Computer Plays Radio


60 replies to this topic

#1 gapdong

gapdong

  • Members
  • 33 posts

Posted 19 October 2014 - 12:41 PM

Sorry, I think I've been posting to the wrong forum. I posted it here: http://www.bleepingcomputer.com/forums/t/552416/computer-plays-radio/. Anyway, ran Malwarebytes and Avast and didn't detect anything. Tried to download "dds" or "rsit" and a window pops up saying "your current security settings do not allow for this file to be downloaded." Therefore I haven't been able to download and run it. What should I do next?




#2 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,115 posts
  • Gender:Male
  • Location:Germany

Posted 19 October 2014 - 02:04 PM

Hello and welcome on board,

my name is Machiavelli and I will assist you with your problem.
If you booted into safe mode on your computer then print my instructions!
I'm in the 'Malware Staff Team' and will provide you with advice:

Removing Malware from a computer can be very complicated. Malware (malicious software) is able to hide and so I may not be able to find it so easily. In order to remove Malware from your computer, you need to follow my instructions carefully. Don't be worried if you don't know what to do, just ask me! Please stay in contact with me until the problem is fixed.

Below are a few tips:
  • Removing Malware is usually very difficult.
    We need to search and analyse a lot of files. As this is done in our free time, please be patient especially if I don't answer every day!
  • Please follow these instructions
    If you don't follow the instructions your computer may crash. If you fix your PC by yourself, this can be very risky!
  • Please stay in contact with me until your problem is resolved
    As Malware may not be totally removed in one session or in one day, please stay in contact with me until the problem is resolved.
  • Please don't run any other tools without consulting with me as this can complicate finding and removing all Malware
    Don't run any tools while I'm fixing your PC. That is counterproductive and again, will only complicate finding and removing all Malware!
  • Read my post completely
    If you don't do so, you may make mistakes that could result in your System crashing by your own actions!
 
 

ran Malwarebytes

I need the logs.

Please download FRST (by Farbar) from the link below and save it to your Desktop.
 

Download Mirror #1

If you are unsure whether you have 32-Bit or 64-Bit Windows, see here
  • Disable all anti-virus and anti-malware software to prevent them inhibiting FRST in any way. If you are unsure how to do this, see THIS.
  • Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • When the disclaimer appears, click Yes.
  • Click Scan to start FRST.
  • When FRST finishes scanning, two logs, FRST.txt and Addition.txt will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of both of these logs into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.



#3 gapdong

gapdong
  • Topic Starter

  • Members
  • 33 posts

Posted 19 October 2014 - 10:13 PM

1) Tried to download FRST but the window popped up that said "your current security settings do not allow for this file to be downloaded."

2) Ran Malwarebytes...ran for 6 hours and suddenly a message popped up saying there was an issue and stopped running.

 

Next steps?



#4 gapdong

gapdong
  • Topic Starter

  • Members
  • 33 posts

Posted 19 October 2014 - 11:06 PM

I was able to get Malwarebytes to do a shorter scan. Here is the log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/19/2014
Scan Time: 8:32:50 PM
Logfile: malwarebyteslog.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.10.19.07
Rootkit Database: v2014.10.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Joanne

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 347038
Time Elapsed: 29 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.uTorrentBar.A, HKLM\SOFTWARE\uTorrentBar, No Action By User, [f69d9e786f0d7db9dc4cf82593708779],
PUP.Optional.uTorrentBar.A, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\bejbohlohkkgompgecdcbbglkpjfjgdj, No Action By User, [0e8568ae512b9f970a1c2df06c97817f],
PUP.Optional.uTorrentBar.A, HKU\S-1-5-21-3104870216-2912995691-283130738-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\uTorrentBar, No Action By User, [0192799dfd7f45f13af0011c7f8438c8],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 10
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Logs, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\MyStuffApps, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_CT2786678, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_CT2786678\AppsMetaData, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_CT2786678\ToolbarLogin, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_CT2786678\ToolbarSettings, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_en, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_en\ToolbarTranslation, No Action By User, [761d977fcfad88ae220283934bb8ac54],

Files: 11
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\ldrtbuTor.dll, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\tbuTor.dll, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\ThirdPartyComponents.xml, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\toolbar.cfg, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_CT2786678\AppsMetaData\data.bck.txt, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_CT2786678\AppsMetaData\data.txt, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_CT2786678\ToolbarLogin\data.txt, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_CT2786678\ToolbarSettings\data.bck.txt, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_CT2786678\ToolbarSettings\data.txt, No Action By User, [761d977fcfad88ae220283934bb8ac54],
PUP.Optional.uTorrentBar.A, C:\Users\Joanne\AppData\LocalLow\uTorrentBar\Repository\conduit_CT2786678_en\ToolbarTranslation\data.txt, No Action By User, [761d977fcfad88ae220283934bb8ac54],
Exploit.Drop.GS, C:\Users\Joanne\AppData\Local\Temp\wcrash.exe, Quarantined, [eda654c2e399c6704c84f67a6a999769],

Physical Sectors: 0
(No malicious items detected)

(end)



#5 gapdong

gapdong
  • Topic Starter

  • Members
  • 33 posts

Posted 19 October 2014 - 11:25 PM

Finally able to get FRST to download and run. Here are the logs:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-10-2014
Ran by Joanne (administrator) on JOANNE-PC on 19-10-2014 21:20:53
Running from C:\Users\Joanne\Desktop
Loaded Profile: Joanne (Available profiles: IUSR_NMPR & Joanne)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\WINDOWS\System32\SLsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Program Files\Paragon Software\HFS+ for Windows  9.0\apmwinsrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(Conexant Systems, Inc.) C:\WINDOWS\System32\drivers\XAudio.exe
(Microsoft Corporation) C:\WINDOWS\System32\mobsync.exe
(Hewlett-Packard Company) C:\hp\support\hpsysdrv.exe
(Realtek Semiconductor) C:\WINDOWS\RtHDVCpl.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
(Intel Corporation) C:\WINDOWS\System32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\System32\igfxpers.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(RealNetworks, Inc.) C:\Program Files\Real\realplayer\Update\realsched.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Intel Corporation) C:\WINDOWS\System32\igfxsrvc.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(Microsoft Corporation) C:\WINDOWS\System32\wbem\unsecapp.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehsched.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehrecvr.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(RealNetworks, Inc.) C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe
(Hewlett-Packard Company) C:\hp\KBD\kbd.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\hp\support\hpsysdrv.exe [65536 2006-09-28] (Hewlett-Packard Company)
HKLM\...\Run: [KBD] => C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4874240 2008-01-15] (Realtek Semiconductor)
HKLM\...\Run: [CCUTRAYICON] => FactoryMode
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] => "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [178712 2008-06-02] (Intel Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-28] (AVAST Software)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-05-15] (Apple Inc.)
HKLM\...\Run: [TkBellExe] => c:\program files\real\realplayer\Update\realsched.exe [295512 2014-07-02] (RealNetworks, Inc.)
HKLM\...\RunOnce: [AvgUninstallURL] => cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNjIzNDc4MDU4LVRCOSsyLUZMKzktWE8zNisxLUY5TTdDKzMtUUlYMSs0LVgyM (the data entry has 140 more characters).
HKLM\...\RunOnce: [Launcher] => C:\Windows\SMINST\launcher.exe [44168 2007-03-07] (soft thinks)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {110667a2-2276-11df-9890-001bfcb4bc9d} - F:\LaunchU3.exe
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {736cbb7b-f5cb-11de-add6-001bfcb4bc9d} - F:\LaunchU3.exe -a
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {d4ec1971-b430-11de-aae6-001bfcb4bc9d} - J:\LaunchU3.exe -a
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {df0f3a5e-cae4-11de-89cf-001bfcb4bc9d} - J:\LaunchU3.exe -a
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...409d6c4515e9\InprocServer32: [Default-shell32] shell32.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\InprocServer32: [Default-pngfilt]  <==== ATTENTION!

HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Joanne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com?fr=hp-avast&type=avastbcl
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.yahoo.com?fr=hp-avast&type=avastbcl
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com?fr=hp-avast&type=avastbcl
SearchScopes: HKLM - DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM - {408612A3-1FEB-406F-9AB1-229E891F718C} URL = http://search.live.com/results.aspx?q={searchTerms}&amp;entrypoint={referrer:source?}&amp;FORM=HVDUS7
SearchScopes: HKLM - {4ACCB679-8DC7-493D-8B70-0691A45ADA0A} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKLM - {64D07515-4B58-4CE1-86C9-F9408DABED5F} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM - {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
SearchScopes: HKCU - DefaultScope {A1CF9762-0C20-4403-B139-DD71675279FA} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7RNTN_en
SearchScopes: HKCU - {408612A3-1FEB-406F-9AB1-229E891F718C} URL =
SearchScopes: HKCU - {4ACCB679-8DC7-493D-8B70-0691A45ADA0A} URL =
SearchScopes: HKCU - {64D07515-4B58-4CE1-86C9-F9408DABED5F} URL =
SearchScopes: HKCU - {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKCU - {A1CF9762-0C20-4403-B139-DD71675279FA} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7RNTN_en
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL =
SearchScopes: HKCU - {C86E956C-E62C-4EB4-90CB-36AEF1F014B1} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog9 11 mswsock.dll File Not found ()
Winsock: Catalog9 12 mswsock.dll File Not found ()
Winsock: Catalog9 13 mswsock.dll File Not found ()
Winsock: Catalog9 14 mswsock.dll File Not found ()
Winsock: Catalog9 15 mswsock.dll File Not found ()
Winsock: Catalog9 16 mswsock.dll File Not found ()
Winsock: Catalog9 17 mswsock.dll File Not found ()
Winsock: Catalog9 18 mswsock.dll File Not found ()
Winsock: Catalog9 19 mswsock.dll File Not found ()
Winsock: Catalog9 20 mswsock.dll File Not found ()
Winsock: Catalog9 21 mswsock.dll File Not found ()
Winsock: Catalog9 22 mswsock.dll File Not found ()
Winsock: Catalog9 23 mswsock.dll File Not found ()
Winsock: Catalog9 24 mswsock.dll File Not found ()
Winsock: Catalog9 25 mswsock.dll File Not found ()
Winsock: Catalog9 26 mswsock.dll File Not found ()
Winsock: Catalog9 27 mswsock.dll File Not found ()
Winsock: Catalog9 28 mswsock.dll File Not found ()
Winsock: Catalog9 29 mswsock.dll File Not found ()
Winsock: Catalog9 30 mswsock.dll File Not found ()
Winsock: Catalog9 31 mswsock.dll File Not found ()
Winsock: Catalog9 32 mswsock.dll File Not found ()
Winsock: Catalog9 33 mswsock.dll File Not found ()
Winsock: Catalog9 34 mswsock.dll File Not found ()
Winsock: Catalog9 35 mswsock.dll File Not found ()
Winsock: Catalog9 36 mswsock.dll File Not found ()
Winsock: Catalog9 37 mswsock.dll File Not found ()
Winsock: Catalog9 38 mswsock.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\2yhak9g0.default
FF DefaultSearchEngine: Yahoo! (Avast)
FF DefaultSearchUrl: https://search.yahoo.com/yhs/search
FF SearchEngineOrder.1: Yahoo! (Avast)
FF SelectedSearchEngine: Yahoo! (Avast)
FF Homepage: https://www.yahoo.com?fr=hp-avast&type=avastbcl
FF Keyword.URL: https://search.yahoo.com/yhs/search
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=1.6.0_35 -> C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin: @real.com/RhapsodyPlayerEngine,version=1.0 -> C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpplugin.dll (RealPlayer)
FF SearchPlugin: C:\Users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\2yhak9g0.default\searchplugins\yahoo-avast.xml
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\2yhak9g0.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2012-06-15]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-06-30]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-09-01]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-10-05]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-09-02]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2011-08-28]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKCU\...\Firefox\Extensions: [{882D0169-B598-4EFA-829E-6FF753248379}] - C:\Users\Joanne\AppData\Local\{882D0169-B598-4EFA-829E-6FF753248379}
FF Extension: XULRunner - C:\Users\Joanne\AppData\Local\{882D0169-B598-4EFA-829E-6FF753248379} [2010-12-08]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [bejbohlohkkgompgecdcbbglkpjfjgdj] - C:\Users\Joanne\AppData\Local\Temp\ccex.crx []
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-08-28]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AlertService; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [188416 2006-09-11] (Intel® Corporation) [File not signed]
R2 apmwinsrv; C:\Program Files\Paragon Software\HFS+ for Windows  9.0\apmwinsrv.exe [65328 2012-04-04] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-08-28] (AVAST Software)
R2 DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [208896 2006-09-03] () [File not signed]
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-03-13] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [131072 2007-03-13] (Hewlett-Packard Co.) [File not signed]
S3 IDriverT; c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S2 IntelDHSvcConf; C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [29696 2006-05-10] (Intel® Corporation) [File not signed]
S3 ISSM; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [75264 2006-09-11] (Intel® Corporation) [File not signed]
R2 LightScribeService; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2007-01-17] (Hewlett-Packard Company) [File not signed]
S3 M1 Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [26624 2006-08-31] () [File not signed]
S3 MCLServiceATL; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [167936 2006-09-11] (Intel® Corporation) [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S3 Remote UI Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [544256 2006-09-11] (Intel® Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 apmwin; C:\Windows\System32\DRIVERS\apmwin.sys [43056 2012-04-04] (Paragon Software Group)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-08-28] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67824 2014-08-28] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [55112 2014-08-28] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-08-28] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [779536 2014-08-28] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [414520 2014-08-28] (AVAST Software)
R1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57800 2014-08-28] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [192352 2014-08-28] ()
R0 gpt_loader; C:\Windows\System32\DRIVERS\gpt_loader.sys [44976 2012-04-04] (Paragon Software Group)
R3 hcw18bda; C:\Windows\System32\drivers\hcw18bda.sys [354432 2007-01-15] (Hauppauge Computer Works, Inc)
S3 Hfsplus; C:\Windows\System32\DRIVERS\hfsplus.sys [165680 2012-04-04] (Paragon Software Group)
R2 HfsplusRec; C:\Windows\System32\DRIVERS\hfsplusrec.sys [15152 2012-04-04] (Paragon Software Group)
R0 mounthlp; C:\Windows\System32\DRIVERS\mounthlp.sys [34096 2012-04-04] (Paragon Software Group)
S3 netr73; C:\Windows\System32\DRIVERS\WUSB54GCx86.sys [256000 2007-03-12] (Ralink Technology Inc.)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [41984 2010-09-28] (Apple, Inc.) [File not signed]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 Lavasoft Kernexplorer; \??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys [X]
S0 Lbd; system32\DRIVERS\Lbd.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-19 21:20 - 2014-10-19 21:21 - 00024211 _____ () C:\Users\Joanne\Desktop\FRST.txt
2014-10-19 21:20 - 2014-10-19 21:21 - 00000000 ____D () C:\FRST
2014-10-19 21:18 - 2014-10-19 21:18 - 01103360 _____ (Farbar) C:\Users\Joanne\Desktop\FRST.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-19 21:15 - 2006-11-02 03:33 - 00707794 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-19 21:12 - 2006-11-02 05:37 - 00000000 ___RD () C:\Users\Public\Recorded TV
2014-10-19 21:11 - 2014-09-16 18:09 - 00000380 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Joanne.job
2014-10-19 21:11 - 2007-05-15 00:59 - 00000000 ____D () C:\Windows\SMINST
2014-10-19 21:10 - 2013-09-20 17:01 - 00173608 _____ () C:\Windows\PFRO.log
2014-10-19 21:10 - 2010-03-07 13:00 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-19 21:10 - 2006-11-02 06:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-19 21:10 - 2006-11-02 05:47 - 00003568 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-19 21:10 - 2006-11-02 05:47 - 00003568 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-19 21:10 - 2006-11-02 04:18 - 00000000 ____D () C:\Windows\tapi
2014-10-19 21:09 - 2006-11-02 06:01 - 00032622 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-19 20:56 - 2010-03-07 13:00 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-19 20:42 - 2012-06-15 21:10 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-19 20:31 - 2014-06-08 11:00 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-19 18:38 - 2014-09-16 18:09 - 00000370 _____ () C:\Windows\Tasks\ReclaimerUpdateXML_Joanne.job
2014-10-19 13:14 - 2014-09-16 18:09 - 00000374 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_Joanne.job
2014-10-18 22:36 - 2012-11-21 14:41 - 00001596 _____ () C:\Windows\WindowsUpdate.log
2014-10-18 22:36 - 2012-11-21 14:38 - 00001965 _____ () C:\Windows\setupact.log
2014-10-17 20:02 - 2013-05-15 18:41 - 00000966 _____ () C:\Users\Joanne\Desktop\Rkill.txt
2014-10-15 19:12 - 2012-02-06 08:19 - 00000384 _____ () C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2014-09-23 20:42 - 2012-06-15 21:10 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-09-23 20:42 - 2011-12-01 19:27 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3104870216-2912995691-283130738-1001\$51a7b1b258aafcec05dd0477f09b1a43

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$51a7b1b258aafcec05dd0477f09b1a43

Files to move or delete:
====================
C:\ProgramData\0tbpw.pad

Some content of TEMP:
====================
C:\Users\Joanne\AppData\Local\Temp\3zc993kz.dll
C:\Users\Joanne\AppData\Local\Temp\lowproc.exe
C:\Users\Joanne\AppData\Local\Temp\nfiioeal.dll
C:\Users\Joanne\AppData\Local\Temp\pohqedwc.dll
C:\Users\Joanne\AppData\Local\Temp\qmut6ubn.dll
C:\Users\Joanne\AppData\Local\Temp\stubhelper.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-10-19 21:16

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 19-10-2014
Ran by Joanne at 2014-10-19 21:21:44
Running from C:\Users\Joanne\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: avast! Antivirus (Enabled - Up to date) {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AS: avast! Antivirus (Enabled - Up to date) {904CF271-6431-DA47-5FCE-A87D98DFB681}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

32 Bit HP CIO Components Installer (Version: 7.1.8 - Hewlett-Packard) Hidden
6300 (Version: 82.0.242.000 - Hewlett-Packard) Hidden
6300_Help (Version: 82.0.242.000 - Hewlett-Packard) Hidden
6300Trb (Version: 82.0.242.000 - Hewlett-Packard) Hidden
Activation Assistant for the 2007 Microsoft Office suites (HKLM\...\Activation Assistant for the 2007 Microsoft Office suites) (Version:  - Microsoft Corporation)
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0 - Microsoft Corporation) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.5.1.17730 - Adobe Systems Inc.)
Adobe AIR (Version: 2.5.1.17730 - Adobe Systems Inc.) Hidden
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Reader X (10.1.12) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.12 - Adobe Systems Incorporated)
AIO_CDB_ProductContext (Version: 82.0.242.000 - Hewlett-Packard) Hidden
AIO_CDB_Software (Version: 82.0.242.000 - Hewlett-Packard) Hidden
AIO_Scan (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Apple Application Support (HKLM\...\{D9DAD0FF-495A-472B-9F10-BAE430A26682}) (Version: 3.0.3 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{18D47FA1-0440-48D3-A7E0-DA09537FF471}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM\...\{C6579A65-9CAE-4B31-8B6B-3306E0630A66}) (Version: 2.1.3.127 - Apple Inc.)
avast! Free Antivirus (HKLM\...\avast) (Version: 9.0.2021 - AVAST Software)
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
BufferChm (Version: 82.0.173.000 - Hewlett-Packard) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 3.05 - Piriform)
Chinese Simplified Fonts Support For Adobe Reader 8 (HKLM\...\{AC76BA86-7AD7-2447-0000-800000000003}) (Version: 8.0.0 - Adobe Systems)
Copy (Version: 82.0.188.000 - Hewlett-Packard) Hidden
CustomerResearchQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Destinations (Version: 82.0.173.000 - Hewlett-Packard) Hidden
DeviceManagementQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
DVD Shrink 3.2 (HKLM\...\DVD Shrink_is1) (Version:  - DVD Shrink)
DVDFab 8.0.4.0 (11/11/2010) (HKLM\...\DVDFab 8_is1) (Version:  - Fengtao Software Inc.)
Enhanced Multimedia Keyboard Solution (HKLM\...\KBD) (Version:  - Hewlett-Packard)
eSupportQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Fax (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
Hardware Diagnostic Tools (HKLM\...\PC-Doctor 5 for Windows) (Version: 5.00.4424.15 - PC-Doctor, Inc.)
HP Customer Experience Enhancements (HKLM\...\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}) (Version: 5.1.0.2264 - Hewlett-Packard)
HP Customer Feedback (Version: 1.0.0 - Hewlett-Packard) Hidden
HP Customer Participation Program 8.0 (HKLM\...\HPExtendedCapabilities) (Version: 8.0 - HP)
HP Driver Diagnostics (HKLM\...\{0EC7C406-B592-4686-BAC1-AD29A85EAE6A}) (Version: 1.03.0005 - Hewlett-Packard Company)
HP Easy Setup - Frontend (HKLM\...\{40F7AED3-0C7D-4582-99F6-484A515C73F2}) (Version: 5.1.0.2269 - Hewlett-Packard)
HP Imaging Device Functions 8.0 (HKLM\...\HP Imaging Device Functions) (Version: 8.0 - HP)
HP On-Screen Cap/Num/Scroll Lock Indicator (HKLM\...\OsdMaestro) (Version:  - Hewlett-Packard)
HP Photosmart Essential 2.0 (HKLM\...\HP Photosmart Essential) (Version: 2.0 - HP)
HP Photosmart Essential2.5 (Version: 1.00.0000 - Hewlett-Packard) Hidden
HP Photosmart, Officejet, PSC and Deskjet All-In-One Driver Software 8.0.B (HKLM\...\{C916D86C-AB76-49c7-B0E4-A946E0FD9BC2}) (Version: 8.0 - HP)
HP Picasso Media Center Add-In (Version: 1.0.0 - HP) Hidden
HP Product Assistant (Version: 100.000.001.000 - Hewlett-Packard) Hidden
HP Solution Center 8.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 8.0 - HP)
HP Update (HKLM\...\{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}) (Version: 5.003.001.001 - Hewlett-Packard)
HPProductAssistant (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - )
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - )
Intel® Viiv™ Software (HKLM\...\Intel® Configuration Center) (Version: 1.6.361.6 - Intel Corporation)
Intel® Viiv™ Software (Version: 1.6.361.6 - Intel Corporation) Hidden
iTunes (HKLM\...\{A9B3F8D5-DF4F-462B-81B7-4B69EBEDBC5B}) (Version: 11.2.0.115 - Apple Inc.)
Japanese Fonts Support For Adobe Reader 8 (HKLM\...\{AC76BA86-7AD7-5760-0000-800000000003}) (Version: 8.0 - Adobe Systems)
Java Auto Updater (Version: 2.0.7.1 - Sun Microsystems, Inc.) Hidden
Java™ 6 Update 35 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83216033FF}) (Version: 6.0.350 - Oracle)
LightScribe  1.4.142.1 (Version: 1.4.142.1 - http://www.lightscribe.com) Hidden
Linksys Compact Wireless-G USB Adapter Driver - WUSB54GC (HKLM\...\{F855C3AE-992D-4B84-A09D-07103CDCDAC2}) (Version: 1.0 - Linksys, A Division of Cisco Systems, Inc.)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
MarketResearch (Version: 82.0.174.000 - Hewlett-Packard) Hidden
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM\...\HOMESTUDENTR) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (HKLM\...\{90120000-00B2-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Works (HKLM\...\{6D52C408-B09A-4520-9B18-475B81D393F1}) (Version: 08.05.0818 - Microsoft Corporation)
Mozilla Firefox 16.0.2 (x86 en-US) (HKLM\...\Mozilla Firefox 16.0.2 (x86 en-US)) (Version: 16.0.2 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 16.0.2 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
My HP Games (HKLM\...\WildTangent hpdesktop Master Uninstall) (Version: HPCMPQ1701 - WildTangent)
Paragon HFS+ for Windows™ 9.0 (HKLM\...\{456534C0-51E7-11DF-B336-005056C00008}) (Version: 1.00 - Paragon Software)
PSSWCORE (Version: 2.00.5000 - Hewlett-Packard) Hidden
Python 2.4.3 (HKLM\...\{75E71ADD-042C-4F30-BFAC-A9EC42351313}) (Version: 2.4.3150 - Martin v. Löwis)
QuickTime (HKLM\...\{7BE15435-2D3E-4B58-867F-9C75BED0208C}) (Version: 7.71.80.42 - Apple Inc.)
RealDownloader (Version: 1.3.3 - RealNetworks, Inc.) Hidden
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0 - RealNetworks, Inc) Hidden
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0 - RealNetworks, Inc) Hidden
RealPlayer (HKLM\...\RealPlayer 16.0) (Version: 16.0.3 - RealNetworks)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5548 - Realtek Semiconductor Corp.)
RealUpgrade 1.1 (Version: 1.1.0 - RealNetworks, Inc.) Hidden
Rhapsody Player Engine (HKLM\...\{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}) (Version: 1.0.604 - RealNetworks)
Roxio Activation Module (Version: 1.0 - Roxio) Hidden
Roxio Creator Audio (HKLM\...\{83FFCFC7-88C6-41c6-8752-958A45325C82}) (Version: 3.4.0 - Roxio)
Roxio Creator Basic v9 (HKLM\...\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}) (Version: 3.4.0 - Roxio)
Roxio Creator Copy (HKLM\...\{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}) (Version: 3.4.0 - Roxio)
Roxio Creator Data (HKLM\...\{0D397393-9B50-4c52-84D5-77E344289F87}) (Version: 3.4.0 - Roxio)
Roxio Creator EasyArchive (HKLM\...\{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}) (Version: 3.4.0 - Roxio)
Roxio Creator Tools (HKLM\...\{0394CDC8-FABD-4ed8-B104-03393876DFDF}) (Version: 3.4.0 - Roxio)
Roxio Express Labeler 3 (HKLM\...\{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}) (Version: 3.2.1 - Roxio)
Roxio MyDVD Basic v9 (HKLM\...\{938B1CD7-7C60-491E-AA90-1F1888168240}) (Version: 9.0.559 - Roxio)
Safari (HKLM\...\{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}) (Version: 5.31.21.10 - Apple Inc.)
Scan (Version: 8.1.0.0 - Hewlett-Packard) Hidden
Soft Data Fax Modem with SmartCP (HKLM\...\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1) (Version: 7.74.00 - Conexant Systems)
SolutionCenter (Version: 82.0.188.000 - Hewlett-Packard) Hidden
Status (Version: 82.0.173.000 - Hewlett-Packard) Hidden
Toolbox (Version: 82.0.173.000 - Hewlett-Packard) Hidden
TrayApp (Version: 82.0.188.000 - Hewlett-Packard) Hidden
TubeDigger 3.1.1 (HKLM\...\{1E3745C1-674D-4B2E-B8F7-3F4088950ED7}_is1) (Version: 3.1.1 - TubeDigger)
UnloadSupport (Version: 1.00.0000 - Hewlett-Packard) Hidden
ViKi Desktop Plug-in (HKLM\...\ViiKiiDesktopPlugin.5E22EA0FF243470AB5EDDF282C0A5B52E9909C36.1) (Version: 0.6 - ViKi, Inc)
ViKi Desktop Plug-in (Version: 0.6 - ViKi, Inc) Hidden
Visual C++ 2008 x86 Runtime - (v9.0.30729) (Version: 9.0.30729 - Microsoft Corporation) Hidden
Visual C++ 2008 x86 Runtime - v9.0.30729.01 (HKLM\...\{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01) (Version: 9.0.30729.01 - Microsoft Corporation)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WebReg (Version: 82.0.173.000 - Hewlett-Packard) Hidden
WinAVI All in One Converter (HKLM\...\WinAVI All in One Converter) (Version: 1.2.1.3952 - ZJMedia Digital Technology Ltd.)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )
YTD Video Downloader 3.9.5 (HKLM\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version:  - GreenTree Applications SRL)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{17764098-F985-44E2-93C3-DF9B49F1CC19}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{51240B37-45D0-413C-BAE0-D8F3ACDC15E6}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{54BE6B6F-3056-470B-97E1-BB92E051B6C4}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{5E6F22B3-7DF6-4C64-8AD0-1A6CC1351085}\InprocServer32 -> C:\Program Files\Hp\Common\HPScripting.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{64CB8178-1A77-4443-BE13-30BE889B99BB}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{6B75345B-AA36-438A-BBE6-4078B4C6984D}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{7D4CF499-32EC-4E8E-8714-7E74303869F0}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{8877F3CD-3C29-4E2D-B7DD-70B24DF4EBD1}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{9E1DDDD2-0638-4607-B266-13FE69EDFFD3}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{9E3A85FC-1E59-4C57-ACEA-17E7D61000F1}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{AA6A5B54-2ACF-4FDB-A82B-E505A5E0B65E}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{AAFBE339-5BEE-417C-BE98-218DA8512B43}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{B2CD4730-67E7-401C-A2CB-D74715E05FA4}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{B5201019-B9A8-411C-A7AC-CEA856A63C00}\InprocServer32 -> C:\Program Files\Hp\Common\HPScripting.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{BC2971B9-2A4F-44C8-8D7F-04E027544828}\InprocServer32 -> C:\Program Files\Hp\Common\HPScripting.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{D057CD8F-1469-4A41-B24C-7EED6B1DDCD2}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{E975F61C-2C2B-4FE8-A4CD-24C52969CE12}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{FA9C5110-071C-4964-9DD0-610806FF0F81}\InprocServer32 -> C:\Program Files\Hp\Common\HPDeviceDetection.dll (Hewlett-Packard)
CustomCLSID: HKU\S-1-5-21-3104870216-2912995691-283130738-1001_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 -> C:\Windows\system32\shell32.dll (Microsoft Corporation)

==================== Restore Points  =========================

19-08-2014 04:23:21 Scheduled Checkpoint
28-08-2014 19:20:58 avast! antivirus system restore point
31-08-2014 06:35:46 Scheduled Checkpoint
06-09-2014 06:05:43 Scheduled Checkpoint
08-09-2014 01:10:13 Scheduled Checkpoint
09-09-2014 01:08:06 Scheduled Checkpoint
10-09-2014 04:41:41 Scheduled Checkpoint
11-09-2014 01:04:45 Scheduled Checkpoint
12-09-2014 01:29:16 Scheduled Checkpoint
13-09-2014 01:17:37 Scheduled Checkpoint
16-09-2014 00:42:26 Scheduled Checkpoint
18-09-2014 05:12:49 Scheduled Checkpoint
21-09-2014 23:59:31 Scheduled Checkpoint
24-09-2014 00:32:58 Scheduled Checkpoint
28-09-2014 01:01:40 Scheduled Checkpoint
01-10-2014 03:42:23 Scheduled Checkpoint
14-10-2014 05:14:11 Scheduled Checkpoint
15-10-2014 00:32:27 Scheduled Checkpoint
16-10-2014 04:33:35 Scheduled Checkpoint
19-10-2014 18:09:41 Scheduled Checkpoint

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 03:23 - 2006-09-18 14:41 - 00000761 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {05409C6A-2DA3-420D-9A26-E2AEAE485813} - System32\Tasks\RNUpgradeHelperResumePrompt_Joanne => C:\Users\Joanne\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.02\agent\rnupgagent.exe [2014-09-15] (RealNetworks, Inc.)
Task: {1BC00A7F-3E70-4D52-9E3E-A5817C94DD09} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-3104870216-2912995691-283130738-1001 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {1C64BF11-7647-4427-A7A1-A58897D56F3E} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-23] (Adobe Systems Incorporated)
Task: {1CC81347-6204-4B83-900C-01E02F50F067} - System32\Tasks\Microsoft\Windows\MobilePC\TMM
Task: {2327A913-D029-4736-AF59-3F6BF5EC9CF0} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-3104870216-2912995691-283130738-1001 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {275DE0FA-AA0A-4C7D-9AA8-73B1F0797358} - System32\Tasks\Microsoft\Windows\Tcpip\WSHReset => C:\Windows\system32\netsh.exe [2006-11-02] (Microsoft Corporation)
Task: {2D35A035-FAF6-48A2-8B77-132B02C5B5A2} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2010-03-07] (Google Inc.)
Task: {366F54D5-8028-41B6-AEF6-BC9087F7ED20} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {3BCDF251-CA5C-4045-A1FC-8FCEF9FBDC93} - System32\Tasks\Microsoft\Windows\Shell\CrawlStartPages
Task: {42FFD6C3-20EE-4BB9-A163-C52522C2DAF6} - System32\Tasks\ReclaimerUpdateFiles_Joanne => C:\Users\Joanne\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.02\agent\rnupgagent.exe [2014-09-15] (RealNetworks, Inc.)
Task: {44980BEE-7809-44A9-AC24-D6E578A3B7DF} - System32\Tasks\Microsoft\Windows\RAC\RACAgent => C:\Windows\system32\RacAgent.exe [2008-01-19] (Microsoft Corporation)
Task: {4DB59BF4-6202-4D08-AEA6-7B4A910202B8} - System32\Tasks\RNUpgradeHelperLogonPrompt_Joanne => C:\Users\Joanne\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.02\agent\rnupgagent.exe [2014-09-15] (RealNetworks, Inc.)
Task: {57543DB0-EE77-4547-9E65-5785887D717F} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2014-08-28] (AVAST Software)
Task: {B5D6D8A8-EB96-4EA5-B6AF-E5AE43DD3779} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2010-03-07] (Google Inc.)
Task: {BE4E7423-AFED-40A2-94A4-51E26CE5D64F} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {E1643EA0-FBCD-476D-A8F4-9D066EBB293E} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-3104870216-2912995691-283130738-1001 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {E22626F0-D9E6-4A6A-8AF3-D43F811120E0} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-3104870216-2912995691-283130738-1001 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {E5150B95-F9B4-4D5D-95A2-7EC1ACBA95F8} - System32\Tasks\Microsoft\Windows\Wireless\GatherWirelessInfo => C:\Windows\system32\gatherWirelessInfo.vbs [2009-10-05] ()
Task: {EECC2B0B-BC20-4AF8-8847-613DAE7DF014} - System32\Tasks\ReclaimerUpdateXML_Joanne => C:\Users\Joanne\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.02\agent\rnupgagent.exe [2014-09-15] (RealNetworks, Inc.)
Task: {F9B39C15-8A8F-44CD-9BF5-73F185E60C32} - System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
Task: {FD62788B-42AB-4CE0-ACE4-31B348DD1D12} - System32\Tasks\Registration => C:\Program Files\Hewlett-Packard\SDP\RemEngine.exe [2007-03-05] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Ad-Aware Update (Weekly).job => C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\ReclaimerUpdateFiles_Joanne.job => C:\Users\Joanne\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.02\agent\rnupgagent.exe
Task: C:\Windows\Tasks\ReclaimerUpdateXML_Joanne.job => C:\Users\Joanne\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.02\agent\rnupgagent.exe
Task: C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Joanne.job => C:\Users\Joanne\AppData\Roaming\Real\Update\UpgradeHelper\RealPlayer\11.02\agent\rnupgagent.exe

==================== Loaded Modules (whitelisted) =============

2014-04-02 06:35 - 2014-08-28 12:23 - 00301152 _____ () C:\Program Files\AVAST Software\Avast\aswProperty.dll
2014-10-19 14:39 - 2014-10-19 14:40 - 02896384 _____ () C:\Program Files\AVAST Software\Avast\defs\14101901\algo.dll
2012-04-04 18:44 - 2012-04-04 18:44 - 00065328 _____ () C:\Program Files\Paragon Software\HFS+ for Windows  9.0\apmwinsrv.exe
2014-02-12 21:58 - 2014-02-12 21:58 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 21:58 - 2014-02-12 21:58 - 01044808 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2006-09-03 10:32 - 2006-09-03 10:32 - 00208896 _____ () C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
2013-08-14 15:19 - 2013-08-14 15:19 - 00039056 _____ () C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
2013-12-18 14:44 - 2014-08-28 12:23 - 19329904 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2006-12-10 21:51 - 2006-12-10 21:51 - 00065536 ____R () C:\Program Files\HP\Digital Imaging\bin\crm\xmlparse.dll
2006-12-10 21:51 - 2006-12-10 21:51 - 00077824 ____R () C:\Program Files\HP\Digital Imaging\bin\crm\xmltok.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:264B2CC4

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

HKU\S-1-5-21-3104870216-2912995691-283130738-1001\Software\Classes\.exe:  =>  <===== ATTENTION!

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Users^Joanne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk => C:\Windows\pss\OpenOffice.org 3.3.lnk.Startup
MSCONFIG\startupfolder: C:^Users^Joanne^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ViiKiiDesktopPlugin.lnk => C:\Windows\pss\ViiKiiDesktopPlugin.lnk.Startup
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

========================= Accounts: ==========================

Administrator (S-1-5-21-3104870216-2912995691-283130738-500 - Administrator - Disabled)
Guest (S-1-5-21-3104870216-2912995691-283130738-501 - Limited - Disabled)
IUSR_NMPR (S-1-5-21-3104870216-2912995691-283130738-1000 - Limited - Enabled) => C:\Users\IUSR_NMPR
Joanne (S-1-5-21-3104870216-2912995691-283130738-1001 - Administrator - Enabled) => C:\Users\Joanne

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (10/19/2014 08:11:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application mbam.exe, version 1.0.0.532, time stamp 0x53518532, faulting module mbamcore.dll, version 1.0.11.0, time stamp 0x536d8027, exception code 0xc0000005, fault offset 0x000b1d07,
process id 0x1554, application start time 0xmbam.exe0.

Error: (10/19/2014 00:29:26 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 9.0.8112.16450 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: d08
Start Time: 01cfebc2e37b8c89
Termination Time: 357

Error: (10/19/2014 10:33:40 AM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (10/18/2014 07:31:08 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (10/17/2014 08:59:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iexplore.exe, version 9.0.8112.16450, time stamp 0x4549b14e, faulting module MSHTML.dll, version 9.0.8112.16450, time stamp 0x50372c8a, exception code 0xc0000005, fault offset 0x004278c8,
process id 0x2774, application start time 0xiexplore.exe0.

Error: (10/17/2014 08:06:46 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (10/17/2014 08:00:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application iTunes.exe, version 11.2.0.115, time stamp 0x53755cb7, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x3eef800a,
process id 0x1584, application start time 0xiTunes.exe0.

Error: (10/17/2014 07:20:34 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (10/17/2014 07:20:34 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (10/17/2014 06:31:27 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

System errors:
=============
Error: (10/19/2014 09:11:57 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (10/19/2014 09:11:56 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {0228576F-6E6C-4E1A-B175-0E46A316AFE2}

Error: (10/19/2014 09:11:31 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: i8042prt
Lbd

Error: (10/19/2014 09:11:31 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: IPsec Policy AgentBFE

Error: (10/19/2014 09:11:31 PM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: IKE and AuthIP IPsec Keying ModulesBFE

Error: (10/19/2014 09:11:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: Parallel port driver%%1058

Error: (10/19/2014 09:11:31 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: Computer Browser%%1060

Error: (10/19/2014 10:34:11 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (10/19/2014 10:34:10 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {0228576F-6E6C-4E1A-B175-0E46A316AFE2}

Error: (10/19/2014 10:33:47 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: i8042prt
Lbd

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
  Date: 2014-10-19 20:45:43.905
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-19 20:45:42.796
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-19 20:45:42.341
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-19 20:45:41.748
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-19 20:45:40.441
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-19 20:45:40.027
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-19 20:45:39.646
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-19 20:45:39.254
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-19 12:36:10.271
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-19 12:36:09.324
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\WINDOWS\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Intel® Core™2 CPU 4400 @ 2.00GHz
Percentage of memory in use: 56%
Total physical RAM: 2037.77 MB
Available physical RAM: 892.96 MB
Total Pagefile: 4316.79 MB
Available Pagefile: 3019.57 MB
Total Virtual: 2047.88 MB
Available Virtual: 1873.45 MB

==================== Drives ================================

Drive c: (HP) (Fixed) (Total:289.26 GB) (Free:174.33 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Recovery) (Fixed) (Total:8.83 GB) (Free:1 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 298.1 GB) (Disk ID: 1549F232)
Partition 1: (Active) - (Size=289.3 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=8.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#6 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,115 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:02:03 AM

Posted 20 October 2014 - 12:14 AM

In your logs I see a Backdoor. That means that your machine is infected with some nasty files which can steal some information. It is difficult to tell whether or not any data has been stolen and finding out which is true instead of doing countermeasures is unproductive. In this light, for your safety, assume that your log-in details and other information have been accessed by another source.
Below are the steps that you should administer:
  • Please disconnect from the Internet! Also don't use it while we are cleaning the infected machine. This is especially true when you are using the computer in question for online banking and other sites that require sensitive and personal information.
  • It is strongly advised that you change your passwords on a clean PC and notify the bank immediately to watch out for suspicious transactions.
I can try to clean the infection but I have to say your computer is very likely compromised and that there is no way to be sure your computer can ever again be trusted. Experts in the security community believe that a reformat and re-installation of the operating system is the best solution. Please peruse the following if you would like to know more:
Now - you decide if you want to reformat the PC or to clean the PC. Think of it and choose the best solution for you! Let me know of your decision. If you decide to go through with the cleaning, please proceed with the following steps.

 

Step 1: AdwCleaner

Please download AdwCleaner (by Xplode) from the link below and save it to your Desktop:

Download Mirror #1
  • Right-click on AdwCleaner.exe and select Run as administrator. (If you have Windows XP then just run it)
  • Click Scan and let the scan run.
  • When it finishes, click Clean, following the on screen prompts
  • After your computer reboots, a log will open. Please Copy (Ctrl+C) and Paste (Ctrl+V) this into your next post.
Note: The log can also be found in here: C:\AdwCleaner\

Step 2: Malwarebytes

Please download Malwarebytes Anti-Malware to your desktop. Install the programme and select Update.
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits

Go back to the Dashboard and select Scan Now

If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.

On completion of the scan (or after the reboot) select View Detailed Log
Select Export > Select text file and save to the desktop
Attach/Post that log

Step 3: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 4: FRST Scan
  • Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

 
 


#7 gapdong

gapdong
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 20 October 2014 - 10:12 AM

I have a few questions:

1) Is it possible that the virus may have infected other computers on the same network (or could it have originated from another computer and infected this computer)?

2) Will you provide instructions to reformat and re-install the operating system onto the computer?

3) After reformatting, is there a way to check if the virus has been removed? You mentioned there's no way to be sure that the computer can ever be trusted again...seems like a scary thought!

4) Is there a difference with trying to clean the computer first, then reformat or just reformat from the get-go?

5) What is required for the reformat and reinstall? I'm not sure I have any original disks that came with the computer...

6) Where on the log did you see there's a backdoor installed?

 

Sorry for so many questions! I'm probably inclined to reformat since you think it may be the best solution to clean the computer...



#8 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,115 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:02:03 AM

Posted 20 October 2014 - 01:08 PM

1) Yes.
2) If you want, yes.
3) Normally, if you do the reformat correctly, the Malware should be gone. But we can check with FRST.
4) Reformat is faster than trying to clean it.
5) You just need the Windows CD - nothing more.
6)

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3104870216-2912995691-283130738-1001\$51a7b1b258aafcec05dd0477f09b1a43
ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$51a7b1b258aafcec05dd0477f09b1a43


I have no problems cleaning it, don't worry.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.
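The two $Recycle.Bin paths quoted in the answer above are the ZeroAccess indicator. As an added example (not part of this thread and not code from FRST or any other tool used here), the Python below scans FRST-style log lines for that pattern: a folder named "$" plus 32 hex characters sitting directly under a SID folder in $Recycle.Bin, reported as likely ZeroAccess when the same folder name also appears under the SYSTEM SID S-1-5-18. The two log lines from the thread are used as-is; the remaining sample lines are constructed to show what must not be flagged.

```python
import re
from collections import defaultdict

# Sample input: the first two lines are the paths Machiavelli pointed to in
# this thread; the other three are constructed benign lines (a normally
# recycled file plus its $I metadata record, and a hex-named temp file
# outside $Recycle.Bin) that the scanner must leave alone.
SAMPLE_LOG_LINES = [
    r"C:\$Recycle.Bin\S-1-5-21-3104870216-2912995691-283130738-1001\$51a7b1b258aafcec05dd0477f09b1a43",
    r"C:\$Recycle.Bin\S-1-5-18\$51a7b1b258aafcec05dd0477f09b1a43",
    r"C:\$Recycle.Bin\S-1-5-21-3104870216-2912995691-283130738-1001\$RXYZ123.docx",  # constructed
    r"C:\$Recycle.Bin\S-1-5-21-3104870216-2912995691-283130738-1001\$IXYZ123.docx",  # constructed
    r"C:\Users\Joanne\AppData\Local\Temp\51a7b1b258aafcec05dd0477f09b1a43.tmp",      # constructed
]

SYSTEM_SID = "S-1-5-18"

# <drive>:\$Recycle.Bin\<SID>\$<32 hex chars>, optionally followed by more path.
# Group 1 is the SID (SYSTEM or a S-1-5-21 user SID), group 2 the folder name.
# Ordinary Recycle Bin entries are named $R... / $I..., so they never match.
ZA_PATTERN = re.compile(
    r"^[A-Za-z]:\\\$Recycle\.Bin\\(S-1-5-(?:18|21-\d+-\d+-\d+-\d+))\\(\$[0-9a-f]{32})(?:\\|$)",
    re.IGNORECASE,
)


def find_recycle_bin_indicators(lines):
    """Map each $<32hex> folder name found under $Recycle.Bin to the sorted SIDs it appears under."""
    hits = defaultdict(set)
    for line in lines:
        m = ZA_PATTERN.match(line.strip())
        if m:
            sid, folder = m.group(1).upper(), m.group(2).lower()
            hits[folder].add(sid)
    return {folder: sorted(sids) for folder, sids in hits.items()}


def classify(hits):
    """'likely ZeroAccess' when the folder also lives under S-1-5-18 or under more than one SID,
    which is the pattern seen in this thread; a single user-SID hit is only 'review'."""
    verdicts = {}
    for folder, sids in hits.items():
        if SYSTEM_SID in sids or len(sids) > 1:
            verdicts[folder] = "likely ZeroAccess"
        else:
            verdicts[folder] = "review"
    return verdicts


def scan(lines):
    """Convenience wrapper: returns (hits, verdicts) for a list of log lines."""
    hits = find_recycle_bin_indicators(lines)
    return hits, classify(hits)


if __name__ == "__main__":
    hits, verdicts = scan(SAMPLE_LOG_LINES)
    for folder, sids in hits.items():
        print(f"{verdicts[folder]}: {folder} under {', '.join(sids)}")
```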

 
 


#9 gapdong

gapdong
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 20 October 2014 - 02:06 PM

-If we want to see if other computers are infected, do we need to run a scan on each computer separately?

-What is the Windows CD that's required for reformatting? I don't know if I have one... What is it called?



#10 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,115 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:02:03 AM

Posted 20 October 2014 - 02:19 PM

- Yes.
- The cover may say "Windows Vista" or something like that.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

 
 


#11 gapdong

gapdong
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 21 October 2014 - 11:30 PM

I wasn't able to find the Vista CD so I think I will have to opt for clearing the malware. I followed your instructions and the logs are below:

 

# AdwCleaner v4.001 - Report created 21/10/2014 at 20:29:00
# DB v
# Updated 20/10/2014 by Xplode
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Joanne - JOANNE-PC
# Running from : C:\Users\Joanne\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Users\Joanne\AppData\Local\Babylon
Folder Deleted : C:\Users\Joanne\AppData\Roaming\Babylon
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Users\Joanne\AppData\Local\Conduit
Folder Deleted : C:\Users\Joanne\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\2yhak9g0.default\ConduitCommon
Folder Deleted : C:\Users\Joanne\AppData\LocalLow\uTorrentBar

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bejbohlohkkgompgecdcbbglkpjfjgdj
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2786678
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{13086CD4-88B6-45E3-9182-3BC2664199F7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1FCD7139-C2A3-49AD-8B9E-E82E48AE5DF6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{319FCB76-1568-4EFA-863B-B03A2B16EB5C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4796719D-2B92-47BC-920B-77BCDBDBCB6A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{64A66B25-A70F-4373-95EF-3A1DB6040B3A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6DDA37BA-0553-499A-AE0D-BEBA67204548}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6FC5F7E0-D65A-465C-B8EE-A5F8E008D6DF}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{731D436C-464C-4F29-BFB2-DE9C458535AE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7C89C8A6-991C-4626-9E26-B12EB4D89C04}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EEF00686-CAB8-4885-9CCB-78FF483041AA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FDA55C78-736E-4E8A-996C-4A80FC0396FB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{A97B89CD-B65C-49DD-AF46-2B772C627456}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BCC2EF79-6F39-40C7-B455-C4A8899DD0AA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B3704E8D-8C40-4BD6-B82A-B02517D314AC}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\uTorrentBar
Key Deleted : HKLM\SOFTWARE\Babylon
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\uTorrentBar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00B2-0409-0000-0000000FF1CE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{90120000-00B2-0409-0000-0000000FF1CE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16450


-\\ Mozilla Firefox v16.0.2 (en-US)

[2yhak9g0.default] - Line Deleted : user_pref("CT2786678..clientLogIsEnabled", false);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678..clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asmx/ReportDiagnosticsEvent");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678..uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/RegisterToolbarUninstallation");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.ALLOW_SHOWING_HIDDEN_TOOLBAR", false);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.BrowserCompStateIsOpen_129579220236217502", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.CTID", "CT2786678");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.CurrentServerDate", "13-5-2012");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.DSInstall", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.DialogsAlignMode", "LTR");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.DialogsGetterLastCheckTime", "Sat May 12 2012 19:09:43 GMT-0700 (Pacific Daylight Time)");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.DownloadReferralCookieData", "");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.FirstServerDate", "13-5-2012");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.FirstTime", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.FirstTimeFF3", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.FirstTimeHiddenVer", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.FixPageNotFoundErrors", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.GroupingServerCheckInterval", 1440);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.HPInstall", false);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.HasUserGlobalKeys", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.Initialize", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.InitializeCommonPrefs", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.InstallationAndCookieDataSentCount", 1);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.InstallationType", "Unknown");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.InstalledDate", "Sat May 12 2012 19:09:43 GMT-0700 (Pacific Daylight Time)");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.IsGrouping", false);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.IsInitSetupIni", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.IsMulticommunity", false);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.IsOpenThankYouPage", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.IsOpenUninstallPage", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.LanguagePackLastCheckTime", "Sat May 12 2012 19:09:43 GMT-0700 (Pacific Daylight Time)");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.LanguagePackReloadIntervalMM", 1440);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.LastLogin_3.12.2.3", "Sat May 12 2012 19:09:44 GMT-0700 (Pacific Daylight Time)");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.LatestVersion", "3.12.2.3");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.Locale", "en");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.MCDetectTooltipHeight", "83");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.MCDetectTooltipWidth", "295");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.MyStuffEnabledAtInstallation", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.OriginalFirstVersion", "3.12.2.3");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.SearchCaption", "uTorrentBar Customized Web Search");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.SearchFromAddressBarIsInit", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.SearchInNewTabEnabled", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.SearchInNewTabIntervalMM", 1440);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.SearchInNewTabLastCheckTime", "Sat May 12 2012 19:09:44 GMT-0700 (Pacific Daylight Time)");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_TOOLBAR_ID");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.SendProtectorDataViaLogin", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.ServiceMapLastCheckTime", "Sat May 12 2012 19:09:42 GMT-0700 (Pacific Daylight Time)");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.SettingsLastCheckTime", "Sat May 12 2012 19:09:42 GMT-0700 (Pacific Daylight Time)");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.SettingsLastUpdate", "1334663249");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.TBHomePageUrl", "hxxp://search.conduit.com/?ctid=CT2786678&SearchSource=13");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.ToolbarShrinkedFromSetup", false);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.TrusteLinkUrl", "hxxp://trust.conduit.com/CT2786678");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.TrustedApiDomains", "conduit.com,conduit-hosting.com,conduit-services.com,client.conduit-storage.com,OurToolbar.com,CommunityToolbars.com,ForumToolbar.com,MyBlogToolbar.com,MyCity[...]
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.UserID", "UN33316873118974744");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.alertChannelId", "1178763");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.homepageProtectorEnableByLogin", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.initDone", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.myStuffEnabled", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.myStuffPublihserMinWidth", 400);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOrigin=29&ctid=EB_TOOLBAR_ID&octid=EB_ORIGINAL_CTID");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.myStuffServiceIntervalMM", 1440);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?ComponentId=EB_MY_STUFF_INSTANCE_GUID&lut=EB_MY_STUFF_LUT");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.navigateToUrlOnSearch", false);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.revertSettingsEnabled", false);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.searchProtectorDialogDelayInSec", 10);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.searchProtectorEnableByLogin", true);
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.testingCtid", "");
[2yhak9g0.default] - Line Deleted : user_pref("CT2786678.toolbarAppMetaDataLastCheckTime", "Sat May 12 2012 19:09:43 GMT-0700 (Pacific Daylight Time)");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.ConduitSearchList", "uTorrentBar Customized Web Search");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.LatestLibsPath", "file:///C:\\Users\\Joanne\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\2yhak9g0.default\\conduitCommon\\modules\\3.9.0.3");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.LatestToolbarVersionInstalled", "3.9.0.3");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=937811&p=");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2786678");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2786678");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.ToolbarsList4", "CT2786678");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.globalUserId", "88ca730e-96ef-4322-be1c-6130f2fa4c46");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.isAlertUrlAddedToFeedItemTable", true);
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.isClickActionAddedToFeedItemTable", true);
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.keywordURLSelectedCTID", "CT2786678");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.notifications.locale", "");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.notifications.loginIntervalMin", 0);
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.notifications.loginLastCheckTime", "Mon Jan 30 2012 11:35:29 GMT-0800 (Pacific Standard Time)");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.notifications.loginLastUpdateTime", "");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.notifications.servicesServerUrl", "hxxp://alert.services.conduit.com");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.notifications.userId", "f4dd3fcb-cbaa-4a47-ac8a-16bf38db3597");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.originalHomepage", "hxxp://www.google.com/");
[2yhak9g0.default] - Line Deleted : user_pref("CommunityToolbar.originalSearchEngine", "Search the web (Babylon)");
[2yhak9g0.default] - Line Deleted : user_pref("browser.babylon.HPOnNewTab", "search.babylon.com");
[2yhak9g0.default] - Line Deleted : user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");

*************************

AdwCleaner[R0].txt - [15101 octets] - [21/10/2014 20:21:23]
AdwCleaner[S0].txt - [15304 octets] - [21/10/2014 20:29:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [15365 octets] ##########

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/21/2014
Scan Time: 8:34:00 PM
Logfile: mal.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.10.19.07
Rootkit Database: v2014.10.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Joanne

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 349846
Time Elapsed: 29 min, 32 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.21.2014:1)
OS: Windows Vista ™ Home Premium x86
Ran by Joanne on Tue 10/21/2014 at 21:09:30.21
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{64D07515-4B58-4CE1-86C9-F9408DABED5F}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{408612A3-1FEB-406F-9AB1-229E891F718C}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{64D07515-4B58-4CE1-86C9-F9408DABED5F}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\ytd video downloader"
Successfully deleted: [Folder] "C:\Users\Joanne\Local Settings\Application Data\tempdir"
Successfully deleted: [Folder] "C:\Program Files\free youtube downloader"
Successfully deleted: [Folder] "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ytd video downloader"



~~~ FireFox

Successfully deleted: [File] C:\user.js
Emptied folder: C:\Users\Joanne\AppData\Roaming\mozilla\firefox\profiles\2yhak9g0.default\minidumps [36 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 10/21/2014 at 21:20:53.61
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-10-2014
Ran by Joanne (administrator) on JOANNE-PC on 21-10-2014 21:24:20
Running from C:\Users\Joanne\Desktop
Loaded Profile: Joanne (Available profiles: IUSR_NMPR & Joanne)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\WINDOWS\System32\SLsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Program Files\Paragon Software\HFS+ for Windows  9.0\apmwinsrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(Conexant Systems, Inc.) C:\WINDOWS\System32\drivers\XAudio.exe
(Hewlett-Packard Company) C:\hp\support\hpsysdrv.exe
(Realtek Semiconductor) C:\WINDOWS\RtHDVCpl.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
(Intel Corporation) C:\WINDOWS\System32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\System32\igfxpers.exe
(Intel Corporation) C:\WINDOWS\System32\igfxsrvc.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(RealNetworks, Inc.) C:\Program Files\Real\realplayer\Update\realsched.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehmsas.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehsched.exe
(Microsoft Corporation) C:\WINDOWS\System32\dllhost.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehrecvr.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
(Microsoft Corporation) C:\WINDOWS\System32\wbem\unsecapp.exe
(Hewlett-Packard Company) C:\hp\KBD\kbd.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\hp\support\hpsysdrv.exe [65536 2006-09-28] (Hewlett-Packard Company)
HKLM\...\Run: [KBD] => C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4874240 2008-01-15] (Realtek Semiconductor)
HKLM\...\Run: [CCUTRAYICON] => FactoryMode
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] => "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [178712 2008-06-02] (Intel Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-28] (AVAST Software)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-05-15] (Apple Inc.)
HKLM\...\Run: [TkBellExe] => c:\program files\real\realplayer\Update\realsched.exe [295512 2014-07-02] (RealNetworks, Inc.)
HKLM\...\RunOnce: [AvgUninstallURL] => cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNjIzNDc4MDU4LVRCOSsyLUZMKzktWE8zNisxLUY5TTdDKzMtUUlYMSs0LVgyM (the data entry has 140 more characters).
HKLM\...\RunOnce: [Launcher] => C:\Windows\SMINST\launcher.exe [44168 2007-03-07] (soft thinks)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {110667a2-2276-11df-9890-001bfcb4bc9d} - F:\LaunchU3.exe
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {736cbb7b-f5cb-11de-add6-001bfcb4bc9d} - F:\LaunchU3.exe -a
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {d4ec1971-b430-11de-aae6-001bfcb4bc9d} - J:\LaunchU3.exe -a
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {df0f3a5e-cae4-11de-89cf-001bfcb4bc9d} - J:\LaunchU3.exe -a
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...409d6c4515e9\InprocServer32: [Default-shell32] shell32.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\InprocServer32: [Default-pngfilt]  <==== ATTENTION!

HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Joanne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com?fr=hp-avast&type=avastbcl
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.yahoo.com?fr=hp-avast&type=avastbcl
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com?fr=hp-avast&type=avastbcl
SearchScopes: HKLM - {4ACCB679-8DC7-493D-8B70-0691A45ADA0A} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKCU - {408612A3-1FEB-406F-9AB1-229E891F718C} URL =
SearchScopes: HKCU - {4ACCB679-8DC7-493D-8B70-0691A45ADA0A} URL =
SearchScopes: HKCU - {A1CF9762-0C20-4403-B139-DD71675279FA} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7RNTN_en
SearchScopes: HKCU - {C86E956C-E62C-4EB4-90CB-36AEF1F014B1} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\2yhak9g0.default
FF DefaultSearchEngine: Yahoo! (Avast)
FF DefaultSearchUrl: https://search.yahoo.com/yhs/search
FF SearchEngineOrder.1: Yahoo! (Avast)
FF SelectedSearchEngine: Yahoo! (Avast)
FF Homepage: https://www.yahoo.com?fr=hp-avast&type=avastbcl
FF Keyword.URL: https://search.yahoo.com/yhs/search
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=1.6.0_35 -> C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin: @real.com/RhapsodyPlayerEngine,version=1.0 -> C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpplugin.dll (RealPlayer)
FF SearchPlugin: C:\Users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\2yhak9g0.default\searchplugins\yahoo-avast.xml
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\2yhak9g0.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2012-06-15]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-06-30]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-09-01]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-10-05]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-09-02]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2011-08-28]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKCU\...\Firefox\Extensions: [{882D0169-B598-4EFA-829E-6FF753248379}] - C:\Users\Joanne\AppData\Local\{882D0169-B598-4EFA-829E-6FF753248379}
FF Extension: XULRunner - C:\Users\Joanne\AppData\Local\{882D0169-B598-4EFA-829E-6FF753248379} [2010-12-08]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-08-28]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AlertService; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [188416 2006-09-11] (Intel® Corporation) [File not signed]
R2 apmwinsrv; C:\Program Files\Paragon Software\HFS+ for Windows  9.0\apmwinsrv.exe [65328 2012-04-04] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-08-28] (AVAST Software)
R2 DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [208896 2006-09-03] () [File not signed]
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-03-13] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [131072 2007-03-13] (Hewlett-Packard Co.) [File not signed]
S3 IDriverT; c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S2 IntelDHSvcConf; C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [29696 2006-05-10] (Intel® Corporation) [File not signed]
S3 ISSM; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [75264 2006-09-11] (Intel® Corporation) [File not signed]
R2 LightScribeService; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2007-01-17] (Hewlett-Packard Company) [File not signed]
S3 M1 Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [26624 2006-08-31] () [File not signed]
S3 MCLServiceATL; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [167936 2006-09-11] (Intel® Corporation) [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S3 Remote UI Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [544256 2006-09-11] (Intel® Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 apmwin; C:\Windows\System32\DRIVERS\apmwin.sys [43056 2012-04-04] (Paragon Software Group)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-08-28] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67824 2014-08-28] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [55112 2014-08-28] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-08-28] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [779536 2014-08-28] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [414520 2014-08-28] (AVAST Software)
R1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57800 2014-08-28] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [192352 2014-08-28] ()
R0 gpt_loader; C:\Windows\System32\DRIVERS\gpt_loader.sys [44976 2012-04-04] (Paragon Software Group)
R3 hcw18bda; C:\Windows\System32\drivers\hcw18bda.sys [354432 2007-01-15] (Hauppauge Computer Works, Inc)
S3 Hfsplus; C:\Windows\System32\DRIVERS\hfsplus.sys [165680 2012-04-04] (Paragon Software Group)
R2 HfsplusRec; C:\Windows\System32\DRIVERS\hfsplusrec.sys [15152 2012-04-04] (Paragon Software Group)
R0 mounthlp; C:\Windows\System32\DRIVERS\mounthlp.sys [34096 2012-04-04] (Paragon Software Group)
S3 netr73; C:\Windows\System32\DRIVERS\WUSB54GCx86.sys [256000 2007-03-12] (Ralink Technology Inc.)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [41984 2010-09-28] (Apple, Inc.) [File not signed]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 Lavasoft Kernexplorer; \??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys [X]
S0 Lbd; system32\DRIVERS\Lbd.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-21 21:20 - 2014-10-21 21:20 - 00001601 _____ () C:\Users\Joanne\Desktop\JRT.txt
2014-10-21 21:09 - 2014-10-21 21:09 - 00000000 ____D () C:\Windows\ERUNT
2014-10-21 21:04 - 2014-10-21 21:04 - 00001058 _____ () C:\Users\Joanne\Desktop\mal.txt
2014-10-21 20:32 - 2014-10-21 20:32 - 00015446 _____ () C:\Users\Joanne\Desktop\AdwCleaner[S0].txt
2014-10-21 20:21 - 2014-10-21 20:29 - 00000000 ____D () C:\AdwCleaner
2014-10-21 20:19 - 2014-10-21 13:44 - 01962496 _____ () C:\Users\Joanne\Desktop\AdwCleaner.exe
2014-10-21 20:19 - 2014-10-21 11:25 - 01706144 _____ (Thisisu) C:\Users\Joanne\Desktop\JRT.exe
2014-10-19 21:21 - 2014-10-19 21:24 - 00033521 _____ () C:\Users\Joanne\Desktop\Addition.txt
2014-10-19 21:20 - 2014-10-21 21:24 - 00020258 _____ () C:\Users\Joanne\Desktop\FRST.txt
2014-10-19 21:20 - 2014-10-21 21:24 - 00000000 ____D () C:\FRST
2014-10-19 21:18 - 2014-10-19 21:18 - 01103360 _____ (Farbar) C:\Users\Joanne\Desktop\FRST.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-21 21:13 - 2006-11-02 03:33 - 00707794 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-21 21:07 - 2006-11-02 05:37 - 00000000 ___RD () C:\Users\Public\Recorded TV
2014-10-21 21:06 - 2014-09-16 18:09 - 00000380 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Joanne.job
2014-10-21 21:06 - 2010-03-07 13:00 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-21 21:06 - 2007-05-15 00:59 - 00000000 ____D () C:\Windows\SMINST
2014-10-21 21:06 - 2006-11-02 06:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-21 21:06 - 2006-11-02 05:47 - 00003568 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-21 21:06 - 2006-11-02 05:47 - 00003568 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-21 21:05 - 2012-11-21 14:41 - 00007674 _____ () C:\Windows\WindowsUpdate.log
2014-10-21 21:05 - 2006-11-02 06:01 - 00032622 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-21 21:04 - 2014-06-08 10:59 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-21 20:56 - 2010-03-07 13:00 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-21 20:42 - 2012-06-15 21:10 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-21 20:34 - 2014-06-08 11:00 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-21 20:30 - 2013-09-20 17:01 - 00174284 _____ () C:\Windows\PFRO.log
2014-10-21 20:19 - 2012-11-21 14:38 - 00002679 _____ () C:\Windows\setupact.log
2014-10-19 21:10 - 2006-11-02 04:18 - 00000000 ____D () C:\Windows\tapi
2014-10-19 18:38 - 2014-09-16 18:09 - 00000370 _____ () C:\Windows\Tasks\ReclaimerUpdateXML_Joanne.job
2014-10-19 13:14 - 2014-09-16 18:09 - 00000374 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_Joanne.job
2014-10-17 20:02 - 2013-05-15 18:41 - 00000966 _____ () C:\Users\Joanne\Desktop\Rkill.txt
2014-10-15 19:12 - 2012-02-06 08:19 - 00000384 _____ () C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2014-09-23 20:42 - 2012-06-15 21:10 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-09-23 20:42 - 2011-12-01 19:27 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

Files to move or delete:
====================
C:\ProgramData\0tbpw.pad


Some content of TEMP:
====================
C:\Users\Joanne\AppData\Local\Temp\3zc993kz.dll
C:\Users\Joanne\AppData\Local\Temp\lowproc.exe
C:\Users\Joanne\AppData\Local\Temp\nfiioeal.dll
C:\Users\Joanne\AppData\Local\Temp\pohqedwc.dll
C:\Users\Joanne\AppData\Local\Temp\qmut6ubn.dll
C:\Users\Joanne\AppData\Local\Temp\sqlite3.dll
C:\Users\Joanne\AppData\Local\Temp\stubhelper.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-21 21:20

==================== End Of Log ============================

#12 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,115 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:02:03 AM

Posted 22 October 2014 - 09:30 AM

First,
  • Please download the attached fixlist.txt file and save it to the same location as FRST.
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location, or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run.
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run from; please post it in your reply.
Next,
  • Run FRST. (If you have Windows Vista / Windows 7 / Windows 8, please right-click on the FRST icon and select Run as Administrator.)
  • Click Scan to start FRST.
  • When FRST finishes scanning, a log, FRST.txt, will open.
  • Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post, please.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.

#13 gapdong

gapdong
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:11:03 PM

Posted 23 October 2014 - 01:36 AM

Followed your instructions. I also got an error that read "The Recycle Bin on C:\ is corrupted. Do you want to empty the Recycle Bin for this drive" when the Fix was running.

Below are the logs:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 19-10-2014
Ran by Joanne at 2014-10-22 22:29:59 Run:1
Running from C:\Users\Joanne\Desktop
Loaded Profile: Joanne (Available profiles: IUSR_NMPR & Joanne)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM\...\Run: [CCUTRAYICON] => FactoryMode
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {110667a2-2276-11df-9890-001bfcb4bc9d} - F:\LaunchU3.exe
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {736cbb7b-f5cb-11de-add6-001bfcb4bc9d} - F:\LaunchU3.exe -a
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {d4ec1971-b430-11de-aae6-001bfcb4bc9d} - J:\LaunchU3.exe -a
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\MountPoints2: {df0f3a5e-cae4-11de-89cf-001bfcb4bc9d} - J:\LaunchU3.exe -a
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...409d6c4515e9\InprocServer32: [Default-shell32] shell32.dll ATTENTION! ====> ZeroAccess?
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\InprocServer32: [Default-pngfilt]  <==== ATTENTION!
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com?fr=hp-avast&type=avastbcl
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.yahoo.com?fr=hp-avast&type=avastbcl
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com?fr=hp-avast&type=avastbcl
SearchScopes: HKLM - {4ACCB679-8DC7-493D-8B70-0691A45ADA0A} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=hp-pvdt
SearchScopes: HKCU - {408612A3-1FEB-406F-9AB1-229E891F718C} URL =
SearchScopes: HKCU - {4ACCB679-8DC7-493D-8B70-0691A45ADA0A} URL =
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
FF DefaultSearchEngine: Yahoo! (Avast)
FF DefaultSearchUrl: https://search.yahoo.com/yhs/search
FF SearchEngineOrder.1: Yahoo! (Avast)
FF SelectedSearchEngine: Yahoo! (Avast)
FF Homepage: https://www.yahoo.com?fr=hp-avast&type=avastbcl
FF Keyword.URL: https://search.yahoo.com/yhs/search
C:\ProgramData\0tbpw.pad
C:\Users\Joanne\AppData\Local\Temp\3zc993kz.dll
C:\Users\Joanne\AppData\Local\Temp\lowproc.exe
C:\Users\Joanne\AppData\Local\Temp\nfiioeal.dll
C:\Users\Joanne\AppData\Local\Temp\pohqedwc.dll
C:\Users\Joanne\AppData\Local\Temp\qmut6ubn.dll
C:\Users\Joanne\AppData\Local\Temp\sqlite3.dll
C:\Users\Joanne\AppData\Local\Temp\stubhelper.dll
EmptyTemp:
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\CCUTRAYICON => value deleted successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
"HKU\S-1-5-21-3104870216-2912995691-283130738-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{110667a2-2276-11df-9890-001bfcb4bc9d}" => Key deleted successfully.
"HKCR\CLSID\{110667a2-2276-11df-9890-001bfcb4bc9d}" => Key not found.
"HKU\S-1-5-21-3104870216-2912995691-283130738-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{736cbb7b-f5cb-11de-add6-001bfcb4bc9d}" => Key deleted successfully.
"HKCR\CLSID\{736cbb7b-f5cb-11de-add6-001bfcb4bc9d}" => Key not found.
"HKU\S-1-5-21-3104870216-2912995691-283130738-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d4ec1971-b430-11de-aae6-001bfcb4bc9d}" => Key deleted successfully.
"HKCR\CLSID\{d4ec1971-b430-11de-aae6-001bfcb4bc9d}" => Key not found.
"HKU\S-1-5-21-3104870216-2912995691-283130738-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{df0f3a5e-cae4-11de-89cf-001bfcb4bc9d}" => Key deleted successfully.
"HKCR\CLSID\{df0f3a5e-cae4-11de-89cf-001bfcb4bc9d}" => Key not found.
"HKU\S-1-5-21-3104870216-2912995691-283130738-1001\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}" => Key deleted successfully.
"HKU\S-1-5-21-3104870216-2912995691-283130738-1001\Software\Classes\CLSID\{A3CCEDF7-2DE2-11D0-86F4-00A0C913F750}" => Key deleted successfully.
"HKU\S-1-5-21-3104870216-2912995691-283130738-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-3104870216-2912995691-283130738-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Search Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\Main\\Search Bar => value deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4ACCB679-8DC7-493D-8B70-0691A45ADA0A}" => Key deleted successfully.
"HKCR\CLSID\{4ACCB679-8DC7-493D-8B70-0691A45ADA0A}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{408612A3-1FEB-406F-9AB1-229E891F718C}" => Key deleted successfully.
"HKCR\CLSID\{408612A3-1FEB-406F-9AB1-229E891F718C}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4ACCB679-8DC7-493D-8B70-0691A45ADA0A}" => Key deleted successfully.
"HKCR\CLSID\{4ACCB679-8DC7-493D-8B70-0691A45ADA0A}" => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
Firefox DefaultSearchEngine deleted successfully.
Firefox DefaultSearchUrl deleted successfully.
Firefox SearchEngineOrder.1 deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
Firefox homepage deleted successfully.
Firefox Keyword.URL deleted successfully.
C:\ProgramData\0tbpw.pad => Moved successfully.
C:\Users\Joanne\AppData\Local\Temp\3zc993kz.dll => Moved successfully.
C:\Users\Joanne\AppData\Local\Temp\lowproc.exe => Moved successfully.
C:\Users\Joanne\AppData\Local\Temp\nfiioeal.dll => Moved successfully.
C:\Users\Joanne\AppData\Local\Temp\pohqedwc.dll => Moved successfully.
C:\Users\Joanne\AppData\Local\Temp\qmut6ubn.dll => Moved successfully.
C:\Users\Joanne\AppData\Local\Temp\sqlite3.dll => Moved successfully.
C:\Users\Joanne\AppData\Local\Temp\stubhelper.dll => Moved successfully.
EmptyTemp: => Removed 10.9 GB temporary data.


The system needed a reboot.

==== End of Fixlog ====

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 19-10-2014
Ran by Joanne (administrator) on JOANNE-PC on 22-10-2014 23:30:59
Running from C:\Users\Joanne\Desktop
Loaded Profile: Joanne (Available profiles: IUSR_NMPR & Joanne)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\WINDOWS\System32\SLsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
() C:\Program Files\Paragon Software\HFS+ for Windows  9.0\apmwinsrv.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(Conexant Systems, Inc.) C:\WINDOWS\System32\drivers\XAudio.exe
(Microsoft Corporation) C:\WINDOWS\System32\mobsync.exe
(Hewlett-Packard Company) C:\hp\support\hpsysdrv.exe
(Realtek Semiconductor) C:\WINDOWS\RtHDVCpl.exe
(Hewlett-Packard Co.) C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
(Intel Corporation) C:\WINDOWS\System32\hkcmd.exe
(Intel Corporation) C:\WINDOWS\System32\igfxpers.exe
(Intel Corporation) C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Intel Corporation) C:\WINDOWS\System32\igfxsrvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(RealNetworks, Inc.) C:\Program Files\Real\realplayer\Update\realsched.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehtray.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehmsas.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehsched.exe
(Microsoft Corporation) C:\WINDOWS\ehome\ehrecvr.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
(Microsoft Corporation) C:\WINDOWS\System32\wbem\unsecapp.exe
(Hewlett-Packard Company) C:\hp\KBD\kbd.exe
(Microsoft Corporation) C:\WINDOWS\System32\wuauclt.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\hp\support\hpsysdrv.exe [65536 2006-09-28] (Hewlett-Packard Company)
HKLM\...\Run: [KBD] => C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4874240 2008-01-15] (Realtek Semiconductor)
HKLM\...\Run: [HP Software Update] => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM\...\Run: [Malwarebytes Anti-Malware (reboot)] => "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
HKLM\...\Run: [IAAnotif] => C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [178712 2008-06-02] (Intel Corporation)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [43848 2014-02-12] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2011-10-24] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [4085896 2014-08-28] (AVAST Software)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2014-05-15] (Apple Inc.)
HKLM\...\Run: [TkBellExe] => c:\program files\real\realplayer\Update\realsched.exe [295512 2014-07-02] (RealNetworks, Inc.)
HKLM\...\RunOnce: [AvgUninstallURL] => cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNjIzNDc4MDU4LVRCOSsyLUZMKzktWE8zNisxLUY5TTdDKzMtUUlYMSs0LVgyM (the data entry has 140 more characters).
HKLM\...\RunOnce: [Launcher] => C:\Windows\SMINST\launcher.exe [44168 2007-03-07] (soft thinks)
HKU\S-1-5-19\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-20\...\Run: [WindowsWelcomeCenter] => rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\S-1-5-21-3104870216-2912995691-283130738-1001\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Joanne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

SearchScopes: HKCU - {A1CF9762-0C20-4403-B139-DD71675279FA} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}&rlz=1I7RNTN_en
SearchScopes: HKCU - {C86E956C-E62C-4EB4-90CB-36AEF1F014B1} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
BHO: RealPlayer Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF ProfilePath: C:\Users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\2yhak9g0.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=1.6.0_35 -> C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
FF Plugin: @java.com/JavaPlugin -> C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @real.com/nppl3260;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpchromebrowserrecordext;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprphtml5videoshim;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprpplugin;version=16.0.3.51 -> c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin: @real.com/RhapsodyPlayerEngine,version=1.0 -> C:\Program Files\Real\RhapsodyPlayerEngine\nprhapengine.dll (RealNetworks, Inc.)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppl3260.dll (RealNetworks, Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nprpplugin.dll (RealPlayer)
FF SearchPlugin: C:\Users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\2yhak9g0.default\searchplugins\yahoo-avast.xml
FF Extension: Microsoft .NET Framework Assistant - C:\Users\Joanne\AppData\Roaming\Mozilla\Firefox\Profiles\2yhak9g0.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b}.xpi [2012-06-15]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-06-30]
FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2012-09-01]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-10-05]
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-09-02]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2011-08-28]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKCU\...\Firefox\Extensions: [{882D0169-B598-4EFA-829E-6FF753248379}] - C:\Users\Joanne\AppData\Local\{882D0169-B598-4EFA-829E-6FF753248379}
FF Extension: XULRunner - C:\Users\Joanne\AppData\Local\{882D0169-B598-4EFA-829E-6FF753248379} [2010-12-08]

Chrome:
=======
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-08-28]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AlertService; C:\Program Files\Intel\IntelDH\CCU\AlertService.exe [188416 2006-09-11] (Intel® Corporation) [File not signed]
R2 apmwinsrv; C:\Program Files\Paragon Software\HFS+ for Windows  9.0\apmwinsrv.exe [65328 2012-04-04] ()
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-08-28] (AVAST Software)
R2 DQLWinService; C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe [208896 2006-09-03] () [File not signed]
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [225280 2007-03-13] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [131072 2007-03-13] (Hewlett-Packard Co.) [File not signed]
S3 IDriverT; c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [73728 2004-10-22] (Macrovision Corporation) [File not signed]
S2 IntelDHSvcConf; C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe [29696 2006-05-10] (Intel® Corporation) [File not signed]
S3 ISSM; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe [75264 2006-09-11] (Intel® Corporation) [File not signed]
R2 LightScribeService; c:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2007-01-17] (Hewlett-Packard Company) [File not signed]
S3 M1 Server; C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe [26624 2006-08-31] () [File not signed]
S3 MCLServiceATL; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe [167936 2006-09-11] (Intel® Corporation) [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-08-06] (Hewlett-Packard) [File not signed]
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
S3 Remote UI Service; C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe [544256 2006-09-11] (Intel® Corporation) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R0 apmwin; C:\Windows\System32\DRIVERS\apmwin.sys [43056 2012-04-04] (Paragon Software Group)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [24184 2014-08-28] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67824 2014-08-28] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr.sys [55112 2014-08-28] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-08-28] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [779536 2014-08-28] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [414520 2014-08-28] (AVAST Software)
R1 aswTdi; C:\Windows\system32\drivers\aswTdi.sys [57800 2014-08-28] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [192352 2014-08-28] ()
R0 gpt_loader; C:\Windows\System32\DRIVERS\gpt_loader.sys [44976 2012-04-04] (Paragon Software Group)
R3 hcw18bda; C:\Windows\System32\drivers\hcw18bda.sys [354432 2007-01-15] (Hauppauge Computer Works, Inc)
S3 Hfsplus; C:\Windows\System32\DRIVERS\hfsplus.sys [165680 2012-04-04] (Paragon Software Group)
R2 HfsplusRec; C:\Windows\System32\DRIVERS\hfsplusrec.sys [15152 2012-04-04] (Paragon Software Group)
R0 mounthlp; C:\Windows\System32\DRIVERS\mounthlp.sys [34096 2012-04-04] (Paragon Software Group)
S3 netr73; C:\Windows\System32\DRIVERS\WUSB54GCx86.sys [256000 2007-03-12] (Ralink Technology Inc.)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [41984 2010-09-28] (Apple, Inc.) [File not signed]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 Lavasoft Kernexplorer; \??\C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys [X]
S0 Lbd; system32\DRIVERS\Lbd.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]

==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-21 21:25 - 2014-10-21 21:25 - 00025128 _____ () C:\Users\Joanne\Desktop\FRST1.txt
2014-10-21 21:20 - 2014-10-21 21:20 - 00001601 _____ () C:\Users\Joanne\Desktop\JRT.txt
2014-10-21 21:09 - 2014-10-21 21:09 - 00000000 ____D () C:\Windows\ERUNT
2014-10-21 21:04 - 2014-10-21 21:04 - 00001058 _____ () C:\Users\Joanne\Desktop\mal.txt
2014-10-21 20:32 - 2014-10-21 20:32 - 00015446 _____ () C:\Users\Joanne\Desktop\AdwCleaner[S0].txt
2014-10-21 20:21 - 2014-10-21 20:29 - 00000000 ____D () C:\AdwCleaner
2014-10-21 20:19 - 2014-10-21 13:44 - 01962496 _____ () C:\Users\Joanne\Desktop\AdwCleaner.exe
2014-10-21 20:19 - 2014-10-21 11:25 - 01706144 _____ (Thisisu) C:\Users\Joanne\Desktop\JRT.exe
2014-10-19 21:21 - 2014-10-19 21:24 - 00033521 _____ () C:\Users\Joanne\Desktop\Addition.txt
2014-10-19 21:20 - 2014-10-22 23:31 - 00000000 ____D () C:\FRST
2014-10-19 21:20 - 2014-10-22 23:30 - 00017784 _____ () C:\Users\Joanne\Desktop\FRST.txt
2014-10-19 21:18 - 2014-10-19 21:18 - 01103360 _____ (Farbar) C:\Users\Joanne\Desktop\FRST.exe

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-22 23:30 - 2006-11-02 03:33 - 00707794 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-22 23:29 - 2012-11-21 14:41 - 00035617 _____ () C:\Windows\WindowsUpdate.log
2014-10-22 23:26 - 2006-11-02 05:37 - 00000000 ___RD () C:\Users\Public\Recorded TV
2014-10-22 23:25 - 2007-05-15 00:59 - 00000000 ____D () C:\Windows\SMINST
2014-10-22 23:24 - 2014-09-16 18:09 - 00000380 _____ () C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_Joanne.job
2014-10-22 23:24 - 2013-09-20 17:01 - 00614462 _____ () C:\Windows\PFRO.log
2014-10-22 23:24 - 2010-03-07 13:00 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-22 23:24 - 2006-11-02 06:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-22 23:24 - 2006-11-02 05:47 - 00003568 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-22 23:24 - 2006-11-02 05:47 - 00003568 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-22 23:23 - 2006-11-02 06:01 - 00032622 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-22 22:57 - 2010-03-07 13:00 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-22 22:42 - 2012-06-15 21:10 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-21 21:27 - 2009-10-04 18:32 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-10-21 21:04 - 2014-06-08 10:59 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-21 20:34 - 2014-06-08 11:00 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-21 20:19 - 2012-11-21 14:38 - 00002679 _____ () C:\Windows\setupact.log
2014-10-19 21:10 - 2006-11-02 04:18 - 00000000 ____D () C:\Windows\tapi
2014-10-19 18:38 - 2014-09-16 18:09 - 00000370 _____ () C:\Windows\Tasks\ReclaimerUpdateXML_Joanne.job
2014-10-19 13:14 - 2014-09-16 18:09 - 00000374 _____ () C:\Windows\Tasks\ReclaimerUpdateFiles_Joanne.job
2014-10-17 20:02 - 2013-05-15 18:41 - 00000966 _____ () C:\Users\Joanne\Desktop\Rkill.txt
2014-10-15 19:12 - 2012-02-06 08:19 - 00000384 _____ () C:\Windows\Tasks\Ad-Aware Update (Weekly).job
2014-09-23 20:42 - 2012-06-15 21:10 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-09-23 20:42 - 2011-12-01 19:27 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-22 23:30

==================== End Of Log ============================



#14 gapdong

gapdong
  • Topic Starter

  • Members
  • 33 posts

Posted 23 October 2014 - 01:38 AM

And also, my firewall doesn't turn on. I'm not sure if it's the result of the malware...


Edited by gapdong, 23 October 2014 - 01:42 AM.


#15 Machiavelli

Machiavelli

    Agent 007


  • Malware Response Instructor
  • 4,115 posts
  • Gender:Male
  • Location:Germany

Posted 23 October 2014 - 07:10 AM

Please download Farbar Service Scanner and run it on the computer with the issue. (If you have Windows Vista / Windows 7 / Windows 8, please right-click the FSS icon and select Run as Administrator.)
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

~Machiavelli

If I don't reply within 24 hours please PM me!

  • Every topic with no replies within 5 days will be closed.
  • If you like my help here please give me feedback.
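The "firewall doesn't turn on" symptom reported in the previous post is exactly what the Windows Firewall checkbox of FSS looks at: whether the firewall service and the services it depends on still exist, how they are set to start, and whether they are running. The PowerShell below is an added example for readers who want to see the same kind of check from a console; it is not part of this thread and not Farbar's tool. Which Windows service names sit behind each of the five FSS checkboxes is my assumption based on the purpose of each service, and the script reads only standard Windows sources (the Win32_Service WMI class and the Services registry key).

```powershell
# Added example; not part of the thread and not Farbar's FSS. For the service
# groups behind the five FSS checkboxes it reports whether each service exists,
# how it is configured to start, whether it is running, and whether its
# ServiceDll (for svchost-hosted services) is still present on disk.
# The grouping of service names under each FSS area is an assumption.

$FssAreas = @(
    @{ Name = 'Internet Services'; Services = @('Dhcp', 'Dnscache', 'nsi') },
    @{ Name = 'Windows Firewall';  Services = @('MpsSvc', 'BFE') },
    @{ Name = 'System Restore';    Services = @('VSS', 'swprv') },
    @{ Name = 'Security Center';   Services = @('wscsvc') },
    @{ Name = 'Windows Update';    Services = @('wuauserv', 'BITS') }
)

function Get-ServiceDllStatus {
    # Returns the expanded ServiceDll path tagged '(present)' or '(MISSING)',
    # or an empty string when the service has no ServiceDll value (exe-hosted).
    param([string]$ServiceName)
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.ServiceDll -eq $null) { return '' }
    $dll = [Environment]::ExpandEnvironmentVariables($props.ServiceDll)
    if (Test-Path -LiteralPath $dll) { return "$dll (present)" }
    return "$dll (MISSING)"
}

function Get-FssStyleReport {
    $rows = @()
    foreach ($area in $FssAreas) {
        foreach ($name in $area.Services) {
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
            if ($svc -eq $null) {
                # The service key itself is gone. A firewall whose MpsSvc or BFE
                # entry is missing cannot be switched on from the Control Panel
                # until the service is re-registered.
                $rows += New-Object PSObject -Property @{
                    Area = $area.Name; Service = $name; State = 'n/a'
                    StartMode = 'n/a'; ServiceDll = ''; Flag = 'SERVICE NOT FOUND' }
                continue
            }
            $flag = ''
            if ($svc.StartMode -eq 'Disabled') {
                $flag = 'start type Disabled'
            } elseif ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
                $flag = 'auto-start service not running'
            }
            $dll = Get-ServiceDllStatus -ServiceName $name
            if ($dll -like '*(MISSING)') { $flag = ($flag + ' ServiceDll missing').Trim() }
            $rows += New-Object PSObject -Property @{
                Area = $area.Name; Service = $name; State = $svc.State
                StartMode = $svc.StartMode; ServiceDll = $dll; Flag = $flag }
        }
    }
    return $rows
}

# Flag is empty for a healthy entry and non-empty for anything that needs
# attention, which mirrors how a helper reads an FSS log.
Get-FssStyleReport | Select-Object Area, Service, State, StartMode, ServiceDll, Flag |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt (the syntax is kept compatible with the PowerShell 2.0 that ships for Vista). A firewall service with start type Disabled, a missing service entry, or a ServiceDll that no longer exists on disk are the usual reasons the Windows Firewall refuses to start after an infection and clean-up, and FSS.txt is where the helper will see the same information for this machine.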
