 - 2013-08-09 20:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-09-10 15:27 - 2013-08-09 20:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-09-10 15:27 - 2013-08-09 20:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-09-10 15:27 - 2013-08-09 20:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-09-10 15:27 - 2013-08-09 20:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-09-10 15:27 - 2013-08-09 20:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-09-10 15:27 - 2013-08-09 20:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-09-10 15:27 - 2013-08-09 20:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-09-10 15:27 - 2013-08-09 20:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-09-10 15:27 - 2013-08-09 20:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-09-10 15:27 - 2013-08-09 20:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-09-10 15:27 - 2013-08-09 20:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-09-10 15:27 - 2013-08-09 20:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-09-10 15:27 - 2013-08-09 20:17 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-09-10 15:27 - 2013-08-09 20:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-09-10 15:27 - 2013-08-09 19:27 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-09-10 15:27 - 2013-08-09 19:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-09-10 14:54 - 2013-08-01 19:23 - 05550528 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2013-09-10 14:54 - 2013-08-01 19:15 - 01732032 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2013-09-10 14:54 - 2013-08-01 19:15 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2013-09-10 14:54 - 2013-08-01 19:15 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2013-09-10 14:54 - 2013-08-01 19:15 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2013-09-10 14:54 - 2013-08-01 19:14 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2013-09-10 14:54 - 2013-08-01 19:14 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2013-09-10 14:54 - 2013-08-01 19:13 - 01161216 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2013-09-10 14:54 - 2013-08-01 19:13 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 19:12 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:59 - 03968960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2013-09-10 14:54 - 2013-08-01 18:59 - 03913664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2013-09-10 14:54 - 2013-08-01 18:51 - 01292192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2013-09-10 14:54 - 2013-08-01 18:50 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2013-09-10 14:54 - 2013-08-01 18:50 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2013-09-10 14:54 - 2013-08-01 18:50 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 18:09 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2013-09-10 14:54 - 2013-08-01 17:59 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2013-09-10 14:54 - 2013-08-01 17:45 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2013-09-10 14:54 - 2013-08-01 17:45 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2013-09-10 14:54 - 2013-08-01 17:45 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2013-09-10 14:54 - 2013-08-01 17:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2013-09-10 14:54 - 2013-08-01 17:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 17:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 17:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2013-09-10 14:54 - 2013-08-01 17:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2013-09-10 14:53 - 2013-08-07 18:20 - 03155456 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-09-10 14:53 - 2013-08-04 19:25 - 00155584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ataport.sys
2013-09-10 14:53 - 2013-07-25 19:24 - 14172672 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2013-09-10 14:53 - 2013-07-25 19:24 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\shdocvw.dll
2013-09-10 14:53 - 2013-07-25 18:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-09-10 14:53 - 2013-07-25 18:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-09-06 18:28 - 2013-09-06 19:03 - 00000000 ____D C:\Users\Robin\Downloads\ManicTime_Jun13_Portable
2013-09-05 20:35 - 2013-09-05 21:16 - 00000000 ____D C:\Users\Robin\Downloads\FreeFileSync_Mar13_Portable

==================== One Month Modified Files and Folders =======

2013-10-05 16:00 - 2013-10-05 16:00 - 00000000 ____D C:\FRST
2013-10-05 15:50 - 2013-02-05 19:31 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-05 15:42 - 2013-09-18 23:03 - 00000000 ____D C:\Users\Robin\Downloads\Hitman Pro_Sep13
2013-10-05 15:35 - 2012-04-04 20:25 - 00000000 ____D C:\Users\Robin\AppData\Roaming\PrimoPDF
2013-10-05 15:34 - 2012-03-22 18:58 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-05 15:26 - 2009-07-13 21:45 - 00024608 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-05 15:26 - 2009-07-13 21:45 - 00024608 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-05 15:18 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\tracing
2013-10-05 14:50 - 2013-10-05 14:48 - 00000000 ____D C:\Users\Robin\Downloads\Farbar Rcvry Scan Tool_Oct13
2013-10-05 14:21 - 2011-11-18 07:49 - 01710806 _____ C:\Windows\WindowsUpdate.log
2013-10-05 14:17 - 2013-07-18 23:17 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2013-10-05 13:50 - 2012-03-22 18:58 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-05 13:49 - 2013-10-04 01:02 - 00000616 _____ C:\Windows\setupact.log
2013-10-05 13:49 - 2011-11-17 23:59 - 00065536 _____ C:\Windows\system32\Ikeext.etl
2013-10-05 13:49 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-05 00:29 - 2011-11-23 00:47 - 00000000 ____D C:\Users\Robin\AppData\Local\CrashDumps
2013-10-05 00:11 - 2013-07-08 20:38 - 00000000 ____D C:\Users\Robin\Downloads\Malwarebytes_Oct12
2013-10-05 00:07 - 2013-07-18 20:51 - 00000000 ____D C:\Users\Robin\AppData\Local\DoNotTrackPlus
2013-10-04 22:32 - 2013-08-20 21:13 - 00000000 ____D C:\Users\Robin\Downloads\OTL_per scan
2013-10-04 01:02 - 2013-10-04 01:02 - 00000000 _____ C:\Windows\setuperr.log
2013-10-04 00:13 - 2011-02-11 10:00 - 00000000 ____D C:\Windows\Panther
2013-10-03 22:37 - 2013-07-04 22:57 - 00000949 _____ C:\Users\Robin\AppData\Roaming\burnaware.ini
2013-10-03 22:02 - 2013-01-01 22:46 - 00000000 ____D C:\Windows\Minidump
2013-10-03 22:02 - 2011-11-19 15:12 - 00000000 ___DC C:\Users\Robin\AppData\Local\MigWiz
2013-10-03 19:47 - 2013-09-24 20:59 - 00000000 ____D C:\Users\RobinAdmin\AppData\Roaming\QuickScan
2013-10-03 19:04 - 2013-10-03 18:45 - 00000000 ____D C:\Users\Robin\Downloads\SuperAntiSpyware_Jul13
2013-10-03 18:35 - 2013-07-19 03:02 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-10-02 21:22 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\system32\NDF
2013-10-01 20:27 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\rescache
2013-10-01 19:54 - 2012-08-23 23:18 - 00000332 _____ C:\Windows\Tasks\HPCeeScheduleForRobin.job
2013-10-01 18:02 - 2013-10-01 14:58 - 00000000 ____D C:\Users\Robin\Downloads\HP Support Asst_Pre-Installed
2013-10-01 17:53 - 2013-03-28 17:35 - 00000000 ____D C:\Users\Robin\Archive
2013-10-01 17:48 - 2013-02-08 00:46 - 00000000 ____D C:\Users\Robin\Downloads\HP Product Detection
2013-10-01 17:31 - 2011-11-25 18:29 - 00000000 ____D C:\Users\Robin\AppData\Roaming\HpUpdate
2013-10-01 17:17 - 2012-03-25 16:10 - 00000000 ____D C:\Users\Robin\AppData\Roaming\EssentialPIM
2013-10-01 15:43 - 2011-07-23 16:01 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2013-10-01 15:43 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\Help
2013-10-01 15:34 - 2013-10-01 15:34 - 00002147 _____ C:\Users\Public\Desktop\HP Support Assistant.lnk
2013-10-01 15:33 - 2011-07-23 15:59 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2013-10-01 15:32 - 2013-10-01 15:28 - 00000000 ____D C:\Users\RobinAdmin\AppData\Roaming\hpqLog
2013-10-01 15:30 - 2013-10-01 15:30 - 00000000 ____D C:\ProgramData\{9BF4D58B-C6D6-467B-BC5A-FD0C1278F4AF}
2013-10-01 15:28 - 2011-02-11 09:32 - 00000000 ____D C:\SWSETUP
2013-10-01 12:52 - 2013-10-01 12:51 - 00104702 _____ C:\Users\Robin\Documents\2013-10-01 PrimaryDatabase.kdbx
2013-09-30 22:18 - 2013-04-09 17:49 - 00000000 ____D C:\Users\Robin\Desktop\JANICE-FINAL-SAVE-ANIM-FACT
2013-09-30 17:09 - 2012-07-30 19:21 - 00000000 ____D C:\Users\Robin\Downloads\KeePass_Sep12_Port
2013-09-30 00:13 - 2013-09-30 00:13 - 00001240 _____ C:\Users\Robin\Desktop\misc-janice.rtf - Shortcut.lnk
2013-09-29 21:49 - 2009-07-13 22:13 - 00779724 _____ C:\Windows\system32\PerfStringBackup.INI
2013-09-29 21:20 - 2013-05-16 22:48 - 00011196 _____ C:\Windows\Sandboxie.ini
2013-09-28 22:08 - 2013-09-28 21:36 - 00000000 ____D C:\Users\Robin\Desktop\GUMPS-2-copy
2013-09-27 22:54 - 2013-06-05 21:50 - 00000000 ____D C:\Users\Robin\BU Versions Storage
2013-09-27 22:48 - 2013-03-29 15:56 - 00000000 ____D C:\Users\Robin\BU
2013-09-27 22:48 - 2013-03-24 00:27 - 00000000 ____D C:\Users\Robin\Documents\Periodical Articles
2013-09-27 22:48 - 2013-03-23 22:55 - 00000000 ____D C:\Users\Robin\Documents\My Internet
2013-09-27 22:48 - 2012-11-27 22:36 - 00000000 ____D C:\Users\Robin\Documents\Symantec
2013-09-27 22:48 - 2012-06-01 13:41 - 00000000 ____D C:\Users\Robin\Directory Printouts
2013-09-27 22:48 - 2012-02-21 22:47 - 00000000 ____D C:\Users\Robin\Documents\My Kindle Content
2013-09-27 22:48 - 2011-12-07 21:22 - 00000000 ____D C:\Users\Robin\Documents\Business
2013-09-27 22:48 - 2011-12-02 18:59 - 00000000 ____D C:\Users\Robin\Documents\Personal
2013-09-27 22:48 - 2011-12-02 18:59 - 00000000 ____D C:\Users\Robin\Documents\Literature et al
2013-09-27 22:48 - 2011-12-02 18:58 - 00000000 ____D C:\Users\Robin\Documents\Household
2013-09-27 22:48 - 2011-11-19 23:43 - 00000000 ____D C:\Users\Robin\Documents\My Computer
2013-09-27 22:40 - 2013-07-14 01:29 - 00000000 ____D C:\Users\Robin\BU Versions Storage_OLD
2013-09-27 21:17 - 2012-07-19 16:33 - 00000000 ____D C:\Users\RobinAdmin\AppData\Roaming\PrimoPDF
2013-09-27 21:06 - 2012-07-06 00:53 - 00000000 ____D C:\Users\RobinAdmin
2013-09-27 21:04 - 2011-11-17 16:51 - 00000000 ____D C:\Users\Robin
2013-09-27 17:39 - 2013-01-12 23:35 - 00000000 ____D C:\Users\Robin\Downloads\DOWNLOAD FOLDER
2013-09-27 17:14 - 2013-09-27 17:13 - 00000000 ____D C:\Program Files (x86)\Microsoft Rich Tools
2013-09-27 17:08 - 2013-09-27 16:40 - 00000000 ____D C:\Users\Robin\Downloads\RichCopy
2013-09-26 16:22 - 2013-09-26 15:26 - 00000000 ____D C:\Users\Robin\Downloads\CCleaner_Jul13
2013-09-26 16:13 - 2013-07-12 21:25 - 00000000 ____D C:\Program Files\CCleaner
2013-09-25 22:39 - 2013-08-24 17:36 - 00000000 ____D C:\Users\Robin\Downloads\TestDisk_Aug13_Portable
2013-09-25 16:49 - 2013-09-25 15:31 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AV
2013-09-25 16:44 - 2012-07-09 22:32 - 00000000 ____D C:\Users\Robin\AppData\Local\Windows Live
2013-09-25 16:33 - 2013-09-25 16:33 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinCDEmu
2013-09-25 16:29 - 2013-09-25 16:29 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IrfanView
2013-09-25 16:27 - 2013-09-25 16:27 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FreeFileSync
2013-09-25 16:26 - 2012-06-01 23:37 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PDF & Screenshots
2013-09-25 16:25 - 2012-08-22 12:59 - 00000000 ___RD C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\E-readers and Document Viewers
2013-09-25 16:25 - 2012-06-02 00:03 - 00000000 ___RD C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Utilities
2013-09-25 16:23 - 2012-06-01 23:02 - 00000000 ___RD C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
2013-09-25 16:22 - 2012-06-01 22:56 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Clocks & Watches
2013-09-25 16:21 - 2011-11-17 16:51 - 00000000 ___RD C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2013-09-25 16:20 - 2013-05-31 18:35 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Time Management
2013-09-25 16:17 - 2012-06-01 23:56 - 00000000 ___RD C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Scan & Fax
2013-09-25 16:13 - 2013-09-25 16:13 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EPIM
2013-09-25 16:09 - 2013-09-25 16:08 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Macrium Reflect
2013-09-25 16:03 - 2012-06-02 13:42 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security
2013-09-25 15:12 - 2013-09-25 15:12 - 00000000 ____D C:\Program Files (x86)\BurnAware Free
2013-09-25 14:34 - 2013-09-25 14:10 - 00000000 ____D C:\Users\Robin\Downloads\BurnAware Free_May13
2013-09-23 21:23 - 2013-01-04 19:19 - 00000000 ____D C:\Users\Robin\Downloads\MS Safety Scanner_per scan
2013-09-21 21:12 - 2013-09-21 21:12 - 00003784 _____ C:\{715BDB84-5996-4A9F-A8A7-3D070DA8A21D}
2013-09-21 20:26 - 2012-06-01 23:57 - 00000000 ___RD C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spreadsheets & Math
2013-09-21 16:35 - 2013-09-21 16:35 - 00003720 _____ C:\{F9A1C52E-50E1-4547-BE69-5875A0830EBC}
2013-09-21 16:25 - 2013-09-21 16:25 - 00003416 _____ C:\{67EBFB47-E37D-4A8A-BD84-913826C69132}
2013-09-19 21:30 - 2013-09-18 22:52 - 00000000 ____D C:\Program Files\HitmanPro
2013-09-19 14:51 - 2013-02-05 19:31 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-09-19 14:51 - 2013-02-05 19:31 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-09-18 22:55 - 2013-09-18 22:47 - 00000000 ____D C:\ProgramData\HitmanPro
2013-09-18 22:00 - 2013-09-18 22:00 - 00000000 ____D C:\Users\RobinAdmin\AppData\Roaming\ArcaVirMicroScan
2013-09-18 20:05 - 2013-09-18 14:42 - 00000000 ____D C:\Users\Robin\Downloads\NET FW Verif_Sep13_Portable
2013-09-17 19:14 - 2012-10-17 15:13 - 00000000 ____D C:\Users\Robin\Downloads\New
2013-09-15 22:00 - 2013-08-31 19:52 - 00000000 ____D C:\Users\Robin\Downloads\Trend Micro Housecall_Aug13
2013-09-14 20:55 - 2013-09-14 20:53 - 00041984 ___SH C:\Users\Robin\AppData\Roaming\Thumbs.db
2013-09-14 20:53 - 2013-09-14 20:53 - 00001247 _____ C:\Users\Robin\AppData\Roaming\Roaming - Shortcut.lnk
2013-09-14 20:23 - 2012-07-08 13:09 - 00000000 ____D C:\Users\BackupAdmin
2013-09-14 20:23 - 2011-07-23 16:24 - 00000000 ____D C:\ProgramData\Norton
2013-09-14 20:23 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\registration
2013-09-13 21:55 - 2013-09-01 19:59 - 00000000 ____D C:\Users\Robin\Downloads\ESET_Aug13
2013-09-13 21:15 - 2013-01-04 19:20 - 00000000 ____D C:\Users\Robin\Downloads\Norton Power Eraser_per scan
2013-09-13 17:33 - 2013-06-20 11:30 - 00000000 ____D C:\Users\Robin\AppData\Roaming\Foxit Software
2013-09-12 23:08 - 2011-11-17 20:47 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-12 22:12 - 2013-09-12 22:12 - 00000000 _____ C:\Windows\SysWOW64\shoE63C.tmp
2013-09-12 12:24 - 2009-07-13 22:08 - 00032604 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-09-11 17:19 - 2012-07-18 23:38 - 00000000 ____D C:\Users\RobinAdmin\AppData\Roaming\EssentialPIM
2013-09-11 16:30 - 2013-09-11 15:50 - 00000000 ____D C:\Users\Robin\Downloads\EssentialPIM_Sep12
2013-09-10 16:47 - 2012-08-15 20:16 - 00000000 ____D C:\Windows\SysWOW64\Adobe
2013-09-10 15:41 - 2012-06-07 12:35 - 00000000 ___RD C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-09-10 15:41 - 2012-06-01 22:49 - 00000000 ___RD C:\Users\Robin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-09-10 15:39 - 2009-07-13 21:45 - 00387736 _____ C:\Windows\system32\FNTCACHE.DAT
2013-09-10 15:26 - 2013-07-14 22:47 - 00000000 ____D C:\Windows\system32\MRT
2013-09-10 15:26 - 2011-11-17 20:38 - 00000000 ____D C:\Program Files (x86)\Microsoft Application Virtualization Client
2013-09-10 15:26 - 2011-02-11 10:15 - 00795928 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2013-09-10 15:19 - 2011-11-25 13:30 - 79143768 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2013-09-09 19:12 - 2012-12-29 02:16 - 00000000 ____D C:\Users\Robin\Downloads\MS SharePoint+MODI_Feb12
2013-09-09 19:12 - 2011-11-26 12:31 - 00000000 ____D C:\Users\Robin\Downloads\arena_3.0_Downloads_playwitharena
2013-09-09 00:03 - 2013-07-16 00:08 - 00000000 ____D C:\Users\Robin\Downloads\DoNotTrackMe_Jul13
2013-09-08 21:35 - 2013-09-01 15:37 - 00000000 ____D C:\Users\Robin\Downloads\LibreOffice_May12
2013-09-08 21:35 - 2013-06-20 09:45 - 00000000 ____D C:\Users\Robin\Downloads\Foxit Reader_Sep12
2013-09-07 19:34 - 2012-09-12 23:59 - 00000000 ____D C:\Users\Robin\Downloads\Kaspersky Security Scan_per scan
2013-09-07 19:32 - 2013-01-16 01:24 - 00000000 ____D C:\Users\Robin\Downloads\Windows Defender Offline_per scan
2013-09-07 19:31 - 2013-02-22 20:49 - 00000000 ____D C:\Users\Robin\Downloads\Norton Safe Web Lite
2013-09-06 20:19 - 2013-06-02 00:18 - 00000243 _____ C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2013-09-06 20:18 - 2013-06-01 23:54 - 00000231 _____ C:\ProgramData\Microsoft.SqlServer.Compact.400.64.bc
2013-09-06 19:03 - 2013-09-06 18:28 - 00000000 ____D C:\Users\Robin\Downloads\ManicTime_Jun13_Portable
2013-09-06 17:28 - 2011-07-23 17:26 - 00289398 _____ C:\DUMP2f68.tmp
2013-09-05 21:16 - 2013-09-05 20:35 - 00000000 ____D C:\Users\Robin\Downloads\FreeFileSync_Mar13_Portable

Some content of TEMP:
====================
C:\Users\Robin\AppData\Local\Temp\Checkupdate.exe
C:\Users\Robin\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\Robin\AppData\Local\Temp\gcapi_dll.dll
C:\Users\Robin\AppData\Local\Temp\gtapi_signed.dll

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== End Of Log ============================


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Next,

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review.
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted (if necessary):
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

Next,

Please download RogueKiller from here:

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe  <- 32 bit version

http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe  <- 64 bit version

  • Make sure to get the correct version for your system.
  • Quit all running programs
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • Wait until Prescan has finished...
  • The following EULA will appear, please select accept
    RKLicence.png
  • Ensure MBR scan, Check faked and AntiRootkit are checked
  • Select Scan
    RK1A.png
  • When the scan completes select Report, copy and paste that to your reply.
    RK2A.png
  • The log should be found in RKreport[?].txt on your Desktop
  • Exit/Close RogueKiller


Hi Kevin,

Please forgive me for being obtuse, but I can't figure out how to download the file fixlist.txt attached to (your) message #4.

I tried clicking on the download icon next to the print icon at the very bottom of the web page, but that just opens this same web page again in another tab.

I do see the icon for the attached file Addition.txt in (my) message #3, and when I mouse over it, the cursor becomes a hand and a "Download attachment" pop-up appears.

I couldn't find anything to resolve this issue in the treatment of attachments in Help.

Perhaps the problem is caused by my browser settings?

Robin


Hi Kevin,

Nothing to worry about.  Thank you for the attachment.

Following are copy-pastes of the results of the three scans you requested, preceded by a summary of these items, with comments.

Robin

Summary of items

1. Fixlog.txt

2. AdwCleaner[R0].txt

I did not perform any cleaning with this tool because I don't know how to interpret the log.

3. RKreport[0]_S_10062013_155434.txt

4. RogueKiller_MBR

This is a copy-paste of the contents under the MBR tab, which were not included in #3.  I've copy-pasted these contents here because they twice include the phrase, "Invalid partition table. Error loading operating system. Missing operating system."

1. Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013
Ran by Robin at 2013-10-06 12:01:07 Run:1
Running from C:\Users\Robin\Downloads\Farbar Rcvry_Oct13_Portable\Download+Scans_NV_blpgcmptr
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
HKCU\...\Winlogon: [shell] Explorer.exe <==== ATTENTION
C:\Users\Robin\AppData\Local\Temp\Checkupdate.exe
C:\Users\Robin\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\Robin\AppData\Local\Temp\gcapi_dll.dll
C:\Users\Robin\AppData\Local\Temp\gtapi_signed.dll
End

*****************

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
"C:\Users\Robin\AppData\Local\Temp\Checkupdate.exe" => File/Directory not found.
"C:\Users\Robin\AppData\Local\Temp\Foxit Reader Updater.exe" => File/Directory not found.
"C:\Users\Robin\AppData\Local\Temp\gcapi_dll.dll" => File/Directory not found.
"C:\Users\Robin\AppData\Local\Temp\gtapi_signed.dll" => File/Directory not found.

==== End of Fixlog ====

2. AdwCleaner[R0].txt

# AdwCleaner v3.006 - Report created 06/10/2013 at 12:50:36
# Updated 01/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : RobinAdmin - ROBIN-HP
# Running from : C:\Users\Robin\Downloads\AdwCleaner_Oct13_Portable\Download\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : [x64] HKCU\Software\APN PIP
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Found : HKLM\Software\PIP
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686

*************************

AdwCleaner[R0].txt - [3848 octets] - [06/10/2013 12:50:36]

########## EOF - \AdwCleaner\AdwCleaner[R0].txt - [3908 octets] ##########

3. RKreport[0]_S_10062013_155434.txt

RogueKiller V8.7.1 _x64_ [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : RobinAdmin [Admin rights]
Mode : Scan -- Date : 10/06/2013 15:54:34
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD50 00AAKS-60WWPA0 SATA Disk Device +++++
--- User ---
[MBR] c312eb3e7c9e40283fe5be0687ff02b5
[bSP] f240f10f74d80b93bcfbdd5c175b2e6e : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 465442 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 953432064 | Size: 11396 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 770d4aaeb3cf76c68f1a0a5d857f35aa
[bSP] b3dc17f7a53eab7e22c06474a3fc7477 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 165308416 | Size: 300 Mo

Finished : << RKreport[0]_S_10062013_155434.txt >>

4. RogueKiller_MBR

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD50 00AAKS-60WWPA0 SATA Disk Device +++++
--- User ---
[MBR] c312eb3e7c9e40283fe5be0687ff02b5
[bSP] f240f10f74d80b93bcfbdd5c175b2e6e : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 465442 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 953432064 | Size: 11396 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 ---
[MBR] 770d4aaeb3cf76c68f1a0a5d857f35aa
[bSP] b3dc17f7a53eab7e22c06474a3fc7477 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 165308416 | Size: 300 Mo

END OF MESSAGE

Yes it would appear to show a possible MBR infection, run the following:

1. Download Malwarebytes Anti-Rootkit from this link:

http://www.malwarebytes.org/products/mbar/

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

Image1.png

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

mbarwm.png

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

6. The following image opens, select Next.

Image2.png

7. The following image opens, select Update

Image3.png

8. When the update completes select Next.

Image4.png

9. In the following window ensure "Targets" are ticked. Then select "Scan"

Image5.png

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

MBAntiRKcleanA.png

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

Image6.png

13. Verify that your system is now running normally, making sure that the following items are functional:

  • Internet access
  • Windows Update
  • Windows Firewall

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

15. Select "Y" from your Keyboard, tap Enter.

16. The fix will be applied, select any key to Exit.

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

System - log

Mbar - log   Date and time of scan will also be shown....

Regarding AdwCleaner, leave that for now until we run MBAR....

Kevin...

Hi Kevin,

The MBAM Anti-Rootkit scan results, copy-pasted below, were negative. (I also ran Kaspersky TDSSKiller, and its results were negative as well.)

Robin

mbar-log-2013-10-07 (17-25-19).txt

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.10.07.12

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16686
RobinAdmin :: ROBIN-HP [administrator]

10/7/2013 5:25:19 PM
mbar-log-2013-10-07 (17-25-19).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 284810
Time elapsed: 28 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

 

 

system-log.txt

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 10.0.9200.16686

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 1.646000 GHz
Memory total: 1718140928, free: 503021568

Downloaded database version: v2013.10.07.12
Downloaded database version: v2013.09.30.01
=======================================
Initializing...
------------ Kernel report ------------
     10/07/2013 17:25:08
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\amd_sata.sys
\SystemRoot\system32\drivers\storport.sys
\SystemRoot\system32\drivers\amd_xata.sys
\SystemRoot\system32\drivers\amdsata.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\NAVx64\1404000.028\SYMDS64.SYS
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\system32\drivers\NAVx64\1404000.028\SYMEFA64.SYS
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\drivers\NAVx64\1404000.028\ccSetx64.sys
\SystemRoot\system32\drivers\NSTx64\0200000.010\ccSetx64.sys
\SystemRoot\system32\drivers\NAVx64\1404000.028\Ironx64.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\drivers\afd.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\System32\Drivers\NAVx64\1404000.028\SYMNETS.SYS
\??\C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
\SystemRoot\system32\drivers\NAVx64\1404000.028\SRTSPX64.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
\??\C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\blbdrive.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\BASHDefs\20130924.001\BHDrvx64.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\drivers\usbfilter.sys
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\L1C62x64.sys
\SystemRoot\system32\drivers\amdppm.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\BazisVirtualCDBus.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\RTKVHD64.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\hidusb.sys
\SystemRoot\system32\DRIVERS\HIDCLASS.SYS
\SystemRoot\system32\DRIVERS\HIDPARSE.SYS
\SystemRoot\system32\DRIVERS\kbdhid.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\system32\DRIVERS\AE2500w764.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\mouhid.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_amd_sata.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\system32\drivers\luafv.sys
\SystemRoot\system32\DRIVERS\Sftvollh.sys
\SystemRoot\system32\drivers\WudfPf.sys
\??\C:\Program Files\Sandboxie\SbieDrv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\DRIVERS\vwifimp.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\system32\DRIVERS\Sftfslh.sys
\SystemRoot\system32\DRIVERS\Sftplaylh.sys
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\SystemRoot\system32\DRIVERS\Sftredirlh.sys
\SystemRoot\System32\Drivers\NAVx64\1404000.028\SRTSP64.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20131007.003\EX64.SYS
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20131007.003\ENG64.SYS
\SystemRoot\system32\DRIVERS\udfs.sys
\??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\IPSDefs\20131005.002\IDSvia64.sys
\SystemRoot\system32\DRIVERS\cdfs.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\normaliz.dll
\Windows\System32\clbcatq.dll
\Windows\System32\psapi.dll
\Windows\System32\difxapi.dll
\Windows\System32\sechost.dll
\Windows\System32\gdi32.dll
\Windows\System32\ole32.dll
\Windows\System32\setupapi.dll
\Windows\System32\urlmon.dll
\Windows\System32\nsi.dll
\Windows\System32\usp10.dll
\Windows\System32\kernel32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\wininet.dll
\Windows\System32\imm32.dll
\Windows\System32\user32.dll
\Windows\System32\shell32.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\ws2_32.dll
\Windows\System32\comdlg32.dll
\Windows\System32\iertutil.dll
\Windows\System32\msctf.dll
\Windows\System32\Wldap32.dll
\Windows\System32\advapi32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\imagehlp.dll
\Windows\System32\lpk.dll
\Windows\System32\msvcrt.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\wintrust.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\comctl32.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\devobj.dll
\Windows\System32\msasn1.dll
\Windows\SysWOW64\normaliz.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80024ed060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000006f\
Lower Device Object: 0xfffffa80023cf060
Lower Device Driver Name: \Driver\amd_sata\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80024ed060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80024ec4c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80024ed060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80023d5ac0, DeviceName: Unknown, DriverName: \Driver\amd_xata\
DevicePointer: 0xfffffa80023cf060, DeviceName: \Device\0000006f\, DriverName: \Driver\amd_sata\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 81E89589

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 953225216

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 953432064  Numsec = 23339008

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 500107862016 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Scan finished
=======================================

Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_2048_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished

 

END OF POST
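As an added example (not code from the thread and not part of RogueKiller, MBAR or aswMBR), the following Python script parses a 512-byte MBR sector and reports the same things those scanners print in the logs above: the 0x55AA boot signature, the 4-byte disk signature at offset 0x1B8, and the four 16-byte partition entries. The sample sector is constructed from the MBAR system-log values (partition layout and Disk Signature 81E89589; note that the hex dump above ends with the bytes `89 95 e8 81` at that offset, which is the same value little-endian). The code area is zero-filled rather than copied from the dump, and `compare_reads` is a simplified stand-in for the kind of "user-mode read versus low-level read" comparison a rootkit scanner performs; that it is what RogueKiller's `User = LL1 ... OK!` / `User != LL2 ... KO!` lines express is an assumption.

```python
"""Parse and sanity-check an MBR sector (added example, not from the thread)."""
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
DISK_SIG_OFF = 0x1B8     # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55 0xAA
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY_FMT = "<B3sB3sII"


@dataclass
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    num_sectors: int

    @property
    def size_mib(self) -> int:
        # aswMBR's "MB" figures in the log are MiB (sectors * 512 / 2^20)
        return self.num_sectors * SECTOR // (1024 * 1024)


def parse_mbr(sector: bytes) -> dict:
    """Return disk signature, partition list and a hash of the code area."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR}-byte sector, got {len(sector)}")
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        # Only 0x00 (inactive) and 0x80 (active/bootable) are valid here.
        if status not in (0x00, 0x80):
            raise ValueError(f"partition {i}: invalid status byte {status:#04x}")
        parts.append(Partition(i, status == 0x80, ptype, lba, count))
    return {
        "disk_signature": f"{disk_sig:08X}",
        "partitions": parts,
        # Hash of the bootstrap code area, for comparison against a baseline.
        "code_sha256": hashlib.sha256(sector[:DISK_SIG_OFF]).hexdigest(),
    }


def build_mbr(entries, disk_sig: int, code: bytes = b"") -> bytes:
    """Assemble a sector from (active, type, lba, count) tuples.
    Constructed test input: the code area is zero-filled unless given."""
    buf = bytearray(SECTOR)
    code = code[:DISK_SIG_OFF]
    buf[:len(code)] = code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, (active, ptype, lba, count) in enumerate(entries):
        # CHS fields set to the usual "use LBA" placeholder FE FF FF.
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFF + 16 * i,
                         0x80 if active else 0x00, b"\xfe\xff\xff",
                         ptype, b"\xfe\xff\xff", lba, count)
    buf[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(buf)


def compare_reads(user_read: bytes, low_level_read: bytes) -> str:
    """Scanner-style check: the sector seen through the normal API should be
    byte-identical to the one read below the disk driver stack."""
    return "OK" if user_read == low_level_read else "KO"


# Partition layout copied from the MBAR system-log posted in this thread.
ROBIN_LAYOUT = [
    (True,  0x07, 2048,      204800),
    (False, 0x07, 206848,    953225216),
    (False, 0x07, 953432064, 23339008),
    (False, 0x00, 0,         0),
]
ROBIN_DISK_SIG = 0x81E89589

if __name__ == "__main__":
    mbr = build_mbr(ROBIN_LAYOUT, ROBIN_DISK_SIG)
    info = parse_mbr(mbr)
    print("Disk signature:", info["disk_signature"])
    for p in info["partitions"]:
        flag = "ACTIVE" if p.active else "      "
        print(f"  {p.index} {flag} type={p.type_id:#04x} lba={p.lba_start} "
              f"sectors={p.num_sectors} ({p.size_mib} MiB)")
    # Hypothetical tampered copy: one byte of the code area altered.
    tampered = bytearray(mbr)
    tampered[0] ^= 0xFF
    print("User vs low-level:", compare_reads(mbr, bytes(tampered)))
```

The partition sizes the parser derives (100, 465442 and 11396 MiB) are exactly the figures aswMBR prints later in the thread, which is a useful cross-check when two tools describe the same disk. On a real system the sector would come from reading `\\.\PhysicalDrive0` with administrator rights, and a mismatch between two read paths, rather than a strange-looking hex dump, is what justifies a rootkit investigation.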

Run Malwarebytes quick scan and post its log...

Next,

In RogueKiller's quarantine folder (RK_Quarantine) will be this file: PhysicalDrive0_User.dat. Zip up that file and attach it.

Next,

Download aswMBR from here: http://files.avast.com/files/rootkit-scanner/aswmbr.exe (4.5MB) and save it to your desktop.

  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

Note: There will also be a file on your desktop named MBR.dat; zip up that file and attach it to your reply...

Let me see the following:

Log from Malwarebytes quick scan
Log from aswMBR
the two attached zip files from RK and aswMBR.

Thank you,

Kevin....

Hi Kevin,

The contents and attachment for this post are as follows.

MBAM Quick scan log: paste-copied below

aswMBR.txt: paste-copied below

RK_Quarantine folder\PhysicalDrive0_User.dat: I was unable to find this folder or this file (even though I re-ran the scan and ran a search on the C-drive for both).

MBR.dat (zipped): attached

Robin

MBAM Quick scan log

Malwarebytes Anti-Malware 1.75.0.1300

www.malwarebytes.org

Database version: v2013.08.26.03

Windows 7 Service Pack 1 x64 NTFS

Internet Explorer 10.0.9200.16686

Robin :: ROBIN-HP [limited]

10/8/2013 3:13:24 PM

mbam-log-2013-10-08 (15-13-24).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 226996

Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Delete on reboot.

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

 

 

 

aswMBR.txt

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software

Run date: 2013-10-08 19:35:38

-----------------------------

19:35:38.325 OS Version: Windows x64 6.1.7601 Service Pack 1

19:35:38.325 Number of processors: 2 586 0x200

19:35:38.325 ComputerName: ROBIN-HP UserName:

19:35:40.027 Initialize success

20:10:04.971 AVAST engine defs: 13100800

20:24:12.655 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006f

20:24:12.671 Disk 0 Vendor: WDC_WD50 16.0 Size: 476940MB BusType: 11

20:24:12.796 Disk 0 MBR read successfully

20:24:12.811 Disk 0 MBR scan

20:24:12.921 Disk 0 Windows 7 default MBR code

20:24:12.921 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048

20:24:12.952 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 465442 MB offset 206848

20:24:13.014 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 11396 MB offset 953432064

20:24:13.077 Disk 0 scanning C:\Windows\system32\drivers

20:24:26.259 Service scanning

20:24:31.797 Service BHDrvx64 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\BASHDefs\20130924.001\BHDrvx64.sys **LOCKED** 5

20:24:37.054 Service eeCtrl C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys **LOCKED** 5

20:24:37.600 Service EraserUtilRebootDrv C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys **LOCKED** 5

20:24:40.876 Service IDSVia64 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\IPSDefs\20131005.002\IDSvia64.sys **LOCKED** 5

20:24:45.431 Service NAVENG C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20131008.019\ENG64.SYS **LOCKED** 5

20:24:45.712 Service NAVEX15 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20131008.019\EX64.SYS **LOCKED** 5

20:25:01.281 Modules scanning

20:25:01.296 Disk 0 trace - called modules:

20:25:01.343 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys

20:25:01.359 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80025153d0]

20:25:01.359 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa8002401ac0]

20:25:01.374 5 amd_xata.sys[fffff8800108bd00] -> nt!IofCallDriver -> \Device\0000006f[0xfffffa80023fb060]

20:25:05.259 AVAST engine scan C:\Windows

20:25:09.143 AVAST engine scan C:\Windows\system32

20:29:29.086 AVAST engine scan C:\Windows\system32\drivers

20:30:00.832 AVAST engine scan C:\Users\RobinAdmin

20:31:49.611 AVAST engine scan C:\ProgramData

20:39:59.523 Scan finished successfully

21:40:40.517 Disk 0 MBR has been saved successfully to "C:\Users\Robin\Downloads\aswMBR_Oct13_Portable\Download_0.9.9.1771_Avast\MBR.dat"

21:40:40.537 The log file has been saved successfully to "C:\Users\Robin\Downloads\aswMBR_Oct13_Portable\Download_0.9.9.1771_Avast\aswMBR.txt"

 

END OF POST

Thanks for the logs; I do not see any remaining issues with those logs. Regarding the RK_Quarantine folder, usually that is created exactly where RogueKiller is running from, e.g. Desktop or a dedicated folder.... It's no big deal as aswMBR indicated the MBR is good.

What is the status of your system now, are there any remaining issues or concerns?

Thanks,

Kevin....

Hi Kevin,

I'm very happy you've concluded my MBR is good. In respect to the current status of my computer: when MBAM first reported the Hijack.Regedit PUMs, my computer was functioning properly, and it has continued to do so since then.

I have three remaining concerns.

          1. The MBAM PUMs report and inappropriate, undeletable registry values
          2. The Farbar Recovery Scan Tool scan results
          3. The AdwCleaner scan results

1. The MBAM PUM report and inappropriate, undeletable registry values

(A) MBAM Quick scan continues to report the following results:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Delete on reboot.

But there is no "Delete on reboot"; after every scan-delete-reboot, MBAM reports this same problem.

(The MBAM Quick scan results are copied in my last post.)

(B) The following three inappropriate values remain in the registry for the regular user account, and Windows continues to refuse permission to delete them regardless of tweaks to Ownership and Permissions:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System|

          DisableRegedit
          DisableRegistryTools
          DisableTaskMgr

However, Regedit and Task Manager have never lost functionality (I don't know what "RegistryTools" refers to).

(2) The Farbar Recovery Scan Tool scan results

Is there anything that needs to be done in consequence of the Farbar Recovery Scan Tool scan results (copied in my post of October 5)? Or did you already do that with the Fixlist.txt file you provided?

(3) The AdwCleaner scan results

In your post of October 7 you indicated that after we addressed the MBR issue that had just come up, we would get back to addressing the AdwCleaner scan results (copied as #2 in my post of October 6). You had previously indicated that I should perform cleaning after scanning with AdwCleaner, but I couldn't do so because I don't know how to interpret the scan results.

Robin

FRST fix was completed...

Re-run AdwCleaner, let the scan complete then use the Clean function. Post that log.

Regarding the registry entries that seem to have you worried, the value of each entry is 0, which means the key is inert; none of the references will be disabled. To delete you must be logged on with Administrator rights and open Regedit as an Administrator.

I did note when you ran FRST initially you were not logged on as an Administrator...

Expand each key you mention down to "System", select the System folder and it will open, the values will show in the right hand side pane. Right click on the value name that you require and select "Delete" and accept the alert....
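As an added example (not from the thread and not a Malwarebytes tool), the following PowerShell script audits the three policy values discussed above. It reads them under HKLM and under every user hive currently loaded in HKEY_USERS, and classifies each as absent, present-but-inert (data 0) or enforced (non-zero). The function and parameter names are this example's own; the value names and the `Policies\System` path are the ones that appear in the MBAM log.

```powershell
# Added example, not part of the thread: audit the policy values MBAM kept
# reporting, under HKLM and under every loaded user hive. A value that is
# absent or set to 0 imposes no restriction; a non-zero value really does
# block regedit / Task Manager for that account.
$ValueNames = 'DisableRegedit', 'DisableRegistryTools', 'DisableTaskMgr'
$SubPath    = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyRestrictionStatus {
    # HKLM applies to all accounts. HKCU is only a view of one subkey of
    # HKEY_USERS, so walking HKEY_USERS covers every loaded profile,
    # including an account you are not currently running as.
    $roots = @('Registry::HKEY_LOCAL_MACHINE')
    $roots += Get-ChildItem 'Registry::HKEY_USERS' |
              Where-Object { $_.PSChildName -notlike '*_Classes' } |
              ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }

    foreach ($root in $roots) {
        $key = Get-Item -Path "$root\$SubPath" -ErrorAction SilentlyContinue
        foreach ($name in $ValueNames) {
            $data = if ($key) { $key.GetValue($name, $null) } else { $null }
            $status = if ($null -eq $data) { 'not present' }
                      elseif ($data -eq 0) { 'present, inert (0)' }
                      else                 { "ENFORCED ($data)" }
            [pscustomobject]@{
                Hive   = $root -replace '^Registry::', ''
                Value  = $name
                Status = $status
            }
        }
    }
}

function Remove-InertPolicyValue {
    # Deletes one of these values from one hive. Needs an elevated session
    # with write access to that hive; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Hive,   # e.g. HKEY_USERS\S-1-5-21-...
        [Parameter(Mandatory)] [string] $Name
    )
    $path = "Registry::$Hive\$SubPath"
    if ($PSCmdlet.ShouldProcess("$path\$Name", 'Remove registry value')) {
        Remove-ItemProperty -Path $path -Name $Name -ErrorAction Stop
    }
}

Get-PolicyRestrictionStatus | Format-Table -AutoSize
# Dry run of a deletion:
# Remove-InertPolicyValue -Hive 'HKEY_CURRENT_USER' -Name 'DisableRegedit' -WhatIf
```

Run it from an elevated PowerShell. The reason for enumerating HKEY_USERS rather than HKCU is the situation in this thread: when a standard user elevates with an administrator's credentials, the elevated process runs as that administrator, so its HKCU is the administrator's hive and the limited account's values are only reachable through HKEY_USERS\<SID>. Unelevated, access to another user's hive is denied and the script will report "not present", so the output is only trustworthy when elevated.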

Hi Kevin,

1. Thank you for the FRST fix.

2. AdwCleaner

Before- and after-cleaning logs are posted below.  (The tabs were all empty.)  It appears to me this task has been successfully completed?

3. Inappropriate registry values:  gone from Regedit, persisting in MBAM Quick scan

     A. Regedit shows the inappropriate values in HKCU in the regular user account are finally gone.

     B. However, MBAM continues to report them, and continues to do so even after Remove-restart.  The MBAM log is posted below.  Is this to be interpreted as an MBAM error?

     C.  The following is of little or no consequence--but after I ran AdwCleaner today:

          i. If I remember correctly, I then tried to delete the inappropriate registry values in the regular user account, with elevated privileges, again without success.

          ii. When I looked for the values in a user-created administrator account, they were not there (as had been the case since I successfully deleted them from all the hives in the various accounts in which they appeared, except for HKCU in the regular user account, from which they would not delete.)

          iii. Next I looked in every hive and key in the hidden administrator account, and they weren't there either.  (Out of caution I had never opened this account before today.)

          iv.  Next, I looked for the values in the regular user account again, and they were gone.  I suppose either AdwCleaner got rid of them (and I am mistaken about having looked for them immediately after running AdwCleaner today), or else opening the hidden administrator account had some sort of (miraculous) effect on them?

Robin

AdwCleaner - Before cleaning

# AdwCleaner v3.007 - Report created 10/10/2013 at 16:31:01
# Updated 09/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : RobinAdmin - ROBIN-HP
# Running from : C:\Users\Robin\Downloads\AdwCleaner_Oct13_Portable\Download_3.0.0.7_GCT\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : [x64] HKCU\Software\APN PIP
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Found : HKLM\Software\PIP
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720

*************************

AdwCleaner[R0].txt - [4018 octets] - [06/10/2013 12:50:36]
AdwCleaner[R1].txt - [8351 octets] - [10/10/2013 14:59:15]
AdwCleaner[R2].txt - [7825 octets] - [10/10/2013 15:33:02]
AdwCleaner[R3].txt - [7548 octets] - [10/10/2013 15:49:13]
AdwCleaner[R4].txt - [7350 octets] - [10/10/2013 16:31:01]
AdwCleaner[s0].txt - [8346 octets] - [10/10/2013 15:41:13]

########## EOF - \AdwCleaner\AdwCleaner[R4].txt - [7470 octets] ##########

 

 

AdwCleaner - After cleaning

 

# AdwCleaner v3.007 - Report created 10/10/2013 at 16:38:37
# Updated 09/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : RobinAdmin - ROBIN-HP
# Running from : C:\Users\Robin\Downloads\AdwCleaner_Oct13_Portable\Download_3.0.0.7_GCT\adwcleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720

*************************

AdwCleaner[R0].txt - [4018 octets] - [06/10/2013 12:50:36]
AdwCleaner[R1].txt - [8351 octets] - [10/10/2013 14:59:15]
AdwCleaner[R2].txt - [7825 octets] - [10/10/2013 15:33:02]
AdwCleaner[R3].txt - [7548 octets] - [10/10/2013 15:49:13]
AdwCleaner[R4].txt - [7608 octets] - [10/10/2013 16:31:01]
AdwCleaner[R5].txt - [852 octets] - [10/10/2013 16:38:37]
AdwCleaner[s0].txt - [8346 octets] - [10/10/2013 15:41:13]
AdwCleaner[s1].txt - [7201 octets] - [10/10/2013 16:33:53]

########## EOF - \AdwCleaner\AdwCleaner[R5].txt - [1031 octets] ##########

 

 

MBAM log

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.26.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Robin :: ROBIN-HP [limited]

10/10/2013 5:58:22 PM
MBAM-log-2013-10-10 (18-09-36).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230774
Time elapsed: 7 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

END OF POST

 

 

 


That is really odd for Malwarebytes to continue flagging an entry you say is gone... OK, let's reinstall Malwarebytes and see what report we get after that function...

 

Download mbam-clean.exe and save it to your desktop from the following:

 

http://www.malwarebytes.org/mbam-clean.exe

 

Now do the following:

 

  • Click on Start and select Control Panel
       
  • Open Uninstall a Program
       
  • Uninstall Malwarebytes' Anti-Malware
       
  • Restart your computer, very important to do that!!
       
  • Run mbam-clean.exe
       
  • It will ask to restart your computer, please allow it to do so, very important!!

 

Next, D/L and install Malwarebytes again as follows :-

 

Please download Malwarebytes Anti-Malware and save it to your desktop.

 

Alternative D/L mirror

Alternative D/L mirror

 

Double click mbam-setup.exe to install the application. When complete, check for updates, then run a quick scan and post that log.


Hi Kevin,

 

Before un- and re-installing MBAM, I checked the registry once more, and as often happens when one does not document every step of a procedure, I found that my account was insufficiently fine-grained.

 

1. When the registry is accessed in the regular user account without elevated privileges, the values flagged by MBAM are present.

 

2. When the registry is accessed in the regular user account with elevated privileges, the values flagged by MBAM are not present.

 

3. When the registry is accessed in a user-created administrator account, the values flagged by MBAM are not present.

 

Pix below.

 

My apologies for the imprecision.  I will stop at this point to await your instructions.

 

Robin

 

 

 

Regular user account without elevated privileges:

[screenshot attachment]

 

Regular user account with elevated privileges:

[screenshot attachment]

 

User-created administrator account:

[screenshot attachment]

 

END OF POST

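Added example, not part of the thread and not Robin's or Kevin's code. What Robin describes in the three numbered observations above is standard Windows 7 behaviour rather than a hidden infection: when a standard user launches regedit with "Run as administrator", the elevated process runs under the administrator account's token, so the HKCU it displays is that administrator's hive, not the standard user's. The flagged values are visible only in the non-elevated view because they live in the Robin account's hive, which is also the account the MBAM log above was produced in ("Robin :: ROBIN-HP [limited]"). A DisableRegedit, DisableRegistryTools or DisableTaskMgr value whose data is 0 is not an enforced restriction, which is why Regedit and Task Manager still open; MBAM flags the mere presence of the value as a PUM regardless of its data. The script below reads those values from HKLM and from every user hive loaded under HKEY_USERS, so the answer does not depend on which account's HKCU the current process happens to see. It assumes PowerShell 2.0 or later on Windows 7, an elevated prompt (so all loaded hives are readable), and it only reads.

```powershell
# Added example, not code from the thread. Reads the Explorer "System" policy values
# that MBAM reports as Hijack.Regedit / Hijack.TaskMgr from HKLM and from every
# user hive loaded under HKEY_USERS, so the result does not depend on which
# account's HKCU an elevated regedit happens to display. Run from an elevated
# prompt; it only reads and changes nothing.
$policyValues = 'DisableRegedit', 'DisableRegistryTools', 'DisableTaskMgr'
$subKey       = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Resolve-AccountName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }    # e.g. a deleted account: fall back to the raw SID
}

# One entry for the machine hive, then one per real user SID (S-1-5-21-...);
# the *_Classes hives and the built-in service SIDs are skipped.
$targets = @(New-Object PSObject -Property @{ Name = 'HKLM'; Path = "HKLM:\$subKey" })
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $sid = $hive.PSChildName
    if ($sid -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
        $targets += New-Object PSObject -Property @{
            Name = "HKU\$sid ($(Resolve-AccountName $sid))"
            Path = "Registry::HKEY_USERS\$sid\$subKey"
        }
    }
}

foreach ($t in $targets) {
    if (-not (Test-Path $t.Path)) { "$($t.Name): policy key absent"; continue }
    foreach ($v in $policyValues) {
        # -Name with SilentlyContinue yields nothing when the value is not set
        $data = (Get-ItemProperty -Path $t.Path -Name $v -ErrorAction SilentlyContinue).$v
        if ($null -eq $data) { continue }
        # 0 = the tool stays usable; 1 (or 2 for DisableRegistryTools) = blocked
        $state = 'present but not enforcing (MBAM still flags it as a PUM)'
        if ($data -ne 0) { $state = 'ENFORCED: tool is blocked for this account' }
        "$($t.Name): $v = $data -> $state"
    }
}
```

Only hives of users who are currently logged on (or whose hive is otherwise loaded) appear under HKEY_USERS, so log on once as each account you want covered, or load its NTUSER.DAT with reg load first. A value reported under HKU\S-1-5-21-... for the standard account but absent under HKLM and under the administrator's SID is exactly the pattern Robin's three screenshots show.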

I'm really not sure what you want me to say or do. Which account do you normally use, and what happens when Malwarebytes is run from that account....

 

If the regular user account (without privileges) is causing you concern, delete that account......

 

OK continue as follows for a final check on your system....

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - Vista and Windows 7: right click on the IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report here


Hi Kevin,

 

The results of the ESET Online Scanner complete system scan are copy-pasted below.

 

Robin

 

C:\$RECYCLE.BIN\S-1-5-21-476204944-2562783861-3005158361-1000\$R8WHUVS.21\Download_5.21_SourceForge\FreeFileSync_5.21_Windows_Setup.exe Win32/OpenCandy application
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEIPlug.dll Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEZSETP.dll Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\NP2lEISb.dll Win32/Toolbar.MyWebSearch application
C:\Users\Robin\BU Versions Storage_OLD\2013-05-03 170851\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe 2013-05-03 170851.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Robin\BU Versions Storage_OLD\2013-05-05 002104\Pgms Removed from the Computer\Problem Pgm Downloads\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe 2013-05-05 002104.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Robin\BU Versions Storage_OLD\2013-08-08 004930\Foxit Reader_Sep12\Download 6.0.3.0542_Foxit\FoxitReader603.0524_enu_Setup.exe 2013-08-08 004930.exe a variant of Win32/Bundled.Toolbar.Ask.D application

 


Download OTM from either of the following links and save to your Desktop:

 

http://oldtimer.geekstogo.com/OTM.exe.

http://www.itxassociates.com/OT-Tools/OTM.com

http://www.itxassociates.com/OT-Tools/OTM.exe 

 

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion.... If your security alerts to OTM either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files :Files
     
    :Files
    C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEIPlug.dll
    C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEZSETP.dll
    C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\NP2lEISb.dll
    C:\Users\Robin\BU Versions Storage_OLD\2013-05-03 170851\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe
    C:\Users\Robin\BU Versions Storage_OLD\2013-05-05 002104\Pgms Removed from the Computer\Problem Pgm Downloads\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe
    C:\Users\Robin\BU Versions Storage_OLD\2013-08-08 004930\Foxit Reader_Sep12\Download 6.0.3.0542_Foxit\FoxitReader603.0524_enu_Setup.exe 2013-08-08 004930.exe
    :Commands
    [EmptyTemp]
     
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

If the machine reboots, the Results log can be found here:

 

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

 

Where mmddyyyy_hhmmss is the date of the tool run.

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop.

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Let me see those two logs....


Hi Kevin,

 

Below are the OTM and Security Check logs you requested.

 

Robin

 

 

OTM

All processes killed
Error: Unable to interpret <:Files C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEIPlug.dll C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEZSETP.dll C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\NP2lEISb.dll C:\Users\Robin\BU Versions Storage_OLD\2013-05-03 170851\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe C:\Users\Robin\BU Versions Storage_OLD\2013-05-05 002104\Pgms Removed from the Computer\Problem Pgm Downloads\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe C:\Users\Robin\BU Versions Storage_OLD\2013-08-08 004930\Foxit Reader_Sep12\Download 6.0.3.0542_Foxit\FoxitReader603.0524_enu_Setup.exe 2013-08-08 004930.exe :Commands [EmptyTemp]> in the current context!
 
OTM by OldTimer - Version 3.1.21.0 log created on 10122013_232459

 

 

Security Check

 

 Results of screen317's Security Check version 0.99.74 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Norton AntiVirus  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 SpywareBlaster 5.0   
 VirusTotal Uploader 2.0  
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 25 
 Java version out of Date!
 Adobe Reader XI 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
 Norton AntiVirus Engine 20.4.0.40 ccSvcHst.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

 

END OF POST


 


OTM has not worked correctly, can you try once more... make sure to copy the script correctly, start with and include the colon before Files in the script :Files

 

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion.... If your security alerts to OTM either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files :Files

    :Files
    ipconfig /flushdns /c
    :Files
    C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEIPlug.dll
    C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEZSETP.dll
    C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\NP2lEISb.dll
    C:\Users\Robin\BU Versions Storage_OLD\2013-05-03 170851\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe
    C:\Users\Robin\BU Versions Storage_OLD\2013-05-05 002104\Pgms Removed from the Computer\Problem Pgm Downloads\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe
    C:\Users\Robin\BU Versions Storage_OLD\2013-08-08 004930\Foxit Reader_Sep12\Download 6.0.3.0542_Foxit\FoxitReader603.0524_enu_Setup.exe 2013-08-08 004930.exe
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM


Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

 

Next,

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version of Java components and upgrade the application.

 

Upgrading Java:

 

Go to http://java.com/en/ and click on "Do I have Java"

It will check your current version and then offer to update to the latest version

Watch for and make sure you untick the box next to whatever free program they prompt you to install during the installation, unless you want it.

 

***Note: Check in Programs and Features (or Add/Remove Programs if you are an XP user) to make certain there are no old versions of Java still installed, if so - remove them.

 

Let me know of any remaining issues/concerns..

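Added example, not part of the thread and not Kevin's or Robin's code, for the "check in Programs and Features that no old versions of Java are still installed" step above. Every Programs and Features entry is a subkey under the Uninstall key; on 64-bit Windows 7 the 32-bit Java runtime (the one Internet Explorer 32-bit loads as a plug-in) registers under WOW6432Node, so both keys have to be read. More than one "Java N Update M" entry means an old runtime was left behind by an in-place upgrade, and that older copy is the one with the known, exploitable bugs the post refers to. Assumes PowerShell 2.0 or later; read-only.

```powershell
# Added example, not code from the thread. Lists every product registered under
# the 64-bit and 32-bit (WOW6432Node) Uninstall keys whose display name starts
# with "Java", so an old update left behind after an upgrade shows up without
# clicking through Programs and Features. Read-only.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }   # WOW6432Node is absent on 32-bit Windows
        $arch = '64-bit'
        if ($key -like '*WOW6432Node*') { $arch = '32-bit' }
        foreach ($entry in Get-ChildItem $key) {
            $p = Get-ItemProperty -Path $entry.PSPath
            # DisplayName is what Programs and Features shows, e.g. "Java 7 Update 25"
            if ($p.DisplayName -match '^Java') {
                New-Object PSObject -Property @{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    Architecture    = $arch
                    UninstallString = $p.UninstallString
                }
            }
        }
    }
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    'No Java product is registered in the Uninstall keys.'
} else {
    $java | Sort-Object DisplayVersion | Format-Table DisplayName, DisplayVersion, Architecture -AutoSize
}
```

The UninstallString column is kept on each object so that a leftover entry can be removed with the product's own uninstaller rather than by deleting files by hand; pipe the output to Format-List to see it.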

Hi Kevin,

 

OTM

 

The new log is copy-pasted below.

 

FYI - The first time I ran OTM (when it didn't work), I copy-pasted the contents of the code box into Notepad so I could perform the OTM move offline, then copied from Notepad (which had changed the font) into OTM.  The second time I ran OTM (when it does seem to have worked), I copied directly from your posting.

 

Java

 

I've uninstalled Java without updating it.  (BTW - I've been waiting to get rid of Java altogether because of its high security risk, and am now hoping its absence doesn't interfere with LibreOffice functionality.)

 

I know of just one other issue:  can I delete the folder "OTM\Moved Files," including all its sub-folders and files?

 

Robin

 

OTM

 

All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Robin\Downloads\OTL_per scan\Download_OTL\cmd.bat deleted successfully.
C:\Users\Robin\Downloads\OTL_per scan\Download_OTL\cmd.txt deleted successfully.
========== FILES ==========
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEIPlug.dll moved successfully.
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEZSETP.dll moved successfully.
DllUnregisterServer procedure not found in C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\NP2lEISb.dll
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\NP2lEISb.dll moved successfully.
File/Folder C:\Users\Robin\BU Versions Storage_OLD\2013-05-03 170851\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe not found.
File/Folder C:\Users\Robin\BU Versions Storage_OLD\2013-05-05 002104\Pgms Removed from the Computer\Problem Pgm Downloads\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe not found.
C:\Users\Robin\BU Versions Storage_OLD\2013-08-08 004930\Foxit Reader_Sep12\Download 6.0.3.0542_Foxit\FoxitReader603.0524_enu_Setup.exe 2013-08-08 004930.exe moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 106660 bytes
->Temporary Internet Files folder emptied: 128 bytes
->Java cache emptied: 0 bytes
 
User: All Users
 
User: BackupAdmin
->Temp folder emptied: 56138 bytes
->Temporary Internet Files folder emptied: 26405 bytes
->Flash cache emptied: 56466 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Janice CQ2010
 
User: Public
 
User: Robin
->Temp folder emptied: 54739 bytes
->Temporary Internet Files folder emptied: 74121344 bytes
->Java cache emptied: 337898 bytes
->Flash cache emptied: 3388 bytes
 
User: RobinAdmin
->Temp folder emptied: 253076990 bytes
->Temporary Internet Files folder emptied: 14128244 bytes
->Java cache emptied: 1876 bytes
->Flash cache emptied: 506 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 525974 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 2881540 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 738 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 5735158 bytes
RecycleBin emptied: 3145103773 bytes
 
Total Files Cleaned = 3,334.00 mb
 
 
OTM by OldTimer - Version 3.1.21.0 log created on 10132013_145642

 

END OF POST
 


Use OTM to uninstall tools used and itself....

 


Double-click OTM.exe to run it. Windows 7 or Vista users accept the UAC alert.
Click on the green CleanUp! button and it will populate a list of items to clean from your system that we used or may have used.
It should ask if you want to clean up, select Yes. You may be asked to reboot, allow that to happen.


This topic is now closed to further replies.