Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

My Wife's PC has malware

Re: My Wife's PC has malware

Post by tnesler » November 11th, 2013, 10:06 pm

I ran FRST successfully following your instructions. Here is the Fixlog.txt file. The fix operation did not take more than a minute to process which makes me a little nervous...;-/

I have not started the infected computer yet in normal mode. I figured there was no point in doing that until you give the all clear.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 10-11-2013 01
Ran by SYSTEM at 2013-11-11 20:01:45 Run:1
Running from D:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
(COMPANYVERS_NAME) C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe
(MindSpark) C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe
(VER_COMPANY_NAME) C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe
HKLM\...\Run: [FromDocToPDF Search Scope Monitor] - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe [44784 2013-06-24] (MindSpark)
HKLM\...\Run: [FromDocToPDF_65 Browser Plugin Loader] - C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe [30096 2013-06-24] (VER_COMPANY_NAME)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {7e71ba7c-376f-11df-9e5f-00269e0b901e} - D:\LaunchU3.exe -a
MountPoints2: {de46b73d-1093-11e0-ab74-00269e0b901e} - E:\Windows\bin\eblSetup.exe
MountPoints2: {ef6316fd-2fea-11e0-abad-00269e0b901e} - D:\LaunchU3.exe -a
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml ... 57&p2= ^Y6^xdm003^YY^us&ptb=87F9B5A7-1A6A-4179-A4B1-5C9585FE55A5&si=CNrN44-Q_rcCFc1cMgodX1oAuA
URLSearchHook: HKCU - (No Name) - {4c60e5ab-5c68-4c59-abaa-885010b24b32} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q= {searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q= {searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8
SearchScopes: HKCU - {2487D5C1-0C30-4457-8532-2431C3BCB8EE} URL = http://isearch.avg.com/search?cid= {DECFAAD5-80B9-48B6-B814-2D9C0F3A1129}&mid=812065f8a3e237250d9030fa7aa40137-b60c989b9a805664a229481db4ea5b647d6c2de4&lang=en&ds=AVG&pr=fr&d=2011-10-15 14:24:37&v=9.0.0.18&sap=dsp&q={searchTerms}
BHO: Toolbar BHO - {a235e1e3-6296-4710-af39-104a7faa6c7c} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Assistant BHO - {f236ca79-3123-4afb-9f74-e98117ad5625} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKLM - FromDocToPDF - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
FF Plugin: @FromDocToPDF_65.com/Plugin - C:\Program Files\FromDocToPDF_65\bar\1.bin\NP65Stub.dll (MindSpark)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml
FF Extension: FromDocToPDF - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\65ffxtbr@FromDocToPDF_65.com
FF Extension: Search Toolbar - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\searchtoolbar@zugo.com
FF HKLM\...\Firefox\Extensions: [65ffxtbr@FromDocToPDF_65.com] - C:\Program Files\FromDocToPDF_65\bar\1.bin
FF Extension: FromDocToPDF - C:\Program Files\FromDocToPDF_65\bar\1.bin
R2 FromDocToPDF_65Service; C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe [42504 2013-06-24] (COMPANYVERS_NAME)
2013-11-05 05:21 - 2011-02-03 20:24 - 00000000 ____D C:\Program Files\Search Toolbar
C:\Users\Kathy\AppData\Roaming\124tre.ini
C:\Users\Kathy\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install

*****************

C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe => No running process found
C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe => No running process found
C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe => No running process found
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\FromDocToPDF Search Scope Monitor => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\FromDocToPDF_65 Browser Plugin Loader => Value deleted successfully.
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path) => Error: The entry should be fixed outside recovery mode.
MountPoints2: {7e71ba7c-376f-11df-9e5f-00269e0b901e} - D:\LaunchU3.exe -a => Error: The entry should be fixed outside recovery mode.
MountPoints2: {de46b73d-1093-11e0-ab74-00269e0b901e} - E:\Windows\bin\eblSetup.exe => Error: The entry should be fixed outside recovery mode.
MountPoints2: {ef6316fd-2fea-11e0-abad-00269e0b901e} - D:\LaunchU3.exe -a => Error: The entry should be fixed outside recovery mode.
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml ... 57&p2= ^Y6^xdm003^YY^us&ptb=87F9B5A7-1A6A-4179-A4B1-5C9585FE55A5&si=CNrN44-Q_rcCFc1cMgodX1oAuA => Error: The entry should be fixed outside recovery mode.
URLSearchHook: HKCU - (No Name) - {4c60e5ab-5c68-4c59-abaa-885010b24b32} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark) => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q= {searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8 => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q= {searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8 => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKCU - {2487D5C1-0C30-4457-8532-2431C3BCB8EE} URL = http://isearch.avg.com/search?cid= {DECFAAD5-80B9-48B6-B814-2D9C0F3A1129}&mid=812065f8a3e237250d9030fa7aa40137-b60c989b9a805664a229481db4ea5b647d6c2de4&lang=en&ds=AVG&pr=fr&d=2011-10-15 14:24:37&v=9.0.0.18&sap=dsp&q={searchTerms} => Error: The entry should be fixed outside recovery mode.
BHO: Toolbar BHO - {a235e1e3-6296-4710-af39-104a7faa6c7c} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark) => Error: The entry should be fixed outside recovery mode.
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File => Error: The entry should be fixed outside recovery mode.
BHO: Search Assistant BHO - {f236ca79-3123-4afb-9f74-e98117ad5625} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark) => Error: The entry should be fixed outside recovery mode.
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File => Error: The entry should be fixed outside recovery mode.
Toolbar: HKLM - FromDocToPDF - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark) => Error: The entry should be fixed outside recovery mode.
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File => Error: The entry should be fixed outside recovery mode.
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File => Error: The entry should be fixed outside recovery mode.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab => Error: The entry should be fixed outside recovery mode.
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab => Error: The entry should be fixed outside recovery mode.
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab => Error: The entry should be fixed outside recovery mode.
FF Plugin: @FromDocToPDF_65.com/Plugin - C:\Program Files\FromDocToPDF_65\bar\1.bin\NP65Stub.dll (MindSpark) => Error: The entry should be fixed outside recovery mode.
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml => Error: The entry should be fixed outside recovery mode.
FF Extension: FromDocToPDF - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\65ffxtbr@FromDocToPDF_65.com => Error: The entry should be fixed outside recovery mode.
FF Extension: Search Toolbar - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\searchtoolbar@zugo.com => Error: The entry should be fixed outside recovery mode.
FF HKLM\...\Firefox\Extensions: [65ffxtbr@FromDocToPDF_65.com] - C:\Program Files\FromDocToPDF_65\bar\1.bin => Error: The entry should be fixed outside recovery mode.
FF Extension: FromDocToPDF - C:\Program Files\FromDocToPDF_65\bar\1.bin => Error: The entry should be fixed outside recovery mode.
FromDocToPDF_65Service => Service deleted successfully.
C:\Program Files\Search Toolbar => Moved successfully.
C:\Users\Kathy\AppData\Roaming\124tre.ini => Moved successfully.
C:\Users\Kathy\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Program Files\Google\Desktop\Install => Deleted successfully.

==== End of Fixlog ====
Last edited by tnesler on November 12th, 2013, 9:42 am, edited 1 time in total.
tnesler
Regular Member
 
Posts: 33
Joined: September 12th, 2013, 11:42 am

Re: My Wife's PC has malware

Post by nunped » November 12th, 2013, 6:24 am

Hi tnesler,

Good job! It cleaned a few things. Let's try in normal mode now:
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad (Do not include the words "Code: Select all"; click "Select all" to select all the content of the box.)
Code: Select all
C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe
C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe
C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {7e71ba7c-376f-11df-9e5f-00269e0b901e} - D:\LaunchU3.exe -a
MountPoints2: {de46b73d-1093-11e0-ab74-00269e0b901e} - E:\Windows\bin\eblSetup.exe
MountPoints2: {ef6316fd-2fea-11e0-abad-00269e0b901e} - D:\LaunchU3.exe -a
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml ... 57&p2= ^Y6^xdm003^YY^us&ptb=87F9B5A7-1A6A-4179-A4B1-5C9585FE55A5&si=CNrN44-Q_rcCFc1cMgodX1oAuA
URLSearchHook: HKCU - (No Name) - {4c60e5ab-5c68-4c59-abaa-885010b24b32} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q= {searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q= {searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8
SearchScopes: HKCU - {2487D5C1-0C30-4457-8532-2431C3BCB8EE} URL = http://isearch.avg.com/search?cid= {DECFAAD5-80B9-48B6-B814-2D9C0F3A1129}&mid=812065f8a3e237250d9030fa7aa40137-b60c989b9a805664a229481db4ea5b647d6c2de4&lang=en&ds=AVG&pr=fr&d=2011-10-15 14:24:37&v=9.0.0.18&sap=dsp&q={searchTerms}
BHO: Toolbar BHO - {a235e1e3-6296-4710-af39-104a7faa6c7c} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Assistant BHO - {f236ca79-3123-4afb-9f74-e98117ad5625} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKLM - FromDocToPDF - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
FF Plugin: @FromDocToPDF_65.com/Plugin - C:\Program Files\FromDocToPDF_65\bar\1.bin\NP65Stub.dll (MindSpark)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml
FF Extension: FromDocToPDF - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\65ffxtbr@FromDocToPDF_65.com
FF Extension: Search Toolbar - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\searchtoolbar@zugo.com
FF HKLM\...\Firefox\Extensions: [65ffxtbr@FromDocToPDF_65.com] - C:\Program Files\FromDocToPDF_65\bar\1.bin
FF Extension: FromDocToPDF - C:\Program Files\FromDocToPDF_65\bar\1.bin

  • Save it as fixlist.txt on your Desktop.
  • Run frst.exe (it should also be saved on your Desktop).
  • Press Fix.
  • Post me the log it creates.

Step 2 - aswMBR - Scan
Please download aswMBR.exe ... © Avast Software ( 511KB ). Save it to your desktop.
  1. Right click the aswMBR.exe icon and select "run as administrator" to run it.
  2. aswMBR uses Avast's virus definitions; if prompted to download definitions, reply Yes.
    It may take some time for these definitions to download, please be patient.
  3. Make sure Quick Scan is set in the options, then click the "Scan" button to start the scan.
    The scan will take a few minutes, please be patient.
  4. On completion, "Scan finished successfully" will be displayed. Press the "Save log" button.
  5. You'll be prompted to save a file named "aswMBR.txt". Save it to your desktop.
  6. Please copy and paste the contents of aswMBR.txt in your next reply.
Note: A file named MBR.dat will be created and placed on your desktop when you execute aswMBR.
This is a copy of your MBR record, taken before any changes, to be used to restore the MBR to its previous condition if a problem exists after the changes.
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal
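The follow-up fixlist in the post above is exactly the set of entries the Recovery-mode Fixlog reported as "should be fixed outside recovery mode", plus the three process paths that had nothing to close. As an added example (not FRST's code and not anything posted in the thread), here is a small Python parser that reads a Fixlog.txt, tallies the outcomes and derives that follow-up list automatically. SAMPLE_FIXLOG, the vendor and the paths in it are constructed, and carrying "No running process found" entries over as bare paths is an assumption that mirrors what the helper did by hand.

```python
"""Parse an FRST Fixlog.txt and derive the fixlist to re-run in Normal mode."""
from dataclasses import dataclass

RULER = "*****************"
DEFERRED = "should be fixed outside recovery mode"

# Constructed sample modelled on the thread's recovery-mode Fixlog; not the real log.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 10-11-2013 01
Ran by SYSTEM at 2013-11-11 20:01:45 Run:1
Running from D:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
(ExampleVendor) C:\Program Files\ExampleBar\bar\1.bin\barsvc.exe
HKLM\...\Run: [ExampleBar Monitor] - C:\Program Files\ExampleBar\bar\1.bin\mon.exe [30096 2013-06-24] (ExampleVendor)
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION
BHO: Example BHO - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleBar\bar\1.bin\bar.dll (ExampleVendor)
R2 ExampleBarService; C:\Program Files\ExampleBar\bar\1.bin\barsvc.exe [42504 2013-06-24] (ExampleVendor)
C:\Users\User\AppData\Roaming\example.ini

*****************

C:\Program Files\ExampleBar\bar\1.bin\barsvc.exe => No running process found
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ExampleBar Monitor => Value deleted successfully.
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION => Error: The entry should be fixed outside recovery mode.
BHO: Example BHO - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleBar\bar\1.bin\bar.dll (ExampleVendor) => Error: The entry should be fixed outside recovery mode.
ExampleBarService => Service deleted successfully.
C:\Users\User\AppData\Roaming\example.ini => Moved successfully.

==== End of Fixlog ====
"""


@dataclass
class Fixlog:
    boot_mode: str
    fixlist: list   # entries between the two rulers, blank lines dropped
    results: list   # (target, outcome) per "<target> => <outcome>" line


def parse_fixlog(text: str) -> Fixlog:
    lines = text.splitlines()
    boot_mode = next((ln.split(":", 1)[1].strip() for ln in lines
                      if ln.startswith("Boot Mode:")), "Unknown")
    rulers = [i for i, ln in enumerate(lines) if ln.strip() == RULER]
    if len(rulers) < 2:
        raise ValueError("fixlist rulers not found; is this a Fixlog.txt?")
    fixlist = [ln for ln in lines[rulers[0] + 1:rulers[1]] if ln.strip()]
    results = []
    for ln in lines[rulers[1] + 1:]:
        if ln.startswith("==== End of Fixlog"):
            break
        # rpartition: entries may contain '=' (URLs, '<=====') but never ' => '
        target, sep, outcome = ln.rpartition(" => ")
        if sep:
            results.append((target.strip(), outcome.strip()))
    return Fixlog(boot_mode, fixlist, results)


def classify(outcome: str) -> str:
    o = outcome.lower()
    if DEFERRED in o:
        return "deferred"    # recovery mode refused it; needs a Normal-mode run
    if "successfully" in o:
        return "done"
    if "no running process found" in o:
        return "no_process"  # nothing to close in recovery mode; file still on disk
    if "not found" in o:
        return "not_found"   # e.g. an orphan HKCR\CLSID key
    return "other"


def summarize(log: Fixlog) -> dict:
    counts = {}
    for _, outcome in log.results:
        kind = classify(outcome)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def follow_up_fixlist(log: Fixlog) -> list:
    """Entries to paste into the next fixlist.txt after a Recovery-mode run.

    Deferred entries are carried over verbatim (FRST echoes them unchanged).
    A process entry with nothing to close is carried over as its bare path,
    which FRST then treats as a file to move; that mirrors what the helper
    did by hand in the thread and is an assumption, not FRST documentation.
    """
    if log.boot_mode.lower() != "recovery":
        return []
    return [target for target, outcome in log.results
            if classify(outcome) in ("deferred", "no_process")]


if __name__ == "__main__":
    log = parse_fixlog(SAMPLE_FIXLOG)
    print("Boot mode:", log.boot_mode, "| outcomes:", summarize(log))
    print("\n".join(follow_up_fixlist(log)))
```

Registry results are printed by FRST as the resolved key path rather than the original fixlist line, so only deferred entries can be matched back to the fixlist by text; the summary counts are what tell you whether a Normal-mode run is still needed.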

Re: My Wife's PC has malware

Post by tnesler » November 12th, 2013, 9:41 am

Will do.
tnesler
Regular Member
 
Posts: 33
Joined: September 12th, 2013, 11:42 am

Re: My Wife's PC has malware

Post by tnesler » November 12th, 2013, 11:41 pm

Here are the results of my scans. No errors encountered.

FixLog.Txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 10-11-2013 01
Ran by Kathy at 2013-11-12 19:15:54 Run:2
Running from C:\Users\Kathy\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe
C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe
C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {7e71ba7c-376f-11df-9e5f-00269e0b901e} - D:\LaunchU3.exe -a
MountPoints2: {de46b73d-1093-11e0-ab74-00269e0b901e} - E:\Windows\bin\eblSetup.exe
MountPoints2: {ef6316fd-2fea-11e0-abad-00269e0b901e} - D:\LaunchU3.exe -a
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.mywebsearch.com/index.jhtml ... 57&p2= ^Y6^xdm003^YY^us&ptb=87F9B5A7-1A6A-4179-A4B1-5C9585FE55A5&si=CNrN44-Q_rcCFc1cMgodX1oAuA
URLSearchHook: HKCU - (No Name) - {4c60e5ab-5c68-4c59-abaa-885010b24b32} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q= {searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q= {searchTerms}&affID=114066&tt=2912_7&babsrc=SP_ss&mntrId=285fc8d00000000000000022fb66b6b8
SearchScopes: HKCU - {2487D5C1-0C30-4457-8532-2431C3BCB8EE} URL = http://isearch.avg.com/search?cid= {DECFAAD5-80B9-48B6-B814-2D9C0F3A1129}&mid=812065f8a3e237250d9030fa7aa40137-b60c989b9a805664a229481db4ea5b647d6c2de4&lang=en&ds=AVG&pr=fr&d=2011-10-15 14:24:37&v=9.0.0.18&sap=dsp&q={searchTerms}
BHO: Toolbar BHO - {a235e1e3-6296-4710-af39-104a7faa6c7c} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
BHO: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Assistant BHO - {f236ca79-3123-4afb-9f74-e98117ad5625} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
Toolbar: HKLM - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKLM - FromDocToPDF - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65bar.dll (MindSpark)
Toolbar: HKCU - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKCU - No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
FF Plugin: @FromDocToPDF_65.com/Plugin - C:\Program Files\FromDocToPDF_65\bar\1.bin\NP65Stub.dll (MindSpark)
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml
FF Extension: FromDocToPDF - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\65ffxtbr@FromDocToPDF_65.com
FF Extension: Search Toolbar - C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\searchtoolbar@zugo.com
FF HKLM\...\Firefox\Extensions: [65ffxtbr@FromDocToPDF_65.com] - C:\Program Files\FromDocToPDF_65\bar\1.bin
FF Extension: FromDocToPDF - C:\Program Files\FromDocToPDF_65\bar\1.bin
*****************

C:\PROGRA~1\FROMDO~2\bar\1.bin\65barsvc.exe => Moved successfully.
C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrchMn.exe => Moved successfully.
C:\Program Files\FromDocToPDF_65\bar\1.bin\65brmon.exe => Moved successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7e71ba7c-376f-11df-9e5f-00269e0b901e} => Key deleted successfully.
HKCR\CLSID\{7e71ba7c-376f-11df-9e5f-00269e0b901e} => Key not found.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{de46b73d-1093-11e0-ab74-00269e0b901e} => Key deleted successfully.
HKCR\CLSID\{de46b73d-1093-11e0-ab74-00269e0b901e} => Key not found.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ef6316fd-2fea-11e0-abad-00269e0b901e} => Key deleted successfully.
HKCR\CLSID\{ef6316fd-2fea-11e0-abad-00269e0b901e} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{4c60e5ab-5c68-4c59-abaa-885010b24b32} => Value deleted successfully.
HKCR\CLSID\{4c60e5ab-5c68-4c59-abaa-885010b24b32} => Key deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2487D5C1-0C30-4457-8532-2431C3BCB8EE} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{2487D5C1-0C30-4457-8532-2431C3BCB8EE} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a235e1e3-6296-4710-af39-104a7faa6c7c} => Key deleted successfully.
HKCR\CLSID\{a235e1e3-6296-4710-af39-104a7faa6c7c} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key deleted successfully.
HKCR\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f236ca79-3123-4afb-9f74-e98117ad5625} => Key deleted successfully.
HKCR\CLSID\{f236ca79-3123-4afb-9f74-e98117ad5625} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => Value deleted successfully.
HKCR\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{c66a678d-5e6c-4af9-8f57-c6192f42cf74} => Value deleted successfully.
HKCR\CLSID\{c66a678d-5e6c-4af9-8f57-c6192f42cf74} => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => Value deleted successfully.
HKCR\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Value deleted successfully.
HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93} => Key deleted successfully.
HKCR\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} => Key deleted successfully.
HKCR\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} => Key deleted successfully.
HKCR\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} => Key deleted successfully.
HKLM\Software\MozillaPlugins\@FromDocToPDF_65.com/Plugin => Key deleted successfully.
C:\Program Files\FromDocToPDF_65\bar\1.bin\NP65Stub.dll => Moved successfully.
C:\Program Files\mozilla firefox\searchplugins\babylon.xml => Moved successfully.
C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\65ffxtbr@FromDocToPDF_65.com => Moved successfully.
C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\Extensions\searchtoolbar@zugo.com => Moved successfully.
HKLM\Software\Mozilla\Firefox\Extensions\\65ffxtbr@FromDocToPDF_65.com => Value deleted successfully.
C:\Program Files\FromDocToPDF_65\bar\1.bin => Moved successfully.

==== End of Fixlog ====

Now the aswMBR.Txt file

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-11-12 20:36:03
-----------------------------
20:36:03.882 OS Version: Windows 6.0.6002 Service Pack 2
20:36:03.882 Number of processors: 1 586 0x170A
20:36:03.882 ComputerName: KATHYS-PC UserName: Kathy
20:36:05.832 Initialize success
20:36:49.169 AVAST engine defs: 13111200
20:36:53.537 The log file has been saved successfully to "C:\Users\Kathy\Documents\aswMBR.txt"
20:44:12.483 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
20:44:12.483 Disk 0 Vendor: TOSHIBA_ FG00 Size: 238475MB BusType: 3
20:44:12.826 Disk 0 MBR read successfully
20:44:12.842 Disk 0 MBR scan
20:44:12.858 Disk 0 Windows VISTA default MBR code
20:44:12.982 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12288 MB offset 2048
20:44:13.045 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 226185 MB offset 25167872
20:44:13.123 Disk 0 scanning sectors +488394752
20:44:13.560 Disk 0 scanning C:\Windows\system32\drivers
20:44:53.355 Service scanning
20:45:23.713 Service MpKsl7452baeb c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{368B2A33-9669-4978-8544-B3A33CE8147B}\MpKsl7452baeb.sys **LOCKED** 32
20:46:12.993 Modules scanning
20:46:51.541 Disk 0 trace - called modules:
20:46:51.588 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
20:46:51.603 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85d46530]
20:46:51.619 3 CLASSPNP.SYS[87fb88b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x843f5028]
20:46:52.804 AVAST engine scan C:\Windows
20:47:36.063 AVAST engine scan C:\Windows\system32
20:56:37.477 AVAST engine scan C:\Windows\system32\drivers
20:57:48.504 AVAST engine scan C:\Users\Kathy
21:25:00.388 AVAST engine scan C:\ProgramData
21:31:13.400 Scan finished successfully
21:35:02.938 Disk 0 MBR has been saved successfully to "C:\Users\Kathy\Documents\MBR.dat"
21:35:03.048 The log file has been saved successfully to "C:\Users\Kathy\Documents\aswMBR.txt"
tnesler
Regular Member
 
Posts: 33
Joined: September 12th, 2013, 11:42 am
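The MBR.dat that aswMBR saved alongside the log above is the raw 512-byte first sector: boot code, four 16-byte partition entries and the 0x55AA signature. The parser below is an added example, not aswMBR's code or anything from the thread; it validates the signature, decodes the entries in the style of the log's "Disk 0 Partition N" lines and flags overlapping entries. SAMPLE_MBR is a constructed image with zeroed boot code carrying the two partitions the log reports (type 27 at offset 2048, bootable type 07 at offset 25167872), and TYPE_NAMES covers only those two types.

```python
"""Parse the partition table of a raw 512-byte MBR sector such as aswMBR's MBR.dat."""
import struct
from dataclasses import dataclass

SECTOR = 512
# Partition type bytes that appear in the thread's aswMBR log; others print as hex.
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x27: "Hidden NTFS WinRE"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def size_mb(self) -> int:
        return self.sectors * SECTOR // (1024 * 1024)

    def describe(self) -> str:
        """One line in the spirit of aswMBR's 'Disk 0 Partition N ...' output."""
        flag = "80 (A)" if self.bootable else "00"
        name = TYPE_NAMES.get(self.type_id, f"type 0x{self.type_id:02X}")
        return (f"Partition {self.index} {flag} {self.type_id:02X} {name} "
                f"{self.size_mb} MB offset {self.lba_start}")


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty primary partition entries; reject anything that is not an MBR."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(mbr)} bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    parts = []
    for i in range(4):
        # entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sectors(4 LE)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i + 1}: invalid status byte 0x{status:02X}")
        parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return parts


def overlaps(parts: list) -> bool:
    """True if two entries share sectors, which a sane partition table never does."""
    spans = sorted((p.lba_start, p.lba_start + p.sectors) for p in parts)
    return any(a_end > b_start for (_, a_end), (b_start, _) in zip(spans, spans[1:]))


def make_entry(status: int, ptype: int, lba: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", status, ptype, lba, count)


# Constructed 512-byte image (zeroed boot code) carrying the two partitions the
# thread's aswMBR log reports: 12288 MB Hidden NTFS WinRE at LBA 2048, then a
# bootable 226185 MB NTFS at LBA 25167872 (1 MB = 2048 sectors of 512 bytes).
SAMPLE_MBR = (bytes(446)
              + make_entry(0x00, 0x27, 2048, 12288 * 2048)
              + make_entry(0x80, 0x07, 25167872, 226185 * 2048)
              + bytes(32)
              + b"\x55\xaa")

if __name__ == "__main__":
    found = parse_mbr(SAMPLE_MBR)
    for p in found:
        print(p.describe())
    print("overlapping entries:", overlaps(found))
```

Run it against a real MBR.dat with `parse_mbr(open("MBR.dat", "rb").read())` and compare the decoded entries with the partition lines aswMBR printed; a mismatch between the backup and the live scan is worth asking the helper about before any restore.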

Re: My Wife's PC has malware

Post by nunped » November 13th, 2013, 5:16 am

Hi tnesler,

Let's continue:
Step 1 - AdwCleaner Download and Run
Click on this link to download: ADWCleaner
Click on the Download Now button and save it to your desktop.
NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.
Close your browser and double click on this icon on your desktop:
Image
You will then see the screen below. Click on the Scan button (as indicated), accept any prompts that appear and allow it to run.
It may take several minutes to complete. When it is done click on the Clean button, accept any prompts that appear and allow the system to reboot.
You will then be presented with the report. Copy & Paste it into your next post.
Image

Step 2 - OTL
If you still have it, ignore the download portion of the instructions:
Please download OTL by Old Timer. Save it to your Desktop.
If you can't download the exe file, try these links:
http://oldtimer.geekstogo.com/OTL.com
http://oldtimer.geekstogo.com/OTL.scr
  • Right-click OTL.exe (or OTL.com or OTL.scr) and select "Run as Administrator" to launch the program.
  • Click the Scan All Users checkbox.
    Leave the remaining selections to the default settings.
  • Click on Run Scan at the top left hand corner.
  • When done, a Notepad file will open.
  • Please post the contents of OTL.txt in your next reply.

Step 3 - SystemLook
Please download SystemLook from the link below and save it to your Desktop.

For 32 bit Systems

For 64 bit Systems
  • Right-click SystemLook.exe and select "Run as Administrator" to run it.
  • Copy and paste the content of the following codebox into the main textfield:
    :filefind
    *Fun4IM*
    *Bandoo*
    *Searchqu*
    *iLivid*
    *whitesmoke*
    *datamngr*
    *trolltech*
    *doctopdf*
    
    :folderfind
    *Fun4IM*
    *Bandoo*
    *Searchqu*
    *iLivid*
    *whitesmoke*
    *datamngr*
    *trolltech*
    *doctopdf*
    
    :Regfind
    Fun4IM
    Bandoo
    Searchqu
    iLivid
    whitesmoke
    datamngr
    kelkoopartners
    trolltech
    doctopdf
    
  • Click the Look button to start the scan.
    The scan may take 15 minutes or a bit more to run on a large machine. Please be patient.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal

Re: My Wife's PC has malware

Post by tnesler » November 13th, 2013, 2:51 pm

Here are the results of the three scans/fixes:

# AdwCleaner v3.012 - Report created 13/11/2013 at 12:07:41
# Updated 11/11/2013 by Xplode
# Operating System : Windows Vista (TM) Home Premium Service Pack 2 (32 bits)
# Username : Kathy - KATHYS-PC
# Running from : C:\Users\Kathy\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr
Key Deleted : HKLM\SOFTWARE\Classes\bbylntlbr.bbylntlbrHlpr.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.DynamicBarButton
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.DynamicBarButton.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.FeedManager
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.FeedManager.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.HTMLMenu
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.HTMLMenu.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.HTMLPanel
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.HTMLPanel.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.MultipleButton
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.MultipleButton.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.PseudoTransparentPlugin
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.PseudoTransparentPlugin.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.Radio
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.Radio.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.RadioSettings
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.RadioSettings.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.ScriptButton
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.ScriptButton.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.SettingsPlugin
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.SettingsPlugin.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.ThirdPartyInstaller
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.ThirdPartyInstaller.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.ToolbarProtector
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.ToolbarProtector.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.UrlAlertButton
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.UrlAlertButton.1
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.XMLSessionPlugin
Key Deleted : HKLM\SOFTWARE\Classes\FromDocToPDF_65.XMLSessionPlugin.1
Key Deleted : HKLM\SOFTWARE\Classes\Inbox.AppServer
Key Deleted : HKLM\SOFTWARE\Classes\Inbox.IBX404
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\inbox
Key Deleted : HKLM\SOFTWARE\Classes\speedupmypc
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{017D68F2-19B3-41AE-9D8A-8B09DBD25479}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2BD4465D-669A-42E6-B449-636B0B10EBB8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3700B685-D795-4E17-9B78-73BCEE5D4086}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3E6260AC-BC6F-44B4-942B-1568C367543A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{504B4AA9-9952-4490-B0E1-80A5321C35F7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{72D05120-DF65-4C27-921E-899B5267FEF2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8AD40E5E-9FD9-4F5E-B4D1-DDF2C921DCE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A0CF6CB9-2276-4F30-B841-05A67067ACE0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE84501A-2CB6-41D6-B3A7-9679BDBDFA0B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AFA196F4-80E5-47AD-B7BC-C671487D36FB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B7FD68F7-D28B-431E-9EE8-E45D915B7F17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC7E25D7-4681-46A3-AF5A-9A1B865783ED}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CBBEA4B9-B183-47AC-8B1F-FD526AC99A8D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CD1D181E-C654-4CA5-9D09-B3648537FD7D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E0C3A839-0E5E-4EBC-9F8F-E56F8FC732CE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E1C4699E-5E74-4F30-A4A2-378E45D44F07}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E46C8196-B634-44A1-AF6E-957C64278AB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F96EE2EF-FE15-4878-AECD-BC367F12C70F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FC2B119B-2352-4E7A-9197-B9E1BBADE61B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{36B445BF-1B84-466A-A623-A360A8CFF8C3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6CBF5C01-C876-481B-867E-111CB1D2A7D6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D97143C2-4282-496B-BDC4-7EC852F1497C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{1747AE4D-0A83-4336-84D4-48500BF1554F}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2C9D27D8-C81E-4968-8026-E725E01650C1}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3BB1BA04-1B88-4690-9AD3-0D38412F5FF1}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3EFEC319-72E8-42AA-AC38-8CF8A0661CDD}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4D8AEB1D-4ED4-44AC-A039-4775B2575DB0}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{542EAC56-BF4B-46A7-943E-0A4C2CBA34EA}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6191571E-F7EE-47C3-B229-2DFAC70DB5D2}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74C02D12-FAEE-4834-80D2-5B7D2480AD61}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{840AE8AE-D547-433E-985C-6BF6C74F5084}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A85ACA7E-5CD2-461B-877A-994CCCCF491C}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{BF6FDBB8-7CD5-402D-AB4F-E4F13D3490C8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E3CDDB72-3ADC-4920-B42B-68A8C29FA942}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BC7E25D7-4681-46A3-AF5A-9A1B865783ED}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2BD4465D-669A-42E6-B449-636B0B10EBB8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8AD40E5E-9FD9-4F5E-B4D1-DDF2C921DCE3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{BC7E25D7-4681-46A3-AF5A-9A1B865783ED}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CBBEA4B9-B183-47AC-8B1F-FD526AC99A8D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{E1C4699E-5E74-4F30-A4A2-378E45D44F07}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FC2B119B-2352-4E7A-9197-B9E1BBADE61B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{36B445BF-1B84-466A-A623-A360A8CFF8C3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6CBF5C01-C876-481B-867E-111CB1D2A7D6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{701F5C41-BB30-46DA-A56B-68784B0B762B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A3B975A0-F679-444E-9D94-6D292FA53140}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D97143C2-4282-496B-BDC4-7EC852F1497C}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0C3A839-0E5E-4EBC-9F8F-E56F8FC732CE}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Zugo
Key Deleted : HKCU\Software\AppDataLow\Software\FromDocToPDF_65
Key Deleted : HKLM\Software\Babylon
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\FromDocToPDF_65
Key Deleted : HKLM\Software\Inbox Toolbar
Key Deleted : HKLM\Software\InstallIQ
Key Deleted : HKLM\Software\Uniblue
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\08121C32A9C319F4CB0C11FF059552A4

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16514

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page Restore]

-\\ Mozilla Firefox v14.0.1 (en-US)

[ File : C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\prefs.js ]

Line Deleted : user_pref("extensions.BabylonToolbar_i.aflt", "babsst");
Line Deleted : user_pref("extensions.BabylonToolbar_i.babExt", "");
Line Deleted : user_pref("extensions.BabylonToolbar_i.babTrack", "affID=114066&tt=2912_7");
Line Deleted : user_pref("extensions.BabylonToolbar_i.hardId", "285fc8d00000000000000022fb66b6b8");
Line Deleted : user_pref("extensions.BabylonToolbar_i.id", "285fc8d00000000000000022fb66b6b8");
Line Deleted : user_pref("extensions.BabylonToolbar_i.instlDay", "15539");
Line Deleted : user_pref("extensions.BabylonToolbar_i.instlRef", "sst");
Line Deleted : user_pref("extensions.BabylonToolbar_i.prdct", "BabylonToolbar");
Line Deleted : user_pref("extensions.BabylonToolbar_i.prtnrId", "babylon");
Line Deleted : user_pref("extensions.BabylonToolbar_i.smplGrp", "none");
Line Deleted : user_pref("extensions.BabylonToolbar_i.srcExt", "ss");
Line Deleted : user_pref("extensions.BabylonToolbar_i.tlbrId", "base");
Line Deleted : user_pref("extensions.BabylonToolbar_i.vrsn", "1.5.3.17");
Line Deleted : user_pref("extensions.BabylonToolbar_i.vrsnTs", "1.5.3.1710:23:16");
Line Deleted : user_pref("extensions.BabylonToolbar_i.vrsni", "1.5.3.17");

*************************

AdwCleaner[R0].txt - [13554 octets] - [13/11/2013 11:58:21]
AdwCleaner[R1].txt - [12299 octets] - [13/11/2013 12:06:45]
AdwCleaner[S0].txt - [1316 octets] - [13/11/2013 12:02:30]
AdwCleaner[S1].txt - [12367 octets] - [13/11/2013 12:07:41]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [12428 octets] ##########

********************************** OTL Log *********************

OTL logfile created on: 11/13/2013 12:17:12 PM - Run 2
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kathy\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 0.99 Gb Available Physical Memory | 51.08% Memory free
4.10 Gb Paging File | 3.02 Gb Available in Paging File | 73.68% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.88 Gb Total Space | 139.42 Gb Free Space | 63.12% Space Free | Partition Type: NTFS

Computer Name: KATHYS-PC | User Name: Kathy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/11/07 18:13:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kathy\Desktop\OTL.exe
PRC - [2013/10/09 09:58:16 | 003,275,136 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2013/09/12 17:39:59 | 000,295,512 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\real\realplayer\Update\realsched.exe
PRC - [2013/08/14 14:19:24 | 000,039,056 | ---- | M] () -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
PRC - [2013/08/12 09:12:38 | 000,295,376 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\NisSrv.exe
PRC - [2013/08/12 09:12:38 | 000,022,208 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/05/24 18:47:30 | 027,776,968 | ---- | M] (Dropbox, Inc.) -- C:\Users\Kathy\AppData\Roaming\Dropbox\bin\Dropbox.exe
PRC - [2013/01/27 09:04:34 | 000,166,880 | ---- | M] (Soluto) -- C:\Program Files\Soluto\SolutoLauncherService.exe
PRC - [2013/01/27 09:04:32 | 000,553,440 | ---- | M] (Soluto) -- C:\Program Files\Soluto\SolutoService.exe
PRC - [2013/01/27 09:04:30 | 001,229,280 | ---- | M] (Soluto) -- c:\Program Files\Soluto\Soluto.exe
PRC - [2010/03/24 20:50:00 | 002,516,296 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2010/03/02 19:52:00 | 000,140,640 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
PRC - [2009/11/08 22:18:00 | 000,065,216 | ---- | M] (WordWeb Software) -- C:\Program Files\WordWeb\wweb32.exe
PRC - [2009/07/31 10:49:54 | 000,200,704 | ---- | M] () -- C:\Windows\PLFSetI.exe
PRC - [2009/06/18 19:00:24 | 000,723,488 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
PRC - [2009/06/18 19:00:24 | 000,703,008 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
PRC - [2009/06/18 19:00:22 | 000,453,152 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
PRC - [2009/04/29 16:09:14 | 000,237,568 | ---- | M] (AlcorMicro Co., Ltd.) -- C:\Program Files\Selective Suspend Driver\AmIcoSinglun.exe
PRC - [2009/04/11 00:28:15 | 000,117,248 | ---- | M] () -- \\?\C:\Windows\System32\wbem\WMIADAP.EXE
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/16 17:14:00 | 000,565,248 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\AcerVCM.exe
PRC - [2009/02/11 18:38:40 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2009/02/11 18:38:38 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/02/05 09:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\RS_Service.exe
PRC - [2008/09/15 03:57:04 | 000,262,360 | ---- | M] (Data Perceptions / PowerProgrammer) -- C:\Windows\System32\WebUpdateSvc4.exe
PRC - [2004/06/09 13:27:34 | 000,471,040 | ---- | M] (PalmSource, Inc) -- C:\Program Files\palmOne\Hotsync.exe


========== Modules (No Company Name) ==========

MOD - [2013/10/13 03:22:41 | 000,039,936 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGRSPProbe\4de87dcff56b1cc480bc9489122b35e0\PCGRSPProbe.ni.dll
MOD - [2013/10/13 03:22:39 | 000,055,296 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGUsersCenter\f5bad3277e4eb7b75277bb33f6d8e325\PCGUsersCenter.ni.dll
MOD - [2013/10/13 03:22:37 | 000,156,160 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGAppControlPlugin#\4e76c0ef0b27898e1287e1992c35cf6b\PCGAppControlPluginLoader.ni.dll
MOD - [2013/10/13 03:22:34 | 003,510,272 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGClientCommon\1a0c08e04a85290bfc9711006f51bbf1\PCGClientCommon.ni.dll
MOD - [2013/10/13 03:22:22 | 000,157,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGBootVisualizingC#\5fe86020912d2e6925231ba54be932f3\PCGBootVisualizingCommon.ni.dll
MOD - [2013/10/13 03:22:19 | 000,221,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGDriverProbe\730d462a7e3a215f3ed446a536604690\PCGDriverProbe.ni.dll
MOD - [2013/10/13 03:21:09 | 000,068,096 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGConfiguration\f3880f6048502089cfad0cb7bb86e67c\PCGConfiguration.ni.dll
MOD - [2013/10/13 03:21:06 | 002,617,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGDatabase\92e575065f18cf53803222d76c14fa4a\PCGDatabase.ni.dll
MOD - [2013/10/13 03:20:57 | 001,550,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGAzureShared\1f8ab68728e907a1baad5cda57dda0a9\PCGAzureShared.ni.dll
MOD - [2013/10/13 03:20:52 | 001,197,056 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGCommunication\3f02b42d4f0ea21dd631f3433d6b9b91\PCGCommunication.ni.dll
MOD - [2013/10/13 03:18:46 | 000,188,416 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGPrestoSerializer\2e1807f7639b94cb03fc048c33c7d8ba\PCGPrestoSerializer.ni.dll
MOD - [2013/10/13 03:18:42 | 002,128,384 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Newtonsoft.Json.Net#\c7d17aafbcdcc3aa47f35d53f325bda8\Newtonsoft.Json.Net35.ni.dll
MOD - [2013/10/13 03:18:19 | 002,731,520 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGFramework\d1c2b9f1041e0151787073a4b1888746\PCGFramework.ni.dll
MOD - [2013/10/13 03:17:49 | 001,620,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Soluto\ddd7b435f33a355a1d6d5977fe3ab7b3\Soluto.ni.exe
MOD - [2013/10/13 03:13:11 | 000,978,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\f453ecc6bb7fc8d52d61247676944623\System.Configuration.ni.dll
MOD - [2013/10/13 03:08:16 | 012,434,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\73d9bc894522543b561a0342dac87c06\System.Windows.Forms.ni.dll
MOD - [2013/10/13 03:07:54 | 002,518,016 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\3815d0ee28da0b5a6e6c1f083ef437f6\System.Data.Linq.ni.dll
MOD - [2013/10/13 03:07:47 | 002,295,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\ab40b51ac49fbee9a48b5b74ff78d5d6\System.Core.ni.dll
MOD - [2013/08/16 19:14:17 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\5974034f0f53755b11bde4c9698261cb\System.ServiceProcess.ni.dll
MOD - [2013/08/16 19:13:48 | 011,820,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\59eba2680c01c33b2b3f5385979e32c6\System.Web.ni.dll
MOD - [2013/08/16 16:54:30 | 002,327,552 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Community.CsharpSql#\6c07f76ab73ce7b4dc02ccfec040ddc3\Community.CsharpSqlite.ni.dll
MOD - [2013/08/16 16:40:00 | 000,656,896 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGPostBootResources\05f479f87e6ac55f0fd3cd6ae1c10739\PCGPostBootResources.ni.dll
MOD - [2013/08/16 16:39:59 | 000,051,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGHIDProbe\c3d6831db800db604e16702ac6a0d091\PCGHIDProbe.ni.dll
MOD - [2013/08/16 16:32:52 | 000,048,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGAzureEntityFrame#\6260744bbbdeb48359e51f5d24f8cf3d\PCGAzureEntityFramework.ni.dll
MOD - [2013/08/16 16:32:42 | 001,707,008 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGPreCompiled\074b1bcfde67d61ff1989f4818b0f419\PCGPreCompiled.ni.dll
MOD - [2013/08/16 15:17:43 | 000,596,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Ionic.Zip.Reduced\36bdd5973166173b1547256acbedb674\Ionic.Zip.Reduced.ni.dll
MOD - [2013/08/16 11:48:46 | 005,462,016 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\09f5b3f7a363b742a73937e818595597\System.Xml.ni.dll
MOD - [2013/08/16 11:46:37 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\c0df7e124d8d5e2821fd7d3921d404f7\System.Drawing.ni.dll
MOD - [2013/08/16 11:39:26 | 007,977,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\d7153acb7b6ccb5a6a886d6f0ab732b1\System.ni.dll
MOD - [2013/07/23 18:40:08 | 000,202,240 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGWuInfo\fe73c0ce3b7f9f61db4b2f8453521a2d\PCGWuInfo.ni.dll
MOD - [2013/07/23 18:40:07 | 000,100,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Interop.IWshRuntime#\449c932b29b1df04449197f0693226a0\Interop.IWshRuntimeLibrary.ni.dll
MOD - [2013/07/11 12:12:33 | 011,497,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\6a938df70a8b7996a3890b4f34c83906\mscorlib.ni.dll
MOD - [2013/03/13 14:48:52 | 024,978,944 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Dropbox\bin\libcef.dll
MOD - [2013/01/27 09:00:18 | 000,077,880 | ---- | M] () -- c:\Program Files\Soluto\PCGDllExportInspector.dll
MOD - [2012/11/13 17:32:50 | 003,558,400 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Dropbox\bin\wxmsw28uh_vc.dll
MOD - [2009/08/19 19:59:06 | 000,022,736 | ---- | M] () -- C:\Program Files\WordWeb\WUCNT.dll
MOD - [2009/07/31 10:49:54 | 000,200,704 | ---- | M] () -- C:\Windows\PLFSetI.exe


========== Services (SafeList) ==========

SRV - [2013/10/09 09:58:16 | 003,275,136 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2013/10/08 13:07:50 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/08/14 14:19:24 | 000,039,056 | ---- | M] () [Auto | Running] -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe -- (RealNetworks Downloader Resolver Service)
SRV - [2013/08/12 09:12:38 | 000,295,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/08/12 09:12:38 | 000,022,208 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013/01/27 09:04:34 | 000,166,880 | ---- | M] (Soluto) [Auto | Running] -- C:\Program Files\Soluto\SolutoLauncherService.exe -- (SolutoLauncherService)
SRV - [2013/01/27 09:04:32 | 000,553,440 | ---- | M] (Soluto) [Auto | Running] -- C:\Program Files\Soluto\SolutoService.exe -- (SolutoService)
SRV - [2013/01/27 09:00:18 | 001,239,552 | ---- | M] (Soluto) [On_Demand | Stopped] -- C:\Program Files\Soluto\SolutoRemoteService.exe -- (SolutoRemoteService)
SRV - [2012/07/13 18:17:12 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe -- (MozillaMaintenance)
SRV - [2012/07/13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2009/06/18 19:00:24 | 000,723,488 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe -- (ePowerSvc)
SRV - [2009/02/11 18:38:40 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
SRV - [2009/02/05 09:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer VCM\RS_Service.exe -- (RS_Service)
SRV - [2008/09/15 03:57:04 | 000,262,360 | ---- | M] (Data Perceptions / PowerProgrammer) [Auto | Running] -- C:\Windows\System32\WebUpdateSvc4.exe -- (WebUpdate4)
SRV - [2008/01/20 20:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LV302V32.SYS -- (PID_PEPI)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lv302af.sys -- (pepifilter)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\npbgsgld.sys -- (npbgsgld)
DRV - File not found [Kernel | Auto | Stopped] -- System32\Drivers\Lxarscan.sys -- (LXARScan)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvrs.sys -- (LVRS)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Windows\TEMP\cpuz136\cpuz136_x32.sys -- (cpuz136)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\TEMP\cpuz135\cpuz135_x32.sys -- (cpuz135)
DRV - [2013/11/13 12:12:54 | 000,040,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{368B2A33-9669-4978-8544-B3A33CE8147B}\MpKsld22ae3be.sys -- (MpKsld22ae3be)
DRV - [2013/06/18 20:50:08 | 000,107,392 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2013/01/27 08:59:58 | 000,051,144 | ---- | M] (Soluto LTD.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Soluto.sys -- (Soluto)
DRV - [2010/03/28 18:24:37 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2009/04/27 02:16:04 | 000,050,176 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C60x86.sys -- (L1C)
DRV - [2009/04/07 21:14:40 | 000,014,848 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SSUSB.sys -- (SSUSB)
DRV - [2009/03/30 15:35:12 | 000,010,752 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SSDISK.sys -- (SSDISK)
DRV - [2009/03/03 20:49:22 | 004,232,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32)
DRV - [2008/12/04 12:25:38 | 000,112,640 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV - [2008/09/30 21:50:50 | 000,010,504 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Program Files\GridVista\DPMemGridVista.sys -- (DPMemGridVista)
DRV - [2003/10/01 08:29:50 | 000,069,632 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\OEM\factory\int15.sys -- (int15.sys)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACA ... 5w47j1r735
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACA ... 5w47j1r735
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com/?ocid=EIE9HP&PC=UP50
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2E 76 D4 7F 21 E0 CE 01 [binary data]
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7ACAW_en&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-1403424136-2531779536-1460617787-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.4.8.20120412011105
FF - prefs.js..extensions.enabledAddons: amznUWL2@amazon.com:1.10
FF - prefs.js..extensions.enabledAddons: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:6.11.0.13348
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.3.51: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.3.51: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Kathy\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll (Amazon.com, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013/09/12 17:42:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ [2013/09/12 17:42:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/17 18:17:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/09/12 17:40:57 | 000,000,000 | ---D | M]

[2010/03/24 18:34:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Extensions
[2013/11/13 12:05:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions
[2010/06/07 17:36:07 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/10/06 21:11:02 | 000,243,287 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions\amznUWL2@amazon.com.xpi
[2011/02/03 20:24:38 | 000,001,919 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\searchplugins\bing-zugo.xml
[2012/07/17 18:17:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/10/20 14:09:47 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2013/04/24 11:44:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/10/20 14:09:46 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
File not found (No name found) -- C:\USERS\KATHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\OJYRVPN2.DEFAULT\EXTENSIONS\{635ABD67-4FE9-1B23-4F01-E679FA7484C1}
[2012/07/13 18:17:47 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/03/18 12:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/03/18 12:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2013/09/12 17:40:31 | 000,124,504 | ---- | M] (RealPlayer) -- C:\Program Files\mozilla firefox\plugins\nprpplugin.dll
[2012/07/13 18:16:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/07/13 18:16:36 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2006/09/18 15:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe ()
O4 - HKLM..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe (Acer Incorporated)
O4 - HKLM..\Run: [AmIcoSinglun] C:\Program Files\Selective Suspend Driver\AmIcoSinglun.exe (AlcorMicro Co., Ltd.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe ()
O4 - HKLM..\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12 File not found
O4 - Startup: C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Kathy\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O13 - gopher Prefix: missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A48B34A-7608-4D4D-AFC9-BC7194A9B2B1}: DhcpNameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B5DF368C-F419-4932-BD75-7A02B9585635}: DhcpNameServer = 192.168.10.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (c:\program files\soluto\soluto.exe /userinit) - c:\program files\soluto\soluto.exe (Soluto)
O24 - Desktop WallPaper: C:\Users\Kathy\Pictures\Lighthouse.jpg
O24 - Desktop BackupWallPaper: C:\Users\Kathy\Pictures\Lighthouse.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/11/13 12:16:53 | 000,000,000 | ---D | C] -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD
[2013/11/13 11:58:15 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2013/11/12 19:23:42 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Users\Kathy\Desktop\aswMBR.exe
[2013/11/11 07:33:52 | 000,000,000 | ---D | C] -- C:\FRST
[2013/11/11 07:31:47 | 000,754,688 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\webservices.dll
[2013/11/11 07:28:43 | 001,090,275 | ---- | C] (Farbar) -- C:\Users\Kathy\Desktop\FRST.exe
[2013/11/11 07:27:07 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/11/10 21:58:32 | 000,000,000 | --SD | C] -- C:\ComboFix
[2013/11/08 18:51:01 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/11/08 18:51:01 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/11/08 18:51:01 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/11/08 18:48:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/11/08 18:48:11 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/11/08 18:47:11 | 005,145,633 | R--- | C] (Swearware) -- C:\Users\Kathy\Desktop\ComboFix.exe
[2013/11/07 18:13:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Kathy\Desktop\OTL.exe
[2013/11/07 18:10:00 | 004,121,952 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Kathy\Desktop\tdsskiller.exe
[2011/06/10 11:44:36 | 003,080,864 | ---- | C] (Adobe Systems, Inc.) -- C:\Program Files\install_flash_player.exe
[1964/01/03 08:35:38 | 000,053,248 | ---- | C] (Silitek Corp.) -- C:\Program Files\ACMonitor_X73.exe
[4 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/11/13 12:22:01 | 000,000,928 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000UA.job
[2013/11/13 12:17:54 | 000,618,148 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/11/13 12:17:54 | 000,109,218 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/11/13 12:12:53 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/11/13 12:12:52 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/11/13 12:09:43 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/11/13 12:09:02 | 2072,993,792 | -HS- | M] () -- C:\hiberfil.sys
[2013/11/13 12:06:24 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/11/13 10:58:44 | 000,075,264 | ---- | M] () -- C:\Users\Kathy\Desktop\SystemLook.exe
[2013/11/13 10:58:14 | 001,085,542 | ---- | M] () -- C:\Users\Kathy\Desktop\AdwCleaner.exe
[2013/11/12 21:35:03 | 000,000,512 | ---- | M] () -- C:\Users\Kathy\Documents\MBR.dat
[2013/11/12 21:21:01 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000Core.job
[2013/11/12 19:21:24 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Users\Kathy\Desktop\aswMBR.exe
[2013/11/12 12:51:07 | 000,000,955 | ---- | M] () -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2013/11/11 07:21:42 | 001,090,275 | ---- | M] (Farbar) -- C:\Users\Kathy\Desktop\FRST.exe
[2013/11/08 17:31:18 | 005,145,633 | R--- | M] (Swearware) -- C:\Users\Kathy\Desktop\ComboFix.exe
[2013/11/07 18:13:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kathy\Desktop\OTL.exe
[2013/11/07 18:10:04 | 004,121,952 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Kathy\Desktop\tdsskiller.exe
[2013/11/04 21:28:52 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/11/04 18:39:22 | 264,443,960 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013/10/25 13:15:45 | 001,822,775 | ---- | M] () -- C:\Users\Kathy\Desktop\ColoringPages.pdf
[2013/10/25 11:53:07 | 000,002,637 | ---- | M] () -- C:\Users\Kathy\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word 2010.lnk
[2013/10/16 02:03:05 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[4 C:\*.tmp files -> C:\*.tmp -> ]
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/11/13 11:55:38 | 001,085,542 | ---- | C] () -- C:\Users\Kathy\Desktop\AdwCleaner.exe
[2013/11/13 11:53:52 | 000,075,264 | ---- | C] () -- C:\Users\Kathy\Desktop\SystemLook.exe
[2013/11/12 21:35:02 | 000,000,512 | ---- | C] () -- C:\Users\Kathy\Documents\MBR.dat
[2013/11/12 12:51:07 | 000,000,955 | ---- | C] () -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2013/11/11 07:25:05 | 2072,993,792 | -HS- | C] () -- C:\hiberfil.sys
[2013/11/08 18:51:01 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/11/08 18:51:01 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/11/08 18:51:01 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/11/08 18:51:01 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/11/08 18:51:01 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/11/04 21:28:52 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/10/25 13:15:45 | 001,822,775 | ---- | C] () -- C:\Users\Kathy\Desktop\ColoringPages.pdf
[2012/09/19 13:54:47 | 000,047,633 | ---- | C] () -- C:\Windows\System32\wuwuninst.exe
[2012/07/17 18:27:14 | 000,000,193 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
[2012/07/14 22:03:55 | 000,027,520 | ---- | C] () -- C:\Users\Kathy\AppData\Local\dt.dat
[2011/04/06 14:54:18 | 000,000,680 | ---- | C] () -- C:\Users\Kathy\AppData\Local\d3d9caps.dat
[2010/06/14 17:14:02 | 000,000,000 | ---- | C] () -- C:\Users\Kathy\AppData\Local\prvlcl.dat
[2010/03/24 18:44:53 | 000,020,480 | ---- | C] () -- C:\Users\Kathy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/23 20:25:09 | 000,000,210 | ---- | C] () -- C:\Users\Kathy\AppData\Roaming\wklnhst.dat
[2001/07/20 09:48:06 | 000,008,116 | ---- | C] () -- C:\Program Files\OSLO3071b2.USB
[2000/12/05 14:56:34 | 000,114,688 | ---- | C] () -- C:\Program Files\lxarscan.dll
[2000/01/11 11:50:48 | 000,000,047 | ---- | C] () -- C:\Program Files\ACMonitor_X73.ini
[1964/01/18 07:07:18 | 000,000,768 | ---- | C] () -- C:\Program Files\x73_lut.dat
[1964/01/03 08:25:18 | 000,001,437 | ---- | C] () -- C:\Program Files\gtx73.ini

========== ZeroAccess Check ==========

[2006/11/02 06:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 00:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 00:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== Alternate Data Streams ==========

@Alternate Data Stream - 177 bytes -> C:\ProgramData\TEMP:DCAF903C
@Alternate Data Stream - 173 bytes -> C:\ProgramData\TEMP:F94CB4DD
@Alternate Data Stream - 169 bytes -> C:\ProgramData\TEMP:B623B5B8
@Alternate Data Stream - 163 bytes -> C:\ProgramData\TEMP:F7862839
@Alternate Data Stream - 160 bytes -> C:\ProgramData\TEMP:8750DCE4
@Alternate Data Stream - 157 bytes -> C:\ProgramData\TEMP:798A3728
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:51574724
@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:94188BC6
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:BB24555F
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:B203B914
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:3064D21D
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:9E22BBE8
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:131C0EE9
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:ABE89FFE
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:CE0A077E
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:35759C73

< End of report >

*************************************
SystemLook 04.09.10 by jpshortstuff
Log created at 12:32 on 13/11/2013 by Kathy
Administrator - Elevation successful

========== filefind ==========

Searching for "*Fun4IM*"
No files found.

Searching for "*Bandoo*"
No files found.

Searching for "*Searchqu*"
No files found.

Searching for "*iLivid*"
No files found.

Searching for "*whitesmoke*"
No files found.

Searching for "*datamngr*"
No files found.

Searching for "*trolltech*"
No files found.

Searching for "*doctopdf*"
No files found.

========== folderfind ==========

Searching for "*Fun4IM*"
No folders found.

Searching for "*Bandoo*"
No folders found.

Searching for "*Searchqu*"
No folders found.

Searching for "*iLivid*"
No folders found.

Searching for "*whitesmoke*"
No folders found.

Searching for "*datamngr*"
No folders found.

Searching for "*trolltech*"
No folders found.

Searching for "*doctopdf*"
C:\AdwCleaner\Quarantine\C\Program Files\FromDocToPDF_65 d------ [18:02 13/11/2013]
C:\AdwCleaner\Quarantine\C\Users\Kathy\AppData\LocalLow\FromDocToPDF_65 d------ [18:05 13/11/2013]
C:\FRST\Quarantine\65ffxtbr@FromDocToPDF_65.com d------ [02:13 25/06/2013]

========== Regfind ==========

Searching for "Fun4IM"
No data found.

Searching for "Bandoo"
No data found.

Searching for "Searchqu"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AB310581-AC80-11D1-8DF3-00C04FB6EF63}]
@="ISearchQueryHelper"

Searching for "iLivid"
No data found.

Searching for "whitesmoke"
No data found.

Searching for "datamngr"
No data found.

Searching for "kelkoopartners"
No data found.

Searching for "trolltech"
[HKEY_CURRENT_USER\Software\Trolltech]
[HKEY_CURRENT_USER\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]
[HKEY_USERS\S-1-5-21-1403424136-2531779536-1460617787-1000\Software\Trolltech]
[HKEY_USERS\S-1-5-21-1403424136-2531779536-1460617787-1000\Software\Trolltech\OrganizationDefaults\Qt Factory Cache 4.7\com.trolltech.Qt.QImageIOHandlerFactoryInterface:]

Searching for "doctopdf"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ea93e43_0]
@="{0.0.0.00000000}.{010fa6d2-b5fe-4e09-a1e6-bc4510bd192b}|\Device\HarddiskVolume2\Program Files\FromDocToPDF_65\bar\1.bin\65skplay.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Users\Kathy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83AI4GJC\FromDocToPDFSetup2.5.12.0.^Y6^man000^YY^.exe"="FromDocToPDF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ffa72ec-9fd9-4b2b-92a5-68b60885fd8a}\InprocServer32]
@="C:\Program Files\FromDocToPDF_65\bar\1.bin\65httpct.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FromDocToPDF_65bar Uninstall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FromDocToPDF_65bar Uninstall]
"DisplayName"="FromDocToPDF Toolbar"
[HKEY_USERS\S-1-5-21-1403424136-2531779536-1460617787-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ea93e43_0]
@="{0.0.0.00000000}.{010fa6d2-b5fe-4e09-a1e6-bc4510bd192b}|\Device\HarddiskVolume2\Program Files\FromDocToPDF_65\bar\1.bin\65skplay.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-1403424136-2531779536-1460617787-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Users\Kathy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83AI4GJC\FromDocToPDFSetup2.5.12.0.^Y6^man000^YY^.exe"="FromDocToPDF"
[HKEY_USERS\S-1-5-21-1403424136-2531779536-1460617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Users\Kathy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83AI4GJC\FromDocToPDFSetup2.5.12.0.^Y6^man000^YY^.exe"="FromDocToPDF"

-= EOF =-
tnesler
Regular Member
 
Posts: 33
Joined: September 12th, 2013, 11:42 am

Re: My Wife's PC has malware

Unread postby nunped » November 13th, 2013, 7:14 pm

Hello tnesler,

Step 1
  • Right click OTL.exe and select "Run as Administrator" to launch the program.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
    Do not include the words "Code: Select all". Press "Select all" to automatically select all the text in the box.
Code: Select all
:commands
[createrestorepoint]

:OTL
IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =
@Alternate Data Stream - 177 bytes -> C:\ProgramData\TEMP:DCAF903C
@Alternate Data Stream - 173 bytes -> C:\ProgramData\TEMP:F94CB4DD
@Alternate Data Stream - 169 bytes -> C:\ProgramData\TEMP:B623B5B8
@Alternate Data Stream - 163 bytes -> C:\ProgramData\TEMP:F7862839
@Alternate Data Stream - 160 bytes -> C:\ProgramData\TEMP:8750DCE4
@Alternate Data Stream - 157 bytes -> C:\ProgramData\TEMP:798A3728
@Alternate Data Stream - 142 bytes -> C:\ProgramData\TEMP:51574724
@Alternate Data Stream - 141 bytes -> C:\ProgramData\TEMP:94188BC6
@Alternate Data Stream - 125 bytes -> C:\ProgramData\TEMP:BB24555F
@Alternate Data Stream - 119 bytes -> C:\ProgramData\TEMP:B203B914
@Alternate Data Stream - 117 bytes -> C:\ProgramData\TEMP:3064D21D
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:9E22BBE8
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:131C0EE9
@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:ABE89FFE
@Alternate Data Stream - 105 bytes -> C:\ProgramData\TEMP:CE0A077E
@Alternate Data Stream - 103 bytes -> C:\ProgramData\TEMP:35759C73

:reg
[-HKEY_CURRENT_USER\Software\Trolltech]
[-HKEY_USERS\S-1-5-21-1403424136-2531779536-1460617787-1000\Software\Trolltech]
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Users\Kathy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83AI4GJC\FromDocToPDFSetup2.5.12.0.^Y6^man000^YY^.exe"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ffa72ec-9fd9-4b2b-92a5-68b60885fd8a}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FromDocToPDF_65bar Uninstall]
[HKEY_USERS\S-1-5-21-1403424136-2531779536-1460617787-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ea93e43_0]
@=-
[HKEY_USERS\S-1-5-21-1403424136-2531779536-1460617787-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Users\Kathy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83AI4GJC\FromDocToPDFSetup2.5.12.0.^Y6^man000^YY^.exe"=-
[HKEY_USERS\S-1-5-21-1403424136-2531779536-1460617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Users\Kathy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\83AI4GJC\FromDocToPDFSetup2.5.12.0.^Y6^man000^YY^.exe"=-

:files
ipconfig /flushdns /c

:commands
[emptytemp]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may reboot your computer, or request that you do so; if it does, reboot your computer. A log will be produced upon reboot.

After it reboots, please have another go at ComboFix:
Download and Run ComboFix
  • Please delete your version and download ComboFix. (Alternate site: here)
    **IMPORTANT !!! Save ComboFix.exe to your Desktop**
  • Please disable any Antivirus or Firewall you have active, as shown in this topic. Please close all open application windows.
  • Double click on ComboFix.exe & follow the prompts
  • If not already installed... Press "Yes" to any "Recovery Console" prompts.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
    When finished, Notepad will open a log file called "ComboFix.txt".
  • Please copy/paste the contents of ComboFix.txt in your next reply.

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal

Re: My Wife's PC has malware

Unread postby tnesler » November 14th, 2013, 8:19 am

I ran the OTL with the script but it got hung twice and did not complete. The first time I ran it, it seemed to go through the script and then the hard drive continued to churn for over an hour before I ended it using the Task Manager. I ran it again, and the script went through very quickly but it still did not complete so I killed that run as well. Neither run produced any logs...:-(

I ran combofix and it completed normally. Here is the log for that utility. Combofix insisted that MSE was still running but I ran it anyway.

ComboFix 13-11-12.01 - Kathy 11/13/2013 22:19:39.1.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1978.492 [GMT -6:00]
Running from: c:\users\Kathy\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\DFR400B.tmp
C:\DFRE253.tmp
C:\DFREC11.tmp
C:\DFRF651.tmp
c:\users\Kathy\AppData\Local\Microsoft\Windows\Temporary Internet Files\{E4960F43-D5C8-45B4-B046-E03CA3771FEB}.xps
c:\users\Kathy\AppData\Roaming\.#
c:\users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\searchplugins\bing-zugo.xml
c:\windows\system32\FlashPlayerApp.exe
.
.
((((((((((((((((((((((((( Files Created from 2013-10-14 to 2013-11-14 )))))))))))))))))))))))))))))))
.
.
2013-11-14 04:36 . 2013-11-14 04:38 -------- d-----w- c:\users\Kathy\AppData\Local\temp
2013-11-14 04:36 . 2013-11-14 04:36 -------- d-----w- c:\users\Guest\AppData\Local\temp
2013-11-14 04:36 . 2013-11-14 04:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-11-14 04:08 . 2013-11-14 04:08 40392 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CA469631-9367-423D-805F-E2E001EF850A}\MpKsl807c336a.sys
2013-11-14 02:51 . 2013-11-14 02:51 -------- d-----w- C:\_OTL
2013-11-14 02:03 . 2013-10-14 06:39 7796464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CA469631-9367-423D-805F-E2E001EF850A}\mpengine.dll
2013-11-13 17:58 . 2013-11-13 18:07 -------- d-----w- C:\AdwCleaner
2013-11-13 01:11 . 2013-10-14 06:39 7796464 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-11-11 13:33 . 2013-11-11 13:33 -------- d-----w- C:\FRST
2013-11-11 13:31 . 2009-08-04 08:02 754688 ----a-w- c:\windows\system32\webservices.dll
2013-11-06 13:17 . 2013-10-18 03:03 719224 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E18DFBE4-C6F7-4B5D-8E17-FE9A89E8154A}\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-10-18 03:03 . 2012-08-14 02:25 719224 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2013-10-08 19:07 . 2011-09-09 19:21 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-22 10:22 . 2013-10-13 08:13 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-09-22 10:14 . 2013-10-13 08:13 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-09-22 10:13 . 2013-10-13 08:13 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-09-22 10:08 . 2013-10-13 08:13 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-09-22 10:06 . 2013-10-13 08:14 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-09-22 10:03 . 2013-10-13 08:14 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-09-12 23:39 . 2012-12-23 05:13 499712 ----a-w- c:\windows\system32\msvcp71.dll
2013-09-12 23:39 . 2012-12-23 05:13 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-08-29 07:36 . 2013-10-10 18:21 2050048 ----a-w- c:\windows\system32\win32k.sys
2013-08-27 02:47 . 2013-10-10 18:21 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2013-08-27 02:47 . 2013-10-10 18:21 189952 ----a-w- c:\windows\system32\d3d10core.dll
2013-08-27 02:47 . 2013-10-10 18:21 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2013-08-27 02:47 . 2013-10-10 18:21 1029120 ----a-w- c:\windows\system32\d3d10.dll
2013-08-27 01:52 . 2013-10-10 18:21 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2013-08-27 01:50 . 2013-10-10 18:21 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2013-08-27 01:32 . 2013-10-10 18:21 683008 ----a-w- c:\windows\system32\d2d1.dll
2013-08-27 01:28 . 2013-10-10 18:21 1069056 ----a-w- c:\windows\system32\DWrite.dll
2013-08-27 01:28 . 2013-10-10 18:21 798208 ----a-w- c:\windows\system32\FntCache.dll
2011-06-10 17:44 . 2011-06-10 17:44 3080864 ----a-w- c:\program files\install_flash_player.exe
2001-05-11 16:39 . 1964-01-03 14:35 53248 ----a-w- c:\program files\ACMonitor_X73.exe
2001-05-08 21:36 . 2000-12-05 20:56 114688 ----a-w- c:\program files\lxarscan.dll
2012-07-14 00:17 . 2011-12-08 00:25 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Kathy\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Kathy\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Kathy\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2013-05-25 00:36 130736 ----a-w- c:\users\Kathy\AppData\Roaming\Dropbox\bin\DropboxExt.19.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-12 186904]
"AmIcoSinglun"="c:\program files\Selective Suspend Driver\AmIcoSinglun.exe" [2009-04-29 237568]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232]
"Acer ePower Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2009-06-19 703008]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"PLFSetI"="c:\windows\PLFSetI.exe" [2009-07-31 200704]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-03-25 2516296]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2010-03-03 140640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-08-12 995176]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-09-12 295512]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-07-31 38872]
"Soluto"="c:\program files\soluto\soluto.exe" [2013-01-27 1229280]
.
c:\users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Kathy\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup [2013-5-24 27776968]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Acer VCM.lnk - c:\program files\Acer\Acer VCM\AcerVCM.exe [2009-6-27 565248]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
backupExtension=.CommonStartup
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL807C336A
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2013-11-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-28 19:07]
.
2013-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000Core.job
- c:\users\Kathy\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-24 02:16]
.
2013-11-14 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000UA.job
- c:\users\Kathy\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-01-24 02:16]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACA ... 5w47j1r735
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.10.1
FF - ProfilePath - c:\users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\
FF - ExtSQL: !HIDDEN! 2010-03-26 14:45; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: !HIDDEN! 2013-06-24 21:13; 65ffxtbr@FromDocToPDF_65.com; c:\program files\FromDocToPDF_65\bar\1.bin
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-11-13 22:38
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2013-11-13 22:42:32
ComboFix-quarantined-files.txt 2013-11-14 04:42
.
Pre-Run: 149,666,500,608 bytes free
Post-Run: 150,086,250,496 bytes free
.
- - End Of File - - 90DD15E93310FDBCA6CF874C72BE2276
5C616939100B85E558DA92B899A0FC36
tnesler
Regular Member
 
Posts: 33
Joined: September 12th, 2013, 11:42 am

Re: My Wife's PC has malware

Post by nunped » November 14th, 2013, 10:43 am

Hi tnesler,

How is the computer behaving?


Open OTL as before and click on "Quick Scan" to see what it has removed with the fix. Then post me the log.

After that...
ESET NOD32 Online Scan
Note: If using Mozilla Firefox you will need to download "esetsmartinstaller_enu.exe" when prompted... then right click on it and select "run as administrator" to install.
Please temporarily disable your Anti-virus real-time protection. If active, it could impact the online scan.
Do NOT use the computer while the scan is running... make sure all other programs and windows are closed!


Please go to ESET Online Scanner to run an online scan.
  • Click the [Run ESET Online Scanner] button.
  • Read the End User License Agreement and check the box: [Yes, I accept the terms of use].
  • Click the green [Start] button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
    If your browser blocks or halts a download, please allow it to download any required files.
  • Under scan settings:
    • Check "Scan archives"
    • Make sure "Remove found threats" is UNCHECKED
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the [Start] button.
    ESET will install itself, download virus signature database updates and begin scanning your computer.
    The scan will take a while so please be patient. Do NOT use the computer while the scan is running.
  • When the scan completes, press the text: Image
  • Press the text: Image ... then save the file to your desktop as ESETScan.txt.
  • Press the [Back] button, then press the [Finish] button.
  • Copy and paste the contents of ESETScan.txt in your next reply.
    Note: If no threats are found, there is no option to create a log. Just report back to me there was nothing found.

Remember to enable your Anti-virus protection before continuing!
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal
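Added example, not part of this thread and not code from OTL, ComboFix or ESET: a small Python triage helper that parses the "SRV -" and "DRV -" lines of an OTL log such as the one posted next in this thread, and flags the entries a helper reads first. It marks service or driver registrations whose image OTL reported as "File not found" (orphaned registry entries: usually uninstall leftovers, but also what is left behind when a rootkit component has been deleted but its service key has not), entries whose image lives under a user-writable location (TEMP, AppData, ProgramData), and entries with no company name in their version information. The sample lines are copied from the OTL log in this thread; the selection, the regular expression, the path list and the reason strings are this example's own assumptions. The flags are prompts for review, not verdicts: catchme.sys is the driver of ComboFix's own rootkit scanner (named in the ComboFix log above), and cpuz135/cpuz136 are the driver names used by the CPU-Z hardware utility, which extracts its driver under TEMP.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lines copied from the OTL log posted in this thread (the selection is constructed for this example).
SAMPLE_LOG = r"""
========== Services (SafeList) ==========

SRV - [2013/10/09 09:58:16 | 003,275,136 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2013/08/14 14:19:24 | 000,039,056 | ---- | M] () [Auto | Running] -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe -- (RealNetworks Downloader Resolver Service)
SRV - [2008/09/15 03:57:04 | 000,262,360 | ---- | M] (Data Perceptions / PowerProgrammer) [Auto | Running] -- C:\Windows\System32\WebUpdateSvc4.exe -- (WebUpdate4)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\npbgsgld.sys -- (npbgsgld)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Windows\TEMP\cpuz136\cpuz136_x32.sys -- (cpuz136)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Kathy\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2013/01/27 08:59:58 | 000,051,144 | ---- | M] (Soluto LTD.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Soluto.sys -- (Soluto)
DRV - [2008/12/04 12:25:38 | 000,112,640 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
"""

# One OTL service/driver line. Two shapes exist: the file was found (timestamp, size,
# attributes, company in parentheses) or OTL printed "File not found" instead.
ENTRY_RE = re.compile(
    r"^(?P<kind>SRV|DRV) - "
    r"(?:(?P<missing>File not found)"
    r"|\[(?P<mtime>[^|\]]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*\((?P<company>.*?)\))"
    r"\s*\[(?P<flags>[^\]]*)\]\s*--\s*(?P<path>.+?)\s*--\s*\((?P<name>.*)\)\s*$"
)

# Path fragments that an ordinary user (or malware running as that user) can write to.
# Assumed list for this example; extend it for the environment being triaged.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Entry:
    kind: str          # "SRV" (user-mode service) or "DRV" (kernel/file-system driver)
    name: str          # service key name, e.g. "cpuz136"
    path: str          # image path exactly as registered
    present: bool      # False when OTL printed "File not found"
    company: str       # company from the PE version info; "" when absent or file missing
    flags: List[str]   # e.g. ["Kernel", "On_Demand", "Running"]

    @property
    def state(self) -> str:
        """Last flag is the runtime state OTL observed (Running/Stopped)."""
        return self.flags[-1] if self.flags else ""


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one SRV/DRV line; return None for any other OTL line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    present = m.group("missing") is None
    return Entry(
        kind=m.group("kind"),
        name=m.group("name").strip(),
        path=m.group("path").strip(),
        present=present,
        company=(m.group("company") or "").strip() if present else "",
        flags=[f.strip() for f in m.group("flags").split("|")],
    )


def parse_log(text: str) -> List[Entry]:
    """Collect every SRV/DRV entry from an OTL log, in the order OTL listed them."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e is not None]


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map service name -> reasons it deserves a second look (empty reasons are omitted)."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons = []
        if not e.present:
            reasons.append("file not found")            # orphaned registration
        if any(mark in e.path.lower() for mark in USER_WRITABLE):
            reasons.append("image under user-writable path")
        if e.present and not e.company:
            reasons.append("no company name")           # no vendor in version info
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for name, reasons in triage(parsed).items():
        entry = next(e for e in parsed if e.name == name)
        print(f"{entry.kind} {name:<40} {entry.state:<8} {', '.join(reasons)}  [{entry.path}]")
```

Run against the sample, it reports the Skype C2C service (image under ProgramData), the RealNetworks resolver service (no company name), and the three "File not found" drivers; cpuz136 stands out because it is both missing on disk and still reported as Running, which is exactly the kind of entry to ask about before concluding anything, since a driver that unloads and deletes its own file looks the same as a tool that does so deliberately.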

Re: My Wife's PC has malware

Post by tnesler » November 15th, 2013, 12:00 am

Here are the Log files you requested. Unfortunately, I still can't start MSE successfully. See the error message I receive when I start the computer up.

My fear is that every time I access the internet, a new set of malware is being loaded...:-(

OTL logfile created on: 11/14/2013 6:30:37 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Kathy\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.93 Gb Total Physical Memory | 1.08 Gb Available Physical Memory | 55.82% Memory free
4.10 Gb Paging File | 3.03 Gb Available in Paging File | 74.06% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 220.88 Gb Total Space | 140.51 Gb Free Space | 63.61% Space Free | Partition Type: NTFS

Computer Name: KATHYS-PC | User Name: Kathy | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/11/07 18:13:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kathy\Desktop\OTL.exe
PRC - [2013/10/09 09:58:16 | 003,275,136 | ---- | M] (Skype Technologies S.A.) -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
PRC - [2013/08/14 14:19:24 | 000,039,056 | ---- | M] () -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
PRC - [2013/08/12 09:12:38 | 000,022,208 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe
PRC - [2013/01/27 09:04:34 | 000,166,880 | ---- | M] (Soluto) -- C:\Program Files\Soluto\SolutoLauncherService.exe
PRC - [2013/01/27 09:04:32 | 000,553,440 | ---- | M] (Soluto) -- C:\Program Files\Soluto\SolutoService.exe
PRC - [2013/01/27 09:04:30 | 001,229,280 | ---- | M] (Soluto) -- C:\Program Files\Soluto\Soluto.exe
PRC - [2010/03/24 20:50:00 | 002,516,296 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2010/03/02 19:52:00 | 000,140,640 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
PRC - [2009/07/31 10:49:54 | 000,200,704 | ---- | M] () -- C:\Windows\PLFSetI.exe
PRC - [2009/06/18 19:00:24 | 000,723,488 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
PRC - [2009/06/18 19:00:24 | 000,703,008 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
PRC - [2009/06/18 19:00:22 | 000,453,152 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
PRC - [2009/04/29 16:09:14 | 000,237,568 | ---- | M] (AlcorMicro Co., Ltd.) -- C:\Program Files\Selective Suspend Driver\AmIcoSinglun.exe
PRC - [2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/16 17:14:00 | 000,565,248 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\AcerVCM.exe
PRC - [2009/02/11 18:38:40 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2009/02/11 18:38:38 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2009/02/05 09:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) -- C:\Program Files\Acer\Acer VCM\RS_Service.exe
PRC - [2008/09/15 03:57:04 | 000,262,360 | ---- | M] (Data Perceptions / PowerProgrammer) -- C:\Windows\System32\WebUpdateSvc4.exe


========== Modules (No Company Name) ==========

MOD - [2013/10/13 03:22:41 | 000,039,936 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGRSPProbe\4de87dcff56b1cc480bc9489122b35e0\PCGRSPProbe.ni.dll
MOD - [2013/10/13 03:22:39 | 000,055,296 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGUsersCenter\f5bad3277e4eb7b75277bb33f6d8e325\PCGUsersCenter.ni.dll
MOD - [2013/10/13 03:22:37 | 000,156,160 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGAppControlPlugin#\4e76c0ef0b27898e1287e1992c35cf6b\PCGAppControlPluginLoader.ni.dll
MOD - [2013/10/13 03:22:34 | 003,510,272 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGClientCommon\1a0c08e04a85290bfc9711006f51bbf1\PCGClientCommon.ni.dll
MOD - [2013/10/13 03:22:22 | 000,157,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGBootVisualizingC#\5fe86020912d2e6925231ba54be932f3\PCGBootVisualizingCommon.ni.dll
MOD - [2013/10/13 03:22:19 | 000,221,696 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGDriverProbe\730d462a7e3a215f3ed446a536604690\PCGDriverProbe.ni.dll
MOD - [2013/10/13 03:21:09 | 000,068,096 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGConfiguration\f3880f6048502089cfad0cb7bb86e67c\PCGConfiguration.ni.dll
MOD - [2013/10/13 03:21:06 | 002,617,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGDatabase\92e575065f18cf53803222d76c14fa4a\PCGDatabase.ni.dll
MOD - [2013/10/13 03:20:57 | 001,550,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGAzureShared\1f8ab68728e907a1baad5cda57dda0a9\PCGAzureShared.ni.dll
MOD - [2013/10/13 03:20:52 | 001,197,056 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGCommunication\3f02b42d4f0ea21dd631f3433d6b9b91\PCGCommunication.ni.dll
MOD - [2013/10/13 03:18:46 | 000,188,416 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGPrestoSerializer\2e1807f7639b94cb03fc048c33c7d8ba\PCGPrestoSerializer.ni.dll
MOD - [2013/10/13 03:18:42 | 002,128,384 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Newtonsoft.Json.Net#\c7d17aafbcdcc3aa47f35d53f325bda8\Newtonsoft.Json.Net35.ni.dll
MOD - [2013/10/13 03:18:19 | 002,731,520 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGFramework\d1c2b9f1041e0151787073a4b1888746\PCGFramework.ni.dll
MOD - [2013/10/13 03:17:49 | 001,620,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Soluto\ddd7b435f33a355a1d6d5977fe3ab7b3\Soluto.ni.exe
MOD - [2013/10/13 03:13:11 | 000,978,944 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\f453ecc6bb7fc8d52d61247676944623\System.Configuration.ni.dll
MOD - [2013/10/13 03:08:16 | 012,434,432 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\73d9bc894522543b561a0342dac87c06\System.Windows.Forms.ni.dll
MOD - [2013/10/13 03:07:54 | 002,518,016 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\3815d0ee28da0b5a6e6c1f083ef437f6\System.Data.Linq.ni.dll
MOD - [2013/10/13 03:07:47 | 002,295,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\ab40b51ac49fbee9a48b5b74ff78d5d6\System.Core.ni.dll
MOD - [2013/08/16 19:14:17 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\5974034f0f53755b11bde4c9698261cb\System.ServiceProcess.ni.dll
MOD - [2013/08/16 19:13:48 | 011,820,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\59eba2680c01c33b2b3f5385979e32c6\System.Web.ni.dll
MOD - [2013/08/16 16:54:30 | 002,327,552 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Community.CsharpSql#\6c07f76ab73ce7b4dc02ccfec040ddc3\Community.CsharpSqlite.ni.dll
MOD - [2013/08/16 16:40:00 | 000,656,896 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGPostBootResources\05f479f87e6ac55f0fd3cd6ae1c10739\PCGPostBootResources.ni.dll
MOD - [2013/08/16 16:39:59 | 000,051,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGHIDProbe\c3d6831db800db604e16702ac6a0d091\PCGHIDProbe.ni.dll
MOD - [2013/08/16 16:32:52 | 000,048,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGAzureEntityFrame#\6260744bbbdeb48359e51f5d24f8cf3d\PCGAzureEntityFramework.ni.dll
MOD - [2013/08/16 16:32:42 | 001,707,008 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGPreCompiled\074b1bcfde67d61ff1989f4818b0f419\PCGPreCompiled.ni.dll
MOD - [2013/08/16 15:17:43 | 000,596,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Ionic.Zip.Reduced\36bdd5973166173b1547256acbedb674\Ionic.Zip.Reduced.ni.dll
MOD - [2013/08/16 11:48:46 | 005,462,016 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\09f5b3f7a363b742a73937e818595597\System.Xml.ni.dll
MOD - [2013/08/16 11:46:37 | 001,593,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\c0df7e124d8d5e2821fd7d3921d404f7\System.Drawing.ni.dll
MOD - [2013/08/16 11:39:26 | 007,977,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\d7153acb7b6ccb5a6a886d6f0ab732b1\System.ni.dll
MOD - [2013/07/23 18:40:08 | 000,202,240 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PCGWuInfo\fe73c0ce3b7f9f61db4b2f8453521a2d\PCGWuInfo.ni.dll
MOD - [2013/07/23 18:40:07 | 000,100,864 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Interop.IWshRuntime#\449c932b29b1df04449197f0693226a0\Interop.IWshRuntimeLibrary.ni.dll
MOD - [2013/07/11 12:12:33 | 011,497,984 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\6a938df70a8b7996a3890b4f34c83906\mscorlib.ni.dll
MOD - [2013/01/27 09:00:18 | 000,077,880 | ---- | M] () -- C:\Program Files\Soluto\PCGDllExportInspector.dll
MOD - [2009/07/31 10:49:54 | 000,200,704 | ---- | M] () -- C:\Windows\PLFSetI.exe


========== Services (SafeList) ==========

SRV - [2013/10/09 09:58:16 | 003,275,136 | ---- | M] (Skype Technologies S.A.) [Auto | Running] -- C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe -- (Skype C2C Service)
SRV - [2013/10/08 13:07:50 | 000,257,416 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2013/08/14 14:19:24 | 000,039,056 | ---- | M] () [Auto | Running] -- C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe -- (RealNetworks Downloader Resolver Service)
SRV - [2013/08/12 09:12:38 | 000,295,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\NisSrv.exe -- (NisSrv)
SRV - [2013/08/12 09:12:38 | 000,022,208 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\MsMpEng.exe -- (MsMpSvc)
SRV - [2013/01/27 09:04:34 | 000,166,880 | ---- | M] (Soluto) [Auto | Running] -- C:\Program Files\Soluto\SolutoLauncherService.exe -- (SolutoLauncherService)
SRV - [2013/01/27 09:04:32 | 000,553,440 | ---- | M] (Soluto) [Auto | Running] -- C:\Program Files\Soluto\SolutoService.exe -- (SolutoService)
SRV - [2013/01/27 09:00:18 | 001,239,552 | ---- | M] (Soluto) [On_Demand | Stopped] -- C:\Program Files\Soluto\SolutoRemoteService.exe -- (SolutoRemoteService)
SRV - [2012/07/13 18:17:12 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice_tmp.exe -- (MozillaMaintenance)
SRV - [2012/07/13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2009/06/18 19:00:24 | 000,723,488 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe -- (ePowerSvc)
SRV - [2009/02/11 18:38:40 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON)
SRV - [2009/02/05 09:14:56 | 000,237,568 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer VCM\RS_Service.exe -- (RS_Service)
SRV - [2008/09/15 03:57:04 | 000,262,360 | ---- | M] (Data Perceptions / PowerProgrammer) [Auto | Running] -- C:\Windows\System32\WebUpdateSvc4.exe -- (WebUpdate4)
SRV - [2008/01/20 20:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\LV302V32.SYS -- (PID_PEPI)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lv302af.sys -- (pepifilter)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\npbgsgld.sys -- (npbgsgld)
DRV - File not found [Kernel | Auto | Stopped] -- System32\Drivers\Lxarscan.sys -- (LXARScan)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\lvrs.sys -- (LVRS)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Running] -- C:\Windows\TEMP\cpuz136\cpuz136_x32.sys -- (cpuz136)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\TEMP\cpuz135\cpuz135_x32.sys -- (cpuz135)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Kathy\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2013/11/14 15:37:31 | 000,040,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CA469631-9367-423D-805F-E2E001EF850A}\MpKsl880bab26.sys -- (MpKsl880bab26)
DRV - [2013/11/14 14:41:43 | 000,040,392 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CA469631-9367-423D-805F-E2E001EF850A}\MpKsl07e2be84.sys -- (MpKsl07e2be84)
DRV - [2013/06/18 20:50:08 | 000,107,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2013/01/27 08:59:58 | 000,051,144 | ---- | M] (Soluto LTD.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Soluto.sys -- (Soluto)
DRV - [2010/03/28 18:24:37 | 000,016,694 | ---- | M] (PalmSource, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PalmUSBD.sys -- (PalmUSBD)
DRV - [2009/04/27 02:16:04 | 000,050,176 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\L1C60x86.sys -- (L1C)
DRV - [2009/04/07 21:14:40 | 000,014,848 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SSUSB.sys -- (SSUSB)
DRV - [2009/03/30 15:35:12 | 000,010,752 | ---- | M] (Alcor Micro, Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SSDISK.sys -- (SSDISK)
DRV - [2009/03/03 20:49:22 | 004,232,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32)
DRV - [2008/12/04 12:25:38 | 000,112,640 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService)
DRV - [2008/09/30 21:50:50 | 000,010,504 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Program Files\GridVista\DPMemGridVista.sys -- (DPMemGridVista)
DRV - [2003/10/01 08:29:50 | 000,069,632 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\OEM\factory\int15.sys -- (int15.sys)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACA ... 5w47j1r735
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 2E 76 D4 7F 21 E0 CE 01 [binary data]
IE - HKCU\..\SearchScopes,DefaultScope = {3086E760-46D6-4731-A5BB-1DEA36ABDBED}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{3086E760-46D6-4731-A5BB-1DEA36ABDBED}: "URL" = https://www.google.com/search?q={searchTerms}
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rlz=1I7ACAW_en&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledAddons: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.4.8.20120412011105
FF - prefs.js..extensions.enabledAddons: amznUWL2@amazon.com:1.10
FF - prefs.js..extensions.enabledAddons: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}:6.11.0.13348
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_9_900_117.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/MycameraPlugin: C:\Program Files\Canon\MyCamera Download Plugin\NPCIG.dll (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8051.1204: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=16.0.3.51: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlchromebrowserrecordext;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlhtml5videoshim;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprndlpepperflashvideoshim;version=1.3.3: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=16.0.3.51: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\@realnetworks.com/npdlplugin;version=1: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@Skype Limited.com/Facebook Video Calling Plugin: C:\Users\Kathy\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
FF - HKCU\Software\MozillaPlugins\amazon.com/AmazonMP3DownloaderPlugin: C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll (Amazon.com, Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013/09/12 17:42:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ [2013/09/12 17:42:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/07/17 18:17:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 14.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/09/12 17:40:57 | 000,000,000 | ---D | M]

[2010/03/24 18:34:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Extensions
[2013/11/13 12:05:41 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions
[2010/06/07 17:36:07 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/10/06 21:11:02 | 000,243,287 | ---- | M] () (No name found) -- C:\Users\Kathy\AppData\Roaming\Mozilla\Firefox\Profiles\ojyrvpn2.default\extensions\amznUWL2@amazon.com.xpi
[2012/07/17 18:17:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/10/20 14:09:47 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2013/04/24 11:44:23 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\browser\extensions
[2013/10/20 14:09:46 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
File not found (No name found) -- C:\USERS\KATHY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\OJYRVPN2.DEFAULT\EXTENSIONS\{635ABD67-4FE9-1B23-4F01-E679FA7484C1}
[2012/07/13 18:17:47 | 000,136,672 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/03/18 12:32:12 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2011/11/10 05:54:13 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011/03/18 12:32:14 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2013/09/12 17:40:31 | 000,124,504 | ---- | M] (RealPlayer) -- C:\Program Files\mozilla firefox\plugins\nprpplugin.dll
[2012/07/13 18:16:36 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/07/13 18:16:36 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2013/11/13 22:37:51 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (RealNetworks Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe ()
O4 - HKLM..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe (Acer Incorporated)
O4 - HKLM..\Run: [AmIcoSinglun] C:\Program Files\Selective Suspend Driver\AmIcoSinglun.exe (AlcorMicro Co., Ltd.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PLFSetI] C:\Windows\PLFSetI.exe ()
O4 - HKLM..\Run: [Soluto] c:\program files\soluto\soluto.exe (Soluto)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html File not found
O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1A48B34A-7608-4D4D-AFC9-BC7194A9B2B1}: DhcpNameServer = 192.168.10.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B5DF368C-F419-4932-BD75-7A02B9585635}: DhcpNameServer = 192.168.10.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Kathy\Pictures\Lighthouse.jpg
O24 - Desktop BackupWallPaper: C:\Users\Kathy\Pictures\Lighthouse.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 15:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/11/13 22:42:47 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2013/11/13 22:42:35 | 000,000,000 | ---D | C] -- C:\Users\Kathy\AppData\Local\temp
[2013/11/13 22:36:24 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2013/11/13 22:12:47 | 000,000,000 | ---D | C] -- C:\Users\Kathy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\CyberLink PowerDVD
[2013/11/13 20:51:20 | 000,000,000 | ---D | C] -- C:\_OTL
[2013/11/13 11:58:15 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2013/11/12 19:23:42 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Users\Kathy\Desktop\aswMBR.exe
[2013/11/11 07:33:52 | 000,000,000 | ---D | C] -- C:\FRST
[2013/11/11 07:28:43 | 001,090,275 | ---- | C] (Farbar) -- C:\Users\Kathy\Desktop\FRST.exe
[2013/11/08 18:51:01 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2013/11/08 18:51:01 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2013/11/08 18:51:01 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2013/11/08 18:48:25 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/11/08 18:48:11 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
[2013/11/08 18:47:11 | 005,147,957 | R--- | C] (Swearware) -- C:\Users\Kathy\Desktop\ComboFix.exe
[2013/11/07 18:13:01 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Kathy\Desktop\OTL.exe
[2013/11/07 18:10:00 | 004,121,952 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\Kathy\Desktop\tdsskiller.exe
[2011/06/10 11:44:36 | 003,080,864 | ---- | C] (Adobe Systems, Inc.) -- C:\Program Files\install_flash_player.exe
[1964/01/03 08:35:38 | 000,053,248 | ---- | C] (Silitek Corp.) -- C:\Program Files\ACMonitor_X73.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/11/14 18:28:11 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2013/11/14 18:28:08 | 000,000,928 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000UA.job
[2013/11/14 18:28:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/11/14 18:27:58 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2013/11/14 18:27:58 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2013/11/14 15:34:58 | 000,618,148 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/11/14 15:34:57 | 000,109,218 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/11/14 15:25:11 | 2075,045,888 | -HS- | M] () -- C:\hiberfil.sys
[2013/11/13 22:37:51 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2013/11/13 22:11:08 | 005,147,957 | R--- | M] (Swearware) -- C:\Users\Kathy\Desktop\ComboFix.exe
[2013/11/13 21:21:24 | 000,000,906 | ---- | M] () -- C:\Windows\tasks\FacebookUpdateTaskUserS-1-5-21-1403424136-2531779536-1460617787-1000Core.job
[2013/11/13 10:58:44 | 000,075,264 | ---- | M] () -- C:\Users\Kathy\Desktop\SystemLook.exe
[2013/11/13 10:58:14 | 001,085,542 | ---- | M] () -- C:\Users\Kathy\Desktop\AdwCleaner.exe
[2013/11/12 21:35:03 | 000,000,512 | ---- | M] () -- C:\Users\Kathy\Documents\MBR.dat
[2013/11/12 19:21:24 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Users\Kathy\Desktop\aswMBR.exe
[2013/11/11 07:21:42 | 001,090,275 | ---- | M] (Farbar) -- C:\Users\Kathy\Desktop\FRST.exe
[2013/11/07 18:13:02 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Kathy\Desktop\OTL.exe
[2013/11/07 18:10:04 | 004,121,952 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\Kathy\Desktop\tdsskiller.exe
[2013/11/04 21:28:52 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/11/04 18:39:22 | 264,443,960 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2013/10/25 13:15:45 | 001,822,775 | ---- | M] () -- C:\Users\Kathy\Desktop\ColoringPages.pdf
[2013/10/25 11:53:07 | 000,002,637 | ---- | M] () -- C:\Users\Kathy\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word 2010.lnk
[2013/10/16 02:03:05 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/11/13 12:14:26 | 000,218,228 | ---- | C] () -- C:\Windows\System32\WFP.TMF
[2013/11/13 11:55:38 | 001,085,542 | ---- | C] () -- C:\Users\Kathy\Desktop\AdwCleaner.exe
[2013/11/13 11:53:52 | 000,075,264 | ---- | C] () -- C:\Users\Kathy\Desktop\SystemLook.exe
[2013/11/12 21:35:02 | 000,000,512 | ---- | C] () -- C:\Users\Kathy\Documents\MBR.dat
[2013/11/11 07:25:05 | 2075,045,888 | -HS- | C] () -- C:\hiberfil.sys
[2013/11/08 18:51:01 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2013/11/08 18:51:01 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2013/11/08 18:51:01 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2013/11/08 18:51:01 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2013/11/08 18:51:01 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2013/11/04 21:28:52 | 000,000,910 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/10/25 13:15:45 | 001,822,775 | ---- | C] () -- C:\Users\Kathy\Desktop\ColoringPages.pdf
[2012/09/19 13:54:47 | 000,047,633 | ---- | C] () -- C:\Windows\System32\wuwuninst.exe
[2012/07/17 18:27:14 | 000,000,193 | ---- | C] () -- C:\ProgramData\Microsoft.SqlServer.Compact.351.32.bc
[2012/07/14 22:03:55 | 000,027,520 | ---- | C] () -- C:\Users\Kathy\AppData\Local\dt.dat
[2011/04/06 14:54:18 | 000,000,680 | ---- | C] () -- C:\Users\Kathy\AppData\Local\d3d9caps.dat
[2010/06/14 17:14:02 | 000,000,000 | ---- | C] () -- C:\Users\Kathy\AppData\Local\prvlcl.dat
[2010/03/24 18:44:53 | 000,020,480 | ---- | C] () -- C:\Users\Kathy\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/23 20:25:09 | 000,000,210 | ---- | C] () -- C:\Users\Kathy\AppData\Roaming\wklnhst.dat
[2001/07/20 09:48:06 | 000,008,116 | ---- | C] () -- C:\Program Files\OSLO3071b2.USB
[2000/12/05 14:56:34 | 000,114,688 | ---- | C] () -- C:\Program Files\lxarscan.dll
[2000/01/11 11:50:48 | 000,000,047 | ---- | C] () -- C:\Program Files\ACMonitor_X73.ini
[1964/01/18 07:07:18 | 000,000,768 | ---- | C] () -- C:\Program Files\x73_lut.dat
[1964/01/03 08:25:18 | 000,001,437 | ---- | C] () -- C:\Program Files\gtx73.ini

========== ZeroAccess Check ==========

[2006/11/02 06:54:22 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/08 11:47:00 | 011,586,048 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/04/11 00:28:19 | 000,614,912 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/04/11 00:28:25 | 000,347,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2011/08/21 12:37:52 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Acer
[2009/06/27 20:08:18 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Acer GameZone Console
[2010/05/24 13:18:09 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Amazon
[2010/11/18 13:28:19 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Canon
[2013/11/14 14:40:44 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Dropbox
[2010/04/14 16:14:25 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\EA
[2010/03/23 20:18:51 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\eSobi
[2011/02/03 20:40:52 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\FreeAudioPack
[2010/06/07 18:06:00 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\GameBlend
[2010/03/28 18:24:40 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\HotSync
[2010/03/23 17:04:10 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Leadertech
[2010/05/17 20:20:23 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\NCH Swift Sound
[2010/04/13 17:37:40 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\PlayFirst
[2012/07/18 04:33:04 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Soluto
[2010/03/23 20:26:13 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Template
[2013/08/15 20:27:10 | 000,000,000 | ---D | M] -- C:\Users\Kathy\AppData\Roaming\Windows Live Writer

========== Purity Check ==========

< End of report >

+++++++++++++Here is the EsetScan Log +++++++++++++++++++++

C:\converter\AudioConverter.exe a variant of Win32/InstallCore.A application
C:\FRST\Quarantine\65brmon.exe Win32/Toolbar.MyWebSearch.W application
C:\FRST\Quarantine\65SrchMn.exe Win32/Toolbar.MyWebSearch.W application
C:\FRST\Quarantine\NP65Stub.dll Win32/Toolbar.MyWebSearch.T application
C:\FRST\Quarantine\1.bin\65auxstb.dll Win32/Toolbar.MyWebSearch.W application
C:\FRST\Quarantine\1.bin\65bar.dll Win32/Toolbar.MyWebSearch.W application
C:\FRST\Quarantine\1.bin\65bprtct.dll Win32/Toolbar.MyWebSearch.W application
C:\FRST\Quarantine\1.bin\65datact.dll a variant of Win32/Toolbar.MyWebSearch.A application
C:\FRST\Quarantine\1.bin\65htmlmu.dll probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\FRST\Quarantine\1.bin\65ieovr.dll probably a variant of Win32/Toolbar.MyWebSearch.P application
C:\FRST\Quarantine\1.bin\65impipe.exe Win32/Toolbar.MyWebSearch.W application
C:\FRST\Quarantine\1.bin\65Plugin.dll probably a variant of Win32/Toolbar.MyWebSearch application
C:\FRST\Quarantine\1.bin\65reghk.dll Win32/Toolbar.MyWebSearch.W application
C:\FRST\Quarantine\1.bin\65skin.dll a variant of Win32/Toolbar.MyWebSearch.P application
C:\FRST\Quarantine\1.bin\65skplay.exe Win32/Toolbar.MyWebSearch.W application
C:\FRST\Quarantine\1.bin\AppIntegrator64.exe Win64/Toolbar.MyWebSearch.A application
C:\FRST\Quarantine\1.bin\AppIntegratorStub64.dll Win64/Toolbar.MyWebSearch.A application
C:\FRST\Quarantine\1.bin\CREXT.DLL Win32/Toolbar.MyWebSearch.W application
C:\FRST\Quarantine\1.bin\CrExtP65.exe Win32/Toolbar.MyWebSearch.W application
C:\FRST\Quarantine\1.bin\Hpg64.dll Win64/Toolbar.MyWebSearch.A application
C:\FRST\Quarantine\1.bin\T8HTML.DLL probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\FRST\Quarantine\1.bin\T8TICKER.DLL Win32/Toolbar.MyWebSearch.W application
C:\FRST\Quarantine\Search Toolbar\SearchToolbarUpdater.exe Win32/Toolbar.Zugo application
C:\Users\Kathy\Downloads\Setup_FreeConverter.exe Win32/Toolbar.Widgi application

End of Report.
tnesler
Regular Member
 
Posts: 33
Joined: September 12th, 2013, 11:42 am
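As an added example, not code from the thread or from any of the tools named in it, here is a small Python triage script for ESET scan output like the log above. It separates hits that sit inside a tool's quarantine folder (already neutralised) from files still live on disk, and counts detections per family; the sample lines are constructed after the posted log, and the quarantine folder names it recognises are an assumption.

```python
import re
from collections import Counter

# Constructed sample, modelled on the ESET log lines in the post above.
SAMPLE_ESET_LOG = """\
C:\\converter\\AudioConverter.exe a variant of Win32/InstallCore.A application
C:\\FRST\\Quarantine\\65brmon.exe Win32/Toolbar.MyWebSearch.W application
C:\\FRST\\Quarantine\\1.bin\\65datact.dll a variant of Win32/Toolbar.MyWebSearch.A application
C:\\FRST\\Quarantine\\1.bin\\65htmlmu.dll probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\\FRST\\Quarantine\\Search Toolbar\\SearchToolbarUpdater.exe Win32/Toolbar.Zugo application
C:\\Users\\Kathy\\Downloads\\Setup_FreeConverter.exe Win32/Toolbar.Widgi application
"""

# One ESET line: <path> [probably] [a variant of] <Engine/Name.Variant> <kind>
# The path is matched non-greedily so that paths containing spaces still work;
# the detection name is the first token that contains a '/'.
_LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<qualifier>(?:probably\s+)?a\s+variant\s+of)\s+)?"
    r"(?P<detection>[A-Za-z0-9]+/\S+)"
    r"(?:\s+(?P<kind>\S+))?\s*$"
)

# Trailing ".A", ".W", ".ABC" style variant letters are stripped to get a family.
_VARIANT_SUFFIX = re.compile(r"\.[A-Z]{1,3}$")

# Assumed folder names that mark a file as already quarantined by a cleanup
# tool (FRST, ComboFix's Qoobox, AdwCleaner); adjust for other tools.
QUARANTINE_MARKERS = ("quarantine", "qoobox")


def parse_eset_line(line):
    """Return a dict with path/qualifier/detection/kind, or None if not a hit line."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qualifier"] = " ".join(rec["qualifier"].split()) if rec["qualifier"] else None
    return rec


def parse_eset_log(text):
    """Parse every non-empty line; lines that are not hits are skipped."""
    return [r for r in (parse_eset_line(l) for l in text.splitlines()) if r]


def is_quarantined(path):
    """True when any path component is a known quarantine folder."""
    parts = [p.lower() for p in re.split(r"[\\/]", path)]
    return any(p in QUARANTINE_MARKERS for p in parts)


def family(detection):
    """Collapse 'Win32/Toolbar.MyWebSearch.W' to 'Win32/Toolbar.MyWebSearch'."""
    return _VARIANT_SUFFIX.sub("", detection)


def triage(text):
    """Split hits into live files vs quarantined copies and count families."""
    hits = parse_eset_log(text)
    live = [h["path"] for h in hits if not is_quarantined(h["path"])]
    quarantined = [h["path"] for h in hits if is_quarantined(h["path"])]
    families = Counter(family(h["detection"]) for h in hits)
    return {"live": live, "quarantined": quarantined, "families": families}


if __name__ == "__main__":
    result = triage(SAMPLE_ESET_LOG)
    print("Still on disk (candidates for a second opinion scan):")
    for p in result["live"]:
        print("  ", p)
    print("Already quarantined:", len(result["quarantined"]))
    for fam, n in result["families"].most_common():
        print(f"  {n:2d}  {fam}")
```

The two paths reported as live are exactly the ones a helper would want scanned again; everything under a quarantine folder is a copy the cleanup tools already moved aside.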

Re: My Wife's PC has malware

Unread postby nunped » November 16th, 2013, 5:23 am

Hi tnesler,
My fear is that every time I access the internet, a new set of malware is being loaded...:-(

I understand your fears, but as long as you keep it safe you *shouldn't* catch new infections. I'll give you some hints after we end up cleaning. Your new set of logs is looking good, and doesn't show any signs of new infections. But, because of the kind of infection you had/have, we can never be sure that everything is as it should be.
Let's try to clean it as best as we can.

The problem with MSE could be created by some modifications induced by the infection. Please, try the following steps:
Step 1 - Uninstall Programs
  • Click on Start
  • Copy and paste the value below, into the Start Search entry box:
    appwiz.cpl
      Depending on your current view setting ...
    • Double click on Programs and Features.
    • Under Programs, click on Uninstall a program.
  • Locate the following programs. If you don't find one, proceed to the next:
    Microsoft Security Essentials
    Adobe Reader 9.5.2
    FromDocToPDF Toolbar
    Java(TM) 6 Update 30
    Search Toolbar

  • Select the program and click on Uninstall to uninstall it.
  • Repeat steps 3 - 4 for each program in the list.
  • Reboot your computer after this.

Step 2 - Reinstall Microsoft Security Essentials

Step 3 - Online Multi Antivirus file scan
Please go to Virus Total and upload -only one file per scan- the following file(s) for scanning:
C:\Users\Kathy\Downloads\Setup_FreeConverter.exe
C:\converter\AudioConverter.exe


  • Press the Browse button and navigate to -one- of the files in the list.
  • Double click the located file name. The file name should now appear in the online scanner's text entry box.
  • Click on Send File button.
  • The file will be queued, uploaded and scanned by various antivirus scanners. This may take a few minutes.
      If you receive the message: File has already been analysed:
      Please press the Reanalyse file now button, so your file will be scanned.
  • When all scans have completed the results page is displayed
  • Please highlight and copy the page web address link from your browser window.
    Example of web address :
  • Please repeat this procedure for each file listed above.
  • Paste the Web address link(s) for the scan results in your next reply.
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal

Re: My Wife's PC has malware

Unread postby tnesler » November 16th, 2013, 10:35 pm

Things are looking good now since I reinstalled MSE. I have no problems starting it now.

I uninstalled it, Adobe Reader and J2SE Runtime. It did not show the others in my Add/Remove Programs.

Here are the links for the two questionable files:

https://www.virustotal.com/en/file/2468 ... 384653901/

https://www.virustotal.com/en/file/bca1 ... 384655244/

I was a little confused with your instructions for this part because I was expecting a results page to have the link on it rather than copying the link to the results page...;-/

Are we ready for cleanup?
tnesler
Regular Member
 
Posts: 33
Joined: September 12th, 2013, 11:42 am

Re: My Wife's PC has malware

Unread postby nunped » November 17th, 2013, 1:51 pm

Hi tnesler,

Ok, we should be good to go! Don't forget that due to the infection you had, there's no way to be sure that it's completely clean. I still advise you not to use this computer for online banking. Safest course would be to format it when it's convenient to you.

A few clean-up steps:

Adobe Reader
You can download the newest version from here: http://get.adobe.com/reader/
Caution: Be careful to UNCHECK any other (prechecked) software offers before you install!

Java
Download the newest Java version from:
http://www.oracle.com/technetwork/java/ ... 38363.html
Caution: Be careful to UNCHECK any other (prechecked) software offers before you install!

Uninstall Combofix
  • Click on Start >> Run...
  • Now type in ComboFix /Uninstall into the box and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

OTL-Cleanup
You should still have this on your desktop, if so, please ignore the download instructions.
Please download OTL Save it to your Desktop.
  1. Right click on OTL.exe select "Run As Administrator" to run it
  2. Press the CleanUp button.
  3. When done, you will be prompted to reboot your system to finish file removal... please select OK to reboot your computer.
If you did not reboot your computer normally, please do so now, before continuing.

Don't forget to re-enable your security programs!

Stay informed.
To help minimize the chances of becoming re-infected, please read.
Computer Security - a short guide to staying safer online

If your computer is running slowly after your clean up, please read.
What to do if your Computer is running slowly

Please reply to this post so I know you have read it. If you don't have any further questions this thread will be closed.

Safe surfing! ;)
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal

Re: My Wife's PC has malware

Unread postby tnesler » November 17th, 2013, 4:06 pm

I reinstalled Adobe Reader 10 but I decided not to install the JRE. I have heard that you are supposed to disable this software in your browser to prevent hackers so I will wait to see if my wife even needs this pkg these days.

Strangely, this version of Vista does not have a Run box, so I was unable to remove ComboFix using the method you described. I skipped ahead and ran the OTL cleanup program. After it rebooted, ComboFix was gone. I don't know if that is a problem or not.

I manually removed some log files and ADWCleaner.exe off of the desktop. So I think I am back to square zero now.

Just out of curiosity, do you recommend any commercial malware products to prevent future infections? I know there are no guarantees, but it would be nice to have some protection.

Thank you for your patient and careful assistance!
tnesler
Regular Member
 
Posts: 33
Joined: September 12th, 2013, 11:42 am

Re: My Wife's PC has malware

Unread postby nunped » November 17th, 2013, 8:45 pm

I personally use:

Malwarebytes Anti-Malware: http://www.malwarebytes.org/mwb-download/
MyWOT, which is a good guide to avoid dubious internet sites: http://www.mywot.com/en/download
Winpatrol, it keeps an eye on a lot of things in your system: http://www.winpatrol.com/

You are very welcome!
nunped
MRU Honors Grad Emeritus
 
Posts: 1210
Joined: August 17th, 2011, 5:03 pm
Location: Portugal