CCleaner cannot remove file client[1].txt which keeps changing


10 replies to this topic

#1 tjnbarbour

  • Members
  • 7 posts

Posted 22 May 2014 - 11:40 PM

Hi,

Thank you ahead of time for your assistance.

I have been previously infected with the IRS government warning virus. I am reasonably comfortable working with malware removal tools, and I thought I had all of the issues resolved. However, CCleaner keeps finding this file, C:\Users\Teresa's Laptop\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4HTU1IC\clients[1].txt (1 KB), which, when I locate it, has literally changed before my eyes. Also, even though it shows as 1 KB, the file shows only the number 1, and it disappears and reappears as I watch it.

I have also had a recurring issue with my Outlook cache becoming corrupted in this same folder.

I have as yet only found posts alluding to this issue, but no answers, and quite honestly, I am sick of trying to figure it out. I turned in my Tech badge a few years back, when we were still using HJK, and I really hope that you can help me resolve this, and the odd things that happen now and then, which I am assuming are due to this issue or residue or whatever it is.

Attached please find the DDS.txt file. I will be happy to provide anything else that you require.

Thanks again for your assistance,

Best regards,

Teresa

#2 nasdaq

  • Malware Response Team
  • 40,454 posts
  • Location:Montreal, QC. Canada

Posted 25 May 2014 - 08:54 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the correct version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.

Let me know what problem persists.
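The FRST.txt requested above is a plain-text report, and a helper reads it by section, looking for a handful of line shapes. As an added example (not part of this thread, and not code from FRST or its author), the Python below does that first triage pass over a few lines excerpted from the FRST.txt posted later in this thread: it flags FRST's own "ATTENTION!" marker, orphaned registry references ("No File" / "[X]"), running processes with an empty publisher field, and MountPoints2 autorun entries for removable drives. The kind names and severity labels are the example's own heuristic, not FRST's.

```python
"""Triage helper for FRST.txt scan logs (added example, not FRST's own code).

Flags the line shapes a malware-removal helper reads first: FRST's ATTENTION!
marker, orphaned references ("No File" / "[X]"), processes with an empty
publisher field, and autorun entries for removable drives (MountPoints2).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Sample input: lines excerpted from the FRST.txt posted in this thread,
# arranged under their section headers so the example runs without a real scan.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe

==================== Registry (Whitelisted) ==================

HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\MountPoints2: {a46ff84d-093f-11e3-9488-14feb59e107b} - H:\LaunchU3.exe

==================== Internet (Whitelisted) ====================

Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO-x32: No Name - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -  No File

==================== Drivers (Whitelisted) ====================

S1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [X]
"""


@dataclass(frozen=True)
class Finding:
    section: str   # FRST section the line came from, e.g. "Registry (Whitelisted)"
    kind: str      # attention | orphan | unsigned | removable-autorun (example's own names)
    severity: str  # high | medium | low (example's own heuristic)
    line: str      # the flagged line, verbatim


# Section headers look like "==================== Registry (Whitelisted) =================="
SECTION_RE = re.compile(r"^=+ ([^=].*?) =+$")
# Process lines look like "(Publisher) C:\path\to\binary.exe"; an empty publisher is "()".
PROCESS_RE = re.compile(r"^\((?P<publisher>[^)]*)\) (?P<path>[A-Za-z]:\\.+)$")


def classify(section: str, line: str) -> Optional[Finding]:
    """Return a Finding for a line worth a helper's attention, or None otherwise."""
    if "ATTENTION!" in line:
        # FRST's own heuristic marker; in this log it points at a CLSID/InprocServer32 entry
        return Finding(section, "attention", "high", line)
    if line.endswith("[X]") or line.endswith("No File"):
        # Registry still references a file that no longer exists: a leftover to clean up
        return Finding(section, "orphan", "low", line)
    if "MountPoints2" in line:
        # Autorun handler registered for a removable drive; review before keeping it
        return Finding(section, "removable-autorun", "medium", line)
    if section.startswith("Processes"):
        m = PROCESS_RE.match(line)
        if m and not m.group("publisher").strip():
            # Running binary with no publisher information in the FRST output
            return Finding(section, "unsigned", "medium", line)
    return None


def triage(log_text: str) -> list:
    """Walk an FRST.txt log, tracking the current section, and collect findings."""
    findings = []
    section = "Header"
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        finding = classify(section, line)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, e.g. {'orphan': 3, 'attention': 1, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.kind:17} {f.section}: {f.line}")
    print(summarize(results))
```

The clean AvastSvc.exe, SDTray and Google Toolbar lines in the sample produce no finding, which is the point of the check: the output is the short list a helper reads closely, not the whole log.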

#3 tjnbarbour
  • Topic Starter

  • Members
  • 7 posts

Posted 27 May 2014 - 12:41 AM

Thank you for the reply. I have been away from my computer for a couple of days; I will follow your instructions and reply as soon as possible.

Best regards,

Teresa



#4 tjnbarbour
  • Topic Starter

  • Members
  • 7 posts

Posted 27 May 2014 - 02:06 AM

Here are the text files you requested, as well as a third scan result for shortcuts that resulted from the additional options on the Farbar tool. I am assuming that this is something similar to the HJT tool that is no longer in use. I hope that adding that text file as well is not against your rules. AdwCleaner found several items that I allowed it to clean. Hopefully the logs will show clean, and this irritant will end. I will look forward to your reply.

Best regards,

Teresa

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 25-05-2014 02
Ran by Teresa's Laptop (administrator) on MININT-IT6PH21 on 26-05-2014 23:16:42
Running from C:\Users\Teresa's Laptop\Desktop\Computer Cleaning Tools
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Comodo Security Solutions, Inc.) C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Secure Backup) C:\Program Files (x86)\Malwarebytes Secure Backup\SUpdateNotifier.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Online Games Manager\ogmservice.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
(Google Inc.) C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.24.7\GoogleCrashHandler64.exe
() C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe
(Macrovision Corporation) C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
(Malwarebytes Secure Backup) C:\Program Files (x86)\Malwarebytes Secure Backup\SAgent.Service.exe
(Thong Nguyen) C:\Program Files (x86)\PowerMenu\PowerMenu.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Secure Backup\mbsbscan.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(RealNetworks, Inc.) C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe
() C:\Program Files (x86)\Brother\Web BRAdmin\cgi-bin\wbaagent.exe
() C:\Program Files (x86)\Brother\Web BRAdmin\cgi-bin\agentrcv.exe
() C:\Program Files (x86)\Brother\Web BRAdmin\cgi-bin\wbatimer.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_13_0_0_214_ActiveX.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
(Microsoft Corporation) C:\Windows\SysWOW64\SearchProtocolHost.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Comodo Firewall] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1612504 2013-11-11] (COMODO)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3888648 2014-05-26] (AVAST Software)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [2621440 2010-06-10] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [TkBellExe] => c:\program files (x86)\real\realplayer\Update\realsched.exe [296520 2014-04-19] (RealNetworks, Inc.)
HKLM-x32\...\Run: [SDTray] => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe [5624784 2013-07-25] (Safer-Networking Ltd.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-06-27] (Google Inc.)
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\Run: [Google Update] => C:\Users\Teresa's Laptop\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2014-02-16] (Google Inc.)
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\Run: [Microsoft Outlook 2010] => C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office [0 2013-11-05] ()
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\Run: [ISUSPM] => C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe [226904 2007-07-12] (Macrovision Corporation)
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\MountPoints2: {a46ff84d-093f-11e3-9488-14feb59e107b} - H:\LaunchU3.exe
Startup: C:\Users\Teresa's Laptop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk.disabled
ShortcutTarget: Dropbox.lnk.disabled -> C:\Users\Teresa's Laptop\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\Teresa's Laptop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerMenu.lnk
ShortcutTarget: PowerMenu.lnk -> C:\Program Files (x86)\PowerMenu\PowerMenu.exe (Thong Nguyen)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
URLSearchHook: HKLM-x32 - (No Name) - {37a7edb7-afda-4373-9865-02bf8160e677} - No File
URLSearchHook: HKCU - (No Name) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - No File
URLSearchHook: HKCU - (No Name) - {37a7edb7-afda-4373-9865-02bf8160e677} - No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - DefaultScope {308E2198-6783-485E-B21F-4C1529619369} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7GZAG_enUS438
SearchScopes: HKCU - OldDefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
SearchScopes: HKCU - {308E2198-6783-485E-B21F-4C1529619369} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7GZAG_enUS438
BHO: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin64.dll (RealDownloader)
BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO-x32: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: No Name - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -  No File
BHO-x32: No Name - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -  No File
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
BHO-x32: Logitech Flow Scroll - {E11DB59D-5008-42ff-9069-535843BC0BE1} - C:\Program Files\Logitech\FlowScroll\32-bit\LogiSmooth.dll (Logitech, Inc.)
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - E-Web Print - {201CF130-E29C-4E5C-A73F-CD197DEFA6AE} - C:\Program Files (x86)\Epson Software\E-Web Print\ewps_tb.dll (SEIKO EPSON CORPORATION)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKCU - No Name - {3BBD3C14-4C16-4989-8366-95BC9179779D} -  No File
Toolbar: HKCU - No Name - {37A7EDB7-AFDA-4373-9865-02BF8160E677} -  No File
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - C:\Windows\system32\urlmon.dll (Microsoft Corporation)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{42018084-A013-4F62-9B18-C7BC70C477EC}: [NameServer]8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{7ACF87CE-E134-4E74-9ECC-5771258C5BAC}: [NameServer]8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{836920ED-60BD-414C-A692-62A8663A1B06}: [NameServer]8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{846ee342-7039-11de-9d20-806e6f6e6963}: [NameServer]8.8.8.8,8.8.4.4
Tcpip\..\Interfaces\{EDD98A01-3A14-4257-90AD-04DC320B86C2}: [NameServer]8.8.8.8,8.8.4.4

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.45.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer - C:\Windows\SysWOW64\Adobe\Director\np32dsw_1210150.dll (Adobe Systems, Inc.)
FF Plugin-x32: @google.com/npPicasa3,version=3.0.0 - C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF Plugin-x32: @java.com/JavaPlugin - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @mozilla.zeniko.ch/PDFLite_Browser_Plugin - C:\Program Files (x86)\PDFlite\npPdfViewer.dll (Simon Bünzli)
FF Plugin-x32: @real.com/nppl3260;version=17.0.9.17 - c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprjplug;version=15.0.1.13 - c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=17.0.9 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=17.0.9 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=17.0.9 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpchromebrowserrecordext;version=15.0.1.13 - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprphtml5videoshim;version=15.0.1.13 - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpjplug;version=15.0.1.13 - c:\program files (x86)\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=17.0.9.17 - c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer Cloud)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: ZEON/PDF,version=2.0 - C:\Program Files (x86)\Nuance\PDF Reader\bin\nppdf.dll (Zeon Corporation)
FF Plugin HKCU: @mozilla.zeniko.ch/PDFLite_Browser_Plugin - C:\Program Files (x86)\PDFlite\npPdfViewer.dll (Simon Bünzli)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 - C:\Users\Teresa's Laptop\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 - C:\Users\Teresa's Laptop\AppData\Local\Google\Update\1.3.24.7\npGoogleUpdate3.dll (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{B7082FAA-CB62-4872-9106-E42DD88EDE45}] - C:\Program Files (x86)\McAfee\SiteAdvisor
FF HKLM-x32\...\Firefox\Extensions: [{5D3F3872-91E9-4d59-AD9F-AA174A3145DD}] - C:\Program Files\Logitech\FlowScroll\LogiSmoothFirefoxExt
FF Extension: Logitech Flow Scroll - C:\Program Files\Logitech\FlowScroll\LogiSmoothFirefoxExt [2012-04-25]
FF HKLM-x32\...\Firefox\Extensions: [e-webprint@epson.com] - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on
FF Extension: E-Web Print - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on [2012-11-16]
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-04-19]
FF HKLM-x32\...\Firefox\Extensions: [{53D8DD28-1C83-41F3-B171-C2ED5B3E5DE8}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ []
FF HKCU\...\Firefox\Extensions: [sp2@sp.com] - C:\Program Files (x86)\Social Privacy\FF\

Chrome:
=======
CHR HomePage:
CHR StartupUrls: "hxxp://www.google.com"
CHR Extension: (Google Docs) - C:\Users\Teresa's Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-12-12]
CHR Extension: (Google Cast) - C:\Users\Teresa's Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2013-12-20]
CHR Extension: (avast! Online Security) - C:\Users\Teresa's Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-01-06]
CHR Extension: (RealPlayer Downloader) - C:\Users\Teresa's Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2014-04-21]
CHR Extension: (Google Wallet) - C:\Users\Teresa's Laptop\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-12-20]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-04-25]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2014-04-06]

==================== Services (Whitelisted) =================

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-04-25] (AVAST Software)
S4 CLKMSVC10_9EC60124; C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [236016 2010-10-26] (CyberLink)
R2 CLPSLauncher; C:\Program Files (x86)\Common Files\COMODO\launcher_service.exe [70352 2013-10-11] (Comodo Security Solutions, Inc.)
R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6254152 2013-10-19] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [164056 2013-09-24] (COMODO)
R2 GeekBuddyRSP; C:\Program Files (x86)\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2013-10-11] (Comodo Security Solutions, Inc.)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 ogmservice; C:\Program Files (x86)\Online Games Manager\ogmservice.exe [581568 2014-03-27] (RealNetworks, Inc.)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [88576 2011-09-15] ()
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39568 2014-04-06] ()
S2 RealPlayer Cloud Service; c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [1141848 2014-04-19] (RealNetworks, Inc.)
R2 RealPlayerUpdateSvc; C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [23552 2014-04-07] ()
R2 sagentservice; C:\Program Files (x86)\Malwarebytes Secure Backup\SAgent.Service.exe [39832 2013-08-15] (Malwarebytes Secure Backup)
R2 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [3921880 2013-10-15] (Safer-Networking Ltd.)
S2 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [1042272 2013-09-20] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171416 2013-09-13] (Safer-Networking Ltd.)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
R2 WBA_Agent_Client_Service; C:\Program Files (x86)\Brother\Web BRAdmin\cgi-bin\wbaagent.exe [81920 2009-02-04] ()
R2 WBA_Agent_Receiver; C:\Program Files (x86)\Brother\Web BRAdmin\cgi-bin\agentrcv.exe [81920 2009-02-04] ()
R2 WBA_Scheduler; C:\Program Files (x86)\Brother\Web BRAdmin\cgi-bin\wbatimer.exe [69632 2010-08-05] ()

==================== Drivers (Whitelisted) ====================

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-04-25] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [79184 2014-04-25] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-04-25] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-04-25] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1039096 2014-05-15] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [423240 2014-05-15] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [85328 2014-05-15] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [208416 2014-04-25] ()
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [23168 2013-09-24] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [709144 2013-11-14] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [48872 2013-09-24] (COMODO)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [96800 2013-09-24] (COMODO)
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [89304 2014-02-16] (Malwarebytes Corporation)
R1 nvkflt; C:\Windows\System32\DRIVERS\nvkflt.sys [284008 2012-10-25] (NVIDIA Corporation)
S3 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
S1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-05-25 10:50 - 2014-05-26 23:09 - 00001246 _____ () C:\Windows\PFRO.log
2014-05-25 01:00 - 2014-05-26 23:09 - 00000168 _____ () C:\Windows\setupact.log
2014-05-25 01:00 - 2014-05-25 01:00 - 00000000 _____ () C:\Windows\setuperr.log
2014-05-24 14:28 - 2014-05-24 14:28 - 00003266 _____ () C:\Windows\System32\Tasks\{1D878AD6-C973-4ACA-8587-3F320D104B7B}
2014-05-24 14:27 - 2014-05-24 14:28 - 00003214 _____ () C:\Windows\DPINST.LOG
2014-05-22 18:45 - 2014-05-22 18:45 - 00034657 _____ () C:\Users\Teresa's Laptop\Desktop\dds.txt

==================== One Month Modified Files and Folders =======


Files to move or delete:
====================
C:\Users\Public\AlexaNSISPlugin.3304.dll

Some content of TEMP:
====================
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsf1692.exe
C:\Users\Teresa's Laptop\AppData\Local\Temp\nslBB3E.exe
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsvAEFD.exe
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsvBF7.exe
C:\Users\Teresa's Laptop\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-05-23 06:50

==================== End Of Log ============================


#5 nasdaq (Malware Response Team)

Posted 27 May 2014 - 09:03 AM

Run this additional tool to remove the ZeroAccess infection.

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
=======

Restart the computer normally.

Continue with this fix.

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
URLSearchHook: HKLM-x32 - (No Name) - {37a7edb7-afda-4373-9865-02bf8160e677} - No File
URLSearchHook: HKCU - (No Name) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - No File
URLSearchHook: HKCU - (No Name) - {37a7edb7-afda-4373-9865-02bf8160e677} - No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: No Name - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -  No File
BHO-x32: No Name - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - No Name - {3BBD3C14-4C16-4989-8366-95BC9179779D} -  No File
Toolbar: HKCU - No Name - {37A7EDB7-AFDA-4373-9865-02BF8160E677} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
FF HKCU\...\Firefox\Extensions: [sp2@sp.com] - C:\Program Files (x86)\Social Privacy\FF\
S1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [X]
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsf1692.exe
C:\Users\Teresa's Laptop\AppData\Local\Temp\nslBB3E.exe
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsvAEFD.exe
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsvBF7.exe
AlternateDataStreams: C:\ProgramData\Temp:2C5ABA5C
Task: {284C128C-9BF3-4329-8336-9122BF807AA2} - \RegClean Pro_UPDATES No Task File <==== ATTENTION
Task: {44DE4228-46FE-439A-83E4-07E5C21A6D16} - \Dealply No Task File <==== ATTENTION
Task: {628E2BD1-9284-4930-B332-AA2E467743B4} - \DealPlyUpdate No Task File <==== ATTENTION
Task: {8BCED9B7-7D2C-4DD4-93FF-0A919A3F58EA} - \RealUpgradeLogonTaskS-1-5-21-3797571617-2345687493-384676197-1002 No Task File <==== ATTENTION
Task: {927042BC-D6C5-41A2-AE66-D14B3EA2BD7B} - \RegClean Pro No Task File <==== ATTENTION
Task: {AA37D331-EF75-4CF0-A2FE-7D60413A5F0B} - \RealUpgradeScheduledTaskS-1-5-21-3797571617-2345687493-384676197-1002 No Task File <==== ATTENTION
Task: {BCBE648E-8068-46E5-966C-B6EBC4D1B567} - \RegClean Pro_DEFAULT No Task File <==== ATTENTION

End
Save the file as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists.
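Added example, not code from the thread, FRST or RogueKiller: a small Python triage script that pulls out of a pasted FRST log the kinds of entries nasdaq copied into the fixlist above (hooks, BHOs, toolbars and handlers pointing at a missing file, tasks with no task file, the [X] driver service, the alternate data stream, executables in the user's Temp folder) and flags any line in the Bamital & volsnap section whose MD5 is not reported legit. The matching patterns are my assumption from the log format shown in this thread, the log text is a constructed sample with a placeholder user name and all-zero placeholder GUIDs for the benign entries, and the result is a list for a human to review, not a verdict (it also lists Quarantine.exe, which nasdaq deliberately left out).

```python
"""Triage helper for FRST log text (added example; not FRST's own code).

Finds the leftover entries a helper would review for fixlist.txt and checks
the "Bamital & volsnap Check" section for any MD5 not reported legit.
"""
import re

# Constructed sample modelled on the thread's log: placeholder user name,
# all-zero placeholder GUIDs and a constructed failing MD5 line.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===============
URLSearchHook: HKCU - (No Name) - {37a7edb7-afda-4373-9865-02bf8160e677} - No File
BHO-x32: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files (x86)\Example\helper.dll (Example Vendor)
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
S1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [X]
S3 exampledrv; C:\Windows\system32\drivers\example.sys [12345 2014-01-01] (Example Vendor)
Task: {284C128C-9BF3-4329-8336-9122BF807AA2} - \RegClean Pro_UPDATES No Task File <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\ExampleUpdater => C:\Program Files\Example\updater.exe
AlternateDataStreams: C:\ProgramData\Temp:2C5ABA5C

Some content of TEMP:
====================
C:\Users\USER\AppData\Local\Temp\nsf1692.exe
C:\Users\USER\AppData\Local\Temp\Quarantine.exe
C:\Users\USER\AppData\Local\Temp\notes.txt

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 does not match (constructed sample)
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
"""

# Heuristics assumed from the log lines in the thread; each is matched
# against one stripped log line.
ORPHAN_PATTERNS = [
    # registry hooks, BHOs, toolbars and URL handlers whose DLL is gone
    re.compile(r"^(URLSearchHook|BHO(-x32)?|Toolbar|Handler(-x32)?):.*\bNo File$"),
    # scheduled task registrations whose task file is gone
    re.compile(r"^Task: \{[0-9A-Fa-f-]{36}\} - .* No Task File <==== ATTENTION$"),
    # anything FRST itself marked with ATTENTION!
    re.compile(r"ATTENTION!"),
    # service/driver line (letter + start type, then name;) whose file is missing
    re.compile(r"^[SRU]\d+ \S+; .*\[X\]$"),
    re.compile(r"^AlternateDataStreams: "),
    # executables sitting in the user's Temp directory
    re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE),
]
SECTION_RE = re.compile(r"^=+ (.+?) =+$")   # "==== Section name ===="
MD5_RE = re.compile(r"^(.+?) => (.+)$")     # "<path> => MD5 is legit"


def find_fix_candidates(log_text):
    """Return the stripped log lines that look like leftovers worth reviewing."""
    found = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and any(p.search(line) for p in ORPHAN_PATTERNS):
            found.append(line)
    return found


def failed_md5_checks(log_text):
    """Return paths in the 'Bamital & volsnap Check' section not reported legit."""
    section = None
    bad = []
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section and section.startswith("Bamital"):
            m = MD5_RE.match(line)
            if m and m.group(2) != "MD5 is legit":
                bad.append(m.group(1))
    return bad


def build_fixlist(candidates):
    """Wrap the reviewed lines in the start/End markers used in fixlist.txt."""
    return "start\n" + "\n".join(candidates) + "\nEnd\n"


if __name__ == "__main__":
    cands = find_fix_candidates(SAMPLE_LOG)
    print(build_fixlist(cands))
    for path in failed_md5_checks(SAMPLE_LOG):
        print("MD5 check failed:", path)
```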

#6 tjnbarbour (Topic Starter)

Posted 27 May 2014 - 04:41 PM

Hi Nasdaq,

Thank you again for your help. I know how much time and skill is involved in reading and interpreting each and every malware situation. Your assistance is immensely appreciated. I followed all of the instructions. RogueKiller actually created four txt files, all of which were listed as [0]. However, two of them were superfluous, and the other two were almost identical, so I have pasted the contents of the larger of the two. The fix seemed to work fine. Please see posted logs.

I will work with the computer for a bit and see if it shows any signs of infection. Hopefully this will be the end of it. I look forward to your reply.

Best regards,

Teresa

RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Teresa's Laptop [Admin rights]
Mode : Remove -- Date : 05/27/2014 14:15:18
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 7 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Microsoft Outlook 2010 (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office [-]) -> DELETED
[RUN][SUSP PATH] HKUS\S-1-5-21-3797571617-2345687493-384676197-1002\[...]\Run : Microsoft Outlook 2010 (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office [-]) -> [0x2] The system cannot find the file specified.
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

[...]

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9500420AS +++++
--- User ---
[MBR] 1b753e8c165af52557c4300c7d2269c7
[BSP] a38d422f4aa468de0e2d9398755a79a3 : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 462937 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 948097024 | Size: 14001 MB
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST9500420AS +++++
--- User ---
[MBR] b8314fbf1f145192ad3e3f3fb1fed320
[BSP] 98a7ea93d4bb7119ca9cfddc99da8f67 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_05272014_141518.txt >>
RKreport[0]_H_05272014_141455.txt;RKreport[0]_S_05272014_141233.txt

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 25-05-2014 02
Ran by Teresa's Laptop at 2014-05-27 14:30:49 Run:1
Running from C:\Users\Teresa's Laptop\Desktop\Computer Cleaning Tools
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
URLSearchHook: HKLM-x32 - (No Name) - {37a7edb7-afda-4373-9865-02bf8160e677} - No File
URLSearchHook: HKCU - (No Name) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - No File
URLSearchHook: HKCU - (No Name) - {37a7edb7-afda-4373-9865-02bf8160e677} - No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: No Name - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -  No File
BHO-x32: No Name - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - No Name - {3BBD3C14-4C16-4989-8366-95BC9179779D} -  No File
Toolbar: HKCU - No Name - {37A7EDB7-AFDA-4373-9865-02BF8160E677} -  No File
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
Handler-x32: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} -  No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
FF HKCU\...\Firefox\Extensions: [sp2@sp.com] - C:\Program Files (x86)\Social Privacy\FF\
S1 avgtp; \??\C:\Windows\system32\drivers\avgtpx64.sys [X]
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsf1692.exe
C:\Users\Teresa's Laptop\AppData\Local\Temp\nslBB3E.exe
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsvAEFD.exe
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsvBF7.exe
AlternateDataStreams: C:\ProgramData\Temp:2C5ABA5C
Task: {284C128C-9BF3-4329-8336-9122BF807AA2} - \RegClean Pro_UPDATES No Task File <==== ATTENTION
Task: {44DE4228-46FE-439A-83E4-07E5C21A6D16} - \Dealply No Task File <==== ATTENTION
Task: {628E2BD1-9284-4930-B332-AA2E467743B4} - \DealPlyUpdate No Task File <==== ATTENTION
Task: {8BCED9B7-7D2C-4DD4-93FF-0A919A3F58EA} - \RealUpgradeLogonTaskS-1-5-21-3797571617-2345687493-384676197-1002 No Task File <==== ATTENTION
Task: {927042BC-D6C5-41A2-AE66-D14B3EA2BD7B} - \RegClean Pro No Task File <==== ATTENTION
Task: {AA37D331-EF75-4CF0-A2FE-7D60413A5F0B} - \RealUpgradeScheduledTaskS-1-5-21-3797571617-2345687493-384676197-1002 No Task File <==== ATTENTION
Task: {BCBE648E-8068-46E5-966C-B6EBC4D1B567} - \RegClean Pro_DEFAULT No Task File <==== ATTENTION

End
*****************

HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\{37a7edb7-afda-4373-9865-02bf8160e677} => Value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{3bbd3c14-4c16-4989-8366-95bc9179779d} => Value deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{37a7edb7-afda-4373-9865-02bf8160e677} => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{B164E929-A1B6-4A06-B104-2CD0E90A88FF} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => Value deleted successfully.
HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Value deleted successfully.
HKCR\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3BBD3C14-4C16-4989-8366-95BC9179779D} => Value deleted successfully.
HKCR\CLSID\{3BBD3C14-4C16-4989-8366-95BC9179779D} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{37A7EDB7-AFDA-4373-9865-02BF8160E677} => Value deleted successfully.
HKCR\CLSID\{37A7EDB7-AFDA-4373-9865-02BF8160E677} => Key not found.
HKCR\PROTOCOLS\Handler\linkscanner => Key deleted successfully.
HKCR\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} => Key not found.
HKCR\PROTOCOLS\Handler\sacore => Key deleted successfully.
HKCR\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5} => Key not found.
HKCR\Wow6432Node\PROTOCOLS\Handler\dssrequest => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5} => Key not found.
HKCR\Wow6432Node\PROTOCOLS\Handler\gopher => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{79eac9e4-baf9-11ce-8c82-00aa004ba90b} => Key not found.
HKCR\Wow6432Node\PROTOCOLS\Handler\linkscanner => Key not found.
HKCR\Wow6432Node\CLSID\{F274614C-63F8-47D5-A4D1-FBDDE494F8D1} => Key not found.
HKCR\Wow6432Node\PROTOCOLS\Handler\sacore => Key not found.
HKCR\Wow6432Node\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5} => Key not found.
HKCU\Software\Mozilla\Firefox\Extensions\\sp2@sp.com => Value deleted successfully.
avgtp => Service deleted successfully.
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsf1692.exe => Moved successfully.
C:\Users\Teresa's Laptop\AppData\Local\Temp\nslBB3E.exe => Moved successfully.
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsvAEFD.exe => Moved successfully.
C:\Users\Teresa's Laptop\AppData\Local\Temp\nsvBF7.exe => Moved successfully.
C:\ProgramData\Temp => ":2C5ABA5C" ADS removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{284C128C-9BF3-4329-8336-9122BF807AA2} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{284C128C-9BF3-4329-8336-9122BF807AA2} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro_UPDATES => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{44DE4228-46FE-439A-83E4-07E5C21A6D16} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{44DE4228-46FE-439A-83E4-07E5C21A6D16} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Dealply => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{628E2BD1-9284-4930-B332-AA2E467743B4} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{628E2BD1-9284-4930-B332-AA2E467743B4} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DealPlyUpdate => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8BCED9B7-7D2C-4DD4-93FF-0A919A3F58EA} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8BCED9B7-7D2C-4DD4-93FF-0A919A3F58EA} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RealUpgradeLogonTaskS-1-5-21-3797571617-2345687493-384676197-1002 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{927042BC-D6C5-41A2-AE66-D14B3EA2BD7B} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{927042BC-D6C5-41A2-AE66-D14B3EA2BD7B} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AA37D331-EF75-4CF0-A2FE-7D60413A5F0B} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AA37D331-EF75-4CF0-A2FE-7D60413A5F0B} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RealUpgradeScheduledTaskS-1-5-21-3797571617-2345687493-384676197-1002 => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BCBE648E-8068-46E5-966C-B6EBC4D1B567} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BCBE648E-8068-46E5-966C-B6EBC4D1B567} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro_DEFAULT => Key not found.

==== End of Fixlog ====



#7 tjnbarbour

tjnbarbour
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:39 AM

Posted 27 May 2014 - 04:55 PM

Hi Nasdaq,

 

Too soon to celebrate, just updated and ran CCleaner again, and same stupid file is there: C:\Users\Teresa's Laptop\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4HTU1IC\clients[1].txt 1 KB. At least it is using the same folder name as before. In the past, it has created others, and made it hard to locate.

 

Just a couple more bits of information, I noticed about a month or so ago, that there appeared to be additional users showing in Regedit. I realize that there will always be more than 1 user account showing in HKeyUsers, but I am the only user on this laptop, there is no Guest account. Mine is an Administrator account, so that accounts for Default, Administrator and my account. However, I cannot make sense of the other four listed. It may be perfectly normal, but just so you are aware, the first three users listed as S-1-5-18, 19, & 20. Then there are four other user accounts, two for each of the numbers with Classes for the second. They are S-1-5-21-3797571617-2345687493-384676197-1002, 1002Classes, then the same identifier ending in 1003, and 1003Classes respectively.

 

I have also been unable to eliminate IE from constantly asking if I want it to be my default search engine. All of the settings are correct, so I can only assume that something else is trying to change it, thus creating the irritating question. If I come across any other signs I will post them, in the mean time I will await your further instructions.

 

Best regards,

 

Teresa


Edited by tjnbarbour, 27 May 2014 - 05:21 PM.


#8 tjnbarbour

tjnbarbour
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:39 AM

Posted 27 May 2014 - 05:33 PM

Hi Nasdaq,

 

More information on this mysterious file. If I catch the file before it disappears, and change the number listed from 1 to anything else, and quickly save it, the computer immediately creates another version of the same file changing the [1] to the next number in line. Once the file is changed and saved, under Properties, Security, it shows the normal permissions. However, if I open the file before it disappears, under the Security tab, it shows a red button with an x, and says, "The requested security information is either unavailable, or can't be displayed." It also creates other folders with exactly eight characters, usually two numbers and the rest capital letters. As near as I can tell, the file switches locations every few seconds from one or another of these folders. If I delete any of the folders, it simply recreates them within seconds. If I try to delete the file, or any of the folders it lives in, I get the message that the file is open in another program and cannot be deleted. Once it is changed, there is no problem deleting. I hope that this helps.

 

Looking forward to hearing from you.

 

Teresa


Edited by tjnbarbour, 27 May 2014 - 05:35 PM.


#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,454 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:39 PM

Posted 28 May 2014 - 07:12 AM

Too soon to celebrate, just updated and ran CCleaner again, and same stupid file is there: C:\Users\Teresa's Laptop\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4HTU1IC\clients[1].txt 1 KB

The file is created by an application you are using, nothing to worry about. It's a text file and not running anything bad.
===

Do not worry about these, they are good.
Look at what it's running

HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-06-27] (Google Inc.)
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\Run: [Google Update] => C:\Users\Teresa's Laptop\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2014-02-16] (Google Inc.)
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\Run: [Microsoft Outlook 2010] => C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office [0 2013-11-05] ()
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\Run: [ISUSPM] => C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe [226904 2007-07-12] (Macrovision Corporation)
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
HKU\S-1-5-21-3797571617-2345687493-384676197-1002\...\MountPoints2: {a46ff84d-093f-11e3-9488-14feb59e107b} - H:\LaunchU3.exe


I have also been unable to eliminate IE from constantly asking if I want it to be my default search engine.

Open Internet Explorer > Tool > Internet Options > Program Tab.
Uncheck "Tell me when Internet browser is not the default..."
Click the apply button.
===

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.
===
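The HKEY_USERS entries asked about in #7 (S-1-5-18/19/20, the two S-1-5-21-...-1002/1003 keys and their "_Classes" twins) can be checked rather than guessed at. The script below is an added example, not something from this thread or from any of the tools used in it; it assumes Windows PowerShell 2.0 or later, as shipped with Windows 7, and that it is run from an elevated prompt so every loaded hive is visible.

```powershell
# Added example (not part of the thread): map each HKEY_USERS subkey to the
# account it belongs to, so a "S-1-5-21-...-1002" key and its "_Classes" twin
# can be matched against the accounts that actually exist on the machine.
# Assumes Windows PowerShell 2.0+ and an elevated prompt.

# Local accounts the OS knows about, keyed by SID. WMI is used instead of
# Get-LocalUser because the latter does not exist on Windows 7.
$localAccounts = @{}
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    ForEach-Object { $localAccounts[$_.SID] = $_.Name }

Get-ChildItem -Path 'Registry::HKEY_USERS' | ForEach-Object {
    $keyName = $_.PSChildName

    # A logged-on user's profile is loaded twice: "<SID>" holds HKCU and
    # "<SID>_Classes" holds the per-user HKEY_CLASSES_ROOT overlay, so one
    # interactive account legitimately produces two keys here.
    $sid       = $keyName -replace '_Classes$', ''
    $isClasses = ($keyName -ne $sid)

    # Resolve the SID to an account name. The well-known S-1-5-18/19/20 keys
    # resolve to SYSTEM, LOCAL SERVICE and NETWORK SERVICE; ".DEFAULT" is not
    # a SID and lands in the catch block, as does an orphaned SID whose
    # account has been deleted, which is the case worth a second look.
    $resolved = '<unresolved>'
    try {
        $sidObj   = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $resolved = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { }

    New-Object PSObject -Property @{
        Key          = $keyName
        SID          = $sid
        ClassesHive  = $isClasses
        Account      = $resolved
        LocalAccount = $(if ($localAccounts.ContainsKey($sid)) { $localAccounts[$sid] } else { '' })
    }
} | Sort-Object SID, ClassesHive | Format-Table Key, Account, LocalAccount, ClassesHive -AutoSize
```

A key whose Account column stays "<unresolved>" and whose SID is not ".DEFAULT" belongs to a profile with no matching account and is the only kind of entry in this list that merits follow-up.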

#10 tjnbarbour

tjnbarbour
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:10:39 AM

Posted 28 May 2014 - 09:51 PM

Hi Nasdaq,

 

I have also been unable to eliminate IE from constantly asking if I want it to be my default search engine. All of the settings are correct, so I can only assume that something else is trying to change it, thus creating the irritating question.

All of the settings, means all of the settings, I have already done that, undone and redone the check, applied, clicked OK, restarted IE, restarted the PC, etc. I used to be a pretty good tech, so I am familiar with all of the regular things to look for. I was hoping that you might have an inkling as to what else to look for, or a reg setting that I could switch to resolve this.

 

Thanks for setting my mind at ease regarding the 1002 and 1003 users.

 

Here is the scan results

 Results of screen317's Security Check version 0.99.83 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
 Windows Firewall Disabled! 
avast! Antivirus  
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Haunted Past - Realm of Ghosts
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java™ 6 Update 31 
 Java version out of Date!
 Adobe Reader XI 
 Google Chrome 34.0.1847.137 
 Google Chrome 35.0.1916.114 
````````Process Check: objlist.exe by Laurent```````` 
 Spybot Teatimer.exe is disabled!
 Comodo Firewall cmdagent.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe  
 Malwarebytes Secure Backup SUpdateNotifier.exe  
 Malwarebytes Secure Backup SAgent.Service.exe  
 Malwarebytes Secure Backup mbsbscan.exe  
 Online Games Manager ogmservice.exe  
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast avastui.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


I will try to ignore that weird file if you are sure it is not significant. Thank you for all of your time and guidance.

Best regards,

Teresa
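Security Check's output is meant to be read by eye, and the log above already contains two things that are easy to skim past: the Windows Firewall is reported both Enabled and Disabled, and two Chrome versions are listed side by side next to an out-of-date Java. As an added example, written for this thread and not taken from screen317's tool or from the posts, this Python snippet splits a Security Check log into its backtick-framed sections and pulls out the items a helper would act on: out-of-date software, contradictory enabled/disabled states for one product, duplicate installs, and disabled protection processes. The sample log is a trimmed copy of the one posted above; the section, state and version patterns are my assumptions about the log layout.

```python
import re
from collections import defaultdict
from typing import Dict, List

SEP = "`" * 14  # Security Check frames section titles in runs of backticks

# Trimmed copy of the log posted above, used as constructed sample input.
SECURITY_CHECK_SAMPLE = "\n".join([
    " Results of screen317's Security Check version 0.99.83 ",
    " Windows 7 Service Pack 1 x64 (UAC is enabled) ",
    " Internet Explorer 11 ",
    SEP + "Antivirus/Firewall Check:" + SEP,
    " Windows Firewall Enabled! ",
    " Windows Firewall Disabled! ",
    "avast! Antivirus  ",
    " Antivirus up to date!  ",
    SEP + "Anti-malware/Other Utilities Check:" + SEP,
    " Spybot - Search & Destroy",
    " Haunted Past - Realm of Ghosts",
    " Malwarebytes Anti-Malware version 1.75.0.1300 ",
    " Java(TM) 6 Update 31 ",
    " Java version out of Date!",
    " Adobe Reader XI ",
    " Google Chrome 34.0.1847.137 ",
    " Google Chrome 35.0.1916.114 ",
    SEP + "Process Check: objlist.exe by Laurent" + SEP + " ",
    " Spybot Teatimer.exe is disabled!",
    " AVAST Software Avast AvastSvc.exe ",
    SEP + "System Health check" + SEP,
    " Total Fragmentation on Drive C: 0%",
    SEP + "End of Log" + SEP,
])

# Layout assumptions: a section header is backticks + title + backticks;
# a state line ends in "Enabled!" / "Disabled!"; a product line may end in a
# dotted version number, optionally preceded by the word "version".
SECTION_RE = re.compile(r"^`+(?P<title>[^`]+?)`+\s*$")
STATE_RE = re.compile(r"^(?P<product>.+?) (?P<state>Enabled|Disabled)!$")
VERSION_RE = re.compile(r"^(?P<product>.+?) (?:version )?(?P<version>\d+(?:\.\d+)+)$")
UTILITIES_SECTION = "Anti-malware/Other Utilities Check:"


def triage_security_check(text: str) -> Dict[str, list]:
    """Return the actionable items found in a Security Check log."""
    report: Dict[str, list] = {
        "sections": [], "outdated": [], "conflicts": [], "duplicates": [], "disabled": [],
    }
    states = defaultdict(set)    # product -> {"Enabled", "Disabled"}
    versions = defaultdict(set)  # product -> set of version strings
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("title").strip()
            report["sections"].append(section)
            continue
        if "out of date" in line.lower():
            report["outdated"].append(line)
        if line.lower().endswith("is disabled!"):
            report["disabled"].append(line)
        m = STATE_RE.match(line)
        if m:
            states[m.group("product")].add(m.group("state"))
        m = VERSION_RE.match(line)
        if m and section == UTILITIES_SECTION:
            versions[m.group("product")].add(m.group("version"))
    # A product reported both ways is a contradiction the helper should resolve.
    report["conflicts"] = [p for p, s in states.items() if {"Enabled", "Disabled"} <= s]
    # Two versions of one product usually means a stale install left behind.
    report["duplicates"] = [(p, sorted(v)) for p, v in versions.items() if len(v) > 1]
    return report


if __name__ == "__main__":
    for key, items in triage_security_check(SECURITY_CHECK_SAMPLE).items():
        print(key, items)
```

Run against the sample it reports the firewall contradiction, the Java line, the two Chrome versions and the disabled TeaTimer process, which matches what nasdaq picks out by hand in the next reply.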



#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,454 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:39 PM

Posted 29 May 2014 - 07:20 AM


This might just be the issue.
It's new to me. Learn something every day.

How do I prevent programs from changing my default search provider?
http://windows.microsoft.com/en-ca/windows/prevent-programs-changing-default-search-provider#1TC=windows-7

Hope it helps.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Latest version is Java JRE 7u60.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java™ 6 Update 31

===



