Two Infections


After some strange behaviour on my daughter's laptop, I disabled the existing free AV, installed MB and Avast and ran a few scans. Almost as soon as Avast started up it stopped and requested a boot-time scan. It found the following:

Win32:BProtect

Win64:Dropper-gen

both in the C:\ProgramData\perfor~1 directory.

Also:

Win32:Malware-gen (setup.exe)

Win32:Malware-gen (Setup.exe)

both in the C:\Users\name\Documents directory.

All are quarantined but not deleted.

My logs below:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 14-11-2014

Ran by Joanne (administrator) on JOANNE-VAIO on 16-11-2014 11:48:05

Running from C:\Users\Joanne\Desktop\MalwareBytes

Loaded Profile: Joanne (Available profiles: Joanne & Jo and Ben)

Platform: Windows 7 Home Premium (X64) OS Language: English (United States)

Internet Explorer Version 8

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe

(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe

(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe

(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE

(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe

(Sony Corporation) C:\Program Files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe

(Sony Corporation) C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe

(Sony Corporation) C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe

(ArcSoft, Inc.) C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe

(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Event Service\VESMgr.exe

(Sony Corporation) C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe

(Sony Corporation) C:\Program Files\Sony\VAIO Smart Network\VSNService.exe

(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe

(Sony Corporation) C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe

(Sony Corporation) C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe

(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCPerfService.exe

(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe

(Sony Corporation) C:\Program Files\Sony\VAIO Power Management\SPMService.exe

(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCSpt.exe

(Sony Corporation) C:\Program Files\Sony\VAIO Gate\VAIO Gate.exe

(Sony Corporation) C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

(Sony of America Corporation) C:\Program Files\Sony\VAIO Care\listener.exe

(Sony Corporation) C:\Program Files\Sony\VAIO Update 5\VAIOUpdt.exe

(Microsoft Corporation) C:\Windows\System32\msiexec.exe

(Microsoft Corporation) C:\Windows\SysWOW64\msiexec.exe

(Intel Corporation) C:\Windows\System32\igfxtray.exe

(Intel Corporation) C:\Windows\System32\hkcmd.exe

(Intel Corporation) C:\Windows\System32\igfxpers.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint\Apoint.exe

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe

(Sony Corporation) C:\Program Files (x86)\Sony\Media Gallery\ElbServer.exe

(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe

(Sony Corporation) C:\Program Files\Sony\VCM Manager Settings\VcmMgrNotification64.exe

(Sony Corporation) C:\Program Files\Sony\VAIO Smart Network\VSNClient.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApMsgFwd.exe

(Alps Electric Co., Ltd.) C:\Program Files\Apoint\ApntEx.exe

(ALPS) C:\Program Files\Apoint\Apvfb.exe

(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe

(Sony Corporation) C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe

(Sony Corporation) C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe

(Sony Corporation) C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe

(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe

(Sony Corporation) C:\Program Files\Sony\VAIO Care\VCsystray.exe

(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe

(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe

(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe

(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe

(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe

(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe

(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe

(Sony Corporation) C:\Program Files\Sony\VCM Manager Settings\VcmMgrNotification64.exe

(Sony Corporation) C:\Program Files\Sony\VAIO Personalization Manager\VpmIfPav.exe

(Sony Corporation) C:\Program Files\Sony\VCM Manager Settings\VcmMgrNotification64.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10775584 2010-05-31] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2040352 2010-05-31] (Realtek Semiconductor)

HKLM\...\Run: [Apoint] => C:\Program Files\Apoint\Apoint.exe [212480 2010-05-31] (Alps Electric Co., Ltd.)

HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)

HKLM-x32\...\Run: [iAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-04] (Intel Corporation)

HKLM-x32\...\Run: [iSBMgr.exe] => C:\Program Files (x86)\Sony\ISB Utility\ISBMgr.exe [673136 2010-05-31] (Sony Corporation)

HKLM-x32\...\Run: [PMBVolumeWatcher] => C:\Program Files (x86)\Sony\PMB\PMBVolumeWatcher.exe [600928 2010-06-01] (Sony Corporation)

HKLM-x32\...\Run: [GrooveMonitor] => C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)

HKLM-x32\...\Run: [sHTtray.exe] => C:\Program Files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe [99696 2010-06-20] (Sony Corporation)

HKLM-x32\...\Run: [browserPlugInHelper] => C:\Program Files (x86)\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe

HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)

HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)

HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-12-21] (Adobe Systems Incorporated)

HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-07-08] (Apple Inc.)

HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5225064 2014-11-14] (AVAST Software)

Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\Run: [EPSON SX125 Series] => C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIGGE.EXE [224768 2009-09-14] (SEIKO EPSON CORPORATION)

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\Run: [Elbserver] => C:\Program Files (x86)\Sony\Media Gallery\ElbServer.exe [81264 2010-06-22] (Sony Corporation)

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\Run: [VRLPHelper] => C:\Program Files (x86)\Sony\Media Gallery\VRLPHelper.exe [183152 2010-06-22] (Sony Corporation)

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [22415552 2014-04-25] (Google)

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6501656 2014-10-30] (Piriform Ltd)

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: F - F:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {07923d22-6c74-11e1-acc4-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {0d315c2a-42fe-11e2-a4ce-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {0d315c31-42fe-11e2-a4ce-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {10dc1b38-f1f4-11e1-9caa-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {1268d945-1a16-11e2-b372-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {19a94972-6885-11e2-b374-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {1ab16a5e-e3c5-11e0-99f6-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {24516268-2051-11e3-9781-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {2a5452bd-c609-11e1-a5f0-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {2cc4c5f5-b270-11e1-a954-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {34b94382-6af2-11e1-9c0b-f0bf975cc6c1} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {34cad167-13f1-11e3-a6a8-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {38862bc4-2130-11e2-98ef-ec55f9caacbe} - F:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {3916f0e1-fa71-11e0-ba96-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {3916f0e3-fa71-11e0-ba96-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {3a64f190-8fd7-11e1-9cd9-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {3db51668-a830-11e1-8706-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {3db5166b-a830-11e1-8706-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {484109e4-108a-11e3-9732-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {52dfe6a3-efae-11e3-850d-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {559cfc3d-6bbd-11e1-bb44-f0bf975cc6c1} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {55df16f3-0e5c-11e2-b33a-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {55df1739-0e5c-11e2-b33a-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {563f390e-5c27-11e2-81f7-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {567813fa-ec22-11e3-899c-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {576da2cb-6ecc-11e1-9df0-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {59c2af69-0200-11e1-9c14-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {5ddd53f9-8bcd-11e1-9511-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {650d381f-ee7b-11e3-a067-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {650d3825-ee7b-11e3-a067-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {6665bd66-43c8-11e2-8497-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {67ac8974-e8c8-11e2-a2ee-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {7645fb20-f585-11e3-852f-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {7c712cf4-f6b9-11e1-b2c8-ec55f9caacbe} - F:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {7e8e831c-dc1c-11e2-b106-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {84afd019-3969-11e2-861f-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {85e08b7b-7da9-11e1-88f2-806e6f6e6963} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {8a4daf64-058d-11e1-b767-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {8aaed94f-f536-11e3-ab54-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {8da522d1-b60f-11e1-9e8e-806e6f6e6963} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {8e4582f3-0f4f-11e3-a27e-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {8f816b23-6a1e-11e1-9d89-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {94a87af4-9884-11e1-ac9d-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {974247f7-87f8-11e1-9545-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {9fbc4af1-ee39-11e2-9add-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {a78bc19c-5f2b-11e1-9df2-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {a78bc1b6-5f2b-11e1-9df2-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {b9ed4010-7f2b-11e1-99b4-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {bda1a3e5-7cfb-11e1-9045-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {c36a3cf6-f13f-11e3-85a4-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {c37c39f4-edfe-11e1-b2ff-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {c5df1916-92f6-11e1-be58-ec55f9caacbe} - F:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {cf4c2fee-15fe-11e3-8314-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {dbdbe346-de56-11e1-98b5-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {dc2bdb46-644b-11e1-9c11-806e6f6e6963} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {dc2bdb65-644b-11e1-9c11-f0bf975cc6c1} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {e1293f29-2844-11e2-ab3e-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {e1293f2f-2844-11e2-ab3e-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {e677694b-618a-11e1-9724-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {f0f79d93-5b34-11e1-9c16-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {f3c3efe7-159d-11e3-a6a6-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {f6f66b50-9e9b-11e2-a7fe-ec55f9caacbe} - E:\AutoRun.exe

HKU\S-1-5-21-2976095537-2280378114-1351645280-1000\...\MountPoints2: {febb456e-7202-11e1-87c9-ec55f9caacbe} - E:\AutoRun.exe

AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll => C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\x64\datamngr.dll [1778584 2011-12-06] (Bandoo Media, inc)

AppInit_DLLs-x32: c:\progra~2\wi3c8a~1\datamngr\datamngr.dll => c:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\datamngr.dll [1236368 2011-12-06] (Bandoo Media, inc)

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk

ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=SVEE&bmod=SVEE

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com

StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe

SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&appid=101&systemid=406&sr=0&q={searchTerms}

SearchScopes: HKLM-x32 - DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL =

BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)

BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg64.dll (Google Inc.)

BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)

BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File

BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

BHO-x32: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)

BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

BHO-x32: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)

BHO-x32: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)

Toolbar: HKU\S-1-5-21-2976095537-2280378114-1351645280-1000 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)

Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)

Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~2\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL (Microsoft Corporation)

Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:

========

FF ProfilePath: C:\Users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\9w274o2k.default

FF NewTab: about:blank

FF DefaultSearchEngine: Web Search

FF SelectedSearchEngine: Web Search

FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_223.dll ()

FF Plugin: @microsoft.com/GENUINE -> disabled No File

FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_223.dll ()

FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()

FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File

FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)

FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)

FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF Extension: EpicPlay Games - C:\Users\Joanne\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@epicplay.com [2012-01-09]

FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-11-14]

Chrome:

=======

CHR dev: Chrome dev build detected! <======= ATTENTION

CHR Profile: C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default

CHR Extension: (Google Drive) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-02-22]

CHR Extension: (surFKeeepit) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\bohochmglconpjoecbcncjnldbnkdajj [2014-06-09]

CHR Extension: (Minecrizzy) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciaaiedhdplbckgciamhkoejibpoegke [2014-06-23]

CHR Extension: (JavaScript Notepad) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\eemkmiehbcigiognajmhgfgglomdbddc [2014-07-28]

CHR Extension: (CENTER DRIVEN CnC TA Script Collection) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\glicbealjcpdfcnkjeeememcglfoafbo [2014-09-12]

CHR Extension: (Video Bookmarks) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkpgpmmooejhfhojndincjeonokodggj [2014-08-13]

CHR Extension: (GNotes Extension) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\idpclaojcopihmplcfnmgfkllldpajen [2014-06-09]

CHR Extension: (One Direction Website App) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\infbohjcpbljfmnimjodijobdhjfijnp [2014-11-06]

CHR Extension: (9GAG Mini) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmkmihphgjhmeabggdcokmkjhbnmdml [2014-10-14]

CHR Extension: (Spreed speed read the web) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\ipikiaejjblmdopojhpejjmbedhlibno [2014-06-16]

CHR Extension: (surfkeepit) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmddnpkedpgfcicmdpbnjjfonhhonfdk [2014-11-06]

CHR Extension: (Bookmark) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\naghkjogakhpimmejjmakpmnbdeccinm [2014-07-10]

CHR Extension: (Google Wallet) - C:\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-02]

CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-11-14]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-11-14] (AVAST Software)

R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)

R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)

R2 SampleCollector; C:\Program Files\Sony\VAIO Care\VCPerfService.exe [252416 2010-05-25] (Sony Corporation) [File not signed]

R2 uCamMonitor; C:\Program Files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [104960 2008-09-18] (ArcSoft, Inc.)

S2 VCFw; C:\Program Files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [851824 2010-06-17] (Sony Corporation)

R2 VSNService; C:\Program Files\Sony\VAIO Smart Network\VSNService.exe [836608 2010-06-08] (Sony Corporation) [File not signed]

S3 VUAgent; C:\Program Files\Sony\VAIO Update 5\VUAgent.exe [1250160 2010-05-31] (Sony Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 ArcSoftKsUFilter; C:\Windows\System32\DRIVERS\ArcSoftKsUFilter.sys [19968 2009-05-26] (ArcSoft, Inc.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-11-14] ()

R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-11-14] (AVAST Software)

R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-11-14] (AVAST Software)

R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-11-14] ()

R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-11-14] (AVAST Software)

R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-11-14] (AVAST Software)

R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-11-14] (AVAST Software)

R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-11-14] ()

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)

R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)

S3 WsAudio_Device; C:\Windows\System32\drivers\VirtualAudio.sys [31080 2012-11-20] (Wondershare)

S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [X]

S3 huawei_cdcacm; system32\DRIVERS\ew_jucdcacm.sys [X]

S3 huawei_cdcecm; system32\DRIVERS\ew_jucdcecm.sys [X]

S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [X]

S3 huawei_ext_ctrl; system32\DRIVERS\ew_juextctrl.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-16 11:47 - 2014-11-16 11:48 - 00000000 ____D () C:\FRST

2014-11-16 11:46 - 2014-11-16 11:48 - 00000000 ____D () C:\Users\Joanne\Desktop\MalwareBytes

2014-11-15 10:44 - 2014-11-15 10:44 - 00021814 _____ () C:\Users\Joanne\Documents\DDS.txt

2014-11-15 10:42 - 2014-11-15 10:42 - 00011995 _____ () C:\Users\Joanne\Desktop\attach.txt

2014-11-15 10:34 - 2014-11-15 10:41 - 00021814 _____ () C:\Users\Joanne\Desktop\dds.txt

2014-11-15 10:24 - 2014-11-15 09:53 - 00688992 ____R (Swearware) C:\Users\Joanne\Desktop\dds.com

2014-11-14 22:17 - 2014-11-14 22:17 - 00001764 _____ () C:\Windows\PFRO.log

2014-11-14 21:25 - 2014-11-14 21:25 - 00001964 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk

2014-11-14 21:25 - 2014-11-14 21:25 - 00000000 ____D () C:\Users\Joanne\AppData\Roaming\AVAST Software

2014-11-14 21:25 - 2014-11-14 21:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software

2014-11-14 21:24 - 2014-11-15 11:31 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update

2014-11-14 21:24 - 2014-11-14 21:24 - 00436624 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys

2014-11-14 21:24 - 2014-11-14 21:24 - 00364512 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe

2014-11-14 21:24 - 2014-11-14 21:24 - 00267632 _____ () C:\Windows\system32\Drivers\aswVmm.sys

2014-11-14 21:24 - 2014-11-14 21:24 - 00116728 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys

2014-11-14 21:24 - 2014-11-14 21:24 - 00093568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys

2014-11-14 21:24 - 2014-11-14 21:24 - 00083280 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys

2014-11-14 21:24 - 2014-11-14 21:24 - 00065776 _____ () C:\Windows\system32\Drivers\aswRvrt.sys

2014-11-14 21:24 - 2014-11-14 21:24 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr

2014-11-14 21:24 - 2014-11-14 21:24 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys

2014-11-14 21:24 - 2014-11-14 21:23 - 01050432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys

2014-11-14 21:22 - 2014-11-14 21:22 - 00000000 ____D () C:\Program Files\AVAST Software

2014-11-14 21:16 - 2014-11-14 21:22 - 00000000 ____D () C:\ProgramData\AVAST Software

2014-11-14 21:03 - 2014-11-16 11:36 - 00000426 _____ () C:\Windows\setupact.log

2014-11-14 21:03 - 2014-11-14 21:03 - 00000000 _____ () C:\Windows\setuperr.log

2014-11-14 18:00 - 2014-11-14 18:00 - 00003958 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{59C6A6E3-20FB-45F5-8D29-A07C8E01C34E}

2014-11-14 17:59 - 2014-11-14 17:59 - 00132184 _____ () C:\Users\Jo and Ben\AppData\Local\GDIPFONTCACHEV1.DAT

2014-11-14 17:59 - 2014-11-14 17:59 - 00000020 ___SH () C:\Users\Jo and Ben\ntuser.ini

2014-11-14 17:59 - 2014-11-14 17:59 - 00000000 ____D () C:\Users\Jo and Ben\Documents\Bluetooth Exchange Folder

2014-11-14 17:59 - 2014-11-14 17:59 - 00000000 ____D () C:\Users\Jo and Ben\AppData\Roaming\Sony Corporation

2014-11-14 17:59 - 2014-11-14 17:59 - 00000000 ____D () C:\Users\Jo and Ben\AppData\Roaming\Intel Corporation

2014-11-14 17:59 - 2014-11-14 17:59 - 00000000 ____D () C:\Users\Jo and Ben\AppData\Roaming\Apple Computer

2014-11-14 17:59 - 2014-11-14 17:59 - 00000000 ____D () C:\Users\Jo and Ben\AppData\Local\VirtualStore

2014-11-14 17:59 - 2014-11-14 17:59 - 00000000 ____D () C:\Users\Jo and Ben\AppData\Local\Broadcom

2014-11-14 17:59 - 2014-11-14 17:59 - 00000000 ____D () C:\Users\Jo and Ben

2014-11-14 17:59 - 2012-11-05 17:25 - 00000000 ____D () C:\Users\Jo and Ben\AppData\LocalGoogle

2014-11-14 17:59 - 2012-11-05 17:25 - 00000000 ____D () C:\Users\Jo and Ben\AppData\Local\Google

2014-11-14 17:59 - 2011-12-25 08:59 - 00000000 ____D () C:\Users\Jo and Ben\AppData\Local\Sony Corporation

2014-11-14 17:59 - 2011-10-22 20:53 - 00000000 ____D () C:\Users\Jo and Ben\AppData\Local\Microsoft Help

2014-11-14 17:59 - 2010-12-18 13:12 - 00000000 ____D () C:\Users\Jo and Ben\AppData\Roaming\Macromedia

2014-11-14 17:59 - 2009-07-14 04:54 - 00000000 ___RD () C:\Users\Jo and Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories

2014-11-14 17:59 - 2009-07-14 04:49 - 00000000 ___RD () C:\Users\Jo and Ben\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

2014-11-13 23:21 - 2014-11-05 02:48 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll

2014-11-13 23:21 - 2014-11-05 02:47 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll

2014-11-13 23:21 - 2014-11-05 02:41 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll

2014-11-10 20:28 - 2014-11-10 20:28 - 00000000 ____D () C:\Program Files (x86)\VS Revo Group

2014-11-10 11:29 - 2014-11-10 11:29 - 00002774 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC

2014-11-10 11:29 - 2014-11-10 11:29 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk

2014-11-10 11:29 - 2014-11-10 11:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner

2014-11-10 11:29 - 2014-11-10 11:29 - 00000000 ____D () C:\Program Files\CCleaner

2014-11-10 10:31 - 2014-11-14 22:27 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-11-10 10:30 - 2014-11-10 10:30 - 00001066 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk

2014-11-10 10:30 - 2014-11-10 10:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware

2014-11-10 10:30 - 2014-11-10 10:30 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-11-10 10:30 - 2014-11-10 10:30 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware

2014-11-10 10:30 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-11-10 10:30 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys

2014-11-10 10:30 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

2014-11-06 20:35 - 2014-11-06 20:35 - 01055936 _____ (Adobe) C:\Users\Joanne\Downloads\flash_setup.exe

2014-11-06 20:23 - 2014-11-14 21:42 - 00000000 ____D () C:\ProgramData\SaverAddon

2014-11-06 20:22 - 2014-11-06 20:22 - 00000000 ____D () C:\ProgramData\GetTheDiscount

2014-11-06 20:21 - 2010-05-23 10:15 - 01619456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WMVDECOD.DLL

2014-11-06 20:21 - 2010-05-23 10:11 - 03181568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mf.dll

2014-11-06 20:21 - 2010-05-23 10:11 - 00196608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfreadwrite.dll

2014-11-06 20:21 - 2010-05-23 08:37 - 01888256 _____ (Microsoft Corporation) C:\Windows\system32\WMVDECOD.DLL

2014-11-06 20:21 - 2010-05-23 08:35 - 04068864 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll

2014-11-06 20:21 - 2010-05-23 08:35 - 00257024 _____ (Microsoft Corporation) C:\Windows\system32\mfreadwrite.dll

2014-11-06 20:21 - 2010-05-23 08:35 - 00206848 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-16 11:46 - 2009-07-14 04:45 - 00019760 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-11-16 11:46 - 2009-07-14 04:45 - 00019760 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-11-16 11:43 - 2011-09-20 11:28 - 01381158 _____ () C:\Windows\WindowsUpdate.log

2014-11-16 11:39 - 2010-12-18 13:25 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job

2014-11-16 11:36 - 2013-03-08 17:40 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job

2014-11-16 11:36 - 2009-07-14 05:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-11-15 11:24 - 2010-12-18 13:25 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job

2014-11-15 10:24 - 2009-07-14 05:13 - 00730596 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-11-14 22:50 - 2013-03-08 17:40 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater

2014-11-14 22:50 - 2013-03-08 17:39 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2014-11-14 22:50 - 2013-03-08 17:39 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

2014-11-14 22:42 - 2009-07-14 03:20 - 00000000 ____D () C:\Windows\system32\NDF

2014-11-14 21:36 - 2014-06-04 20:07 - 00000000 ____D () C:\ProgramData\Performancer

2014-11-14 17:55 - 2011-11-25 14:23 - 00506814 _____ () C:\test.xml

2014-11-14 17:09 - 2014-07-10 11:22 - 00000000 ___SD () C:\Windows\system32\CompatTel

2014-11-14 17:09 - 2011-09-29 19:59 - 00000000 ____D () C:\ProgramData\Microsoft Help

2014-11-14 17:05 - 2013-08-19 19:29 - 00000000 ____D () C:\Windows\system32\MRT

2014-11-14 17:01 - 2013-05-07 21:21 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

2014-11-13 23:18 - 2011-09-20 12:46 - 00003942 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{B54CA724-A1D6-4C74-B9F7-80CE8592526B}

2014-11-10 11:43 - 2010-10-12 17:28 - 00000000 ____D () C:\Windows\Panther

2014-11-10 11:14 - 2014-10-14 15:12 - 00000000 ____D () C:\ProgramData\FineiDeaLSofT

2014-11-10 11:14 - 2014-09-12 19:46 - 00000000 ____D () C:\ProgramData\doownnloaditkeep

2014-11-10 11:14 - 2014-08-13 15:51 - 00000000 ____D () C:\ProgramData\cOupoNPeiakk

2014-11-10 11:14 - 2014-07-28 16:57 - 00000000 ____D () C:\ProgramData\ApaptoU

2014-11-10 11:14 - 2014-02-08 14:58 - 00000000 ____D () C:\Users\Joanne\AppData\Roaming\DigitalSites

2014-11-10 11:14 - 2013-10-10 09:59 - 00000000 ____D () C:\ProgramData\BitGuard

2014-11-10 11:14 - 2013-10-10 09:58 - 00000000 ____D () C:\Users\Joanne\AppData\Roaming\DigitalSite

2014-11-06 20:23 - 2014-02-18 21:46 - 00000000 ____D () C:\ProgramData\4a7e694a3d4b435c

2014-10-30 11:25 - 2011-10-22 20:34 - 00275080 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed

C:\Windows\System32\wininit.exe => File is digitally signed

C:\Windows\SysWOW64\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\System32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\System32\services.exe => File is digitally signed

C:\Windows\System32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\System32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\System32\rpcss.dll => File is digitally signed

C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-11-09 23:32

==================== End Of Log ============================

Some help with this would be much appreciated.

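The "Bamital & volsnap Check" block at the end of the FRST log above verifies that a handful of core Windows binaries (winlogon, wininit, explorer, svchost, services, User32, userinit, rpcss and the volsnap driver) still carry a valid digital signature, because file-infecting malware such as Bamital patches exactly these files. The following PowerShell script is an added example, not part of the FRST log or of any post in this thread: it repeats that check with the built-in `Get-AuthenticodeSignature` cmdlet over the same file list so a reader can re-run it on their own machine. It assumes a 64-bit, elevated PowerShell session; the file list and the "Microsoft" signer filter are taken from the log and from the assumption that these files are Microsoft-signed on an unmodified install.

```powershell
# Added example (not from the FRST log or the forum thread): re-run the
# signature check FRST prints under "Bamital & volsnap Check".
# Run from a 64-bit, elevated PowerShell so that System32 paths are not
# redirected to SysWOW64 by the WOW64 file-system redirector.

# File list taken from the FRST log section above; SysWOW64 copies are
# included because FRST checks both the 64-bit and 32-bit binaries.
$files = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\SysWOW64\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\User32.dll",
    "$env:SystemRoot\SysWOW64\User32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\Drivers\volsnap.sys"
)

$results = foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) {
        # A missing core binary is itself worth noting, so record it
        # rather than letting the cmdlet throw.
        [pscustomobject]@{ Path = $f; Status = 'Missing'; Signer = $null }
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $f
    [pscustomobject]@{
        Path   = $f
        Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Full table, equivalent to the "=> File is digitally signed" lines in FRST.
$results | Format-Table -AutoSize

# Anything that is not Valid, or is signed by someone other than Microsoft,
# needs a closer look. As the FRST log notes, there is no automatic fix for
# a file that fails this check; it has to be replaced from known-good media.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
if ($suspect) {
    Write-Warning "Core files that did not pass signature verification:"
    $suspect | Format-Table -AutoSize
} else {
    Write-Host "All listed core files carry a valid Microsoft signature."
}
```

Two caveats a practitioner should keep in mind. Most Windows system files are catalog-signed rather than carrying an embedded signature, and on the Windows 7 / PowerShell 2.0 generation shown in this thread `Get-AuthenticodeSignature` did not consult the catalog, so it can report `NotSigned` for a perfectly good file; on PowerShell 3 and later the catalog is checked and the status is meaningful. Second, `HashMismatch` is the status that corresponds to a patched file and is the one to treat as a red flag, whereas `NotSigned` on an old host is more often a tooling limitation than an infection.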

  • Staff

Please run the following:

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

    You can get help on disabling your protection programs here

  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:

    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------

  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

NEXT

Download AdwCleaner from here and save it to your desktop.

  • Run AdwCleaner and select Scan
  • If items are found, please select the Clean button
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply

Thanks for your reply.

One little problem. This is my daughter's machine and she has Microsoft Security Essentials installed and running on it, and I cannot, no matter what I do, stop it from running: not from Services, not from msconfig, not by renaming the exec, and I can't change the file permissions to allow me to do anything.

What I do see is it listed in the uninstall programme list, but before I do that I would like the OK from you.


Right, killed the damn thing in the registry!

Here's the ComboFix log:

ComboFix 14-11-17.01 - Joanne 18/11/2014  23:57:25.1.2 - x64
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.3758.2153 [GMT 0:00]
Running from: c:\users\Joanne\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Microsoft Security Essentials *Disabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FineiDeaLSofT
c:\programdata\FineiDeaLSofT\J9siK.dat
c:\programdata\FineiDeaLSofT\J9siK.tlb
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\glicbealjcpdfcnkjeeememcglfoafbo
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\glicbealjcpdfcnkjeeememcglfoafbo\195\background.html
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\glicbealjcpdfcnkjeeememcglfoafbo\195\content.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\glicbealjcpdfcnkjeeememcglfoafbo\195\KN_.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\glicbealjcpdfcnkjeeememcglfoafbo\195\lsdb.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\glicbealjcpdfcnkjeeememcglfoafbo\195\manifest.json
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkpgpmmooejhfhojndincjeonokodggj
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkpgpmmooejhfhojndincjeonokodggj\116\background.html
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkpgpmmooejhfhojndincjeonokodggj\116\content.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkpgpmmooejhfhojndincjeonokodggj\116\g0f2w.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkpgpmmooejhfhojndincjeonokodggj\116\lsdb.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\hkpgpmmooejhfhojndincjeonokodggj\116\manifest.json
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\infbohjcpbljfmnimjodijobdhjfijnp
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\infbohjcpbljfmnimjodijobdhjfijnp\213\background.html
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\infbohjcpbljfmnimjodijobdhjfijnp\213\content.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\infbohjcpbljfmnimjodijobdhjfijnp\213\lsdb.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\infbohjcpbljfmnimjodijobdhjfijnp\213\manifest.json
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\infbohjcpbljfmnimjodijobdhjfijnp\213\YBHci.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmkmihphgjhmeabggdcokmkjhbnmdml
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmkmihphgjhmeabggdcokmkjhbnmdml\143\background.html
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmkmihphgjhmeabggdcokmkjhbnmdml\143\content.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmkmihphgjhmeabggdcokmkjhbnmdml\143\lsdb.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmkmihphgjhmeabggdcokmkjhbnmdml\143\manifest.json
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\inmkmihphgjhmeabggdcokmkjhbnmdml\143\WuV.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmddnpkedpgfcicmdpbnjjfonhhonfdk
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmddnpkedpgfcicmdpbnjjfonhhonfdk\8.1\background.html
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmddnpkedpgfcicmdpbnjjfonhhonfdk\8.1\cH1RZU.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmddnpkedpgfcicmdpbnjjfonhhonfdk\8.1\content.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmddnpkedpgfcicmdpbnjjfonhhonfdk\8.1\lsdb.js
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\kmddnpkedpgfcicmdpbnjjfonhhonfdk\8.1\manifest.json
c:\users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Preferences
c:\users\Joanne\AppData\Local\Malware360Installer.exe
c:\users\Joanne\AppData\Local\Temp\_MEI44802\_ctypes.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\_elementtree.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\_hashlib.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\_multiprocessing.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\_socket.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\_ssl.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\pyexpat.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\pysqlite2._sqlite.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\python27.dll
c:\users\Joanne\AppData\Local\Temp\_MEI44802\pythoncom27.dll
c:\users\Joanne\AppData\Local\Temp\_MEI44802\PyWinTypes27.dll
c:\users\Joanne\AppData\Local\Temp\_MEI44802\select.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\unicodedata.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32api.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32com.shell.shell.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32crypt.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32event.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32file.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32gui.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32inet.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32pdh.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32pipe.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32process.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32profile.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32security.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\win32ts.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\windows._lib_cacheinvalidation.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wx._animate.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wx._controls_.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wx._core_.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wx._gdi_.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wx._html2.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wx._misc_.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wx._windows_.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wx._wizard.pyd
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wxbase294u_net_vc90.dll
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wxbase294u_vc90.dll
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wxmsw294u_adv_vc90.dll
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wxmsw294u_core_vc90.dll
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wxmsw294u_html_vc90.dll
c:\users\Joanne\AppData\Local\Temp\_MEI44802\wxmsw294u_webview_vc90.dll
c:\users\Joanne\Documents\~WRL0001.tmp
c:\users\Joanne\Documents\~WRL0106.tmp
c:\windows\msdownld.tmp
.
.
(((((((((((((((((((((((((   Files Created from 2014-10-19 to 2014-11-19  )))))))))))))))))))))))))))))))
.
.
2014-11-19 00:08 . 2014-11-19 00:08    --------    d-----w-    c:\users\Default\AppData\Local\temp
2014-11-16 12:04 . 2014-11-16 12:04    --------    d-----w-    c:\program files (x86)\Common Files\Java
2014-11-16 12:03 . 2014-09-26 18:42    98216    ----a-w-    c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-11-16 11:47 . 2014-11-16 11:50    --------    d-----w-    C:\FRST
2014-11-14 21:25 . 2014-11-14 21:25    --------    d-----w-    c:\users\Joanne\AppData\Roaming\AVAST Software
2014-11-14 21:24 . 2014-11-14 21:24    83280    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2014-11-14 21:24 . 2014-11-14 21:24    65776    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2014-11-14 21:24 . 2014-11-14 21:24    436624    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2014-11-14 21:24 . 2014-11-14 21:24    29208    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2014-11-14 21:24 . 2014-11-14 21:24    267632    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2014-11-14 21:24 . 2014-11-14 21:24    116728    ----a-w-    c:\windows\system32\drivers\aswStm.sys
2014-11-14 21:24 . 2014-11-14 21:24    93568    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2014-11-14 21:24 . 2014-11-14 21:23    1050432    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2014-11-14 21:24 . 2014-11-14 21:24    364512    ----a-w-    c:\windows\system32\aswBoot.exe
2014-11-14 21:24 . 2014-11-14 21:24    43152    ----a-w-    c:\windows\avastSS.scr
2014-11-14 21:22 . 2014-11-14 21:22    --------    d-----w-    c:\program files\AVAST Software
2014-11-14 21:16 . 2014-11-14 21:22    --------    d-----w-    c:\programdata\AVAST Software
2014-11-14 17:59 . 2014-11-14 17:59    --------    d-----w-    c:\users\Jo and Ben
2014-11-13 23:25 . 2014-09-21 11:11    1188440    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{72B0D11E-AFB8-49DD-B119-05F3B3DE83A2}\gapaengine.dll
2014-11-13 23:23 . 2014-10-20 02:37    11627712    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1CF63220-9508-40E4-9C9D-4EB3B10DDA5C}\mpengine.dll
2014-11-13 23:21 . 2014-11-05 02:48    304640    ----a-w-    c:\windows\system32\generaltel.dll
2014-11-13 23:21 . 2014-11-05 02:47    228864    ----a-w-    c:\windows\system32\aepdu.dll
2014-11-13 23:21 . 2014-11-05 02:41    424448    ----a-w-    c:\windows\system32\aeinv.dll
2014-11-10 20:28 . 2014-11-10 20:28    --------    d-----w-    c:\program files (x86)\VS Revo Group
2014-11-10 19:53 . 2014-10-20 02:37    11627712    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-11-10 11:29 . 2014-11-10 11:29    --------    d-----w-    c:\program files\CCleaner
2014-11-10 10:31 . 2014-11-18 23:51    129752    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-10 10:30 . 2014-11-10 10:30    --------    d-----w-    c:\program files (x86)\Malwarebytes Anti-Malware
2014-11-10 10:30 . 2014-11-10 10:30    --------    d-----w-    c:\programdata\Malwarebytes
2014-11-10 10:30 . 2014-10-01 11:11    63704    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-11-10 10:30 . 2014-10-01 11:11    93400    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-11-10 10:30 . 2014-10-01 11:11    25816    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-11-06 20:21 . 2010-05-23 08:35    257024    ----a-w-    c:\windows\system32\mfreadwrite.dll
2014-11-06 20:21 . 2010-05-23 08:35    206848    ----a-w-    c:\windows\system32\mfps.dll
2014-11-06 20:21 . 2010-05-23 10:11    196608    ----a-w-    c:\windows\SysWow64\mfreadwrite.dll
2014-11-06 20:21 . 2010-05-23 10:15    1619456    ----a-w-    c:\windows\SysWow64\WMVDECOD.DLL
2014-11-06 20:21 . 2010-05-23 08:37    1888256    ----a-w-    c:\windows\system32\WMVDECOD.DLL
2014-11-06 20:21 . 2010-05-23 08:35    4068864    ----a-w-    c:\windows\system32\mf.dll
2014-11-06 20:21 . 2010-05-23 10:11    3181568    ----a-w-    c:\windows\SysWow64\mf.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-14 22:50 . 2013-03-08 17:39    71344    ----a-w-    c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-14 22:50 . 2013-03-08 17:39    701104    ----a-w-    c:\windows\SysWow64\FlashPlayerApp.exe
2014-11-14 17:01 . 2013-05-07 21:21    103374192    ----a-w-    c:\windows\system32\MRT.exe
2014-10-30 11:25 . 2011-10-22 20:34    275080    ------w-    c:\windows\system32\MpSigStub.exe
2014-09-21 11:11 . 2012-02-10 21:03    1188440    ----a-w-    c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2014-09-15 17:06 . 2014-09-15 17:06    9318    ----a-w-    c:\users\Joanne\AppData\Local\Setup.exe
2014-09-15 00:44 . 2014-10-15 16:43    3195392    ----a-w-    c:\windows\system32\win32k.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1475072]
"Elbserver"="c:\program files (x86)\Sony\Media Gallery\ElbServer.exe" [2010-06-22 81264]
"VRLPHelper"="c:\program files (x86)\Sony\Media Gallery\VRLPHelper.exe" [2010-06-22 183152]
"GoogleDriveSync"="c:\program files (x86)\Google\Drive\googledrivesync.exe" [2014-04-25 22415552]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2014-10-30 6501656]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2010-05-31 673136]
"PMBVolumeWatcher"="c:\program files (x86)\Sony\PMB\PMBVolumeWatcher.exe" [2010-06-01 600928]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"SHTtray.exe"="c:\program files (x86)\Common Files\Sony Shared\SOHLib\SHTtray.exe" [2010-06-20 99696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-12-21 959904]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-07-08 152392]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-11-14 5225064]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-09-26 271744]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-6-8 1128224]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R2 SOHCImp;VAIO Media plus Content Importer;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHCImp.exe [x]
R2 VCFw;VAIO Content Folder Watcher;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe;c:\program files (x86)\Common Files\Sony Shared\VAIO Content Folder Watcher\VCFw.exe [x]
R2 VcmINSMgr;VAIO Content Metadata Intelligent Network Service Manager;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe;c:\program files\Sony\VCM Intelligent Network Service Manager\VcmINSMgr.exe [x]
R3 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [x]
R3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\DRIVERS\ew_hwusbdev.sys;c:\windows\SYSNATIVE\DRIVERS\ew_hwusbdev.sys [x]
R3 huawei_cdcacm;huawei_cdcacm;c:\windows\system32\DRIVERS\ew_jucdcacm.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jucdcacm.sys [x]
R3 huawei_cdcecm;huawei_cdcecm;c:\windows\system32\DRIVERS\ew_jucdcecm.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jucdcecm.sys [x]
R3 huawei_enumerator;huawei_enumerator;c:\windows\system32\DRIVERS\ew_jubusenum.sys;c:\windows\SYSNATIVE\DRIVERS\ew_jubusenum.sys [x]
R3 huawei_ext_ctrl;huawei_ext_ctrl;c:\windows\system32\DRIVERS\ew_juextctrl.sys;c:\windows\SYSNATIVE\DRIVERS\ew_juextctrl.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper64.exe [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WsAudio_Device;WsAudio_Device;c:\windows\system32\drivers\VirtualAudio.sys;c:\windows\SYSNATIVE\drivers\VirtualAudio.sys [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
S2 EPSON_EB_RPCV4_04;EPSON V5 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50STB.EXE [x]
S2 EPSON_PM_RPCV4_04;EPSON V3 Service4(04);c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE;c:\program files\Common Files\EPSON\EPW!3 SSRP\E_S50RPB.EXE [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe;c:\program files (x86)\Sony\PMB\PMBDeviceInfoProvider.exe [x]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimssne64.sys;c:\windows\SYSNATIVE\drivers\rimssne64.sys [x]
S2 risdsnpe;risdsnpe;c:\windows\system32\drivers\risdsne64.sys;c:\windows\SYSNATIVE\drivers\risdsne64.sys [x]
S2 SampleCollector;VAIO Care Performance Service;c:\program files\Sony\VAIO Care\VCPerfService.exe;c:\program files\Sony\VAIO Care\VCPerfService.exe [x]
S2 SOHDms;VAIO Media plus Digital Media Server;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDms.exe [x]
S2 SOHDs;VAIO Media plus Device Searcher;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe;c:\program files (x86)\Common Files\Sony Shared\SOHLib\SOHDs.exe [x]
S2 uCamMonitor;CamMonitor;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe;c:\program files (x86)\ArcSoft\Magic-i Visual Effects 2\uCamMonitor.exe [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S2 VAIO Power Management;VAIO Power Management;c:\program files\Sony\VAIO Power Management\SPMService.exe;c:\program files\Sony\VAIO Power Management\SPMService.exe [x]
S2 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [x]
S2 VSNService;VSNService;c:\program files\Sony\VAIO Smart Network\VSNService.exe;c:\program files\Sony\VAIO Smart Network\VSNService.exe [x]
S3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\system32\DRIVERS\ArcSoftKsUFilter.sys;c:\windows\SYSNATIVE\DRIVERS\ArcSoftKsUFilter.sys [x]
S3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys;c:\windows\SYSNATIVE\drivers\btwampfl.sys [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys;c:\windows\SYSNATIVE\drivers\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys;c:\windows\SYSNATIVE\drivers\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys;c:\windows\SYSNATIVE\drivers\SFEP.sys [x]
S3 SpfService;VAIO Entertainment Common Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe;c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\SPF\SpfService64.exe [x]
S3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe;c:\program files\Sony\VAIO Update 5\VUAgent.exe [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-18 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-03-08 22:50]
.
2014-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-18 13:25]
.
2014-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-12-18 13:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-11-14 21:24    860984    ----a-w-    c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2014-04-25 09:03    777032    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedEditOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2014-04-25 09:03    777032    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedViewOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2014-04-25 09:03    777032    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2014-04-25 09:03    777032    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2014-04-25 09:03    777032    ----a-w-    c:\program files (x86)\Google\Drive\googledrivesync64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-06-24 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-06-24 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-06-24 413208]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-05-31 10775584]
"RtHDVBg"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2010-05-31 2040352]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2014-08-22 1331288]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = www.google.com
mStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <-loopback>
uSearchAssistant = www.google.com
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\9w274o2k.default\
FF - prefs.js: browser.search.selectedEngine - Web Search
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
Wow6432Node-HKLM-Run-BrowserPlugInHelper - c:\program files (x86)\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe
Toolbar-10 - (no file)
HKLM-Run-Apoint - c:\program files (x86)\Apoint\Apoint.exe
AddRemove-{10A0E600-D246-BD63-F465-4C849C688998} - c:\programdata\SaverAddon\BHs40yz1db6bmf.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\VCPerfService.exe\" \"/service\" \"/sstates\" \"/sampleinterval=2000\" \"/procinterval=5\" \"/dllinterval=120\" \"/counter=\Processor(_Total)\% Processor Time:1/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:1\" \"/counter=\Network Interface(*)\Bytes Total/sec:1\" \"/expandcounter=\Processor Information(*)\Processor Frequency:1\" \"/expandcounter=\Processor(*)\% Idle Time:1\" \"/expandcounter=\Processor(*)\% C1 Time:1\" \"/expandcounter=\Processor(*)\% C2 Time:1\" \"/expandcounter=\Processor(*)\% C3 Time:1\" \"/expandcounter=\Processor(*)\% Processor Time:1\" \"/directory=inteldata\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_15_0_0_223_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.15"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_15_0_0_223.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Sony\VAIO Event Service\VESMgr.exe
c:\windows\SysWOW64\DllHost.exe
c:\program files (x86)\Sony\VAIO Event Service\VESMgrSub.exe
c:\program files\Sony\VAIO Care\VCSpt.exe
c:\windows\SysWOW64\RunDll32.exe
c:\program files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
c:\program files\Sony\VAIO Care\listener.exe
c:\program files\Sony\VAIO Personalization Manager\VpmIfPav.exe
.
**************************************************************************
.
Completion time: 2014-11-19  00:18:08 - machine was rebooted
ComboFix-quarantined-files.txt  2014-11-19 00:18
.
Pre-Run: 179,864,788,992 bytes free
Post-Run: 179,399,643,136 bytes free
.
- - End Of File - - 79B25D1368FBD9A0423DEB4536B197F7

 

...and the AdwCleaner log attached.
 

AdwCleanerS0.txt


  • Staff

Very good, that removed a lot of junk.

 

The log is showing remnants of avast on the PC as well

AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}

AV: Microsoft Security Essentials *Disabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}

use their removal tool to get rid of the leftovers:

  • Download aswClear.exe on to your desktop
  • Open (execute) it
  • If you installed avast! in a different folder than the default, browse for it. (Note: Be careful! The content of any folder you choose will be deleted!)
  • Click REMOVE
  • Restart your computer
Usually, to disable MSE, you would open the program > click on Settings > go to Real-time protection > uncheck the box beside "Turn on real-time protection (recommended)", and that should disable it enough for the tools to run.

NEXT

Please run a free online scan with the ESET Online Scanner

US Link: http://www.eset.com/us/online-scanner/

EU Link: http://www.eset.eu/online-scanner/

Windows Vista/Windows 7/Windows 8 users will need to right-click on their Internet Explorer shortcut and select Run as Administrator

• Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.

• Turn off the real time scanner of any existing antivirus program while performing the online scan.

• Click the blue Run ESET Online Scanner button

• Tick the box next to YES, I accept the Terms of Use.

• Click Start

• When asked, allow the program to install the "OnlineScanner.cab" ActiveX control by clicking the Install button

• Once the ActiveX control is installed, on the next screen click on Enable detection of potentially unwanted applications

• Click on Advanced Settings

• Make sure that the option Remove found threats is unticked.

• Ensure these options are ticked

○ Scan archives

○ Scan for potentially unsafe applications

○ Enable Anti-Stealth technology

• Click Start

• Wait for the scan to finish

• When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."

• Save that text file on your desktop. Attach the log to your next reply.

• Close the ESET online scan, and let me know how things are now.

Please let me know how the machine is running now and if there are any outstanding issues.


Cat, she did install Avast and this is now her front-line AV - is it necessary to completely uninstall it?

 

I will be buying a full MB licence towards the end of the year when my F-Secure runs out, so I will be including her in that as part of my 3-licence setup. I was going to advise her to keep the MSE disabled and use Avast in the meantime, unless you think that isn't a good idea.


Sorry for the delay - the forum wouldn't let me sign in tonight after the maintenance period. Had to reset my password.

 

Right, Eset logs:

 

C:\AdwCleaner\Quarantine\C\Users\Joanne\AppData\Local\Babylon\Setup\BExternal.dll.vir    a variant of Win32/Toolbar.Babylon.F potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Joanne\AppData\Local\Babylon\Setup\IECookieLow.dll.vir    a variant of Win32/Toolbar.Babylon.E potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Joanne\AppData\Local\Babylon\Setup\Setup.exe.vir    a variant of Win32/Toolbar.Babylon.E potentially unwanted application
C:\Program Files (x86)\Adlsoft Uncompressor\Uninstall\Uninstall.exe    a variant of Win32/InstallCore.F potentially unwanted application
C:\Qoobox\Quarantine\C\Users\Joanne\AppData\Local\Google\Chrome\User Data\Default\Extensions\glicbealjcpdfcnkjeeememcglfoafbo\195\content.js.vir    JS/Chromex.Agent.L trojan
C:\Users\Joanne\Documents\Juice Plus\Zen Office\adobe_flash_setup.exe    a variant of Win32/InstallCore.PL potentially unwanted application
C:\Users\Joanne\Downloads\FreeFlash.exe    Win32/Tivmonk.B trojan
 

There seems to be a bit more work to do yet.

 

That Win32/Tivmonk.B trojan is a bit worrying.


  • Staff

This is the only one that needs deleting:

C:\Users\Joanne\Downloads\FreeFlash.exe

Where did that come from?

The other detections are already in quarantine or just installation files bundled with adware.

Please run a fresh scan with Malwarebytes, remove anything detected, reboot, then attach the new log.

Please advise how the computer is running now and if there are any outstanding issues.


The latest MB scan:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 21/11/2014
Scan Time: 16:15:08
Logfile: mb_21-11-14.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.18.05
Rootkit Database: v2014.11.12.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x64
File System: NTFS
User: Joanne

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 438874
Time Elapsed: 26 min, 43 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
PUP.Optional.Snapdo.T, HKU\S-1-5-21-2976095537-2280378114-1351645280-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES|DefaultScope, {006ee092-9658-4fd6-bd8e-a21a348e59f5}, Quarantined, [9e4bc2788def5adc9104a5a7937027d9]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


Ok, that's removed.

 

The machine seems to be running ok now with no pop-ups or redirect issues and is much quicker.

 

Boot is a little slow - I think that may be down to Sony Vaio functions that have no internet access (I've had the network adaptor disabled while we get this sorted out - I've been conducting the whole of this dialogue from one of my machines) - or even missing Sony files. There are numerous image files and directories that have been deleted (before we started any of this stuff) and I seem to remember that is a very likely consequence of one of these infections.


  • Staff

Try this:

 

Please download Windows Repair (all in one) from http://www.tweaking.com/files/setups/tweaking.com_windows_repair_aio_setup.exe

Install the program then run the following steps:

Go to step 2 and allow it to run the Disk check (this will check for any bad sectors)

Once that is done then go to step 3 and allow it to run the SFC (system file checker)

On the Start Repairs tab => Click the Start Button

Click the "select all" check box and then click on Start

Please DON'T use the computer while each scan is in progress.

A restart may be needed to finish the repair procedure.

 

Let me know how it goes


Ran all that and it did a few repairs but nothing that seemed to be significant.

 

The machine is now running ok - my daughter thinks it is probably as fast as it ever was, so as long as you are happy that we have cleared out all the bad stuff, I will be well pleased.

 

Looking at the list of installed programs on this machine, there is an unbelievable amount of Sony stuff there, all running in the background and hogging resources of one sort or another - the downside of buying PCs with installed OSs, I suppose.

 

Are we all done now?


  • Staff

Yes. We just have some housekeeping to do now.

Please do the following:

You can delete the FRST and Windows Repair logs and program from your desktop.

NEXT

Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Press the WinKey +R to open a run box
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.
Combofix_uninstall_image.jpg

NEXT

If there are any logs/tools remaining on your desktop > right click and delete them.

NEXT

Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:

    Strong passwords: How to create and use them. Then consider a password keeper to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:

    http://windowsupdate.microsoft.com/

    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next click OK, then the Apply button, and then OK to exit the Internet Properties page.
  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run.
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished, it should automatically reboot your machine.
    • If it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for Chrome, Firefox and IE
  • AdblockPlus
    • AdblockPlus: surf the web without annoying ads!
    • Blocks banners, pop-ups and video ads - even on Facebook and YouTube
    • Protects your online privacy
    • Two-click installation. It's free!
    • Click the icon that corresponds to your browser and download.
  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.
  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

    PC Safety and Security--What Do I Need?

  • Simple and easy ways to keep your computer safe and secure on the Internet
Thank you for your patience, and for performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank you.
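The three Internet-zone ActiveX settings from the "Make Internet Explorer more secure" steps above can also be audited from PowerShell instead of clicking through Inetcpl.cpl. This is an added example, not part of the staff's instructions or any tool named in the thread; it assumes PowerShell 3 or later, that the Internet zone is zone 3 under HKCU, and that IE stores these settings under the URL action IDs 1001, 1004 and 1201 with 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example (not from the thread): audit, and optionally apply, the
# Internet-zone ActiveX settings the post recommends, by reading the registry
# values that the Internet Options dialog writes for the current user.
# Assumptions: zone 3 = Internet zone; value names 1001/1004/1201 are IE's
# URL action IDs; data 0 = Enable, 1 = Prompt, 3 = Disable.
# A machine-wide policy under HKLM (Security_HKLM_only) would override HKCU.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# What the post asks for: both downloads -> Prompt, scripting unsafe controls -> Disable.
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                 Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';               Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX not marked as safe';  Want = 3 }
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActionLabel([object]$Value) {
    # A missing value means the zone template's default applies, which this
    # script does not try to guess.
    if ($null -eq $Value)                 { return 'not set (zone default applies)' }
    if ($Labels.ContainsKey([int]$Value)) { return $Labels[[int]$Value] }
    return "unknown ($Value)"
}

function Test-IEActiveXHardening {
    <#
    .SYNOPSIS  Report each recommended setting and whether it is already set.
    .PARAMETER Fix  Write the recommended DWORD value where it differs.
    #>
    param([switch]$Fix)

    if (-not (Test-Path $ZonePath)) {
        Write-Warning "Internet zone key not found: $ZonePath"
        return
    }
    $zone = Get-ItemProperty -Path $ZonePath

    foreach ($id in ($Recommended.Keys | Sort-Object)) {
        $spec    = $Recommended[$id]
        $current = $zone.$id
        # Only an explicit value equal to the recommendation counts as compliant.
        $ok = ($null -ne $current) -and ([int]$current -eq $spec.Want)

        if ($Fix -and -not $ok) {
            Set-ItemProperty -Path $ZonePath -Name $id -Value $spec.Want -Type DWord
            $current = $spec.Want
            $ok = $true
        }

        [pscustomobject]@{
            Id          = $id
            Setting     = $spec.Name
            Current     = Get-ActionLabel $current
            Recommended = $Labels[$spec.Want]
            Compliant   = $ok
        }
    }
}

# Audit only; run "Test-IEActiveXHardening -Fix" to apply the values for this user.
Test-IEActiveXHardening | Format-Table -AutoSize
```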

