
presumed infection; possibly win32.downloader.gen



I used to use AumHa, but have been out of the loop for a while so this is my first time here.

 

This could be a compound situation where an earlier undetected infection damaged system restore and back up, and waited for a second problem to prompt me to try a restore, after which the full nastiness was released.

 

Seemed to begin with detection of win32.downloaded.gen

spybot detected and said it removed it. Deep scan with Avast and with malwarebytes and malicious software removal tool found nothing.

firefox still seemed to be getting slower and slower, so I tried system restore, but got the can't find c:\ error.

Despite sr saying it had changed nothing, my colour schemes and appearances were all different afterwards.

 

Found a hotfix about the c:\ error message; installed it but still the restore points don't work.  Don't know how to test system restore after the hotfix, without a restore point, and don't want to make restore points if they will include malware...

Tried to back up files to an external drive, but, though explorer could see the drive, backup said I didn't have permission to use it.

The basic HP backup option could not even see the drive. (I have managed to back up my obvious files manually with copy in explorer.)

I had images on the external drive made both with the windows tool and ReDoBackup and Recovery, but neither restore function could see the images on the drive; even though explorer can.

 

Ran adwcleaner: it did remove some things but didn't seem to make any difference.

colour schemes of firefox and explorer changed; web site colours all look wrong and generally primitive

notepad icons changed to piece of paper and don't change back when notepad is reselected as default.

permissions on the event log were wiped so that it would not start--leading to loss of connection via phone tether.

pdfs and docs changed to generic icon
_____________________

 

As per instructions here:

downloaded dds.scr but it disappeared when dragged to desktop so I downloaded dds.com which did show up on desktop.

dds.com seemed to run ok.  Text files attached.

 

dds.txt  

attach.txt

 

Very grateful for any help that could be provided.  I thought I had taken a lot of care with security and updates and back ups, so to get caught out like this is quite a blow. :-(  (Idiot that I am!)
 


Disappointed that nobody replied to my earlier post.

 

If anyone is reading, it might be useful for them to know a bit more.

 

After my post, things continued to go wrong.
Symptoms thus:

System restore gets error about not being able to find c:\, but only after it has mucked up some settings.

Backup gives similar errors.
Third party backup, doesn't see external drive, or says can't access.

Windows and browser design settings all change: websites look primitive, blurry, and in the wrong colours.

 

A day later I find I can't connect to the internet through tethered phone because certain services won't start.  Can still connect via router.

Then many (mostly MS) icons change to generic icon.  Properties sheets show they have lost targets.  Making new shortcuts doesn't help.

 

Next day, NoSquint browser add on has been disabled; a file has moved from one side of my desktop to the other; and, in my Classic Shell enhanced Explorer, the tool bar has moved from right to left.

 

Some sleuthing finds that:

 

Permissions on the Event Log service have been wiped, so system can't start it.  This is clever, because the services that one uses when connecting via a phone do not have the Event Log service listed in their dependencies.  I was very lucky to find this out, and reset permission and ownership of the log to SYSTEM.  Then it worked.

 

Googling about lost pdf icons eventually gave me the clue to the icon problem, and the answer to many of the other problems then became apparent:  The whole Windows\Installer folder had been wiped!

Very luckily, more reading led me to discover that there were earlier versions of the installer files still on the system, and I was able to copy them back to the correct location: all 4.75 GB of them!

After this, my icons popped back a few at a time, and I was very pleased to find that my windows and browser pages had also become sharp and, apparently, correct again.

Browser has worked smoothly for some time since, but I still don't know if an infection is still present, or if I may be actively being hacked in real time and the hacker has gone to sleep!  How can I find out?

 

Further:  I read that there have been others who had the 'can't find c:\' error, in System Restore, and there was a hotfix available.  I installed this: but how can I tell if System Restore is now working, without trying a restore and screwing things up if it hasn't been fixed?

 

I hope that the above observations may help anyone who gets similar weird things happen to their computers.  I would appreciate at least one reply, please.

 

Attach new dds logs:

dds-140116.txt

attach-140116.txt

 


  • Root Admin

Hello and :welcome:

Please read the following and post back the logs

General P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.

If there is anything that you do not understand kindly ask before proceeding.

If needed please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)
STEP 0

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes

so that your normal security software can then run and clean your computer of infections.

When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies

that stop us from using certain tools. When finished it will display a log file that shows the processes that were

terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot

your computer as any malware processes that are configured to start automatically will just be started again.

Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1

Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.
STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe
STEP 02

Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.
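The instructions above describe what Rkill checks and resets (malware processes, .EXE/.COM/.BAT associations, policies). The following read-only PowerShell script is an added example for this thread; it is not code from Rkill, RogueKiller, ERUNT or ComboFix, and not part of the original posts. It re-checks, without changing anything, the same tamper points that show up later in the Rkill log in this thread (an Image File Execution Options "Debugger" value, Windows Defender switched off by registry value, hijacked executable associations, a HOSTS file Administrators cannot edit), plus the Event Log service ACL the original poster had to repair and whether System Restore points exist. It assumes Windows 7 or later and an elevated PowerShell prompt; the registry paths and file locations are the standard Windows ones.

```powershell
# Added example: read-only triage of the tamper points discussed in this thread.
# Assumes an elevated prompt on Windows 7 or later. Nothing below modifies the system.

$findings = @()

# 1. Image File Execution Options: a "Debugger" value makes Windows launch that
#    program instead of the named executable (Rkill removed one for taskmgr.exe).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO debugger set for $($_.PSChildName): $dbg" }
}

# 2. Windows Defender switched off by registry value (DisableAntiSpyware = 1 in the log).
$wd = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
if ($wd -and $wd.DisableAntiSpyware -eq 1) {
    $findings += 'Windows Defender disabled: DisableAntiSpyware = 1'
}

# 3. Executable associations Rkill reset. On a clean system the open command for
#    exefile, comfile and batfile is exactly "%1" %* ; anything else is a hijack.
foreach ($type in 'exefile', 'comfile', 'batfile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    $cmd = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -ne '"%1" %*') { $findings += "$type open command is '$cmd'" }
}

# 4. HOSTS file: Rkill found Administrators could not edit it. Check the ACL and count
#    active (non-comment) entries. A long list of ad/malware domains pointed at
#    127.0.0.1, like the sample in the log, is what a Spybot "immunize" list looks like;
#    entries that redirect bank or update sites elsewhere are the ones to worry about.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$acl = Get-Acl $hostsPath
$adminWrite = $acl.Access | Where-Object {
    $_.IdentityReference -like '*\Administrators' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
}
if (-not $adminWrite) { $findings += 'Administrators have no write access to the HOSTS file' }
$ipLine = '^\s*(\d{1,3}(\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:.]*)\s+\S'
$active = @(Get-Content $hostsPath | Where-Object { $_ -match $ipLine })
$findings += "HOSTS file has $($active.Count) active entries"

# 5. Event Log service security descriptor. The poster found its permissions wiped so
#    the service could not start; SYSTEM (SY) must hold an Allow ACE in the SDDL.
#    sc.exe (not the PowerShell alias 'sc') prints the descriptor as an SDDL string.
$sddl = (& sc.exe sdshow eventlog) -join ''
if ($sddl -notmatch '\(A;;[^;]*;;;SY\)') {
    $findings += "Event Log service SDDL has no Allow ACE for SYSTEM: $sddl"
}

# 6. System Restore: the poster asked how to tell whether restore points exist without
#    attempting a restore. Get-ComputerRestorePoint lists them (client editions only).
$rp = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
if ($rp.Count -eq 0) { $findings += 'No System Restore points present' }
else { $findings += "$($rp.Count) restore point(s); newest: $($rp[-1].Description)" }

# Report
if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "[*] $_" } }
```

Run it before and after a cleanup tool to see which of these settings the tool actually changed; because it only reads, it is safe to repeat as often as needed. The HOSTS entry count alone is not evidence of infection: the thousands of 127.0.0.1 lines in the log are consistent with an immunization list, which is why Rkill only asks you to review the file rather than flagging it.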

Hi AdvancedSetup (Ron?),

 

Thanks very much for your kind assistance.  The pc has been running suspiciously smoothly today, but I'm not about to trust it yet!

 

A few points in following your instructions:

I notice that exe files seem to disappear when copied to my (visual) desktop, though Explorer does show them.  Has Windows 7 got a default not to allow programmes themselves on the desktop, or is this a left over of my bug?  I notice that rkill said it reassigned the .exe .com and .bat extensions, so, possibly this behaviour may cease when I restart?

 

ERUNT says it backs up the REG, including the user.dat section.  Does this mean there is no need for me to keep copies of my profile ntuser.dat files?  I've lost Outlook mail through corrupted ntuser.dat files before, so if I can rely on ERUNT to save me the trouble of logging in as admin to save my profile that would be handy.

 

ERUNT also installed a thing called NTREGOPT with a link to my desktop (options?), what is this for?

 

Downloading Rogue Killer, this disappeared both from my visible desktop AND from my desktop folder in Explorer when I moved it to the desktop?!  But the disappeared prog files did appear on the desk top after they had been run.  Odd.

 

I ran it from the downloads folder.
You might like to note that the version is out of date, and a new one had to be downloaded from the vendor site.

 

Both rkill and rogue killer noted some entries from my hosts file.  I thought this was meant to just have dodgy sites in, so why does it say to inspect it?  I notice rkill says the hosts folder was another one on which the permissions had been changed, and it reset them.  So, the inference is that something did this in order that these dodgy sites would no longer be checked, is it?

 

rogue killer also seems to list my browser extensions several times.  A glitch?

 

rkill stopped a process of firefox called afom.exe : what is that?

And it deleted taskmgr.exe debugger from the reg.  Was that part of my infection?

 

Anyway, I will attach the various logs and await your attention.

I presume you want me to leave my machine running while I wait.

 

Thanks once again (y)

 

 

Um: there are no options for attaching my text files.  Presumably you mean I have to paste them in.

 

Incidentally, I wonder if you can fix my log in.  I accidentally hit the remember me button, and it will not let me deselect it.

_____________________________________

 

Rkill:

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/17/2014 12:07:03 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe (PID: 2700) [uP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

 * taskmgr.exe debugger. [iFEO Debugger Deleted]

Backup Registry file created at:
 C:\Users\SteveH\Desktop\rkill\rkill-01-17-2014-12-07-14.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.

 * HOSTS file entries found:

  127.0.0.1    www.007guard.com
  127.0.0.1    007guard.com
  127.0.0.1    008i.com
  127.0.0.1    www.008k.com
  127.0.0.1    008k.com
  127.0.0.1    www.00hq.com
  127.0.0.1    00hq.com
  127.0.0.1    010402.com
  127.0.0.1    www.032439.com
  127.0.0.1    032439.com
  127.0.0.1    www.0scan.com
  127.0.0.1    0scan.com
  127.0.0.1    1000gratisproben.com
  127.0.0.1    www.1000gratisproben.com
  127.0.0.1    1001namen.com
  127.0.0.1    www.1001namen.com
  127.0.0.1    www.100888290cs.com
  127.0.0.1    100888290cs.com
  127.0.0.1    100sexlinks.com
  127.0.0.1    www.100sexlinks.com

  20 out of 15490 HOSTS entries shown.
  Please review HOSTS file for further entries.

Program finished at: 01/17/2014 12:08:58 AM
Execution time: 0 hours(s), 1 minute(s), and 55 seconds(s)

______________________________________________

 

RKreport:

RogueKiller V8.8.1 _x64_ [Jan 14 2014] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : SteveH [Admin rights]
Mode : Scan -- Date : 01/17/2014 01:11:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com
127.0.0.1    www.0scan.com
127.0.0.1    0scan.com
127.0.0.1    1000gratisproben.com
127.0.0.1    www.1000gratisproben.com
127.0.0.1    1001namen.com
127.0.0.1    www.1001namen.com
127.0.0.1    www.100888290cs.com
127.0.0.1    100888290cs.com
127.0.0.1    100sexlinks.com
127.0.0.1    www.100sexlinks.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) TOSHIBA MK3276GSX SATA Disk Device +++++
--- User ---
[MBR] 77ea3e2de9a0404dbb11b8f1c56235d7
[bSP] 1edc931bc46ee562f1e5842eabd54a37 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 277744 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 569229312 | Size: 23237 Mo
3 - [XXXXXX] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 616818688 | Size: 4063 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_01172014_011115.txt >>

__________________________________________________

 


  • Root Admin

ERUNT should be able to backup your hive files just fine as long as it's run with Administrator rights.

NTREGOPT is a tool to defrag the registry - you can ignore it.

I think you probably have some type of infection bothering the system for downloads based on your information. Let me have you run the following and we'll see if it can clean it up for us.

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here: C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

Thank you so much for your help.  However, I am now getting quite scared.

I ran Combofix, and all seemed to be running very quietly and smoothly, with even my google visited links remaining coloured whereas they had not been doing so recently (possibly indicates my security is no longer as good, thinking about it!).

 

But suddenly, I found that NoSquint's control panel could no longer get focus over the browser.

Then, while I was looking into this, my entire notification area disappeared!

Restarting with networking off gets both the NA and NoSquint properly back, but I am now scared to remain on line, as it may be that someone has remote control of my machine and is actively playing with my settings.  What do you think?

 

Here is the Combofix log:

ComboFix 14-01-16.03 - SteveH 17/01/2014  17:23:20.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.3689.2311 [GMT 0:00]
Running from: c:\users\SteveH\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\windows\SysWow64\Packet.dll
c:\windows\SysWow64\pthreadVC.dll
c:\windows\SysWow64\wpcap.dll
c:\windows\wininit.ini
C:\Windows6.1-KB2709289-x64.msu
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Service_npf
.
.
(((((((((((((((((((((((((   Files Created from 2013-12-17 to 2014-01-17  )))))))))))))))))))))))))))))))
.
.
2014-01-17 00:38 . 2014-01-17 00:39    --------    d-----w-    c:\program files (x86)\ERUNT
2014-01-15 21:52 . 2014-01-15 22:43    --------    d-sh--w-    c:\windows\Installer
2014-01-15 15:13 . 2013-11-27 01:41    53248    ----a-w-    c:\windows\system32\drivers\usbehci.sys
2014-01-15 15:13 . 2013-11-27 01:41    325120    ----a-w-    c:\windows\system32\drivers\usbport.sys
2014-01-15 15:12 . 2013-11-27 01:41    343040    ----a-w-    c:\windows\system32\drivers\usbhub.sys
2014-01-15 15:12 . 2013-11-27 01:41    99840    ----a-w-    c:\windows\system32\drivers\usbccgp.sys
2014-01-15 15:12 . 2013-11-27 01:41    25600    ----a-w-    c:\windows\system32\drivers\usbohci.sys
2014-01-15 15:12 . 2013-11-27 01:41    30720    ----a-w-    c:\windows\system32\drivers\usbuhci.sys
2014-01-15 15:12 . 2013-11-27 01:41    7808    ----a-w-    c:\windows\system32\drivers\usbd.sys
2014-01-15 15:12 . 2013-11-26 10:32    3156480    ----a-w-    c:\windows\system32\win32k.sys
2014-01-15 15:12 . 2013-11-26 11:40    376768    ----a-w-    c:\windows\system32\drivers\netio.sys
2014-01-14 19:59 . 2014-01-15 20:50    --------    d-----w-    C:\AdwCleaner
2014-01-13 04:37 . 2014-01-13 04:37    --------    d-s---w-    c:\windows\SysWow64\Microsoft
2014-01-10 01:03 . 2014-01-10 01:10    --------    d-----w-    c:\windows\mozilla-temp-files
2014-01-07 19:55 . 2014-01-17 04:24    --------    d-----w-    c:\users\SteveH\AppData\Roaming\vlc
2014-01-07 19:15 . 2014-01-07 19:15    --------    d-----w-    c:\users\SteveH\AppData\Roaming\Process Hacker 2
2014-01-07 18:51 . 2014-01-07 18:51    --------    d-----w-    c:\program files\Process Hacker 2
2014-01-06 19:23 . 2014-01-06 19:23    4558848    ----a-w-    c:\windows\SysWow64\GPhotos.scr
2014-01-03 16:40 . 2014-01-03 16:40    --------    d-----w-    c:\users\SteveH\AppData\Local\VS Revo Group
2014-01-03 16:39 . 2014-01-03 16:39    --------    d-----w-    c:\programdata\VS Revo Group
2014-01-03 16:39 . 2009-12-30 10:21    31800    ----a-w-    c:\windows\system32\drivers\revoflt.sys
2014-01-03 16:39 . 2014-01-03 16:39    --------    d-----w-    c:\program files\VS Revo Group
2014-01-03 16:32 . 2014-01-03 16:32    --------    d-----w-    c:\program files (x86)\VS Revo Group
2013-12-21 20:12 . 2013-12-21 20:12    --------    d-----w-    c:\users\SteveH\AppData\Roaming\AVAST Software
2013-12-21 20:08 . 2013-12-21 20:08    71048    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-12-21 20:08 . 2013-12-21 20:08    692616    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2013-12-21 19:58 . 2013-12-21 20:29    79672    ----a-w-    c:\windows\system32\drivers\aswstm.sys
2013-12-20 21:43 . 2013-12-20 21:43    --------    d-----w-    c:\users\SteveH\AppData\Roaming\OpenOffice
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-15 15:14 . 2012-05-03 16:30    86054176    ----a-w-    c:\windows\system32\MRT.exe
2013-12-21 19:58 . 2013-03-03 02:09    207904    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2013-12-21 19:58 . 2013-03-03 02:09    65776    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2013-12-21 19:58 . 2012-04-28 18:22    1034464    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2013-12-21 19:58 . 2012-04-28 18:22    422216    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2013-12-21 19:58 . 2012-04-28 18:22    92544    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2013-12-21 19:58 . 2012-04-28 18:22    78648    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2013-12-21 19:58 . 2012-04-28 18:22    334136    ----a-w-    c:\windows\system32\aswBoot.exe
2013-12-21 19:58 . 2012-04-28 18:22    43152    ----a-w-    c:\windows\avastSS.scr
2013-12-19 13:11 . 2012-04-28 18:22    64288    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2013-12-08 22:23 . 2013-12-08 22:23    108968    ----a-w-    c:\windows\system32\WindowsAccessBridge-64.dll
2013-12-08 22:23 . 2013-12-08 22:24    312744    ----a-w-    c:\windows\system32\javaws.exe
2013-12-08 22:23 . 2013-12-08 22:23    189352    ----a-w-    c:\windows\system32\javaw.exe
2013-12-08 22:23 . 2013-12-08 22:23    189352    ----a-w-    c:\windows\system32\java.exe
2013-12-08 22:06 . 2013-12-08 22:06    96168    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-11-26 11:54 . 2013-12-12 12:46    23183360    ----a-w-    c:\windows\system32\mshtml.dll
2013-11-26 10:19 . 2013-12-12 12:46    2724864    ----a-w-    c:\windows\system32\mshtml.tlb
2013-11-26 10:18 . 2013-12-12 12:46    4096    ----a-w-    c:\windows\system32\ieetwcollectorres.dll
2013-11-26 09:48 . 2013-12-12 12:46    66048    ----a-w-    c:\windows\system32\iesetup.dll
2013-11-26 09:46 . 2013-12-12 12:46    48640    ----a-w-    c:\windows\system32\ieetwproxystub.dll
2013-11-26 09:41 . 2013-12-12 12:46    2764288    ----a-w-    c:\windows\system32\iertutil.dll
2013-11-26 09:29 . 2013-12-12 12:46    53760    ----a-w-    c:\windows\system32\jsproxy.dll
2013-11-26 09:27 . 2013-12-12 12:46    33792    ----a-w-    c:\windows\system32\iernonce.dll
2013-11-26 09:23 . 2013-12-12 12:46    2724864    ----a-w-    c:\windows\SysWow64\mshtml.tlb
2013-11-26 09:21 . 2013-12-12 12:46    574976    ----a-w-    c:\windows\system32\ieui.dll
2013-11-26 09:18 . 2013-12-12 12:46    139264    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-11-26 09:18 . 2013-12-12 12:46    111616    ----a-w-    c:\windows\system32\ieetwcollector.exe
2013-11-26 09:16 . 2013-12-12 12:46    708608    ----a-w-    c:\windows\system32\jscript9diag.dll
2013-11-26 08:57 . 2013-12-12 12:46    218624    ----a-w-    c:\windows\system32\ie4uinit.exe
2013-11-26 08:35 . 2013-12-12 12:46    5769216    ----a-w-    c:\windows\system32\jscript9.dll
2013-11-26 08:28 . 2013-12-12 12:46    553472    ----a-w-    c:\windows\SysWow64\jscript9diag.dll
2013-11-26 08:16 . 2013-12-12 12:46    4243968    ----a-w-    c:\windows\SysWow64\jscript9.dll
2013-11-26 08:02 . 2013-12-12 12:46    1995264    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-11-26 07:48 . 2013-12-12 12:46    12996608    ----a-w-    c:\windows\system32\ieframe.dll
2013-11-26 07:32 . 2013-12-12 12:46    1928192    ----a-w-    c:\windows\SysWow64\inetcpl.cpl
2013-11-26 07:07 . 2013-12-12 12:46    2334208    ----a-w-    c:\windows\system32\wininet.dll
2013-11-26 06:40 . 2013-12-12 12:46    1395200    ----a-w-    c:\windows\system32\urlmon.dll
2013-11-26 06:34 . 2013-12-12 12:46    817664    ----a-w-    c:\windows\system32\ieapfltr.dll
2013-11-26 06:33 . 2013-12-12 12:46    1820160    ----a-w-    c:\windows\SysWow64\wininet.dll
2013-11-23 18:26 . 2013-12-12 12:39    417792    ----a-w-    c:\windows\SysWow64\WMPhoto.dll
2013-11-23 17:47 . 2013-12-12 12:39    465920    ----a-w-    c:\windows\system32\WMPhoto.dll
2013-11-12 02:23 . 2013-12-12 12:39    2048    ----a-w-    c:\windows\system32\tzres.dll
2013-11-12 02:07 . 2013-12-12 12:39    2048    ----a-w-    c:\windows\SysWow64\tzres.dll
2013-11-11 18:15 . 2013-11-11 18:15    940032    ----a-w-    c:\windows\system32\MsSpellCheckingFacility.exe
2013-11-11 18:15 . 2013-11-11 18:15    194048    ----a-w-    c:\windows\SysWow64\elshyph.dll
2013-11-11 18:15 . 2013-11-11 18:15    71680    ----a-w-    c:\windows\SysWow64\RegisterIEPKEYs.exe
2013-11-11 18:15 . 2013-11-11 18:15    645120    ----a-w-    c:\windows\SysWow64\jsIntl.dll
2013-11-11 18:15 . 2013-11-11 18:15    62464    ----a-w-    c:\windows\SysWow64\tdc.ocx
2013-11-11 18:15 . 2013-11-11 18:15    61952    ----a-w-    c:\windows\SysWow64\iesetup.dll
2013-11-11 18:15 . 2013-11-11 18:15    34816    ----a-w-    c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2013-11-11 18:15 . 2013-11-11 18:15    337408    ----a-w-    c:\windows\SysWow64\html.iec
2013-11-11 18:15 . 2013-11-11 18:15    24576    ----a-w-    c:\windows\SysWow64\licmgr10.dll
2013-11-11 18:15 . 2013-11-11 18:15    235008    ----a-w-    c:\windows\system32\elshyph.dll
2013-11-11 18:15 . 2013-11-11 18:15    182272    ----a-w-    c:\windows\SysWow64\msls31.dll
2013-11-11 18:15 . 2013-11-11 18:15    1051136    ----a-w-    c:\windows\SysWow64\mshtmlmedia.dll
2013-11-11 18:15 . 2013-11-11 18:15    942592    ----a-w-    c:\windows\system32\jsIntl.dll
2013-11-11 18:15 . 2013-11-11 18:15    90112    ----a-w-    c:\windows\system32\SetIEInstalledDate.exe
2013-11-11 18:15 . 2013-11-11 18:15    86016    ----a-w-    c:\windows\SysWow64\iesysprep.dll
2013-11-11 18:15 . 2013-11-11 18:15    86016    ----a-w-    c:\windows\system32\RegisterIEPKEYs.exe
2013-11-11 18:15 . 2013-11-11 18:15    84992    ----a-w-    c:\windows\system32\mshtmled.dll
2013-11-11 18:15 . 2013-11-11 18:15    83968    ----a-w-    c:\windows\system32\MshtmlDac.dll
2013-11-11 18:15 . 2013-11-11 18:15    81408    ----a-w-    c:\windows\system32\icardie.dll
2013-11-11 18:15 . 2013-11-11 18:15    774144    ----a-w-    c:\windows\system32\jscript.dll
2013-11-11 18:15 . 2013-11-11 18:15    77312    ----a-w-    c:\windows\system32\tdc.ocx
2013-11-11 18:15 . 2013-11-11 18:15    74240    ----a-w-    c:\windows\SysWow64\SetIEInstalledDate.exe
2013-11-11 18:15 . 2013-11-11 18:15    626176    ----a-w-    c:\windows\system32\msfeeds.dll
2013-11-11 18:15 . 2013-11-11 18:15    62464    ----a-w-    c:\windows\system32\pngfilt.dll
2013-11-11 18:15 . 2013-11-11 18:15    61952    ----a-w-    c:\windows\SysWow64\MshtmlDac.dll
2013-11-11 18:15 . 2013-11-11 18:15    616104    ----a-w-    c:\windows\system32\ieapfltr.dat
2013-11-11 18:15 . 2013-11-11 18:15    548352    ----a-w-    c:\windows\system32\vbscript.dll
2013-11-11 18:15 . 2013-11-11 18:15    52224    ----a-w-    c:\windows\system32\msfeedsbs.dll
2013-11-11 18:15 . 2013-11-11 18:15    51200    ----a-w-    c:\windows\SysWow64\ieetwproxystub.dll
2013-11-11 18:15 . 2013-11-11 18:15    48640    ----a-w-    c:\windows\SysWow64\mshtmler.dll
2013-11-11 18:15 . 2013-11-11 18:15    48640    ----a-w-    c:\windows\system32\mshtmler.dll
2013-11-11 18:15 . 2013-11-11 18:15    48128    ----a-w-    c:\windows\system32\imgutil.dll
2013-11-11 18:15 . 2013-11-11 18:15    454656    ----a-w-    c:\windows\SysWow64\vbscript.dll
2013-11-11 18:15 . 2013-11-11 18:15    453120    ----a-w-    c:\windows\system32\dxtmsft.dll
2013-11-11 18:15 . 2013-11-11 18:15    413696    ----a-w-    c:\windows\system32\html.iec
2013-11-11 18:15 . 2013-11-11 18:15    40448    ----a-w-    c:\windows\system32\JavaScriptCollectionAgent.dll
2013-11-11 18:15 . 2013-11-11 18:15    36352    ----a-w-    c:\windows\SysWow64\imgutil.dll
2013-11-11 18:15 . 2013-11-11 18:15    30208    ----a-w-    c:\windows\system32\licmgr10.dll
2013-11-11 18:15 . 2013-11-11 18:15    296960    ----a-w-    c:\windows\system32\dxtrans.dll
2013-11-11 18:15 . 2013-11-11 18:15    263376    ----a-w-    c:\windows\system32\iedkcs32.dll
2013-11-11 18:15 . 2013-11-11 18:15    247808    ----a-w-    c:\windows\system32\msls31.dll
2013-11-11 18:15 . 2013-11-11 18:15    243200    ----a-w-    c:\windows\system32\webcheck.dll
2013-11-11 18:15 . 2013-11-11 18:15    235520    ----a-w-    c:\windows\system32\url.dll
2013-11-11 18:15 . 2013-11-11 18:15    195584    ----a-w-    c:\windows\system32\msrating.dll
2013-11-11 18:15 . 2013-11-11 18:15    167424    ----a-w-    c:\windows\system32\iexpress.exe
2013-11-11 18:15 . 2013-11-11 18:15    151552    ----a-w-    c:\windows\SysWow64\iexpress.exe
2013-11-11 18:15 . 2013-11-11 18:15    147968    ----a-w-    c:\windows\system32\occache.dll
2013-11-11 18:15 . 2013-11-11 18:15    143872    ----a-w-    c:\windows\system32\wextract.exe
2013-11-11 18:15 . 2013-11-11 18:15    139264    ----a-w-    c:\windows\SysWow64\wextract.exe
2013-11-11 18:15 . 2013-11-11 18:15    13824    ----a-w-    c:\windows\system32\mshta.exe
2013-11-11 18:15 . 2013-11-11 18:15    135680    ----a-w-    c:\windows\system32\iepeers.dll
2013-11-11 18:15 . 2013-11-11 18:15    13312    ----a-w-    c:\windows\SysWow64\mshta.exe
2013-11-11 18:15 . 2013-11-11 18:15    13312    ----a-w-    c:\windows\system32\msfeedssync.exe
2013-11-11 18:15 . 2013-11-11 18:15    131072    ----a-w-    c:\windows\system32\IEAdvpack.dll
2013-11-11 18:15 . 2013-11-11 18:15    1228800    ----a-w-    c:\windows\system32\mshtmlmedia.dll
2013-11-11 18:15 . 2013-11-11 18:15    112128    ----a-w-    c:\windows\SysWow64\ieUnatt.exe
2013-11-11 18:15 . 2013-11-11 18:15    111616    ----a-w-    c:\windows\SysWow64\IEAdvpack.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-09-28 15:12    220632    ----a-w-    c:\users\SteveH\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-09-28 15:12    220632    ----a-w-    c:\users\SteveH\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-09-28 15:12    220632    ----a-w-    c:\users\SteveH\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ShareOverlay]
@="{594D4122-1F87-41E2-96C7-825FB4796516}"
[HKEY_CLASSES_ROOT\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}]
2013-10-20 17:47    627712    ----a-w-    c:\program files\Classic Shell\ClassicExplorer32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AltDrag"="c:\program files (x86)\AltDrag\AltDrag.exe" [2013-09-13 112640]
"ClipCube"="c:\program files\ClipCube\ClipCube.exe" [2013-10-25 1353728]
"SandboxieControl"="c:\program files\Sandboxie\SbieCtrl.exe" [2013-10-16 759496]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HPQuickWebProxy"="c:\program files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe" [2011-10-08 169528]
"HPOSD"="c:\program files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe" [2011-08-19 379960]
"HP Quick Launch"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2012-03-05 578944]
"HP CoolSense"="c:\program files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe" [2012-11-05 1343904]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2013-09-09 443408]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-12-19 642808]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2013-12-21 3764024]
.
c:\users\SteveH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
always-on-top.exe - Shortcut.lnk - c:\program files\AlwaysOnTop\always-on-top.exe [2008-11-5 203965]
ClipCube.exe - Shortcut.lnk - c:\program files\ClipCube\ClipCube.exe [2013-3-27 1353728]
ResizeEnableRunner.exe - Shortcut.lnk - c:\program files\ResizeEnable\ResizeEnableRunner.exe [2003-12-30 40960]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages    REG_MULTI_SZ       scecli c:\program files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 bcbtums;Bluetooth RAM Firmware Download USB Filter;c:\windows\system32\drivers\bcbtums.sys;c:\windows\SYSNATIVE\drivers\bcbtums.sys [x]
R3 BlackBerry Device Manager;BlackBerry Device Manager;c:\program files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe;c:\program files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [x]
R3 btwampfl;btwampfl Bluetooth filter driver;c:\windows\system32\drivers\btwampfl.sys;c:\windows\SYSNATIVE\drivers\btwampfl.sys [x]
R3 BTWDPAN;Bluetooth Personal Area Network;c:\windows\system32\DRIVERS\btwdpan.sys;c:\windows\SYSNATIVE\DRIVERS\btwdpan.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys;c:\windows\SYSNATIVE\DRIVERS\revoflt.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe;c:\windows\SYSNATIVE\ezSharedSvcHost.exe [x]
R4 FreemakeVideoCapture;FreemakeVideoCapture;c:\program files (x86)\Freemake\CaptureLib\CaptureLibService.exe;c:\program files (x86)\Freemake\CaptureLib\CaptureLibService.exe [x]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys;c:\windows\SYSNATIVE\DRIVERS\amd_xata.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 MxEFUF;Matrox Extio Upper Function Filter;c:\windows\system32\DRIVERS\MxEFUF64.sys;c:\windows\SYSNATIVE\DRIVERS\MxEFUF64.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 HPClientSvc;HP Client Services;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe;c:\program files\Hewlett-Packard\HP Client Services\HPClientServices.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [x]
S3 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2014-01-17 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-21 20:08]
.
2014-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-28 18:22]
.
2014-01-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-28 18:22]
.
2014-01-16 c:\windows\Tasks\HPCeeScheduleForSteveH.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 11:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-09-28 15:12    244696    ----a-w-    c:\users\SteveH\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-09-28 15:12    244696    ----a-w-    c:\users\SteveH\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-09-28 15:12    244696    ----a-w-    c:\users\SteveH\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-12-21 19:58    287280    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ShareOverlay]
@="{594D4122-1F87-41E2-96C7-825FB4796516}"
[HKEY_CLASSES_ROOT\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}]
2013-10-20 17:47    774144    ----a-w-    c:\program files\Classic Shell\ClassicExplorer64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2011-07-01 1128448]
"SetDefault"="c:\program files\Hewlett-Packard\HP LaunchBox\SetDefault.exe" [2011-12-19 44880]
"Classic Start Menu"="c:\program files\Classic Shell\ClassicStartMenu.exe" [2013-10-20 152576]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm

mLocal Page = c:\windows\SysWOW64\blank.htm


IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: network.proxy.type - 2
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
HKLM_Wow6432Node-ActiveSetup-{F5E7D9AF-60F6-4A30-87E3-4EA94D322CE1} - msiexec
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-get_iplayer - c:\program files (x86)\get_iplayer\Uninst.exe
AddRemove-{EE202411-2C26-49E8-9784-1BC1DBF7DE96} - c:\program files (x86)\InstallShield Installation Information\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\CyberLink\YouCam\YCMMirage.exe
.
**************************************************************************
.
Completion time: 2014-01-17  17:54:47 - machine was rebooted
ComboFix-quarantined-files.txt  2014-01-17 17:54
.
Pre-Run: 145,404,006,400 bytes free
Post-Run: 144,646,471,680 bytes free
.
- - End Of File - - BDC61C45824F27ECD0B2D3D58D905C56
A36C5E4F47E84449FF07ED3517B43A31
 


  • Root Admin

Unfortunately malware detection and clean up can sometimes cause unexpected behaviors.  We are not done yet and have more scans to run to get you cleaned up.  Combofix is just a starting point.

 

Please read the following article to hopefully better understand

The complexity of finding, preventing, and cleanup from malware

 

Then Please go ahead and run through the following steps and post back the logs when ready.

STEP 03
Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

STEP 04
Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus



STEP 05
Let's clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.


Then..................

Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.


STEP 06

Please go here to run the online antivirus scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.


 


Hi Ron: After an all night session of scanning, I'm seeing double and I take my hat off to you Sir for being able to understand all this!

 

First a couple of things you should know:

 

I had already run AdwCleaner before I contacted you, so I checked in its quarantine folders and found it had deleted a whole swarm of viruses--mostly regarding audiovisual things--from NCH Software.  There are 26 viruses in all, many of them under a folder called 'Prism'.

I must remember to avoid NCH!

 

Secondly: While waiting for news, I started reading back through the event log and noticed that just prior to the first eventlog service mis-start and its cascade of dependency failures, there was an event: "HP Client services reported 'unknown service request received'".  This was directly followed by: "event 7030 Involving PEVSystemStart."  MS say this code is given when a system tries to interact with the desktop, but can't, because remote desktop was discontinued after Vista.  Was this someone taking control of my system?

 

I ask, because the 'unknown service request' event has repeated, and it happened immediately before I lost the notification area as described above.

 

After the first eventlog failure, my attempts to use system restore failed.  Is system restore dependent on the eventlog service too?

 

 

So to 'today':  Firstly do note that none of the exe tools you say to download to the desktop are actually visible on the desktop until after they have been run.  The last one did not appear on the desktop even after it was run.  If this is not part of my pc malfunction, it will need pointing out to other users.

 

MWB Anti Root-kit:

 

This finds nothing, which is presumably why there was no mbar-log.txt.

 

After I had closed all the windows, I found underneath, a small one saying: "afom memory release failed".

 

Here is the system-log.txt:

 

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1008

© Malwarebytes Corporation 2011-2012

OS version: 6.1.7601 Windows 7 Service Pack 1 x64

Account is Administrative

Internet Explorer version: 11.0.9600.16476

Java version: 1.6.0_45

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, E:\ DRIVE_FIXED
CPU speed: 1.646000 GHz
Memory total: 3868622848, free: 2496806912

Downloaded database version: v2014.01.17.09
Downloaded database version: v2013.12.18.01
=======================================
Initializing...
------------ Kernel report ------------
     01/18/2014 01:04:29
------------ Loaded modules -----------
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\hal.dll
\SystemRoot\system32\kdcom.dll
\SystemRoot\system32\mcupdate_AuthenticAMD.dll
\SystemRoot\system32\PSHED.dll
\SystemRoot\system32\CLFS.SYS
\SystemRoot\system32\CI.dll
\SystemRoot\system32\drivers\Wdf01000.sys
\SystemRoot\system32\drivers\WDFLDR.SYS
\SystemRoot\system32\drivers\ACPI.sys
\SystemRoot\system32\drivers\WMILIB.SYS
\SystemRoot\system32\drivers\msisadrv.sys
\SystemRoot\system32\drivers\pci.sys
\SystemRoot\system32\drivers\vdrvroot.sys
\SystemRoot\system32\DRIVERS\LPCFilter.sys
\SystemRoot\System32\drivers\partmgr.sys
\SystemRoot\system32\drivers\compbatt.sys
\SystemRoot\system32\drivers\BATTC.SYS
\SystemRoot\system32\drivers\volmgr.sys
\SystemRoot\System32\drivers\volmgrx.sys
\SystemRoot\System32\drivers\mountmgr.sys
\SystemRoot\system32\drivers\amdsata.sys
\SystemRoot\system32\drivers\storport.sys
\SystemRoot\system32\drivers\amdxata.sys
\SystemRoot\system32\DRIVERS\amd_sata.sys
\SystemRoot\system32\DRIVERS\amd_xata.sys
\SystemRoot\system32\drivers\fltmgr.sys
\SystemRoot\system32\drivers\fileinfo.sys
\SystemRoot\System32\Drivers\Ntfs.sys
\SystemRoot\System32\Drivers\msrpc.sys
\SystemRoot\System32\Drivers\ksecdd.sys
\SystemRoot\System32\Drivers\cng.sys
\SystemRoot\System32\drivers\pcw.sys
\SystemRoot\System32\Drivers\Fs_Rec.sys
\SystemRoot\system32\drivers\ndis.sys
\SystemRoot\system32\drivers\NETIO.SYS
\SystemRoot\System32\Drivers\ksecpkg.sys
\SystemRoot\System32\drivers\tcpip.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\drivers\wd.sys
\SystemRoot\system32\drivers\volsnap.sys
\SystemRoot\System32\Drivers\spldr.sys
\SystemRoot\System32\drivers\rdyboost.sys
\SystemRoot\system32\DRIVERS\MxEFUF64.sys
\SystemRoot\System32\Drivers\mup.sys
\SystemRoot\System32\drivers\hwpolicy.sys
\SystemRoot\system32\DRIVERS\hpdskflt.sys
\SystemRoot\System32\DRIVERS\fvevol.sys
\SystemRoot\system32\drivers\disk.sys
\SystemRoot\system32\drivers\CLASSPNP.SYS
\SystemRoot\System32\Drivers\aswVmm.sys
\SystemRoot\System32\Drivers\aswRvrt.sys
\??\C:\Windows\system32\drivers\aswSnx.sys
\??\C:\Windows\system32\drivers\aswSP.sys
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\drivers\VIDEOPRT.SYS
\SystemRoot\System32\drivers\watchdog.sys
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\system32\drivers\rdpencdd.sys
\SystemRoot\system32\drivers\rdprefmp.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\tdx.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\System32\Drivers\aswTdi.SYS
\SystemRoot\system32\drivers\afd.sys
\??\C:\Windows\system32\drivers\aswRdr2.sys
\SystemRoot\System32\DRIVERS\netbt.sys
\SystemRoot\system32\drivers\ws2ifsl.sys
\SystemRoot\system32\DRIVERS\wfplwf.sys
\SystemRoot\system32\DRIVERS\pacer.sys
\SystemRoot\system32\DRIVERS\vwififlt.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\drivers\termdd.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\drivers\nsiproxy.sys
\SystemRoot\system32\drivers\mssmbios.sys
\SystemRoot\System32\drivers\discache.sys
\SystemRoot\System32\Drivers\dfsc.sys
\SystemRoot\system32\drivers\blbdrive.sys
\SystemRoot\system32\DRIVERS\tunnel.sys
\SystemRoot\system32\DRIVERS\amdppm.sys
\SystemRoot\system32\DRIVERS\atikmpag.sys
\SystemRoot\system32\DRIVERS\atikmdag.sys
\SystemRoot\System32\Drivers\fastfat.SYS
\SystemRoot\System32\drivers\dxgkrnl.sys
\SystemRoot\System32\drivers\dxgmms1.sys
\SystemRoot\system32\drivers\HDAudBus.sys
\SystemRoot\system32\DRIVERS\usbohci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbfilter.sys
\SystemRoot\system32\drivers\usbehci.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\drivers\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\bcmwl664.sys
\SystemRoot\system32\DRIVERS\vwifibus.sys
\SystemRoot\system32\DRIVERS\Rt64win7.sys
\SystemRoot\system32\DRIVERS\Accelerometer.sys
\SystemRoot\system32\drivers\CmBatt.sys
\SystemRoot\system32\drivers\wmiacpi.sys
\SystemRoot\system32\drivers\CompositeBus.sys
\SystemRoot\system32\DRIVERS\clwvd.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\drivers\ksthunk.sys
\SystemRoot\System32\Drivers\RootMdm.sys
\SystemRoot\system32\drivers\modem.sys
\SystemRoot\system32\DRIVERS\AgileVpn.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\rassstp.sys
\SystemRoot\system32\DRIVERS\RimSerial_AMD64.sys
\SystemRoot\system32\drivers\swenum.sys
\SystemRoot\system32\DRIVERS\umbus.sys
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\drivers\AtihdW76.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\DRIVERS\stwrt64.sys
\SystemRoot\System32\Drivers\crashdmp.sys
\SystemRoot\System32\Drivers\dump_diskdump.sys
\SystemRoot\System32\Drivers\dump_amd_sata.sys
\SystemRoot\System32\Drivers\dump_dumpfve.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\Drivers\RtsUStor.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\System32\Drivers\usbvideo.sys
\SystemRoot\system32\DRIVERS\monitor.sys
\SystemRoot\System32\TSDDD.dll
\SystemRoot\System32\cdd.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\system32\drivers\luafv.sys
\??\C:\Windows\system32\drivers\aswMonFlt.sys
\??\C:\Program Files\Sandboxie\SbieDrv.sys
\SystemRoot\system32\DRIVERS\lltdio.sys
\SystemRoot\system32\DRIVERS\nwifi.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\rspndr.sys
\SystemRoot\system32\drivers\HTTP.sys
\SystemRoot\system32\DRIVERS\bowser.sys
\SystemRoot\System32\drivers\mpsdrv.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\system32\DRIVERS\mrxsmb10.sys
\SystemRoot\system32\DRIVERS\mrxsmb20.sys
\SystemRoot\system32\drivers\peauth.sys
\SystemRoot\System32\Drivers\secdrv.SYS
\SystemRoot\System32\DRIVERS\srvnet.sys
\SystemRoot\System32\drivers\tcpipreg.sys
\SystemRoot\System32\DRIVERS\srv2.sys
\SystemRoot\System32\DRIVERS\srv.sys
\??\C:\Windows\system32\drivers\aswStm.sys
\??\C:\Windows\system32\Drivers\PROCEXP152.SYS
\SystemRoot\System32\Drivers\RimUsb_AMD64.sys
\SystemRoot\system32\DRIVERS\USBSTOR.SYS
\SystemRoot\system32\drivers\WudfPf.sys
\SystemRoot\system32\DRIVERS\WUDFRd.sys
\SystemRoot\system32\DRIVERS\asyncmac.sys
\??\C:\Windows\system32\drivers\mbamchameleon.sys
\??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
\Windows\System32\ntdll.dll
\Windows\System32\smss.exe
\Windows\System32\apisetschema.dll
\Windows\System32\autochk.exe
\Windows\System32\imm32.dll
\Windows\System32\difxapi.dll
\Windows\System32\ws2_32.dll
\Windows\System32\shlwapi.dll
\Windows\System32\normaliz.dll
\Windows\System32\iertutil.dll
\Windows\System32\sechost.dll
\Windows\System32\nsi.dll
\Windows\System32\Wldap32.dll
\Windows\System32\psapi.dll
\Windows\System32\clbcatq.dll
\Windows\System32\lpk.dll
\Windows\System32\rpcrt4.dll
\Windows\System32\user32.dll
\Windows\System32\msvcrt.dll
\Windows\System32\ole32.dll
\Windows\System32\setupapi.dll
\Windows\System32\wininet.dll
\Windows\System32\kernel32.dll
\Windows\System32\msctf.dll
\Windows\System32\comdlg32.dll
\Windows\System32\urlmon.dll
\Windows\System32\shell32.dll
\Windows\System32\advapi32.dll
\Windows\System32\usp10.dll
\Windows\System32\gdi32.dll
\Windows\System32\oleaut32.dll
\Windows\System32\imagehlp.dll
\Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
\Windows\System32\KernelBase.dll
\Windows\System32\cfgmgr32.dll
\Windows\System32\comctl32.dll
\Windows\System32\crypt32.dll
\Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
\Windows\System32\wintrust.dll
\Windows\System32\devobj.dll
\Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
\Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
\Windows\System32\msasn1.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk1\DR1
Upper Device Object: 0xfffffa800460b790
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000008b\
Lower Device Object: 0xfffffa800404db60
Lower Device Driver Name: \Driver\USBSTOR\
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa800400a060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000006a\
Lower Device Object: 0xfffffa8003c87060
Lower Device Driver Name: \Driver\amd_sata\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa800400a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa800400aab0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800400a060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa8004009b10, DeviceName: Unknown, DriverName: \Driver\hpdskflt\
DevicePointer: 0xfffffa8003206a30, DeviceName: Unknown, DriverName: \Driver\amd_xata\
DevicePointer: 0xfffffa8003c87760, DeviceName: Unknown, DriverName: \Driver\ACPI\
DevicePointer: 0xfffffa8003c87060, DeviceName: \Device\0000006a\, DriverName: \Driver\amd_sata\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: CEC4B1B2

Partition information:

    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 407552
    Partition file system is NTFS
    Partition is bootable

    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 409600  Numsec = 568819712

    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 569229312  Numsec = 47589376

    Partition 3 type is Other (0xc)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 616818688  Numsec = 8321712

Disk Size: 320072933376 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-2047-625122448-625142448)...
Done!
Physical Sector Size: 0
Drive: 1, DevicePointer: 0xfffffa800460b790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa8003fe0040, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa800460b790, DeviceName: \Device\Harddisk1\DR1\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa800404db60, DeviceName: \Device\0000008b\, DriverName: \Driver\USBSTOR\
------------ End ----------
Scan finished
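The partition table MBAR printed above can be checked independently of the tool. What follows is an added example, not code from the original post or from MBAR: it builds a 512-byte MBR from the values in the log (a constructed stand-in, with the boot code zeroed and the CHS fields left blank), parses it back the way any MBR reader does, then works out which sectors no partition entry claims and runs the sanity checks a bootkit hunt starts with (exactly one active partition, no overlapping entries, nothing running past the end of the disk). The function names and the list of checks are this example's own.

```python
import struct

SECTOR = 512
DISK_SIZE_BYTES = 320072933376   # "Disk Size" from the MBAR log
DISK_SIGNATURE = 0xCEC4B1B2      # "Disk Signature" from the MBAR log

# (boot flag, type, start LBA, sector count), transcribed from the log
LOG_PARTITIONS = [
    (0x80, 0x07, 2048, 407552),        # NTFS, ACTIVE (boot partition)
    (0x00, 0x07, 409600, 568819712),   # NTFS (C:)
    (0x00, 0x07, 569229312, 47589376), # NTFS
    (0x00, 0x0C, 616818688, 8321712),  # FAT32 LBA ("Other (0xc)" in the log)
]


def build_mbr(partitions, disk_sig):
    """Construct a 512-byte MBR sector from a list of entries (test input only).

    Boot code stays zeroed and CHS fields are left blank; modern tools, and
    this parser, use only the LBA fields.
    """
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 0x1B8, disk_sig)
    for i, (boot, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", mbr, 0x1BE + 16 * i,
                         boot, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(sector):
    """Return (disk signature, list of non-empty partition entries)."""
    if len(sector) != SECTOR or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    disk_sig = struct.unpack_from("<I", sector, 0x1B8)[0]
    entries = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, 0x1BE + 16 * i)
        if ptype == 0 and count == 0:
            continue  # empty slot
        entries.append({"index": i, "active": boot == 0x80, "type": ptype,
                        "start": lba, "count": count, "end": lba + count})
    return disk_sig, entries


def unpartitioned_ranges(entries, total_sectors):
    """Inclusive sector ranges claimed by no entry; sector 0 (the MBR) is excluded."""
    gaps = []
    cursor = 1
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["start"] > cursor:
            gaps.append((cursor, e["start"] - 1))
        cursor = max(cursor, e["end"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def check_table(entries, total_sectors):
    """Structural checks a tampered or corrupted table tends to fail."""
    problems = []
    active = [e for e in entries if e["active"]]
    if len(active) != 1:
        problems.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(entries, key=lambda e: e["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end"] > b["start"]:
            problems.append(f"partition {a['index']} overlaps partition {b['index']}")
    for e in entries:
        if e["end"] > total_sectors:
            problems.append(f"partition {e['index']} runs past end of disk")
    return problems


if __name__ == "__main__":
    sig, entries = parse_mbr(build_mbr(LOG_PARTITIONS, DISK_SIGNATURE))
    total = DISK_SIZE_BYTES // SECTOR
    print(f"Disk signature {sig:08X}, {total} sectors")
    for e in entries:
        print(f"  partition {e['index']}: type 0x{e['type']:02x} LBA {e['start']}..{e['end'] - 1}"
              f"{' ACTIVE' if e['active'] else ''}")
    print("unpartitioned:", unpartitioned_ranges(entries, total))
    print("problems:", check_table(entries, total) or "none")
```

From the table in the log the strictly unpartitioned sectors are 1-2047 and 625140400-625142447. The tail window MBAR reports scanning (625122448-625142448) starts earlier than that; the scan window is the tool's own, the table only accounts for the gap computed here. On a live Windows system the real sector comes from reading the first 512 bytes of `\\.\PhysicalDrive0` from an elevated prompt, and the parser above can be pointed at those bytes unchanged.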

Next comes Junkware Removal Tool

 

It starts by backing up my registry (Full?) to ERUNT.  [Presumably I need to delete all these 'backups' if I can find them again, after we've finished?]

 

A little surprised to find that JRT, along with removing mysterious reg keys for 'caphyon' and two for 'searchScopes', also removed what I had thought was a built-in search assistant for searching YouTube?

None of these progs seem to like my Firefox profile preferences, and all seem to remove 'prefs.js'.  Why is this?

I appear to be getting into some trouble with FF!

 

Here is JRT.txt:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.0 (01.07.2014:1)
OS: Windows 7 Home Premium x64
Ran by SteveH on 18/01/2014 at  1:45:22.15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\caphyon
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{67B3D6D9-A186-4164-8FDA-1E215311B07A}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{67B3D6D9-A186-4164-8FDA-1E215311B07A}



~~~ Files



~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{014A490C-3B89-4C41-9B4B-14C7C7C51321}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{0822D0F8-366A-45C5-AEC4-A2ABAE82A1DF}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{22CBF769-3929-4B45-931C-E89E18E46CAA}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{241BC725-6819-4872-9C5A-B7D6E9F0A356}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{25983774-A998-46DA-ACEA-BC3CAA863CC9}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{2EB9AD35-25BF-4258-80B7-F7FF1E98CF80}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{2FDD7E16-E33D-455C-89AA-3981FDA96632}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{3ACE67A8-BFA7-465D-836B-17C7E57538D4}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{4D411108-168D-4F5B-AEB3-E03F8A1A8CB1}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{4EF392B6-CA9F-4C57-99F9-E7FE4E046B74}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{5E416379-0E2E-45FF-A50D-61713A9285F6}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{60FDF030-02DF-4DE9-B0A4-64DEC9D22551}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{6396B08B-99F8-4B25-8696-706D9911808C}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{6D6BEE53-1273-4E42-93C5-76FB2C4B54A3}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{6F71CD3D-D52E-49ED-8FBE-91BD7039C93B}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{76891141-2C70-4BF5-866F-3956EE2EEDDA}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{8DF1CAB5-6D77-4726-AD26-5216073342FD}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{947234C4-F34F-4B33-9819-F384722C5E7E}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{A0EE02A6-735E-45EE-8206-869BD2FC82C2}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{A932DA35-817C-423D-8ED5-103F107A8BDB}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{B5E089FB-C71B-4A41-B079-08BA115490EC}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{BD25C462-DE4F-4E57-A3A1-1A7D0B60928C}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{DA4DD97D-395D-4D2C-A2A8-8FB8653A8C70}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{DC8221F9-12AE-4FE2-BF09-F18FB7A84F9A}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{DF087359-8D19-4582-8A7B-AB37AF59AB13}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{DF9168A3-1C7D-4193-A555-6E1E0E334481}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{E14A98DB-083E-431A-9E51-20EE2D8F7E64}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{E29D4407-F800-4AB5-BBFC-3F9D1407552C}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{E4CA8B4A-ADBF-429A-BF76-B98DFBCDBBEB}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{E71BF24E-2C14-4800-9525-4A458959F168}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{E782371C-E958-4856-8E05-8F1BE67FD4FB}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{E99C4457-E5AB-4D39-B733-539532C78E1A}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{EBDD1A2F-2CD1-4D8F-AFF6-EFEDDF29F472}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{EE400A1A-0312-49C9-95EE-1C9A46C5054E}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{EE8ACE64-5079-424A-9247-A433E52D439B}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{FCD8C50C-4AB5-4D56-BB96-0C3AE48F1FA5}
Successfully deleted: [Empty Folder] C:\Users\SteveH\appdata\local\{FD4D19AE-5509-45E5-B179-3F35B07FC030}



~~~ FireFox

Successfully deleted: [File] C:\Users\SteveH\AppData\Roaming\mozilla\firefox\profiles\fbs8n94d.default\searchplugins\youtube-video-search.xml
Successfully deleted the following from C:\Users\SteveH\AppData\Roaming\mozilla\firefox\profiles\fbs8n94d.default\prefs.js

user_pref("socialfixer.100000135923710/cache/bfb_tip_pagelet", "<div style=\"border:2px solid #cccc99;padding:5px;background-color:#ffffcc;-moz-border-radius:5px;-webkit-borde
Emptied folder: C:\Users\SteveH\AppData\Roaming\mozilla\firefox\profiles\fbs8n94d.default\minidumps [17 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 18/01/2014 at  2:09:17.53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




Next, my second run of AdwCleaner

 

This came up clean, but removed my 'prefs.js' again!

 

Rebooted anyway and was surprised to find that my Google search results no longer had the site rating bars beside them?

Incidentally, as I write, a new bug has appeared and is now underlining everything I write!

 

AdwCleaner[s2].txt

 

# AdwCleaner v3.017 - Report created 18/01/2014 at 02:44:17
# Updated 12/01/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : SteveH - STEVEH-HP
# Running from : C:\Users\SteveH\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v27.0 (en-US)

[ File : C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [4621 octets] - [14/01/2014 19:59:31]
AdwCleaner[R1].txt - [948 octets] - [14/01/2014 20:50:51]
AdwCleaner[R2].txt - [1067 octets] - [15/01/2014 20:36:11]
AdwCleaner[R3].txt - [1128 octets] - [15/01/2014 20:49:37]
AdwCleaner[R4].txt - [1135 octets] - [18/01/2014 02:38:22]
AdwCleaner[s0].txt - [4344 octets] - [14/01/2014 20:38:52]
AdwCleaner[s1].txt - [1010 octets] - [14/01/2014 20:53:51]
AdwCleaner[s2].txt - [1057 octets] - [18/01/2014 02:44:17]

########## EOF - C:\AdwCleaner\AdwCleaner[s2].txt - [1117 octets] ##########

MWB Quick Scan

 

Clean

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.01.17.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
SteveH :: STEVEH-HP [administrator]

18/01/2014 03:07:34
mbam-log-2014-01-18 (03-07-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup

| Registry | File System |

Heuristics/Extra | Heuristics/Shuriken

| PUP | PUM
Scan options disabled: P2P
Objects scanned: 212607
Time elapsed: 7 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

  • Root Admin

Caphyon is actually a legit company and has some good products, but they also offer some web popularity software that is a bit more like a PUP (Possibly Unwanted Program) for many, which is why they choose to remove it.

 

The other Firefox preferences are being modified or removed due to add-ons that are questionable and can often help lead to a real infection at some point.

 

Inside the MBAR folder there is a folder named PLUGINS, and inside there is a file named FIXDAMAGE.EXE. Please find that file, then right-click over it and choose "Run as administrator".

 

Then restart the computer and continue on with the other scans and post back those logs when ready.


Now for the Scary one!

 

ESET Online Scanner

 

This has highlighted something I really do not understand about my system.

 

My folder tree seems to have two identical sets of files for my profile?

C:\Documents and Settings\SteveH; and,

C:\Users\SteveH

 

Are there really two identical sets, or is this some weird quirk of the 'Libraries' thing that is SO confusing?

 

ESET finds 2 instances of  'Win32/DownloadAdmin.G' in each of my 'profile branches'.

 

What is more, they are in a folder which I don't remember creating, and which contains several of my frequently used programmes, which I'm pretty sure I would not have filed in any form of 'My Documents'. I have no idea how these files all came together in the same folder. There are several 'previous versions' of this 'IT-Comp-Soft' folder, all made within the last few days.

 

 

ESET-log.txt

 

C:\Documents and Settings\SteveH\Documents\IT-Comp-Soft\cbsidlm-tr1_10a-TimeLeft-ORG-10034817.exe    Win32/DownloadAdmin.G application
C:\Documents and Settings\SteveH\My Documents\IT-Comp-Soft\cbsidlm-tr1_10a-TimeLeft-ORG-10034817.exe    Win32/DownloadAdmin.G application
C:\Users\SteveH\Documents\IT-Comp-Soft\cbsidlm-tr1_10a-TimeLeft-ORG-10034817.exe    Win32/DownloadAdmin.G application
C:\Users\SteveH\My Documents\IT-Comp-Soft\cbsidlm-tr1_10a-TimeLeft-ORG-10034817.exe    Win32/DownloadAdmin.G application

  • Root Admin

No, they are the same folder; it is only a junction point. Odd, though, that ESET would see them as different, as they normally account for that.

 

http://en.wikipedia.org/wiki/NTFS_junction_point

 

 

 

Please run a Full Disk Check on your system drive.  If needed here are some links on how to run a Disk Check.

On Windows XP the disk check log is in the Event Logs under Application with a heading source of  Winlogon
On Windows 7 the disk check log is in the Event Logs under Application with a heading source of  Wininit
On Windows 8 the disk check log is in the Event Logs under Application with a heading source of  Chkdsk

How to Run Disk Check in Windows 7

How to Run Check Disk at Startup in Vista or Windows 7

How to Read the Event Viewer Log for Check Disk (chkdsk) in Vista, Windows 7, and Windows 8
 

 

 

After you've run the Disk Check then run a temporary file cleaner.  Disable your antivirus and MBAM while running it.

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

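The four ESET hits above are one file reached by four names, as the reply says. As an added example (not the original poster's, the forum's, or ESET's code), this Python script builds a miniature copy of that layout in a temporary directory, with symlinks standing in for the NTFS junctions 'Documents and Settings' -> 'Users' and 'My Documents' -> 'Documents', collapses the four reported paths down to the single file they denote by device and inode, and lists the link points a scanner walking the tree would have to notice. The file name is taken from the log; the placeholder bytes written to it and the helper names are this example's own.

```python
import os
import tempfile

# File name transcribed from the ESET log; the bytes written are a constructed stand-in.
DETECTED_NAME = "cbsidlm-tr1_10a-TimeLeft-ORG-10034817.exe"


def make_constructed_profile(root):
    """Build a miniature copy of the layout in the log under a temp root.

    Symlinks stand in for the two NTFS junctions Windows creates for
    compatibility: 'Documents and Settings' -> 'Users' and
    'My Documents' -> 'Documents'.  Only one real file exists.
    """
    real_dir = os.path.join(root, "Users", "SteveH", "Documents", "IT-Comp-Soft")
    os.makedirs(real_dir)
    with open(os.path.join(real_dir, DETECTED_NAME), "wb") as f:
        f.write(b"MZ constructed placeholder, not the flagged binary")
    os.symlink(os.path.join(root, "Users"),
               os.path.join(root, "Documents and Settings"), target_is_directory=True)
    os.symlink(os.path.join(root, "Users", "SteveH", "Documents"),
               os.path.join(root, "Users", "SteveH", "My Documents"), target_is_directory=True)


def reported_paths(root):
    """The four paths ESET listed, re-rooted under the constructed tree."""
    return [
        os.path.join(root, "Documents and Settings", "SteveH", "Documents", "IT-Comp-Soft", DETECTED_NAME),
        os.path.join(root, "Documents and Settings", "SteveH", "My Documents", "IT-Comp-Soft", DETECTED_NAME),
        os.path.join(root, "Users", "SteveH", "Documents", "IT-Comp-Soft", DETECTED_NAME),
        os.path.join(root, "Users", "SteveH", "My Documents", "IT-Comp-Soft", DETECTED_NAME),
    ]


def dedupe_by_identity(paths):
    """Group reported paths by the file they actually denote.

    os.stat follows symlinks (and junctions on Windows), so (st_dev, st_ino)
    identifies the underlying file whichever alias was used to reach it.
    """
    groups = {}
    for p in paths:
        st = os.stat(p)
        groups.setdefault((st.st_dev, st.st_ino), []).append(p)
    return groups


def link_points(root):
    """Walk without following links; return base names of linked directories.

    On Windows before Python 3.12, os.path.islink is False for junctions
    (os.path.isjunction covers them from 3.12 on); POSIX symlinks work as-is.
    """
    found = []
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        for d in dirnames:
            if os.path.islink(os.path.join(dirpath, d)):
                found.append(d)
    return sorted(found)


def demo():
    """Reproduce the log: four reports, one file, two link points."""
    with tempfile.TemporaryDirectory() as root:
        make_constructed_profile(root)
        groups = dedupe_by_identity(reported_paths(root))
        return {
            "unique_files": len(groups),
            "reports_per_file": sorted(len(v) for v in groups.values()),
            "links": link_points(root),
        }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the cleanup is that removing the file through any one of the four paths removes the single underlying file, so a second pass reports nothing. A scanner that walks the tree while following junctions will count the same file once per alias, which is what the ESET log shows; walking with link-following off and resolving each hit to its real path avoids both the duplicate reports and the risk of looping through a junction that points back up the tree.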

I already have the other scans Ron (y):

 

Farbar runs quickly: It is the one exe that has NOT shown up on my desktop after running.

 

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-01-2014 03
Ran by SteveH (administrator) on STEVEH-HP on 18-01-2014 05:43:42
Running from C:\Users\SteveH\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\System32\atiesrxx.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Safer Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Sysinternals - www.sysinternals.com) C:\Program Files\ProcessExplorer\procexp.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar1.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Sysinternals - www.sysinternals.com) C:\Program Files\ProcessExplorer\procexp64.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files\Hewlett-Packard\HP LaunchBox\HPTaskBar2.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
() C:\Program Files\ClipCube\ClipCube.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieCtrl.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
() C:\Program Files\AlwaysOnTop\always-on-top.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
() C:\Program Files\ResizeEnable\ResizeEnableRunner.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(IDEVFH) C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B}\components\afom.exe
(Research In Motion Limited) C:\Program Files (x86)\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
(Microsoft Corporation) C:\Program Files (x86)\Internet Explorer\ielowutil.exe


==================== Registry (Whitelisted) ==================

HKLM\...\Run: [sysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [1128448 2011-07-01] (IDT, Inc.)
HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2885904 2013-02-03] (Synaptics Incorporated)
HKLM\...\Run: [setDefault] - C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe [44880 2011-12-19] (Hewlett-Packard Development Company, L.P.)
HKLM\...\Run: [Classic Start Menu] - C:\Program Files\Classic Shell\ClassicStartMenu.exe [152576 2013-10-20] (IvoSoft)
HKLM-x32\...\Run: [HPQuickWebProxy] - C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe [169528 2011-10-08] (Hewlett-Packard Company)
HKLM-x32\...\Run: [HPOSD] - C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe [379960 2011-08-19] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Quick Launch] - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [578944 2012-03-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP CoolSense] - C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1343904 2012-11-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] - C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [443408 2013-09-09] (Research In Motion Limited)
HKLM-x32\...\Run: [startCCC] - C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642808 2012-12-19] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM-x32\...\Run: [AvastUI.exe] - C:\Program Files\AVAST Software\Avast\AvastUI.exe [3764024 2013-12-21] (AVAST Software)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
HKCU\...\Run: [spybotSD TeaTimer] - C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKCU\...\Run: [AltDrag] - C:\Program Files (x86)\AltDrag\AltDrag.exe [112640 2013-09-13] (Stefan Sundin)
HKCU\...\Run: [ClipCube] - C:\Program Files\ClipCube\ClipCube.exe [1353728 2013-10-25] ()
HKCU\...\Run: [sandboxieControl] - C:\Program Files\Sandboxie\SbieCtrl.exe [759496 2013-10-16] (Sandboxie Holdings, LLC)
Lsa: [Notification Packages] scecli C:\Program Files\WIDCOMM\Bluetooth Software\BtwProximityCP.dll
Startup: C:\Users\SteveH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\always-on-top.exe - Shortcut.lnk
ShortcutTarget: always-on-top.exe - Shortcut.lnk -> C:\Program Files\AlwaysOnTop\always-on-top.exe ()
Startup: C:\Users\SteveH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ClipCube.exe - Shortcut.lnk
ShortcutTarget: ClipCube.exe - Shortcut.lnk -> C:\Program Files\ClipCube\ClipCube.exe ()
Startup: C:\Users\SteveH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ResizeEnableRunner.exe - Shortcut.lnk
ShortcutTarget: ResizeEnableRunner.exe - Shortcut.lnk -> C:\Program Files\ResizeEnable\ResizeEnableRunner.exe ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {67B3D6D9-A186-4164-8FDA-1E215311B07A} URL = http://www.amazon.co.uk/s/ref=azs_osd_ieauk?ie=UTF-8&tag=hp-uk3-vsb-21&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-111095-2958-3/4?mpre=http://www.ebay.co.uk/sch/i.html?_nkw={searchTerms}
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-111095-2958-3/4?mpre=http://www.ebay.co.uk/sch/i.html?_nkw={searchTerms}
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/710-111095-2958-3/4?mpre=http://www.ebay.co.uk/sch/i.html?_nkw={searchTerms}
BHO: avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: ExplorerBHO Class - {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
BHO: SteadyVideoBHO Class - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO: ClassicIEBHO Class - {EA801577-E6AD-4BD5-8F71-4BE0154331A4} - C:\Program Files\Classic Shell\ClassicIEDLL_64.dll (IvoSoft)
BHO-x32: ExplorerBHO Class - {449D0D6E-2412-4E61-B68F-1CB625CD9E52} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
BHO-x32: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: SteadyVideoBHO Class - {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} - C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
BHO-x32: ClassicIEBHO Class - {EA801577-E6AD-4BD5-8F71-4BE0154331A4} - C:\Program Files\Classic Shell\ClassicIEDLL_32.dll (IvoSoft)
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll (IvoSoft)
Toolbar: HKLM - avast! Online Security - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll (IvoSoft)
Toolbar: HKLM-x32 - avast! Online Security - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Tcpip\..\Interfaces\{284FB188-13D7-4EE3-BDF9-DB3CCA4B9E0B}: [NameServer]149.254.230.7 149.254.199.126

FireFox:
========
FF ProfilePath: C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default
FF NetworkProxy: "autoconfig_url", "http://clientconfig.immunicity.org/pacs/all.pac"
FF NetworkProxy: "type", 2
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_9_900_170.dll ()
FF Plugin: @java.com/DTPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_9_900_170.dll ()
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1206147.dll (Adobe Systems, Inc.)
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 - C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=10.45.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @RIM.com/WebSLLauncher,version=1.0 - C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.1 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\searchplugins\amazon-couk.xml
FF SearchPlugin: C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\searchplugins\cambridge-advanced-learners-dictionary.xml
FF SearchPlugin: C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\searchplugins\dailymotion.xml
FF SearchPlugin: C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\searchplugins\dictionarycom.xml
FF SearchPlugin: C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\searchplugins\the-free-dictionary.xml
FF SearchPlugin: C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\searchplugins\urban-dictionary.xml
FF SearchPlugin: C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\searchplugins\wikisource-en.xml
FF SearchPlugin: C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\searchplugins\wiktionary-en.xml
FF Extension: DoNotTrackMe: Online Privacy Protection - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\donottrackplus@abine.com [2014-01-03]
FF Extension: British English Dictionary - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\en-GB@dictionaries.addons.mozilla.org [2012-07-31]
FF Extension: Fox Splitter - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\foxsplitter@piro.sakura.ne.jp [2013-03-30]
FF Extension: MaskMe - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\idme@abine.com [2014-01-16]
FF Extension: Shortly URL Shortner - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\shortly@aloshbennett.in [2013-09-25]
FF Extension: Tweet Context - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\TweetContext@loucypher [2013-03-30]
FF Extension: Unsorted Bookmarks Folder Menu - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\UnsortedBookmarksMenu@alice [2013-01-08]
FF Extension: Flashblock - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2013-04-15]
FF Extension: Empty Cache Button - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{4cc4a13b-94a6-7568-370d-5f9de54a9c7f} [2013-11-17]
FF Extension: Facebook Bookmarks - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{50fa8145-5954-4508-9124-e61bbc85c08b} [2013-07-24]
FF Extension: Facebook Share Button - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{d4e0dc9c-c356-438e-afbe-dca439f4399d} [2013-12-24]
FF Extension: Memory Fox - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{E173B749-DB5B-4fd2-BA0E-94ECEA0CA55B} [2013-11-15]
FF Extension: Disconnect - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\2.0@disconnect.me.xpi [2014-01-06]
FF Extension: LikedFB - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\311742309af403146d6b80e526df3e8f@link.codefisher.org.xpi [2013-12-06]
FF Extension: LinkButtonMaker - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\77347152751b936d6a1267e125bc0161@link.codefisher.org.xpi [2013-09-27]
FF Extension: Keepvid - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\900550ae99413cd377e7655d769cc23f@link.codefisher.org.xpi [2013-09-21]
FF Extension: Adblock Plus Pop-up Addon - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\adblockpopups@jessehakanen.net.xpi [2013-04-15]
FF Extension: PicasaWebAlbums - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\c0215ecde067b3b621887ecfc90dca5c@link.codefisher.org.xpi [2013-09-27]
FF Extension: Copy Link Text - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\copylinktext@brett.zamir.xpi [2013-12-06]
FF Extension: Duplicate in Tab Context Menu - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\DuplicateInTabContext@schuzak.jp.xpi [2013-01-09]
FF Extension: Element Hiding Helper for Adblock Plus - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\elemhidehelper@adblockplus.org.xpi [2013-03-09]
FF Extension: rollApp File Opener - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\extension@rollapp.com.xpi [2013-06-03]
FF Extension: F.B. Purity - Cleans Up Facebook - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\fbp@fbpurity.com.xpi [2012-08-10]
FF Extension: Shareaholic - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\firefox-extension@shareaholic.com.xpi [2012-10-10]
FF Extension: Go Parent Folder - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\goParentFolder@alice.xpi [2013-12-09]
FF Extension: Flash OnOff - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\jid0-XXocAsQYPfKHSY8ebTi0VcX8eNQ@jetpack.xpi [2013-08-20]
FF Extension: Fluid twitter layout - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\jid0-YAGhvdWz2KzjflClxF2hM2Lt1Ao@jetpack.xpi [2013-02-19]
FF Extension: twitter-expand - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\jid1-V3F5mUFyi3SkuA@jetpack.xpi [2013-02-21]
FF Extension: Link Alert - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\linkalert.conlan@addons.mozilla.com.xpi [2013-12-06]
FF Extension: Nav Bar on Title Bar - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\navbarontop@digimarco.com.xpi [2013-02-19]
FF Extension: NoSquint - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\nosquint@urandom.ca.xpi [2013-05-20]
FF Extension: Page Hacker - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\pagehacker-nico@nc.xpi [2013-01-21]
FF Extension: ShareMeNot - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\sharemenot@franziroesner.com.xpi [2013-03-30]
FF Extension: Show Parent Folder - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\showParentFolder@alice.xpi [2013-12-09]
FF Extension: Simple Timer - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\simpletimer@grbradt.org.xpi [2013-06-04]
FF Extension: Split Pannel - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\splitpannel@max.max.xpi [2013-03-30]
FF Extension: Test Pilot - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\testpilot@labs.mozilla.com.xpi [2012-05-30]
FF Extension: TinEye Reverse Image Search - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\tineye@ideeinc.com.xpi [2013-09-07]
FF Extension: Google Translator for Firefox - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\translator@zoli.bod.xpi [2013-02-15]
FF Extension: Troubleshooter - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\troubleshooter@mozilla.org.xpi [2013-05-18]
FF Extension: Undo Closed Tabs Button - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\undoclosedtabsbutton@supernova00.biz.xpi [2012-12-15]
FF Extension: View in Office Web Viewer - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\viewinofficeapps@huhsiaotao.xpi [2013-03-14]
FF Extension: Resurrect Pages - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{0c8fbd76-bdeb-4c52-9b24-d587ce7b9dc3}.xpi [2013-02-02]
FF Extension: Uppity - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{16cbd87c-eb99-4f5c-9825-83cf13ab7ff8}.xpi [2013-09-18]
FF Extension: RefControl - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{455D905A-D37C-4643-A9E2-F6FEFAA0424A}.xpi [2013-03-22]
FF Extension: NoScript - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2013-04-15]
FF Extension: Mozilla Archive Format - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{7f57cf46-4467-4c2d-adfa-0cba7c507e54}.xpi [2013-06-03]
FF Extension: ReloadEvery - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}.xpi [2013-10-28]
FF Extension: Active Stop Button - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{9e96e0c4-9bde-49b7-989f-a4ca4bdc90bb}.xpi [2013-10-12]
FF Extension: Cookie Controller - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{ac2cfa60-bc96-11e0-962b-0800200c9a66}.xpi [2014-01-06]
FF Extension: Adblock Plus - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-05-03]
FF Extension: Greasemonkey - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2012-08-24]
FF Extension: Theme Font & Size Changer - C:\Users\SteveH\AppData\Roaming\Mozilla\Firefox\Profiles\fbs8n94d.default\Extensions\{f69e22c7-bc50-414a-9269-0f5c344cd94c}.xpi [2013-11-29]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} [2014-01-11]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2012-04-28]
FF HKLM-x32\...\Firefox\Extensions: [fmdownloader@gmail.com] - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox\fmdownloader@gmail.com\
FF Extension: Freemake Video Downloader Plugin - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox\fmdownloader@gmail.com\ []
FF HKLM-x32\...\Firefox\Extensions: [ytfmdownloader@gmail.com] - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox\ytfmdownloader@gmail.com\
FF Extension: Freemake Youtube Download Button - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox\ytfmdownloader@gmail.com\ []
FF HKLM-x32\...\Firefox\Extensions: [fmconverter@gmail.com] - C:\Program Files (x86)\Freemake\Freemake Video Converter\BrowserPlugin\Firefox\
FF Extension: Freemake Video Converter Plugin - C:\Program Files (x86)\Freemake\Freemake Video Converter\BrowserPlugin\Firefox\ []

==================== Services (Whitelisted) =================

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-12-19] (Advanced Micro Devices, Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2013-12-21] (AVAST Software)
R3 BlackBerry Device Manager; C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe [585728 2013-09-09] (Research In Motion Limited)
S4 FreemakeVideoCapture; C:\Program Files (x86)\Freemake\CaptureLib\CaptureLibService.exe [9216 2013-11-08] (Ellora Assets Corp.)
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [186056 2013-10-16] (Sandboxie Holdings, LLC)
R2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)

==================== Drivers (Whitelisted) ====================

R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [78648 2013-12-21] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [92544 2013-12-21] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2013-12-21] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1034464 2013-12-21] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [422216 2013-12-21] (AVAST Software)
R3 aswStm; C:\Windows\system32\drivers\aswStm.sys [79672 2013-12-21] (AVAST Software)
R1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [64288 2013-12-19] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [207904 2013-12-21] ()
S3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [133672 2011-09-21] (Broadcom Corporation.)
S3 BTWDPAN; C:\Windows\System32\DRIVERS\btwdpan.sys [89640 2011-09-21] (Broadcom Corporation.)
R0 LPCFilter; C:\Windows\System32\DRIVERS\LPCFilter.sys [30312 2012-03-07] (Windows ® Win 7 DDK provider)
R0 MxEFUF; C:\Windows\System32\DRIVERS\MxEFUF64.sys [157696 2011-10-20] (Matrox Graphics Inc.)
R3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [79872 2013-06-27] (Research In Motion Limited)
R3 RimVSerPort; C:\Windows\System32\DRIVERS\RimSerial_AMD64.sys [44032 2011-07-20] (Research in Motion Ltd)
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [200552 2013-10-16] (Sandboxie Holdings, LLC)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2014-01-18 05:43 - 2014-01-18 05:44 - 00031402 _____ C:\Users\SteveH\Desktop\FRST.txt
2014-01-18 05:43 - 2014-01-18 05:43 - 00000000 ____D C:\FRST
2014-01-18 05:37 - 2014-01-18 05:37 - 02076160 _____ (Farbar) C:\Users\SteveH\Desktop\FRST64.exe
2014-01-18 03:37 - 2014-01-18 03:37 - 00000000 ____D C:\Program Files (x86)\ESET
2014-01-18 03:36 - 2014-01-18 03:36 - 02347384 _____ (ESET) C:\Users\SteveH\Downloads\esetsmartinstaller_enu.exe
2014-01-18 03:02 - 2014-01-18 03:02 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\Malwarebytes
2014-01-18 03:01 - 2014-01-18 03:01 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-18 03:01 - 2014-01-18 03:01 - 00001109 _____ C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-18 03:01 - 2014-01-18 03:01 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-18 03:01 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-01-18 02:58 - 2014-01-18 02:59 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\SteveH\Downloads\mbam-setup-1.75.0.1300.exe
2014-01-18 02:09 - 2014-01-18 02:09 - 00005533 _____ C:\Users\SteveH\Desktop\JRT.txt
2014-01-18 01:45 - 2014-01-18 01:45 - 00000000 ____D C:\Windows\ERUNT
2014-01-18 01:34 - 2014-01-18 01:35 - 01037068 _____ (Thisisu) C:\Users\SteveH\Desktop\JRT.exe
2014-01-18 01:04 - 2014-01-18 01:37 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-01-18 01:04 - 2014-01-18 01:04 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-18 01:00 - 2014-01-18 01:00 - 00089304 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-01-18 00:59 - 2014-01-18 01:00 - 00000000 ____D C:\Program Files\MWB
2014-01-18 00:53 - 2014-01-18 00:55 - 12582688 _____ (Malwarebytes Corp.) C:\Users\SteveH\Downloads\mbar-1.07.0.1008.exe
2014-01-18 00:36 - 2014-01-18 00:37 - 00671232 _____ C:\Users\SteveH\Downloads\MicrosoftFixit50688.msi
2014-01-17 17:54 - 2014-01-17 17:54 - 00027718 _____ C:\ComboFix.txt
2014-01-17 17:44 - 2014-01-17 17:44 - 00000552 _____ C:\Windows\PFRO.log
2014-01-17 17:19 - 2014-01-17 17:55 - 00000000 ____D C:\Qoobox
2014-01-17 17:19 - 2014-01-17 17:55 - 00000000 ____D C:\ComboFix
2014-01-17 17:19 - 2011-06-26 06:45 - 00256000 _____ C:\Windows\PEV.exe
2014-01-17 17:19 - 2010-11-07 17:20 - 00208896 _____ C:\Windows\MBR.exe
2014-01-17 17:19 - 2009-04-20 04:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-01-17 17:19 - 2000-08-31 00:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-01-17 17:19 - 2000-08-31 00:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-01-17 17:19 - 2000-08-31 00:00 - 00098816 _____ C:\Windows\sed.exe
2014-01-17 17:19 - 2000-08-31 00:00 - 00080412 _____ C:\Windows\grep.exe
2014-01-17 17:19 - 2000-08-31 00:00 - 00068096 _____ C:\Windows\zip.exe
2014-01-17 17:13 - 2014-01-17 17:13 - 05167985 ____R (Swearware) C:\Users\SteveH\Desktop\ComboFix.exe
2014-01-17 01:11 - 2014-01-17 01:17 - 00002244 _____ C:\Users\SteveH\Desktop\RKreport[0]_S_01172014_011115.txt
2014-01-17 00:59 - 2014-01-17 01:11 - 00000000 ____D C:\Users\SteveH\Desktop\RK_Quarantine
2014-01-17 00:50 - 2014-01-17 00:50 - 04406784 _____ C:\Users\SteveH\Desktop\RogueKillerX64.exe
2014-01-17 00:47 - 2014-01-17 17:49 - 00000000 ____D C:\Windows\ERDNT
2014-01-17 00:38 - 2014-01-17 00:39 - 00000000 ____D C:\Program Files (x86)\ERUNT
2014-01-17 00:38 - 2014-01-17 00:38 - 00000905 _____ C:\Users\SteveH\Desktop\ERUNT.lnk
2014-01-17 00:36 - 2014-01-17 00:36 - 00791393 _____ (Lars Hederer                                                ) C:\Users\SteveH\Downloads\erunt-setup.exe
2014-01-17 00:07 - 2014-01-17 00:08 - 00004410 _____ C:\Users\SteveH\Desktop\Rkill.txt
2014-01-17 00:07 - 2014-01-17 00:07 - 00000000 ____D C:\Users\SteveH\Desktop\rkill
2014-01-16 23:50 - 2014-01-16 23:50 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\SteveH\Desktop\rkill.exe
2014-01-16 15:19 - 2014-01-16 15:19 - 00026509 _____ C:\Users\SteveH\Desktop\dds-140116.txt
2014-01-16 15:19 - 2014-01-16 15:19 - 00016592 _____ C:\Users\SteveH\Desktop\attach-140116.txt
2014-01-15 15:13 - 2013-11-27 01:41 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-01-15 15:13 - 2013-11-27 01:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-01-15 15:12 - 2013-11-27 01:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-01-15 15:12 - 2013-11-27 01:41 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-01-15 15:12 - 2013-11-27 01:41 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-01-15 15:12 - 2013-11-27 01:41 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2014-01-15 15:12 - 2013-11-27 01:41 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-01-15 15:12 - 2013-11-26 11:40 - 00376768 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2014-01-15 15:12 - 2013-11-26 10:32 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-01-15 02:52 - 2014-01-18 05:24 - 00011243 _____ C:\Users\SteveH\Desktop\PresumedMalwareInfection.txt
2014-01-15 02:26 - 2014-01-15 02:26 - 00016390 _____ C:\Users\SteveH\Desktop\attach-140115.txt
2014-01-15 02:26 - 2014-01-15 02:25 - 00025940 _____ C:\Users\SteveH\Desktop\dds-140115.txt
2014-01-15 02:09 - 2014-01-15 02:10 - 00688992 ____R (Swearware) C:\Users\SteveH\Desktop\dds.com
2014-01-14 19:59 - 2014-01-18 02:44 - 00000000 ____D C:\AdwCleaner
2014-01-14 19:57 - 2014-01-14 19:57 - 01236282 _____ C:\Users\SteveH\Desktop\adwcleaner.exe
2014-01-13 23:35 - 2014-01-13 23:35 - 00768096 _____ C:\Users\SteveH\Downloads\447986_intl_x64_zip.exe
2014-01-13 05:52 - 2014-01-18 02:46 - 00002103 _____ C:\Windows\setupact.log
2014-01-13 05:52 - 2014-01-13 05:52 - 00000000 _____ C:\Windows\setuperr.log
2014-01-11 18:53 - 2014-01-18 04:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2014-01-10 01:03 - 2014-01-10 01:10 - 00000000 ____D C:\Windows\mozilla-temp-files
2014-01-07 19:55 - 2014-01-17 04:24 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\vlc
2014-01-07 19:15 - 2014-01-07 19:15 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\Process Hacker 2
2014-01-07 18:51 - 2014-01-07 18:51 - 00000000 ____D C:\Program Files\Process Hacker 2
2014-01-06 19:23 - 2014-01-06 19:23 - 04558848 _____ (Google Inc.) C:\Windows\SysWOW64\GPhotos.scr
2014-01-04 21:07 - 2014-01-04 21:07 - 00000730 _____ C:\Users\SteveH\Documents\BMJComment140104.txt
2014-01-03 16:40 - 2014-01-03 16:40 - 00000000 ____D C:\Users\SteveH\AppData\Local\VS Revo Group
2014-01-03 16:39 - 2014-01-03 16:39 - 00001077 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2014-01-03 16:39 - 2014-01-03 16:39 - 00001077 _____ C:\ProgramData\Desktop\Revo Uninstaller Pro.lnk
2014-01-03 16:39 - 2014-01-03 16:39 - 00000000 ____D C:\ProgramData\VS Revo Group
2014-01-03 16:39 - 2014-01-03 16:39 - 00000000 ____D C:\Program Files\VS Revo Group
2014-01-03 16:39 - 2009-12-30 10:21 - 00031800 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2014-01-03 16:32 - 2014-01-03 16:32 - 00001264 _____ C:\Users\SteveH\Desktop\Revo Uninstaller.lnk
2014-01-03 16:32 - 2014-01-03 16:32 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2013-12-30 15:09 - 2013-12-30 15:09 - 00000040 _____ C:\Users\Public\Documents\_rgpl
2013-12-30 15:09 - 2013-12-30 15:09 - 00000040 _____ C:\ProgramData\Documents\_rgpl
2013-12-27 01:18 - 2013-12-27 01:18 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google+ Auto Backup
2013-12-21 20:12 - 2013-12-21 20:12 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\AVAST Software
2013-12-21 20:08 - 2014-01-18 04:49 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-12-21 20:08 - 2013-12-21 20:08 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-12-21 20:08 - 2013-12-21 20:08 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-12-21 20:08 - 2013-12-21 20:08 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-12-21 19:59 - 2014-01-07 04:29 - 00002208 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-12-21 19:59 - 2014-01-07 04:29 - 00002208 _____ C:\ProgramData\Desktop\avast! Free Antivirus.lnk
2013-12-21 19:58 - 2013-12-21 20:29 - 00079672 _____ (AVAST Software) C:\Windows\system32\Drivers\aswstm.sys
2013-12-21 19:31 - 2013-12-21 19:31 - 00840072 _____ (Adobe Systems Incorporated) C:\Users\SteveH\Desktop\uninstall_flash_player.exe
2013-12-20 22:12 - 2013-12-20 22:12 - 00013560 _____ C:\Users\SteveH\Desktop\uTorrent.exe - Shortcut.lnk
2013-12-20 21:43 - 2013-12-20 21:43 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\OpenOffice

==================== One Month Modified Files and Folders =======

2014-01-18 05:44 - 2014-01-18 05:43 - 00031402 _____ C:\Users\SteveH\Desktop\FRST.txt
2014-01-18 05:43 - 2014-01-18 05:43 - 00000000 ____D C:\FRST
2014-01-18 05:37 - 2014-01-18 05:37 - 02076160 _____ (Farbar) C:\Users\SteveH\Desktop\FRST64.exe
2014-01-18 05:24 - 2014-01-15 02:52 - 00011243 _____ C:\Users\SteveH\Desktop\PresumedMalwareInfection.txt
2014-01-18 04:49 - 2013-12-21 20:08 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-18 04:47 - 2012-04-28 18:23 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-01-18 04:27 - 2014-01-11 18:53 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2014-01-18 04:25 - 2012-04-28 17:10 - 00003934 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{EEC1444B-76D3-446C-9F0D-1B5A0E369B62}
2014-01-18 03:37 - 2014-01-18 03:37 - 00000000 ____D C:\Program Files (x86)\ESET
2014-01-18 03:36 - 2014-01-18 03:36 - 02347384 _____ (ESET) C:\Users\SteveH\Downloads\esetsmartinstaller_enu.exe
2014-01-18 03:02 - 2014-01-18 03:02 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\Malwarebytes
2014-01-18 03:01 - 2014-01-18 03:01 - 00001109 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-18 03:01 - 2014-01-18 03:01 - 00001109 _____ C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2014-01-18 03:01 - 2014-01-18 03:01 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2014-01-18 02:59 - 2014-01-18 02:58 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\SteveH\Downloads\mbam-setup-1.75.0.1300.exe
2014-01-18 02:54 - 2009-07-14 04:45 - 00032064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-18 02:54 - 2009-07-14 04:45 - 00032064 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-18 02:52 - 2012-02-01 09:03 - 01412821 _____ C:\Windows\WindowsUpdate.log
2014-01-18 02:47 - 2012-04-28 18:23 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-01-18 02:46 - 2014-01-13 05:52 - 00002103 _____ C:\Windows\setupact.log
2014-01-18 02:46 - 2009-07-14 05:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-18 02:44 - 2014-01-14 19:59 - 00000000 ____D C:\AdwCleaner
2014-01-18 02:09 - 2014-01-18 02:09 - 00005533 _____ C:\Users\SteveH\Desktop\JRT.txt
2014-01-18 01:45 - 2014-01-18 01:45 - 00000000 ____D C:\Windows\ERUNT
2014-01-18 01:37 - 2014-01-18 01:04 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-01-18 01:35 - 2014-01-18 01:34 - 01037068 _____ (Thisisu) C:\Users\SteveH\Desktop\JRT.exe
2014-01-18 01:04 - 2014-01-18 01:04 - 00000000 ____D C:\ProgramData\Malwarebytes
2014-01-18 01:00 - 2014-01-18 01:00 - 00089304 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-01-18 01:00 - 2014-01-18 00:59 - 00000000 ____D C:\Program Files\MWB
2014-01-18 00:55 - 2014-01-18 00:53 - 12582688 _____ (Malwarebytes Corp.) C:\Users\SteveH\Downloads\mbar-1.07.0.1008.exe
2014-01-18 00:37 - 2014-01-18 00:36 - 00671232 _____ C:\Users\SteveH\Downloads\MicrosoftFixit50688.msi
2014-01-17 23:58 - 2009-07-14 03:20 - 00000000 ____D C:\Windows\system32\NDF
2014-01-17 22:37 - 2013-11-05 01:54 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\ClassicShell
2014-01-17 17:55 - 2014-01-17 17:19 - 00000000 ____D C:\Qoobox
2014-01-17 17:55 - 2014-01-17 17:19 - 00000000 ____D C:\ComboFix
2014-01-17 17:55 - 2009-07-14 03:20 - 00000000 __RHD C:\Users\Default
2014-01-17 17:54 - 2014-01-17 17:54 - 00027718 _____ C:\ComboFix.txt
2014-01-17 17:49 - 2014-01-17 00:47 - 00000000 ____D C:\Windows\ERDNT
2014-01-17 17:46 - 2009-07-14 02:34 - 00000215 _____ C:\Windows\system.ini
2014-01-17 17:44 - 2014-01-17 17:44 - 00000552 _____ C:\Windows\PFRO.log
2014-01-17 17:44 - 2009-07-14 02:34 - 84148224 _____ C:\Windows\system32\config\SOFTWARE.bak
2014-01-17 17:44 - 2009-07-14 02:34 - 17301504 _____ C:\Windows\system32\config\SYSTEM.bak
2014-01-17 17:44 - 2009-07-14 02:34 - 05242880 _____ C:\Windows\system32\config\DEFAULT.bak
2014-01-17 17:44 - 2009-07-14 02:34 - 00262144 _____ C:\Windows\system32\config\SECURITY.bak
2014-01-17 17:44 - 2009-07-14 02:34 - 00262144 _____ C:\Windows\system32\config\SAM.bak
2014-01-17 17:13 - 2014-01-17 17:13 - 05167985 ____R (Swearware) C:\Users\SteveH\Desktop\ComboFix.exe
2014-01-17 04:24 - 2014-01-07 19:55 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\vlc
2014-01-17 01:17 - 2014-01-17 01:11 - 00002244 _____ C:\Users\SteveH\Desktop\RKreport[0]_S_01172014_011115.txt
2014-01-17 01:11 - 2014-01-17 00:59 - 00000000 ____D C:\Users\SteveH\Desktop\RK_Quarantine
2014-01-17 00:50 - 2014-01-17 00:50 - 04406784 _____ C:\Users\SteveH\Desktop\RogueKillerX64.exe
2014-01-17 00:39 - 2014-01-17 00:38 - 00000000 ____D C:\Program Files (x86)\ERUNT
2014-01-17 00:38 - 2014-01-17 00:38 - 00000905 _____ C:\Users\SteveH\Desktop\ERUNT.lnk
2014-01-17 00:36 - 2014-01-17 00:36 - 00791393 _____ (Lars Hederer                                                ) C:\Users\SteveH\Downloads\erunt-setup.exe
2014-01-17 00:35 - 2009-07-14 05:13 - 00782510 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-17 00:08 - 2014-01-17 00:07 - 00004410 _____ C:\Users\SteveH\Desktop\Rkill.txt
2014-01-17 00:07 - 2014-01-17 00:07 - 00000000 ____D C:\Users\SteveH\Desktop\rkill
2014-01-16 23:50 - 2014-01-16 23:50 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\SteveH\Desktop\rkill.exe
2014-01-16 15:19 - 2014-01-16 15:19 - 00026509 _____ C:\Users\SteveH\Desktop\dds-140116.txt
2014-01-16 15:19 - 2014-01-16 15:19 - 00016592 _____ C:\Users\SteveH\Desktop\attach-140116.txt
2014-01-16 14:48 - 2012-07-09 00:27 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2014-01-16 00:09 - 2012-06-03 13:25 - 00003192 _____ C:\Windows\System32\Tasks\HPCeeScheduleForSteveH
2014-01-16 00:09 - 2012-06-03 13:25 - 00000336 _____ C:\Windows\Tasks\HPCeeScheduleForSteveH.job
2014-01-15 19:56 - 2012-07-11 00:22 - 00001127 _____ C:\Users\SteveH\Desktop\MK.docx - Shortcut.lnk
2014-01-15 19:54 - 2012-12-19 21:34 - 00000000 ____D C:\Users\SteveH\Documents\Reference
2014-01-15 15:39 - 2009-07-14 04:45 - 00372944 _____ C:\Windows\system32\FNTCACHE.DAT
2014-01-15 15:18 - 2013-07-12 02:35 - 00000000 ____D C:\Windows\system32\MRT
2014-01-15 15:14 - 2012-05-03 16:30 - 86054176 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-01-15 14:37 - 2012-10-11 18:00 - 00000000 ____D C:\Program Files\ProcessExplorer
2014-01-15 03:01 - 2013-12-09 16:16 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\uTorrent
2014-01-15 02:26 - 2014-01-15 02:26 - 00016390 _____ C:\Users\SteveH\Desktop\attach-140115.txt
2014-01-15 02:25 - 2014-01-15 02:26 - 00025940 _____ C:\Users\SteveH\Desktop\dds-140115.txt
2014-01-15 02:10 - 2014-01-15 02:09 - 00688992 ____R (Swearware) C:\Users\SteveH\Desktop\dds.com
2014-01-15 00:30 - 2012-11-19 20:11 - 00001245 _____ C:\Users\Public\Desktop\HP Support Assistant.lnk
2014-01-15 00:30 - 2012-11-19 20:11 - 00001245 _____ C:\ProgramData\Desktop\HP Support Assistant.lnk
2014-01-15 00:15 - 2012-06-29 18:59 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2014-01-14 19:57 - 2014-01-14 19:57 - 01236282 _____ C:\Users\SteveH\Desktop\adwcleaner.exe
2014-01-14 02:31 - 2012-05-01 15:26 - 00000000 ____D C:\Users\SteveH\Podcasts
2014-01-13 23:35 - 2014-01-13 23:35 - 00768096 _____ C:\Users\SteveH\Downloads\447986_intl_x64_zip.exe
2014-01-13 23:23 - 2013-12-08 21:17 - 00001682 _____ C:\Windows\Sandboxie.ini
2014-01-13 06:01 - 2012-04-28 19:06 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2014-01-13 05:52 - 2014-01-13 05:52 - 00000000 _____ C:\Windows\setuperr.log
2014-01-12 13:10 - 2012-05-27 12:16 - 00000000 _____ C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-01-12 13:10 - 2012-05-06 17:39 - 00000052 _____ C:\Windows\SysWOW64\DOErrors.log
2014-01-11 19:27 - 2013-10-26 18:21 - 00017937 _____ C:\Users\SteveH\Desktop\Symptoms.txt
2014-01-11 18:09 - 2013-01-08 02:19 - 00000000 ____D C:\Windows\pss
2014-01-10 01:10 - 2014-01-10 01:03 - 00000000 ____D C:\Windows\mozilla-temp-files
2014-01-10 01:02 - 2013-12-11 20:19 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2014-01-07 19:54 - 2013-09-14 01:47 - 00001066 _____ C:\Users\Public\Desktop\VLC media player.lnk
2014-01-07 19:54 - 2013-09-14 01:47 - 00001066 _____ C:\ProgramData\Desktop\VLC media player.lnk
2014-01-07 19:15 - 2014-01-07 19:15 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\Process Hacker 2
2014-01-07 18:51 - 2014-01-07 18:51 - 00000000 ____D C:\Program Files\Process Hacker 2
2014-01-07 04:29 - 2013-12-21 19:59 - 00002208 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2014-01-07 04:29 - 2013-12-21 19:59 - 00002208 _____ C:\ProgramData\Desktop\avast! Free Antivirus.lnk
2014-01-06 19:23 - 2014-01-06 19:23 - 04558848 _____ (Google Inc.) C:\Windows\SysWOW64\GPhotos.scr
2014-01-04 23:57 - 2012-12-19 21:45 - 00000000 ____D C:\Users\SteveH\Documents\Nature
2014-01-04 21:07 - 2014-01-04 21:07 - 00000730 _____ C:\Users\SteveH\Documents\BMJComment140104.txt
2014-01-03 22:46 - 2013-10-22 14:23 - 00000000 ____D C:\Users\SteveH\Documents\SAH
2014-01-03 16:48 - 2013-01-07 02:29 - 00000000 ____D C:\Users\SteveH\Documents\Youcam
2014-01-03 16:40 - 2014-01-03 16:40 - 00000000 ____D C:\Users\SteveH\AppData\Local\VS Revo Group
2014-01-03 16:39 - 2014-01-03 16:39 - 00001077 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2014-01-03 16:39 - 2014-01-03 16:39 - 00001077 _____ C:\ProgramData\Desktop\Revo Uninstaller Pro.lnk
2014-01-03 16:39 - 2014-01-03 16:39 - 00000000 ____D C:\ProgramData\VS Revo Group
2014-01-03 16:39 - 2014-01-03 16:39 - 00000000 ____D C:\Program Files\VS Revo Group
2014-01-03 16:32 - 2014-01-03 16:32 - 00001264 _____ C:\Users\SteveH\Desktop\Revo Uninstaller.lnk
2014-01-03 16:32 - 2014-01-03 16:32 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2014-01-02 03:20 - 2012-06-10 19:03 - 00000000 ____D C:\Users\SteveH\AppData\Local\CrashDumps
2013-12-31 00:09 - 2012-04-28 16:06 - 00000000 ____D C:\Users\SteveH
2013-12-30 15:09 - 2013-12-30 15:09 - 00000040 _____ C:\Users\Public\Documents\_rgpl
2013-12-30 15:09 - 2013-12-30 15:09 - 00000040 _____ C:\ProgramData\Documents\_rgpl
2013-12-27 01:18 - 2013-12-27 01:18 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google+ Auto Backup
2013-12-26 21:00 - 2012-04-28 21:16 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\Audacity
2013-12-21 20:29 - 2013-12-21 19:58 - 00079672 _____ (AVAST Software) C:\Windows\system32\Drivers\aswstm.sys
2013-12-21 20:12 - 2013-12-21 20:12 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\AVAST Software
2013-12-21 20:08 - 2013-12-21 20:08 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-12-21 20:08 - 2013-12-21 20:08 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-12-21 20:08 - 2013-12-21 20:08 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-12-21 20:07 - 2012-04-29 23:39 - 00000000 ____D C:\Users\SteveH\AppData\Local\Adobe
2013-12-21 19:58 - 2013-03-03 02:09 - 00207904 _____ C:\Windows\system32\Drivers\aswVmm.sys
2013-12-21 19:58 - 2013-03-03 02:09 - 00065776 _____ C:\Windows\system32\Drivers\aswRvrt.sys
2013-12-21 19:58 - 2012-04-28 18:22 - 01034464 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2013-12-21 19:58 - 2012-04-28 18:22 - 00422216 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2013-12-21 19:58 - 2012-04-28 18:22 - 00334136 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2013-12-21 19:58 - 2012-04-28 18:22 - 00092544 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2013-12-21 19:58 - 2012-04-28 18:22 - 00078648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2013-12-21 19:58 - 2012-04-28 18:22 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2013-12-21 19:52 - 2012-04-28 18:22 - 00000000 ____D C:\ProgramData\AVAST Software
2013-12-21 19:52 - 2012-04-28 18:22 - 00000000 _____ C:\Windows\SysWOW64\config.nt
2013-12-21 19:31 - 2013-12-21 19:31 - 00840072 _____ (Adobe Systems Incorporated) C:\Users\SteveH\Desktop\uninstall_flash_player.exe
2013-12-20 22:12 - 2013-12-20 22:12 - 00013560 _____ C:\Users\SteveH\Desktop\uTorrent.exe - Shortcut.lnk
2013-12-20 21:43 - 2013-12-20 21:43 - 00000000 ____D C:\Users\SteveH\AppData\Roaming\OpenOffice
2013-12-19 13:45 - 2012-04-28 17:10 - 00000000 ___RD C:\Users\SteveH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-12-19 13:11 - 2012-04-28 18:22 - 00064288 _____ (AVAST Software) C:\Windows\system32\Drivers\aswTdi.sys

Some content of TEMP:
====================
C:\Users\SteveH\AppData\Local\Temp\Quarantine.exe


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit


LastRegBack: 2014-01-12 05:44

==================== End Of Log ============================


Addition.txt


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-01-2014 03
Ran by SteveH at 2014-01-18 05:45:31
Running from C:\Users\SteveH\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

7-Zip 9.20 (x64 edition) (Version: 9.20.00.0 - Igor Pavlov)
AC3Filter 2.5b (x32 Version: 2.5b - Alexander Vigovsky)
Adobe Flash Player 11 Plugin (x32 Version: 11.9.900.170 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06) (x32 Version: 11.0.06 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (x32 Version: 12.0.6.147 - Adobe Systems, Inc.)
AltDrag (x32 Version: 1.0 - Stefan Sundin)
Amazon Kindle (HKCU Version:  - Amazon)
AMD Accelerated Video Transcoding (Version: 12.5.100.21219 - Advanced Micro Devices, Inc.) Hidden
AMD APP SDK Runtime (Version: 10.0.1084.4 - Advanced Micro Devices Inc.) Hidden
AMD Catalyst Install Manager (Version: 8.0.903.0 - Advanced Micro Devices, Inc.)
AMD Drag and Drop Transcoding (Version: 2.00.0000 - Advanced Micro Devices, Inc.) Hidden
AMD Fuel (Version: 2012.1219.1521.27485 - Advanced Micro Devices, Inc.) Hidden
AMD Media Foundation Decoders (Version: 1.0.71219.1540 - Advanced Micro Devices, Inc.) Hidden
AMD Steady Video Plug-In  (Version: 2.06.0000 - AMD) Hidden
AMD VISION Engine Control Center (x32 Version: 2012.1219.1521.27485 - Advanced Micro Devices, Inc.) Hidden
Audacity 2.0 (x32 Version:  - Audacity Team)
AutoSizer (x32 Version:  - )
avast! Free Antivirus (x32 Version: 9.0.2011 - Avast Software)
BlackBerry Desktop Software 7.1 (x32 Version: 7.1.0.37 - Research In Motion Ltd.)
BlackBerry Desktop Software 7.1 (x32 Version: 7.1.0.37 - Research In Motion Ltd.) Hidden
BlackBerry Device Software Updater (x32 Version: 8.0.0.41 - Research In Motion Ltd)
Blio (x32 Version: 2.2.8188 - K-NFB Reading Technology, Inc.)
Broadcom 802.11 Wireless LAN Adapter (Version:  - Broadcom Corporation)
Broadcom Bluetooth Software (Version: 6.5.0.2300 - Broadcom Corporation)
Broadcom InConcert Maestro (Version: 1.0.5.2300 - Broadcom Corporation)
Bulk Rename Utility 2.7.1.2 (Version:  - TGRMN Software)
Catalyst Control Center - Branding (x32 Version: 1.00.0000 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Graphics Previews Common (x32 Version: 2012.1219.1521.27485 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center InstallProxy (x32 Version: 2012.1219.1521.27485 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Localization All (x32 Version: 2012.1219.1521.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Chinese Standard (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Chinese Traditional (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Czech (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Danish (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Dutch (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help English (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Finnish (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help French (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help German (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Greek (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Hungarian (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Italian (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Japanese (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Korean (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Norwegian (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Polish (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Portuguese (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Russian (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Spanish (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Swedish (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Thai (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
CCC Help Turkish (x32 Version: 2012.1219.1520.27485 - Advanced Micro Devices, Inc.) Hidden
ccc-utility64 (Version: 2012.1219.1521.27485 - Advanced Micro Devices, Inc.) Hidden
CCleaner (Version: 4.08 - Piriform)
Classic Shell (Version: 4.0.2 - IvoSoft)
CyberLink YouCam (x32 Version: 3.5.1.4305 - CyberLink Corp.)
CyberLink YouCam (x32 Version: 3.5.1.4305 - CyberLink Corp.) Hidden
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (x32 Version:  - Microsoft)
DivX Setup (x32 Version: 2.6.1.87 - DivX, LLC)
ERUNT 1.1j (x32 Version:  - Lars Hederer)
ESET Online Scanner v3 (x32 Version:  - )
ESU for Microsoft Windows 7 SP1 (x32 Version: 2.1.1 - Hewlett-Packard)
FFmpeg v0.6.2 for Audacity (x32 Version:  - )
Freemake Video Converter version 4.0.4 (x32 Version: 4.0.4 - Ellora Assets Corporation)
Freemake Video Downloader (x32 Version: 3.6.1 - Ellora Assets Corporation)
get_iplayer 4.8 (x32 Version: 4.8 - infradead.org)
Google Earth (x32 Version: 7.1.2.2041 - Google)
Google Update Helper (x32 Version: 1.3.22.3 - Google Inc.) Hidden
Google+ Auto Backup (x32 Version: 1.0.19.76 - Google)
GoToMeeting 5.5.0.1132 (HKCU Version: 5.5.0.1132 - CitrixOnline)
GPL MPEG-1/2 DirectShow Decoder Filter (x32 Version: 0.1.2 - Peter Wimmer)
Hewlett-Packard ACLM.NET v1.2.1.1 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP 3D DriveGuard (Version: 4.1.16.1 - Hewlett-Packard Company)
HP Auto (Version: 1.0.12935.3667 - Hewlett-Packard Company) Hidden
HP Client Services (Version: 1.1.12938.3539 - Hewlett-Packard) Hidden
HP CoolSense (x32 Version: 2.10.51 - Hewlett-Packard Company)
HP Customer Experience Enhancements (x32 Version: 6.0.1.8 - Hewlett-Packard) Hidden
HP Documentation (x32 Version: 1.1.0.0 - Hewlett-Packard)
HP Launch Box (Version: 1.1.5 - Hewlett-Packard Company)
HP On Screen Display (x32 Version: 1.3.5 - Hewlett-Packard Company)
HP Power Manager (x32 Version: 1.4.7 - Hewlett-Packard Company)
HP Quick Launch (x32 Version: 2.7.2 - Hewlett-Packard Company)
HP QuickWeb (x32 Version: 3.1.1.10197 - Hewlett-Packard Company)
HP Recovery Manager (x32 Version: 2.0.0 - Hewlett-Packard) Hidden
HP Security Assistant (Version: 3.0.4 - Hewlett-Packard Company)
HP Setup (x32 Version: 9.0.15109.3899 - Hewlett-Packard Company)
HP Setup Manager (x32 Version: 1.2.14901.3869 - Hewlett-Packard Company)
HP Software Framework (x32 Version: 4.6.10.1 - Hewlett-Packard Company)
HP Support Assistant (x32 Version: 7.0.39.15 - Hewlett-Packard Company)
IDT Audio (x32 Version: 1.0.6351.0 - IDT)
Java 7 Update 45 (64-bit) (Version: 7.0.450 - Oracle)
Java 7 Update 45 (x32 Version: 7.0.450 - Oracle)
Java Auto Updater (x32 Version: 2.1.9.8 - Sun Microsystems, Inc.) Hidden
Java 6 Update 45 (64-bit) (Version: 6.0.450 - Oracle)
Java 6 Update 45 (x32 Version: 6.0.450 - Oracle)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
K-Lite Codec Pack 10.0.7 Full (x32 Version: 10.0.7 - )
LADSPA_plugins-win-0.4.15 (x32 Version:  - Audacity Team)
LAME v3.99.3 (for Windows) (x32 Version:  - )
Malwarebytes Anti-Malware version 1.75.0.1300 (x32 Version: 1.75.0.1300 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Home and Student 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SkyDrive (HKCU Version: 16.4.6013.0910 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (x32 Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (x32 Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (x32 Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.51106 (x32 Version: 11.0.51106 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.51106 (x32 Version: 11.0.51106 - Microsoft Corporation) Hidden
Mozilla Firefox 27.0 (x86 en-US) (x32 Version: 27.0 - Mozilla)
Mozilla Maintenance Service (x32 Version: 27.0 - Mozilla)
Mozilla Thunderbird 24.2.0 (x86 en-US) (x32 Version: 24.2.0 - Mozilla)
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MyDefrag v4.3.1 (Version: 4.0.0.0 - J.C. Kessels)
NirSoft SysExporter (x32 Version:  - )
NirSoft VideoCacheView (x32 Version:  - )
OpenOffice 4.0.1 (x32 Version: 4.01.9714 - Apache Software Foundation)
opensource (x32 Version: 1.0.14960.3876 - Your Company Name) Hidden
Osmo4/GPAC (remove only) (x32 Version:  - )
Picasa 3 (x32 Version: 3.9 - Google, Inc.)
PlayReady PC Runtime x86 (x32 Version: 1.3.0 - Microsoft Corporation)
Process Hacker 2.33 (r5590) (Version: 2.33.0.5590 - wj32)
Realtek Ethernet Controller Driver (x32 Version: 7.54.309.2012 - Realtek)
Realtek USB 2.0 Card Reader (x32 Version: 6.1.7601.30130 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.95 (x32 Version: 1.95 - VS Revo Group)
Revo Uninstaller Pro 3.0.8 (Version: 3.0.8 - VS Revo Group, Ltd.)
Sandboxie 4.06 (64-bit) (Version: 4.06 - Sandboxie Holdings, LLC)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (x32 Version:  - Microsoft) Hidden
Skype™ 5.10 (x32 Version: 5.10.116 - Skype Technologies S.A.)
Spybot - Search & Destroy (x32 Version: 1.6.2 - Safer Networking Limited)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics TouchPad Driver (Version: 16.0.1.0 - Synaptics Incorporated)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition (x32 Version:  - Microsoft)
VC80CRTRedist - 8.0.50727.6195 (x32 Version: 1.2.0 - DivX, Inc) Hidden
VLC media player 2.1.2 (x32 Version: 2.1.2 - VideoLAN)
WinDirStat 1.1.2 (HKCU Version:  - )
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (x32 Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3555.0308 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
WinPcap 4.1.2 (x32 Version: 4.1.0.2001 - CACE Technologies)

==================== Restore Points  =========================

12-01-2014 16:32:43 Revo Uninstaller Pro's restore point - get_iplayer 4.8
12-01-2014 16:39:19 Revo Uninstaller Pro's restore point - TinEyeClient
13-01-2014 04:43:05 Restore Operation
13-01-2014 16:42:17 Windows Update
13-01-2014 18:28:46 Windows Backup
13-01-2014 22:24:20 Revo Uninstaller Pro's restore point - Malwarebytes Anti-Malware version 1.75.0.1300
15-01-2014 15:14:10 Windows Update
17-01-2014 17:19:34 ComboFix created restore point
18-01-2014 00:37:41 Installed Microsoft Fix it 50688

==================== Hosts content: ==========================

2009-07-14 02:34 - 2014-01-17 17:45 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {070F61FB-8B54-4BE6-A3F0-359A864ADCAE} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Warranty Opt-In(No) => c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\Detection_PostWarrantyAlert.exe [2013-12-12] (Hewlett-Packard)
Task: {0931CFC9-2269-4916-B012-113DDF64F3B4} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {0FD119AF-CF6D-4D94-AB48-44262B68413A} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe [2011-07-07] (CyberLink)
Task: {26F8CA42-BB7C-42BF-8609-B4E7A996A194} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2012-09-27] (Hewlett-Packard Company)
Task: {38C2E4FA-7BC1-4422-A7D2-CD080D01CE92} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-04-28] (Google Inc.)
Task: {3B7C2E91-2708-4AE6-8FB5-4167738A4544} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2013-11-22] (Hewlett-Packard)
Task: {3EC94CD6-48F6-45B0-8D1C-421DB53895A0} - System32\Tasks\Microsoft\Windows\Media Center\mcupdate_scheduled => C:\Windows\ehome\mcupdate.exe
Task: {5904C41F-C0A3-47B6-AE0F-1E0DBB792B58} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2012-09-27] (Hewlett-Packard Company)
Task: {69443C8D-7731-47EA-9750-F4F91890488F} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-21] (Adobe Systems Incorporated)
Task: {78B6F98A-85D5-484E-9A1B-083721FF0429} - System32\Tasks\HPCeeScheduleForSteveH => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard)
Task: {87727854-C9B6-4916-9C32-A2404D8277E4} - System32\Tasks\ProcExplorer\RunAtStartAsAdmin => C:\Program Files\ProcessExplorer\procexp.exe [2012-10-02] (Sysinternals - www.sysinternals.com)
Task: {87840DE1-FBA7-4B0A-9E38-4E7C15A7F956} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-04-28] (Google Inc.)
Task: {88FB9655-3631-4E66-B309-DFC602C48DF8} - System32\Tasks\{4FC91981-ED3A-4508-9D33-BB066B4158A7} => C:\Program Files (x86)\Windows Live\Photo Gallery\WLXPhotoGallery.exe [2012-03-08] (Microsoft Corporation)
Task: {B75A7DD3-51C3-4DC9-945E-FD434CE8085B} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Warranty Opt-In(Yes) => c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\Detection_PostWarrantyAlert.exe [2013-12-12] (Hewlett-Packard)
Task: {C17409D8-A107-42BC-9EEB-81AC37BD0092} - System32\Tasks\Microsoft\Windows\Media Center\StartRecording => C:\Windows\ehome\ehrec.exe
Task: {E56D6D06-F2A8-42FB-B793-C4904536727F} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2013-12-21] (AVAST Software)
Task: {EF716444-8503-4E92-BCF6-6708B54CCD75} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2013-09-23] (Hewlett-Packard Company)
Task: {F790EF7D-2739-420E-BD21-0BC600BFE14E} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-11-22] (Piriform Ltd)
Task: {FBDF9C20-6A65-41B1-AC64-EC9B4A106A11} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2013-11-22] (Hewlett-Packard)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForSteveH.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe

==================== Loaded Modules (whitelisted) =============

2012-12-19 15:32 - 2012-12-19 15:32 - 00103424 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
2014-01-18 02:53 - 2014-01-17 21:22 - 02155008 _____ () C:\Program Files\AVAST Software\Avast\defs\14011701\algo.dll
2003-12-30 18:18 - 2003-12-30 18:18 - 00069632 _____ () C:\Program Files\ResizeEnable\ResizeEnable.dll
2013-12-21 19:58 - 2013-12-21 19:58 - 19336120 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2013-12-11 20:19 - 2013-12-11 20:19 - 03017840 _____ () C:\Program Files (x86)\Mozilla Thunderbird\mozjs.dll
2013-12-11 20:19 - 2013-12-11 20:19 - 00158832 _____ () C:\Program Files (x86)\Mozilla Thunderbird\NSLDAP32V60.dll
2013-12-11 20:19 - 2013-12-11 20:19 - 00023152 _____ () C:\Program Files (x86)\Mozilla Thunderbird\NSLDAPPR32V60.dll
2014-01-11 18:53 - 2014-01-14 23:26 - 03569264 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========


==================== Safe Mode (whitelisted) ===================


==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (01/18/2014 05:37:57 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (01/18/2014 03:37:41 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (01/18/2014 03:36:48 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (01/18/2014 02:51:49 AM) (Source: RasClient) (User: )
Description: CoId={B5F61CB3-0346-4BE4-AA53-F283B1917716}: The user SteveH-HP\SteveH dialed a connection named virgin which has failed. The error code returned on failure is 633.

Error: (01/18/2014 02:51:48 AM) (Source: RasClient) (User: )
Description: CoId={C58971C6-4D20-42FB-93D4-8F41DFBAA797}: The user SteveH-HP\SteveH dialed a connection named virgin which has failed. The error code returned on failure is 633.

Error: (01/18/2014 02:51:47 AM) (Source: RasClient) (User: )
Description: CoId={E8C6B2E0-9233-4754-9C4D-D6B92202C4A2}: The user SteveH-HP\SteveH dialed a connection named virgin which has failed. The error code returned on failure is 633.

Error: (01/18/2014 02:51:46 AM) (Source: RasClient) (User: )
Description: CoId={647918FC-4BEF-46C2-900A-1D44E0F71056}: The user SteveH-HP\SteveH dialed a connection named virgin which has failed. The error code returned on failure is 633.

Error: (01/18/2014 02:51:42 AM) (Source: RasClient) (User: )
Description: CoId={9B0517FC-7294-4D82-A01F-40BF5CEE2EC0}: The user SteveH-HP\SteveH dialed a connection named virgin which has failed. The error code returned on failure is 633.


System errors:
=============

Microsoft Office Sessions:
=========================
Error: (01/18/2014 05:37:57 AM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\SteveH\Downloads\esetsmartinstaller_enu.exe

Error: (01/18/2014 03:37:41 AM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\SteveH\Downloads\esetsmartinstaller_enu.exe

Error: (01/18/2014 03:36:48 AM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\SteveH\Downloads\esetsmartinstaller_enu.exe

Error: (01/18/2014 02:51:49 AM) (Source: RasClient)(User: )
Description: {B5F61CB3-0346-4BE4-AA53-F283B1917716}SteveH-HP\SteveHvirgin633

Error: (01/18/2014 02:51:48 AM) (Source: RasClient)(User: )
Description: {C58971C6-4D20-42FB-93D4-8F41DFBAA797}SteveH-HP\SteveHvirgin633

Error: (01/18/2014 02:51:47 AM) (Source: RasClient)(User: )
Description: {E8C6B2E0-9233-4754-9C4D-D6B92202C4A2}SteveH-HP\SteveHvirgin633

Error: (01/18/2014 02:51:46 AM) (Source: RasClient)(User: )
Description: {647918FC-4BEF-46C2-900A-1D44E0F71056}SteveH-HP\SteveHvirgin633

Error: (01/18/2014 02:51:42 AM) (Source: RasClient)(User: )
Description: {9B0517FC-7294-4D82-A01F-40BF5CEE2EC0}SteveH-HP\SteveHvirgin633


CodeIntegrity Errors:
===================================
  Date: 2014-01-17 17:42:08.575
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-01-17 17:42:07.998
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2012-07-31 22:51:25.842
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ATI Technologies\Multimedia\AMDMFTDecoder_64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-07-29 15:23:45.209
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ATI Technologies\Multimedia\AMDMFTDecoder_64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-07-29 15:14:23.612
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ATI Technologies\Multimedia\AMDMFTDecoder_64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-07-29 14:19:48.222
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ATI Technologies\Multimedia\AMDMFTDecoder_64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-07-29 14:18:03.717
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ATI Technologies\Multimedia\AMDMFTDecoder_64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-07-29 14:05:42.512
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ATI Technologies\Multimedia\AMDMFTDecoder_64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-07-29 14:04:20.022
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ATI Technologies\Multimedia\AMDMFTDecoder_64.dll because the set of per-page image hashes could not be found on the system.

  Date: 2012-06-07 23:29:44.135
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Common Files\ATI Technologies\Multimedia\AMDMFTDecoder_64.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Percentage of memory in use: 46%
Total physical RAM: 3689.41 MB
Available physical RAM: 1983.1 MB
Total Pagefile: 7376.99 MB
Available Pagefile: 5028.99 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:271.23 GB) (Free:134.02 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive d: (Recovery) (Fixed) (Total:22.69 GB) (Free:2.43 GB) NTFS ==>[system with boot components (obtained from reading drive)]
Drive e: (HP_TOOLS) (Fixed) (Total:3.96 GB) (Free:1.08 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: CEC4B1B2)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=271 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=23 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=4 GB) - (Type=0C)

==================== End Of Log ============================


Hi Ron:

I ran the FIXDAMAGE.EXE.  It only seemed to highlight the fact that the Windows Firewall wasn't turned on.

Rather a worry that I got no warnings about that.

 

Also, you don't mention anything about removing the viruses that ESET found?  This was only a check scan: not a fix.

 

Is it ok to leave them and the odd folder they are in, while I do the check disc?


Immunicity is a proxy, as far as I know.  This is not a business or network machine, but I am, currently using it via a router that is the public end of a hospital network.


  • Root Admin

The files from the ESET scan are okay, they are not an infection.

 

Your proxy is okay as long as you're fully aware of it and you use it.

 

 

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.
 

fixlist.txt


Many thanks Ron!

 

Glad to hear those dodgy-looking named files are OK.  Just need to put them in more understandable folders now!

 

I ran the TFC cleaner.  It didn't take long as I use CCleaner most days too.

 

Then Check disc and your Fix.

Looks from the Fixlog, as if it has taken my Process Explorer start away.  I like to keep an eye on this in the notification area, and to watch on startup to see if anything odd loads, or fails to.  Should I not be doing that?

 

And Java?  I'm afraid, I get a bit mixed up over what Java is what, but, I'm a bit surprised to see it's all been taken off the browser.  I'm sure I've had to put it there to access sites, in the past.  If I really don't need it, that's great!

On the other hand, I know I do need JRE 6 & 7, in my file tree, because my Open Office kept getting error messages, until I had both.  I hope it will still work.

 

Also, when I came back on line via the router, I notice I am still missing the site 'approval' ratings that used to be a guide beside the Google links.  Should I try to get them back, or were they just giving a false sense of security? (I can't remember what security service they were now!  I just took them for granted.)

 

And the NoSquint control box got stuck behind the browser window again, as if something is still playing with my window priority settings. (Alt; Tab, just skips over the control panel). It came back on reloading FF, but it is a bit unsettling.

 

 

All probably small points, I expect, but I hope you don't mind my asking.

 

Thanks again,

Steve.

 

 

 

Anyway, here are the logs:

 

Wininit.txt

 


Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 3)...
  188928 file records processed.
File verification completed.
  655 large file records processed.
  0 bad file records processed.
  0 EA records processed.
  43 reparse records processed.
CHKDSK is verifying indexes (stage 2 of 3)...
  247760 index entries processed.
Index verification completed.
  0 unindexed files scanned.
  0 unindexed files recovered.
CHKDSK is verifying security descriptors (stage 3 of 3)...
  188928 file SDs/SIDs processed.
Cleaning up 2156 unused index entries from index $SII of file 0x9.
Cleaning up 2156 unused index entries from index $SDH of file 0x9.
Cleaning up 2156 unused security descriptors.
Security descriptor verification completed.
  29417 data files processed.
CHKDSK is verifying Usn Journal...
  36654688 USN bytes processed.
Usn Journal verification completed.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

 284409855 KB total disk space.
 143471180 KB in 121920 files.
     76984 KB in 29418 indexes.
         0 KB in bad sectors.
    301767 KB in use by the system.
     65536 KB occupied by the log file.
 140559924 KB available on disk.

      4096 bytes in each allocation unit.
  71102463 total allocation units on disk.
  35139981 allocation units available on disk.

Internal Info:
00 e2 02 00 36 4f 02 00 fc 44 04 00 00 00 00 00  ....6O...D......
e3 04 00 00 2b 00 00 00 00 00 00 00 00 00 00 00  ....+...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.

___________________________________________

 

Fixlog.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-01-2014 03
Ran by SteveH at 2014-01-18 11:53:43 Run:1
Running from C:\Users\SteveH\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.amazon.co...field-keywords={searchTerms}
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...ch/i.html?_nkw={searchTerms}
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...ch/i.html?_nkw={searchTerms}
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...ch/i.html?_nkw={searchTerms}
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @java.com/DTPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.45.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} [2014-01-11]
C:\Users\SteveH\AppData\Local\Temp\Quarantine.exe
Task: {38C2E4FA-7BC1-4422-A7D2-CD080D01CE92} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-04-28] (Google Inc.)
Task: {87727854-C9B6-4916-9C32-A2404D8277E4} - System32\Tasks\ProcExplorer\RunAtStartAsAdmin => C:\Program Files\ProcessExplorer\procexp.exe [2012-10-02] (Sysinternals - www.sysinternals.com)
Task: {87840DE1-FBA7-4B0A-9E38-4E7C15A7F956} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-04-28] (Google Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe




*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\Malwarebytes Anti-Malware => Value not found.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67B3D6D9-A186-4164-8FDA-1E215311B07A} => Key deleted successfully.
HKCR\CLSID\{67B3D6D9-A186-4164-8FDA-1E215311B07A} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key deleted successfully.
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key deleted successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key deleted successfully.
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.
HKCR\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.
HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.45.2 => Key deleted successfully.
C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll => Moved successfully.
HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.45.2 => Key deleted successfully.
C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll => Moved successfully.
HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.45.2 => Key deleted successfully.
C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll => Moved successfully.
HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=10.45.2 => Key deleted successfully.
C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => Moved successfully.
C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} => Moved successfully.
"C:\Users\SteveH\AppData\Local\Temp\Quarantine.exe" => File/Directory not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{38C2E4FA-7BC1-4422-A7D2-CD080D01CE92} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{38C2E4FA-7BC1-4422-A7D2-CD080D01CE92} => Key deleted successfully.
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{87727854-C9B6-4916-9C32-A2404D8277E4} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87727854-C9B6-4916-9C32-A2404D8277E4} => Key deleted successfully.
C:\Windows\System32\Tasks\ProcExplorer\RunAtStartAsAdmin => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ProcExplorer\RunAtStartAsAdmin => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{87840DE1-FBA7-4B0A-9E38-4E7C15A7F956} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{87840DE1-FBA7-4B0A-9E38-4E7C15A7F956} => Key deleted successfully.
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA => Key deleted successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => Moved successfully.

==== End of Fixlog ====

 


  • Root Admin

Yes if you're using Open Office then it will need Java. You can install 6 or 7 (or both, but make sure that they're both the very latest version at all times and remove the old ones from Control Panel).

How is the computer running now?

Please download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!
I may not be able to reply until Monday but I'll try. Send me a PM if I've not replied by Monday.

Thanks


Hi Ron.

 

I have to say things seem to be going suspiciously smoothly at the moment!  Websites are scrolling like magic in Firefox, in a way I'd forgotten was possible; and they are all nice and sharp and legible.  The big test will be Facebook: that has been very slow, paging down; and it was when it started being very slow to respond to keystrokes that made me try the ill-fated system restore.

 

Though it hasn't been a long test with the browser via wireless 'today', as I was testing for getting on 36hr solid and could hardly see any more!  Last night I was mostly connected via phone tether, which I somehow assume is less likely to attract trouble.

 

Eventlog aggregate view is only showing a handful of errors, and they look like the usual connectivity hiccups with the router connection.

 

Do you think we have rooted out the malware now?  If so, do you know which particular thing was causing the problem?

 

I would like to get ahead and get a better disc imaging product now, but:

1)  I am wary of trying to buy anything until I know my keystrokes aren't being logged or my desktop observed from afar; and,

 

2) Can I now assume that System Restore will function correctly, and not start the process only to tell me it 'couldn't find C:\', or, indeed, the backup image on my external drive (bit of a handicap not having a built-in DVD R/W)?

 

Also, would you recommend any additions to my security, that might better prevent the accumulation of these bugs, than my current kit has done?  (Actually, this is the first time I've got caught out in years, so I shouldn't really complain!)

 

Well, things still seem to be running smooth, so I'll post your latest log, and thank you once again for your help.

(y) (y)

 

SecCheckLog

 

 Results of screen317's Security Check version 0.99.79  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 6 Update 45  
 Java 7 Update 45  
 Java version out of Date!
 Adobe Flash Player 11.9.900.170  
 Adobe Reader XI  
 Mozilla Firefox (27.0)
 Mozilla Thunderbird (24.2.0)
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast AvastUI.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````


  • Root Admin

I think your biggest issue was that your hard disk was corrupted and needed to have the disk check run. Then cleaning up the Java and temp files as well as some browser junk has pretty much got you back under control.

I would review this link for backup software (there are some good free ones) before worrying about buying something.

Backup Software

 

I believe that System Restore should work and this is one of the items I want you to run below so if it is an issue please let me know.



At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily so if you went to use them again in the future they would be outdated anyways.

The following procedures will implement some cleanup procedures to remove these tools.
It will also reset your System Restore by flushing out previous restore points and create a new restore point.
It will also remove all the backups our tools may have created.

Uninstall ComboFix (if used):

  • Turn off all active protection software including your antivirus.
  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • Please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.




Remove the rest of the tools used:




Please download OTCleanIt and save it to your Desktop. This tool will remove all the tools we used to clean your pc.

  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not go ahead and delete it by yourself.
  • If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


AdwCleaner Removal:

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Uninstall
  • Confirm with Yes

ESET antivirus Removal:

  • This tool can be uninstalled via the Control Panel, Programs, Uninstall

If there are any other left over Folders, Files, Logs then you can delete them on your own.

Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis I advise not using Java if possible, but at least disable Java in your web browsers.
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

If you're not currently using Malwarebytes PRO then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.


Hi Ron,

 

The computer seems to be running better than ever I can remember: it might even have been faulty from new judging by the superb state of the display images now. It has also acquired 3d-type shadowing, which I don't think it had before.

I have been having trouble with my eyes, so hadn't realised that the picture images really were unclear, rather than my eyes!  So this is all something of a novel experience to see things properly!

 

I noticed that the 'viruses' that ADWCleaner removed when I ran it before contacting you were all AV related.  It seems likely that these may have done the damage to the display.  Could these viruses have been concealed in a codec pack?  I have always been a bit uneasy about the way Avast scans give a whole list of 'access denied's when they get to codecs, and had wondered if there was a way to get access and scan?  What do you think?

 

I may redownload ADWC again later, as it seems to be a useful tool, and I want to remember it.

 

For that matter, I would also like to hang on to, ESET.  It is very slow to download its database via my cell phone, and I will be being discharged from hospital tomorrow and so, losing the internet connection for a time, so, if I can keep the existing db and just update it as needed, it would be useful.

 

OldTimer didn't seem to remove very much: I still have, rkill, RogueKiller, JRT, and Security Check.

 

When I went to remove the restore points, disc cleanup asked if I wanted to clean out out-of-date Windows updates as well.  Was a bit of a shock to find it meant over 4 gig of them!  And then a bit of a worry when the computer just said 'cleaning up' for about 20 minutes after the restart.  But it came back in the end.

 

I had a popup about a Java 7 update after the restart.  Unfortunately, it says it will remove Java 6, if I let it update 7, so, as I need 6 for Apache, I don't know what to do about that yet.

 

I tried the RedoUpdate before I made my OP.  I'd read through a lot of alternatives on Wiki, before selecting this.  Then after going to all the trouble of making a bootup USB to run it from, making an image and full backup set, only to find, when needed, that the pc wouldn't recognise the external drive from the Redo 'restore' option, was rather a blow.

 

Mind you, I've also had trouble before with Acronis, when the boot disc's user interface was too big to fit on my then laptop screen, so I could not press the buttons to do the restore!  I think I will, however, see about renewing my Acronis license.

 

When I'm all sorted here I'll see about upgrading to MWB Pro too I think. 

They seem to give very good service. (y)

 

:) :) :)

 

Thank you, so much for your help.  It has been rather harrowing, but very educational.  I shall work my way through the links you have provided, and, hopefully learn some more useful tips.

 

This forum will be highly recommended.


PS.  I still don't know if it's possible to test System Restore, without actually doing a restore and risking going back to square one if it still decides to say 'can't find C:\' ?
