
[Solved] I need help with very strange Chinese SPAM/Malware

Discussion in 'Malware and Virus Removal Archive' started by bellisimo, 2014/05/25.

  1. 2014/05/26
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Joined:
    2008/05/26
    Messages:
    456
    Likes Received:
    1
    Here's the combofix scan, broni:

    ComboFix 14-05-26.02 - a 05/27/2014 0:17.1.8 - x64
    Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8142.3941 [GMT -5:00]
    Running from: c:\users\a\Desktop\ComboFix.exe
    SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\a\AppData\Local\assembly\tmp
    c:\windows\SysWow64\hookdll.dll
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-04-27 to 2014-05-27 )))))))))))))))))))))))))))))))
    .
    .
    2014-05-27 04:06 . 2014-05-27 04:23 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
    2014-05-25 20:43 . 2014-05-25 20:43 -------- d-----w- c:\program files (x86)\Common Files\Java
    2014-05-25 20:42 . 2014-05-25 20:42 313256 ----a-w- c:\windows\system32\javaws.exe
    2014-05-25 20:42 . 2014-05-25 20:42 111016 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
    2014-05-25 20:42 . 2014-05-25 20:42 191400 ----a-w- c:\windows\system32\javaw.exe
    2014-05-25 20:42 . 2014-05-25 20:42 190888 ----a-w- c:\windows\system32\java.exe
    2014-05-18 06:09 . 2014-05-18 06:09 -------- d-----w- c:\programdata\34BE82C4-E596-4e99-A191-52C6199EBF69
    2014-05-18 06:09 . 2014-05-18 06:09 -------- d-----w- c:\program files\iTunes
    2014-05-18 06:09 . 2014-05-18 06:09 -------- d-----w- c:\program files (x86)\iTunes
    2014-05-18 06:09 . 2014-05-18 06:09 -------- d-----w- c:\program files\iPod
    2014-05-15 05:21 . 2014-05-06 05:14 97280 ----a-w- c:\windows\system32\mshtmled.dll
    2014-05-15 05:21 . 2014-05-06 05:14 19274752 ----a-w- c:\windows\system32\mshtml.dll
    2014-05-15 05:21 . 2014-05-06 03:37 2706432 ----a-w- c:\windows\system32\mshtml.tlb
    2014-05-15 05:21 . 2014-05-06 03:26 2706432 ----a-w- c:\windows\SysWow64\mshtml.tlb
    2014-05-15 02:28 . 2014-03-25 02:43 14175744 ----a-w- c:\windows\system32\shell32.dll
    2014-05-15 02:28 . 2014-05-09 06:14 477184 ----a-w- c:\windows\system32\aepdu.dll
    2014-05-15 02:28 . 2014-05-09 06:11 424448 ----a-w- c:\windows\system32\aeinv.dll
    2014-05-06 05:39 . 2014-05-15 16:15 -------- d-s---w- c:\windows\system32\CompatTel
    2014-05-04 19:33 . 2014-05-04 19:33 -------- d-----w- c:\users\a\AppData\Local\IAC
    2014-05-01 04:19 . 2014-05-09 21:37 -------- d-----w- c:\users\a\AppData\Local\Blockless
    2014-04-28 15:27 . 2014-04-28 15:27 102704 ----a-w- c:\windows\system32\drivers\KNBDrv64.sys
    2014-04-28 15:27 . 2014-04-28 15:27 102704 ----a-w- c:\windows\system32\drivers\knbdrv.sys
    2014-04-28 15:27 . 2014-04-30 05:32 -------- d-----w- c:\users\a\AppData\Local\liebao
    2014-04-28 15:24 . 2014-04-28 15:24 -------- d-----w- c:\users\a\AppData\Local\Kingsoft
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-05-27 04:17 . 2014-04-19 06:53 119000 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-05-17 16:27 . 2014-02-01 16:02 70832 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-05-17 16:27 . 2014-02-01 16:02 692400 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2014-05-15 05:20 . 2013-08-02 20:46 93223848 ----a-w- c:\windows\system32\MRT.exe
    2014-04-28 15:27 . 2014-03-19 04:31 85352 ----a-w- c:\windows\system32\drivers\ksapi.sys
    2014-03-17 01:57 . 2014-03-17 01:57 2876528 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
    2014-03-17 01:57 . 2014-03-17 01:57 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
    2014-03-13 06:33 . 2014-04-09 17:29 51712 ----a-w- c:\windows\system32\ie4uinit.exe
    2014-03-13 06:33 . 2014-04-09 17:29 2238976 ----a-w- c:\windows\system32\wininet.dll
    2014-03-13 06:33 . 2014-04-09 17:29 1365504 ----a-w- c:\windows\system32\urlmon.dll
    2014-03-13 06:32 . 2014-04-09 17:29 197120 ----a-w- c:\windows\system32\msrating.dll
    2014-03-13 06:32 . 2014-04-09 17:29 603136 ----a-w- c:\windows\system32\msfeeds.dll
    2014-03-13 06:32 . 2014-04-09 17:29 53760 ----a-w- c:\windows\system32\jsproxy.dll
    2014-03-13 06:32 . 2014-04-09 17:29 855552 ----a-w- c:\windows\system32\jscript.dll
    2014-03-13 06:32 . 2014-04-09 17:29 3959808 ----a-w- c:\windows\system32\jscript9.dll
    2014-03-13 06:31 . 2014-04-09 17:29 526336 ----a-w- c:\windows\system32\ieui.dll
    2014-03-13 06:31 . 2014-04-09 17:29 67072 ----a-w- c:\windows\system32\iesetup.dll
    2014-03-13 06:31 . 2014-04-09 17:29 15404544 ----a-w- c:\windows\system32\ieframe.dll
    2014-03-13 06:31 . 2014-04-09 17:29 2648576 ----a-w- c:\windows\system32\iertutil.dll
    2014-03-13 06:31 . 2014-04-09 17:29 39936 ----a-w- c:\windows\system32\iernonce.dll
    2014-03-13 06:31 . 2014-04-09 17:29 136704 ----a-w- c:\windows\system32\iesysprep.dll
    2014-03-13 05:10 . 2014-04-09 17:29 1766400 ----a-w- c:\windows\SysWow64\wininet.dll
    2014-03-13 05:09 . 2014-04-09 17:29 2877952 ----a-w- c:\windows\SysWow64\jscript9.dll
    2014-03-13 05:09 . 2014-04-09 17:29 61440 ----a-w- c:\windows\SysWow64\iesetup.dll
    2014-03-13 05:09 . 2014-04-09 17:29 109056 ----a-w- c:\windows\SysWow64\iesysprep.dll
    2014-03-13 03:59 . 2014-04-09 17:29 89600 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2014-03-13 03:51 . 2014-04-09 17:29 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
    2014-03-04 09:44 . 2014-04-09 17:28 362496 ----a-w- c:\windows\system32\wow64win.dll
    2014-03-04 09:44 . 2014-04-09 17:28 243712 ----a-w- c:\windows\system32\wow64.dll
    2014-03-04 09:44 . 2014-04-09 17:28 13312 ----a-w- c:\windows\system32\wow64cpu.dll
    2014-03-04 09:44 . 2014-04-09 17:28 16384 ----a-w- c:\windows\system32\ntvdm64.dll
    2014-03-04 09:44 . 2014-04-09 17:28 1163264 ----a-w- c:\windows\system32\kernel32.dll
    2014-03-04 09:17 . 2014-04-09 17:28 14336 ----a-w- c:\windows\SysWow64\ntvdm64.dll
    2014-03-04 09:17 . 2014-04-09 17:28 44032 ----a-w- c:\windows\apppatch\acwow64.dll
    2014-03-04 09:16 . 2014-04-09 17:28 25600 ----a-w- c:\windows\SysWow64\setup16.exe
    2014-03-04 09:16 . 2014-04-09 17:28 5120 ----a-w- c:\windows\SysWow64\wow32.dll
    2014-03-04 08:09 . 2014-04-09 17:28 7680 ----a-w- c:\windows\SysWow64\instnm.exe
    2014-03-04 08:09 . 2014-04-09 17:28 2048 ----a-w- c:\windows\SysWow64\user.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
    @="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
    [HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
    2013-08-01 01:45 220632 ----a-w- c:\users\a\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
    @="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
    [HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
    2013-08-01 01:45 220632 ----a-w- c:\users\a\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
    @="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
    [HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
    2013-08-01 01:45 220632 ----a-w- c:\users\a\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-11-16 641704]
    "EMET 4.1 Agent"="c:\program files (x86)\EMET 4.1\EMET_agent.exe" [2013-11-21 78992]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2014-05-15 152392]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2014-03-18 224128]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Secunia PSI Tray.lnk - c:\program files (x86)\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc]
    @=""
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R3 afcdp;afcdp;c:\windows\system32\DRIVERS\afcdp.sys;c:\windows\SYSNATIVE\DRIVERS\afcdp.sys [x]
    R3 afcdpsrv;Acronis Nonstop Backup Service;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe;c:\program files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [x]
    R3 DKRtWrt;DKRtWrt;c:\windows\system32\DRIVERS\DKRtWrt.sys;c:\windows\SYSNATIVE\DRIVERS\DKRtWrt.sys [x]
    R3 KNBDrv;KNBDrv;c:\windows\system32\drivers\knbdrv.sys;c:\windows\SYSNATIVE\drivers\knbdrv.sys [x]
    R3 ksapi64;ksapi64;c:\windows\system32\drivers\ksapi64.sys;c:\windows\SYSNATIVE\drivers\ksapi64.sys [x]
    R3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
    R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys;c:\windows\SYSNATIVE\DRIVERS\SWDUMon.sys [x]
    R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
    R3 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    S0 bootsafe;bootsafe;c:\windows\system32\Drivers\bootsafe64.sys;c:\windows\SYSNATIVE\Drivers\bootsafe64.sys [x]
    S0 DKDFM;Device Filter Manager Driver;c:\windows\system32\drivers\DKDFM.sys;c:\windows\SYSNATIVE\drivers\DKDFM.sys [x]
    S0 DKTLFSMF;Telemetry File System Mini Filter Driver;c:\windows\system32\drivers\DKTLFSMF.sys;c:\windows\SYSNATIVE\drivers\DKTLFSMF.sys [x]
    S0 fltsrv;Acronis Storage Filter Management;c:\windows\system32\DRIVERS\fltsrv.sys;c:\windows\SYSNATIVE\DRIVERS\fltsrv.sys [x]
    S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
    S0 KAVBootC;KAVBootC;c:\windows\system32\drivers\kavbootc64.sys;c:\windows\SYSNATIVE\drivers\kavbootc64.sys [x]
    S0 tib;Acronis TIB Manager;c:\windows\system32\DRIVERS\tib.sys;c:\windows\SYSNATIVE\DRIVERS\tib.sys [x]
    S0 tib_mounter;Acronis TIB Mounter;c:\windows\system32\DRIVERS\tib_mounter.sys;c:\windows\SYSNATIVE\DRIVERS\tib_mounter.sys [x]
    S0 vididr;Acronis Virtual Disk;c:\windows\system32\DRIVERS\vididr.sys;c:\windows\SYSNATIVE\DRIVERS\vididr.sys [x]
    S0 vidsflt;Acronis Disk Storage Filter;c:\windows\system32\DRIVERS\vidsflt.sys;c:\windows\SYSNATIVE\DRIVERS\vidsflt.sys [x]
    S1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx64.sys;c:\windows\SYSNATIVE\drivers\avgtpx64.sys [x]
    S1 netfilter64;netfilter64;c:\windows\system32\drivers\netfilter64.sys;c:\windows\SYSNATIVE\drivers\netfilter64.sys [x]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [x]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [x]
    S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
    S2 DGPNPSEV;DriverGenius PNP Service;f:\program files\MyDrivers\DriverGenius2013\DgService.exe;f:\program files\MyDrivers\DriverGenius2013\DgService.exe [x]
    S2 DgSafe;DgSafe;c:\windows\system32\drivers\DgSafe.sys;c:\windows\SYSNATIVE\drivers\DgSafe.sys [x]
    S2 DTSAudioSvc;DTSAudioSvc;c:\program files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe;c:\program files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [x]
    S2 Intel(R) PROSet Monitoring Service;Intel(R) PROSet Monitoring Service;c:\windows\system32\IProsetMonitor.exe;c:\windows\SYSNATIVE\IProsetMonitor.exe [x]
    S2 kisknl;kisknl;c:\windows\system32\drivers\kisknl.sys;c:\windows\SYSNATIVE\drivers\kisknl.sys [x]
    S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files (x86)\Secunia\PSI\PSIA.exe;c:\program files (x86)\Secunia\PSI\PSIA.exe [x]
    S2 Secunia Update Agent;Secunia Update Agent;c:\program files (x86)\Secunia\PSI\sua.exe;c:\program files (x86)\Secunia\PSI\sua.exe [x]
    S2 syncagentsrv;Acronis Sync Agent Service;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe;c:\program files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe [x]
    S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys;c:\windows\SYSNATIVE\DRIVERS\asmthub3.sys [x]
    S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys;c:\windows\SYSNATIVE\DRIVERS\asmtxhci.sys [x]
    S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
    S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
    S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys;c:\windows\SYSNATIVE\DRIVERS\psi_mf.sys [x]
    S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys;c:\windows\SYSNATIVE\DRIVERS\wdcsam64.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - AVGTP
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-05-18 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-02-27 16:27]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
    @="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
    [HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
    2013-08-01 01:45 244696 ----a-w- c:\users\a\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
    @="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
    [HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
    2013-08-01 01:45 244696 ----a-w- c:\users\a\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
    @="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
    [HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
    2013-08-01 01:45 244696 ----a-w- c:\users\a\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\amd64\SkyDriveShell64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncError]
    @="{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}"
    [HKEY_CLASSES_ROOT\CLSID\{934BC6C0-FEC2-4df5-A100-961DE2C8A0ED}]
    2013-03-28 02:37 2818800 ----a-w- c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncInProgress]
    @="{00F848DC-B1D4-4892-9C25-CAADC86A215D}"
    [HKEY_CLASSES_ROOT\CLSID\{00F848DC-B1D4-4892-9C25-CAADC86A215D}]
    2013-03-28 02:37 2818800 ----a-w- c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\AcronisSyncOk]
    @="{71573297-552E-46fc-BE3D-3DFAF88D47B7}"
    [HKEY_CLASSES_ROOT\CLSID\{71573297-552E-46fc-BE3D-3DFAF88D47B7}]
    2013-03-28 02:37 2818800 ----a-w- c:\program files (x86)\Acronis\TrueImageHome\tishell64.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Acronis Scheduler2 Service"="c:\program files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [2013-02-15 516928]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2013-12-10 472984]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = https://www.google.ca/
    mStart Page = hxxp://www.google.com
    mSearch Bar = hxxp://www.google.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = *.local
    Trusted Zone: google.ca\www
    TCP: DhcpNameServer = 192.168.2.1
    TCP: Interfaces\{0A40FBDD-0CB3-40AF-B79D-DF9F8FBAD2EB}: NameServer = 108.171.182.159,108.171.177.124
    TCP: Interfaces\{398F358A-DB6A-4710-80FC-A933143285B5}: NameServer = 108.171.182.159,108.171.177.124
    FF - ProfilePath - c:\users\a\AppData\Roaming\Mozilla\Firefox\Profiles\trvt8chr.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Wow6432Node-HKLM-Run-kxesc - c:\program files (x86)\kingsoft\kingsoft antiviruskxetray.exe
    ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
    Toolbar-Locked - (no file)
    AddRemove-VisualBee for Microsoft PowerPoint - c:\users\a\AppData\Local\VisualBeeExe\uninst.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_13_0_0_214_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.13"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_13_0_0_214.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\McAfee]
    "SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Nico Mak Computing\WinZip]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    Completion time: 2014-05-27 00:21:33
    ComboFix-quarantined-files.txt 2014-05-27 05:21
    .
    Pre-Run: 198,159,454,208 bytes free
    Post-Run: 197,658,206,208 bytes free
    .
    - - End Of File - - 05F1F3FC247F986DD9B3EDC128C80281
    A36C5E4F47E84449FF07ED3517B43A31
  2. 2014/05/26
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Hi broni,

    When I downloaded my AVG to reinstall it just now, the same Chinese malware tried to interfere, so my system is still infected.

  4. 2014/05/27
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Hi broni,

    I'm going to turn in for the night, but I thought you should know that I clicked on the buttons of Rogue Killer and under the DNS button I found several undeleted files and made the following report, in case it's important:

    RogueKiller V8.8.15 [Mar 27 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : a [Admin rights]
    Mode : Remove -- Date : 05/27/2014 01:22:57
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 0 ¤¤¤

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤
    -> F:\windows\system32\config\SYSTEM | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\windows\system32\config\SOFTWARE | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\windows\system32\config\SECURITY | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\Documents and Settings\a\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> F:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - F:] | SYSTEMINFO [Sys - C:] [Sys32 - FOUND] | USERINFO [Startup - FOUND]
    -> G:\Documents and Settings\Administrator\NTUSER.DAT | DRVINFO [Drv - G:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
    -> G:\Documents and Settings\Bert Bell\NTUSER.DAT | DRVINFO [Drv - G:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
    -> G:\Documents and Settings\Default User\NTUSER.DAT | DRVINFO [Drv - G:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
    -> G:\Documents and Settings\LocalService\NTUSER.DAT | DRVINFO [Drv - G:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
    -> G:\Documents and Settings\NetworkService\NTUSER.DAT | DRVINFO [Drv - G:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - FOUND]
    -> H:\windows\system32\config\SYSTEM | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
    -> H:\windows\system32\config\SOFTWARE | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]
    -> H:\windows\system32\config\SECURITY | DRVINFO [Drv - H:] | SYSTEMINFO [Sys - NO_SYS] [Sys32 - NOT_FOUND] | USERINFO [Startup - NOT_FOUND]

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts


    127.0.0.1 localhost


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) SanDisk SDSSDH2256G ATA Device +++++
    --- User ---
    [MBR] 86b26a104223c5f8e26229c0335f8a08
    [BSP] 478bd86baff27e9a6f1e98527ac07c17 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 244096 MB
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive1: (\\.\PHYSICALDRIVE1 @ IDE) ST31000524AS ATA Device +++++
    --- User ---
    [MBR] 488f113d06f47f98a5aaf6f5198ef189
    [BSP] 06f4e51151f20a9a21b7a52578931521 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 MB
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive2: (\\.\PHYSICALDRIVE2 @ IDE) Hitachi HDS721010DLE630 ATA Device +++++
    --- User ---
    [MBR] 7d2dfedcfd475e7660332ed2771083c9
    [BSP] 36b66c9a3bb76e735c65e325c4c90997 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 476938 MB
    User = LL1 ... OK!
    User = LL2 ... OK!

    +++++ PhysicalDrive3: (\\.\PHYSICALDRIVE3 @ USB) WD My Passport 0748 USB Device +++++
    --- User ---
    [MBR] b6d7c2cbe2f993245ca02ead3741ca4e
    [BSP] 06407b54e3dc4a35bb488ba6f00e41b3 : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1907696 MB
    User = LL1 ... OK!
    Error reading LL2 MBR! ([0x32] The request is not supported. )

    Finished : << RKreport[0]_D_05272014_012257.txt >>
    RKreport[0]_D_05262014_230022.txt;RKreport[0]_D_05272014_011859.txt;RKreport[0]_S_05262014_225923.txt
    RKreport[0]_S_05272014_011821.txt;RKreport[0]_S_05272014_012108.txt;RKreport[0]_S_05272014_012232.txt
  5. 2014/05/27
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Hi again, broni,

    Concerning my last post, I noticed that Rogue Killer gave an instruction to Fix DNS, so I followed the instruction and the files were replaced.
  6. 2014/05/27
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    [​IMG] Please re-read my rules posted in my reply #4 especially:

    [​IMG] Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    [​IMG] Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  7. 2014/05/27
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Joined:
    2008/05/26
    Messages:
    456
    Likes Received:
    1
    Hi Broni,

    Here's the AdwCleaner Report:

    # AdwCleaner v3.211 - Report created 27/05/2014 at 21:57:28
    # Updated 26/05/2014 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : a - BBELL-PC
    # Running from : C:\Users\a\Desktop\AdwCleaner (5).exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\Windows\Installer\{813BA625-B0FA-48D8-9B75-59759C88C219}
    Folder Deleted : C:\Users\a\appData\Local\iac
    Folder Deleted : C:\Users\a\appData\Roaming\1H1Q
    Folder Deleted : C:\Users\a\appData\Roaming\DownLite

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\fgeapihpgbepllencafcpkfbjlkogfan
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4ED063C9-4A0B-4B44-A9DC-23AFF424A0D3}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C358B3D0-B911-41E3-A276-E7D43A6BA56D}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{0F2C9A6B-A0ED-4189-B086-C0E76D80EB91}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2F4D7835-42B0-4BA7-9587-1B01393F78EE}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{164EA1FC-B0A0-4202-8C65-E4BA4D54A3AE}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{89B7AE32-9C52-41D6-A64D-14D7BDEC9C58}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FA460720-7B38-421D-981C-66F0AE288FB9}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{30CBDB40-5B21-481B-A09B-F87CEF73F020}
    Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{952EEDFD-A98B-4670-9BDD-3634C8846FC1}
    Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{77AA745B-F4F8-45DA-9B14-61D2D95054C8}
    Key Deleted : HKCU\Software\SecuredDownload
    Key Deleted : HKCU\Software\TENCENT
    Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
    Key Deleted : HKCU\Software\AppDataLow\Software
    Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
    Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
    Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
    Key Deleted : HKLM\Software\TENCENT
    Key Deleted : HKLM\Software\Classes\Installer\Features\526AB318AF0B8D84B9579557C9882C91

    ***** [ Browsers ] *****

    -\\ Internet Explorer v10.0.9200.16866


    -\\ Mozilla Firefox v28.0 (en-US)

    [ File : C:\Users\a\appData\Roaming\Mozilla\Firefox\Profiles\trvt8chr.default\prefs.js ]


    -\\ Google Chrome v

    *************************

    AdwCleaner[R0].txt - [5714 octets] - [28/11/2013 18:36:10]
    AdwCleaner[R1].txt - [1058 octets] - [01/12/2013 00:32:52]
    AdwCleaner[R2].txt - [4016 octets] - [24/02/2014 09:30:50]
    AdwCleaner[R3].txt - [7534 octets] - [24/02/2014 09:49:41]
    AdwCleaner[R4].txt - [1250 octets] - [24/02/2014 09:56:11]
    AdwCleaner[R5].txt - [5932 octets] - [24/02/2014 10:06:38]
    AdwCleaner[R6].txt - [3800 octets] - [27/05/2014 21:53:04]
    AdwCleaner[S0].txt - [4878 octets] - [28/11/2013 18:39:57]
    AdwCleaner[S1].txt - [1122 octets] - [01/12/2013 00:35:16]
    AdwCleaner[S2].txt - [6448 octets] - [24/02/2014 09:53:30]
    AdwCleaner[S3].txt - [1312 octets] - [24/02/2014 09:57:28]
    AdwCleaner[S4].txt - [5422 octets] - [24/02/2014 10:08:18]
    AdwCleaner[S5].txt - [3548 octets] - [27/05/2014 21:57:28]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt - [3608 octets] ##########
     
  8. 2014/05/27
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Joined:
    2008/05/26
    Messages:
    456
    Likes Received:
    1
    Here's the JRT scan:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.1.4 (04.06.2014:1)
    OS: Windows 7 Home Premium x64
    Ran by a on Tue 05/27/2014 at 22:07:06.22
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys



    ~~~ Files



    ~~~ Folders



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Tue 05/27/2014 at 22:12:16.12
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
  9. 2014/05/27
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Joined:
    2008/05/26
    Messages:
    456
    Likes Received:
    1
    Hi Broni,
    This is the only OTL scan I see. I couldn't tell where one ended and the other began:

    OTL logfile created on: 5/27/2014 10:19:27 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\a\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.10.9200.16866)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    7.95 Gb Total Physical Memory | 4.12 Gb Available Physical Memory | 51.83% Memory free
    15.90 Gb Paging File | 11.71 Gb Available in Paging File | 73.66% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 238.37 Gb Total Space | 182.40 Gb Free Space | 76.52% Space Free | Partition Type: NTFS
    Drive F: | 465.76 Gb Total Space | 452.78 Gb Free Space | 97.21% Space Free | Partition Type: NTFS
    Drive G: | 931.50 Gb Total Space | 863.28 Gb Free Space | 92.68% Space Free | Partition Type: NTFS
    Drive H: | 1862.98 Gb Total Space | 711.66 Gb Free Space | 38.20% Space Free | Partition Type: NTFS

    Computer Name: BBELL-PC | User Name: a | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2014/05/27 22:15:43 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\a\Downloads\OTL.exe
    PRC - [2014/05/13 14:19:46 | 001,473,792 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2014\avgfws.exe
    PRC - [2014/05/13 14:18:32 | 005,181,456 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2014\avgui.exe
    PRC - [2014/05/13 14:15:28 | 000,292,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
    PRC - [2014/04/04 16:54:06 | 000,617,112 | ---- | M] (Kingsoft Corporation) -- F:\Program Files\MyDrivers\DriverGenius2013\ksoft\kgeniustray.exe
    PRC - [2014/04/04 16:51:29 | 000,326,000 | ---- | M] (MyDrivers.com) -- F:\Program Files\MyDrivers\DriverGenius2013\dgservice.exe
    PRC - [2013/03/20 18:28:20 | 007,084,672 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
    PRC - [2011/01/10 09:24:20 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files (x86)\Secunia\PSI\psia.exe
    PRC - [2011/01/10 09:24:20 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files (x86)\Secunia\PSI\sua.exe
    PRC - [2011/01/10 09:24:20 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files (x86)\Secunia\PSI\psi_tray.exe


    ========== Modules (No Company Name) ==========

    MOD - [2014/01/27 13:37:15 | 000,589,168 | ---- | M] () -- F:\Program Files\MyDrivers\DriverGenius2013\ksoft\ksfskin.dll
    MOD - [2014/01/27 13:37:15 | 000,081,280 | ---- | M] () -- F:\Program Files\MyDrivers\DriverGenius2013\ksoft\zlib1.dll
    MOD - [2014/01/20 13:17:04 | 000,073,544 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2014/01/20 13:16:38 | 001,044,808 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
    MOD - [2013/11/21 10:14:02 | 000,080,528 | ---- | M] () -- C:\Program Files (x86)\EMET 4.1\EMET_CE.dll


    ========== Services (SafeList) ==========

    SRV - [2014/05/17 11:27:54 | 000,257,712 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2014/05/13 14:23:04 | 003,644,432 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe -- (AVGIDSAgent)
    SRV - [2014/05/13 14:19:46 | 001,473,792 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2014\avgfws.exe -- (avgfws)
    SRV - [2014/05/13 14:15:28 | 000,292,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe -- (avgwd)
    SRV - [2014/04/04 16:51:29 | 000,326,000 | ---- | M] (MyDrivers.com) [Auto | Running] -- F:\Program Files\MyDrivers\DriverGenius2013\dgservice.exe -- (DGPNPSEV)
    SRV - [2014/02/27 11:37:36 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2014/02/07 05:41:21 | 005,093,216 | ---- | M] (TeamViewer GmbH) [On_Demand | Stopped] -- C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe -- (TeamViewer8)
    SRV - [2013/12/21 01:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2013/09/14 08:08:16 | 003,783,672 | ---- | M] (Acronis) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
    SRV - [2013/09/11 21:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2013/03/20 18:28:20 | 007,084,672 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe -- (syncagentsrv)
    SRV - [2013/02/15 12:01:52 | 001,143,720 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
    SRV - [2011/01/10 09:24:20 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files (x86)\Secunia\PSI\psia.exe -- (Secunia PSI Agent)
    SRV - [2011/01/10 09:24:20 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files (x86)\Secunia\PSI\sua.exe -- (Secunia Update Agent)
    SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
    SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2000/02/11 12:20:16 | 000,491,578 | ---- | M] (Wacom Technology, Corp.) [Auto | Stopped] -- C:\Windows\SysWOW64\Tablet.exe -- (TabletService)


    ========== Driver Services (SafeList) ==========

    DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,NewTabPageShow = 1
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com
    IE - HKLM\..\SearchScopes,DefaultScope =
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\..\SearchScopes\{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}


    IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.ca/
    IE - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
    IE - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:28.0
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
    FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@kingsfot.com/npkws: C:\Program Files (x86)\kingsoft\kingsoft antivirus\npkws.dll File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3508.0205: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.1: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.2: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKLM\Software\MozillaPlugins\@wacom.com/wacom-plugin,version=1.1.0.10: C:\Program Files (x86)\TabletPlugins\npwacom.dll File not found
    FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll File not found
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll File not found
    FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll File not found
    FF - HKCU\Software\MozillaPlugins\wacom.com/WacomTabletPlugin: C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll File not found

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 28.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 28.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{8492baab-62ca-4e2c-983b-dfef7cae8082}: C:\Program Files (x86)\PassShow\154.xpi

    [2013/11/18 23:24:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\a\AppData\Roaming\Mozilla\Extensions
    [2013/11/18 23:24:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\a\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
    [2014/05/04 15:58:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\trvt8chr.default\extensions
    [2014/02/27 11:37:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
    [2014/02/27 11:37:37 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

    O1 HOSTS File: ([2014/05/27 01:33:51 | 000,000,741 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O2 - BHO: (WOT Helper) - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll ()
    O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll ()
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll ()
    O4 - HKLM..\Run: [AVG_UI] C:\Program Files (x86)\AVG\AVG2014\avgui.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [EMET 4.1 Agent] C:\Program Files (x86)\EMET 4.1\EMET_agent.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [kxesc] "c:\program files (x86)\kingsoft\kingsoft antiviruskxetray.exe" -autorun File not found
    O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - Reg Error: Key error. File not found
    O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - Reg Error: Key error. File not found
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O15 - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\..Trusted Domains: google.ca ([www] https in Trusted sites)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0A40FBDD-0CB3-40AF-B79D-DF9F8FBAD2EB}: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0A40FBDD-0CB3-40AF-B79D-DF9F8FBAD2EB}: Domain = Blockless
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{398F358A-DB6A-4710-80FC-A933143285B5}: Domain = Blockless
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D6519705-1949-4980-9DF6-E96A2938CE7C}: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D6519705-1949-4980-9DF6-E96A2938CE7C}: Domain = Blockless
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll ()
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2014/01/27 16:10:12 | 000,000,000 | ---- | M] () - F:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2013/07/21 06:43:23 | 000,000,000 | ---- | M] () - H:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2014/05/27 00:45:11 | 000,000,000 | ---D | C] -- C:\Users\a\AppData\Roaming\AVG2014
    [2014/05/27 00:42:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
    [2014/05/27 00:42:41 | 000,000,000 | -H-D | C] -- C:\$AVG
    [2014/05/27 00:42:41 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2014
    [2014/05/27 00:42:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG
    [2014/05/27 00:38:58 | 000,000,000 | ---D | C] -- C:\Users\a\AppData\Local\Avg2014
    [2014/05/27 00:21:38 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2014/05/27 00:21:36 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2014/05/27 00:16:45 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2014/05/27 00:16:45 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2014/05/27 00:16:45 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2014/05/27 00:16:37 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2014/05/27 00:16:23 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2014/05/27 00:15:04 | 005,200,919 | R--- | C] (Swearware) -- C:\Users\a\Desktop\ComboFix.exe
    [2014/05/27 00:04:50 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2014/05/26 23:52:28 | 001,940,216 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\a\Desktop\rkill.exe
    [2014/05/26 23:49:07 | 011,519,096 | ---- | C] (OPSWAT, Inc.) -- C:\Users\a\Desktop\AppRemover.exe
    [2014/05/26 23:06:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    [2014/05/26 23:04:56 | 000,000,000 | ---D | C] -- C:\Users\a\Desktop\mbar
    [2014/05/26 22:55:15 | 000,000,000 | ---D | C] -- C:\Users\a\Desktop\RK_Quarantine
    [2014/05/25 15:43:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
    [2014/05/25 15:42:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
    [2014/05/18 01:09:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    [2014/05/18 01:09:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
    [2014/05/18 01:09:15 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    [2014/05/15 00:21:09 | 000,080,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
    [2014/05/14 21:27:55 | 003,969,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
    [2014/05/14 21:27:55 | 003,914,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
    [2014/05/14 21:27:54 | 000,538,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\objsel.dll
    [2014/05/14 21:27:54 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cngprovider.dll
    [2014/05/14 21:27:54 | 000,049,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\adprovider.dll
    [2014/05/14 21:27:54 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\capiprovider.dll
    [2014/05/14 21:27:54 | 000,047,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dpapiprovider.dll
    [2014/05/14 21:27:54 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dimsroam.dll
    [2014/05/14 21:27:54 | 000,035,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wincredprovider.dll
    [2014/04/30 23:19:36 | 000,000,000 | ---D | C] -- C:\Users\a\AppData\Local\Blockless
    [2014/04/28 10:27:40 | 000,000,000 | ---D | C] -- C:\Users\a\AppData\Local\liebao
    [2014/04/28 10:24:08 | 000,000,000 | ---D | C] -- C:\Users\a\AppData\Local\Kingsoft
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2014/05/27 21:59:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2014/05/27 21:59:19 | 2107,809,791 | -HS- | M] () -- C:\hiberfil.sys
    [2014/05/27 21:40:11 | 001,327,971 | ---- | M] () -- C:\Users\a\Desktop\AdwCleaner (5).exe
    [2014/05/27 20:42:10 | 000,000,612 | ---- | M] () -- C:\Users\a\Desktop\I need help with very strange Chinese SPAM-Malware - WindowsBBS Forum.website
    [2014/05/27 17:47:06 | 000,000,471 | ---- | M] () -- C:\Users\a\Desktop\Outlook - Copy.website
    [2014/05/27 00:15:04 | 005,200,919 | R--- | M] (Swearware) -- C:\Users\a\Desktop\ComboFix.exe
    [2014/05/26 23:54:05 | 000,001,118 | ---- | M] () -- C:\Users\a\Desktop\iExplore - Shortcut.lnk
    [2014/05/26 23:52:28 | 001,940,216 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\a\Desktop\rkill.exe
    [2014/05/26 23:49:09 | 011,519,096 | ---- | M] (OPSWAT, Inc.) -- C:\Users\a\Desktop\AppRemover.exe
    [2014/05/26 19:27:11 | 000,000,458 | ---- | M] () -- C:\Users\a\Documents\Updated AVG scan.csv
    [2014/05/26 15:29:09 | 000,000,452 | ---- | M] () -- C:\Users\a\Desktop\eBible.website
    [2014/05/26 15:27:21 | 000,000,464 | ---- | M] () -- C:\Users\a\Desktop\windows-oem.com.website
    [2014/05/26 15:26:46 | 000,000,522 | ---- | M] () -- C:\Users\a\Desktop\Inbox (1) - bbbellisimo@gmail.com - Gmail.website
    [2014/05/22 18:36:51 | 000,000,550 | ---- | M] () -- C:\Users\a\Desktop\max mclean audio bible - YouTube.website
    [2014/05/20 19:05:04 | 000,000,455 | ---- | M] () -- C:\Users\a\Desktop\See how many carbs, proteins, and fats you need to build muscle.website
    [2014/05/18 17:06:15 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2014/05/17 11:27:53 | 000,692,400 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
    [2014/05/17 11:27:53 | 000,070,832 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    [2014/05/10 00:56:08 | 000,000,713 | ---- | M] () -- C:\Users\a\Desktop\Visual Impact of Wet AMD—LUCENTIS (ranibizumab injection).website
    [2014/05/05 22:48:50 | 000,080,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
    [2014/05/05 10:52:11 | 000,000,427 | ---- | M] () -- C:\Users\a\Desktop\192.168.2.1.website
    [2014/05/04 18:29:26 | 000,000,546 | ---- | M] () -- C:\Users\a\Desktop\How to run the System File Checker Tool in Windows 7 - YouTube.website
    [2014/04/30 00:51:23 | 000,000,341 | ---- | M] () -- C:\Users\a\Desktop\Commentaries Matthew Henry.website
    [2014/04/28 10:26:01 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job_
    [2014/04/28 00:03:55 | 000,000,515 | ---- | M] () -- C:\Users\a\Desktop\among the stones by Bert Bell.website
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2014/05/27 21:40:09 | 001,327,971 | ---- | C] () -- C:\Users\a\Desktop\AdwCleaner (5).exe
    [2014/05/27 00:16:45 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2014/05/27 00:16:45 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2014/05/27 00:16:45 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2014/05/27 00:16:45 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2014/05/27 00:16:45 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2014/05/26 23:54:05 | 000,001,118 | ---- | C] () -- C:\Users\a\Desktop\iExplore - Shortcut.lnk
    [2014/05/26 19:27:11 | 000,000,458 | ---- | C] () -- C:\Users\a\Documents\Updated AVG scan.csv
    [2014/05/26 01:32:30 | 000,000,612 | ---- | C] () -- C:\Users\a\Desktop\I need help with very strange Chinese SPAM-Malware - WindowsBBS Forum.website
    [2014/05/20 19:05:04 | 000,000,455 | ---- | C] () -- C:\Users\a\Desktop\See how many carbs, proteins, and fats you need to build muscle.website
    [2014/05/05 10:45:01 | 000,000,427 | ---- | C] () -- C:\Users\a\Desktop\192.168.2.1.website
    [2014/05/02 13:49:37 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2014/04/30 10:07:52 | 000,000,471 | ---- | C] () -- C:\Users\a\Desktop\Outlook - Copy.website
    [2014/04/30 00:51:23 | 000,000,341 | ---- | C] () -- C:\Users\a\Desktop\Commentaries Matthew Henry.website
    [2014/02/23 23:58:56 | 000,000,132 | ---- | C] () -- C:\Users\a\AppData\Roaming\Adobe PNG Format CS5 Prefs
    [2014/01/31 14:19:16 | 000,000,058 | ---- | C] () -- C:\Users\a\AppData\Roaming\WB.CFG
    [2014/01/25 02:18:14 | 000,000,484 | ---- | C] () -- C:\Windows\SysWow64\wacom.dat
    [2014/01/25 02:18:10 | 000,053,248 | ---- | C] () -- C:\Windows\SysWow64\TabUnst.dll
    [2014/01/25 02:18:10 | 000,015,744 | ---- | C] () -- C:\Windows\SysWow64\wintab.dll
    [2014/01/25 01:10:44 | 000,000,198 | ---- | C] () -- C:\Windows\PowerReg.dat
    [2013/11/27 20:27:19 | 000,000,132 | ---- | C] () -- C:\Users\a\AppData\Roaming\Adobe BMP Format CS5 Prefs
    [2013/11/26 04:47:59 | 000,005,120 | ---- | C] () -- C:\Users\a\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2013/11/18 23:24:15 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2013/11/17 16:56:03 | 000,000,017 | ---- | C] () -- C:\Users\a\AppData\Local\resmon.resmoncfg
    [2013/08/27 21:53:35 | 000,000,066 | ---- | C] () -- C:\Windows\ESPR200.ini
    [2013/08/01 16:07:07 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
    [2013/07/31 20:49:16 | 000,774,592 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2013/07/31 15:37:39 | 000,000,000 | ---- | C] () -- C:\Windows\lgfwup.ini
    [2013/07/31 14:58:09 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
    [2012/11/16 15:01:08 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
    [2012/11/16 15:01:08 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat

    ========== ZeroAccess Check ==========

    [2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    " " = C:\Windows\SysNative\shell32.dll -- [2014/03/24 21:43:12 | 014,175,744 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    " " = %SystemRoot%\system32\shell32.dll -- [2014/03/24 21:09:54 | 012,874,240 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    " " = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    " " = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    " " = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    ========== Files - Unicode (All) ==========
    [2014/05/20 21:43:06 | 000,000,806 | ---- | M] ()(C:\Users\a\Desktop\? Lose 50 Pounds Fast With This Ski-Step Workout At Home - YouTube.website) -- C:\Users\a\Desktop\▶ Lose 50 Pounds Fast With This Ski-Step Workout At Home - YouTube.website
    [2014/05/20 20:57:20 | 000,000,806 | ---- | C] ()(C:\Users\a\Desktop\? Lose 50 Pounds Fast With This Ski-Step Workout At Home - YouTube.website) -- C:\Users\a\Desktop\▶ Lose 50 Pounds Fast With This Ski-Step Workout At Home - YouTube.website
    [2014/03/22 23:18:51 | 000,001,004 | ---- | M] ()(C:\Users\a\Desktop\? Adobe Photoshop CS6 Full Download with Keygen + Crack Serials [Windows & MAC] - Video Dailymotion.website) -- C:\Users\a\Desktop\▶ Adobe Photoshop CS6 Full Download with Keygen + Crack Serials [Windows & MAC] - Video Dailymotion.website
    [2014/03/13 15:56:48 | 000,001,004 | ---- | C] ()(C:\Users\a\Desktop\? Adobe Photoshop CS6 Full Download with Keygen + Crack Serials [Windows & MAC] - Video Dailymotion.website) -- C:\Users\a\Desktop\▶ Adobe Photoshop CS6 Full Download with Keygen + Crack Serials [Windows & MAC] - Video Dailymotion.website

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_4OLFavIE91410631431
    @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_3SkyDriveFav-324886575
    @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_0OLFavIE91284348923
    @Alternate Data Stream - 34494 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_1OCalFavIE91545382048
    @Alternate Data Stream - 16 bytes -> C:\Users\a\Downloads:Shareaza.GUID
    @Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:5C321E34
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:373E1720
    @Alternate Data Stream - 1150 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_2PeopleFav1370390283

    < End of report >
     
  10. 2014/05/27
    bellisimo, Well-Known Member, Thread Starter
    Broni,

    The Chinese malware just appeared for the first time today :(
     
  11. 2014/05/27
    broni, Moderator, Malware Analyst
    Reset Internet Explorer.
    Go here: http://support.microsoft.com/kb/923737 and run the "FixIt" procedure.
    You can use ANY browser to download the "FixIt" file.
    Make sure you follow ALL steps listed there.

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Code:
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O9 - Extra Button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - Reg Error: Key error. File not found
    O15 - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\..Trusted Domains: google.ca ([www] https in Trusted sites)
    @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_4OLFavIE91410631431
    @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_3SkyDriveFav-324886575
    @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_0OLFavIE91284348923
    @Alternate Data Stream - 34494 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_1OCalFavIE91545382048
    @Alternate Data Stream - 16 bytes -> C:\Users\a\Downloads:Shareaza.GUID
    @Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:5C321E34
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:373E1720
    @Alternate Data Stream - 1150 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_2PeopleFav1370390283
    
    :Services
    
    :Reg
    
    :Files
    C:\FRST
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
    
    • Then click the Run Fix button at the top
    • Let the program run unhindered, and reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

    Last scans...

    Download Security Check from here or here and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document called checkup.txt should open automatically; please post the contents of that document.
    NOTE 1. If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
    NOTE 2. SecurityCheck may produce some false warning(s), so leave the reading of the results to me.


    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
      • Other Services
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run from.
    • Please copy and paste the log into your reply.

    Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double-click on TFC.exe to run the program.
    • Click on the Start button to begin the cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Click on the "Run ESET Online Scanner" button.
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If ESET doesn't find any threats, it won't produce a log.
     
  12. 2014/05/27
    bellisimo, Well-Known Member, Thread Starter
    Hi Broni,

    I'm running the OTL scan now. The malware is really trying to stop me from downloading these programs.
     
  13. 2014/05/27
    bellisimo, Well-Known Member, Thread Starter
    OTL scan (First half):
    OTL logfile created on: 5/27/2014 11:18:49 PM - Run 2
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\a\Downloads
    64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.10.9200.16866)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    7.95 Gb Total Physical Memory | 3.55 Gb Available Physical Memory | 44.61% Memory free
    15.90 Gb Paging File | 11.25 Gb Available in Paging File | 70.75% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
    Drive C: | 238.37 Gb Total Space | 182.82 Gb Free Space | 76.69% Space Free | Partition Type: NTFS
    Drive F: | 465.76 Gb Total Space | 452.75 Gb Free Space | 97.21% Space Free | Partition Type: NTFS
    Drive G: | 931.50 Gb Total Space | 863.28 Gb Free Space | 92.68% Space Free | Partition Type: NTFS
    Drive H: | 1862.98 Gb Total Space | 711.66 Gb Free Space | 38.20% Space Free | Partition Type: NTFS

    Computer Name: BBELL-PC | User Name: a | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2014/05/27 23:17:33 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\a\Downloads\OTL (1).exe
    PRC - [2014/05/27 22:15:43 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\a\Downloads\OTL.exe
    PRC - [2014/05/13 14:19:46 | 001,473,792 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2014\avgfws.exe
    PRC - [2014/05/13 14:18:32 | 005,181,456 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2014\avgui.exe
    PRC - [2014/05/13 14:15:28 | 000,292,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
    PRC - [2014/04/04 16:54:06 | 000,617,112 | ---- | M] (Kingsoft Corporation) -- F:\Program Files\MyDrivers\DriverGenius2013\ksoft\kgeniustray.exe
    PRC - [2014/04/04 16:51:29 | 000,326,000 | ---- | M] (MyDrivers.com) -- F:\Program Files\MyDrivers\DriverGenius2013\dgservice.exe
    PRC - [2013/03/20 18:28:20 | 007,084,672 | ---- | M] (Acronis) -- C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe
    PRC - [2011/01/10 09:24:20 | 000,993,848 | ---- | M] (Secunia) -- C:\Program Files (x86)\Secunia\PSI\psia.exe
    PRC - [2011/01/10 09:24:20 | 000,399,416 | ---- | M] (Secunia) -- C:\Program Files (x86)\Secunia\PSI\sua.exe
    PRC - [2011/01/10 09:24:20 | 000,291,896 | ---- | M] (Secunia) -- C:\Program Files (x86)\Secunia\PSI\psi_tray.exe


    ========== Modules (No Company Name) ==========

    MOD - [2014/01/27 13:37:15 | 000,589,168 | ---- | M] () -- F:\Program Files\MyDrivers\DriverGenius2013\ksoft\ksfskin.dll
    MOD - [2014/01/27 13:37:15 | 000,081,280 | ---- | M] () -- F:\Program Files\MyDrivers\DriverGenius2013\ksoft\zlib1.dll
    MOD - [2014/01/20 13:17:04 | 000,073,544 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
    MOD - [2014/01/20 13:16:38 | 001,044,808 | ---- | M] () -- C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
    MOD - [2013/11/21 10:14:02 | 000,080,528 | ---- | M] () -- C:\Program Files (x86)\EMET 4.1\EMET_CE.dll


    ========== Services (SafeList) ==========

    SRV:64bit: - [2013/10/10 17:54:28 | 000,144,152 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCore64.exe -- (!SASCORE)
    SRV:64bit: - [2013/05/27 00:50:47 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV:64bit: - [2013/05/09 04:22:38 | 000,193,288 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Windows\SysNative\IPROSetMonitor.exe -- (Intel(R)
    SRV:64bit: - [2012/11/16 15:44:58 | 000,238,080 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
    SRV:64bit: - [2012/10/02 13:41:44 | 000,240,584 | ---- | M] (DTS, Inc) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe -- (DTSAudioSvc)
    SRV:64bit: - [2012/07/27 17:27:52 | 002,721,656 | ---- | M] (Condusiv Technologies) [On_Demand | Stopped] -- C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe -- (Diskeeper)
    SRV - [2014/05/17 11:27:54 | 000,257,712 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2014/05/13 14:23:04 | 003,644,432 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Stopped] -- C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe -- (AVGIDSAgent)
    SRV - [2014/05/13 14:19:46 | 001,473,792 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2014\avgfws.exe -- (avgfws)
    SRV - [2014/05/13 14:15:28 | 000,292,424 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe -- (avgwd)
    SRV - [2014/04/04 16:51:29 | 000,326,000 | ---- | M] (MyDrivers.com) [Auto | Running] -- F:\Program Files\MyDrivers\DriverGenius2013\dgservice.exe -- (DGPNPSEV)
    SRV - [2014/02/27 11:37:36 | 000,119,408 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2014/02/07 05:41:21 | 005,093,216 | ---- | M] (TeamViewer GmbH) [On_Demand | Stopped] -- C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe -- (TeamViewer8)
    SRV - [2013/12/21 01:04:16 | 000,065,432 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
    SRV - [2013/09/14 08:08:16 | 003,783,672 | ---- | M] (Acronis) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe -- (afcdpsrv)
    SRV - [2013/09/11 21:21:54 | 000,105,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
    SRV - [2013/03/20 18:28:20 | 007,084,672 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\SyncAgent\syncagentsrv.exe -- (syncagentsrv)
    SRV - [2013/02/15 12:01:52 | 001,143,720 | ---- | M] (Acronis) [Auto | Running] -- C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
    SRV - [2011/01/10 09:24:20 | 000,993,848 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files (x86)\Secunia\PSI\psia.exe -- (Secunia PSI Agent)
    SRV - [2011/01/10 09:24:20 | 000,399,416 | ---- | M] (Secunia) [Auto | Running] -- C:\Program Files (x86)\Secunia\PSI\sua.exe -- (Secunia Update Agent)
    SRV - [2010/02/19 13:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
    SRV - [2009/06/10 16:23:09 | 000,066,384 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
    SRV - [2000/02/11 12:20:16 | 000,491,578 | ---- | M] (Wacom Technology, Corp.) [Auto | Stopped] -- C:\Windows\SysWOW64\Tablet.exe -- (TabletService)


    ========== Driver Services (SafeList) ==========

    DRV:64bit: - [2014/05/13 14:20:26 | 000,235,800 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (Avgldx64)
    DRV:64bit: - [2014/05/13 14:20:06 | 000,273,176 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtdia.sys -- (Avgtdia)
    DRV:64bit: - [2014/05/13 14:06:06 | 000,323,352 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgloga.sys -- (Avgloga)
    DRV:64bit: - [2014/05/13 14:05:40 | 000,191,768 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgidsha.sys -- (AVGIDSHA)
    DRV:64bit: - [2014/05/13 14:05:08 | 000,152,344 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgdiska.sys -- (Avgdiska)
    DRV:64bit: - [2014/05/13 14:05:06 | 000,130,328 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgmfx64.sys -- (Avgmfx64)
    DRV:64bit: - [2014/05/13 14:04:56 | 000,236,312 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\avgidsdrivera.sys -- (AVGIDSDriver)
    DRV:64bit: - [2014/05/13 14:04:30 | 000,031,512 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgrkx64.sys -- (Avgrkx64)
    DRV:64bit: - [2014/04/28 10:27:43 | 000,102,704 | ---- | M] (Kingsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\knbdrv.sys -- (KNBDrv)
    DRV:64bit: - [2014/04/27 13:09:42 | 000,033,128 | ---- | M] (Kingsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\bootsafe64.sys -- (bootsafe)
    DRV:64bit: - [2014/04/27 12:45:04 | 000,225,080 | ---- | M] (Kingsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\kisknl.sys -- (kisknl)
    DRV:64bit: - [2014/04/27 12:45:04 | 000,056,680 | ---- | M] (Kingsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\ksapi64.sys -- (ksapi64)
    DRV:64bit: - [2014/04/27 12:45:04 | 000,031,848 | ---- | M] (Kingsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\kavbootc64.sys -- (KAVBootC)
    DRV:64bit: - [2014/02/24 10:10:22 | 000,016,152 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\SWDUMon.sys -- (SWDUMon)
    DRV:64bit: - [2014/01/27 13:37:15 | 000,399,632 | ---- | M] (MyDrivers.com) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\DgSafe.sys -- (DgSafe)
    DRV:64bit: - [2013/12/17 16:09:02 | 000,061,592 | ---- | M] (NetFilterSDK.com) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\netfilter64.sys -- (netfilter64)
    DRV:64bit: - [2013/11/25 19:48:49 | 000,046,368 | ---- | M] (AVG Technologies) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgtpx64.sys -- (avgtp)
    DRV:64bit: - [2013/09/26 10:44:54 | 000,057,144 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avgfwd6a.sys -- (Avgfwfd)
    DRV:64bit: - [2013/09/14 08:08:16 | 000,367,200 | ---- | M] (Acronis) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\afcdp.sys -- (afcdp)
    DRV:64bit: - [2013/09/14 08:08:15 | 001,462,560 | ---- | M] (Acronis International GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\tdrpman.sys -- (tdrpman)
    DRV:64bit: - [2013/09/14 08:08:14 | 001,120,032 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tib.sys -- (tib)
    DRV:64bit: - [2013/09/14 08:08:14 | 000,183,224 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\tib_mounter.sys -- (tib_mounter)
    DRV:64bit: - [2013/09/14 08:08:13 | 000,161,568 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vididr.sys -- (vididr)
    DRV:64bit: - [2013/09/14 08:08:13 | 000,117,024 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vidsflt.sys -- (vidsflt)
    DRV:64bit: - [2013/09/14 08:08:12 | 000,233,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\snapman.sys -- (snapman)
    DRV:64bit: - [2013/09/14 08:08:11 | 000,108,832 | ---- | M] (Acronis International GmbH) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\fltsrv.sys -- (fltsrv)
    DRV:64bit: - [2013/06/07 22:28:38 | 000,107,368 | ---- | M] (LogMeIn, Inc.) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\LMIRfsClientNP.dll -- (LMIRfsClientNP)
    DRV:64bit: - [2013/05/13 15:36:06 | 000,050,864 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\point64.sys -- (Point64)
    DRV:64bit: - [2013/04/30 09:57:00 | 000,072,216 | ---- | M] (LogMeIn, Inc.) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\LMIRfsDriver.sys -- (LMIRfsDriver)
    DRV:64bit: - [2013/04/30 09:56:42 | 000,011,552 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\lmimirr.sys -- (lmimirr)
    DRV:64bit: - [2013/02/21 00:14:03 | 000,495,888 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\e1c62x64.sys -- (e1cexpress)
    DRV:64bit: - [2013/02/06 00:06:06 | 000,057,840 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\fssfltr.sys -- (fssfltr)
    DRV:64bit: - [2012/12/04 08:21:10 | 000,791,608 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\iusb3xhc.sys -- (iusb3xhc)
    DRV:64bit: - [2012/12/04 08:21:10 | 000,020,024 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iusb3hcs.sys -- (iusb3hcs)
    DRV:64bit: - [2012/12/04 08:21:09 | 000,358,456 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\iusb3hub.sys -- (iusb3hub)
    DRV:64bit: - [2012/11/16 16:08:32 | 011,922,944 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (amdkmdag)
    DRV:64bit: - [2012/11/16 14:39:12 | 000,359,936 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmpag.sys -- (amdkmdap)
    DRV:64bit: - [2012/08/21 13:01:20 | 000,033,240 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
    DRV:64bit: - [2012/07/17 20:12:08 | 000,062,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\HECIx64.sys -- (MEIx64)
    DRV:64bit: - [2012/07/09 14:24:58 | 000,106,832 | ---- | M] (Condusiv Technologies) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\DKTLFSMF.sys -- (DKTLFSMF)
    DRV:64bit: - [2012/06/18 18:44:34 | 000,052,048 | ---- | M] (Condusiv Technologies) [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\DKRtWrt.sys -- (DKRtWrt)
    DRV:64bit: - [2012/06/05 15:45:16 | 000,237,968 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\RtHDMIVX.sys -- (RTHDMIAzAudService)
    DRV:64bit: - [2012/04/05 02:02:54 | 000,040,752 | ---- | M] (Condusiv Technologies) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\DKDFM.sys -- (DKDFM)
    DRV:64bit: - [2012/03/01 01:46:16 | 000,023,408 | ---- | M] (Microsoft Corporation) [Recognizer | Boot | Unknown] -- C:\Windows\SysNative\drivers\fs_rec.sys -- (Fs_Rec)
    DRV:64bit: - [2012/02/21 17:46:18 | 000,396,776 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\asmtxhci.sys -- (asmtxhci)
    DRV:64bit: - [2012/02/21 17:46:18 | 000,130,536 | ---- | M] (ASMedia Technology Inc) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\asmthub3.sys -- (asmthub3)
    DRV:64bit: - [2011/11/16 12:32:08 | 001,667,648 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\netr28ux.sys -- (netr28ux)
    DRV:64bit: - [2011/07/22 11:26:56 | 000,014,928 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
    DRV:64bit: - [2011/07/12 16:55:18 | 000,012,368 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
    DRV:64bit: - [2011/03/11 01:41:12 | 000,107,904 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
    DRV:64bit: - [2011/03/11 01:41:12 | 000,027,008 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
    DRV:64bit: - [2010/11/20 22:24:33 | 000,059,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV:64bit: - [2010/11/20 22:24:15 | 000,146,432 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\rmcast.sys -- (RMCAST)
    DRV:64bit: - [2010/11/20 22:23:47 | 000,078,720 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
    DRV:64bit: - [2010/11/20 22:23:47 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\TsUsbGD.sys -- (TsUsbGD)
    DRV:64bit: - [2010/09/01 03:30:58 | 000,017,976 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\psi_mf.sys -- (PSI)
    DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
    DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
    DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
    DRV:64bit: - [2009/06/19 21:09:57 | 001,394,688 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
    DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
    DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
    DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
    DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
    DRV:64bit: - [2008/05/06 16:06:00 | 000,014,464 | ---- | M] (Western Digital Technologies) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\wdcsam64.sys -- (WDC_SAM)
    DRV - [2009/07/13 20:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\wimmount.sys -- (WIMMount)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=ir_14_14_ie&cd=2XzuyEtN2Y1L1QzutAtDzzyD0AzytA0C0AtD0E0D0BtA0E0BtN0D0Tzu0SzztBtCtN1L2XzutBtFtCzztFzztFtDtN1L1CzutCyEtDtAtDyD1V1QtN1L1G1B1V1N2Y1L1Qzu2SyB0FyCtBtDtCyDtAtGyCtDyBtBtG0ByD0D0EtGtAtDtC0BtGtBtBzy0B0A0AyCtC0AyB0Ezy2QtN1M1F1B2Z1V1N2Y1L1Qzu2StCzzzztCtAyDzyyEtG0D0Dzy0CtGyEtCzyyDtG0B0C0AyBtGtCzzzztDtD0DtCtBtDtA0A0C2Q&cr=76446987&ir=
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,NewTabPageShow = 1
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.google.com
    IE - HKLM\..\SearchScopes,DefaultScope =
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKLM\..\SearchScopes\{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://g.msn.com/1me10IE11ENUS/MCM_WCP
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.google.ca/
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
    IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

    ========== FireFox ==========

    FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:28.0
    FF - user.js - File not found

    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_12_0_0_77.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=11.5.2: C:\Program Files\Java\jre8\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=11.5.2: C:\Program Files\Java\jre8\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect_x86_64: C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll File not found
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_12_0_0_77.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
    FF - HKLM\Software\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@kingsfot.com/npkws: C:\Program Files (x86)\kingsoft\kingsoft antivirus\npkws.dll File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3508.0205: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.1: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.2: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKLM\Software\MozillaPlugins\@wacom.com/wacom-plugin,version=1.1.0.10: C:\Program Files (x86)\TabletPlugins\npwacom.dll File not found
    FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll File not found
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll File not found
    FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll File not found
    FF - HKCU\Software\MozillaPlugins\wacom.com/WacomTabletPlugin: C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll File not found

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 28.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 28.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{8492baab-62ca-4e2c-983b-dfef7cae8082}: C:\Program Files (x86)\PassShow\154.xpi

    [2013/11/18 23:24:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\a\AppData\Roaming\Mozilla\Extensions
    [2013/11/18 23:24:15 | 000,000,000 | ---D | M] (No name found) -- C:\Users\a\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
    [2014/05/04 15:58:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\a\AppData\Roaming\Mozilla\Firefox\Profiles\trvt8chr.default\extensions
    [2014/02/27 11:37:34 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
    [2014/02/27 11:37:37 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
     
  14. 2014/05/27
    bellisimo Well-Known Member Thread Starter
    OTL scan (2nd half):
    O1 HOSTS File: ([2014/05/27 01:33:51 | 000,000,741 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O3:64bit: - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3 - HKLM\..\Toolbar: (WOT) - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll ()
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
    O3:64bit: - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll ()
    O3 - HKCU\..\Toolbar\WebBrowser: (WOT) - {71576546-354D-41C9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll ()
    O4:64bit: - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
    O4:64bit: - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
    O4 - HKLM..\Run: [AVG_UI] C:\Program Files (x86)\AVG\AVG2014\avgui.exe (AVG Technologies CZ, s.r.o.)
    O4 - HKLM..\Run: [EMET 4.1 Agent] C:\Program Files (x86)\EMET 4.1\EMET_agent.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [kxesc] "c:\program files (x86)\kingsoft\kingsoft antiviruskxetray.exe" -autorun File not found
    O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O9 - Extra Button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - Reg Error: Key error. File not found
    O9 - Extra 'Tools' menuitem : @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - Reg Error: Key error. File not found
    O10:64bit: - NameSpace_Catalog5\Catalog_Entries64\000000000009 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000009 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Inc.)
    O13 - gopher Prefix: missing
    O15 - HKCU\..Trusted Domains: google.ca ([www] https in Trusted sites)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0A40FBDD-0CB3-40AF-B79D-DF9F8FBAD2EB}: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0A40FBDD-0CB3-40AF-B79D-DF9F8FBAD2EB}: Domain = Blockless
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{398F358A-DB6A-4710-80FC-A933143285B5}: Domain = Blockless
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D6519705-1949-4980-9DF6-E96A2938CE7C}: DhcpNameServer = 192.168.2.1
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D6519705-1949-4980-9DF6-E96A2938CE7C}: Domain = Blockless
    O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
    O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
    O18:64bit: - Protocol\Handler\mso-offdap - No CLSID value found
    O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
    O18:64bit: - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll ()
    O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    O18 - Protocol\Handler\wot {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll ()
    O18:64bit: - Protocol\Filter\text/xml - No CLSID value found
    O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
    O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O28 - HKLM ShellExecuteHooks: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - No CLSID value found.
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2014/01/27 16:10:12 | 000,000,000 | ---- | M] () - F:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2013/07/21 06:43:23 | 000,000,000 | ---- | M] () - H:\AUTOEXEC.BAT -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35:64bit: - HKLM\..comfile [open] -- "%1" %*
    O35:64bit: - HKLM\..exefile [open] -- "%1" %*
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
    O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2014/05/27 00:45:11 | 000,000,000 | ---D | C] -- C:\Users\a\AppData\Roaming\AVG2014
    [2014/05/27 00:42:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
    [2014/05/27 00:42:41 | 000,000,000 | -H-D | C] -- C:\$AVG
    [2014/05/27 00:42:41 | 000,000,000 | ---D | C] -- C:\ProgramData\AVG2014
    [2014/05/27 00:42:19 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AVG
    [2014/05/27 00:38:58 | 000,000,000 | ---D | C] -- C:\Users\a\AppData\Local\Avg2014
    [2014/05/27 00:21:38 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2014/05/27 00:21:36 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2014/05/27 00:16:45 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2014/05/27 00:16:45 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2014/05/27 00:16:45 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
    [2014/05/27 00:16:37 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2014/05/27 00:16:23 | 000,000,000 | ---D | C] -- C:\Windows\erdnt
    [2014/05/27 00:15:04 | 005,200,919 | R--- | C] (Swearware) -- C:\Users\a\Desktop\ComboFix.exe
    [2014/05/27 00:04:50 | 000,000,000 | ---D | C] -- C:\Config.Msi
    [2014/05/26 23:52:28 | 001,940,216 | ---- | C] (Bleeping Computer, LLC) -- C:\Users\a\Desktop\rkill.exe
    [2014/05/26 23:49:07 | 011,519,096 | ---- | C] (OPSWAT, Inc.) -- C:\Users\a\Desktop\AppRemover.exe
    [2014/05/26 23:06:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    [2014/05/26 23:04:56 | 000,000,000 | ---D | C] -- C:\Users\a\Desktop\mbar
    [2014/05/26 22:55:15 | 000,000,000 | ---D | C] -- C:\Users\a\Desktop\RK_Quarantine
    [2014/05/25 15:43:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
    [2014/05/25 15:42:59 | 000,313,256 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\javaws.exe
    [2014/05/25 15:42:56 | 000,191,400 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\javaw.exe
    [2014/05/25 15:42:56 | 000,190,888 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\java.exe
    [2014/05/25 15:42:56 | 000,111,016 | ---- | C] (Oracle Corporation) -- C:\Windows\SysNative\WindowsAccessBridge-64.dll
    [2014/05/25 15:42:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
    [2014/05/18 01:09:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
    [2014/05/18 01:09:15 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
    [2014/05/18 01:09:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\iTunes
    [2014/05/18 01:09:15 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
    [2014/05/18 01:09:15 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
    [2014/05/15 00:21:09 | 000,097,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
    [2014/05/15 00:21:09 | 000,080,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
    [2014/05/14 21:28:03 | 000,477,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aepdu.dll
    [2014/05/14 21:28:03 | 000,424,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\aeinv.dll
    [2014/05/14 21:27:55 | 005,550,016 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
    [2014/05/14 21:27:55 | 003,969,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
    [2014/05/14 21:27:55 | 003,914,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
    [2014/05/14 21:27:55 | 001,460,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\lsasrv.dll
    [2014/05/14 21:27:55 | 000,722,944 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\objsel.dll
    [2014/05/14 21:27:55 | 000,455,168 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\winlogon.exe
    [2014/05/14 21:27:54 | 000,538,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\objsel.dll
    [2014/05/14 21:27:54 | 000,424,960 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\KernelBase.dll
    [2014/05/14 21:27:54 | 000,136,192 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sspicli.dll
    [2014/05/14 21:27:54 | 000,057,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\cngprovider.dll
    [2014/05/14 21:27:54 | 000,056,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\adprovider.dll
    [2014/05/14 21:27:54 | 000,053,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\capiprovider.dll
    [2014/05/14 21:27:54 | 000,052,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dpapiprovider.dll
    [2014/05/14 21:27:54 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\cngprovider.dll
    [2014/05/14 21:27:54 | 000,049,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\adprovider.dll
    [2014/05/14 21:27:54 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\capiprovider.dll
    [2014/05/14 21:27:54 | 000,047,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dpapiprovider.dll
    [2014/05/14 21:27:54 | 000,044,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\dimsroam.dll
    [2014/05/14 21:27:54 | 000,039,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\wincredprovider.dll
    [2014/05/14 21:27:54 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\dimsroam.dll
    [2014/05/14 21:27:54 | 000,035,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\wincredprovider.dll
    [2014/05/14 21:27:54 | 000,029,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\sspisrv.dll
    [2014/05/14 21:27:54 | 000,028,160 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secur32.dll
    [2014/05/13 14:20:26 | 000,235,800 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgldx64.sys
    [2014/05/13 14:20:06 | 000,273,176 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgtdia.sys
    [2014/05/13 14:06:06 | 000,323,352 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgloga.sys
    [2014/05/13 14:05:40 | 000,191,768 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgidsha.sys
    [2014/05/13 14:05:08 | 000,152,344 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgdiska.sys
    [2014/05/13 14:05:06 | 000,130,328 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgmfx64.sys
    [2014/05/13 14:04:56 | 000,236,312 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgidsdrivera.sys
    [2014/05/13 14:04:30 | 000,031,512 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgrkx64.sys
    [2014/05/06 00:39:50 | 000,000,000 | --SD | C] -- C:\Windows\SysNative\CompatTel
    [2014/04/30 23:19:36 | 000,000,000 | ---D | C] -- C:\Users\a\AppData\Local\Blockless
    [2014/04/28 10:27:43 | 000,102,704 | ---- | C] (Kingsoft Corporation) -- C:\Windows\SysNative\drivers\KNBDrv64.sys
    [2014/04/28 10:27:43 | 000,102,704 | ---- | C] (Kingsoft Corporation) -- C:\Windows\SysNative\drivers\knbdrv.sys
    [2014/04/28 10:27:40 | 000,000,000 | ---D | C] -- C:\Users\a\AppData\Local\liebao
    [2014/04/28 10:24:08 | 000,000,000 | ---D | C] -- C:\Users\a\AppData\Local\Kingsoft
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2014/05/27 23:14:43 | 000,000,405 | ---- | M] () -- C:\Users\a\Desktop\How to reset Internet Explorer settings.website
    [2014/05/27 23:05:06 | 000,000,449 | ---- | M] () -- C:\Users\a\Desktop\Fix Internet Explorer issues to make IE fast, safe and stable.website
    [2014/05/27 22:06:30 | 000,029,136 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2014/05/27 22:06:30 | 000,029,136 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2014/05/27 22:03:45 | 000,782,470 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
    [2014/05/27 22:03:45 | 000,662,384 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
    [2014/05/27 22:03:45 | 000,122,252 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
    [2014/05/27 21:59:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2014/05/27 21:59:19 | 2107,809,791 | -HS- | M] () -- C:\hiberfil.sys
    [2014/05/27 21:40:11 | 001,327,971 | ---- | M] () -- C:\Users\a\Desktop\AdwCleaner (5).exe
    [2014/05/27 20:42:10 | 000,000,612 | ---- | M] () -- C:\Users\a\Desktop\I need help with very strange Chinese SPAM-Malware - WindowsBBS Forum.website
    [2014/05/27 17:47:06 | 000,000,471 | ---- | M] () -- C:\Users\a\Desktop\Outlook - Copy.website
    [2014/05/27 01:33:51 | 000,000,741 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
    [2014/05/27 00:15:04 | 005,200,919 | R--- | M] (Swearware) -- C:\Users\a\Desktop\ComboFix.exe
    [2014/05/26 23:54:05 | 000,001,118 | ---- | M] () -- C:\Users\a\Desktop\iExplore - Shortcut.lnk
    [2014/05/26 23:52:28 | 001,940,216 | ---- | M] (Bleeping Computer, LLC) -- C:\Users\a\Desktop\rkill.exe
    [2014/05/26 23:49:09 | 011,519,096 | ---- | M] (OPSWAT, Inc.) -- C:\Users\a\Desktop\AppRemover.exe
    [2014/05/26 19:27:11 | 000,000,458 | ---- | M] () -- C:\Users\a\Documents\Updated AVG scan.csv
    [2014/05/26 15:29:09 | 000,000,452 | ---- | M] () -- C:\Users\a\Desktop\eBible.website
    [2014/05/26 15:27:21 | 000,000,464 | ---- | M] () -- C:\Users\a\Desktop\windows-oem.com.website
    [2014/05/26 15:26:46 | 000,000,522 | ---- | M] () -- C:\Users\a\Desktop\Inbox (1) - bbbellisimo@gmail.com - Gmail.website
    [2014/05/25 15:42:53 | 000,111,016 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\WindowsAccessBridge-64.dll
    [2014/05/25 15:42:52 | 000,313,256 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\javaws.exe
    [2014/05/25 15:42:52 | 000,191,400 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\javaw.exe
    [2014/05/25 15:42:52 | 000,190,888 | ---- | M] (Oracle Corporation) -- C:\Windows\SysNative\java.exe
    [2014/05/22 18:36:51 | 000,000,550 | ---- | M] () -- C:\Users\a\Desktop\max mclean audio bible - YouTube.website
    [2014/05/20 19:05:04 | 000,000,455 | ---- | M] () -- C:\Users\a\Desktop\See how many carbs, proteins, and fats you need to build muscle.website
    [2014/05/18 17:06:15 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2014/05/17 11:27:53 | 000,692,400 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerApp.exe
    [2014/05/17 11:27:53 | 000,070,832 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
    [2014/05/13 14:20:26 | 000,235,800 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgldx64.sys
    [2014/05/13 14:20:06 | 000,273,176 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgtdia.sys
    [2014/05/13 14:06:06 | 000,323,352 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgloga.sys
    [2014/05/13 14:05:40 | 000,191,768 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgidsha.sys
    [2014/05/13 14:05:08 | 000,152,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgdiska.sys
    [2014/05/13 14:05:06 | 000,130,328 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgmfx64.sys
    [2014/05/13 14:04:56 | 000,236,312 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgidsdrivera.sys
    [2014/05/13 14:04:30 | 000,031,512 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgrkx64.sys
    [2014/05/10 00:56:08 | 000,000,713 | ---- | M] () -- C:\Users\a\Desktop\Visual Impact of Wet AMD—LUCENTIS (ranibizumab injection).website
    [2014/05/09 01:14:03 | 000,477,184 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\aepdu.dll
    [2014/05/09 01:11:23 | 000,424,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\aeinv.dll
    [2014/05/06 00:14:19 | 000,097,280 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\mshtmled.dll
    [2014/05/05 22:48:50 | 000,080,384 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWow64\mshtmled.dll
    [2014/05/05 10:52:11 | 000,000,427 | ---- | M] () -- C:\Users\a\Desktop\192.168.2.1.website
    [2014/05/04 18:29:26 | 000,000,546 | ---- | M] () -- C:\Users\a\Desktop\How to run the System File Checker Tool in Windows 7 - YouTube.website
    [2014/04/30 00:51:23 | 000,000,341 | ---- | M] () -- C:\Users\a\Desktop\Commentaries Matthew Henry.website
    [2014/04/28 10:27:43 | 000,102,704 | ---- | M] (Kingsoft Corporation) -- C:\Windows\SysNative\drivers\KNBDrv64.sys
    [2014/04/28 10:27:43 | 000,102,704 | ---- | M] (Kingsoft Corporation) -- C:\Windows\SysNative\drivers\knbdrv.sys
    [2014/04/28 10:27:43 | 000,085,352 | ---- | M] (Kingsoft Corporation) -- C:\Windows\SysNative\drivers\ksapi.sys
    [2014/04/28 10:26:01 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job_
    [2014/04/28 00:03:55 | 000,000,515 | ---- | M] () -- C:\Users\a\Desktop\among the stones by Bert Bell.website
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2014/05/27 23:14:43 | 000,000,405 | ---- | C] () -- C:\Users\a\Desktop\How to reset Internet Explorer settings.website
    [2014/05/27 23:05:06 | 000,000,449 | ---- | C] () -- C:\Users\a\Desktop\Fix Internet Explorer issues to make IE fast, safe and stable.website
    [2014/05/27 21:40:09 | 001,327,971 | ---- | C] () -- C:\Users\a\Desktop\AdwCleaner (5).exe
    [2014/05/27 00:16:45 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2014/05/27 00:16:45 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2014/05/27 00:16:45 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2014/05/27 00:16:45 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2014/05/27 00:16:45 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2014/05/26 23:54:05 | 000,001,118 | ---- | C] () -- C:\Users\a\Desktop\iExplore - Shortcut.lnk
    [2014/05/26 19:27:11 | 000,000,458 | ---- | C] () -- C:\Users\a\Documents\Updated AVG scan.csv
    [2014/05/26 01:32:30 | 000,000,612 | ---- | C] () -- C:\Users\a\Desktop\I need help with very strange Chinese SPAM-Malware - WindowsBBS Forum.website
    [2014/05/20 19:05:04 | 000,000,455 | ---- | C] () -- C:\Users\a\Desktop\See how many carbs, proteins, and fats you need to build muscle.website
    [2014/05/05 10:45:01 | 000,000,427 | ---- | C] () -- C:\Users\a\Desktop\192.168.2.1.website
    [2014/05/02 13:49:37 | 000,000,830 | ---- | C] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
    [2014/04/30 10:07:52 | 000,000,471 | ---- | C] () -- C:\Users\a\Desktop\Outlook - Copy.website
    [2014/04/30 00:51:23 | 000,000,341 | ---- | C] () -- C:\Users\a\Desktop\Commentaries Matthew Henry.website
    [2014/02/23 23:58:56 | 000,000,132 | ---- | C] () -- C:\Users\a\AppData\Roaming\Adobe PNG Format CS5 Prefs
    [2014/01/31 14:19:16 | 000,000,058 | ---- | C] () -- C:\Users\a\AppData\Roaming\WB.CFG
    [2014/01/25 02:18:14 | 000,000,484 | ---- | C] () -- C:\Windows\SysWow64\wacom.dat
    [2014/01/25 02:18:10 | 000,053,248 | ---- | C] () -- C:\Windows\SysWow64\TabUnst.dll
    [2014/01/25 02:18:10 | 000,015,744 | ---- | C] () -- C:\Windows\SysWow64\wintab.dll
    [2014/01/25 01:10:44 | 000,000,198 | ---- | C] () -- C:\Windows\PowerReg.dat
    [2013/11/27 20:27:19 | 000,000,132 | ---- | C] () -- C:\Users\a\AppData\Roaming\Adobe BMP Format CS5 Prefs
    [2013/11/26 04:47:59 | 000,005,120 | ---- | C] () -- C:\Users\a\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2013/11/18 23:24:15 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
    [2013/11/17 16:56:03 | 000,000,017 | ---- | C] () -- C:\Users\a\AppData\Local\resmon.resmoncfg
    [2013/08/27 21:53:35 | 000,000,066 | ---- | C] () -- C:\Windows\ESPR200.ini
    [2013/08/01 16:07:07 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
    [2013/07/31 20:49:16 | 000,774,592 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
    [2013/07/31 15:37:39 | 000,000,000 | ---- | C] () -- C:\Windows\lgfwup.ini
    [2013/07/31 14:58:09 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
    [2012/11/16 15:01:08 | 000,204,952 | ---- | C] () -- C:\Windows\SysWow64\ativvsvl.dat
    [2012/11/16 15:01:08 | 000,157,144 | ---- | C] () -- C:\Windows\SysWow64\ativvsva.dat

    ========== ZeroAccess Check ==========

    [2009/07/13 23:55:00 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32] /64

    [HKEY_CURRENT_USER\Software\Classes\Wow6432node\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32] /64
    " " = C:\Windows\SysNative\shell32.dll -- [2014/03/24 21:43:12 | 014,175,744 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    " " = %SystemRoot%\system32\shell32.dll -- [2014/03/24 21:09:54 | 012,874,240 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32] /64
    " " = C:\Windows\SysNative\wbem\fastprox.dll -- [2009/07/13 20:40:51 | 000,909,312 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    " " = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 22:24:25 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32] /64
    " " = C:\Windows\SysNative\wbem\wbemess.dll -- [2009/07/13 20:41:56 | 000,505,856 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]

    ========== Custom Scans ==========

    < >

    < Code: >

    < :OTL >

    < O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. >

    < O3 - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. >

    < O9 - Extra Button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - Reg Error: Key error. File not found >

    < O15 - HKU\S-1-5-21-3515260364-511150161-3207003695-1000\..Trusted Domains: google.ca ([www] https in Trusted sites) >

    < @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_4OLFavIE91410631431 >

    < @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_3SkyDriveFav-324886575 >

    < @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_0OLFavIE91284348923 >

    < @Alternate Data Stream - 34494 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_1OCalFavIE91545382048 >

    < @Alternate Data Stream - 16 bytes -> C:\Users\a\Downloads:Shareaza.GUID >

    < @Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:5C321E34 >

    < @Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:373E1720 >

    < @Alternate Data Stream - 1150 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_2PeopleFav1370390283 >

    < >

    < :Services >

    < >

    < :Reg >

    < >

    < :Files >

    < C:\FRST >

    < >

    < :Commands >

    < [purity] >

    < [emptytemp] >

    < [emptyjava] >

    < [emptyflash] >

    < [Reboot] >

    ========== Files - Unicode (All) ==========
    [2014/05/20 21:43:06 | 000,000,806 | ---- | M] ()(C:\Users\a\Desktop\? Lose 50 Pounds Fast With This Ski-Step Workout At Home - YouTube.website) -- C:\Users\a\Desktop\▶ Lose 50 Pounds Fast With This Ski-Step Workout At Home - YouTube.website
    [2014/05/20 20:57:20 | 000,000,806 | ---- | C] ()(C:\Users\a\Desktop\? Lose 50 Pounds Fast With This Ski-Step Workout At Home - YouTube.website) -- C:\Users\a\Desktop\▶ Lose 50 Pounds Fast With This Ski-Step Workout At Home - YouTube.website
    [2014/03/22 23:18:51 | 000,001,004 | ---- | M] ()(C:\Users\a\Desktop\? Adobe Photoshop CS6 Full Download with Keygen + Crack Serials [Windows & MAC] - Video Dailymotion.website) -- C:\Users\a\Desktop\▶ Adobe Photoshop CS6 Full Download with Keygen + Crack Serials [Windows & MAC] - Video Dailymotion.website
    [2014/03/13 15:56:48 | 000,001,004 | ---- | C] ()(C:\Users\a\Desktop\? Adobe Photoshop CS6 Full Download with Keygen + Crack Serials [Windows & MAC] - Video Dailymotion.website) -- C:\Users\a\Desktop\▶ Adobe Photoshop CS6 Full Download with Keygen + Crack Serials [Windows & MAC] - Video Dailymotion.website

    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_4OLFavIE91410631431
    @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_3SkyDriveFav-324886575
    @Alternate Data Stream - 7886 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_0OLFavIE91284348923
    @Alternate Data Stream - 34494 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_1OCalFavIE91545382048
    @Alternate Data Stream - 16 bytes -> C:\Users\a\Downloads:Shareaza.GUID
    @Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:5C321E34
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:373E1720
    @Alternate Data Stream - 1150 bytes -> C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_2PeopleFav1370390283

    < End of report >
     
  15. 2014/05/28
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Joined:
    2008/05/26
    Messages:
    456
    Likes Received:
    1
    It's 1 am here, Broni, and I'm turning in for the night. Just now, I had another bit of interference from the Chinese malware, so I guess it's a tough one :(
     
  16. 2014/05/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Did you reset IE?

    2. OTL log is incorrect. You clicked on the "Scan" button instead of the "Fix" button.
    Redo.
     
  17. 2014/05/28
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Joined:
    2008/05/26
    Messages:
    456
    Likes Received:
    1
    Sorry about the OTL. I did reset IE.

    Here's the OTL Fix scan:

    All processes killed
    Error: Unable to interpret < > in the current context!
    Error: Unable to interpret <Code: > in the current context!
    ========== OTL ==========
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
    Registry value HKEY_USERS\S-1-5-21-3515260364-511150161-3207003695-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{219C3416-8CB2-491a-A3C7-D9FCDDC9D600}\ not found.
    Registry key HKEY_USERS\S-1-5-21-3515260364-511150161-3207003695-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\google.ca\www\ deleted successfully.
    ADS C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_4OLFavIE91410631431 deleted successfully.
    ADS C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_3SkyDriveFav-324886575 deleted successfully.
    ADS C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_0OLFavIE91284348923 deleted successfully.
    ADS C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_1OCalFavIE91545382048 deleted successfully.
    Unable to delete ADS C:\Users\a\Downloads:Shareaza.GUID .
    ADS C:\ProgramData\Temp:5C321E34 deleted successfully.
    ADS C:\ProgramData\Temp:373E1720 deleted successfully.
    ADS C:\Users\a\Desktop\Outlook - Copy.website:TASKICON_2PeopleFav1370390283 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File\Folder C:\FRST not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: a
    ->Temp folder emptied: 10857686 bytes
    ->Temporary Internet Files folder emptied: 392565037 bytes
    ->Java cache emptied: 201506 bytes
    ->FireFox cache emptied: 15897733 bytes
    ->Flash cache emptied: 1418 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 57472 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LogMeInRemoteUser
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 57472 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Rosedale Productions
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 114380 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 120641337 bytes
    RecycleBin emptied: 333051348 bytes

    Total Files Cleaned = 833.00 mb


    [EMPTYJAVA]

    User: a
    ->Java cache emptied: 0 bytes

    User: All Users

    User: Default

    User: Default User

    User: LogMeInRemoteUser

    User: Public

    User: Rosedale Productions

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: a
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Default
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LogMeInRemoteUser
    ->Flash cache emptied: 0 bytes

    User: Public

    User: Rosedale Productions

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 05282014_220319

    Files\Folders moved on Reboot...
    C:\Users\a\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZBVRZHKM\RteFrameResources[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N57PJVC9\xmlProxy[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\N57PJVC9\xmlProxy[2].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FVVN36C6\default[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FVVN36C6\fastbutton[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FVVN36C6\telemetry-iframe-outlook[4].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BGXUF31S\swe-iframe[4].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BGXUF31S\V80PAcvrynR[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BGXUF31S\xmlProxy[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\62318RR4\outlook[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\62318RR4\postmessageRelay[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\62318RR4\xmlProxy[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3MTUY1HX\like[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3MTUY1HX\telemetry-iframe-outlook[3].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3B7GH7KH\107647-active-i-need-help-very-strange-chinese-spam-malware-2[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3B7GH7KH\GFXHasherAjaxIFrame_e8u3OtQonFhEjc0Yi_3RCA2[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3B7GH7KH\GFXHasherVerification[1].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3B7GH7KH\V80PAcvrynR[2].htm moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT moved successfully.
    C:\Users\a\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
     
  18. 2014/05/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    What exactly happens?
     
  19. 2014/05/28
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Joined:
    2008/05/26
    Messages:
    456
    Likes Received:
    1
    Two things happen. Usually, when I do a Google search, at the top of my screen I can see on the little search tab that it's working, but then, suddenly, the Google search tab changes from Google to all Chinese characters. I close it out and try again. It most often works on the second try, but not always. That happens most of the time.

    What happened last night is one that I don't see nearly as often as the other. It shows up just above the clock in the lower left corner. It's a small rectangular shape about the size of a business card with a graphic of a garbage can or trash can with some Chinese characters next to it. It reminds me of the recycle bin.

    In both cases, I click on the X in the corner and delete them. Do you want me to send you screenshots of them? I saved a couple of them in My Pictures.
     
  20. 2014/05/28
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Does it happen in IE only?
    Did you check other browser(s)?
     
  21. 2014/05/28
    bellisimo Lifetime Subscription

    bellisimo Well-Known Member Thread Starter

    Joined:
    2008/05/26
    Messages:
    456
    Likes Received:
    1
    Yes, in IE only.
     
