Proxy settings PUP


  • This topic is locked
19 replies to this topic

#1 fistikuffs
Posted 28 January 2015 - 04:03 PM

Hi all,
 
My sister's laptop was absolutely full of adware/spyware trojans, you name it. Some application called winservice86 kept re-installing itself and her browser was essentially useless due to some nasty proxy redirect (127.0.0.1:50758). I noticed also that in the LAN connections tab there was a notice saying that "some settings are managed by your system administrator". I'm used to seeing this on domain machines which get their proxy settings through GPO, but this machine is not a member of any domain. To make matters worse, I'm in Ireland but she is in Scotland!!
 
I managed to sort out most of the problems (I think) using a combination of Malwarebytes/AdwCleaner and HitmanPro, but the proxy issue persists. I have looked for threads on BleepingComputer to see if I could resolve it, but the solutions seem to be specific to the individual users/PCs. So I'm opening this thread in the hope that someone can help me.
 
I'd greatly appreciate any assistance that anyone can give me. 
 
Here is the FRST log. I'll also attach the Addition.txt and the MBAM log from when it was really dirty, if that helps.
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-01-2015 01
Ran by Lorraine (administrator) on LORRAINE-PC on 28-01-2015 20:23:14
Running from C:\Users\Lorraine\Desktop
Loaded Profiles: Lorraine (Available profiles: Lorraine)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Vosteran)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Seiko Epson Corporation) C:\Windows\System32\escsvc.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON Software\Event Manager\EEventManager.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\w32x86\3\E_FATILFE.EXE
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\w32x86\3\E_FATILFE.EXE
(Google Inc.) C:\Users\Lorraine\AppData\Local\Google\Update\GoogleUpdate.exe
(BitTorrent Inc.) C:\Users\Lorraine\AppData\Roaming\uTorrent\uTorrent.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Desktop.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [974432 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [EEventManager] => C:\Program Files\Epson Software\Event Manager\EEventManager.exe [1065024 2014-05-02] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2348153390-1346638800-1696268739-1000\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATILFE.EXE [260160 2013-01-24] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2348153390-1346638800-1696268739-1000\...\Run: [EPLTarget\P0000000000000001] => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATILFE.EXE [260160 2013-01-24] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2348153390-1346638800-1696268739-1000\...\Run: [Google Update] => C:\Users\Lorraine\AppData\Local\Google\Update\GoogleUpdate.exe [107912 2014-10-23] (Google Inc.)
HKU\S-1-5-21-2348153390-1346638800-1696268739-1000\...\Run: [uTorrent] => C:\Users\Lorraine\AppData\Roaming\uTorrent\uTorrent.exe [1377872 2015-01-16] (BitTorrent Inc.)
AppInit_DLLs: C:/PROGRA~2/{D4053~1/171~1.0/caso.dll => C:/PROGRA~2/{D4053~1/171~1.0/caso.dll [649216 2015-01-25] ()
BootExecute: autocheck autochk * bootdelete
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:50758;https=127.0.0.1:50758
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:50758;https=127.0.0.1:50758
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
HKU\S-1-5-21-2348153390-1346638800-1696268739-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/en-ie/?ocid=iehp
SearchScopes: HKLM -> {80c554b9-c7f8-4a21-9471-06d606da78a2} URL = http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Easy Photo Print -> {9421DD08-935F-4701-A9CA-22DF90AC4EA6} -> C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
Toolbar: HKLM - Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION)
Toolbar: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
 
FireFox:
========
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.0.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2348153390-1346638800-1696268739-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\Lorraine\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKU\S-1-5-21-2348153390-1346638800-1696268739-1000: @talk.google.com/O1DPlugin -> C:\Users\Lorraine\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKU\S-1-5-21-2348153390-1346638800-1696268739-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Lorraine\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-2348153390-1346638800-1696268739-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Lorraine\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Lorraine\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Lorraine\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
 
Chrome: 
=======
CHR HKLM\...\Chrome\Extension: [gfkbfjcbkhnmiignagpkiijohkcdkffb] - No Path
StartMenuInternet: Google Chrome - chrome.exe
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 EpsonScanSvc; C:\Windows\system32\EscSvc.exe [126128 2012-05-17] (Seiko Epson Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22192 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [288120 2014-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 L1E; C:\Windows\System32\DRIVERS\L1E62x86.sys [47104 2009-07-13] (Atheros Communications, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [231800 2014-07-17] (Microsoft Corporation)
R3 MTsensor; C:\Windows\System32\DRIVERS\ATKACPI.sys [7680 2007-07-31] (ATK0100)
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-28 20:23 - 2015-01-28 20:23 - 00008914 _____ () C:\Users\Lorraine\Desktop\FRST.txt
2015-01-28 20:23 - 2015-01-28 20:23 - 00000000 ____D () C:\FRST
2015-01-28 20:20 - 2015-01-28 20:20 - 01121792 _____ (Farbar) C:\Users\Lorraine\Desktop\FRST.exe
2015-01-27 22:49 - 2015-01-27 22:49 - 00026204 _____ () C:\Windows\system32\.crusader
2015-01-27 22:38 - 2015-01-27 22:50 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-01-27 22:37 - 2015-01-27 21:12 - 10285456 _____ (SurfRight B.V.) C:\Users\Lorraine\Desktop\HitmanPro.exe
2015-01-27 20:49 - 2015-01-27 21:06 - 00000000 ____D () C:\AdwCleaner
2015-01-27 20:47 - 2015-01-27 20:47 - 02194432 _____ () C:\Users\Lorraine\Desktop\adwcleaner_4.109.exe
2015-01-27 20:16 - 2015-01-27 20:16 - 00146136 _____ () C:\Windows\Minidump\012715-21684-01.dmp
2015-01-27 19:04 - 2014-10-30 01:45 - 00155136 _____ (Microsoft Corporation) C:\Windows\system32\charmap.exe
2015-01-26 19:08 - 2015-01-26 19:08 - 00000000 ____D () C:\Windows\system32\appraiser
2015-01-26 07:51 - 2014-10-18 01:33 - 03209728 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2015-01-26 07:51 - 2014-07-07 01:40 - 00103424 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2015-01-26 07:51 - 2014-07-07 01:39 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2015-01-26 07:51 - 2014-07-07 01:39 - 00023040 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2015-01-26 07:51 - 2014-07-07 01:37 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2015-01-26 07:38 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\1d4300f6-d1f4-42e8-ade6-415e2f547b16
2015-01-26 07:25 - 2014-12-04 04:38 - 00728576 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-01-26 07:25 - 2014-12-04 04:38 - 00610304 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-01-26 07:25 - 2014-12-04 04:38 - 00337920 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-01-26 07:25 - 2014-12-04 04:38 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-01-26 07:25 - 2014-12-04 04:38 - 00202752 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-01-26 07:25 - 2014-12-04 04:38 - 00159744 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-01-26 07:25 - 2014-12-04 04:34 - 00873984 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-01-26 07:25 - 2014-12-01 23:28 - 01160872 _____ (Microsoft Corporation) C:\Windows\system32\aitstatic.exe
2015-01-26 07:25 - 2014-11-11 01:32 - 00074752 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tdx.sys
2015-01-26 07:24 - 2014-11-08 02:45 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2015-01-26 07:24 - 2014-10-03 01:45 - 01177088 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll
2015-01-26 07:24 - 2014-10-03 01:45 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\WSManMigrationPlugin.dll
2015-01-26 07:24 - 2014-10-03 01:45 - 00214016 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll
2015-01-26 07:24 - 2014-10-03 01:45 - 00145920 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll
2015-01-26 07:24 - 2014-10-03 01:44 - 00198656 _____ (Microsoft Corporation) C:\Windows\system32\WSManHTTPConfig.exe
2015-01-25 22:36 - 2015-01-25 22:36 - 00000000 __RSH () C:\MSDOS.SYS
2015-01-25 22:36 - 2015-01-25 22:36 - 00000000 __RSH () C:\IO.SYS
2015-01-25 20:51 - 2015-01-27 21:55 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-25 20:49 - 2015-01-25 20:49 - 00001064 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-25 20:49 - 2015-01-25 20:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-25 20:48 - 2015-01-25 20:49 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-01-25 20:48 - 2015-01-25 20:48 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-01-25 20:48 - 2014-11-21 06:14 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-25 20:48 - 2014-11-21 06:14 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-25 20:48 - 2014-11-21 06:14 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-25 20:42 - 2015-01-25 20:42 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Lorraine\Desktop\mbam-setup-2.0.4.1028.exe
2015-01-25 17:59 - 2015-01-25 19:27 - 00301168 _____ (CartCrunch Israel Ltd.) C:\Windows\system32\ColorMedia.dll
2015-01-25 17:56 - 2015-01-25 17:56 - 00001136 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 9.lnk
2015-01-25 17:56 - 2015-01-25 17:56 - 00001124 _____ () C:\Users\Public\Desktop\TeamViewer 9.lnk
2015-01-25 17:56 - 2015-01-25 17:56 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\TeamViewer
2015-01-25 17:56 - 2015-01-25 17:56 - 00000000 ____D () C:\Program Files\TeamViewer
2015-01-25 17:36 - 2015-01-25 17:36 - 00022528 _____ () C:\Users\Lorraine\AppData\Local\dsisetup18815432.exe
2015-01-25 17:36 - 2015-01-25 17:36 - 00000010 _____ () C:\Users\Lorraine\AppData\Local\DSI.DAT
2015-01-25 11:40 - 2015-01-28 19:15 - 00001348 _____ () C:\Windows\Tasks\FQOBU.job
2015-01-25 11:40 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\6dae5d2a-778f-4c1f-b806-536bc6946d94
2015-01-25 11:36 - 2015-01-25 11:36 - 00000000 ____D () C:\ProgramData\{D4053CC6-8487-ED40-3501-9DC2E5834E4C}
2015-01-25 11:30 - 2015-01-26 07:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-01-25 11:30 - 2015-01-26 07:50 - 00000000 ____D () C:\Program Files\Microsoft Silverlight
2015-01-25 11:28 - 2015-01-25 11:28 - 00000000 ____D () C:\Program Files\download Manager
2015-01-25 11:12 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\b61a9aa1-c6a2-4fdf-8e76-b62bc216dc2b
2015-01-25 11:10 - 2015-01-25 11:10 - 00000000 ____D () C:\Program Files\WIntEnhance
2015-01-24 22:23 - 2015-01-28 19:15 - 00001350 _____ () C:\Windows\Tasks\KMWYFE.job
2015-01-24 21:06 - 2015-01-25 22:53 - 00000000 ____D () C:\Program Files\Optimizer Pro 3.33
2015-01-24 09:34 - 2015-01-24 11:12 - 439872826 _____ () C:\Users\Lorraine\Downloads\The.Real.Housewives.Of.Beverly.Hills.S05E10.House.Of.Cards.WEB-DL.x264-Hector.mp4
2015-01-24 09:33 - 2015-01-24 11:07 - 430116039 _____ () C:\Users\Lorraine\Downloads\The.Real.Housewives.Of.Atlanta.S07E11.Divide.and.Ki-Ki.WEB-DL.x264-Hector.mp4
2015-01-24 09:32 - 2015-01-24 10:02 - 00000000 ____D () C:\Users\Lorraine\Downloads\Jaws (1975)
2015-01-23 21:19 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\5ec9981e-2ee6-479f-8d6a-cd8274228a53
2015-01-22 20:34 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\b85a2eed-d376-4a88-a8d3-95279e1e8137
2015-01-22 20:30 - 2015-01-22 20:44 - 00000000 ____D () C:\Users\Lorraine\Downloads\Arsenic.and.Old.Lace.1944.DVDRip.XviD.AC3-tahi
2015-01-22 20:28 - 2015-01-23 20:29 - 00000000 ____D () C:\Users\Lorraine\Downloads\Because.I.Said.So.2007.SWESUB.AC3.DVDRip.XviD-Roobb
2015-01-20 21:15 - 2015-01-20 21:15 - 00286208 _____ () C:\Users\Lorraine\Downloads\course 2a day 3 2013.ppt
2015-01-20 21:07 - 2015-01-20 21:12 - 00000000 ____D () C:\Users\Lorraine\Desktop\Autism Readings Day 2B
2015-01-20 21:04 - 2015-01-20 21:04 - 00292352 _____ () C:\Users\Lorraine\Downloads\Course 2a day 2 2013.ppt1.ppt
2015-01-20 20:24 - 2015-01-20 21:16 - 00000000 ____D () C:\Users\Lorraine\Desktop\Autism Course 2A
2015-01-20 19:50 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\0a1b8acd-a52a-488d-bdee-77150bc737e2
2015-01-19 19:33 - 2015-01-24 20:32 - 00000000 ____D () C:\Users\Lorraine\Desktop\Rejig Essay readings
2015-01-18 20:25 - 2015-01-18 20:25 - 00000000 ____D () C:\Users\Lorraine\Desktop\The Triad of Impairment in Autism Revisited   ReadCube Articles_files
2015-01-18 19:25 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\a4aba71c-b51e-401b-99e2-28dd1bc2ab59
2015-01-18 16:02 - 2015-01-18 16:02 - 00049600 _____ () C:\Users\Lorraine\Desktop\S0891422210002647.htm
2015-01-18 13:12 - 2015-01-18 13:12 - 00001038 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Driving Theory Test Express.lnk
2015-01-18 13:12 - 2015-01-18 13:12 - 00001032 _____ () C:\Users\Public\Desktop\Driving Theory Test Express.lnk
2015-01-18 13:12 - 2015-01-18 13:12 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Driving Theory Test Express
2015-01-18 13:11 - 2015-01-18 13:58 - 00000000 ____D () C:\Program Files\Driving Theory Test Express
2015-01-18 13:11 - 1998-06-18 00:30 - 00032768 _____ (Microsoft Corporation) C:\Windows\system32\REGTOOL5.DLL
2015-01-17 15:59 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\4ff07ec6-a13b-41f4-bf55-c36d092a4973
2015-01-16 18:31 - 2015-01-16 20:00 - 731691008 _____ () C:\Users\Lorraine\Downloads\Trailer.Park.Boys.The.Movie.The.Big.Dirty.2006.John.Paul.Tremblay.Robb.Wells.and.Mike.Smith.DVDRIP.Avi-The.Buzzsaw.avi
2015-01-15 19:32 - 2015-01-16 20:26 - 940549895 _____ () C:\Users\Lorraine\Downloads\The.Theory.of.Everything.2014.720p.WEBRiP.900MB.ShAaNiG.mkv
2015-01-15 18:06 - 2015-01-15 19:30 - 328512740 _____ () C:\Users\Lorraine\Downloads\The.Real.Housewives.Of.Beverly.Hills.S05E09.PDTV.x264.Hector.mp4
2015-01-15 18:05 - 2015-01-15 19:16 - 291003205 _____ () C:\Users\Lorraine\Downloads\The.Real.Housewives.Of.Beverly.Hills.S05E08.PDTV.x264.Hector.mp4
2015-01-14 18:53 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\20d59262-3625-45bc-b106-ff97f6778bf6
2015-01-14 18:50 - 2014-12-12 05:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-01-14 18:50 - 2014-12-12 05:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 18:47 - 2014-12-19 02:43 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 18:47 - 2014-12-19 01:34 - 00116224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 18:47 - 2014-12-11 17:47 - 00046592 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 18:47 - 2014-12-06 03:50 - 00242688 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 18:41 - 2015-01-26 20:59 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\VzyXdm5
2015-01-14 18:41 - 2015-01-26 20:59 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\noFaNjf
2015-01-14 18:30 - 2015-01-27 22:51 - 00001530 _____ () C:\Windows\setupact.log
2015-01-14 18:29 - 2015-01-27 21:02 - 01036508 _____ () C:\Windows\PFRO.log
2015-01-11 19:17 - 2015-01-11 19:18 - 00287744 _____ () C:\Users\Lorraine\Downloads\course 2a day 1 2013.ppt
2015-01-11 10:53 - 2015-01-11 10:53 - 00012256 _____ () C:\Users\Lorraine\Downloads\Horrible_Bosses_2_(2014).DVDRip.ANDRONiA.torrent
2015-01-07 20:21 - 2015-01-07 21:23 - 387244910 _____ () C:\Users\Lorraine\Downloads\The.Real.Housewives.Of.Atlanta.S07E07.Nice.To.Metria.WEB-DL.x264-RKSTR.mp4
2015-01-07 20:20 - 2015-01-07 20:20 - 00015353 _____ () C:\Users\Lorraine\Downloads\The_Real_Housewives_Of_Atlanta_S07E07_Nice_To_Metria_WEB-DL_x264-RKSTR_mp4.torrent
2015-01-05 23:03 - 2015-01-08 19:36 - 1910258619 _____ () C:\Users\Lorraine\Downloads\The.Hunger.Games.Catching.Fire.ITA.ENG.AC3.BDRip.1080p.X265_ZMachine.mkv
2015-01-05 21:38 - 2015-01-05 21:38 - 00237427 _____ () C:\Users\Lorraine\Downloads\The_Hunger_Games_Catching_Fire_ITA_ENG_AC3_BDRip_1080p_X265_ZMachine.torrent
2015-01-05 21:37 - 2015-01-05 21:37 - 00011312 _____ () C:\Users\Lorraine\Downloads\The_Hunger_Games_Mocking_Jay_Part_1_ENG_CAM_(2014)_-_Jacks66.torrent
2015-01-05 21:36 - 2015-01-05 21:36 - 00141941 _____ () C:\Users\Lorraine\Downloads\Stella_(2012)_S02E01_Series_2_Episode_1_HDTV_XviD-LOL[ettv] (1).torrent
2015-01-05 21:33 - 2015-01-05 21:33 - 00023927 _____ () C:\Users\Lorraine\Downloads\Stella_-_The_complete_TV_series.torrent
2015-01-05 21:32 - 2015-01-05 21:32 - 00001749 _____ () C:\Users\Lorraine\Downloads\The_Real_Housewives_of_Atlanta_S07E07_HDTV_x264-CRiMSON_[GloDLS] (1).torrent
2015-01-05 19:59 - 2015-01-05 19:59 - 00063474 _____ () C:\Users\Lorraine\Downloads\Stella_UK_Series_1_rar.torrent
2015-01-05 19:51 - 2015-01-05 19:51 - 00141941 _____ () C:\Users\Lorraine\Downloads\Stella_(2012)_S02E01_Series_2_Episode_1_HDTV_XviD-LOL[ettv].torrent
2015-01-05 19:47 - 2015-01-05 19:48 - 00123053 _____ () C:\Users\Lorraine\Downloads\Stella_UK_S02E01_720p_HDTV_x264-TLA (1).torrent
2015-01-05 19:47 - 2015-01-05 19:47 - 00123053 _____ () C:\Users\Lorraine\Downloads\Stella_UK_S02E01_720p_HDTV_x264-TLA.torrent
2015-01-05 19:46 - 2015-01-05 19:46 - 00078573 _____ () C:\Users\Lorraine\Downloads\Stella_UK_S02E01_HDTV_XviD-AFG.torrent
2015-01-04 21:51 - 2015-01-04 21:52 - 00075268 _____ () C:\Users\Lorraine\Downloads\Stella_(UK)_COMPLETE_Series_1_(2012)_720p.torrent
2015-01-04 21:49 - 2015-01-04 21:49 - 00016919 _____ () C:\Users\Lorraine\Downloads\Broadchurch.torrent
2015-01-04 20:36 - 2015-01-04 20:36 - 00146144 _____ () C:\Windows\Minidump\010415-28766-01.dmp
2015-01-04 19:03 - 2015-01-13 11:44 - 269424116 _____ () C:\Users\Lorraine\Downloads\Leap Year_2010_1080p_x264.mkv
2015-01-04 19:00 - 2015-01-04 19:00 - 00043005 _____ () C:\Users\Lorraine\Downloads\ECB537067EEECCC7476885D919A6DFBCB0511F35.torrent
2015-01-04 18:54 - 2015-01-05 20:05 - 281395470 _____ () C:\Users\Lorraine\Downloads\Ripper.Street.S03E04.Your.Father.My.Friend.720p.WEBRIP.2CH.x265.HEVC-PSA.mkv
2015-01-04 18:22 - 2015-01-04 23:04 - 395428054 _____ () C:\Users\Lorraine\Downloads\Ripper Street - S03E05  (5 Dec 2014).mp4
2015-01-04 18:21 - 2015-01-04 23:27 - 676224131 _____ () C:\Users\Lorraine\Downloads\Ripper Street - S03E07.mp4
2015-01-04 18:16 - 2015-01-04 18:16 - 00015728 _____ () C:\Users\Lorraine\Downloads\Maleficent_(2014)_[1080p].torrent
2015-01-04 18:16 - 2015-01-04 18:16 - 00003766 _____ () C:\Users\Lorraine\Downloads\Ripper_Street_S03E04_720p_WEBRIP_2CH_x265_HEVC-PSA.torrent
2015-01-04 18:14 - 2015-01-04 18:15 - 00015824 _____ () C:\Users\Lorraine\Downloads\Ripper_Street_-_S03E05_(5_Dec_2014)_Heavy_Boots.torrent
2015-01-04 18:14 - 2015-01-04 18:14 - 00029830 _____ () C:\Users\Lorraine\Downloads\Ripper_Street_S03E04_Your_Father_My_Friend_720p_WEBRiP_x264-FaiL.torrent
2015-01-04 18:14 - 2015-01-04 18:14 - 00011182 _____ () C:\Users\Lorraine\Downloads\Ripper_Street_S03E04_Your_Father_My_Friend_WEBRiP_x264-FaiLED.torrent
2015-01-04 18:13 - 2015-01-04 18:13 - 00030073 _____ () C:\Users\Lorraine\Downloads\Ripper_Street_S03_E06_WEB-DL_x264_-_NoGrp.torrent
2015-01-04 18:13 - 2015-01-04 18:13 - 00013716 _____ () C:\Users\Lorraine\Downloads\Ripper_Street_-_S03E07.torrent
2015-01-04 18:12 - 2015-01-05 18:02 - 997931351 _____ () C:\Users\Lorraine\Downloads\The.Real.Housewives.Of.Beverly.Hills.S05E05.Star.Sighting.720p.WEB-DL.x264-RKSTR.mp4
2015-01-04 18:12 - 2015-01-04 18:12 - 00018934 _____ () C:\Users\Lorraine\Downloads\Leap_Year_(2010)_BDRip_720p.mkv.torrent
2015-01-04 18:11 - 2015-01-04 18:11 - 00019624 _____ () C:\Users\Lorraine\Downloads\The_Real_Housewives_Of_Beverly_Hills_S05E05_Star_Sighting_720p_WEB-DL_x264-RKSTR_mp4.torrent
2015-01-04 18:10 - 2015-01-04 18:10 - 00021020 _____ () C:\Users\Lorraine\Downloads\The_Real_Housewives_Of_Atlanta_S07E05_Friend_Or_Faux_HDTV-MegaJoey.torrent
2015-01-04 18:10 - 2015-01-04 18:10 - 00001749 _____ () C:\Users\Lorraine\Downloads\The_Real_Housewives_of_Atlanta_S07E07_HDTV_x264-CRiMSON_[GloDLS].torrent
2015-01-04 18:09 - 2015-01-04 18:09 - 00027144 _____ () C:\Users\Lorraine\Downloads\The_Real_Housewives_of_Atlanta_S07E05_HDTV_x264-CRiMSON.torrent
2015-01-04 18:08 - 2015-01-04 18:08 - 00017888 _____ () C:\Users\Lorraine\Downloads\The_Real_Housewives_Of_Atlanta_S07E06_Make_Ups_And_Breakdowns_720p_WEB-DL_x264-RKSTR_mp4.torrent
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-28 20:21 - 2014-12-12 20:14 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\uTorrent
2015-01-28 20:20 - 2009-07-14 04:34 - 00017648 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-28 20:20 - 2009-07-14 04:34 - 00017648 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-28 20:16 - 2014-10-28 12:16 - 00000917 _____ () C:\Windows\Tasks\EPSON XP-312 313 315 Series Update {3D5B7A95-2F35-40B4-AAE2-DD2B4F1B2E83}.job
2015-01-28 20:16 - 2014-10-28 12:16 - 00000731 _____ () C:\Windows\Tasks\EPSON XP-312 313 315 Series Invitation {3D5B7A95-2F35-40B4-AAE2-DD2B4F1B2E83}.job
2015-01-28 20:15 - 2014-12-02 19:10 - 00000920 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2348153390-1346638800-1696268739-1000UA.job
2015-01-28 20:12 - 2014-10-28 13:12 - 00000917 _____ () C:\Windows\Tasks\EPSON XP-312 313 315 Series Update {E3F2510D-691C-4559-AA4D-80EACF8CF34D}.job
2015-01-28 20:12 - 2014-10-28 13:12 - 00000731 _____ () C:\Windows\Tasks\EPSON XP-312 313 315 Series Invitation {E3F2510D-691C-4559-AA4D-80EACF8CF34D}.job
2015-01-28 20:08 - 2014-10-23 01:45 - 01581638 _____ () C:\Windows\WindowsUpdate.log
2015-01-28 19:15 - 2014-12-02 19:10 - 00000868 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2348153390-1346638800-1696268739-1000Core.job
2015-01-27 23:28 - 2009-07-14 02:37 - 00000000 ____D () C:\Windows\rescache
2015-01-27 22:51 - 2009-07-14 04:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-27 20:52 - 2014-10-22 10:19 - 00001152 _____ () C:\Users\Lorraine\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-01-27 20:31 - 2009-07-14 02:37 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-27 20:16 - 2014-11-20 21:42 - 00000000 ____D () C:\Windows\Minidump
2015-01-26 20:59 - 2014-12-14 11:41 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\kGC4mgU
2015-01-26 20:59 - 2014-11-14 20:10 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\FGnAgzr
2015-01-26 20:59 - 2014-10-28 07:03 - 00000000 ____D () C:\ProgramData\cab4fbb2-1ac7-44d2-9b7d-0c921d8827f4
2015-01-26 20:59 - 2009-07-14 02:37 - 00000000 ____D () C:\Windows\AppCompat
2015-01-26 20:46 - 2014-11-22 19:19 - 00000198 _____ () C:\Users\Lorraine\AppData\Local\recently-fix.db
2015-01-26 20:41 - 2014-10-23 09:37 - 00000000 ____D () C:\Program Files\Google
2015-01-26 19:08 - 2014-10-24 08:43 - 00000000 ___SD () C:\Windows\system32\CompatTel
2015-01-26 07:17 - 2009-07-14 04:33 - 00408752 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-01-25 23:01 - 2014-10-23 09:36 - 00109280 _____ () C:\Users\Lorraine\AppData\Local\GDIPFONTCACHEV1.DAT
2015-01-25 22:38 - 2014-12-10 21:47 - 00000000 ____D () C:\Users\Lorraine\AppData\Local\ICSharpCode.net
2015-01-25 20:58 - 2014-12-01 21:12 - 00000670 __RSH () C:\ProgramData\ntuser.pol
2015-01-25 20:56 - 2014-11-22 14:10 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\YcanPDF
2015-01-25 17:36 - 2014-12-11 07:46 - 00000125 _____ () C:\Users\Lorraine\AppData\Roaming\WB.CFG
2015-01-25 17:14 - 2009-07-14 02:04 - 00000580 _____ () C:\Windows\win.ini
2015-01-25 11:23 - 2014-10-23 20:09 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\BitTorrent
2015-01-24 22:24 - 2009-07-14 02:37 - 00000000 ___HD () C:\Windows\system32\GroupPolicy
2015-01-24 14:34 - 2010-11-20 21:01 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-23 20:52 - 2014-10-23 19:59 - 00000000 ____D () C:\Users\Lorraine\Desktop\Movies
2015-01-23 20:50 - 2014-10-27 18:47 - 00000000 ____D () C:\Users\Lorraine\Desktop\TV Shows
2015-01-23 20:48 - 2014-10-25 15:40 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\vlc
2015-01-18 21:06 - 2009-07-14 02:37 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared
2015-01-18 19:15 - 2014-10-23 10:28 - 00000000 ____D () C:\Users\Lorraine\Desktop\Autism Essay 1A Readings
2015-01-14 22:01 - 2014-10-22 11:54 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 21:53 - 2014-10-22 11:54 - 110348472 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-12-31 11:13 - 2014-10-22 10:36 - 00249488 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
 
==================== Files in the root of some directories =======
 
2014-09-01 08:18 - 2014-09-01 08:18 - 0001248 _____ () C:\Users\Lorraine\AppData\Roaming\FQOBU
2014-09-01 08:18 - 2014-09-01 08:18 - 0001248 _____ () C:\Users\Lorraine\AppData\Roaming\KMWYFE
2014-12-11 07:46 - 2015-01-25 17:36 - 0000125 _____ () C:\Users\Lorraine\AppData\Roaming\WB.CFG
2015-01-25 17:36 - 2015-01-25 17:36 - 0000010 _____ () C:\Users\Lorraine\AppData\Local\DSI.DAT
2015-01-25 17:36 - 2015-01-25 17:36 - 0022528 _____ () C:\Users\Lorraine\AppData\Local\dsisetup18815432.exe
2014-11-22 19:19 - 2015-01-26 20:46 - 0000198 _____ () C:\Users\Lorraine\AppData\Local\recently-fix.db
2014-11-14 20:00 - 2014-11-14 20:00 - 0000000 _____ () C:\ProgramData\spds90.txt
 
Some content of TEMP:
====================
C:\Users\Lorraine\AppData\Local\Temp\1F930CC8-E339-2FC0-3339-A4A1A5F8D188.dll
C:\Users\Lorraine\AppData\Local\Temp\46209AC9-174E-C925-70D8-6734ED8E7FC6.dll
C:\Users\Lorraine\AppData\Local\Temp\965C2210-0E12-AE99-A163-581506C0F4C9.dll
C:\Users\Lorraine\AppData\Local\Temp\AAZWKJXEi6.exe
C:\Users\Lorraine\AppData\Local\Temp\Bootstrapper.exe
C:\Users\Lorraine\AppData\Local\Temp\CloudBackup7388.exe
C:\Users\Lorraine\AppData\Local\Temp\ICReinstall_download.exe
C:\Users\Lorraine\AppData\Local\Temp\install_reader11_en_gtba_chra_dy_aaa_aih.exe
C:\Users\Lorraine\AppData\Local\Temp\lPCTZ9eWyh.exe
C:\Users\Lorraine\AppData\Local\Temp\optprosetup.exe
C:\Users\Lorraine\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Lorraine\AppData\Local\Temp\row3zMIyrr.exe
C:\Users\Lorraine\AppData\Local\Temp\Runner2.exe
C:\Users\Lorraine\AppData\Local\Temp\Runner4.exe
C:\Users\Lorraine\AppData\Local\Temp\SpOrder.dll
C:\Users\Lorraine\AppData\Local\Temp\utt4D20.tmp.exe
C:\Users\Lorraine\AppData\Local\Temp\uttE538.tmp.exe
C:\Users\Lorraine\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Lorraine\AppData\Local\Temp\VOPackage_1712.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-24 00:24
 
==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 28-01-2015 01
Ran by Lorraine at 2015-01-28 20:23:57
Running from C:\Users\Lorraine\Desktop
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-2348153390-1346638800-1696268739-1000\...\uTorrent) (Version: 3.4.2.37754 - BitTorrent Inc.)
Adobe Reader XI (11.0.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Driving Theory Test Express v3.1.0.0 (HKLM\...\Driving Theory Test Express v3.1.0.0_is1) (Version: - Oasis Business Services Int. Ltd.)
Epson Easy Photo Print 2 (HKLM\...\{71E90740-5E5F-4D43-AB8F-CAC1D93DBB5B}) (Version: 2.5.0.0 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM\...\{0F13C24A-FFE2-4CD0-8E0B-DC804E0A0E0B}) (Version: 3.10.0035 - Seiko Epson Corporation)
EPSON Manuals (HKLM\...\{84CECC1B-21EF-41B1-9A91-3E724E5D99D3}) (Version: 1.32.0.0 - SEIKO EPSON CORPORATION)
EPSON Scan (HKLM\...\EPSON Scanner) (Version: - Seiko Epson Corporation)
EPSON XP-312 313 315 Series Printer Uninstall (HKLM\...\EPSON XP-312 313 315 Series) (Version: - SEIKO EPSON Corporation)
EpsonNet Print (HKLM\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.6.0 - SEIKO EPSON CORPORATION)
Google Talk Plugin (HKLM\...\{0C5C1177-94C5-3EFB-A8BE-3F6AF1AF887F}) (Version: 5.38.6.0 - Google)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM\...\Office14.PROPLUS) (Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (HKLM\...\{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{DE28B448-32E8-4E8F-84F0-A52B21A49B5B}) (Version: - Microsoft)
TeamViewer 9 (HKLM\...\TeamViewer 9) (Version: 9.0.26297 - TeamViewer)
VLC media player 2.1.3 (HKLM\...\VLC media player) (Version: 2.1.3 - VideoLAN)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\Lorraine\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Lorraine\AppData\Local\Google\Update\1.3.25.5\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\Lorraine\AppData\Local\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\Lorraine\AppData\Local\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{39125640-8D80-11DC-A2FE-C5C455D89593}\InprocServer32 -> C:\Users\Lorraine\AppData\Local\Google\Google Talk Plugin\googletalkax.dll (Google)
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\Lorraine\AppData\Local\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{7c6e29bc-8b8b-4c3d-859e-af6cd158be0f}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c0-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c4-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c5-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c8-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c9-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> "C:\Users\Lorraine\AppData\Local\Vosteran\Application\31.0.1650.23\delegate_execute.exe" No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{AB9F4455-E591-4132-A386-0B91EAEDB96C}\InprocServer32 -> C:\Users\Lorraine\AppData\Local\Google\Google Talk Plugin\o1dax.dll (Google)
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\Lorraine\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\Lorraine\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\Lorraine\AppData\Local\Google\Update\1.3.25.5\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Lorraine\AppData\Local\Google\Update\1.3.25.5\psuser.dll (Google Inc.)

==================== Restore Points =========================

22-01-2015 20:26:14 Windows Update
25-01-2015 17:52:13 Uniblue SpeedUpMyPC installation
25-01-2015 17:56:02 Uniblue SpeedUpMyPC installation
26-01-2015 07:30:14 Windows Update
26-01-2015 07:49:44 Windows Update
27-01-2015 20:26:43 Windows Update
27-01-2015 22:47:17 Checkpoint by HitmanPro
27-01-2015 22:48:39 Checkpoint by HitmanPro

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 02:04 - 2009-06-10 21:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0DE36395-33A5-452F-BBF8-BB29BA7266B8} - System32\Tasks\FQOBU => C:\Users\Lorraine\AppData\Roaming\FQOBU.exe <==== ATTENTION
Task: {0EE5E791-4488-4440-9B9C-C4E5DCCEECC7} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {1DE710E2-141C-4034-AD76-8EA2325EE3DD} - System32\Tasks\DZYYbmv5HuqvCTn => C:\Users\Lorraine\AppData\Roaming\FGnAgzr\zjQ6gRG.exe
Task: {24143120-6877-4993-953E-E0652B35AF20} - System32\Tasks\KMWYFE => C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe <==== ATTENTION
Task: {25DD725C-7F77-4548-85B0-4D7DF5096504} - System32\Tasks\Hybrid => C:\IORRT\IORRT.bat [2014-10-22] ()
Task: {25E24669-CD12-47B4-86B7-70E78F4F579E} - System32\Tasks\3yNnDkueHGJ0nEf => C:\Users\Lorraine\AppData\Roaming\noFaNjf\TOZ39fp.exe [2015-01-14] ( )
Task: {27866BC3-16E9-48AB-B28A-14EF30CB1EBB} - \05719bba-a182-42d3-9110-570e1a8819a8-4 No Task File <==== ATTENTION
Task: {2B9345BF-E6C6-4F32-A7E7-F5BB1EBBDAAC} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2348153390-1346638800-1696268739-1000Core => C:\Users\Lorraine\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-23] (Google Inc.)
Task: {370467BF-110F-4714-BD33-D5E166DBFE1A} - System32\Tasks\IR5 => cmd.exe /c cscript.exe /b C:\Windows\System32\slmgr.vbs /rearm && net stop sppsvc && net start sppsvc
Task: {436C8D1B-6A94-4439-BC00-EF2AD527BAE7} - System32\Tasks\EPSON XP-312 313 315 Series Update {3D5B7A95-2F35-40B4-AAE2-DD2B4F1B2E83} => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FTSLFE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {496100C8-EB0E-463F-AEEE-5563DFE59381} - \96e1f90a-b093-42e1-b7bb-db82e2740f78-1 No Task File <==== ATTENTION
Task: {5111150C-A8E7-48A6-AD60-449E12FCF5E8} - System32\Tasks\IORRT => C:\IORRT\IORRT.bat [2014-10-22] ()
Task: {52B06DE6-F643-4C2F-83D2-07990013BD30} - \23140e48-208d-414b-9c88-2020b4a80c85-7 No Task File <==== ATTENTION
Task: {53B89DBA-2692-4F48-A684-990979F231F0} - System32\Tasks\EPSON XP-312 313 315 Series Invitation {E3F2510D-691C-4559-AA4D-80EACF8CF34D} => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FTSLFE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {56C8988E-EE31-4B72-9FA2-FF87A25F9D81} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2348153390-1346638800-1696268739-1000UA => C:\Users\Lorraine\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-23] (Google Inc.)
Task: {713928A7-646E-473F-A446-85C897D91126} - System32\Tasks\EPSON XP-312 313 315 Series Update {E3F2510D-691C-4559-AA4D-80EACF8CF34D} => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FTSLFE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {866D0500-1007-4894-8791-EAFFE503BC5F} - System32\Tasks\{2B457CAE-5F3F-46CD-86D9-C92299B79154} => pcalua.exe -a C:\Users\Lorraine\AppData\Roaming\webssearches\UninstallManager.exe -c -ptid=ill <==== ATTENTION
Task: {97B11FCD-1841-4415-A813-D38C27649859} - System32\Tasks\69UL7s2jKYgUYn1 => C:\Users\Lorraine\AppData\Roaming\VzyXdm5\TfcIl67.exe
Task: {A40CEBA3-D66B-4C8A-8D69-5C59DB8BF7BC} - \68b93107-26be-4261-b20c-cd026d23dd77-2 No Task File <==== ATTENTION
Task: {C0135018-D35B-4B38-A8C4-DE95C28BE30C} - System32\Tasks\MWYJXWQSR => C:\ProgramData\07ef66f0e2664a29a2d1d971bbd8e35b\07ef66f0e2664a29a2d1d971bbd8e35b.exe
Task: {C1020D0E-014A-4F47-9983-1CE283C799D6} - System32\Tasks\EPSON XP-312 313 315 Series Invitation {3D5B7A95-2F35-40B4-AAE2-DD2B4F1B2E83} => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FTSLFE.EXE [2013-02-28] (SEIKO EPSON CORPORATION)
Task: {C9D84765-1514-4585-B976-D7D70F50771E} - \23140e48-208d-414b-9c88-2020b4a80c85-5_user No Task File <==== ATTENTION
Task: {D67D421C-81A0-4B8F-A770-F7388770EEEB} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {E2B2FDA5-05B3-45BB-8263-D088767FE17F} - \DonutQuotes No Task File <==== ATTENTION

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\EPSON XP-312 313 315 Series Invitation {3D5B7A95-2F35-40B4-AAE2-DD2B4F1B2E83}.job => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FTSLFE.EXE
Task: C:\Windows\Tasks\EPSON XP-312 313 315 Series Invitation {E3F2510D-691C-4559-AA4D-80EACF8CF34D}.job => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FTSLFE.EXE
Task: C:\Windows\Tasks\EPSON XP-312 313 315 Series Update {3D5B7A95-2F35-40B4-AAE2-DD2B4F1B2E83}.job => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FTSLFE.EXE
Task: C:\Windows\Tasks\EPSON XP-312 313 315 Series Update {E3F2510D-691C-4559-AA4D-80EACF8CF34D}.job => C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FTSLFE.EXE
Task: C:\Windows\Tasks\FQOBU.job => C:\Users\Lorraine\AppData\Roaming\FQOBU.exe <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2348153390-1346638800-1696268739-1000Core.job => C:\Users\Lorraine\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2348153390-1346638800-1696268739-1000UA.job => C:\Users\Lorraine\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\KMWYFE.job => C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe <==== ATTENTION

==================== Loaded Modules (whitelisted) =============

2013-09-04 23:14 - 2013-09-04 23:14 - 04300456 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ColorMedia => ""="service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: 3D BubbleSound => "C:\Program Files\BubbleSound\3D BubbleSound.exe"
MSCONFIG\startupreg: Obrona Block Ads => "C:\Users\Lorraine\AppData\Local\Obrona Block Ads\ObronaBlockAds.exe" --hidden
MSCONFIG\startupreg: SpeedItupFree => "C:\Program Files\SpeedItup Free\speeditupfree.exe"
MSCONFIG\startupreg: WindApp => "C:\Users\Lorraine\AppData\Roaming\Store\WindApp\WindApp.exe" /winstartup

========================= Accounts: ==========================

Administrator (S-1-5-21-2348153390-1346638800-1696268739-500 - Administrator - Disabled)
Guest (S-1-5-21-2348153390-1346638800-1696268739-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2348153390-1346638800-1696268739-1002 - Limited - Enabled)
Lorraine (S-1-5-21-2348153390-1346638800-1696268739-1000 - Administrator - Enabled) => C:\Users\Lorraine

==================== Faulty Device Manager Devices =============

Name: Microsoft Virtual WiFi Miniport Adapter
Description: Microsoft Virtual WiFi Miniport Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: vwifimp
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (01/28/2015 08:11:29 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/27/2015 11:25:04 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (01/27/2015 10:53:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000274,SYSTEM\CurrentControlSet\Services\VSS\Diag\VssvcPublisher,0,REG_BINARY,02A8F920.64). hr = 0x80070005, Access is denied.
.

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x000002b4,(null),0,REG_BINARY,010EEF50.64). hr = 0x80070005, Access is denied.
.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {7c1c8a66-8773-449e-b81b-f5af5c7a7c39}

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000784,(null),0,REG_BINARY,00E1ECF8.64). hr = 0x80070005, Access is denied.
.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
Writer Name: WMI Writer
Writer Instance ID: {022ab69a-5258-467d-ac4a-87ca3b63418b}

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x000002b4,(null),0,REG_BINARY,010EEF3C.64). hr = 0x80070005, Access is denied.
.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {7c1c8a66-8773-449e-b81b-f5af5c7a7c39}

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x00000adc,(null),0,REG_BINARY,040EEEB0.64). hr = 0x80070005, Access is denied.
.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {cd3f2362-8bef-46c7-9181-d62844cdc0b2}
Writer Name: MSSearch Service Writer
Writer Instance ID: {81b56e7e-2b9d-4843-a3bd-fedb963b0d08}

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x000001a8,(null),0,REG_BINARY,0117F5E8.64). hr = 0x80070005, Access is denied.
.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {afbab4a2-367d-4d15-a586-71dbb18f8485}
Writer Name: Registry Writer
Writer Instance ID: {b4e698f4-04a4-415a-b2e8-19af277e74be}

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine RegSetValueExW(0x000001c0,(null),0,REG_BINARY,00DCF968.64). hr = 0x80070005, Access is denied.
.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {542da469-d3e1-473c-9f4f-7847f01fc64f}
Writer Name: COM+ REGDB Writer
Writer Instance ID: {ec88804f-9b4f-4669-b6f0-7781a870e2f9}


System errors:
=============
Error: (01/27/2015 10:52:19 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The HitmanPro 3.7 Crusader (Boot) service terminated with service-specific error %%0.

Error: (01/27/2015 08:52:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Software Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (01/27/2015 08:52:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (01/27/2015 08:52:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (01/27/2015 08:52:26 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Office Software Protection Platform service terminated unexpectedly. It has done this 1 time(s).

Error: (01/27/2015 08:52:26 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Epson Scanner Service service terminated unexpectedly. It has done this 1 time(s).

Error: (01/27/2015 08:52:26 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Adobe Acrobat Update Service service terminated unexpectedly. It has done this 1 time(s).

Error: (01/27/2015 08:52:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Error: (01/27/2015 08:30:45 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The globalUpdate Update Service (globalUpdate) service failed to start due to the following error:
%%2

Error: (01/27/2015 08:18:52 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The globalUpdate Update Service (globalUpdate) service failed to start due to the following error:
%%2


Microsoft Office Sessions:
=========================
Error: (01/28/2015 08:11:29 PM) (Source: Customer Experience Improvement Program) (EventID: 1008) (User: )
Description: 80004005

Error: (01/27/2015 11:25:04 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"C:\Program Files\EPSON Software\Easy Photo Print\EPQuicker.exe

Error: (01/27/2015 10:53:16 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x00000274,SYSTEM\CurrentControlSet\Services\VSS\Diag\VssvcPublisher,0,REG_BINARY,02A8F920.64)0x80070005, Access is denied.

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x000002b4,(null),0,REG_BINARY,010EEF50.64)0x80070005, Access is denied.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {7c1c8a66-8773-449e-b81b-f5af5c7a7c39}

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x00000784,(null),0,REG_BINARY,00E1ECF8.64)0x80070005, Access is denied.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {a6ad56c2-b509-4e6c-bb19-49d8f43532f0}
Writer Name: WMI Writer
Writer Instance ID: {022ab69a-5258-467d-ac4a-87ca3b63418b}

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x000002b4,(null),0,REG_BINARY,010EEF3C.64)0x80070005, Access is denied.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {7c1c8a66-8773-449e-b81b-f5af5c7a7c39}

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x00000adc,(null),0,REG_BINARY,040EEEB0.64)0x80070005, Access is denied.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {cd3f2362-8bef-46c7-9181-d62844cdc0b2}
Writer Name: MSSearch Service Writer
Writer Instance ID: {81b56e7e-2b9d-4843-a3bd-fedb963b0d08}

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x000001a8,(null),0,REG_BINARY,0117F5E8.64)0x80070005, Access is denied.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {afbab4a2-367d-4d15-a586-71dbb18f8485}
Writer Name: Registry Writer
Writer Instance ID: {b4e698f4-04a4-415a-b2e8-19af277e74be}

Error: (01/27/2015 10:49:21 PM) (Source: VSS) (EventID: 8193) (User: )
Description: RegSetValueExW(0x000001c0,(null),0,REG_BINARY,00DCF968.64)0x80070005, Access is denied.


Operation:
BackupShutdown Event

Context:
Execution Context: Writer
Writer Class Id: {542da469-d3e1-473c-9f4f-7847f01fc64f}
Writer Name: COM+ REGDB Writer
Writer Instance ID: {ec88804f-9b4f-4669-b6f0-7781a870e2f9}


==================== Memory info ===========================

Processor: Intel® Core™2 Duo CPU T6570 @ 2.10GHz
Percentage of memory in use: 37%
Total physical RAM: 3037.09 MB
Available physical RAM: 1909.08 MB
Total Pagefile: 6072.47 MB
Available Pagefile: 4983.61 MB
Total Virtual: 2047.88 MB
Available Virtual: 1904.55 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.79 GB) (Free:33.73 GB) NTFS
Drive d: (Driving_Test) (CDROM) (Total:0.67 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: ECE79102)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================
 
 
Thanks for looking.

Edited by Oh My!, 29 January 2015 - 10:34 AM.



#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,380 posts
  • ONLINE
  • Gender:Male
  • Location:California
  • Local time:09:02 AM

Posted 29 January 2015 - 10:42 AM

Greetings fistikuffs and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started!
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Your computer is heavily infected. There is evidence of pirated software on your system and I am going to request you remove it before we take any further steps. Please let me know if you are willing to remove it and, if so, let me know when that has been accomplished and we will address your issues.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#3 fistikuffs (Topic Starter)

Posted 29 January 2015 - 10:48 AM

Hi Gary,

My name is Shane and I appreciate the assistance. As I mentioned, this is my sister's laptop; I'm unaware of what pirated software she may be using, however I'm happy to remove anything that you noticed is pirated before proceeding with any fixes. Can you tell me what software you have concerns about, or should I have a look at this myself?

Thanks again,

Shane



#4 Oh My!

Posted 29 January 2015 - 03:28 PM

Hi Shane,

Please ask your sister to uninstall the following program unless she has a valid Product Key.

Microsoft Office Professional Plus 2010


Gary
 

#5 fistikuffs (Topic Starter)

Posted 30 January 2015 - 09:59 AM

Hi Gary,

Just to keep you updated, I tried to remove Office yesterday but I'm getting corruption errors and requests for the original media in order to progress, but of course she doesn't have the original media. I have removed the program that was activating Office, so now Office is requesting a licence key. I'll try again this evening, although I fear our troubleshooting may end at this point.

I'll update again tomorrow, or sooner if I have success.

Thanks again,

Shane



#6 Oh My!

Posted 30 January 2015 - 10:03 AM

Thanks Shane,

Your willingness to remove it is close enough for now. I don't want to hold up cleaning the computer because it is heavily infected. I guess it is possible the infection might prevent the uninstall but who knows. I will leave the final deletion up to you.

I am going to revisit my proposed fix for you and will be posting it shortly. Thanks for your efforts.
Gary
 

#7 Oh My!

Posted 30 January 2015 - 10:26 AM

Hi Shane,

Please consider and do this.

===================================================

P2P Warning

--------------------

Going over your logs I noticed that you have µTorrent installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition, it has recently been reported that P2P downloads may be tracked, resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Please create a System Restore Point

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:50758;https=127.0.0.1:50758
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:50758;https=127.0.0.1:50758
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
2015-01-25 11:40 - 2015-01-28 19:15 - 00001348 _____ () C:\Windows\Tasks\FQOBU.job
2015-01-25 11:40 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\6dae5d2a-778f-4c1f-b806-536bc6946d94
2015-01-25 11:12 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\b61a9aa1-c6a2-4fdf-8e76-b62bc216dc2b
2015-01-23 21:19 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\5ec9981e-2ee6-479f-8d6a-cd8274228a53
2015-01-22 20:34 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\b85a2eed-d376-4a88-a8d3-95279e1e8137
2015-01-18 19:25 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\a4aba71c-b51e-401b-99e2-28dd1bc2ab59
2015-01-17 15:59 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\4ff07ec6-a13b-41f4-bf55-c36d092a4973
2015-01-14 18:53 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\20d59262-3625-45bc-b106-ff97f6778bf6
2015-01-26 20:59 - 2014-10-28 07:03 - 00000000 ____D () C:\ProgramData\cab4fbb2-1ac7-44d2-9b7d-0c921d8827f4
2015-01-14 18:41 - 2015-01-26 20:59 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\VzyXdm5
2015-01-14 18:41 - 2015-01-26 20:59 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\noFaNjf
2015-01-26 20:59 - 2014-12-14 11:41 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\kGC4mgU
2015-01-26 20:59 - 2014-11-14 20:10 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\FGnAgzr
C:\Users\Lorraine\AppData\Local\Temp\1F930CC8-E339-2FC0-3339-A4A1A5F8D188.dll
C:\Users\Lorraine\AppData\Local\Temp\46209AC9-174E-C925-70D8-6734ED8E7FC6.dll
C:\Users\Lorraine\AppData\Local\Temp\965C2210-0E12-AE99-A163-581506C0F4C9.dll
C:\Users\Lorraine\AppData\Local\Temp\AAZWKJXEi6.exe
C:\Users\Lorraine\AppData\Local\Temp\Bootstrapper.exe
C:\Users\Lorraine\AppData\Local\Temp\CloudBackup7388.exe
C:\Users\Lorraine\AppData\Local\Temp\ICReinstall_download.exe
C:\Users\Lorraine\AppData\Local\Temp\install_reader11_en_gtba_chra_dy_aaa_aih.exe
C:\Users\Lorraine\AppData\Local\Temp\lPCTZ9eWyh.exe
C:\Users\Lorraine\AppData\Local\Temp\optprosetup.exe
C:\Users\Lorraine\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Lorraine\AppData\Local\Temp\row3zMIyrr.exe
C:\Users\Lorraine\AppData\Local\Temp\Runner2.exe
C:\Users\Lorraine\AppData\Local\Temp\Runner4.exe
C:\Users\Lorraine\AppData\Local\Temp\SpOrder.dll
C:\Users\Lorraine\AppData\Local\Temp\utt4D20.tmp.exe
C:\Users\Lorraine\AppData\Local\Temp\uttE538.tmp.exe
C:\Users\Lorraine\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Lorraine\AppData\Local\Temp\VOPackage_1712.exe
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{7c6e29bc-8b8b-4c3d-859e-af6cd158be0f}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c0-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c4-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c5-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c8-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c9-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> "C:\Users\Lorraine\AppData\Local\Vosteran\Application\31.0.1650.23\delegate_execute.exe" No File
Task: {0DE36395-33A5-452F-BBF8-BB29BA7266B8} - System32\Tasks\FQOBU => C:\Users\Lorraine\AppData\Roaming\FQOBU.exe <==== ATTENTION
Task: {1DE710E2-141C-4034-AD76-8EA2325EE3DD} - System32\Tasks\DZYYbmv5HuqvCTn => C:\Users\Lorraine\AppData\Roaming\FGnAgzr\zjQ6gRG.exe
Task: {24143120-6877-4993-953E-E0652B35AF20} - System32\Tasks\KMWYFE => C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe <==== ATTENTION
Task: {25E24669-CD12-47B4-86B7-70E78F4F579E} - System32\Tasks\3yNnDkueHGJ0nEf => C:\Users\Lorraine\AppData\Roaming\noFaNjf\TOZ39fp.exe [2015-01-14] ( )
Task: {27866BC3-16E9-48AB-B28A-14EF30CB1EBB} - \05719bba-a182-42d3-9110-570e1a8819a8-4 No Task File <==== ATTENTION
Task: {496100C8-EB0E-463F-AEEE-5563DFE59381} - \96e1f90a-b093-42e1-b7bb-db82e2740f78-1 No Task File <==== ATTENTION
Task: {52B06DE6-F643-4C2F-83D2-07990013BD30} - \23140e48-208d-414b-9c88-2020b4a80c85-7 No Task File <==== ATTENTION
Task: C:\Windows\Tasks\FQOBU.job => C:\Users\Lorraine\AppData\Roaming\FQOBU.exe <==== ATTENTION
AppInit_DLLs: C:/PROGRA~2/{D4053~1/171~1.0/caso.dll => C:/PROGRA~2/{D4053~1/171~1.0/caso.dll [649216 2015-01-25] ()
Task: C:\Windows\Tasks\KMWYFE.job => C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe <==== ATTENTION
C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe
C:\Users\Lorraine\AppData\Roaming\FGnAgzr\zjQ6gRG.exe
C:\Users\Lorraine\AppData\Roaming\noFaNjf
C:/PROGRA~2/{D4053~1/171~1.0/caso.dll
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

System Summary Information

--------------------
  • Press the Windows key + R on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • System Summary Information
  • Update on computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."
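The entries in the fix above are the ones a responder should be able to pick out of any FRST log without help: a system proxy pointing at 127.0.0.1 on a high port (a local process sitting between the browser and the network), Chrome and machine Group Policy restrictions on a laptop that is not domain-joined, scheduled tasks whose target lives under AppData, an AppInit_DLLs entry (a DLL loaded into every process that uses user32), and orphaned "No File" entries that are cleanup rather than active threats. The script below is an added example, not FRST's code and not anything posted in this thread by Gary: it applies those rules to a constructed set of log lines modelled on the entries quoted above (GUIDs and SIDs shortened, plus a benign corporate proxy and a benign updater task for contrast), and it also parses the "item => action successfully." result lines that a complete Fixlog reports. The function names, severity labels and sample data are all my own.

```python
"""Triage FRST-style log lines the way a responder reads them.

Added example for this thread, not FRST's own code. Sample lines are
constructed, modelled on entries quoted in the fix (GUIDs and SIDs shortened),
plus one benign proxy and one benign task so the rules have something to ignore.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_LINES = [
    r"GroupPolicy: Group Policy on Chrome detected <======= ATTENTION",
    r"CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION",
    r"ProxyEnable: [HKLM] => ProxyEnable is set.",
    r"ProxyServer: [HKLM] => http=127.0.0.1:50758;https=127.0.0.1:50758",
    r"ProxyServer: [HKCU] => proxy.corp.example:8080",  # constructed, benign
    r"Task: {0DE36395-...} - System32\Tasks\FQOBU => C:\Users\Lorraine\AppData\Roaming\FQOBU.exe <==== ATTENTION",
    r"Task: {27866BC3-...} - \05719bba-...-4 No Task File <==== ATTENTION",
    r"AppInit_DLLs: C:/PROGRA~2/{D4053~1/171~1.0/caso.dll => C:/PROGRA~2/{D4053~1/171~1.0/caso.dll [649216 2015-01-25] ()",
    r"CustomCLSID: HKU\S-1-5-21-...\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File",
    r"Task: {AAAAAAAA-...} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-01] (Google Inc.)",  # constructed, benign
]

# Constructed Fixlog result lines in the "item => action successfully." form.
FIXLOG_LINES = [
    r"C:\Windows\system32\GroupPolicy\Machine => Moved successfully.",
    r'"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.',
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.",
]

PROXY_RE = re.compile(r"^ProxyServer: \[(?P<hive>[^\]]+)\] => (?P<value>.+)$")
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
ORPHAN_RE = re.compile(r"\bNo (Task )?File\b")
RESULT_RE = re.compile(r"^(?P<item>.+?) => (?P<action>[A-Za-z ]+successfully)\.$")


def parse_proxy_value(value):
    """Split a WinINet ProxyServer value into {scheme: 'host:port'}.

    'http=a:1;https=b:2' is per-protocol; a bare 'host:port' applies to all ('*').
    """
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, target = part.partition("=")
        proxies[scheme.lower() if sep else "*"] = target.strip() if sep else part
    return proxies


def is_loopback(target):
    """True if 'host:port' names the local machine (127.0.0.0/8, ::1, localhost)."""
    host = target.rsplit(":", 1)[0].strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname, not an address
        return False


def triage_line(line):
    """Return (severity, reason) findings for one FRST log line."""
    findings = []
    m = PROXY_RE.match(line)
    if m:
        proxies = parse_proxy_value(m.group("value"))
        if any(is_loopback(t) for t in proxies.values()):
            findings.append(("high", "system proxy points at a local listener (traffic interception)"))
        else:
            findings.append(("medium", "system proxy configured; confirm it is expected"))
    if line.startswith("AppInit_DLLs:") and "=>" in line:
        findings.append(("high", "AppInit_DLLs set: DLL injected into every user32 process"))
    if line.startswith(("GroupPolicy:", "CHR HKLM\\SOFTWARE\\Policies")):
        findings.append(("high", "policy restriction on a machine that is not domain-joined"))
    if line.startswith("Task:") and USER_WRITABLE.search(line):
        findings.append(("high", "scheduled task runs an executable from a user-writable profile directory"))
    if ORPHAN_RE.search(line):
        findings.append(("low", "orphaned entry: target is missing, cleanup only"))
    if line.rstrip().endswith("ATTENTION") and not findings:
        findings.append(("medium", "flagged by FRST; review manually"))
    return findings


def triage(lines):
    """Triage every line; findings come back sorted high, medium, low."""
    order = {"high": 0, "medium": 1, "low": 2}
    results = [{"severity": sev, "reason": why, "line": line}
               for line in lines for sev, why in triage_line(line)]
    results.sort(key=lambda r: order[r["severity"]])
    return results


def summarize(results):
    """Count findings per severity."""
    return Counter(r["severity"] for r in results)


def fix_results(lines):
    """Collect Fixlog 'item => action successfully.' lines into {item: action}."""
    return {m["item"].strip('"'): m["action"] for m in map(RESULT_RE.match, lines) if m}


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
    print(dict(summarize(triage(SAMPLE_LINES))))
    print(fix_results(FIXLOG_LINES))
```

On the sample data the loopback proxy, the two policy lines, the AppData task and the AppInit_DLLs entry come out as high, the corporate proxy as medium, and the two "No File" entries as low; the updater task produces nothing. The same rules can be pointed at a real FRST.txt or Fixlog.txt by reading its lines into `triage` or `fix_results`, and `fix_results` is the quick check that a posted Fixlog is complete: an empty result means the result section, not just the echoed fixlist, is missing.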

#8 fistikuffs (Topic Starter)

Posted 30 January 2015 - 11:29 AM

Thanks Gary. I'll follow the steps as outlined later this evening and will report back as requested.

All the best,

Shane



#9 Oh My!

Posted 30 January 2015 - 12:06 PM

Very good, I am eager to attack it. :)
Gary
 

#10 fistikuffs (Topic Starter)

Posted 30 January 2015 - 03:54 PM

Hi Gary,

As requested, the fix.log is below. I've also removed µTorrent, screen-capped your advice and sent it to the user in question. As for the performance, I've noticed that the proxy issue appears to be resolved; both IE and Chrome can browse the internet again :) I realize we may not be out of the woods just yet though.

I'm having a problem with attaching the output from msinfo32. The zipped file is 154 KB; it's over 4 MB when uncompressed. For comparison, my msinfo32 output is a little over 1.5 MB. I packed it with 7-Zip rather than Windows' built-in compressor, which brought the file size down to 145 KB, still way over the 7.37 KB limit for posts. Splitting obviously isn't an option, so please let me know how you'd like me to get this info to you.

Here is the fix.log:

GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:50758;https=127.0.0.1:50758
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:50758;https=127.0.0.1:50758
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
2015-01-25 11:40 - 2015-01-28 19:15 - 00001348 _____ () C:\Windows\Tasks\FQOBU.job
2015-01-25 11:40 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\6dae5d2a-778f-4c1f-b806-536bc6946d94
2015-01-25 11:12 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\b61a9aa1-c6a2-4fdf-8e76-b62bc216dc2b
2015-01-23 21:19 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\5ec9981e-2ee6-479f-8d6a-cd8274228a53
2015-01-22 20:34 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\b85a2eed-d376-4a88-a8d3-95279e1e8137
2015-01-18 19:25 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\a4aba71c-b51e-401b-99e2-28dd1bc2ab59
2015-01-17 15:59 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\4ff07ec6-a13b-41f4-bf55-c36d092a4973
2015-01-14 18:53 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\20d59262-3625-45bc-b106-ff97f6778bf6
2015-01-26 20:59 - 2014-10-28 07:03 - 00000000 ____D () C:\ProgramData\cab4fbb2-1ac7-44d2-9b7d-0c921d8827f4
2015-01-14 18:41 - 2015-01-26 20:59 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\VzyXdm5
2015-01-14 18:41 - 2015-01-26 20:59 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\noFaNjf
2015-01-26 20:59 - 2014-12-14 11:41 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\kGC4mgU
2015-01-26 20:59 - 2014-11-14 20:10 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\FGnAgzr
C:\Users\Lorraine\AppData\Local\Temp\1F930CC8-E339-2FC0-3339-A4A1A5F8D188.dll
C:\Users\Lorraine\AppData\Local\Temp\46209AC9-174E-C925-70D8-6734ED8E7FC6.dll
C:\Users\Lorraine\AppData\Local\Temp\965C2210-0E12-AE99-A163-581506C0F4C9.dll
C:\Users\Lorraine\AppData\Local\Temp\AAZWKJXEi6.exe
C:\Users\Lorraine\AppData\Local\Temp\Bootstrapper.exe
C:\Users\Lorraine\AppData\Local\Temp\CloudBackup7388.exe
C:\Users\Lorraine\AppData\Local\Temp\ICReinstall_download.exe
C:\Users\Lorraine\AppData\Local\Temp\install_reader11_en_gtba_chra_dy_aaa_aih.exe
C:\Users\Lorraine\AppData\Local\Temp\lPCTZ9eWyh.exe
C:\Users\Lorraine\AppData\Local\Temp\optprosetup.exe
C:\Users\Lorraine\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Lorraine\AppData\Local\Temp\row3zMIyrr.exe
C:\Users\Lorraine\AppData\Local\Temp\Runner2.exe
C:\Users\Lorraine\AppData\Local\Temp\Runner4.exe
C:\Users\Lorraine\AppData\Local\Temp\SpOrder.dll
C:\Users\Lorraine\AppData\Local\Temp\utt4D20.tmp.exe
C:\Users\Lorraine\AppData\Local\Temp\uttE538.tmp.exe
C:\Users\Lorraine\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Lorraine\AppData\Local\Temp\VOPackage_1712.exe
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{7c6e29bc-8b8b-4c3d-859e-af6cd158be0f}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c0-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c4-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c5-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c8-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c9-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> "C:\Users\Lorraine\AppData\Local\Vosteran\Application\31.0.1650.23\delegate_execute.exe" No File
Task: {0DE36395-33A5-452F-BBF8-BB29BA7266B8} - System32\Tasks\FQOBU => C:\Users\Lorraine\AppData\Roaming\FQOBU.exe <==== ATTENTION
Task: {1DE710E2-141C-4034-AD76-8EA2325EE3DD} - System32\Tasks\DZYYbmv5HuqvCTn => C:\Users\Lorraine\AppData\Roaming\FGnAgzr\zjQ6gRG.exe
Task: {24143120-6877-4993-953E-E0652B35AF20} - System32\Tasks\KMWYFE => C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe <==== ATTENTION
Task: {25E24669-CD12-47B4-86B7-70E78F4F579E} - System32\Tasks\3yNnDkueHGJ0nEf => C:\Users\Lorraine\AppData\Roaming\noFaNjf\TOZ39fp.exe [2015-01-14] ( )
Task: {27866BC3-16E9-48AB-B28A-14EF30CB1EBB} - \05719bba-a182-42d3-9110-570e1a8819a8-4 No Task File <==== ATTENTION
Task: {496100C8-EB0E-463F-AEEE-5563DFE59381} - \96e1f90a-b093-42e1-b7bb-db82e2740f78-1 No Task File <==== ATTENTION
Task: {52B06DE6-F643-4C2F-83D2-07990013BD30} - \23140e48-208d-414b-9c88-2020b4a80c85-7 No Task File <==== ATTENTION
Task: C:\Windows\Tasks\FQOBU.job => C:\Users\Lorraine\AppData\Roaming\FQOBU.exe <==== ATTENTION
AppInit_DLLs: C:/PROGRA~2/{D4053~1/171~1.0/caso.dll => C:/PROGRA~2/{D4053~1/171~1.0/caso.dll [649216 2015-01-25] ()
Task: C:\Windows\Tasks\KMWYFE.job => C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe <==== ATTENTION
C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe
C:\Users\Lorraine\AppData\Roaming\FGnAgzr\zjQ6gRG.exe
C:\Users\Lorraine\AppData\Roaming\noFaNjf
C:/PROGRA~2/{D4053~1/171~1.0/caso.dll


#11 Oh My!

Posted 30 January 2015 - 04:05 PM

I have to leave for a couple of hours but just wanted to touch base. Don't worry about the System Information for now. If we really need it we can figure it out.

This isn't really the entire fix log. Are you sure you copied the entire document? It should indicate what FRST did with each entry, i.e. deleted, moved, etc.


Gary
 

#12 fistikuffs (Topic Starter)

Posted 30 January 2015 - 04:23 PM

Hi Gary,

Sorry about that. I did a manual selection instead of Ctrl+A! Here's the full fix.log:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-01-2015 01
Ran by Lorraine at 2015-01-30 20:16:06 Run:1
Running from C:\Users\Lorraine\Desktop
Loaded Profiles: Lorraine (Available profiles: Lorraine)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [HKLM] => ProxyEnable is set.
ProxyServer: [HKLM] => http=127.0.0.1:50758;https=127.0.0.1:50758
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:50758;https=127.0.0.1:50758
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
Toolbar: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
2015-01-25 11:40 - 2015-01-28 19:15 - 00001348 _____ () C:\Windows\Tasks\FQOBU.job
2015-01-25 11:40 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\6dae5d2a-778f-4c1f-b806-536bc6946d94
2015-01-25 11:12 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\b61a9aa1-c6a2-4fdf-8e76-b62bc216dc2b
2015-01-23 21:19 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\5ec9981e-2ee6-479f-8d6a-cd8274228a53
2015-01-22 20:34 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\b85a2eed-d376-4a88-a8d3-95279e1e8137
2015-01-18 19:25 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\a4aba71c-b51e-401b-99e2-28dd1bc2ab59
2015-01-17 15:59 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\4ff07ec6-a13b-41f4-bf55-c36d092a4973
2015-01-14 18:53 - 2015-01-26 20:59 - 00000000 ____D () C:\Program Files\20d59262-3625-45bc-b106-ff97f6778bf6
2015-01-26 20:59 - 2014-10-28 07:03 - 00000000 ____D () C:\ProgramData\cab4fbb2-1ac7-44d2-9b7d-0c921d8827f4
2015-01-14 18:41 - 2015-01-26 20:59 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\VzyXdm5
2015-01-14 18:41 - 2015-01-26 20:59 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\noFaNjf
2015-01-26 20:59 - 2014-12-14 11:41 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\kGC4mgU
2015-01-26 20:59 - 2014-11-14 20:10 - 00000000 ____D () C:\Users\Lorraine\AppData\Roaming\FGnAgzr
C:\Users\Lorraine\AppData\Local\Temp\1F930CC8-E339-2FC0-3339-A4A1A5F8D188.dll
C:\Users\Lorraine\AppData\Local\Temp\46209AC9-174E-C925-70D8-6734ED8E7FC6.dll
C:\Users\Lorraine\AppData\Local\Temp\965C2210-0E12-AE99-A163-581506C0F4C9.dll
C:\Users\Lorraine\AppData\Local\Temp\AAZWKJXEi6.exe
C:\Users\Lorraine\AppData\Local\Temp\Bootstrapper.exe
C:\Users\Lorraine\AppData\Local\Temp\CloudBackup7388.exe
C:\Users\Lorraine\AppData\Local\Temp\ICReinstall_download.exe
C:\Users\Lorraine\AppData\Local\Temp\install_reader11_en_gtba_chra_dy_aaa_aih.exe
C:\Users\Lorraine\AppData\Local\Temp\lPCTZ9eWyh.exe
C:\Users\Lorraine\AppData\Local\Temp\optprosetup.exe
C:\Users\Lorraine\AppData\Local\Temp\ReimagePackage.exe
C:\Users\Lorraine\AppData\Local\Temp\row3zMIyrr.exe
C:\Users\Lorraine\AppData\Local\Temp\Runner2.exe
C:\Users\Lorraine\AppData\Local\Temp\Runner4.exe
C:\Users\Lorraine\AppData\Local\Temp\SpOrder.dll
C:\Users\Lorraine\AppData\Local\Temp\utt4D20.tmp.exe
C:\Users\Lorraine\AppData\Local\Temp\uttE538.tmp.exe
C:\Users\Lorraine\AppData\Local\Temp\vcredist_x86.exe
C:\Users\Lorraine\AppData\Local\Temp\VOPackage_1712.exe
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{7c6e29bc-8b8b-4c3d-859e-af6cd158be0f}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c0-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c4-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c5-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c8-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c9-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\Lorraine\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}\localserver32 -> "C:\Users\Lorraine\AppData\Local\Vosteran\Application\31.0.1650.23\delegate_execute.exe" No File
Task: {0DE36395-33A5-452F-BBF8-BB29BA7266B8} - System32\Tasks\FQOBU => C:\Users\Lorraine\AppData\Roaming\FQOBU.exe <==== ATTENTION
Task: {1DE710E2-141C-4034-AD76-8EA2325EE3DD} - System32\Tasks\DZYYbmv5HuqvCTn => C:\Users\Lorraine\AppData\Roaming\FGnAgzr\zjQ6gRG.exe
Task: {24143120-6877-4993-953E-E0652B35AF20} - System32\Tasks\KMWYFE => C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe <==== ATTENTION
Task: {25E24669-CD12-47B4-86B7-70E78F4F579E} - System32\Tasks\3yNnDkueHGJ0nEf => C:\Users\Lorraine\AppData\Roaming\noFaNjf\TOZ39fp.exe [2015-01-14] ( )
Task: {27866BC3-16E9-48AB-B28A-14EF30CB1EBB} - \05719bba-a182-42d3-9110-570e1a8819a8-4 No Task File <==== ATTENTION
Task: {496100C8-EB0E-463F-AEEE-5563DFE59381} - \96e1f90a-b093-42e1-b7bb-db82e2740f78-1 No Task File <==== ATTENTION
Task: {52B06DE6-F643-4C2F-83D2-07990013BD30} - \23140e48-208d-414b-9c88-2020b4a80c85-7 No Task File <==== ATTENTION
Task: C:\Windows\Tasks\FQOBU.job => C:\Users\Lorraine\AppData\Roaming\FQOBU.exe <==== ATTENTION
AppInit_DLLs: C:/PROGRA~2/{D4053~1/171~1.0/caso.dll => C:/PROGRA~2/{D4053~1/171~1.0/caso.dll [649216 2015-01-25] ()
Task: C:\Windows\Tasks\KMWYFE.job => C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe <==== ATTENTION
C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe
C:\Users\Lorraine\AppData\Roaming\FGnAgzr\zjQ6gRG.exe
C:\Users\Lorraine\AppData\Roaming\noFaNjf
C:/PROGRA~2/{D4053~1/171~1.0/caso.dll
*****************
 
C:\Windows\system32\GroupPolicy\Machine => Moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => Moved successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77}" => Key deleted successfully.
HKCR\CLSID\{DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} => Key not found. 
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-2348153390-1346638800-1696268739-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found. 
C:\Windows\Tasks\FQOBU.job => Moved successfully.
C:\Program Files\6dae5d2a-778f-4c1f-b806-536bc6946d94 => Moved successfully.
C:\Program Files\b61a9aa1-c6a2-4fdf-8e76-b62bc216dc2b => Moved successfully.
C:\Program Files\5ec9981e-2ee6-479f-8d6a-cd8274228a53 => Moved successfully.
C:\Program Files\b85a2eed-d376-4a88-a8d3-95279e1e8137 => Moved successfully.
C:\Program Files\a4aba71c-b51e-401b-99e2-28dd1bc2ab59 => Moved successfully.
C:\Program Files\4ff07ec6-a13b-41f4-bf55-c36d092a4973 => Moved successfully.
C:\Program Files\20d59262-3625-45bc-b106-ff97f6778bf6 => Moved successfully.
C:\ProgramData\cab4fbb2-1ac7-44d2-9b7d-0c921d8827f4 => Moved successfully.
C:\Users\Lorraine\AppData\Roaming\VzyXdm5 => Moved successfully.
C:\Users\Lorraine\AppData\Roaming\noFaNjf => Moved successfully.
C:\Users\Lorraine\AppData\Roaming\kGC4mgU => Moved successfully.
C:\Users\Lorraine\AppData\Roaming\FGnAgzr => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\1F930CC8-E339-2FC0-3339-A4A1A5F8D188.dll => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\46209AC9-174E-C925-70D8-6734ED8E7FC6.dll => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\965C2210-0E12-AE99-A163-581506C0F4C9.dll => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\AAZWKJXEi6.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\Bootstrapper.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\CloudBackup7388.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\ICReinstall_download.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\install_reader11_en_gtba_chra_dy_aaa_aih.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\lPCTZ9eWyh.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\optprosetup.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\ReimagePackage.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\row3zMIyrr.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\Runner2.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\Runner4.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\SpOrder.dll => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\utt4D20.tmp.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\uttE538.tmp.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\vcredist_x86.exe => Moved successfully.
C:\Users\Lorraine\AppData\Local\Temp\VOPackage_1712.exe => Moved successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{7c6e29bc-8b8b-4c3d-859e-af6cd158be0f}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c0-f192-11d4-a65f-0040963251e5}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c4-f192-11d4-a65f-0040963251e5}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c5-f192-11d4-a65f-0040963251e5}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c8-f192-11d4-a65f-0040963251e5}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969c9-f192-11d4-a65f-0040963251e5}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}" => Key deleted successfully.
"HKU\S-1-5-21-2348153390-1346638800-1696268739-1000_Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{0DE36395-33A5-452F-BBF8-BB29BA7266B8}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0DE36395-33A5-452F-BBF8-BB29BA7266B8}" => Key deleted successfully.
C:\Windows\System32\Tasks\FQOBU => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\FQOBU" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1DE710E2-141C-4034-AD76-8EA2325EE3DD}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1DE710E2-141C-4034-AD76-8EA2325EE3DD}" => Key deleted successfully.
C:\Windows\System32\Tasks\DZYYbmv5HuqvCTn => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\DZYYbmv5HuqvCTn" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{24143120-6877-4993-953E-E0652B35AF20}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{24143120-6877-4993-953E-E0652B35AF20}" => Key deleted successfully.
C:\Windows\System32\Tasks\KMWYFE => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\KMWYFE" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{25E24669-CD12-47B4-86B7-70E78F4F579E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{25E24669-CD12-47B4-86B7-70E78F4F579E}" => Key deleted successfully.
C:\Windows\System32\Tasks\3yNnDkueHGJ0nEf => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\3yNnDkueHGJ0nEf" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{27866BC3-16E9-48AB-B28A-14EF30CB1EBB}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{27866BC3-16E9-48AB-B28A-14EF30CB1EBB}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\05719bba-a182-42d3-9110-570e1a8819a8-4" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{496100C8-EB0E-463F-AEEE-5563DFE59381}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{496100C8-EB0E-463F-AEEE-5563DFE59381}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\96e1f90a-b093-42e1-b7bb-db82e2740f78-1" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{52B06DE6-F643-4C2F-83D2-07990013BD30}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{52B06DE6-F643-4C2F-83D2-07990013BD30}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\23140e48-208d-414b-9c88-2020b4a80c85-7" => Key deleted successfully.
C:\Windows\Tasks\FQOBU.job not found.
"C:/PROGRA~2/{D4053~1/171~1.0/caso.dll" => Value Data removed successfully.
C:\Windows\Tasks\KMWYFE.job => Moved successfully.
"C:\Users\Lorraine\AppData\Roaming\KMWYFE.exe" => File/Directory not found.
"C:\Users\Lorraine\AppData\Roaming\FGnAgzr\zjQ6gRG.exe" => File/Directory not found.
"C:\Users\Lorraine\AppData\Roaming\noFaNjf" => File/Directory not found.
C:/PROGRA~2/{D4053~1/171~1.0/caso.dll => Error: No automatic fix found for this entry.
 
 
The system needed a reboot. 
 
==== End of Fixlog 20:16:10 ====
 
Apologies again and thanks,
 
Shane
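As an added example that is not part of this thread, of FRST or of any tool mentioned here: a read-only PowerShell audit of the locations the fixlog above touched (the proxy values in each hive, the local GroupPolicy store, AppInit_DLLs and legacy .job files), so the state can be re-checked after the reboot without changing anything. The Internet Explorer policy key paths are assumed common locations for the "managed by your system administrator" notice, not values taken from the log; the loopback pattern follows the 127.0.0.1:50758 proxy described in the first post.

```powershell
# Added example, not from the thread or from FRST: read-only audit of the
# proxy/policy/AppInit locations the fixlog cleaned. Run from an elevated prompt.
$findings = @()

# 1. Proxy values in the hives the fixlog cleaned (HKLM, HKU\.DEFAULT) plus the
#    current user, which is where a per-user hijack usually lives.
$proxyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)
foreach ($key in $proxyKeys) {
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p.ProxyEnable -eq 1 -or $p.ProxyServer) {
        $findings += "Proxy set in ${key}: Enable=$($p.ProxyEnable) Server=$($p.ProxyServer)"
        # A loopback proxy means a component on the machine itself is relaying the browser traffic.
        if ("$($p.ProxyServer)" -match '(^|=)(127\.|localhost)') {
            $findings += "  -> loopback proxy, typical of a local interception component"
        }
    }
}

# 2. Policy keys that make the Internet Options connection tab read "managed by your
#    system administrator" on a machine that is not domain-joined (assumed locations).
$policyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\Control Panel',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel',
    'HKLM:\Software\Policies\Google'
)
foreach ($key in $policyKeys) {
    if (Test-Path $key) { $findings += "Policy key present: $key" }
}

# 3. Local Group Policy store: the fixlog moved GroupPolicy\Machine and GPT.ini.
#    On a non-domain home machine these files normally do not exist at all.
$gpoPaths = @(
    "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol",
    "$env:SystemRoot\System32\GroupPolicy\User\Registry.pol",
    "$env:SystemRoot\System32\GroupPolicy\gpt.ini"
)
foreach ($path in $gpoPaths) {
    if (Test-Path $path) { $findings += "Local policy file present: $path" }
}

# 4. AppInit_DLLs, which the fixlog could only partly clear (caso.dll).
$winKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$w = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
if ($w.AppInit_DLLs) {
    $findings += "AppInit_DLLs still set: $($w.AppInit_DLLs) (LoadAppInit_DLLs=$($w.LoadAppInit_DLLs))"
}

# 5. Legacy .job files like FQOBU.job / KMWYFE.job that re-launch droppers from AppData.
Get-ChildItem "$env:SystemRoot\Tasks" -Filter *.job -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Legacy task file: $($_.FullName)" }

if ($findings.Count -eq 0) { 'No proxy, policy, AppInit or legacy task leftovers found.' }
else { $findings }
```

Anything the script lists after the reboot points at a component that survived the fix and should go back into the next FRST fixlist rather than being deleted by hand.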


#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,380 posts
  • Gender:Male
  • Location:California

Posted 30 January 2015 - 05:38 PM

No problem Shane. That looks good.

Please do these things.

===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

9-Lab Removal Tool

--------------------
  • Download 9-Lab Removal Tool for either 64 bit or 32 bit computers and save it to your Desktop
  • Double click the rmtool-setup icon
  • Click Next, I Agree, then Install
  • Click Finish to automatically launch the program
  • Click Settings, then place a check mark in Open log file immediately after saving
  • Click Scanner, then Full scan
  • When completed click Show Results
  • Click Clean
  • Close the window without clicking Save Log (it has already been saved)
  • Copy and paste the contents of the 9lab log in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run Note: If you receive an error message attempt to run the program in Safe Mode
  • Press any key to start the program
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Junkware log
  • 9lab log
  • Security Check log
  • Update on your computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#14 fistikuffs

fistikuffs
  • Topic Starter

  • Members
  • 22 posts

Posted 31 January 2015 - 06:44 AM

Hi Gary,

 

I've run JRT and the 9-Lab removal tool; the logs are below. The JRT log doesn't seem to have a lot of info in it, so hopefully I didn't do something wrong.

 

Security Check won't run; it gives the message: Unsupported Operating System. I can't run it in Safe Mode as I'm remotely accessing this PC. When my sister is home later I'll talk her through running Security Check in Safe Mode and I'll post the log.

 

JRT:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Professional x86
Ran by Lorraine on 31/01/2015 at 10:44:55.44
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 31/01/2015 at 10:46:56.59
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
9-Lab removal:
 
9-lab Removal Tool 1.0.0.25 BETA
9-lab.com
 
Database version: 95.28160
 
Windows 7 Service Pack 1 (Version 6.1, Build 7601, 32-bit Edition)
Internet Explorer 9.11.9600.17501
Lorraine :: LORRAINE-PC not implemented yet
 
31/01/2015 11:07:22
9lab-log-2015-01-31 (11-07-22).txt
 
Scan type: 
Objects scanned: 21675
Time Elapsed: 17 m 52 s
 
Registry Keys detected: 28
Virtool.RPL.Gen.rc [\software\classes\interface\{79fb5fc8-44b9-4af5-badd-cce547f953e5}]
Virtool.RPL.Gen.vb [\software\classes\583e31c01eeb0132f0d1712b8d7ccf2e0064755.sandbox]
Virtool.RPL.Gen.vb [\software\classes\583e31c01eeb0132f0d1712b8d7ccf2e0064755.bho]
Virtool.RPL.Gen.vb [\software\maxpower]
Virtool.RPL.Gen.vb [\software\classes\interface\{9b41579a-1996-42f9-8f84-7b7786818cef}]
Virtool.RPL.Gen.sm [\software\classes\mime\database\content type\application/x-vnd.google.oneclickctrl.10]
Virtool.RPL.Gen.sm [\software\classes\interface\{ed0b64d4-bf27-4521-ad27-190f49bf5ea7}]
Virtool.RPL.Gen.sm [\software\classes\interface\{e3f3e8f9-f747-4dd6-ba6b-82a6ce1e0860}]
Virtool.RPL.Gen.sm [\software\classes\interface\{dd1f043f-abc8-4643-8b95-d2c5b22bb019}]
Virtool.RPL.Gen.sm [\software\classes\interface\{d14d64bc-a0e4-42e3-bb72-fb41ea43c198}]
Virtool.RPL.Gen.sm [\software\classes\interface\{a8f7d0a5-7074-40b8-9bdc-1174bdd0a132}]
Virtool.RPL.Gen.sm [\software\classes\interface\{a78edafb-926f-4d93-ab13-8232d7378eb1}]
Virtool.RPL.Gen.sm [\software\classes\interface\{a6d54287-7939-466a-8579-92546d946c8c}]
Virtool.RPL.Gen.sm [\software\classes\interface\{9b9a45f4-18fc-484a-baca-076d78273d8e}]
Virtool.RPL.Gen.sm [\software\classes\interface\{9b4f7cfe-987d-410e-a8e4-20182e0b3c24}]
Virtool.RPL.Gen.sm [\software\classes\interface\{823ae2eb-e62c-4847-b192-c99b91b92416}]
Virtool.RPL.Gen.sm [\software\classes\interface\{8120d9d6-785c-4413-9c0c-df2028c56fad}]
Virtool.RPL.Gen.sm [\software\classes\interface\{59d188fa-757a-424e-8c93-f58ffd896bd7}]
Virtool.RPL.Gen.sm [\software\classes\interface\{555d7146-94a8-4c94-ae76-c39cdc7f7705}]
Virtool.RPL.Gen.sm [\software\classes\interface\{4517d94c-19ba-46fa-be66-2a30ceac4a85}]
Virtool.RPL.Gen.sm [\software\classes\interface\{3cc60715-d6c5-429d-830e-43fa3f86c61d}]
Virtool.RPL.Gen.sm [\software\classes\interface\{3a807417-b46d-4d37-8c9a-19ac6de204f9}]
Virtool.RPL.Gen.sm [\software\classes\interface\{224fe662-1e6d-4bc0-aebb-9e2fb4057be9}]
Virtool.RPL.Gen.sm [\software\classes\interface\{212e6d43-6062-492a-b8cc-144669ff11ed}]
Virtool.RPL.Gen.sm [\software\classes\interface\{0c40f472-7407-4467-8914-1dea7c326972}]
Virtool.RPL.Gen.sm [\software\classes\interface\{07f41522-af7d-4f26-b394-094f059fdb8a}]
Virtool.RPL.Gen.sm [\software\classes\interface\{0522d9a4-4d57-437d-978d-e5b3b6c9005d}]
Virtool.RPL.Gen.vb [\software\classes\interface\{023e9ec8-b147-40eb-b0b3-df90618fb371}]
 
 
Files detected: 28
Virtool.RPL.Gen.rc [\software\classes\interface\{79fb5fc8-44b9-4af5-badd-cce547f953e5}]
Virtool.RPL.Gen.vb [\software\classes\583e31c01eeb0132f0d1712b8d7ccf2e0064755.sandbox]
Virtool.RPL.Gen.vb [\software\classes\583e31c01eeb0132f0d1712b8d7ccf2e0064755.bho]
Virtool.RPL.Gen.vb [\software\maxpower]
Virtool.RPL.Gen.vb [\software\classes\interface\{9b41579a-1996-42f9-8f84-7b7786818cef}]
Virtool.RPL.Gen.sm [\software\classes\mime\database\content type\application/x-vnd.google.oneclickctrl.10]
Virtool.RPL.Gen.sm [\software\classes\interface\{ed0b64d4-bf27-4521-ad27-190f49bf5ea7}]
Virtool.RPL.Gen.sm [\software\classes\interface\{e3f3e8f9-f747-4dd6-ba6b-82a6ce1e0860}]
Virtool.RPL.Gen.sm [\software\classes\interface\{dd1f043f-abc8-4643-8b95-d2c5b22bb019}]
Virtool.RPL.Gen.sm [\software\classes\interface\{d14d64bc-a0e4-42e3-bb72-fb41ea43c198}]
Virtool.RPL.Gen.sm [\software\classes\interface\{a8f7d0a5-7074-40b8-9bdc-1174bdd0a132}]
Virtool.RPL.Gen.sm [\software\classes\interface\{a78edafb-926f-4d93-ab13-8232d7378eb1}]
Virtool.RPL.Gen.sm [\software\classes\interface\{a6d54287-7939-466a-8579-92546d946c8c}]
Virtool.RPL.Gen.sm [\software\classes\interface\{9b9a45f4-18fc-484a-baca-076d78273d8e}]
Virtool.RPL.Gen.sm [\software\classes\interface\{9b4f7cfe-987d-410e-a8e4-20182e0b3c24}]
Virtool.RPL.Gen.sm [\software\classes\interface\{823ae2eb-e62c-4847-b192-c99b91b92416}]
Virtool.RPL.Gen.sm [\software\classes\interface\{8120d9d6-785c-4413-9c0c-df2028c56fad}]
Virtool.RPL.Gen.sm [\software\classes\interface\{59d188fa-757a-424e-8c93-f58ffd896bd7}]
Virtool.RPL.Gen.sm [\software\classes\interface\{555d7146-94a8-4c94-ae76-c39cdc7f7705}]
Virtool.RPL.Gen.sm [\software\classes\interface\{4517d94c-19ba-46fa-be66-2a30ceac4a85}]
Virtool.RPL.Gen.sm [\software\classes\interface\{3cc60715-d6c5-429d-830e-43fa3f86c61d}]
Virtool.RPL.Gen.sm [\software\classes\interface\{3a807417-b46d-4d37-8c9a-19ac6de204f9}]
Virtool.RPL.Gen.sm [\software\classes\interface\{224fe662-1e6d-4bc0-aebb-9e2fb4057be9}]
Virtool.RPL.Gen.sm [\software\classes\interface\{212e6d43-6062-492a-b8cc-144669ff11ed}]
Virtool.RPL.Gen.sm [\software\classes\interface\{0c40f472-7407-4467-8914-1dea7c326972}]
Virtool.RPL.Gen.sm [\software\classes\interface\{07f41522-af7d-4f26-b394-094f059fdb8a}]
Virtool.RPL.Gen.sm [\software\classes\interface\{0522d9a4-4d57-437d-978d-e5b3b6c9005d}]
Virtool.RPL.Gen.vb [\software\classes\interface\{023e9ec8-b147-40eb-b0b3-df90618fb371}]
Malware.MPL.Gen.sm [c:\users\lorraine\appdata\local\dsisetup18815432.exe]
Malware.Win32.Gen.bot!s1 [C:\FRST\Quarantine\C\Users\Lorraine\AppData\Roaming\noFaNjf\TOZ39fp.exe]
Malware.Win32.Gen.sm!s1 [C:\Program Files\Optimizer Pro 3.33\OptProReminder.exe]
Virtool.Win32.Gen.vb!i [C:\Users\Lorraine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2JOGFH3W\OrbiterInstaller[1].exe]
Virtool.Win32.Gen.vb!i [C:\Users\Lorraine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4NRWCN1Z\SmartWebInstaller[1].exe]
Malware.Win32.Gen.sm!i [C:\Users\Lorraine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G3SJ9BXM\VuuPC2-20141229[1].exe]
Malware.Win32.Gen.sm!s5 [C:\Users\Lorraine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z7QLD8S2\the_hobbit_downloader.exe]
Malware.Win32.Gen.680B.sm!ff [C:\Users\Lorraine\AppData\Local\Temp\48F2tmp\vopackage.exe]
Trojan.Win32.Gen.vb!i [C:\Users\Lorraine\AppData\Local\Temp\48F3tmp\speedupmypc.exe]
Malware.Win32.Gen.bot!s1 [C:\Users\Lorraine\AppData\Local\Temp\d142cbad91914b5995ca83390c89115f\467c795afffd427384c076f5ed645b791120\wsrv.exe]
Malware.Win32.Gen.bot!s1 [C:\Users\Lorraine\AppData\Local\Temp\d142cbad91914b5995ca83390c89115f\523aa5da768e41b8be8835bab89db3281103\trustedwinman.exe]
Malware.Win32.Gen.bot!s1 [C:\Users\Lorraine\AppData\Local\Temp\d142cbad91914b5995ca83390c89115f\6484a7443d2e452e992adcf2b84fbbfc1125\winsrvinst.exe]
Malware.Win32.Gen.bot!s1 [C:\Users\Lorraine\AppData\Local\Temp\d142cbad91914b5995ca83390c89115f\be7d544b39314b81a58656b9283a082738\winman.exe]
Malware.Win32.Gen.bot!s1 [C:\Users\Lorraine\AppData\Local\Temp\d142cbad91914b5995ca83390c89115f\ed947c254d30423c809d20d3e82647161067\winsrvinst.exe]
Malware.Win32.Gen.bot!s1 [C:\Users\Lorraine\AppData\Local\Temp\d142cbad91914b5995ca83390c89115f\f05cba5b8c36427cb2552a20ba3049d81101\wsint.exe]
Malware.Win32.Gen.bot!s1 [C:\Users\Lorraine\AppData\Local\Temp\d142cbad91914b5995ca83390c89115f\f3eccb10c445470a8d6436070fcff11f1153\winman.exe]
Malware.Win32.Gen.bot!s1 [C:\Users\Lorraine\AppData\Local\Temp\d142cbad91914b5995ca83390c89115f\iman2.exe]
Malware.Win32.Gen.sm!s5 [C:\Users\Lorraine\AppData\Local\Temp\fGvOxp1LIU.tmp]
Virtool.Win32.Gen.vb!s1 [C:\Users\Lorraine\AppData\Local\Temp\is-269BV.tmp\InstallerExtensions.dll]
Virtool.Win32.Gen.vb!s1 [C:\Users\Lorraine\AppData\Local\Temp\is-GS8PD.tmp\InstallerExtensions.dll]
Virtool.Win32.Gen.vb!s1 [C:\Users\Lorraine\AppData\Local\Temp\is-PMI8A.tmp\InstallerExtensions.dll]
Trojan.Win32.Gen.vb!i [C:\Users\Lorraine\AppData\Local\Temp\is-PMI8A.tmp\SpeedUpMyPC-standalone-setup.exe]
Virtool.Win32.Gen.vb!s1 [C:\Users\Lorraine\AppData\Local\Temp\is-U8K2L.tmp\InstallerExtensions.dll]
Trojan.Win32.Gen.vb!i [C:\Users\Lorraine\AppData\Local\Temp\is-U8K2L.tmp\sp-standalone-setup.exe]
Virtool.Win32.Gen.sm [C:\Users\Lorraine\AppData\Local\Temp\nscF45D.tmp\StdUtils.dll]
Malware.Win32.Gen.629F.sm!ff [C:\Users\Lorraine\AppData\Local\Temp\nscF45D.tmp\webplayer.exe]
Malware.Win32.Gen.sm!s5 [C:\Users\Lorraine\AppData\Local\Temp\WvnFdkV7XD.tmp]
Malware.Win32.Gen.bot!s1 [C:\Users\Lorraine\Downloads\setup (2).exe]
 
Thanks,
 
Shane


#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,380 posts
  • Gender:Male
  • Location:California

Posted 31 January 2015 - 08:43 AM

Hi Shane,

 

You didn't do anything wrong with JRT.

 

As far as the Security Check, reboot the computer then try to run it again in Normal Boot.


Edited by Oh My!, 31 January 2015 - 08:46 AM.

Gary
 



