Welcome to MalwareRemoval.com,
Can't get rid of ads

Post by RussJH » February 19th, 2015, 5:09 pm

Cleaning a machine; however, the browser ads won't go away. Have removed many other infections with Malwarebytes, but the ads in the browser keep returning.

Win 8.1 and FRST logs as follows:

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 18-02-2015 01
Ran by Amy Moore at 2015-02-18 19:40:56
Running from C:\Users\Amy Moore\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.6.636 - Adobe Systems, Inc.)
Aloha TriPeaks (x32 Version: 2.2.0.98 - WildTangent) Hidden
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 10.0.2208 - AVAST Software)
Bejeweled 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Build-a-lot (x32 Version: 2.2.0.98 - WildTangent) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.02 - Piriform)
CloudScout (x32 Version: 1.0.0.1 - www.CloudGuard.me) Hidden <==== ATTENTION
CloudScout Parental Control version 1.2 (HKLM-x32\...\{E1527582-8509-4011-B922-29E3FB548882}_is1) (Version: 1.2 - www.CloudGuard.me) <==== ATTENTION
Cradle of Rome 2 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Crazy Chicken Soccer (x32 Version: 2.2.0.110 - WildTangent) Hidden
CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.3.5901 - CyberLink Corp.)
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.3.2608 - CyberLink Corp.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.3.2527 - CyberLink Corp.)
CyberLink PowerDVD (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.8.5108 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.5.6.6119 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Energy Star (HKLM-x32\...\{FC0ADA4D-8FA5-4452-8AFF-F0A0BAC97EF7}) (Version: 1.0.9 - Hewlett-Packard Company)
Farm Frenzy (x32 Version: 2.2.0.98 - WildTangent) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 40.0.2214.111 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
Governor of Poker 2 Premium Edition (x32 Version: 2.2.0.110 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.2.1.1 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP Documentation (HKLM-x32\...\{8C1ADF61-4F87-44BC-804C-C20FC70D98BB}) (Version: 1.4.0.0 - Hewlett-Packard)
HP Quick Start (HKLM-x32\...\{574F0207-8E98-46CD-8F79-318348C98C46}) (Version: 1.0.4660.30220 - Hewlett-Packard)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.6317.4309 - Hewlett-Packard)
HP Support Assistant (HKLM-x32\...\{EE202411-2C26-49E8-9784-1BC1DBF7DE96}) (Version: 7.0.39.15 - Hewlett-Packard Company)
HP System Event Utility (HKLM-x32\...\{B2F0406F-1609-489A-8626-7DB46776AB57}) (Version: 1.0.5 - Hewlett-Packard Company)
HP Utility Center (HKLM\...\{73237EBB-B26F-4628-8754-4EFE563D72E9}) (Version: 2.1.5 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{941DE69D-6CEE-4171-8F1F-3D7E352AA498}) (Version: 1.0.6.1 - Hewlett-Packard Company)
Intel(R) Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1008 - Intel Corporation)
Intel(R) Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.1.0.1252 - Intel Corporation)
Intel(R) Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3304 - Intel Corporation)
Intel(R) Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.6.0.1030 - Intel Corporation)
Intel(R) SDK for OpenCL - CPU Only Runtime Package (HKLM-x32\...\{FCB3772C-B7D0-4933-B1A9-3707EBACC573}) (Version: 2.0.0.37149 - Intel Corporation)
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
Jewel Match 3 (x32 Version: 2.2.0.98 - WildTangent) Hidden
Jewel Quest II (x32 Version: 2.2.0.97 - WildTangent) Hidden
Mahjongg Artifacts (x32 Version: 2.2.0.110 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.98 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Power Sound Editor Free v8.5.5 (HKLM-x32\...\Power Sound Editor Free_is1) (Version: - Copyright(C) 2005-2014 PowerSE, Inc.)
Qualcomm Atheros Bluetooth Suite (64) (HKLM\...\{A84A4FB1-D703-48DB-89E0-68B6499D2801}) (Version: 8.0.0.226 - Qualcomm Atheros Communications)
Qualcomm Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 10.0 - Qualcomm Atheros)
Ranch Rush 2 - Premium Edition (x32 Version: 2.2.0.98 - WildTangent) Hidden
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.10.1226.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6849 - Realtek Semiconductor Corp.)
Realtek PCIE Card Reader (HKLM-x32\...\{0D61A55C-3ADC-409F-BF5B-A1766D1F5944}) (Version: 6.2.9200.29053 - Realtek Semiconductor Corp.)
Royal Envoy 2 Collector's Edition (x32 Version: 3.0.2.32 - WildTangent) Hidden
Skype™ 7.0 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.0.102 - Skype Technologies S.A.)
Spotify (HKU\S-1-5-21-781177400-2606171948-1399550050-1001\...\Spotify) (Version: 0.9.15.27.g87efe634 - Spotify AB)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 16.6.1.3 - Synaptics Incorporated)
Trinklit Supreme (x32 Version: 2.2.0.98 - WildTangent) Hidden
UnknownFile (HKU\S-1-5-21-781177400-2606171948-1399550050-1001\...\UnknownFile) (Version: 1.0.0.0 - UnknownFile) <==== ATTENTION!
Update Installer for WildTangent Games App (x32 Version: - WildTangent) Hidden
Vacation Quest™ - Australia (x32 Version: 3.0.2.32 - WildTangent) Hidden
Virtual Families (x32 Version: 2.2.0.98 - WildTangent) Hidden
Wedding Dash (x32 Version: 2.2.0.95 - WildTangent) Hidden
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App (HP Games) (x32 Version: 4.0.10.5 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WinPcap 4.1.3 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2980 - CACE Technologies)
xSaver (HKLM\...\{E5E9BE83-D6B0-40EA-A289-CD8408BBA84D}) (Version: 1.0.1.2 - ClientConnect Ltd.)
Youda Jewel Shop (x32 Version: 3.0.2.32 - WildTangent) Hidden
Zuma's Revenge (x32 Version: 2.2.0.98 - WildTangent) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


==================== Restore Points =========================

23-01-2015 16:32:20 Windows Update
01-02-2015 20:12:52 Windows Update
13-02-2015 15:47:09 Windows Update
18-02-2015 17:47:36 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 13:25 - 2013-08-22 13:25 - 00000824 ____N C:\WINDOWS\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {08AB607D-A183-43B0-ACEA-975848CD8157} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2012-09-05] (Hewlett-Packard Company)
Task: {0F4A6671-57B0-4F47-BB6B-58808C5EE141} - \SmartWeb Upgrade Trigger Task No Task File <==== ATTENTION
Task: {1A851954-30D6-4F39-817A-3DC80CAB1667} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [2013-03-04] (Realtek Semiconductor)
Task: {213B4C85-D666-4EA5-9890-65EBA2C0762D} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2012-09-27] (Hewlett-Packard Company)
Task: {25FE1211-4F14-4576-A160-652257331DDD} - System32\Tasks\MirageAgent => C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
Task: {368E26FF-81B1-4751-B131-60B8E218B65E} - System32\Tasks\Synaptics TouchPad Enhancements => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2013-05-16] (Synaptics Incorporated)
Task: {42C57A97-FF31-4D91-B5C7-FB1E0814F5AA} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-02-18] (AVAST Software)
Task: {46583C66-ED46-403C-BC55-9CE207EDB30A} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2015-02-13] (Microsoft Corporation)
Task: {541DC967-776C-458B-898C-129A3ABA298F} - \PC Performer Scheduled Scan No Task File <==== ATTENTION
Task: {5DD04F7D-1718-4DF5-B219-12F9F7B8378F} - \CloudScout No Task File <==== ATTENTION
Task: {83B58241-1C6E-4354-A1DC-0884FA28D1B3} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-01-20] (Piriform Ltd)
Task: {9A774C2A-A0E9-433F-93D9-225387490E25} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-08-17] (Google Inc.)
Task: {9C4135AF-9EA2-4D69-B24F-994A76ABDE85} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {B0E03A06-3DB9-4B2A-855D-3D2CDC4AF506} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-08-17] (Google Inc.)
Task: {D2BCEEE6-F2D6-49AE-B36E-2CC676050B95} - \avaxvavya No Task File <==== ATTENTION
Task: {D4727025-F172-457A-9EB1-A55781164987} - System32\Tasks\CLVDLauncher => C:\Program Files (x86)\CyberLink\Power2Go8\CLVDLauncher.exe [2012-07-24] (CyberLink Corp.)
Task: {E4033048-298B-4002-A4E1-46C3B66B94F2} - \PC Performer Logon Scan No Task File <==== ATTENTION
Task: {EC840CE9-179E-4DD1-A0A5-42DF0902B296} - System32\Tasks\avastBCLRestartS-1-5-21-781177400-2606171948-1399550050-1001 => Chrome.exe
Task: {F8844CF7-9F2F-4231-ACC5-8BC3A15F32D3} - System32\Tasks\CLMLSvc_P2G8 => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [2012-06-08] (CyberLink)
Task: {FF5BBB05-D45E-4BE7-918B-BE03F4F07939} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2012-09-27] (Hewlett-Packard Company)
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\Synaptics TouchPad Enhancements.job => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

==================== Loaded Modules (whitelisted) ==============

2013-05-16 02:46 - 2013-05-16 02:46 - 00011264 _____ () C:\Program Files (x86)\Bluetooth Suite\Modules\ActivateDesktopDebugger\ActivateDesktopDebugger.dll
2013-05-16 02:43 - 2013-05-16 02:43 - 00086016 _____ () C:\Program Files (x86)\Bluetooth Suite\Modules\Map\MAP.dll
2013-09-16 09:22 - 2013-09-16 09:22 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2013-05-16 03:09 - 2013-05-16 03:09 - 00012928 _____ () C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
2013-05-16 03:15 - 2013-05-16 03:15 - 00384128 _____ () C:\Program Files (x86)\Bluetooth Suite\ContactsApi.dll
2014-10-11 13:06 - 2014-10-11 13:06 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2013-11-29 20:27 - 2012-06-08 03:34 - 00627216 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMediaLibrary.dll
2012-06-08 11:34 - 2012-06-08 11:34 - 00016400 _____ () C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvcPS.dll
2014-12-12 21:09 - 2014-12-12 21:09 - 00016384 _____ () C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\PSIClient\1706c668394b6917a63634ebd3bedcf2\PSIClient.ni.dll
2013-11-29 20:07 - 2012-06-26 09:41 - 01198912 _____ () C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\ACE.dll
2015-02-18 19:18 - 2015-02-18 19:18 - 02911744 _____ () C:\Program Files\AVAST Software\Avast\defs\15021800\algo.dll
2015-02-18 19:18 - 2015-02-18 19:18 - 38562088 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2015-02-18 19:13 - 2015-02-04 09:02 - 01117512 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\libglesv2.dll
2015-02-18 19:13 - 2015-02-04 09:02 - 00211272 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\libegl.dll
2015-02-18 19:13 - 2015-02-04 09:02 - 09170760 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\pdf.dll
2015-02-18 19:13 - 2015-02-04 09:02 - 14965064 _____ () C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.111\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\WINDOWS\system32\msln.exe:79835b2d22ddc265ef3d87b1eea2a426
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\Users\Amy Moore\OneDrive:ms-properties

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-781177400-2606171948-1399550050-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Amy Moore\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Photo Gallery Wallpaper.jpg
DNS Servers: 81.218.119.15 - 199.203.35.75

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== Accounts: =============================

Administrator (S-1-5-21-781177400-2606171948-1399550050-500 - Administrator - Disabled) => C:\Users\Administrator
Amy Moore (S-1-5-21-781177400-2606171948-1399550050-1001 - Administrator - Enabled) => C:\Users\Amy Moore
Guest (S-1-5-21-781177400-2606171948-1399550050-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-781177400-2606171948-1399550050-1003 - Limited - Enabled)

==================== Faulty Device Manager Devices =============

Name: Bluetooth Audio Device
Description: Bluetooth Audio Device
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Qualcomm Atheros Communications
Service: BTATH_A2DP
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Virtual Bluetooth Support (Include Audio)
Description: Virtual Bluetooth Support (Include Audio)
Class Guid: {c7c038ad-1f2d-44d4-b2fe-d912be20e6d5}
Manufacturer: Qualcomm Atheros Communications
Service: AthBTPort
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

Name: Bluetooth LWFLT Device
Description: Bluetooth LWFLT Device
Class Guid: {c7c038ad-1f2d-44d4-b2fe-d912be20e6d5}
Manufacturer: Qualcomm Atheros Communications
Service: BTATH_LWFLT
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver


==================== Event log errors: =========================

Application errors:
==================
Error: (02/18/2015 07:20:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DllHost.exe, version: 6.3.9600.16384, time stamp: 0x5215dfc6
Faulting module name: mfmp4srcsnk.dll, version: 12.0.9600.17334, time stamp: 0x5407ae99
Exception code: 0xc0000094
Fault offset: 0x0000000000096125
Faulting process ID: 0xba0
Faulting application start time: 0xDllHost.exe0
Faulting application path: DllHost.exe1
Faulting module path: DllHost.exe2
Report ID: DllHost.exe3
Faulting package full name: DllHost.exe4
Faulting package-relative application ID: DllHost.exe5

Error: (02/18/2015 07:20:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DllHost.exe, version: 6.3.9600.16384, time stamp: 0x5215dfc6
Faulting module name: mfmp4srcsnk.dll, version: 12.0.9600.17334, time stamp: 0x5407ae99
Exception code: 0xc0000094
Fault offset: 0x0000000000096125
Faulting process ID: 0xd98
Faulting application start time: 0xDllHost.exe0
Faulting application path: DllHost.exe1
Faulting module path: DllHost.exe2
Report ID: DllHost.exe3
Faulting package full name: DllHost.exe4
Faulting package-relative application ID: DllHost.exe5

Error: (02/18/2015 06:38:20 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DllHost.exe, version: 6.3.9600.16384, time stamp: 0x5215dfc6
Faulting module name: mfmp4srcsnk.dll, version: 12.0.9600.17334, time stamp: 0x5407ae99
Exception code: 0xc0000094
Fault offset: 0x0000000000096125
Faulting process ID: 0x1548
Faulting application start time: 0xDllHost.exe0
Faulting application path: DllHost.exe1
Faulting module path: DllHost.exe2
Report ID: DllHost.exe3
Faulting package full name: DllHost.exe4
Faulting package-relative application ID: DllHost.exe5

Error: (02/18/2015 06:38:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DllHost.exe, version: 6.3.9600.16384, time stamp: 0x5215dfc6
Faulting module name: mfmp4srcsnk.dll, version: 12.0.9600.17334, time stamp: 0x5407ae99
Exception code: 0xc0000094
Fault offset: 0x0000000000096125
Faulting process ID: 0xf38
Faulting application start time: 0xDllHost.exe0
Faulting application path: DllHost.exe1
Faulting module path: DllHost.exe2
Report ID: DllHost.exe3
Faulting package full name: DllHost.exe4
Faulting package-relative application ID: DllHost.exe5

Error: (02/18/2015 05:59:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ZiZjdR0tYSEsSO.exe, version: 0.0.0.0, time stamp: 0x54a01d76
Faulting module name: ZiZjdR0tYSEsSO.exe, version: 0.0.0.0, time stamp: 0x54a01d76
Exception code: 0xc0000005
Fault offset: 0x000057d3
Faulting process ID: 0x35c
Faulting application start time: 0xZiZjdR0tYSEsSO.exe0
Faulting application path: ZiZjdR0tYSEsSO.exe1
Faulting module path: ZiZjdR0tYSEsSO.exe2
Report ID: ZiZjdR0tYSEsSO.exe3
Faulting package full name: ZiZjdR0tYSEsSO.exe4
Faulting package-relative application ID: ZiZjdR0tYSEsSO.exe5

Error: (02/18/2015 05:47:45 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service wauctla Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (02/18/2015 05:47:45 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service Update Mgr StrongSignal since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (02/18/2015 05:47:45 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service shopperz Updater since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (02/18/2015 05:47:45 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service Service Mgr StrongSignal since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.

Error: (02/18/2015 05:47:45 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddWin32ServiceFiles: Unable to back up image of service CA Service component since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.
.


System errors:
=============
Error: (02/18/2015 07:07:03 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The csrcc service failed to start due to the following error:
%%216

Error: (02/18/2015 07:07:01 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The 70F4EEDB-1367-4b4f-8247-3133551A7415 service failed to start due to the following error:
%%216

Error: (02/18/2015 07:03:28 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (02/18/2015 07:03:28 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (02/18/2015 07:03:27 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (02/18/2015 07:03:27 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (02/18/2015 07:03:27 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (02/18/2015 07:03:26 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (02/18/2015 07:03:26 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (02/18/2015 07:03:26 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.


Microsoft Office Sessions:
=========================
Error: (02/18/2015 07:20:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: DllHost.exe6.3.9600.163845215dfc6mfmp4srcsnk.dll12.0.9600.173345407ae99c00000940000000000096125ba001d04baffbbb8286C:\WINDOWS\system32\DllHost.exeC:\WINDOWS\System32\mfmp4srcsnk.dll3978bf0d-b7a3-11e4-bea9-40f02f2663c9

Error: (02/18/2015 07:20:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: DllHost.exe6.3.9600.163845215dfc6mfmp4srcsnk.dll12.0.9600.173345407ae99c00000940000000000096125d9801d04baff7e296cdC:\WINDOWS\system32\DllHost.exeC:\WINDOWS\System32\mfmp4srcsnk.dll3849cede-b7a3-11e4-bea9-40f02f2663c9

Error: (02/18/2015 06:38:20 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: DllHost.exe6.3.9600.163845215dfc6mfmp4srcsnk.dll12.0.9600.173345407ae99c00000940000000000096125154801d04baa114ad443C:\WINDOWS\system32\DllHost.exeC:\WINDOWS\System32\mfmp4srcsnk.dll4f03439e-b79d-11e4-bea7-40f02f2663c9

Error: (02/18/2015 06:38:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: DllHost.exe6.3.9600.163845215dfc6mfmp4srcsnk.dll12.0.9600.173345407ae99c00000940000000000096125f3801d04baa0369cde0C:\WINDOWS\system32\DllHost.exeC:\WINDOWS\System32\mfmp4srcsnk.dll4d3b4629-b79d-11e4-bea7-40f02f2663c9

Error: (02/18/2015 05:59:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: ZiZjdR0tYSEsSO.exe0.0.0.054a01d76ZiZjdR0tYSEsSO.exe0.0.0.054a01d76c0000005000057d335c01d04ba4a1c4e23dC:\Users\AMYMOO~1\AppData\Local\Temp\TOCFPB.tmp\ZiZjdR0tYSEsSO.exeC:\Users\AMYMOO~1\AppData\Local\Temp\TOCFPB.tmp\ZiZjdR0tYSEsSO.exee034f137-b797-11e4-bea6-40f02f2663c9

Error: (02/18/2015 05:47:45 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service wauctla Service since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.

Error: (02/18/2015 05:47:45 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service Update Mgr StrongSignal since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.

Error: (02/18/2015 05:47:45 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service shopperz Updater since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.

Error: (02/18/2015 05:47:45 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service Service Mgr StrongSignal since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.

Error: (02/18/2015 05:47:45 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description:
Details:
AddWin32ServiceFiles: Unable to back up image of service CA Service component since QueryServiceConfig API failed

System Error:
The system cannot find the file specified.


CodeIntegrity Errors:
===================================
Date: 2015-02-18 18:26:30.900
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\ProgramData\Microsoft\Windows Defender\Definition Updates\{8EE327BB-16A5-44F7-B484-E7C03F02E7FD}\mpengine.dll that did not meet the Custom 3 / Antimalware signing level requirements.

Date: 2015-02-18 18:26:29.119
Description: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\ProgramData\Microsoft\Windows Defender\Definition Updates\{AF741054-0355-4FE7-9376-5E2400AE65D4}\mpengine.dll that did not meet the Custom 3 / Antimalware signing level requirements.


==================== Memory info ===========================

Processor: Intel(R) Pentium(R) CPU 2020M @ 2.40GHz
Percentage of memory in use: 30%
Total physical RAM: 6033.27 MB
Available physical RAM: 4219.21 MB
Total Pagefile: 6993.27 MB
Available Pagefile: 5081.27 MB
Total Virtual: 131072 MB
Available Virtual: 131071.79 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:677.84 GB) (Free:629.7 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive d: (RECOVERY) (Fixed) (Total:19.59 GB) (Free:1.93 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: 1E1F4777)

Partition: GPT Partition Type.

==================== End Of Log ============================

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-02-2015 01
Ran by Amy Moore (administrator) on AMYSPC on 19-02-2015 20:58:32
Running from C:\Users\Amy Moore\Downloads
Loaded Profiles: Amy Moore (Available profiles: Amy Moore & Administrator)
Platform: Windows 8.1 (X64) OS Language: English (United Kingdom)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/33 ... scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RTKAUDIOSERVICE64.EXE
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Windows (R) Win 7 DDK provider) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(MicroStudio) C:\Program Files (x86)\Windows Network Accelerater\v3\winvxm.exe
(Microsoftware) C:\Program Files (x86)\YouTube-Downloader\A3\youtubeserv.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler.exe
(Atheros) C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.26.9\GoogleCrashHandler64.exe
(Qualcomm Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
() C:\Program Files (x86)\Bluetooth Suite\ActivateDesktop.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
(Spotify Ltd) C:\Users\Amy Moore\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Qualcomm Atheros) C:\Program Files (x86)\Bluetooth Suite\BtTray.exe
(Microsoft Corporation) C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17477_none_fa2b7d3b9b36c7b4\TiWorker.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Farbar) C:\Users\Amy Moore\Downloads\FRST64 (1).exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [mlsStartupKey] => C:\Program Files\MLS\1.0.1.2.0.00\App\MlsUI.exe [31744 2014-08-25] (ClientConnect)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3030256 2013-05-16] (Synaptics Incorporated)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [93296 2012-07-13] (CyberLink Corp.)
HKLM-x32\...\Run: [HPMessageService] => C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPMSGSVC.exe [1045304 2013-02-25] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-02-18] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...\Policies\Explorer\Run: [BtvStack] => C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe [133248 2013-05-16] ( (Qualcomm Atheros Commnucations))
HKU\S-1-5-21-781177400-2606171948-1399550050-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7404312 2015-01-20] (Piriform Ltd)
HKU\S-1-5-21-781177400-2606171948-1399550050-1001\...\Run: [Spotify Web Helper] => C:\Users\Amy Moore\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1676344 2014-12-12] (Spotify Ltd)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-781177400-2606171948-1399550050-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
SearchScopes: HKLM -> {27773F80-B551-4FF0-9F8C-74C21EB057A3} URL = http://www.amazon.co.uk/s/ref=azs_osd_i ... -keywords={searchTerms}
SearchScopes: HKLM -> {D5BF3D39-6B3A-4A07-B419-0E30BBC6E364} URL = http://www.amazon.co.uk/s/ref=azs_osd_i ... -keywords={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {e4a1ece8-ed94-4f93-80ea-75f978ceaf24} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-781177400-2606171948-1399550050-1001 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = http://www.google.com/search?q={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
Tcpip\Parameters: [DhcpNameServer] 208.67.222.222 208.67.220.220
Tcpip\..\Interfaces\{D777DB8B-8712-478D-A609-4B68C8BA387F}: [NameServer] 81.218.119.15,199.203.35.75

FireFox:
========
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\windows\SysWOW64\Adobe\Director\np32dsw_1166636.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll ()
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-02-18]

Chrome:
=======
CHR Profile: C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-02-18]
CHR Extension: (Google Docs) - C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-18]
CHR Extension: (Google Drive) - C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-02-18]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-02-18]
CHR Extension: (YouTube) - C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-02-18]
CHR Extension: (Google Search) - C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-02-18]
CHR Extension: (Google Sheets) - C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-02-18]
CHR Extension: (AdBlock) - C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-02-18]
CHR Extension: (Avast Online Security) - C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-02-18]
CHR Extension: (Google Wallet) - C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-18]
CHR Extension: (Gmail) - C:\Users\Amy Moore\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-02-18]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-02-18]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [310912 2013-05-16] (Windows (R) Win 7 DDK provider)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-02-18] (AVAST Software)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [255040 2014-08-25] (WildTangent)
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [86528 2012-09-27] (Hewlett-Packard Company) [File not signed]
R2 HPWMISVC; C:\Program Files (x86)\Hewlett-Packard\HP System Event\HPWMISVC.exe [1039160 2013-02-01] (Hewlett-Packard Development Company, L.P.)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [165760 2012-07-18] (Intel Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [239176 2013-03-04] (Realtek Semiconductor)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2014-12-08] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-12-08] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-12-08] (Microsoft Corporation)
R2 WindowsVNT_R3; C:\Program Files (x86)\Windows Network Accelerater\v3\winvxm.exe [2973600 2014-10-20] (MicroStudio) [File not signed]
R2 YouTubeDownload_A3; C:\Program Files (x86)\YouTube-Downloader\A3\youtubeserv.exe [2971224 2015-02-12] (Microsoftware)
R2 ZAtheros Bt and Wlan Coex Agent; C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe [323584 2013-05-16] (Atheros) [File not signed]
S2 csrcc; "C:\Program Files\shopperz\csrcc.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-02-18] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [87912 2015-02-18] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2015-02-18] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-02-18] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-02-18] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-02-18] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2015-02-18] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-02-18] ()
R1 bsdriver; C:\WINDOWS\system32\drivers\bsdriver.sys [35832 2015-02-03] ()
S3 BTATH_LWFLT; C:\Windows\system32\DRIVERS\btath_lwflt.sys [77464 2013-05-16] (Qualcomm Atheros)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-09-24] (Microsoft Corporation)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [92536 2012-06-25] (CyberLink)
S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [288328 2013-01-24] (Realtek Semiconductor Corp.)
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [29424 2013-05-08] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [33008 2013-05-08] (Synaptics Incorporated)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-12-08] (Microsoft Corporation)
R3 WirelessButtonDriver; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [20800 2012-08-31] (Hewlett-Packard Development Company, L.P.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-19 20:58 - 2015-02-19 20:58 - 02086912 _____ (Farbar) C:\Users\Amy Moore\Downloads\FRST64 (1).exe
2015-02-19 20:56 - 2015-02-19 20:56 - 00000000 ___RD () C:\Users\Amy Moore\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2015-02-19 20:52 - 2015-02-19 20:52 - 00688992 _____ (Swearware) C:\Users\Amy Moore\Downloads\dds.com
2015-02-19 20:51 - 2015-02-19 20:54 - 00000000 ____D () C:\AdwCleaner
2015-02-19 20:51 - 2015-02-19 20:51 - 02126848 _____ () C:\Users\Amy Moore\Downloads\AdwCleaner.exe
2015-02-19 20:07 - 2015-02-19 20:07 - 01388274 _____ (Thisisu) C:\Users\Amy Moore\Downloads\JRT.exe
2015-02-19 20:07 - 2015-02-19 20:07 - 01388274 _____ (Thisisu) C:\Users\Amy Moore\Downloads\JRT (1).exe
2015-02-19 17:31 - 2015-02-19 17:31 - 00000000 ____D () C:\Users\Amy Moore\Documents\Add-in Express
2015-02-19 17:31 - 2015-02-19 17:31 - 00000000 _____ () C:\Users\Amy Moore\Downloads\flashplayer_chrome.exe
2015-02-19 17:30 - 2015-02-19 17:40 - 00000258 __RSH () C:\Users\Amy Moore\ntuser.pol
2015-02-18 22:16 - 2015-02-18 22:16 - 00002282 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-02-18 22:16 - 2015-02-18 22:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-02-18 22:15 - 2015-02-19 20:55 - 00000914 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-18 22:15 - 2015-02-19 20:20 - 00000918 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-18 22:15 - 2015-02-18 22:15 - 00003654 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-18 22:15 - 2015-02-18 22:15 - 00000000 ____D () C:\Users\Amy Moore\AppData\Local\Deployment
2015-02-18 20:17 - 2015-02-18 19:42 - 00024064 _____ () C:\WINDOWS\zoek-delete.exe
2015-02-18 19:43 - 2015-02-18 19:43 - 00008660 _____ () C:\Users\Amy Moore\Documents\install.txt
2015-02-18 19:43 - 2015-02-18 19:07 - 00041748 _____ () C:\zoek-results2015-02-18-190719.log
2015-02-18 19:42 - 2015-02-18 19:42 - 01304576 _____ () C:\Users\Amy Moore\Downloads\zoek.exe
2015-02-18 19:40 - 2015-02-18 19:41 - 00032387 _____ () C:\Users\Amy Moore\Downloads\Addition.txt
2015-02-18 19:39 - 2015-02-19 20:58 - 00016681 _____ () C:\Users\Amy Moore\Downloads\FRST.txt
2015-02-18 19:37 - 2015-02-19 20:58 - 00000000 ____D () C:\FRST
2015-02-18 19:37 - 2015-02-18 19:37 - 02086912 _____ (Farbar) C:\Users\Amy Moore\Downloads\FRST64.exe
2015-02-18 19:28 - 2015-02-18 19:28 - 00003280 _____ () C:\WINDOWS\System32\Tasks\avastBCLRestartS-1-5-21-781177400-2606171948-1399550050-1001
2015-02-18 19:19 - 2015-02-18 19:19 - 00001987 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-02-18 19:19 - 2015-02-18 19:19 - 00000000 ____D () C:\Users\Amy Moore\AppData\Roaming\AVAST Software
2015-02-18 19:19 - 2015-02-18 19:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-02-18 19:18 - 2015-02-19 17:18 - 00004182 _____ () C:\WINDOWS\System32\Tasks\avast! Emergency Update
2015-02-18 19:18 - 2015-02-18 19:18 - 01050432 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswsnx.sys
2015-02-18 19:18 - 2015-02-18 19:18 - 00436624 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2015-02-18 19:18 - 2015-02-18 19:18 - 00364512 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2015-02-18 19:18 - 2015-02-18 19:18 - 00267632 _____ () C:\WINDOWS\system32\Drivers\aswVmm.sys
2015-02-18 19:18 - 2015-02-18 19:18 - 00116728 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStm.sys
2015-02-18 19:18 - 2015-02-18 19:18 - 00093568 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2015-02-18 19:18 - 2015-02-18 19:18 - 00087912 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswmonflt.sys
2015-02-18 19:18 - 2015-02-18 19:18 - 00065776 _____ () C:\WINDOWS\system32\Drivers\aswRvrt.sys
2015-02-18 19:18 - 2015-02-18 19:18 - 00043152 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2015-02-18 19:18 - 2015-02-18 19:18 - 00029208 _____ () C:\WINDOWS\system32\Drivers\aswHwid.sys
2015-02-18 19:17 - 2015-02-18 19:17 - 00000000 ____D () C:\Program Files\AVAST Software
2015-02-18 19:16 - 2015-02-18 19:17 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-02-18 18:52 - 2015-02-18 22:10 - 00005008 _____ () C:\zoek-results.log
2015-02-18 18:31 - 2015-02-19 20:55 - 01180512 _____ () C:\WINDOWS\PFRO.log
2015-02-18 18:31 - 2015-02-19 20:55 - 00000924 _____ () C:\WINDOWS\setupact.log
2015-02-18 18:31 - 2015-02-18 18:31 - 00000000 _____ () C:\WINDOWS\setuperr.log
2015-02-18 18:27 - 2014-12-31 11:14 - 00298120 ____N (Microsoft Corporation) C:\WINDOWS\system32\MpSigStub.exe
2015-02-18 18:26 - 2015-02-18 18:26 - 00001252 _____ () C:\Users\Amy Moore\Documents\cc_20150218_182607.reg
2015-02-18 18:25 - 2015-02-18 18:25 - 00014416 _____ () C:\Users\Amy Moore\Documents\cc_20150218_182527.reg
2015-02-18 18:25 - 2015-02-18 18:25 - 00001422 _____ () C:\Users\Amy Moore\Documents\cc_20150218_182547.reg
2015-02-18 18:24 - 2015-02-18 18:24 - 00506824 _____ () C:\Users\Amy Moore\Documents\cc_20150218_182433.reg
2015-02-18 18:02 - 2015-02-18 19:35 - 00001235 _____ () C:\WINDOWS\system32\InstallUtil.InstallLog
2015-02-18 17:24 - 2015-02-18 18:39 - 00065024 ___SH () C:\Users\Amy Moore\Documents\Thumbs.db
2015-02-18 17:19 - 2015-02-19 20:57 - 00129752 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-18 17:18 - 2015-02-18 17:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-18 17:18 - 2015-02-18 17:18 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-18 17:18 - 2015-02-18 17:18 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-18 17:18 - 2015-01-23 04:41 - 06041600 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-02-18 17:18 - 2015-01-23 03:17 - 04300800 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-02-18 17:18 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-02-18 17:18 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-02-18 17:18 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mbam.sys
2015-02-18 17:11 - 2015-02-18 17:11 - 00002780 _____ () C:\WINDOWS\System32\Tasks\CCleanerSkipUAC
2015-02-18 17:11 - 2015-02-18 17:11 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-02-18 17:11 - 2015-02-18 17:11 - 00000000 ____D () C:\Program Files\CCleaner
2015-02-13 15:50 - 2015-02-13 15:50 - 00000000 ____D () C:\Program Files (x86)\YouTube-Downloader
2015-02-13 13:29 - 2015-01-10 08:22 - 04175872 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-02-13 13:28 - 2015-01-15 22:43 - 00563504 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cng.sys
2015-02-13 13:28 - 2015-01-15 22:43 - 00177984 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ksecpkg.sys
2015-02-13 13:28 - 2015-01-14 04:22 - 00445440 _____ (Microsoft Corporation) C:\WINDOWS\system32\certcli.dll
2015-02-13 13:28 - 2015-01-14 03:53 - 00324096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\certcli.dll
2015-02-13 13:28 - 2014-12-19 08:57 - 00788680 _____ (Microsoft Corporation) C:\WINDOWS\system32\oleaut32.dll
2015-02-13 13:28 - 2014-12-19 08:25 - 00602776 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\oleaut32.dll
2015-02-13 13:28 - 2014-10-29 02:51 - 00154112 _____ (Microsoft Corporation) C:\WINDOWS\system32\msaudite.dll
2015-02-13 13:28 - 2014-10-29 02:50 - 00736768 _____ (Microsoft Corporation) C:\WINDOWS\system32\adtschema.dll
2015-02-13 13:28 - 2014-10-29 02:06 - 00736768 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\adtschema.dll
2015-02-13 13:28 - 2014-10-29 02:06 - 00154112 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msaudite.dll
2015-02-13 13:28 - 2014-10-29 01:31 - 01441792 _____ (Microsoft Corporation) C:\WINDOWS\system32\lsasrv.dll
2015-02-13 13:27 - 2015-01-13 22:11 - 01762840 _____ (Microsoft Corporation) C:\WINDOWS\system32\WindowsCodecs.dll
2015-02-13 13:27 - 2015-01-13 22:04 - 01489072 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\WindowsCodecs.dll
2015-02-13 13:27 - 2015-01-12 03:09 - 25056256 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-02-13 13:27 - 2015-01-12 02:25 - 19740160 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-02-13 13:27 - 2015-01-10 09:10 - 07472960 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-02-13 13:27 - 2015-01-10 09:10 - 01733440 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntdll.dll
2015-02-13 13:27 - 2015-01-10 08:28 - 01498360 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntdll.dll
2015-02-13 13:27 - 2015-01-10 07:00 - 00430080 _____ (Microsoft Corporation) C:\WINDOWS\system32\schannel.dll
2015-02-13 13:27 - 2015-01-10 06:38 - 00359424 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\schannel.dll
2015-02-13 13:27 - 2014-12-09 03:45 - 00393728 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\scesrv.dll
2015-02-13 13:27 - 2014-12-09 01:56 - 00538624 _____ (Microsoft Corporation) C:\WINDOWS\system32\scesrv.dll
2015-02-13 13:27 - 2014-12-08 23:12 - 00391526 _____ () C:\WINDOWS\system32\ApnDatabase.xml
2015-02-13 13:27 - 2014-10-29 02:02 - 00285184 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64.dll
2015-02-13 13:27 - 2014-10-29 02:02 - 00013312 _____ (Microsoft Corporation) C:\WINDOWS\system32\wow64cpu.dll
2015-02-13 13:27 - 2014-10-29 01:57 - 00016896 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntvdm64.dll
2015-02-13 13:27 - 2014-10-29 01:15 - 00014336 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ntvdm64.dll
2015-02-13 13:27 - 2014-10-29 01:15 - 00005632 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wow32.dll
2015-02-13 13:27 - 2014-10-29 01:14 - 00004096 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\user.exe
2015-02-13 13:27 - 2014-10-29 01:13 - 00025600 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\setup16.exe
2015-02-13 13:27 - 2014-10-29 01:13 - 00008704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\instnm.exe
2015-02-13 13:26 - 2015-01-12 02:48 - 02885632 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-02-13 13:26 - 2015-01-12 02:48 - 00584192 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-02-13 13:26 - 2015-01-12 02:47 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\MshtmlDac.dll
2015-02-13 13:26 - 2015-01-12 02:34 - 00816128 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-02-13 13:26 - 2015-01-12 02:21 - 00490496 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtmsft.dll
2015-02-13 13:26 - 2015-01-12 02:08 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-02-13 13:26 - 2015-01-12 02:07 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-02-13 13:26 - 2015-01-12 02:05 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2015-02-13 13:26 - 2015-01-12 02:02 - 02277888 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-02-13 13:26 - 2015-01-12 01:58 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-02-13 13:26 - 2015-01-12 01:55 - 00664064 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-02-13 13:26 - 2015-01-12 01:51 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-02-13 13:26 - 2015-01-12 01:48 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-02-13 13:26 - 2015-01-12 01:48 - 00718848 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-02-13 13:26 - 2015-01-12 01:48 - 00374272 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2015-02-13 13:26 - 2015-01-12 01:46 - 02125824 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-02-13 13:26 - 2015-01-12 01:45 - 00418304 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtmsft.dll
2015-02-13 13:26 - 2015-01-12 01:43 - 14401024 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-02-13 13:26 - 2015-01-12 01:34 - 00128000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iepeers.dll
2015-02-13 13:26 - 2015-01-12 01:30 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-02-13 13:26 - 2015-01-12 01:27 - 02865152 _____ (Microsoft Corporation) C:\WINDOWS\system32\actxprxy.dll
2015-02-13 13:26 - 2015-01-12 01:27 - 02358272 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-02-13 13:26 - 2015-01-12 01:25 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-02-13 13:26 - 2015-01-12 01:23 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-02-13 13:26 - 2015-01-12 01:23 - 00688640 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-02-13 13:26 - 2015-01-12 01:23 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-02-13 13:26 - 2015-01-12 01:14 - 12829184 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-02-13 13:26 - 2015-01-12 01:14 - 01548288 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-02-13 13:26 - 2015-01-12 01:02 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-02-13 13:26 - 2015-01-12 01:00 - 01888256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-02-13 13:26 - 2015-01-12 00:56 - 01307136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-02-13 13:26 - 2015-01-12 00:55 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-02-13 13:25 - 2015-02-03 23:38 - 00227328 _____ (Microsoft Corporation) C:\WINDOWS\system32\aepdu.dll
2015-02-13 13:25 - 2015-02-03 23:08 - 00761856 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2015-02-13 13:25 - 2015-02-03 23:08 - 00414208 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2015-02-13 13:25 - 2015-02-02 23:11 - 01098752 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2015-02-13 13:25 - 2015-02-02 23:11 - 00894464 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-02-13 13:25 - 2015-02-02 23:11 - 00609280 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2015-02-13 13:25 - 2015-01-19 18:42 - 01487976 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2015-02-10 19:04 - 2015-02-10 19:04 - 00005012 _____ () C:\WINDOWS\wauctla.InstallState
2015-02-10 19:04 - 2015-02-10 19:04 - 00000522 _____ () C:\WINDOWS\wauctla.InstallLog
2015-02-03 19:38 - 2015-02-19 17:29 - 00000000 ____D () C:\ProgramData\Windows VXM
2015-02-03 19:38 - 2015-02-03 19:38 - 00000000 ____D () C:\Program Files (x86)\Windows Network Accelerater
2015-02-03 19:36 - 2015-02-16 16:44 - 00000000 ____D () C:\ProgramData\Optimizer
2015-02-03 19:23 - 2015-02-18 21:09 - 00000000 ____D () C:\Users\Amy Moore\AppData\Roaming\Firefoxboosterweb
2015-02-03 19:23 - 2015-02-03 19:23 - 00035832 _____ () C:\WINDOWS\system32\Drivers\bsdriver.sys
2015-02-03 19:20 - 2015-02-03 19:20 - 00000000 ____D () C:\3c7f8c47-ca50-45eb-9295-f8ff12d843fd
2015-02-03 19:19 - 2015-02-03 19:19 - 00000000 ____D () C:\3e260b93-a52a-43b3-b44d-0ae70d3ef0cf
2015-02-03 19:18 - 2015-02-03 19:18 - 00000000 ____D () C:\bbd8b063-1850-4261-9108-1e14800cf173

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-19 20:55 - 2014-12-08 21:50 - 00000000 ___RD () C:\Users\Amy Moore\OneDrive
2015-02-19 20:55 - 2013-08-22 14:45 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-19 20:54 - 2014-12-08 21:44 - 01694311 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-19 20:54 - 2014-09-05 18:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\free-for-download bundle
2015-02-19 20:14 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\Help
2015-02-19 20:03 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\system32\sru
2015-02-19 19:04 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\Cursors
2015-02-19 17:53 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\WinStore
2015-02-19 17:40 - 2014-12-08 21:26 - 00000000 ____D () C:\Users\Amy Moore
2015-02-19 17:30 - 2013-08-22 15:36 - 00000000 ___HD () C:\WINDOWS\system32\GroupPolicy
2015-02-19 17:30 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\SysWOW64\GroupPolicy
2015-02-19 17:29 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\Resources
2015-02-19 17:17 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\ADFS
2015-02-19 10:04 - 2014-09-05 18:31 - 00003598 _____ () C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-781177400-2606171948-1399550050-1001
2015-02-19 02:51 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\rescache
2015-02-18 22:18 - 2014-08-17 19:36 - 00000000 ____D () C:\Users\Amy Moore\AppData\Local\CrashDumps
2015-02-18 22:16 - 2014-08-17 19:04 - 00000000 ____D () C:\Users\Amy Moore\AppData\Local\Google
2015-02-18 22:16 - 2014-08-17 19:04 - 00000000 ____D () C:\Program Files (x86)\Google
2015-02-18 22:15 - 2014-08-17 19:04 - 00003890 _____ () C:\WINDOWS\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-18 22:12 - 2014-10-01 16:47 - 00000000 ____D () C:\Users\Amy Moore\AppData\Roaming\Spotify
2015-02-18 21:09 - 2013-11-29 20:14 - 00000000 ____D () C:\Program Files (x86)\Bluetooth Suite
2015-02-18 19:27 - 2014-11-22 22:09 - 00000000 ____D () C:\Program Files (x86)\Opera
2015-02-18 19:20 - 2014-10-26 21:10 - 00000000 ____D () C:\Users\Amy Moore\AppData\Local\Windows Live
2015-02-18 19:06 - 2014-12-29 17:42 - 00000000 ____D () C:\ProgramData\internethelper_antiphishing
2015-02-18 18:44 - 2013-08-22 13:25 - 00262144 ___SH () C:\WINDOWS\system32\config\BBI
2015-02-18 18:39 - 2013-08-22 13:25 - 00262144 ___SH () C:\WINDOWS\system32\config\ELAM
2015-02-18 18:38 - 2014-06-05 19:10 - 02816512 ___SH () C:\Users\Amy Moore\Downloads\Thumbs.db
2015-02-18 18:31 - 2013-11-29 20:32 - 00000000 ____D () C:\ProgramData\Norton
2015-02-18 18:31 - 2012-07-26 08:12 - 00000000 ___HD () C:\WINDOWS\ELAMBKUP
2015-02-18 18:03 - 2013-08-22 15:36 - 00000000 ____D () C:\WINDOWS\AppReadiness
2015-02-18 17:59 - 2013-11-29 20:21 - 00000000 ____D () C:\ProgramData\Temp
2015-02-18 17:53 - 2014-10-01 16:53 - 00000000 ____D () C:\Users\Amy Moore\AppData\Local\Spotify
2015-02-18 17:47 - 2013-11-29 20:09 - 00000000 ____D () C:\Program Files (x86)\Bonjour
2015-02-18 17:15 - 2012-07-26 07:59 - 00000000 ____D () C:\WINDOWS\CbsTemp
2015-02-18 17:14 - 2014-12-08 21:15 - 00000000 ___DC () C:\WINDOWS\Panther
2015-02-18 17:14 - 2012-07-26 05:26 - 00000155 _____ () C:\WINDOWS\win.ini
2015-02-16 14:24 - 2014-09-10 18:34 - 00248328 _____ () C:\WINDOWS\system32\ScanResults.xml
2015-02-16 14:17 - 2014-10-07 06:08 - 00000464 _____ () C:\WINDOWS\system32\ScannerSettings
2015-02-13 16:12 - 2013-08-22 14:44 - 00337808 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-02-13 15:57 - 2014-08-31 12:04 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-02-13 15:51 - 2014-08-31 12:04 - 116773704 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-02-13 15:49 - 2014-12-12 07:02 - 00000000 ____D () C:\WINDOWS\system32\appraiser
2015-02-13 15:49 - 2014-09-24 18:55 - 00000000 ___SD () C:\WINDOWS\system32\CompatTel
2015-02-13 12:57 - 2014-09-24 16:21 - 00958356 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
2015-02-03 19:31 - 2014-09-24 19:00 - 00714720 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-02-03 19:31 - 2014-09-24 19:00 - 00106976 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2014-10-23 16:57 - 2014-10-23 16:57 - 0000010 _____ () C:\Users\Amy Moore\AppData\Local\DSI.DAT

Some content of TEMP:
====================
C:\Users\Amy Moore\AppData\Local\Temp\Quarantine.exe
C:\Users\Amy Moore\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-02-19 18:40

==================== End Of Log ============================

Very grateful for any help.
RussJH
Active Member
 
Posts: 12
Joined: February 19th, 2015, 5:04 pm
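The Addition.txt listing above is what a helper reads by eye. As an added example (not part of RussJH's post and not FRST's own code), here is a small Python triage script that parses the same FRST line format and flags the kinds of entries the rest of the thread ends up removing: a .sys file with no publisher string in system32\Drivers, GUID-named folders created directly in the drive root, and anything created within a short window of a flagged item (bundled installers drop their payloads together). The six sample lines are copied from the log; the 30-minute window, the heuristics and the function names are assumptions for illustration.

```python
"""Triage FRST "Created/Modified Files and Folders" lines.

Added example for this thread; not part of the forum post or of FRST.
FRST prints each entry as:

    <created> - <modified> - <size> <flags> (<company>) <path>

The heuristics below (no-publisher driver, GUID-named root folder, created
in the same window as a flagged item) are assumptions, not FRST rules.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<flags>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)
TIME_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: datetime
    modified: datetime
    size: int
    flags: str      # FRST attribute flags, e.g. "____D" for a directory
    company: str    # publisher from the version resource; empty when absent
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.flags


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST file/folder line; return None for headers and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        created=datetime.strptime(m["created"], TIME_FMT),
        modified=datetime.strptime(m["modified"], TIME_FMT),
        size=int(m["size"]),
        flags=m["flags"],
        company=m["company"].strip(),
        path=m["path"].strip(),
    )


def triage(lines: Iterable[str],
           window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries that deserve a human look."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    findings: List[Tuple[str, str]] = []
    for e in entries:
        low = e.path.lower()
        # A kernel driver with no publisher string in system32\Drivers.
        if low.endswith(".sys") and "\\system32\\drivers\\" in low and not e.company:
            findings.append((e.path, "no-publisher-driver"))
        # A GUID-named folder directly in the drive root (C:\<guid>).
        parts = e.path.split("\\")
        if e.is_dir and len(parts) == 2 and GUID_RE.match(parts[1]):
            findings.append((e.path, "guid-root-dir"))
    # Second pass: anything created close in time to an already flagged item.
    flagged = {path for path, _ in findings}
    flagged_times = [e.created for e in entries if e.path in flagged]
    for e in entries:
        if e.path in flagged:
            continue
        if any(abs(e.created - t) <= window for t in flagged_times):
            findings.append((e.path, "same-install-window"))
    return findings


# Sample lines copied from the Addition.txt log in this thread.
SAMPLE_LOG = r"""
2015-02-13 13:25 - 2015-01-19 18:42 - 01487976 _____ (Microsoft Corporation) C:\WINDOWS\system32\sppobjs.dll
2015-02-03 19:38 - 2015-02-03 19:38 - 00000000 ____D () C:\Program Files (x86)\Windows Network Accelerater
2015-02-03 19:36 - 2015-02-16 16:44 - 00000000 ____D () C:\ProgramData\Optimizer
2015-02-03 19:23 - 2015-02-03 19:23 - 00035832 _____ () C:\WINDOWS\system32\Drivers\bsdriver.sys
2015-02-03 19:20 - 2015-02-03 19:20 - 00000000 ____D () C:\3c7f8c47-ca50-45eb-9295-f8ff12d843fd
2015-02-03 19:18 - 2015-02-03 19:18 - 00000000 ____D () C:\bbd8b063-1850-4261-9108-1e14800cf173
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"{reason:22} {path}")
```

On the six sample lines this flags bsdriver.sys, the two GUID folders, and then Optimizer and "Windows Network Accelerater" because they were created within minutes of those; the Microsoft-signed sppobjs.dll from ten days later is left alone. Feeding it the full "One Month Created" section of a real Addition.txt gives a short list to look at first rather than a replacement for reading the log.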

Re: Cant get rid of ads

Unread postby Cypher » February 20th, 2015, 12:04 pm

Hi and welcome to Malware Removal Forum.
My name is Cypher, and I will be helping you with your malware problems.
This may or may not, solve other issues you have with your machine.
If you no longer require help I would be grateful if you would let me know.

Before we start please note the following important guidelines.
  • If you don't know or understand something, please don't hesitate to ask.
  • Only post your problem at One help site. Applying fixes from multiple help sites can cause problems.
  • Only reply to this thread, do not start another. Please continue responding until I give you the "All Clean".
    Remember, absence of symptoms does not mean the infection is all gone.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • Please DO NOT install any other software (or hardware) during the cleaning process.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start


Please click on THIS link, and follow the instructions for installing TCRB and creating a backup of your Registry.

Next.

Quick question before we continue...
It appears that your computer is connected to a server in Israel, is this something you're aware of?
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Cant get rid of ads

Unread postby RussJH » February 20th, 2015, 12:34 pm

Many thanks for the reply.

Wasn't aware of that unless it's part of my internet access via my ISP

Registry is backed up !
RussJH
Active Member
 
Posts: 12
Joined: February 19th, 2015, 5:04 pm

Re: Cant get rid of ads

Unread postby RussJH » February 20th, 2015, 12:41 pm

Yes, I can see now in the network connection that the DNS servers have been modified, when they should be obtained automatically.
RussJH
Active Member
 
Posts: 12
Joined: February 19th, 2015, 5:04 pm

Re: Cant get rid of ads

Unread postby Cypher » February 20th, 2015, 12:59 pm

Hi,
Wasn't aware of that unless it's part of my internet access via my ISP

No problem we can take care of it.

We need to run a fix, then I need you to run further scans for me.
Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections.
Important: Save all tools I ask you to download to your Desktop, if you don't know how to do this just ask.



Uninstall programs

  • From the top or bottom right corner... a widget panel appears, select Settings.
  • Select, click Control Panel to open.
  • Depending on your current view setting ...
    • Double click on Programs and Features.
      or
    • Under Programs, click on Uninstall a program.
  • Locate the following program(s):
    UnknownFile
    CloudScout Parental Control
  • Select the program and click on Uninstall to uninstall it.
    Carefully read any prompts...
    Some uninstallers prompt in a way to trick you into keeping the program, sometimes, preventing them from being uninstalled again!
  • Repeat steps 4 - 5 for each program in the list. When finished... Close the Control Panel window.

Next.

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy and Paste the following script into Notepad, Do not include the words Code: select all
    • (Click the select all button next to code to select the entire script).
    Code: Select all
    ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
    ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
    ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
    ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
    HKU\S-1-5-21-781177400-2606171948-1399550050-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\.DEFAULT -> {e4a1ece8-ed94-4f93-80ea-75f978ceaf24} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    Tcpip\..\Interfaces\{D777DB8B-8712-478D-A609-4B68C8BA387F}: [NameServer] 81.218.119.15,199.203.35.75
    S2 csrcc; "C:\Program Files\shopperz\csrcc.exe" [X]
    C:\Users\Amy Moore\AppData\Local\Temp\Quarantine.exe
    C:\Users\Amy Moore\AppData\Local\Temp\sqlite3.dll
    CloudScout (x32 Version: 1.0.0.1 - www.CloudGuard.me ) Hidden <==== ATTENTION
    CloudScout Parental Control version 1.2 (HKLM-x32\...\{E1527582-8509-4011-B922-29E3FB548882}_is1) (Version: 1.2 - www.CloudGuard.me ) <==== ATTENTION
    Task: {0F4A6671-57B0-4F47-BB6B-58808C5EE141} - \SmartWeb Upgrade Trigger Task No Task File <==== ATTENTION
    Task: {541DC967-776C-458B-898C-129A3ABA298F} - \PC Performer Scheduled Scan No Task File <==== ATTENTION
    Task: {5DD04F7D-1718-4DF5-B219-12F9F7B8378F} - \CloudScout No Task File <==== ATTENTION
    Task: {D2BCEEE6-F2D6-49AE-B36E-2CC676050B95} - \avaxvavya No Task File <==== ATTENTION
    Task: {E4033048-298B-4002-A4E1-46C3B66B94F2} - \PC Performer Logon Scan No Task File <==== ATTENTION
    AlternateDataStreams: C:\WINDOWS\system32\msln.exe:79835b2d22ddc265ef3d87b1eea2a426
    AlternateDataStreams: C:\ProgramData\Temp:373E1720
    AlternateDataStreams: C:\Users\Amy Moore\OneDrive:ms-propertie
    
    EmptyTemp:
    CMD: ipconfig /flushdns
    
  • Save it next to FRST.exe to your Downloads folder as filename fixlist.txt
  • NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are saved in the same location or the fix will not work.
  • Right-click FRST.exe and select " Run as administrator " to run it.
  • Press the Fix button just once. Then wait.
  • When finished, it will create a Fixlog.txt log on your Desktop.
  • Please post the content of the Fixlog.txt in your next reply.

Next.

Now do what you did previously and uninstall this which was hidden.
CloudScout


Next.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Right click on adwcleaner.exe and select " Run as administrator " to run it.
  • Click on Scan.
  • When the scan has finished, uncheck any entries you don't want to remove, then click on Clean.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Logs/Information to Post in your Next Reply

  • FRST Fixlog.txt.
  • AdwCleaner log.
  • Please give me an update on your computers performance.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
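The fixlist above removes a statically set NameServer (the point Cypher raised earlier about the machine talking to servers abroad), a service whose binary FRST marks with [X], scheduled tasks with no task file, and alternate data streams. As an added example (not Cypher's code and not part of FRST), the following Python script reads those same FRST line shapes and turns them into a list of findings, so the DNS question can be settled against an allowlist of expected resolvers instead of by eye. The allowlist, the DhcpNameServer line and the R2 service line are constructed for the example; the other sample lines are copied from the fixlist.

```python
"""Triage the configuration lines FRST reports: DNS, services, tasks, ADS.

Added example for this thread; not part of the forum post or of FRST.
It flags:
  * an interface with a static [NameServer] that is neither allowlisted
    nor a private (LAN) address;
  * a service whose image file FRST could not find ([X]);
  * a scheduled task whose task file is gone ("No Task File");
  * an alternate data stream, with streams on executables ranked apart.
The allowlist and the two lines marked constructed are assumptions.
"""
import ipaddress
import re
from typing import Iterable, List, Set, Tuple

NAMESERVER_RE = re.compile(
    r"^Tcpip\\\.\.\\Interfaces\\(?P<iface>\{[0-9A-Fa-f-]+\}): "
    r"\[(?P<key>\w+)\] (?P<servers>.+)$"
)
SERVICE_RE = re.compile(r"^(?P<state>[SRU])(?P<start>\d) (?P<name>[^;]+); (?P<rest>.+)$")
TASK_RE = re.compile(r"^Task: (?P<id>\{[0-9A-Fa-f-]+\}) - (?P<rest>.+)$")
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+):(?P<stream>[^:\\]+)$")
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")

Finding = Tuple[str, str]   # (kind, detail)


def _trusted_resolver(server: str, allowed: Set[str]) -> bool:
    """A resolver is trusted if allowlisted or on a private (LAN) range."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False
    return server in allowed or ip.is_private


def triage_config(lines: Iterable[str], allowed_dns: Set[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = NAMESERVER_RE.match(line)
        if m:
            # Only the static [NameServer] value is under the attacker's (or
            # operator's) control; DHCP-assigned resolvers are a separate key.
            if m["key"] == "NameServer":
                bad = [s.strip() for s in m["servers"].split(",")
                       if not _trusted_resolver(s.strip(), allowed_dns)]
                if bad:
                    findings.append(("static-dns-unexpected",
                                     f"{m['iface']} {','.join(bad)}"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m["rest"].endswith("[X]"):      # FRST: image file not found
                findings.append(("service-missing-file", m["name"]))
            continue
        m = TASK_RE.match(line)
        if m:
            if "No Task File" in m["rest"]:
                name = m["rest"].split(" No Task File")[0].lstrip("\\")
                findings.append(("task-orphaned", name))
            continue
        m = ADS_RE.match(line)
        if m:
            kind = ("ads-on-executable"
                    if m["path"].lower().endswith(EXECUTABLE_EXT) else "ads")
            findings.append((kind, f"{m['path']}:{m['stream']}"))
    return findings


# Lines from the fixlist in this thread, plus two constructed "healthy" lines
# (the DhcpNameServer entry and the R2 service) to show what is not flagged.
SAMPLE = r"""
Tcpip\..\Interfaces\{D777DB8B-8712-478D-A609-4B68C8BA387F}: [NameServer] 81.218.119.15,199.203.35.75
Tcpip\..\Interfaces\{D777DB8B-8712-478D-A609-4B68C8BA387F}: [DhcpNameServer] 192.168.1.254
S2 csrcc; "C:\Program Files\shopperz\csrcc.exe" [X]
R2 ExampleSvc; C:\Program Files\Example\examplesvc.exe [12345 2015-01-01] (Example Corp)
Task: {541DC967-776C-458B-898C-129A3ABA298F} - \PC Performer Scheduled Scan No Task File <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\system32\msln.exe:79835b2d22ddc265ef3d87b1eea2a426
AlternateDataStreams: C:\Users\Amy Moore\OneDrive:ms-propertie
"""
# Constructed allowlist: the resolvers this network is expected to use.
ALLOWED_DNS = {"8.8.8.8", "8.8.4.4"}

if __name__ == "__main__":
    for kind, detail in triage_config(SAMPLE.splitlines(), ALLOWED_DNS):
        print(f"{kind:22} {detail}")
```

The static-DNS check is the one worth keeping around after the cleanup: if the same interface shows a [NameServer] value again later, the adware has been re-installed or something is still re-writing the setting, which is exactly the "keeps returning" symptom this thread is about.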

Re: Cant get rid of ads

Unread postby RussJH » February 20th, 2015, 1:56 pm

Initially nothing to uninstall in Control Panel, I had already done this with my previous attempts at cleaning. After FRST I uninstalled CloudScout, which had appeared in Control Panel.

I am still getting the following on Malwarebytes scan :

PUP.Optional.Shopperz.A in C;\Windows\system32\drivers\bsdrivers.sys
PUP.Optional.Shopperz.A in HKLM\SOFTWARE\shopperz
PUP.Optional.Shopperz.A in HKLM\SOFTWARE\WOW6432NODE\shopperz

However the browser appears to be back to normal



Logs requested below :

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-02-2015 01
Ran by Amy Moore at 2015-02-20 17:26:19 Run:1
Running from C:\Users\Amy Moore\Desktop\frst
Loaded Profiles: Amy Moore (Available profiles: Amy Moore & Administrator)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
HKU\S-1-5-21-781177400-2606171948-1399550050-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {e4a1ece8-ed94-4f93-80ea-75f978ceaf24} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Tcpip\..\Interfaces\{D777DB8B-8712-478D-A609-4B68C8BA387F}: [NameServer] 81.218.119.15,199.203.35.75
S2 csrcc; "C:\Program Files\shopperz\csrcc.exe" [X]
C:\Users\Amy Moore\AppData\Local\Temp\Quarantine.exe
C:\Users\Amy Moore\AppData\Local\Temp\sqlite3.dll
CloudScout (x32 Version: 1.0.0.1 - www.CloudGuard.me ) Hidden <==== ATTENTION
CloudScout Parental Control version 1.2 (HKLM-x32\...\{E1527582-8509-4011-B922-29E3FB548882}_is1) (Version: 1.2 - www.CloudGuard.me ) <==== ATTENTION
Task: {0F4A6671-57B0-4F47-BB6B-58808C5EE141} - \SmartWeb Upgrade Trigger Task No Task File <==== ATTENTION
Task: {541DC967-776C-458B-898C-129A3ABA298F} - \PC Performer Scheduled Scan No Task File <==== ATTENTION
Task: {5DD04F7D-1718-4DF5-B219-12F9F7B8378F} - \CloudScout No Task File <==== ATTENTION
Task: {D2BCEEE6-F2D6-49AE-B36E-2CC676050B95} - \avaxvavya No Task File <==== ATTENTION
Task: {E4033048-298B-4002-A4E1-46C3B66B94F2} - \PC Performer Logon Scan No Task File <==== ATTENTION
AlternateDataStreams: C:\WINDOWS\system32\msln.exe:79835b2d22ddc265ef3d87b1eea2a426
AlternateDataStreams: C:\ProgramData\Temp:373E1720
AlternateDataStreams: C:\Users\Amy Moore\OneDrive:ms-propertie

EmptyTemp:
CMD: ipconfig /flushdns
*****************

"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => Key deleted successfully.
"HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}" => Key deleted successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"HKU\S-1-5-21-781177400-2606171948-1399550050-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{e4a1ece8-ed94-4f93-80ea-75f978ceaf24}" => Key deleted successfully.
HKCR\CLSID\{e4a1ece8-ed94-4f93-80ea-75f978ceaf24} => Key not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{D777DB8B-8712-478D-A609-4B68C8BA387F}\\NameServer => value deleted successfully.
csrcc => Error deleting Service
"C:\Users\Amy Moore\AppData\Local\Temp\Quarantine.exe" => File/Directory not found.
"C:\Users\Amy Moore\AppData\Local\Temp\sqlite3.dll" => File/Directory not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C17C9130-FA89-41BA-A52A-171E0D1F5CBC}\\SystemComponent => value deleted successfully.
CloudScout Parental Control version 1.2 (HKLM-x32\...\{E1527582-8509-4011-B922-29E3FB548882}_is1) (Version: 1.2 - www.CloudGuard.me ) <==== ATTENTION => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F4A6671-57B0-4F47-BB6B-58808C5EE141} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SmartWeb Upgrade Trigger Task => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{541DC967-776C-458B-898C-129A3ABA298F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{541DC967-776C-458B-898C-129A3ABA298F}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PC Performer Scheduled Scan" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DD04F7D-1718-4DF5-B219-12F9F7B8378F} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CloudScout => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D2BCEEE6-F2D6-49AE-B36E-2CC676050B95}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D2BCEEE6-F2D6-49AE-B36E-2CC676050B95}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avaxvavya" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E4033048-298B-4002-A4E1-46C3B66B94F2}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E4033048-298B-4002-A4E1-46C3B66B94F2}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PC Performer Logon Scan" => Key deleted successfully.
C:\WINDOWS\system32\msln.exe => ":79835b2d22ddc265ef3d87b1eea2a426" ADS removed successfully.
C:\ProgramData\Temp => ":373E1720" ADS removed successfully.
"C:\Users\Amy Moore\OneDrive" => ":ms-propertie" ADS not found.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

EmptyTemp: => Removed 98.9 MB temporary data.


The system needed a reboot.

==== End of Fixlog 17:26:26 ====
# AdwCleaner v4.111 - Logfile created 20/02/2015 at 17:37:15
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Server]
# Operating system : Windows 8.1 (x64)
# Username : Amy Moore - AMYSPC
# Running from : C:\Users\Amy Moore\Desktop\frst\adwcleaner_4.111.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : csrcc

***** [ Files / Folders ] *****

File Deleted : C:\WINDOWS\System32\drivers\bsdriver.sys

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Google Chrome v40.0.2214.115


-\\ Opera v0.0.0.0


*************************

AdwCleaner[R0].txt - [7401 bytes] - [19/02/2015 20:51:15]
AdwCleaner[R1].txt - [1219 bytes] - [19/02/2015 22:09:57]
AdwCleaner[R2].txt - [1015 bytes] - [20/02/2015 17:34:59]
AdwCleaner[S0].txt - [7527 bytes] - [19/02/2015 20:54:17]
AdwCleaner[S1].txt - [952 bytes] - [20/02/2015 17:37:15]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1010 bytes] ##########
RussJH
Active Member
 
Posts: 12
Joined: February 19th, 2015, 5:04 pm

Re: Cant get rid of ads

Unread postby Cypher » February 20th, 2015, 2:08 pm

Hi,
I am still getting the following on Malwarebytes scan :

PUP.Optional.Shopperz.A in C;\Windows\system32\drivers\bsdrivers.sys
PUP.Optional.Shopperz.A in HKLM\SOFTWARE\shopperz
PUP.Optional.Shopperz.A in HKLM\SOFTWARE\WOW6432NODE\shopperz

AdwCleaner should have taken care of one of those.
File Deleted : C:\WINDOWS\System32\drivers\bsdriver.sys

Run MBAM again and let it remove them.
However the browser appears to be back to normal

That's good to hear.

I need you to run another scan for me please, this will check for any "leftovers".

ESET online scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scanner
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • When prompted allow the Add-On/Active X to install.
  • Click on Run ESET Online Scanner, then select the option YES, I accept the Terms of Use, then click Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on Start.
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Cant get rid of ads

Unread postby RussJH » February 20th, 2015, 3:41 pm

C:\3c7f8c47-ca50-45eb-9295-f8ff12d843fd\InstallerHelper.dll Win32/Bundlore.Q potentially unwanted application
C:\3e260b93-a52a-43b3-b44d-0ae70d3ef0cf\InstallerHelper.dll Win32/Bundlore.Q potentially unwanted application
C:\bbd8b063-1850-4261-9108-1e14800cf173\InstallerHelper.dll Win32/Bundlore.Q potentially unwanted application
C:\Program Files (x86)\Bonjour\b10a0213-acef-4521-99fa-0d6aa48db07e.dll a variant of Win32/Toolbar.CrossRider.BM potentially unwanted application
C:\ProgramData\Optimizer\program\winapp_Test002.exe a variant of Win32/Agent.WMC trojan
C:\ProgramData\Windows VXM\program\flash_update.exe a variant of Win32/DownloadAdmin.I potentially unwanted application
C:\Users\All Users\Optimizer\program\winapp_Test002.exe a variant of Win32/Agent.WMC trojan
C:\Users\All Users\Windows VXM\program\flash_update.exe a variant of Win32/DownloadAdmin.I potentially unwanted application
C:\Users\Amy Moore\AppData\Roaming\New Version Available\PowerSoundEditorFree.exe Win32/Tsingsoft.A potentially unwanted application
D:\Power Sound Editor Free\goup.exe Win32/Tsingsoft.A potentially unwanted application
RussJH
Active Member
 
Posts: 12
Joined: February 19th, 2015, 5:04 pm

Re: Cant get rid of ads

Unread postby RussJH » February 20th, 2015, 4:36 pm

These keep returning despite removal by Malwarebytes


PUP.Optional.Shopperz.A in C;\Windows\system32\drivers\bsdrivers.sys
PUP.Optional.Shopperz.A in HKLM\SOFTWARE\shopperz
PUP.Optional.Shopperz.A in HKLM\SOFTWARE\WOW6432NODE\shopperz
RussJH
Active Member
 
Posts: 12
Joined: February 19th, 2015, 5:04 pm

Re: Cant get rid of ads

Unread postby Cypher » February 21st, 2015, 7:56 am

Hi,
These keep returning despite removal by Malwarebytes

OK, I need you to run a search for me.

  • Right-click FRST64.exe and select " Run as administrator " to run it.
  • When the tool opens click Yes to the disclaimer.
  • Copy and Paste the following script into the Search: box Do not include the words Code: select all
  • (Click the select all button next to code to select the entire script).
Code: Select all
Shopperz.A

  • Press the Search Registry button.
  • When finished searching a log will open on your Desktop ... Search.txt
  • Please post it in your next reply.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Cant get rid of ads

Unread postby RussJH » February 21st, 2015, 8:03 am

results :

Farbar Recovery Scan Tool (x64) Version: 18-02-2015 01
Ran by Amy Moore at 2015-02-21 12:02:34
Running from C:\Users\Amy Moore\Desktop\frst
Boot Mode: Normal

================== Search Registry: "Shopperz.A" ===========


====== End Of Search ======
RussJH
Active Member
 
Posts: 12
Joined: February 19th, 2015, 5:04 pm

Re: Cant get rid of ads

Unread postby RussJH » February 21st, 2015, 8:05 am

if I just search registry for Shopperz I get this

Farbar Recovery Scan Tool (x64) Version: 18-02-2015 01
Ran by Amy Moore at 2015-02-21 12:04:46
Running from C:\Users\Amy Moore\Desktop\frst
Boot Mode: Normal

================== Search Registry: "Shopperz" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}\LocalServer32]
""=""C:\Program Files\shopperz\grunt.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}\LocalServer32]
"ServerExecutable"="C:\Program Files\shopperz\grunt.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\LocalServer32]
""=""C:\Program Files\shopperz\csrcc.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\LocalServer32]
"ServerExecutable"="C:\Program Files\shopperz\csrcc.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
"shopperz"="0x020000000000000000000000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
"shopperz64"="0x020000000000000000000000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}\LocalServer32]
""=""C:\Program Files\shopperz\grunt.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}\LocalServer32]
"ServerExecutable"="C:\Program Files\shopperz\grunt.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\LocalServer32]
""=""C:\Program Files\shopperz\csrcc.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\LocalServer32]
"ServerExecutable"="C:\Program Files\shopperz\csrcc.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\csrcc]
"ImagePath"=""C:\Program Files\shopperz\csrcc.exe""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\csrcc]
"ImagePath"=""C:\Program Files\shopperz\csrcc.exe""
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\shopperz]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\shopperz\spdata.exe"="0x5341435001000000000000000700000028000000846814000000000001000000000000000000010600010000975FD891C99ECE0100000000000000000200000028000000000000008000000000000000000000000000000000000000540C0000000000000100000001000000"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\shopperz\wrex.exe"="0x5341435001000000000000000700000028000000889D0600D60F070001000000000000000000030671220000975FD891C99ECE01000000000000000002000000280000000000000000000000000000000000000000000000000000000F000000000000000100000001000000"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\shopperz\grunt.exe"="0x5341435001000000000000000700000028000000885B04008C5B040001000000000000000000030671220000975FD891C99ECE010000000000000000020000002800000000000000000000000000000000000000000000000000000030E50000000000000100000001000000"
[HKEY_USERS\.DEFAULT\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
"Name"="C:\Program Files\shopperz\wrex.exe"
[HKEY_USERS\S-1-5-19\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
"Name"="C:\Program Files\shopperz\wrex.exe"
[HKEY_USERS\S-1-5-20\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
"Name"="C:\Program Files\shopperz\wrex.exe"
[HKEY_USERS\S-1-5-21-781177400-2606171948-1399550050-1001\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-781177400-2606171948-1399550050-1001\Software\shopperz]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\shopperz]
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\shopperz\spdata.exe"="0x5341435001000000000000000700000028000000846814000000000001000000000000000000010600010000975FD891C99ECE0100000000000000000200000028000000000000008000000000000000000000000000000000000000540C0000000000000100000001000000"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\shopperz\wrex.exe"="0x5341435001000000000000000700000028000000889D0600D60F070001000000000000000000030671220000975FD891C99ECE01000000000000000002000000280000000000000000000000000000000000000000000000000000000F000000000000000100000001000000"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files\shopperz\grunt.exe"="0x5341435001000000000000000700000028000000885B04008C5B040001000000000000000000030671220000975FD891C99ECE010000000000000000020000002800000000000000000000000000000000000000000000000000000030E50000000000000100000001000000"
[HKEY_USERS\S-1-5-18\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
"Name"="C:\Program Files\shopperz\wrex.exe"

====== End Of Search ======
RussJH
Active Member
 
Posts: 12
Joined: February 19th, 2015, 5:04 pm

Re: Cant get rid of ads

Unread postby Cypher » February 21st, 2015, 9:13 am

Hi,
We need to run another fix, then I would like you to run another MBAM scan.
Let me know if MBAM still finds those entries.

Please download OTL by Old Timer and save it to your Desktop.

    • Right-click OTL.exe and select " Run as administrator " to run it.
    • Copy and Paste the following script into the textbox. Do not include the words Code: select all
    • (Click the select all button next to code to select the entire script).
      :reg
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}\LocalServer32]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\LocalServer32]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}\LocalServer32]
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\LocalServer32]
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
      "shopperz"=-
      [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\csrcc]
      [-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\shopperz]
      [-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
      [-HKEY_USERS\.DEFAULT\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
      [-HKEY_USERS\S-1-5-19\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
      [-HKEY_USERS\S-1-5-20\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
      [-HKEY_USERS\S-1-5-21-781177400-2606171948-1399550050-1001\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-781177400-2606171948-1399550050-1001\Software\shopperz]
      [-HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\shopperz]
      [-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
      [-HKEY_USERS\S-1-5-18\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}]
      
      :files
      C:\3c7f8c47-ca50-45eb-9295-f8ff12d843fd\InstallerHelper.dll 
      C:\3e260b93-a52a-43b3-b44d-0ae70d3ef0cf\InstallerHelper.dll 
      C:\bbd8b063-1850-4261-9108-1e14800cf173\InstallerHelper.dll 
      C:\Program Files (x86)\Bonjour\b10a0213-acef-4521-99fa-0d6aa48db07e.dll
      C:\ProgramData\Optimizer\program\winapp_Test002.exe 
      C:\ProgramData\Windows VXM\program\flash_update.exe
      C:\Users\All Users\Optimizer\program\winapp_Test002.exe
      C:\Users\All Users\Windows VXM\program\flash_update.exe
      C:\Users\Amy Moore\AppData\Roaming\New Version Available\PowerSoundEditorFree.exe
      C:\Program Files\shopperz
      C;\Windows\system32\drivers\bsdrivers.sys
      C\Windows\system32\drivers\bsdrivers.sys
      ipconfig /flushdns /c
      
      :commands
      [emptytemp]
      
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

    Next.

    Run Malwarebytes' Anti-Malware as you did previously.


    Logs/Information to Post in your Next Reply

    • OTL Fix log.
    • MBAM log.
    • Please give me an update on your computer's performance.
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns

Re: Cant get rid of ads

Unread postby RussJH » February 21st, 2015, 10:08 am

I am getting this on FRST64 registry search for Shopperz still:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
"shopperz"="0x020000000000000000000000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run]
"shopperz64"="0x020000000000000000000000"

The MBAM log is clear

OTL log:

All processes killed
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}\LocalServer32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\LocalServer32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}\LocalServer32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}\LocalServer32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\csrcc\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\shopperz\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}\ not found.
Registry key HKEY_USERS\S-1-5-19\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}\ not found.
Registry key HKEY_USERS\S-1-5-20\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}\ not found.
Registry key HKEY_USERS\S-1-5-21-781177400-2606171948-1399550050-1001\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-781177400-2606171948-1399550050-1001\Software\shopperz\ deleted successfully.
Registry key HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-18\Software\shopperz\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}\ not found.
========== FILES ==========
C:\3c7f8c47-ca50-45eb-9295-f8ff12d843fd\InstallerHelper.dll moved successfully.
C:\3e260b93-a52a-43b3-b44d-0ae70d3ef0cf\InstallerHelper.dll moved successfully.
C:\bbd8b063-1850-4261-9108-1e14800cf173\InstallerHelper.dll moved successfully.
C:\Program Files (x86)\Bonjour\b10a0213-acef-4521-99fa-0d6aa48db07e.dll moved successfully.
C:\ProgramData\Optimizer\program\winapp_Test002.exe moved successfully.
C:\ProgramData\Windows VXM\program\flash_update.exe moved successfully.
File\Folder C:\Users\All Users\Optimizer\program\winapp_Test002.exe not found.
File\Folder C:\Users\All Users\Windows VXM\program\flash_update.exe not found.
C:\Users\Amy Moore\AppData\Roaming\New Version Available\PowerSoundEditorFree.exe moved successfully.
File\Folder C:\Program Files\shopperz not found.
File\Folder C;\Windows\system32\drivers\bsdrivers.sys not found.
File\Folder C\Windows\system32\drivers\bsdrivers.sys not found.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Amy Moore\Desktop\frst\cmd.bat deleted successfully.
C:\Users\Amy Moore\Desktop\frst\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Amy

User: Amy Moore
->Temp folder emptied: 2531826 bytes
->Temporary Internet Files folder emptied: 17041713 bytes
->Google Chrome cache emptied: 53626362 bytes
->Flash cache emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default.migrated

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 421536 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 70.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 02212015_133343

Files\Folders moved on Reboot...
C:\Users\Amy Moore\AppData\Local\Microsoft\Windows\INetCache\Low\IE\SUOARY6V\7407185e[1].htm moved successfully.
C:\Users\Amy Moore\AppData\Local\Microsoft\Windows\INetCache\Low\IE\SUOARY6V\viewtopic[3].htm moved successfully.
C:\Users\Amy Moore\AppData\Local\Microsoft\Windows\INetCache\Low\IE\6PXQZYUW\online-scanner[1].htm moved successfully.
C:\Users\Amy Moore\AppData\Local\Microsoft\Windows\INetCache\Low\AntiPhishing\4A72F430-B40C-4D36-A068-CE33ADA5ADF9.dat moved successfully.
C:\Users\Amy Moore\AppData\Local\Microsoft\Windows\INetCache\Low\MSIMGSIZ.DAT moved successfully.
C:\Users\Amy Moore\AppData\Local\Microsoft\Windows\INetCache\Low\SuggestedSites.dat moved successfully.
C:\Users\Amy Moore\AppData\Local\Microsoft\Windows\INetCache\counters.dat moved successfully.
File move failed. C:\WINDOWS\temp\_avast_\AvastLock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
RussJH
Active Member
 
Posts: 12
Joined: February 19th, 2015, 5:04 pm

Re: Cant get rid of ads

Unread postby Cypher » February 21st, 2015, 12:00 pm

Hi,
> The MBAM log is clear

Good.

> I am getting this on FRST64 registry search for Shopperz still:

OTL couldn't find those; let's check to see if they are still there using a different search.

Please download SystemLook from the link below and save it to your Desktop.

For 64 bit Systems

  • Right-click SystemLook.exe and select " Run as administrator " to run it.
  • Copy and paste the content of the following codebox into the main textfield: Do not include the words Code: select all
  • (Click the select all button next to code to select the entire script).
    :Regfind
    Shopperz

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Cypher
Admin/Teacher
 
Posts: 15148
Joined: October 29th, 2008, 12:49 pm
Location: Land Of The Leprechauns
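The thread is at the point where one tool (OTL) reports a key as not found while another (FRST) still lists it, and the next step is to re-check with a different search. The following PowerShell script is an added example, not part of the thread and not code from FRST, OTL or SystemLook: a read-only audit of the same persistence points FRST reported for the adware, so a helper can confirm or rule out remnants after a fix without deleting anything. The marker string "shopperz", the two CLSIDs and the per-user key paths are copied from the FRST output earlier in the thread; the function names and the script name are ours. It assumes an elevated PowerShell prompt on Windows.

```powershell
# Added example (not from the thread or its tools): read-only audit of the registry and
# file-system locations FRST listed for the "shopperz" adware. Reports only; deletes nothing.
# Assumptions: marker and CLSIDs are taken from the FRST output; function names are ours.
param(
    [string]$Marker = 'shopperz',
    [string[]]$Clsids = @('{3CF50C82-4C4B-43e9-B1B2-15CB1BD0C193}',
                          '{7D8DAE88-BC05-4578-8C29-E541FFBA5757}')
)

# One uniform result row for every check below.
function New-Finding([string]$Kind, [string]$Key, [string]$Name, [string]$Data) {
    [pscustomobject]@{ Kind = $Kind; Key = $Key; Name = $Name; Data = $Data }
}

# StartupApproved\Run values whose name contains the marker. Both the native and the
# Wow6432Node view of HKLM\SOFTWARE are read, because registry redirection can give a
# 32-bit process a different view of HKLM\SOFTWARE than a 64-bit process sees.
function Get-StartupApprovedRemnants {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -notlike "*$Marker*") { continue }
            $raw = $item.GetValue($name)
            # StartupApproved stores REG_BINARY; render it as hex, the way FRST prints it.
            $hex = if ($raw -is [byte[]]) { '0x' + (($raw | ForEach-Object { $_.ToString('X2') }) -join '') } else { [string]$raw }
            New-Finding 'StartupApproved' $key $name $hex
        }
    }
}

# The LocalServer32 registrations FRST listed: the default value and ServerExecutable
# both name the out-of-process COM server that is launched when the CLSID is activated.
function Get-ComServerRemnants {
    $roots = @('HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
               'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID')
    foreach ($root in $roots) {
        foreach ($clsid in $Clsids) {
            $key = "$root\$clsid\LocalServer32"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $item = Get-Item -LiteralPath $key
            foreach ($name in @('', 'ServerExecutable')) {
                $data = [string]$item.GetValue($name)
                $label = if ($name) { $name } else { '(Default)' }
                if ($data) { New-Finding 'COM LocalServer32' $key $label $data }
            }
        }
    }
}

# Services whose ImagePath points into the adware folder, in every control set present
# (CurrentControlSet is a link to one of the ControlSet00N keys, so these cover both).
function Get-ServiceRemnants {
    Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'ControlSet*' } |
        ForEach-Object { Get-ChildItem -LiteralPath "$($_.PSPath)\Services" -ErrorAction SilentlyContinue } |
        ForEach-Object {
            $img = [string]$_.GetValue('ImagePath')
            if ($img -like "*\$Marker\*") { New-Finding 'Service' $_.Name 'ImagePath' $img }
        }
}

# Per-user traces FRST found under HKEY_USERS: Compatibility Assistant store entries whose
# value name is the executable path, and the {4E7638A1-...} key whose "Name" value is the path.
function Get-UserHiveRemnants {
    $rel = @('Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store',
             'Software\{4E7638A1-6962-4e44-A6B9-F40E84FD6D09}')
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        foreach ($r in $rel) {
            $key = "Registry::$($hive.Name)\$r"
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $item = Get-Item -LiteralPath $key
            foreach ($name in $item.GetValueNames()) {
                $data = [string]$item.GetValue($name)
                if ($name -like "*\$Marker\*" -or $data -like "*\$Marker\*") {
                    New-Finding 'User hive' $item.Name $name $data
                }
            }
        }
    }
}

# The program folder itself; FRST showed every listed executable living under it.
function Get-FolderRemnants {
    foreach ($base in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($base -and (Test-Path -LiteralPath (Join-Path $base $Marker))) {
            New-Finding 'Folder' (Join-Path $base $Marker) '' 'present'
        }
    }
}

$findings = @(Get-StartupApprovedRemnants) + @(Get-ComServerRemnants) +
            @(Get-ServiceRemnants) + @(Get-UserHiveRemnants) + @(Get-FolderRemnants)
if ($findings.Count -eq 0) {
    Write-Output "No '$Marker' remnants found at the audited locations."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Save it as, for instance, Find-AdwareRemnants.ps1 (a name we chose) and run it from an elevated prompt before and after a fix: the before run should reproduce the FRST lines, the after run should print the "no remnants" line. Because it reads each key from the native view, the Wow6432Node view and every control set, a value that one removal tool reported as "not found" but another still lists will show up here under the exact path where it survives, which tells the helper which view or hive the next fix has to target.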