Audio Advertisements Playing in the Background


  • This topic is locked
7 replies to this topic

#1 IwasInverted

IwasInverted

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:36 AM

Posted 14 January 2014 - 03:19 PM

Hello Community:

I have already browsed through some of the other threads pertaining to this and have had little success. I am still receiving the Audio Ads in the background even prior to me logging in. Please advise and thank you for your time and effort.

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16470  BrowserJavaVersion: 10.45.2
Run by Maxwell at 12:13:52 on 2014-01-14
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3701.2103 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSr64.EXE
C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\PDF Complete\pdfsvc.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\ProgramData\TVersity\Media Server\MediaServer.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Hewlett-Packard\HP My Display\OSDManager.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\System32\EhStorAuthn.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxps://www.google.com/
uURLSearchHooks: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - <orphaned>
BHO: PE_IE_Helper Class: {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files (x86)\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} -
uRun: [drety] "C:\Windows\System32\rundll32.exe" "C:\Users\Maxwell\AppData\Roaming\drety.dll",free_data
uRun: [utprxl] "C:\Windows\System32\rundll32.exe" "C:\Users\Maxwell\AppData\Roaming\utprxl.dll",Node_AddChild
uRun: [Adobe CSS5.1 Manager] C:\Users\Maxwell\AppData\Local\65d67646-0877-49f5-9194-7e7f0a03a822ad\dfefaaad.exe
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [DT HPO] C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe -HPO
mRun: [PDF Complete] C:\Program Files (x86)\PDF Complete\pdfsty.exe
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\ACTIVC~1.LNK - C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{F9E9CA83-E1AA-4A8C-BBB0-54125106EA70} : DHCPNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s
x64-Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
x64-Run: [acevents] "C:\Program Files\ActivIdentity\ActivClient\acevents.exe"
x64-Run: [accrdsub] "C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe"
x64-IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
x64-IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\System32\drivers\amd_sata.sys [2011-10-17 78976]
R0 amd_xata;amd_xata;C:\Windows\System32\drivers\amd_xata.sys [2011-10-17 38528]
R2 ac.sharedstore;ActivIdentity Shared Store Service;C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [2009-6-3 277032]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2011-10-17 98208]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2011-10-17 204288]
R2 HPClientSvc;HP Client Services;C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe [2010-10-11 346168]
R2 IconMan_R;IconMan_R;C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [2011-10-17 2375168]
R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-4-2 418376]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2013-4-2 701512]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 pdfcDispatcher;PDF Document Manager;C:\Program Files (x86)\PDF Complete\pdfsvc.exe [2011-10-17 1128952]
R2 PdiService;Portrait Displays SDK Service;C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe [2011-10-17 109168]
R2 RoxioNow Service;RoxioNow Service;C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe [2010-11-26 399344]
R3 clwvd;CyberLink WebCam Virtual Driver;C:\Windows\System32\drivers\clwvd.sys [2011-3-23 31088]
R3 EMVSCARD;EMVSCARD;C:\Windows\System32\drivers\EMVSCARD.sys [2006-12-13 28544]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2013-4-2 25928]
R3 RSPCIESTOR;Realtek PCIE CardReader Driver;C:\Windows\System32\drivers\RtsPStor.sys [2011-10-17 338536]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-10-17 471144]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\System32\drivers\usbfilter.sys [2011-10-17 47232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-3-1 183560]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\System32\drivers\netr28x.sys [2011-10-17 1360960]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2010-11-20 59392]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2010-11-20 31232]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-10-5 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S4 wlcrasvc;Windows Live Mesh remote connections service;C:\Program Files\Windows Live\Mesh\wlcrasvc.exe [2010-9-22 57184]
SUnknown wecmcgcp;wecmcgcp; [x]
.
=============== Created Last 30 ================
.
2014-01-14 15:56:43 75888 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{75AD458C-7955-495F-B9EB-36F47A0992E2}\offreg.dll
2014-01-14 12:31:10 10315576 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{75AD458C-7955-495F-B9EB-36F47A0992E2}\mpengine.dll
2014-01-09 11:54:12 -------- d-----w- C:\Windows\System32\MRT
2014-01-09 01:13:29 -------- d-----w- C:\ProgramData\Oracle
2014-01-09 01:12:46 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-01-09 00:29:53 -------- d-sh--w- C:\$RECYCLE.BIN
2014-01-09 00:27:46 256000 ----a-w- C:\Windows\PEV.exe
2014-01-09 00:27:46 208896 ----a-w- C:\Windows\MBR.exe
2014-01-09 00:27:45 98816 ----a-w- C:\Windows\sed.exe
2014-01-09 00:27:36 -------- d-s---w- C:\ComboFix
2014-01-08 23:47:27 -------- d-----w- C:\Windows\ERUNT
2014-01-08 23:38:27 -------- d-----w- C:\AdwCleaner
2014-01-07 18:19:05 -------- d-----w- C:\Users\Maxwell\AppData\Roaming\DisplayTune
.
==================== Find3M  ====================
.
2013-11-26 20:25:52 267936 ------w- C:\Windows\System32\MpSigStub.exe
.
============= FINISH: 12:15:22.35 ===============
#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:36 PM

Posted 16 January 2014 - 08:10 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Also

  • Please re-run FRST and type the following in the edit box after Search: rpcss.dll
  • Click the Search button.
  • It will make a log (Search.txt) - please post the log in your reply to me (you can use pastebin as well).

 

 

Regards,

Georgi




#3 IwasInverted

IwasInverted
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:36 AM

Posted 16 January 2014 - 11:20 AM

Attached File: Addition.txt (35.61KB, 1 downloads)

Georgi:

Thank you for the help. As requested, below:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-01-2014 03
Ran by Maxwell (administrator) on MAXWELL-HP on 16-01-2014 08:10:31
Running from C:\Users\Maxwell\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(ActivIdentity) C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
(ActivIdentity) C:\Program Files\ActivIdentity\ActivClient\acevents.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DTSRVC.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Portrait Displays, Inc.) C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
(Roxio) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
() C:\ProgramData\TVersity\Media Server\MediaServer.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(ActivIdentity) C:\Program Files\ActivIdentity\ActivClient\acevents.exe
(ActivIdentity) C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
(ActivIdentity) C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Portrait Displays, Inc) C:\Program Files (x86)\Hewlett-Packard\HP My Display\OSDManager.exe
(ActivIdentity) C:\Program Files\ActivIdentity\ActivClient\acevents.exe
(CyberLink) C:\Program Files (x86)\Cyberlink\YouCam\YCMMirage.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [RTHDVCPL] - C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7220328 2011-06-07] (Realtek Semiconductor)
HKLM\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [acevents] - C:\Program Files\ActivIdentity\ActivClient\acevents.exe [196648 2009-06-03] (ActivIdentity)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [accrdsub] - C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe [483880 2009-06-03] (ActivIdentity)
HKLM-x32\...\Run: [StartCCC] - c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-07-04] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Norton Online Backup] - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe [1155928 2010-06-01] (Symantec Corporation)
HKLM-x32\...\Run: [DT HPO] - C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe [121456 2011-05-26] (Portrait Displays, Inc.)
HKLM-x32\...\Run: [PDF Complete] - C:\Program Files (x86)\PDF Complete\pdfsty.exe [658424 2011-05-05] (PDF Complete Inc)
HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKCU\...\Run: [drety] - "C:\Windows\System32\rundll32.exe" "C:\Users\Maxwell\AppData\Roaming\drety.dll",free_data <===== ATTENTION
HKCU\...\Run: [utprxl] - "C:\Windows\System32\rundll32.exe" "C:\Users\Maxwell\AppData\Roaming\utprxl.dll",Node_AddChild <===== ATTENTION
HKCU\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Maxwell\AppData\Local\65d67646-0877-49f5-9194-7e7f0a03a822ad\dfefaaad.exe [0 2013-06-05] () <===== ATTENTION
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32]  <==== ATTENTION!
MountPoints2: {0dcfff8a-9a07-11e1-9b04-047d7b0e6ac2} - "H:\WD SmartWare.exe" autoplay=true

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPDSK/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPDSK/1
URLSearchHook: HKCU - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - {9AF6477F-1773-4775-9C91-45496A06A742} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: PE_IE_Helper Class - {0941C58F-E461-4E03-BD7D-44C27392ADE1} - C:\Program Files (x86)\IBM\Lotus Forms\Viewer\3.5\PEhelper.dll (IBM Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\a8lamvjc.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_5_502_146.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_5_502_146.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.45.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @videolan.org/vlc,version=2.0.1 - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 - C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll ()
FF Extension: SQLlite Addon - C:\Users\Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\a8lamvjc.default\Extensions\giizvikfwd@giizvikfwd.org.xpi [1658-12-23]
FF Extension: Addons Engine - C:\Users\Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\a8lamvjc.default\Extensions\{89e48054-c7b4-11e2-8275-b8ac6f996f26}.xpi [2013-05-28]
FF Extension: Java Console - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-10-30]

Chrome:
=======
CHR Extension: (Google Docs) - C:\Users\Maxwell\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0 [2013-10-10]
CHR Extension: (Google Drive) - C:\Users\Maxwell\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0 [2013-10-10]
CHR Extension: (YouTube) - C:\Users\Maxwell\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0 [2013-10-10]
CHR Extension: (Google Search) - C:\Users\Maxwell\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0 [2013-10-10]
CHR Extension: (Google Wallet) - C:\Users\Maxwell\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0 [2013-10-31]
CHR Extension: (Gmail) - C:\Users\Maxwell\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_2 [2013-10-10]
CHR HKLM-x32\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\Maxwell\AppData\Local\Temp\ccex.crx [2013-10-10]
CHR HKLM-x32\...\Chrome\Extension: [jhlpjkggdghflmmfobcclppjdmpepnmh] - C:\Users\Maxwell\AppData\Roaming\OpenCandy\A8BD5F7C89DA4247B5358D92815EDAD2\chrome.crx [2013-10-10]

==================== Services (Whitelisted) =================

R2 ac.sharedstore; C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe [277032 2009-06-03] (ActivIdentity)
R2 DTSRVC; C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe [129648 2011-05-26] (Portrait Displays, Inc.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1128952 2011-05-05] (PDF Complete Inc)
R2 TVersityMediaServer; C:\ProgramData\TVersity\Media Server\MediaServer.exe [1249064 2011-07-29] ()

==================== Drivers (Whitelisted) ====================

R3 EMVSCARD; C:\Windows\System32\Drivers\EMVSCARD.sys [28544 2006-12-13] (USB Smart Card Reader)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-01-16 08:10 - 2014-01-16 08:12 - 00014166 _____ C:\Users\Maxwell\Desktop\FRST.txt
2014-01-16 08:10 - 2014-01-16 08:10 - 00000000 ____D C:\FRST
2014-01-16 08:09 - 2014-01-16 08:09 - 02076160 _____ (Farbar) C:\Users\Maxwell\Desktop\FRST64.exe
2014-01-12 12:42 - 2014-01-13 03:54 - 00011888 _____ C:\Windows\PFRO.log
2014-01-09 05:24 - 2014-01-15 03:02 - 00039236 _____ C:\Windows\IE11_main.log
2014-01-09 05:23 - 2014-01-15 03:02 - 00036669 _____ C:\Windows\IE10_main.log
2014-01-09 03:54 - 2014-01-16 03:10 - 00000000 ____D C:\Windows\system32\MRT
2014-01-08 17:13 - 2014-01-08 17:13 - 00000000 ____D C:\ProgramData\Oracle
2014-01-08 17:13 - 2014-01-08 17:12 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-01-08 17:12 - 2014-01-08 17:12 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-01-08 17:12 - 2014-01-08 17:12 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-01-08 17:12 - 2014-01-08 17:12 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-01-08 17:12 - 2014-01-08 17:12 - 00000000 ____D C:\Program Files (x86)\Java
2014-01-08 16:37 - 2014-01-16 03:03 - 86054176 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-01-08 16:33 - 2014-01-16 08:05 - 01879173 _____ C:\Windows\WindowsUpdate.log
2014-01-08 16:27 - 2014-01-08 16:28 - 00000000 ___SD C:\ComboFix
2014-01-08 16:27 - 2011-06-25 22:45 - 00256000 _____ C:\Windows\PEV.exe
2014-01-08 16:27 - 2010-11-07 09:20 - 00208896 _____ C:\Windows\MBR.exe
2014-01-08 16:27 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-01-08 16:27 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-01-08 16:27 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-01-08 16:27 - 2000-08-30 16:00 - 00098816 _____ C:\Windows\sed.exe
2014-01-08 16:27 - 2000-08-30 16:00 - 00080412 _____ C:\Windows\grep.exe
2014-01-08 16:27 - 2000-08-30 16:00 - 00068096 _____ C:\Windows\zip.exe
2014-01-08 16:26 - 2014-01-08 16:26 - 00000000 ____D C:\Windows\erdnt
2014-01-08 16:26 - 2014-01-08 16:26 - 00000000 ____D C:\Qoobox
2014-01-08 15:47 - 2014-01-08 15:47 - 00000000 ____D C:\Windows\ERUNT
2014-01-08 15:38 - 2014-01-14 08:28 - 00000000 ____D C:\AdwCleaner
2014-01-07 17:54 - 2014-01-15 12:10 - 00005024 _____ C:\Windows\setupact.log
2014-01-07 17:54 - 2014-01-07 17:54 - 00000000 _____ C:\Windows\setuperr.log
2014-01-07 10:19 - 2014-01-07 10:19 - 00000000 ____D C:\Users\Maxwell\AppData\Roaming\DisplayTune
2014-01-02 22:22 - 2014-01-02 22:22 - 00037376 _____ C:\Windows\system32\oqpuuv.mnv
2014-01-02 22:12 - 2014-01-16 04:12 - 00000086 _____ C:\Windows\system32\itlur.nuz
2014-01-02 22:12 - 2014-01-02 22:22 - 00000099 _____ C:\Windows\system32\mzxxwli.yjp
2014-01-02 22:12 - 2014-01-02 22:12 - 00000064 _____ C:\Windows\system32\hfom.qty
2013-12-19 17:14 - 2013-12-19 17:14 - 00219314 ____S C:\Windows\system32\ywkqrj.msc

==================== One Month Modified Files and Folders =======

2014-01-16 08:12 - 2014-01-16 08:10 - 00014166 _____ C:\Users\Maxwell\Desktop\FRST.txt
2014-01-16 08:10 - 2014-01-16 08:10 - 00000000 ____D C:\FRST
2014-01-16 08:09 - 2014-01-16 08:09 - 02076160 _____ (Farbar) C:\Users\Maxwell\Desktop\FRST64.exe
2014-01-16 08:05 - 2014-01-08 16:33 - 01879173 _____ C:\Windows\WindowsUpdate.log
2014-01-16 08:05 - 2013-05-29 12:14 - 00000324 ____H C:\Windows\Tasks\{046A2817-30AB-4CFE-8798-47EFC8FBD961}.job
2014-01-16 08:05 - 2013-04-01 17:58 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-01-16 04:12 - 2014-01-02 22:12 - 00000086 _____ C:\Windows\system32\itlur.nuz
2014-01-16 03:10 - 2014-01-09 03:54 - 00000000 ____D C:\Windows\system32\MRT
2014-01-16 03:03 - 2014-01-08 16:37 - 86054176 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-01-16 03:00 - 2012-04-29 09:28 - 00090543 _____ C:\Windows\SysWOW64\TVersityMediaServer.log
2014-01-15 18:32 - 2009-07-13 20:45 - 00024608 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-01-15 18:32 - 2009-07-13 20:45 - 00024608 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-01-15 12:11 - 2011-10-17 20:41 - 00000000 ____D C:\ProgramData\PDFC
2014-01-15 12:10 - 2014-01-07 17:54 - 00005024 _____ C:\Windows\setupact.log
2014-01-15 12:10 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2014-01-15 03:02 - 2014-01-09 05:24 - 00039236 _____ C:\Windows\IE11_main.log
2014-01-15 03:02 - 2014-01-09 05:23 - 00036669 _____ C:\Windows\IE10_main.log
2014-01-14 22:10 - 2009-07-13 21:13 - 00778660 _____ C:\Windows\system32\PerfStringBackup.INI
2014-01-14 16:52 - 2013-01-13 10:46 - 00000000 ____D C:\Users\Maxwell\Desktop\Movies
2014-01-14 14:09 - 2011-12-30 05:35 - 00003942 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{6F817346-4FC7-4325-A4E9-BAD2A563E278}
2014-01-14 08:28 - 2014-01-08 15:38 - 00000000 ____D C:\AdwCleaner
2014-01-13 12:37 - 2011-12-31 09:30 - 00000000 ____D C:\Users\Maxwell\AppData\Roaming\uTorrent
2014-01-13 03:54 - 2014-01-12 12:42 - 00011888 _____ C:\Windows\PFRO.log
2014-01-13 03:20 - 2012-01-02 10:24 - 00000000 ____D C:\ProgramData\Microsoft Help
2014-01-12 12:42 - 2013-03-22 02:02 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2014-01-12 12:42 - 2013-03-22 02:02 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2014-01-10 12:46 - 2011-02-11 09:15 - 00772384 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2014-01-09 05:26 - 2011-12-30 08:29 - 00000000 ____D C:\Users\Maxwell
2014-01-08 17:13 - 2014-01-08 17:13 - 00000000 ____D C:\ProgramData\Oracle
2014-01-08 17:12 - 2014-01-08 17:13 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-01-08 17:12 - 2014-01-08 17:12 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-01-08 17:12 - 2014-01-08 17:12 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-01-08 17:12 - 2014-01-08 17:12 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-01-08 17:12 - 2014-01-08 17:12 - 00000000 ____D C:\Program Files (x86)\Java
2014-01-08 16:35 - 2013-10-03 07:34 - 00000000 ____D C:\Program Files (x86)\Google
2014-01-08 16:28 - 2014-01-08 16:27 - 00000000 ___SD C:\ComboFix
2014-01-08 16:28 - 2009-07-13 21:08 - 00032556 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2014-01-08 16:26 - 2014-01-08 16:26 - 00000000 ____D C:\Windows\erdnt
2014-01-08 16:26 - 2014-01-08 16:26 - 00000000 ____D C:\Qoobox
2014-01-08 15:47 - 2014-01-08 15:47 - 00000000 ____D C:\Windows\ERUNT
2014-01-08 15:25 - 2013-10-02 19:24 - 00003970 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{0F085042-D10D-43CA-86DE-2D2F7D73A474}
2014-01-07 17:54 - 2014-01-07 17:54 - 00000000 _____ C:\Windows\setuperr.log
2014-01-07 17:54 - 2013-04-26 13:42 - 00000000 ____D C:\Windows\Minidump
2014-01-07 17:54 - 2011-10-17 21:33 - 00336495 ____N C:\Windows\Minidump\010714-28064-01.dmp
2014-01-07 12:11 - 2012-05-01 02:43 - 00000000 ____D C:\Users\Maxwell\AppData\Local\CrashDumps
2014-01-07 10:19 - 2014-01-07 10:19 - 00000000 ____D C:\Users\Maxwell\AppData\Roaming\DisplayTune
2014-01-02 22:22 - 2014-01-02 22:22 - 00037376 _____ C:\Windows\system32\oqpuuv.mnv
2014-01-02 22:22 - 2014-01-02 22:12 - 00000099 _____ C:\Windows\system32\mzxxwli.yjp
2014-01-02 22:12 - 2014-01-02 22:12 - 00000064 _____ C:\Windows\system32\hfom.qty
2013-12-19 17:14 - 2013-12-19 17:14 - 00219314 ____S C:\Windows\system32\ywkqrj.msc
2013-12-19 17:14 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\system32\sysprep
ZeroAccess:
C:\Users\Maxwell\AppData\Local\Google\Desktop\Install

Files to move or delete:
====================
C:\Users\Maxwell\AppData\Local\65d67646-0877-49f5-9194-7e7f0a03a822ad\dfefaaad.exe
C:\Users\Maxwell\AppData\Roaming\skype.ini
C:\ProgramData\wina7.bat
C:\ProgramData\wina7.js
C:\ProgramData\wina7.pad
C:\ProgramData\wina7.reg
C:\Users\Maxwell\acrobatreader.exe
C:\Users\Maxwell\alg.exe
C:\Users\Maxwell\chrome.exe
C:\Users\Maxwell\flashplayer.exe
C:\Users\Maxwell\googleupdate.exe
C:\Users\Maxwell\icq.exe
C:\Users\Maxwell\jqs.exe
C:\Users\Maxwell\jucheck.exe
C:\Users\Maxwell\msconfig.exe
C:\Users\Maxwell\mstsc.exe
C:\Users\Maxwell\skype.exe
C:\Users\Maxwell\teamviewer.exe
C:\Users\Maxwell\vlcplayer.exe
C:\Windows\Tasks\{046A2817-30AB-4CFE-8798-47EFC8FBD961}.job

Some content of TEMP:
====================
C:\Users\Maxwell\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Maxwell\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0512512 ____A (Microsoft Corporation) BA9B84EDF9B679AC251CA47D47EB03CE

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-01-10 11:42

==================== End Of Log ============================



#4 IwasInverted
  • Topic Starter
  • Members
  • 4 posts
  • Local time:04:36 AM

Posted 16 January 2014 - 11:34 AM

Below is the 2nd request.  Thanks!

 

Farbar Recovery Scan Tool (x64) Version: 15-01-2014 03
Ran by Maxwell at 2014-01-16 08:21:36
Running from C:\Users\Maxwell\Desktop
Boot Mode: Normal

================== Search: "rpcss.dll" ===================

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\System32\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0512512 ____A (Microsoft Corporation) BA9B84EDF9B679AC251CA47D47EB03CE

====== End Of Search ======
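The comparison behind FRST's "rpcss.dll is patched" warning is the one the search above makes visible: the copy loaded from System32 is 512 bytes larger than, and hashes differently from, the servicing copy in the WinSxS component store. Below is an added example (not part of this thread, of FRST, or of any poster's code) that parses the FRST search format shown above and flags a live file whose hash matches none of the component-store copies of the same name; on a Windows host `check_live` does the same against real files. The function and class names (`parse_frst_search`, `find_patched`, `check_live`) are this example's own, and the embedded sample is copied from the posted log.

```python
"""Flag a live system DLL whose hash matches none of the copies in the
WinSxS component store, the check behind FRST's "rpcss.dll is patched"
warning.  Added example for this thread, not part of FRST or of any post.
It parses the FRST "Search:" output format (sample copied from the posted
log and embedded here) and, on a Windows host, can hash the real files.
All function and class names are this example's own.
"""
from __future__ import annotations

import glob
import hashlib
import os
import re
from dataclasses import dataclass

# Constructed sample: the two rpcss.dll hits from the FRST search posted above.
SAMPLE_SEARCH = """\
================== Search: "rpcss.dll" ===================

C:\\Windows\\winsxs\\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\\Windows\\System32\\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0512512 ____A (Microsoft Corporation) BA9B84EDF9B679AC251CA47D47EB03CE

====== End Of Search ======
"""


@dataclass
class FileHit:
    path: str
    size: int
    md5: str  # upper-case hex, as FRST prints it

    @property
    def name(self) -> str:
        return self.path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

    @property
    def in_sxs(self) -> bool:
        return "winsxs" in self.path.replace("/", "\\").lower().split("\\")


@dataclass
class Finding:
    live: FileHit              # the copy actually loaded from System32
    references: list[FileHit]  # component-store copies it should match

    @property
    def size_delta(self) -> int:
        return self.live.size - self.references[0].size


# FRST detail line: [created] - [modified] - size attrs (company) MD5
_DETAIL = re.compile(
    r"^\[[^\]]+\] - \[[^\]]+\] - (?P<size>\d+) \S+"
    r"(?: \([^)]*\))? (?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_frst_search(text: str) -> list[FileHit]:
    """Pair each path line with the detail line FRST prints under it."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    hits: list[FileHit] = []
    for i in range(len(lines) - 1):
        if re.match(r"^[A-Za-z]:\\", lines[i]):
            m = _DETAIL.match(lines[i + 1])
            if m:
                hits.append(FileHit(lines[i], int(m["size"]), m["md5"].upper()))
    return hits


def find_patched(hits: list[FileHit]) -> list[Finding]:
    """Report live files whose MD5 matches no WinSxS copy of the same name.

    Every servicing version Windows has installed leaves a copy in WinSxS,
    so a System32 file matching none of them was modified outside servicing.
    """
    by_name: dict[str, list[FileHit]] = {}
    for h in hits:
        by_name.setdefault(h.name, []).append(h)
    findings: list[Finding] = []
    for group in by_name.values():
        refs = [h for h in group if h.in_sxs]
        known = {h.md5 for h in refs}
        for h in group:
            if not h.in_sxs and refs and h.md5 not in known:
                findings.append(Finding(h, refs))
    return findings


def hash_file(path: str) -> str:
    """MD5 only because that is what FRST prints; this is matching, not crypto."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_live(name: str, windir: str = r"C:\Windows") -> list[Finding]:
    """Windows host only: hash System32\\<name> and every WinSxS\\*\\<name>."""
    paths = [os.path.join(windir, "System32", name)]
    paths += glob.glob(os.path.join(windir, "WinSxS", "*", name))
    hits = [FileHit(p, os.path.getsize(p), hash_file(p))
            for p in paths if os.path.isfile(p)]
    return find_patched(hits)


if __name__ == "__main__":
    for f in find_patched(parse_frst_search(SAMPLE_SEARCH)):
        print(f"PATCHED? {f.live.path}  md5={f.live.md5}  "
              f"size differs from WinSxS copy by {f.size_delta:+d} bytes")
```

Run against the sample it reports the System32 copy with a +512 byte delta, which is exactly what the thread's log shows. Treat a hit as triage, not proof: the authoritative check is the file's Authenticode signature (Sysinternals sigcheck or PowerShell's Get-AuthenticodeSignature), which a patched system binary fails. The reverse also holds: a System32 file that matches some WinSxS copy is at most as trustworthy as the component store itself.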



#5 B-boy/StyLe/
    Bleepin' Freestyler
  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:36 PM

Posted 17 January 2014 - 04:31 AM

Hi,
 
 
Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
 
 
Regards,
Georgi




#6 IwasInverted
  • Topic Starter
  • Members
  • 4 posts
  • Local time:04:36 AM

Posted 21 January 2014 - 07:30 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-01-2014
Ran by Maxwell at 2014-01-21 16:26:27 Run:1
Running from C:\Users\Maxwell\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM\...\Run: [] - [x]
HKLM-x32\...\Run: [] - [x]
HKCU\...\Run: [drety] - "C:\Windows\System32\rundll32.exe" "C:\Users\Maxwell\AppData\Roaming\drety.dll",free_data <===== ATTENTION
C:\Users\Maxwell\AppData\Roaming\drety.dll
HKCU\...\Run: [utprxl] - "C:\Windows\System32\rundll32.exe" "C:\Users\Maxwell\AppData\Roaming\utprxl.dll",Node_AddChild <===== ATTENTION
C:\Users\Maxwell\AppData\Roaming\utprxl.dll
HKCU\...\Run: [Adobe CSS5.1 Manager] - C:\Users\Maxwell\AppData\Local\65d67646-0877-49f5-9194-7e7f0a03a822ad\dfefaaad.exe [0 2013-06-05] () <===== ATTENTION
C:\Users\Maxwell\AppData\Local\65d67646-0877-49f5-9194-7e7f0a03a822ad
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...409d6c4515e9\InprocServer32: [Default-shell32]  <==== ATTENTION!
URLSearchHook: HKCU - (No Name) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - No File
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5-x64 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset
FF Extension: SQLlite Addon - C:\Users\Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\a8lamvjc.default\Extensions\giizvikfwd@giizvikfwd.org.xpi [1658-12-23]
FF Extension: Addons Engine - C:\Users\Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\a8lamvjc.default\Extensions\{89e48054-c7b4-11e2-8275-b8ac6f996f26}.xpi [2013-05-28]
CHR HKLM-x32\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\Maxwell\AppData\Local\Temp\ccex.crx [2013-10-10]
CHR HKLM-x32\...\Chrome\Extension: [jhlpjkggdghflmmfobcclppjdmpepnmh] - C:\Users\Maxwell\AppData\Roaming\OpenCandy\A8BD5F7C89DA4247B5358D92815EDAD2\chrome.crx [2013-10-10]
2014-01-02 22:22 - 2014-01-02 22:22 - 00037376 _____ C:\Windows\system32\oqpuuv.mnv
2014-01-02 22:12 - 2014-01-16 04:12 - 00000086 _____ C:\Windows\system32\itlur.nuz
2014-01-02 22:12 - 2014-01-02 22:22 - 00000099 _____ C:\Windows\system32\mzxxwli.yjp
2014-01-02 22:12 - 2014-01-02 22:12 - 00000064 _____ C:\Windows\system32\hfom.qty
2013-12-19 17:14 - 2013-12-19 17:14 - 00219314 ____S C:\Windows\system32\ywkqrj.msc
C:\Users\Maxwell\AppData\Local\Google\Desktop\Install
C:\Users\Maxwell\AppData\Roaming\skype.ini
C:\ProgramData\wina7.bat
C:\ProgramData\wina7.js
C:\ProgramData\wina7.pad
C:\ProgramData\wina7.reg
C:\Users\Maxwell\acrobatreader.exe
C:\Users\Maxwell\alg.exe
C:\Users\Maxwell\chrome.exe
C:\Users\Maxwell\flashplayer.exe
C:\Users\Maxwell\googleupdate.exe
C:\Users\Maxwell\icq.exe
C:\Users\Maxwell\jqs.exe
C:\Users\Maxwell\jucheck.exe
C:\Users\Maxwell\msconfig.exe
C:\Users\Maxwell\mstsc.exe
C:\Users\Maxwell\skype.exe
C:\Users\Maxwell\teamviewer.exe
C:\Users\Maxwell\vlcplayer.exe
C:\Windows\Tasks\{046A2817-30AB-4CFE-8798-47EFC8FBD961}.job
Replace: C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
C:\Users\Maxwell\AppData\Local\Temp
end
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\drety => Value deleted successfully.
"C:\Users\Maxwell\AppData\Roaming\drety.dll" => File/Directory not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\utprxl => Value deleted successfully.
"C:\Users\Maxwell\AppData\Roaming\utprxl.dll" => File/Directory not found.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe CSS5.1 Manager => Value deleted successfully.
C:\Users\Maxwell\AppData\Local\65d67646-0877-49f5-9194-7e7f0a03a822ad => Moved successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key deleted successfully. If the key returned, move the associated file, reboot and list the key for deletion.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} => Value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Winsock: Catalog5-x64 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5-x64 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll

=========  netsh winsock reset =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

C:\Users\Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\a8lamvjc.default\Extensions\giizvikfwd@giizvikfwd.org.xpi => Moved successfully.
C:\Users\Maxwell\AppData\Roaming\Mozilla\Firefox\Profiles\a8lamvjc.default\Extensions\{89e48054-c7b4-11e2-8275-b8ac6f996f26}.xpi => Moved successfully.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj => Key deleted successfully.
"C:\Users\Maxwell\AppData\Local\Temp\ccex.crx" => File/Directory not found.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\jhlpjkggdghflmmfobcclppjdmpepnmh => Key deleted successfully.
"C:\Users\Maxwell\AppData\Roaming\OpenCandy\A8BD5F7C89DA4247B5358D92815EDAD2\chrome.crx" => File/Directory not found.
C:\Windows\system32\oqpuuv.mnv => Moved successfully.
C:\Windows\system32\itlur.nuz => Moved successfully.
Could not move "C:\Windows\system32\mzxxwli.yjp" => Scheduled to move on reboot.
C:\Windows\system32\hfom.qty => Moved successfully.
Could not move "C:\Windows\system32\ywkqrj.msc" => Scheduled to move on reboot.
C:\Users\Maxwell\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Users\Maxwell\AppData\Roaming\skype.ini => Moved successfully.
C:\ProgramData\wina7.bat => Moved successfully.
C:\ProgramData\wina7.js => Moved successfully.
C:\ProgramData\wina7.pad => Moved successfully.
C:\ProgramData\wina7.reg => Moved successfully.
C:\Users\Maxwell\acrobatreader.exe => Moved successfully.
C:\Users\Maxwell\alg.exe => Moved successfully.
C:\Users\Maxwell\chrome.exe => Moved successfully.
C:\Users\Maxwell\flashplayer.exe => Moved successfully.
C:\Users\Maxwell\googleupdate.exe => Moved successfully.
C:\Users\Maxwell\icq.exe => Moved successfully.
C:\Users\Maxwell\jqs.exe => Moved successfully.
C:\Users\Maxwell\jucheck.exe => Moved successfully.
C:\Users\Maxwell\msconfig.exe => Moved successfully.
C:\Users\Maxwell\mstsc.exe => Moved successfully.
C:\Users\Maxwell\skype.exe => Moved successfully.
C:\Users\Maxwell\teamviewer.exe => Moved successfully.
C:\Users\Maxwell\vlcplayer.exe => Moved successfully.
C:\Windows\Tasks\{046A2817-30AB-4CFE-8798-47EFC8FBD961}.job => Moved successfully.
C:\Windows\System32\rpcss.dll => Moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll

"C:\Users\Maxwell\AppData\Local\Temp" directory move:

C:\Users\Maxwell\AppData\Local\Temp\AdwCleaner.jpg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Attach.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\au-descriptor-1.7.0_45-b18.xml => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\au-descriptor-1.7.0_51-b13.xml => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\AUCHECK_PARSER.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\chrome_installer.log => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Cleaning.ico => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\CVR537.tmp.cvr => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\dat430C.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\datD5B.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\DDS.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\DMI1F14.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Donate.ico => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\fla3E31.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\flaFC51.tmp => Moved successfully.
Could not move "C:\Users\Maxwell\AppData\Local\Temp\FXSAPIDebugLogFile.txt" => Scheduled to move on reboot.
C:\Users\Maxwell\AppData\Local\Temp\JAUReg.log => Moved successfully.
Could not move "C:\Users\Maxwell\AppData\Local\Temp\JavaDeployReg.log" => Scheduled to move on reboot.
C:\Users\Maxwell\AppData\Local\Temp\java_install.log => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\java_install_reg.log => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\java_install_sp.log => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jinstall.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jusched.log => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\mssinstaller.exe => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Quarantine.exe => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\RDBB3.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\RDBCDD.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\RDD0EB.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Report.ico => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Scan.ico => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\StructuredQuery.log => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Uninstall.ico => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\users00 => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\utt61D4.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\utt61D4.tmp.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3251.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3252.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX32D0.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX32D1.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX32D2.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3331.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX339F.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX33A0.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX33A1.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX33A2.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX33B3.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX33B4.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX33B5.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3423.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3472.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3482.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3483.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX34D2.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX34D3.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3522.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3533.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3534.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3535.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3536.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3585.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3596.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3597.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3598.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3599.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX35F7.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX35F8.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX35F9.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX360A.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3659.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX365A.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX365B.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX365C.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX366C.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3709.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX370A.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX370B.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX370C.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX371D.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX371E.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX376D.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX377E.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX377F.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX37FC.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX37FD.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX37FE.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX37FF.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3810.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3821.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3822.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3823.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3872.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3882.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3883.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX38D2.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX38D3.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX38E4.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3933.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3934.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3992.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3993.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3994.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX39A5.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX39A6.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX39A7.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX39F6.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX39F7.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A56.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A57.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A58.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A59.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A5A.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A6A.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A6B.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A6C.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A6D.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A6E.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A7F.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A80.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A81.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A91.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A92.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A93.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A94.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3A95.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3AA6.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3AA7.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3AA8.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3AA9.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\VGX3ABA.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\WER9774.tmp.appcompat.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\WER9CD2.tmp.WERInternalMetadata.xml => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\wmplog00.sqm => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DF1CCA6E54729B6416.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DF5618C5086594F680.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DF570DF03C0DD43DEF.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DF587F5846902389D0.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DF88684BFCE5962433.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DF8C3AC47E7CBC2710.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DF8E8A8976C50A6CA8.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DF99F43A81ACC7C81A.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DFA8B86FD326CDC3BA.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DFB1C310E12675F05C.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DFC5468DCCE1136A43.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DFDE4CF9E7ED2C4832.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DFE6B7049691EA10DD.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\~DFFB11ECB3A37A486A.TMP => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Temporary Internet Files\Content.IE5\desktop.ini => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Temporary Internet Files\Content.IE5\YW8DZ8E9\desktop.ini => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Temporary Internet Files\Content.IE5\XF6KWRVF\desktop.ini => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Temporary Internet Files\Content.IE5\RKLCS96T\desktop.ini => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Temporary Internet Files\Content.IE5\HAF9K273\desktop.ini => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\TCD7F04.tmp\CleanGradient.thmx => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rdD8E0.tmp\main.lzx.swf => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rdD8E0.tmp\rdD8E1.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rdD8E0.tmp\rdD8E2.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rdD8E0.tmp\____mmfp.ocx => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rdD8E0.tmp\____swmx => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rdD8E0.tmp\____swmxs => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rd857D.tmp\main.lzx.swf => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rd857D.tmp\rd857E.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rd857D.tmp\rd85CD.tmp => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rd857D.tmp\____mmfp.ocx => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rd857D.tmp\____swmx => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\rd857D.tmp\____swmxs => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\APPID_clsid.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\APPID_files.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\appinit64_null.reg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\appinit_null.reg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\APPPATHS.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\APPROVEDEXTENSIONS_clsid.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\ask.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\askCLSID.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\askregkey_x64.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\askregkey_x86.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\askregvalue_x64.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\askregvalue_x86.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\askservices.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\badAPPINIT.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\badFOLDERS.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\badFOLDERScom.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\badFOLDERSstart.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\badLNK.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\badvalues.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\BHO_clsid.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\BHO_name.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\browsermngr_keys.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\browsermngr_values.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\CHOICE.DAT => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\chrome.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\CHRregkey_x64.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\CHRregkey_x86.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\CHR_extensions.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\CHR_open_x64.reg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\CHR_open_x86.reg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\clean_shortcut.vbs => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\CLSID_clsid.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\currentmd5.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\CUT.DAT => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\datamngr_del.reg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\defaultscope.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\delfolders.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\delorphans.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\ELEVATIONPOLICY_clsid.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\ev_clear.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\EXT.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FFbrowsermngr.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FFextensions.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FFpluginREG.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FFplugins.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FFprefs.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FFregkey_x64.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FFregkey_x86.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FFwhtlist.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FFXML.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FFXPI.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FF_open_x64.reg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FF_open_x86.reg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\firefox.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FWCLSID.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\FWPolicy.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\get.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\IEwhtlst.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\iexplore.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\IE_open_x64.reg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\IE_open_x86.reg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\IFEO.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\INTERFACE_clsid.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\JRT.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\medfos.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\MENUEXT.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\misc.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\modules.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\modules.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\moduleservices.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\newmd5.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\NIRCMD.DAT => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\NOTIFY.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\PREAPPROVED_clsid.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\prelim.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\PRODUCTS.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\REGhcr.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\REGhkcu_and_hklm_allow.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\REGhkcu_and_hklm_software.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\REGhkcu_software_appdatalow.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\REGhkcu_software_microsoft.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\REGhklm_software_classes.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\REGISTRYUSERSID.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\runvalues.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\runvalues_x64.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\runvalues_x86.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\S1518COMPONENTS.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\searchlnk.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\SED.DAT => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\sednewline.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\services.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\serviceseventlog.cfg => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\SETTINGS_clsid.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\SHORTCUT.DAT => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\STATS_clsid.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\TDL4.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\TRACING.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\TYPELIB_clsid.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\UNINSTALL.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\UpgradeCodes.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\WGET.DAT => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\WOW6432NODE.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\temp\BADmodules.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\temp\conduitfloat.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\temp\keys.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\temp\moduledump.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\temp\modulefilter1.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\temp\null.txt => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\erunt\ERDNT.E_E => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\erunt\ERDNTDOS.LOC => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\erunt\ERDNTWIN.LOC => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\erunt\ERUNT.EXE => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\erunt\ERUNT.EXE.manifest => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\erunt\ERUNT.LOC => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\jrt\erunt\README.TXT => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\History\History.IE5\desktop.ini => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\History\History.IE5\index.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\History\History.IE5\MSHist012014010720140108\index.dat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Cookies\index.dat => Moved successfully.
Could not move "C:\Users\Maxwell\AppData\Local\Temp" directory. => Scheduled to move on reboot.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-21 16:29:08)<=

C:\Windows\system32\mzxxwli.yjp => Is moved successfully.
C:\Windows\system32\ywkqrj.msc => Is moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\FXSAPIDebugLogFile.txt => Is moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\JavaDeployReg.log => Is moved successfully.
C:\Users\Maxwell\AppData\Local\Temp => Moved successfully.

==== End of Fixlog ====
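As an added illustration (this is not part of the thread and not FRST's own code), the following Python script reads a Fixlog like the one above and checks the one thing worth verifying by hand: every item that FRST reported as "Scheduled to move on reboot" should reappear as moved in the "Result of Scheduled Files to move" section. The line shapes it recognises are only the three that appear in the log above (`=> Moved successfully.`, `=> Is moved successfully.`, and `Could not move "..." directory. => Scheduled to move on reboot.`); the sample log is constructed from lines in this thread, and any other line shape is ignored rather than guessed at.

```python
"""Triage helper for FRST Fixlog output (added example; not part of the thread or of FRST).

The line shapes below are taken from the Fixlog posted above; anything else
FRST may emit is not handled here and is deliberately left unparsed.
"""
import re
from collections import Counter

# Constructed sample, modelled on the Fixlog lines in this thread.
SAMPLE_FIXLOG = r"""
C:\Users\Maxwell\AppData\Local\Temp\jrt\JRT.bat => Moved successfully.
C:\Users\Maxwell\AppData\Local\Temp\Cookies\index.dat => Moved successfully.
Could not move "C:\Users\Maxwell\AppData\Local\Temp" directory. => Scheduled to move on reboot.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-01-21 16:29:08)<=

C:\Windows\system32\mzxxwli.yjp => Is moved successfully.
C:\Windows\system32\ywkqrj.msc => Is moved successfully.
C:\Users\Maxwell\AppData\Local\Temp => Moved successfully.

==== End of Fixlog ====
"""

# "<path> => <result>" or 'Could not move "<path>" directory. => <result>'
LINE_RE = re.compile(
    r'^(?:Could not move "(?P<quoted>[^"]+)"(?: directory)?\.|(?P<path>.+?))'
    r'\s*=>\s*(?P<result>.+?)\s*$'
)
# Header that separates the live fix from the moves retried at boot time.
SECTION_RE = re.compile(r'^=> Result of Scheduled Files to move \(Boot Mode: (?P<mode>[^)]+)\)')


def parse_fixlog(text):
    """Return one dict per action line: path, phase ('fix' or 'reboot') and status."""
    entries = []
    phase = "fix"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("===="):
            continue
        if SECTION_RE.match(line):
            phase = "reboot"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: ignore rather than guess
        path = m.group("quoted") or m.group("path")
        result = m.group("result").rstrip(".")
        if result in ("Moved successfully", "Is moved successfully"):
            status = "moved"
        elif result.startswith("Scheduled to move on reboot"):
            status = "deferred"
        else:
            status = "other"
        entries.append({"path": path, "phase": phase, "status": status})
    return entries


def summarize(entries):
    """Count actions per (phase, status), e.g. {('fix', 'moved'): 2, ...}."""
    return dict(Counter((e["phase"], e["status"]) for e in entries))


def unresolved_after_reboot(entries):
    """Paths deferred to reboot that never show up as moved in the boot-time section."""
    moved_at_boot = {e["path"].lower() for e in entries
                     if e["phase"] == "reboot" and e["status"] == "moved"}
    return [e["path"] for e in entries
            if e["phase"] == "fix" and e["status"] == "deferred"
            and e["path"].lower() not in moved_at_boot]


if __name__ == "__main__":
    parsed = parse_fixlog(SAMPLE_FIXLOG)
    for key, count in sorted(summarize(parsed).items()):
        print(f"{key[0]:>6} {key[1]:<9} {count}")
    leftover = unresolved_after_reboot(parsed)
    print("unresolved after reboot:", leftover or "none")
```

Run against the sample, the summary shows two files and one deferred directory in the fix phase, three moves in the reboot phase, and no deferred item left unresolved; feeding it only the first half of a log (before the boot-time section) would list the Temp directory as still pending, which is the case where a second reboot or a follow-up fix is worth asking for.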



#7 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 22 January 2014 - 05:44 PM

Hi,

Great work! :)

I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps:

STEP 1

  • Please download RogueKiller.exe and save it to the desktop.
  • Close all windows and browsers.
  • Right-click the program and select 'Run as Administrator'.
  • Press the scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 2

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 3

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow these instructions for performing a scan.
  • Caution: This is a beta version, so also read the disclaimer and back up all your data before using it.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation on this tool can be found in the ReadMe.rtf file, which is located in the Malwarebytes Anti-Rootkit (mbar) folder.

STEP 4

1. Please download HitmanPro.

  • For 32-bit Operating System
  • This is the mirror
  • For 64-bit Operating System
  • This is the mirror

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users: right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, then please open the program while holding down the left CTRL key until the program is loaded.

3. Click on the Next button. You must agree with the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the Next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose Apply to all => Ignore <= IMPORTANT!!!

8. Click on the Next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: If there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it into your next reply.

STEP 5

  • Please download RKill by Grinler from the link below and save it to your desktop.
    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

STEP 6

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

And then, if there aren't any issues left, I'll give you my final recommendations. :)

Regards,

Georgi


#8 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 30 January 2014 - 09:33 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
