Channel: Tech Support Guy - Virus & Other Malware Removal

symptom is slow internet

Don't ever run a Registry Helper/Cleaner/Booster/Optimizer, etc. or you may lose your system.
Good Luck.

Audio malware

Welcome. :)

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt and Shortcut.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • It also makes another two logs (Addition.txt and Shortcut.txt). Please attach these to your reply.

While on FRST,

Type the following in the edit box on FRST, after "Search:".

rpcss.dll

It then should look like:

Search: rpcss.dll

Click Search Files button and post the log (Search.txt) it makes in the location FRST is saved.

Ads popping up in windows and links going to wrong places

Hello Tobo27,

Just checking in - how're you getting on?

I hate SavingsBull...

DeckardCain,
-------------------------------------------------------------
AdwCleaner Download and Run

Download AdwCleaner and save it to your desktop or somewhere you can find it.
Take care NOT to click on any ad, like from PC Optimizer Pro. The correct link is the button labeled "Download from Bleeping Computer".
NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on Tools > Smartscreen Filter > Turn off Smartscreen Filter, then click on OK in the box that opens. Then click on the link again.

Close your browser and double click on this icon on your desktop:

You will then see the screen below. Click on the Scan button (as indicated), accept any prompts that appear and allow it to run.
It may take several minutes to complete.
When it is done, click on the Clean button, accept any prompts that appear and allow the system to Reboot.
You will then be presented with the report. Copy & Paste it into a reply here.


If you lose track of the log, it is saved in this folder C:\AdwCleaner\
The filename will be adwcleaner[xx].txt where [xx] will be S1, or S2, etc. whichever filename is newest.
-----------------------------------------------------------
Download and Run the Farbar Scan Tool
  • Download FRST64 and save to your Desktop.
  • Double click Frst64.exe to launch it.
  • FRST64 will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press the Scan button.
    • When finished scanning, 2 logs will open on your Desktop, FRST.txt and Addition.txt
    • Please post them in your next reply.
Feel free to use separate replies if it's more convenient.
---------------------------------------------------
So, In Your Replies, we will be looking for the following :
The contents of:
  • FRST.txt
  • Addition.txt
  • The log from AdwCleaner
Please feel free to use separate replies.

askey127

RegAvr32/AVG

This is the important part of the log. It shows you had a Rootkit infection which you correctly selected for it to cure.

Could you please now attach the log from the last scan you did so I can check it shows a clean result.


20:13:51.0327 0x0c80 Detected object count: 1
20:13:51.0327 0x0c80 Actual detected object count: 1
20:15:07.0624 0x0c80 \Device\Harddisk0\DR0\Partition1 - copied to quarantine
20:15:07.0624 0x0c80 \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - will be cured on reboot
20:15:07.0644 0x0c80 \Device\Harddisk0\DR0\Partition1 - ok
20:15:07.0644 0x0c80 \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - User select action: Cure
20:15:07.0824 0x0c80 KLMD registered as C:\Windows\system32\drivers\94578081.sys
20:15:16.0266 0x2458 Deinitialize success
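As an added example (not code from the post or from TDSSKiller's authors), a small Python parser for log lines in the format quoted above: it pulls out the detected-object count and each object's chosen action, so the follow-up log can be checked for a clean result instead of read by eye. The sample lines are constructed to mirror the excerpt, with one extra constructed object (example.sys / Suspicious.Example) that the user skipped, to show how an unhandled detection is reported.

```python
import re
from typing import Dict

# Constructed sample in the same line shape as the TDSSKiller excerpt in the post
# (time, thread id, message). The example.sys line is invented for illustration.
SAMPLE_LOG = r"""
20:13:51.0327 0x0c80 Detected object count: 2
20:13:51.0327 0x0c80 Actual detected object count: 2
20:15:07.0624 0x0c80 \Device\Harddisk0\DR0\Partition1 - copied to quarantine
20:15:07.0624 0x0c80 \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - will be cured on reboot
20:15:07.0644 0x0c80 \Device\Harddisk0\DR0\Partition1 - ok
20:15:07.0644 0x0c80 \Device\Harddisk0\DR0\Partition1 ( Rootkit.Boot.Cidox.b ) - User select action: Cure
20:15:07.0700 0x0c80 C:\Windows\system32\drivers\example.sys ( Suspicious.Example ) - User select action: Skip
20:15:07.0824 0x0c80 KLMD registered as C:\Windows\system32\drivers\94578081.sys
20:15:16.0266 0x2458 Deinitialize success
"""

# Constructed follow-up scan with nothing detected: the result the helper asks to see.
SAMPLE_CLEAN_LOG = (
    "20:30:00.0000 0x0c80 Detected object count: 0\n"
    "20:30:01.0000 0x0c80 Deinitialize success\n"
)

# <time> <thread id> <message>
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>0x[0-9a-fA-F]+)\s+(?P<msg>.+)$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")
# <object path> ( <detection name> ) - <event or user action>
OBJECT_RE = re.compile(r"^(?P<path>.+?) \( (?P<name>[^()]+) \) - (?P<text>.+)$")
USER_ACTION = "User select action: "


def parse_tdsskiller(text: str) -> Dict:
    """Collect the detected-object count and, per (path, name), its events and user action."""
    parsed = {"detected_count": None, "objects": {}}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines or anything not in the log's line shape
        msg = m.group("msg")
        c = COUNT_RE.match(msg)
        if c:
            parsed["detected_count"] = int(c.group("n"))
            continue
        o = OBJECT_RE.match(msg)
        if not o:
            continue  # status lines without a detection name ("- ok", "- copied to quarantine")
        key = (o.group("path"), o.group("name"))
        entry = parsed["objects"].setdefault(key, {"events": [], "user_action": None})
        text_part = o.group("text")
        if text_part.startswith(USER_ACTION):
            entry["user_action"] = text_part[len(USER_ACTION):].strip()
        else:
            entry["events"].append(text_part)
    return parsed


def assess(parsed: Dict) -> Dict:
    """Report whether the scan was clean and which detections still need attention."""
    objects = parsed["objects"]
    # An object with no recorded action, or one the user skipped, is still on the disk.
    unhandled = sorted(
        f"{name} at {path}"
        for (path, name), entry in objects.items()
        if entry["user_action"] in (None, "Skip")
    )
    reboot_required = any(
        "will be cured on reboot" in ev for entry in objects.values() for ev in entry["events"]
    )
    count = parsed["detected_count"]
    return {
        "clean": count == 0 and not objects,
        "inconclusive": count is None,  # no count line at all: not evidence of a clean result
        "unhandled": unhandled,
        "reboot_required": reboot_required,
    }


if __name__ == "__main__":
    print(assess(parse_tdsskiller(SAMPLE_LOG)))
    print(assess(parse_tdsskiller(SAMPLE_CLEAN_LOG)))
```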

HELP! - Pop-ups here, there and everywhere

Hi whiteflag,
-------------------------------------------------------------
In order to receive any help here, you should read this first, and follow the directions.
Everyone Must Read This BEFORE posting for help in this forum.
http://forums.techguy.org/virus-othe...e-posting.html
It calls for only two things:
  • Run the Sysinfo program and copy the results
  • Describe what is happening with the machine that caused you to seek help.
You have already given a good description of the problem. Just follow with the short results from SysInfo.
-------------------------------------------------------------
If you have a program listed in Control Panel > Programs and Features that is named TextEnhance, go ahead and Uninstall it.

Which browser do you normally use?

askey127

Simple question about possible virus

Thank you, it's a big relief. I did it all before posting here!

Zeus trojan virus

Hello spoochface,

Welcome to the TSG Malware forum.

Please download Farbar Recovery Scan Tool from here and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click to run as administrator. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called (FRST.txt) in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run, it makes also another log (Addition.txt). Please also paste that into your reply.

Computer running slow. CPU is always at 100%! Maybe virus related.

Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe.
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...
  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files (:Files).

    Code:

    :Files
    C:\$Recycle.Bin\S-1-5-21-1014584579-3983541114-3885094704-1001\$RGJ74OS.exe
    C:\Program Files (x86)\TeamViewer\Version8\Patch.exe
    C:\ProgramData\Microsoft\Windows NT\MSSyn\ssyncer.exe
    C:\ProgramData\Microsoft\Windows NT\MSSyn\svchost.exe
    C:\Users\All Users\Microsoft\Windows NT\MSSyn\ssyncer.exe
    C:\Users\All Users\Microsoft\Windows NT\MSSyn\svchost.exe
    C:\Users\Machuca\AppData\Roaming\62656vi.exe
    C:\Users\Machuca\AppData\Roaming\bugfxa\wcgfvx.exe
    C:\Users\Machuca\WTEZH\3562.vbs
    C:\Users\Machuca\WTEZH\start.cmd
    C:\Windows\System32\rserver30\rserver3.exe
    C:\Windows\SysWOW64\rserver30\rserver3.exe
    D:\Newsbin Download\ADOBE_PHOTOSHOP_CS4_Alien_Skin_Plugin_Pack_[UPDATED][DEC_2009][RBS]\ADOBE.PHOTOSHOP.CS4-Alien.Skin.Plugin.Pack-[UPDATED][DEC.2009][RBS]\Alien.Skin-Bokeh.v1.0.2.Incl.KeyGen-CORE\KeyGen\KeyGen-CORE.exe
    D:\Newsbin Download\ADOBE_PHOTOSHOP_CS4_Alien_Skin_Plugin_Pack_[UPDATED][DEC_2009][RBS]\ADOBE.PHOTOSHOP.CS4-Alien.Skin.Plugin.Pack-[UPDATED][DEC.2009][RBS]\Alien.Skin-Snap.Art.v2.0.2.Incl.KeyGEn-CORE\KeyGen\KeyGen-CORE.exe
    D:\Newsbin Download\Radmin.v3.4.Keymaker.and.Patch.Only.FIXED-EMBRACE\famatech_radmin_server_v34_keymaker_by_embrace_fixed.exe
    D:\SABnzbd Download\downloaded\2013-04-05_03_35_59\SUG.BLuRS.SNODD-WooT.exe
    D:\SABnzbd Download\downloaded\2013-06-10_09_57_57\Foldersizes 6.1.71 Professional Edition (x86.x64).exe
    D:\SABnzbd Download\downloaded\Acronis True Image 2013.rar (1)\Setup.exe
    D:\SABnzbd Download\downloaded\Acronis-True-Image-Home-2014-17-5560-Retail-Boot-CD.rar\Acronis True Image Home 2014-17-5560 & Retail Boot CD.exe
    D:\SABnzbd Download\downloaded\Bigasoft iPad Video Converter v3 7 18 4668 Incl Keymaker BLiZZARD\Bigasoft.iPad.Video.Converter.v3.7.18.4668.Incl.Keymaker-BLiZZARD\keygen.exe
    D:\SABnzbd Download\downloaded\Key.Metric.Software.FolderSizes.v7.1.75.Enterprise.Edit ion.Incl.Keymaker-ZWT.par2 (1)\keygen.exe
    D:\SABnzbd Download\downloaded\Malwarebytes Anti-Malware PRO - Fullversion.rar\Malwarebytes Anti-Malware PRO - Fullversion.exe
    D:\SABnzbd Download\downloaded\MiniTool.Partition.Wizard.Server.v8.1.1.Retail.Incl.Key gen-BRD.rar\MiniTool.Partition.Wizard.Server.v8.1.1.Retail.Incl.Keygen-BRD.exe
    D:\SABnzbd Download\downloaded\Ontrack EasyRecovery Enterprise v11.0.2.0 Incl Crack - {Tbay}.rar\Ontrack EasyRecovery Enterprise v11.0.2.0 Incl Crack - {Tbay}.exe
    D:\SABnzbd Download\downloaded\Rar-Password-Unlocker-4.2.0.0.zip\Rar Password Unlocker 4.2.0.0.exe
    D:\SABnzbd Download\downloaded\RAR.Password.Recovery.Magic.v6.1.1.328-BEAN.zip\RAR.Password.Recovery.Magic.v6.1.1.328-BEAN.exe
    D:\SABnzbd Download\downloaded\TeamViewer v8.0.20768 Enterprise Multilingual Incl Crack - [MUMBAI].rar\Crack\TeamViewer.exe
    D:\SABnzbd Download\downloaded\VanDyke SecureCRT v6 7 4 354 Incl Patch And Keymaker ZWT\keygen.exe
    D:\SABnzbd Download\downloaded\_FAILED_Acronis True Image 2013.rar\Setup.exe
    D:\SABnzbd Download\downloaded\_UNPACK_Acronis True Image 2013.rar (2)\Setup.exe
    D:\Software\Anti-Spyware Removal Tools\Malwarebytes Antimalware\Key\Medicinas\medicinas\KG.exe
    D:\Software\AOMEI Partition Assistant Lite Edition\cbsidlm-cbsi183-AOMEI_Partition_Assistant_Lite_Edition-BP-75629288.exe
    D:\Software\CDBurnerXP\cdbxp_setup_4.3.9.2783.exe
    D:\Software\CDBurnerXP\cdbxp_setup_4.4.0.2838.exe
    D:\Software\CDBurnerXP\cdbxp_setup_4.4.0.2905.exe
    D:\Software\CDBurnerXP\cdbxp_setup_4.4.1.3099.exe
    D:\Software\CDBurnerXP\cdbxp_setup_4.4.1.3341.exe
    D:\Software\CDBurnerXP\cdbxp_setup_4.5.1.3868.exe
    D:\Software\Daemon Tools\DAEMONToolsPro510-0333.exe
    D:\Software\Dameware\Dameware.NT.Utilities.v6.6.1.1.Incl.Keymaker-EMBRACE\keygen.exe
    D:\Software\FLV Media Player\FLV_Media_Player.exe
    D:\Software\Ophcrack\ophcrack-win32-installer-3.3.1.exe
    D:\Software\Port Scanner - Free\cnet_FreePortScanner_exe.exe
    D:\Software\System Tuning\CCleaner\ccsetup400.exe
    D:\Software\TeamViewer\TeamViewer 8 Professional\Patch.exe
    D:\Software\VIO Player\vioplayer2_d5590948.exe
    D:\Software\WinGuggle_unlockWinKeys\cbsidlm-tr1_11-WinGuggle-SEO-10795752.exe
    D:\Software\Zip Opener\ZipOpenerSetup.exe

    :Commands
    [EmptyTemp]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Next,

Read the following link before we continue and run Combofix:

ComboFix usage, Questions, Help? - Look here

Next,

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

http://www.infospyware.net/antimalware/combofix/
  • Ensure that Combofix is saved directly to the Desktop <--- Very important
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
  • Close any open browsers and any other programs you might have running
  • Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/comb...o-use-combofix if required.
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Let me see both logs in your next reply, also give an update on any remaining issues or concerns...

Kevin...

PC hangs for minutes at a time randomly

Hi, sorry to have to clutter your forums with a thread.

Anyways, I've been having this issue lately so I searched it up on Google and came across this thread http://forums.techguy.org/virus-othe...w-minutes.html

Funny thing is, I'm getting this exact same issue however weird it may sound with all of the same symptoms all the way down to the 1-3 minute freezes, distorted slow motion sound, and the suspicious fact that it happens unusually often while on youtube (also quite commonly on games)

I'm not sure if this is a malware issue or maybe a hardware issue or what, however I suspect that it may have something to do with my CPU. This PC had been sitting in the hot garage for about a year before I used it, and I even replaced the thermal paste, so I'm not sure if the heat had anything to do with the cause of this issue. Also it worked fine the last time I used it, never had these hangs.

I'll probably be doing a complete HDD wipe and Windows reinstall at the end of this week after my classes end for the semester and I can finish my projects, that way I can weed out whether it's caused by any malware. Although I still appreciate anyone's input or help on my situation!

Thanks in advance,

Ziggy

Wmiprvse.exe using CPU

Hi,
I recently noted that wmiprvse.exe periodically, every few seconds, spikes to consuming around 20% of my CPU (Windows 7).
I browsed the internet already but didn't find a solution. I found that when restarting the WMI service, or killing the related svchost.exe process, the pattern disappears. However, when I restart my PC it returns. I tried to disable all startup programs and services but found nothing that caused it. It just seems to be the WMI service itself.

Also I did a full scan with McAfee.

Please help.

movilegeni daemon

Those last two logs are clean.

Go into Msconfig and put a check mark back next to movilegeni Daemon, reboot the system and do another scan with FRST and post the log. This will put the run key for the process back into the log which we can then remove with a short script. NOTE: FRST will only produce one log with this run which is all I need to see.

The fact that the process was disabled is most probably why it didn't get detected by either Malwarebytes or Adwcleaner.

cannot delete costmin PUP

Hi and welcome to TSG.

Costmin is one of many Adware products that get bundled with free software. You should always be careful when installing free software: look out for the option of a custom install and uncheck any boxes next to items that come with the software so they don't get installed.

These two scans should take care of it, please re-enable the extension so it is more easily detected before running these scans. Please follow the instructions carefully and post the logs produced.


SCAN 1
Click on this link to download: ADWCleaner. Click on the Download Now button and save it to your desktop.

NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on Tools > Smartscreen Filter > Turn off Smartscreen Filter, then click on OK in the box that opens. Then click on the link again.

Close your browser and double click on this icon on your desktop:

You will then see the screen below. Click on the Scan button (as indicated), accept any prompts that appear and allow it to run; it may take several minutes to complete. When it is done, click on the Clean button, accept any prompts that appear and allow the system to reboot. You will then be presented with the report. Copy & Paste it into your next post.

NOTE: If for any reason the report does not appear, open Windows Explorer and click on the C: drive in the left pane. In the right pane you should find a new folder called Adwcleaner; double click on it and you will see the saved logs. Find the log that has a number in brackets starting with an S NOT R, similar to this: Adwcleaner[S1]. Double click on the one with the highest number and the log will open. Copy & Paste it into your reply.


SCAN 2
Download Malwarebytes from here: Malwarebytes if you do not already have it and save the download to your desktop and install it. Once installed, open the program by double clicking on the icon and click on Update Now in the line where Database Version: is shown.

  • Before you run the scan click on Settings and then Detection and Protection in the left pane.
  • At the next window make sure there are check marks next to all three of the items below Detection Options.
  • Also, under Non-Malware detections: set it to Treat detections as Malware
  • When done click on the Scan button and then make sure Threat Scan is selected, then click on the Scan Now button.
  • Shut down all browsers and any running programs and leave the system undisturbed while the scan is running. The time it takes to complete will depend on the amount of data that is on your system; on most systems it will be about 10 to 20 minutes.
  • When the scan completes it will tell you and show a window with a list of the detected items. They should all show Quarantine under the Action column, check to make sure. Then click on the Apply Actions button, accept any prompts that appear and allow it to reboot if requested.
  • Then click on the History button at the top of the window. (If the system rebooted you will first need to double click on the Malwarebytes icon to re-open it).
  • Click on Application Logs in the left pane. It will show a list of logs, you must find the Scan log, not the Protection Log, with today's date on it, it should be the one at the top of the list, click on the box at the beginning of the line so a check mark appears then click on View just above the list. When the next window opens click on Copy to Clipboard. If the View button is grayed out click on the word 'Scan Log' so the line gets highlighted, the View button should then be available.
  • Immediately come back here, right click inside the message box and select Paste, the log should appear. Add any other information asked for and submit the post.

file.org

Thanks Asky, I'll do this on Friday. I put my laptop away and will be at work all day tomorrow.

I can't recognise the virus

Does my laptop have a virus, malware, can't figure this out.

I am having a problem on certain websites with sort of a pop up. It shows up at the top of a page, it has the name of the website and says it offers coupons, discounts, what have you. It will show up on the same web site pages, but over time there are more and more pages where it will show up. After going through some different pages of the same web site it disappears.

I clicked on the little cross in the right top corner, on "yes" and "no" every time, but wherever I click there is no reaction. It just sits there.

I cannot make a screen shot (or do not know how) but I have made pictures, and posted them here. (If it is possible to have the pic show up here please let me know how.)

There are 3 pics that are self explanatory.

https://img0.etsystatic.com/041/0/52...8kskoko48o.jpg

https://img1.etsystatic.com/031/0/52...k4koc088kk.jpg

https://img1.etsystatic.com/032/0/52...sw4gcs4ksk.jpg

I have Windows 7 with all updates, and IE11.

If I have forgotten anything, let me know and I will post it.

Many thanks!
Milli.

malware & usb flash drive

1) Can I have a RAT / remote access trojan - a piece of malware - on my USB flash drive now if I previously had files on there and there had been a RAT on the flash drive previously, but there are no more files/documents on there now?

I don't actually know that there had been any malware previously; I don't know either way, yes or no.

- Another way to say the same thing would be: can a RAT be on a flash drive that does not have any files on it, though it used to have files on it? Files have only been "deleted" from the flash drive (not permanently removed with something that would wipe the flash drive clean - the "hard-drive" part of the flash drive, whatever you would call that).

2) How can you clean a flash drive so that there is no trace of any possible virus/trojan/malware?

thanks!
lolly

FB remote access trojans

Thanks, but just changing username and password will not remove the malware on there now.....

- What might I do to clean my FB account?
- Once I log in those 'phone home' RATs kick in; I would doubt changing my username/password would prevent that...


thx

Still browser redirects after using the kitchen sink

I have a friend's laptop that was highly infected that I have been trying to clean up for them. I have used Malwarebytes, Superantispyware, Adwcleaner, Junk Removal Tool and ComboFix. I will post my ComboFix results in hopes someone could direct me how to cure this bs browser hijacker. Thanks.


ComboFix 14-07-24.01 - Stormin 07/24/2014 19:05:21.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1900.595 [GMT -4:00]
Running from: G:\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Disabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-06-24 to 2014-07-24 )))))))))))))))))))))))))))))))
.
.
2014-07-24 23:38 . 2014-07-24 23:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-07-24 23:18 . 2014-07-24 23:18 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC80FBDB-E3A9-4F10-A20D-E6F16622CD73}\offreg.dll
2014-07-24 23:01 . 2014-07-14 08:12 10924376 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{DC80FBDB-E3A9-4F10-A20D-E6F16622CD73}\mpengine.dll
2014-07-22 01:09 . 2014-07-22 01:09 -------- d-----w- c:\users\Stormin\AppData\Roaming\AVAST Software
2014-07-22 01:06 . 2014-07-22 01:06 427360 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-07-22 01:06 . 2014-07-22 01:06 92008 ----a-w- c:\windows\system32\drivers\aswStm.sys
2014-07-22 01:06 . 2014-07-22 01:06 224896 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-07-22 01:06 . 2014-07-22 01:06 1041168 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-07-22 01:06 . 2014-07-22 01:06 79184 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-07-22 01:06 . 2014-07-22 01:06 65776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-07-22 01:06 . 2014-07-22 01:06 29208 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-07-22 01:06 . 2014-07-22 01:06 93568 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-07-22 01:06 . 2014-07-22 01:06 307344 ----a-w- c:\windows\system32\aswBoot.exe
2014-07-22 01:06 . 2014-07-22 01:06 43152 ----a-w- c:\windows\avastSS.scr
2014-07-22 01:01 . 2014-07-22 01:01 -------- d-----w- c:\program files\AVAST Software
2014-07-22 00:48 . 2014-07-22 01:01 -------- d-----w- c:\programdata\AVAST Software
2014-07-22 00:43 . 2014-07-22 00:43 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin
2014-07-22 00:43 . 2014-07-22 00:43 -------- d-----w- C:\AI_RecycleBin
2014-07-22 00:17 . 2014-07-22 00:17 -------- d-----w- c:\program files\CCleaner
2014-07-21 02:46 . 2014-07-21 02:46 -------- d-----w- c:\programdata\Licenses
2014-07-21 02:45 . 2014-07-21 02:45 -------- d-----w- c:\users\Stormin\AppData\Roaming\Simply Super Software
2014-07-21 02:45 . 2014-07-21 02:45 -------- d-----w- c:\program files (x86)\Trojan Remover
2014-07-21 02:45 . 2014-07-21 02:45 -------- d-----w- c:\programdata\Simply Super Software
2014-07-21 02:26 . 2014-07-21 02:26 -------- d-----w- c:\program files\7-Zip
2014-07-21 02:21 . 2014-07-21 02:39 -------- d-----w- c:\program files\HitmanPro
2014-07-21 02:08 . 2014-07-21 02:08 -------- d-sh--w- c:\users\Stormin\AppData\Local\EmieUserList
2014-07-21 02:08 . 2014-07-21 02:08 -------- d-sh--w- c:\users\Stormin\AppData\Local\EmieSiteList
2014-07-21 01:29 . 2014-07-21 01:29 -------- d-----w- c:\windows\ERUNT
2014-07-21 01:21 . 2010-08-30 12:34 536576 ----a-w- c:\windows\SysWow64\sqlite3.dll
2014-07-21 01:20 . 2014-07-21 22:10 -------- d-----w- C:\AdwCleaner
2014-07-20 19:48 . 2014-07-20 19:48 -------- d-----w- c:\program files (x86)\ESET
2014-07-20 19:30 . 2014-07-20 19:30 -------- d-s---w- c:\windows\system32\CompatTel
2014-07-17 01:26 . 2014-07-17 01:26 -------- d-----w- c:\users\Stormin\AppData\Roaming\SUPERAntiSpyware.com
2014-07-17 01:26 . 2014-07-17 01:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2014-07-17 01:26 . 2014-07-17 01:26 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2014-07-17 00:44 . 2014-06-06 10:10 624128 ----a-w- c:\windows\system32\qedit.dll
2014-07-17 00:44 . 2014-06-06 09:44 509440 ----a-w- c:\windows\SysWow64\qedit.dll
2014-07-17 00:44 . 2014-05-30 06:45 497152 ----a-w- c:\windows\system32\drivers\afd.sys
2014-07-17 00:41 . 2014-06-30 02:09 519168 ----a-w- c:\windows\system32\aepdu.dll
2014-07-17 00:41 . 2014-06-30 02:04 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-07-17 00:41 . 2014-02-04 02:35 274880 ----a-w- c:\windows\system32\drivers\msiscsi.sys
2014-07-17 00:41 . 2014-02-04 02:35 190912 ----a-w- c:\windows\system32\drivers\storport.sys
2014-07-17 00:41 . 2014-02-04 02:35 27584 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2014-07-17 00:41 . 2014-02-04 02:28 2048 ----a-w- c:\windows\system32\iologmsg.dll
2014-07-17 00:41 . 2014-02-04 02:00 2048 ----a-w- c:\windows\SysWow64\iologmsg.dll
2014-07-17 00:39 . 2014-03-25 02:43 14175744 ----a-w- c:\windows\system32\shell32.dll
2014-07-17 00:38 . 2014-07-21 01:43 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-07-17 00:36 . 2014-05-12 11:26 91352 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-07-17 00:36 . 2014-05-12 11:26 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-07-17 00:36 . 2014-05-12 11:25 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-07-17 00:36 . 2014-07-17 00:37 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-07-17 00:19 . 2014-06-03 10:02 1354240 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2014-07-17 00:18 . 2014-06-03 09:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2014-07-17 00:18 . 2014-04-25 02:34 801280 ----a-w- c:\windows\system32\usp10.dll
2014-07-17 00:18 . 2014-04-25 02:06 626688 ----a-w- c:\windows\SysWow64\usp10.dll
2014-07-17 00:13 . 2014-05-30 08:08 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-07-17 00:06 . 2014-06-19 00:53 48640 ----a-w- c:\program files\Internet Explorer\DiagnosticsHub_is.dll
2014-07-17 00:05 . 2014-06-18 23:50 977408 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2014-07-17 00:05 . 2014-06-19 00:14 940032 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-07-17 00:05 . 2014-06-19 01:39 23464448 ----a-w- c:\windows\system32\mshtml.dll
2014-07-17 00:05 . 2014-06-05 14:45 1460736 ----a-w- c:\windows\system32\lsasrv.dll
2014-07-17 00:05 . 2014-04-12 02:22 155072 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-07-17 00:05 . 2014-04-12 02:22 95680 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2014-07-17 00:05 . 2014-04-12 02:19 136192 ----a-w- c:\windows\system32\sspicli.dll
2014-07-17 00:05 . 2014-04-12 02:19 31232 ----a-w- c:\windows\system32\lsass.exe
2014-07-17 00:05 . 2014-04-12 02:19 29184 ----a-w- c:\windows\system32\sspisrv.dll
2014-07-17 00:05 . 2014-04-12 02:19 28160 ----a-w- c:\windows\system32\secur32.dll
2014-07-17 00:05 . 2014-06-05 14:26 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2014-07-17 00:05 . 2014-06-05 14:25 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2014-07-16 23:36 . 2014-03-04 09:44 243712 ----a-w- c:\windows\system32\wow64.dll
2014-07-16 23:36 . 2014-03-04 09:44 1163264 ----a-w- c:\windows\system32\kernel32.dll
2014-07-16 23:36 . 2014-03-04 09:44 362496 ----a-w- c:\windows\system32\wow64win.dll
2014-07-16 23:36 . 2014-03-04 09:44 13312 ----a-w- c:\windows\system32\wow64cpu.dll
2014-07-16 23:36 . 2014-03-04 09:44 16384 ----a-w- c:\windows\system32\ntvdm64.dll
2014-07-16 23:36 . 2014-03-04 09:17 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
2014-07-16 23:36 . 2014-03-04 09:16 25600 ----a-w- c:\windows\SysWow64\setup16.exe
2014-07-16 23:36 . 2014-03-04 09:16 5120 ----a-w- c:\windows\SysWow64\wow32.dll
2014-07-16 23:36 . 2014-03-04 08:09 7680 ----a-w- c:\windows\SysWow64\instnm.exe
2014-07-16 23:36 . 2014-03-04 08:09 2048 ----a-w- c:\windows\SysWow64\user.exe
2014-07-16 23:35 . 2014-01-24 02:37 1684928 ----a-w- c:\windows\system32\drivers\ntfs.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-07-17 00:41 . 2013-05-31 15:33 699056 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-07-17 00:41 . 2013-04-13 12:32 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-06-26 21:40 . 2014-02-23 19:32 96441528 ----a-w- c:\windows\system32\MRT.exe
2014-02-20 22:16 . 2014-02-20 22:16 49940480 ----a-w- c:\program files (x86)\GUTF98B.tmp
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ru n]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-09-14 283160]
"TrojanScanner"="c:\program files (x86)\Trojan Remover\Trjscan.exe" [2014-05-22 1666432]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-07-22 4086432]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallDeleteDir"="rmdir" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R1 txveqxio;txveqxio;c:\windows\system32\drivers\txveqxio.sys;c:\windows\SYSNATIVE\drivers\txveqxio.sys [x]
R2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 HitmanPro36CrusaderBoot;HitmanPro 3.6 Crusader (Boot);f:\hitmanpro36_x64.exe;f:\HitmanPro36_x64.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe;c:\program files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 HPWMISVC;HPWMISVC;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 IconMan_R;IconMan_R;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe;c:\program files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [x]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S3 clwvd;CyberLink WebCam Virtual Driver;c:\windows\system32\DRIVERS\clwvd.sys;c:\windows\SYSNATIVE\DRIVERS\clwvd.sys [x]
S3 RSPCIESTOR;Realtek PCIE CardReader Driver;c:\windows\system32\DRIVERS\RtsPStor.sys;c:\windows\SYSNATIVE\DRIVERS\RtsPStor.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 RTL8192Ce;Realtek Wireless LAN 802.11n PCI-E NIC Driver;c:\windows\system32\DRIVERS\rtl8192Ce.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192Ce.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWRVRT
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-03-23 22:48 1150280 ----a-w- c:\program files (x86)\Google\Chrome\Application\33.0.1750.154\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-07-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-05-31 00:41]
.
2014-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-17 14:50]
.
2014-07-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-04-17 14:50]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-07-22 01:06 634872 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2011-01-11 6602856]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SetDefault"="c:\program files\Hewlett-Packard\HP LaunchBox\SetDefault.exe" [2011-06-27 42808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2014-01-30 171992]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2014-01-30 399832]
"Persistence"="c:\windows\system32\igfxpers.exe" [2014-01-30 442328]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mStart Page = www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uSearchAssistant = www.google.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226} - c:\program files (x86)\InstallShield Installation Information\{CA43FE4F-9FF2-4AD7-88F0-CC3BAC17B226}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\HitmanPro36CrusaderBoot]
"ImagePath"="\"f:\hitmanpro36_x64.exe\" /crusader:boot"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.14"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-07-24 19:41:29
ComboFix-quarantined-files.txt 2014-07-24 23:41
ComboFix2.txt 2014-07-22 00:10
ComboFix3.txt 2014-07-21 22:48
.
Pre-Run: 235,782,152,192 bytes free
Post-Run: 236,488,232,960 bytes free
.
- - End Of File - - 633750BA295F124A9C50F5F2499E24DE

Suspicious Lag Spikes

xwurzelx,
You have obsolete Java and Adobe Reader which can get your computer infected.
We will install replacements later.
As you know, your Adobe stuff is not genuine. I won't deal with anything about it.
------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Programs and Features
Click each Entry, as follows, one by one, if it exists, choose Uninstall, and give permission to Continue:

McAfee Security Scan Plus
Java(TM) 6 Update 32
Java 7 Update 9
Software Updater
Pando Media Booster
Adobe Reader X
IL Download Manager
Inkscape 0.48.4
Unity Web Player

Take extra care in answering questions posed by any Uninstaller.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
----------------------------------------------
Perform a Custom Fix with OTL
Right click OTL on your desktop, and choose "Run as administrator" to open it.
  • In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
    Code:

    :Commands
    [CREATERESTOREPOINT]

    :OTL
    SRV:64bit: - [2014/04/09 14:13:48 | 000,289,256 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.8.150\McCHSvc.exe -- (McComponentHostService)
    IE - HKU\S-1-5-21-1969685697-2450561453-3541330301-1000\..\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}: "URL" = http://nortonsafe.search.ask.com/web?q={SEARCHTERMS}&o=APN10506&l=dis&prt=NIS&chn=retail&geo=GB&ver=20&locale=en_GB&gct=kwd&qsrc=2869
    FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)
    FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
    FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{e4f94d1e-2f53-401e-8885-681602c0ddd8}: C:\ProgramData\McAfee Security Scan\Extensions\{e4f94d1e-2f53-401e-8885-681602c0ddd8}.xpi [2014/04/04 11:36:14 | 000,010,691 | ---- | M] ()
    CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
    CHR - Extension: McAfee Security Scan+ = C:\Users\Tom\AppData\Local\Google\Chrome\User Data\Default\Extensions\bopakagnckmlgajfccecajhnimjiiedh\3.8.141.12_0\
    O2:64bit: - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files (x86)\Hotspot Shield\HssIE\HssIE_64.dll File not found
    O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
    O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in )
    O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in )
    O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in )
    O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: clonewarsadventures.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: freerealms.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: soe.com ([]* in )
    O15 - HKU\S-1-5-20\..Trusted Domains: sony.com ([]* in )
    O15 - HKU\S-1-5-21-1969685697-2450561453-3541330301-1000\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-1969685697-2450561453-3541330301-1000\..Trusted Domains: freerealms.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-1969685697-2450561453-3541330301-1000\..Trusted Domains: soe.com ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-1969685697-2450561453-3541330301-1000\..Trusted Domains: sony.com ([]* in Trusted sites)
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
    [2014/06/18 17:22:07 | 000,000,000 | ---D | M] -- C:\Users\Tom\AppData\Roaming\inkscape

    :Files
    ipconfig /flushdns /c

    :Commands
    [emptyjava]
    [emptyflash]
    [EMPTYTEMP]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and click to allow the Reboot when it is done.
    When the computer Reboots, and you start your usual account, a Notepad text file will appear.
  • That is the FIX log file. Copy the contents of that file and post it in your next reply.
    It will also be available and named by timestamp here: C:\_OTL\Moved Files\mmddyyyy_hhmmss.log
-------------------------------------------------------------
AdwCleaner Download and Run

Download AdwCleaner and save it to your desktop or somewhere you can find it.
Take care NOT to click on any ad, like from PC Optimizer Pro. The correct link is the button labeled "Download from Bleeping Computer".
NOTE: If using Internet Explorer and you get an alert that stops the program downloading click on Tools > Smartscreen Filter > Turn off Smartscreen Filter then click on OK in the box that opens. Then click on the link again.

Close your browser and double click on this icon on your desktop:



You will then see the screen below. Click on the Scan button (as indicated), accept any prompts that appear and allow it to run.
It may take several minutes to complete.
When it is done, click on the Clean button, accept any prompts that appear and allow the system to Reboot.
You will then be presented with the report. Copy & Paste it into a reply here.


If you lose track of the log, it is saved in this folder C:\AdwCleaner\
The filename will be adwcleaner[xx].txt where [xx] will be S1, or S2, etc. whichever filename is newest.

askey127
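An added follow-up check, not part of askey127's instructions and not code from OTL or ComboFix: this PowerShell audit re-reads the two kinds of leftovers the OTL fix above targets, Run/RunOnce entries whose target file no longer exists (the same missing-file pattern as the "File not found" BHO line) and domains sitting in Internet Explorer's Trusted sites zone (the O15 "Trusted Domains" lines). It assumes Windows 7 or later with an elevated PowerShell prompt so every loaded profile hive under HKEY_USERS is readable; the function names are my own.

```powershell
# Added audit script (not the helper's, OTL's or ComboFix's code). Run elevated so every
# loaded profile hive under HKEY_USERS is readable. Checks Run/RunOnce entries whose file
# is missing and domains placed in IE's Trusted sites zone (zone 2), per hive.
function Get-UserHiveSids {
    # One name per loaded profile hive; "_Classes" hives are HKCR overlays, not profiles.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { $_.PSChildName }
}
function Resolve-CommandPath([string]$CommandLine) {
    # Pull the executable out of a Run-key command line: a quoted path, or text up to the first .exe/.dll.
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $m = [regex]::Match($CommandLine, '^\s*"([^"]+)"')
    if (-not $m.Success) { $m = [regex]::Match($CommandLine, '^\s*(.+?\.(exe|dll))\b', 'IgnoreCase') }
    if ($m.Success) { return [Environment]::ExpandEnvironmentVariables($m.Groups[1].Value) }
    return $null   # e.g. the bare "rmdir" RunOnce entry in the ComboFix log has no file to check
}
function Get-AutostartWithMissingFile {
    $keys = @()
    foreach ($view in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $keys += "$view\Microsoft\Windows\CurrentVersion\Run", "$view\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($sid in Get-UserHiveSids) { $keys += "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Run" }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
            $target = Resolve-CommandPath $p.Value
            if ($target -and -not (Test-Path -LiteralPath $target)) {
                New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Target = $target }
            }
        }
    }
}
function Get-TrustedSiteDomains {
    # Zone 2 = Trusted sites. Domains are subkeys of ZoneMap\Domains (and EscDomains);
    # each scheme value (http, https, *) under them holds the zone number.
    $roots = @('HKLM:\SOFTWARE') + (Get-UserHiveSids | ForEach-Object { "HKU:\$_\Software" })
    foreach ($root in $roots) {
        foreach ($list in 'Domains', 'EscDomains') {
            $base = "$root\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\$list"
            if (-not (Test-Path $base)) { continue }
            foreach ($item in (Get-ChildItem -Path $base -Recurse)) {
                foreach ($v in $item.GetValueNames()) {
                    if ($item.GetValue($v) -ne 2) { continue }
                    # Subkeys nest host under domain, so reverse the path to rebuild host.domain
                    $pattern = '.*\\' + [regex]::Escape($list) + '\\'
                    $labels = @(($item.PSPath -replace $pattern, '') -split '\\')
                    [array]::Reverse($labels)
                    New-Object PSObject -Property @{ Hive = $root; Domain = ($labels -join '.'); Scheme = $v }
                }
            }
        }
    }
}
Get-AutostartWithMissingFile | Format-Table Key, Name, Target -AutoSize
Get-TrustedSiteDomains | Sort-Object Hive, Domain -Unique | Format-Table Hive, Domain, Scheme -AutoSize
```

Run it once before the OTL fix and once after the reboot; an entry that still shows up afterwards is something the fix did not reach and is worth posting with the fix log.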