I am running Windows 7 64-bit. I have somehow got an infection that is more annoying than anything. It also prevents me seeing my emails.
Here are the requested files.
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-10-2014 02
Ran by bob at 2014-10-16 18:38:19
Running from C:\Users\bob\Downloads
Boot Mode: Normal
==========================================================
==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: Avira Desktop (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Desktop (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Avira (HKLM-x32\...\{70e83cd8-4bd5-4039-ab5a-6b94a8abb641}) (Version: 1.1.21.25162 - Avira Operations GmbH & Co. KG)
Avira (x32 Version: 1.1.21.25162 - Avira Operations GmbH & Co. KG) Hidden
Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.7.306 - Avira)
CCleaner (HKLM\...\CCleaner) (Version: 4.18 - Piriform)
Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (Version: 2.3.188.0 - Microsoft Corporation) Hidden
Microsoft Office 2000 Disc 2 (HKLM-x32\...\{00040409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Microsoft Office 2000 Professional (HKLM-x32\...\{00010409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
Mozilla Firefox 33.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 33.0 (x86 en-US)) (Version: 33.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.10.0 - Tweaking.com)
Winmail Opener 1.6 (HKLM-x32\...\Winmail Opener) (Version: 1.6 - Eolsoft)
==================== Custom CLSID (selected items): ==========================
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
==================== Restore Points =========================
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
==================== Scheduled Tasks (whitelisted) =============
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
Task: {19D05799-C6F0-49F9-8756-64245DF0F8D7} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => e:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {1B3A4F88-C2B0-4170-91D0-FD0009B6651D} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {1BFA6744-5FA6-4082-8118-3FDB36FBA4A5} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => e:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Task: {20568BB1-CA37-4B16-82CB-EE29E60803A6} - System32\Tasks\QY => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
Task: {2461709F-58F4-4CA7-8823-E313EF703079} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-09-26] (Piriform Ltd)
Task: {50C1DDE9-FB3E-4F2D-A08F-7EA74C58C636} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => e:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {5BBF8C73-79F5-4650-AB9D-22119F7DD850} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: {88B59773-FA55-400B-9B80-330CAFA40F8A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-10] (Adobe Systems Incorporated)
Task: {948DF117-18EC-4442-A415-819AABA42F2C} - System32\Tasks\XZQE => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
Task: {ADFE47E4-26E3-4342-A0E1-E13C34674D6D} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2014-03-19] (Microsoft)
Task: {B0F8CCCA-0011-44CC-9C3E-300C8E7D2F4D} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
Task: {D72FD250-F0A7-4457-ACE4-F07F620D8580} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\QY.job => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
Task: C:\Windows\Tasks\XZQE.job => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
==================== Loaded Modules (whitelisted) =============
2014-10-13 18:07 - 2014-10-13 18:07 - 00129061 _____ () C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe
2014-10-13 18:07 - 2014-10-13 18:07 - 00310309 _____ () C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe
2014-10-13 18:08 - 2014-10-13 18:08 - 00060453 _____ () C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe
2014-08-27 15:00 - 2014-08-27 15:00 - 00139056 _____ () C:\Program Files (x86)\Avira\My Avira\Avira.OE.NativeCore.dll
2014-08-06 20:04 - 2014-05-13 12:04 - 00109400 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-08-06 20:04 - 2014-05-13 12:04 - 00416600 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
2014-08-06 20:04 - 2014-05-13 12:04 - 00167768 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-08-06 20:04 - 2012-08-23 10:38 - 00574840 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
2014-08-06 20:04 - 2012-04-03 17:06 - 00565640 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2014-08-27 15:00 - 2014-08-27 15:00 - 00066864 _____ () C:\Program Files (x86)\Avira\My Avira\Avira.OE.AvConnectorNative.dll
2014-10-15 17:04 - 2014-10-15 17:04 - 03649648 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2014-09-10 17:51 - 2014-09-10 17:51 - 16825520 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll
2014-08-06 19:30 - 2014-08-27 15:00 - 00052472 _____ () C:\Users\bob\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
==================== Alternate Data Streams (whitelisted) =========
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
==================== Safe Mode (whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
==================== EXE Association (whitelisted) =============
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
==================== MSCONFIG/TASK MANAGER disabled items =========
(Currently there is no automatic fix for this section.)
MSCONFIG\startupreg: avgnt => "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
MSCONFIG\startupreg: Avira Systray => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
MSCONFIG\startupreg: SDTray => "e:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
========================= Accounts: ==========================
Administrator (S-1-5-21-2632905467-853276935-2808178832-500 - Administrator - Disabled)
bob (S-1-5-21-2632905467-853276935-2808178832-1000 - Administrator - Enabled) => C:\Users\bob
Guest (S-1-5-21-2632905467-853276935-2808178832-501 - Limited - Disabled)
==================== Faulty Device Manager Devices =============
==================== Event log errors: =========================
Application errors:
==================
Error: (10/13/2014 06:09:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 32.0.3.5379, time stamp: 0x54224e6b
Faulting module name: mozalloc.dll, version: 32.0.3.5379, time stamp: 0x54221b67
Exception code: 0x80000003
Fault offset: 0x0000141b
Faulting process id: 0x280
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3
Error: (10/13/2014 10:54:02 AM) (Source: MsiInstaller) (EventID: 11309) (User: bob-PC)
Description: Product: Google Update Helper -- Error 1309. Error reading from file: C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\Google\Update\RequiredFile.txt. System error 3. Verify that the file exists and that you can access it.
Error: (10/01/2014 05:13:57 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (10/01/2014 05:11:34 PM) (Source: MsiInstaller) (EventID: 11706) (User: bob-PC)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional. The Windows installer cannot continue.
Error: (08/29/2014 07:21:38 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (08/06/2014 08:00:37 PM) (Source: MouseKeyboardCenter) (EventID: 0) (User: )
Description: Unknown Node:#text -->
Error: (08/06/2014 11:57:06 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (1404) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.
Error: (08/06/2014 11:57:03 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail (1416) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.
Error: (08/06/2014 11:31:08 AM) (Source: VSS) (EventID: 12305) (User: )
Description: Volume Shadow Copy Service error: Volume/disk not connected or not found.
Error context: CreateFileW(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2,0xc0000000,0x00000003,...).
Operation:
Processing PostFinalCommitSnapshots
Context:
Execution Context: System Provider
System errors:
=============
Error: (10/16/2014 06:03:52 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.
Error: (10/15/2014 05:28:32 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.
Error: (10/15/2014 05:03:18 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.
Error: (10/15/2014 09:38:42 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.
Error: (10/14/2014 06:00:45 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.
Error: (10/14/2014 11:51:40 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.
Error: (10/13/2014 07:05:03 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The MetafileODBCRoot.exe service hung on starting.
Error: (10/13/2014 06:46:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Wajam Internet Enhancer Service service terminated unexpectedly. It has done this 1 time(s).
Error: (10/13/2014 06:46:39 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MySafeProxy Monitor service terminated unexpectedly. It has done this 1 time(s).
Error: (10/13/2014 06:07:53 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1053MSIServer{000C101C-0000-0000-C000-000000000046}
Microsoft Office Sessions:
=========================
Error: (10/13/2014 06:09:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe32.0.3.537954224e6bmozalloc.dll32.0.3.537954221b67800000030000141b28001cfe7078aef2730C:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Program Files (x86)\Mozilla Firefox\mozalloc.dllb935cc55-52fb-11e4-98a3-000129233516
Error: (10/13/2014 10:54:02 AM) (Source: MsiInstaller) (EventID: 11309) (User: bob-PC)
Description: Product: Google Update Helper -- Error 1309. Error reading from file: C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\Google\Update\RequiredFile.txt. System error 3. Verify that the file exists and that you can access it.(NULL)(NULL)(NULL)(NULL)(NULL)
Error: (10/01/2014 05:13:57 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"H:\WPN111.exe
Error: (10/01/2014 05:11:34 PM) (Source: MsiInstaller) (EventID: 11706) (User: bob-PC)
Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional. The Windows installer cannot continue.(NULL)(NULL)(NULL)(NULL)(NULL)
Error: (08/29/2014 07:21:38 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"H:\WPN111.exe
Error: (08/06/2014 08:00:37 PM) (Source: MouseKeyboardCenter) (EventID: 0) (User: )
Description: Unknown Node:#text -->
Error: (08/06/2014 11:57:06 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail1404WindowsMail0:
Error: (08/06/2014 11:57:03 AM) (Source: ESENT) (EventID: 215) (User: )
Description: WinMail1416WindowsMail0:
Error: (08/06/2014 11:31:08 AM) (Source: VSS) (EventID: 12305) (User: )
Description: CreateFileW(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2,0xc0000000,0x00000003,...)
Operation:
Processing PostFinalCommitSnapshots
Context:
Execution Context: System Provider
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-10-2014 02
Ran by bob (administrator) on BOB-PC on 16-10-2014 18:37:42
Running from C:\Users\bob\Downloads
Loaded Profile: bob (Available profiles: bob)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(Safer-Networking Ltd.) E:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Safer-Networking Ltd.) E:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe
(Safer-Networking Ltd.) E:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
() C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avcenter.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avscan.exe
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [703736 2014-10-16] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [164656 2014-08-27] (Avira Operations GmbH & Co. KG)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-2632905467-853276935-2808178832-1000\...\Run: [Spybot-S&D Cleaning] => E:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-2632905467-853276935-2808178832-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6482200 2014-09-26] (Piriform Ltd)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2014-08-06] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> E:\Office\OSA9.EXE (Microsoft Corporation)
BootExecute: autocheck autochk * sdnclean64.exe
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
ProxyEnable: Internet Explorer proxy is enabled.
ProxyServer: http=127.0.0.1:20194
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: http\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
FireFox:
========
FF ProfilePath: C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\q42j5mhf.default
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Extension: Avira Browser Safety - C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\q42j5mhf.default\Extensions\abs@avira.com [2014-09-30]
Chrome:
=======
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-10-16] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-10-16] (Avira Operations GmbH & Co. KG)
R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [160048 2014-08-27] (Avira Operations GmbH & Co. KG)
R2 Direct3dTextWin32; C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe [60453 2014-10-13] () [File not signed]
R2 SDScannerService; e:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; e:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; e:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-16] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-16] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-10-16 18:37 - 2014-10-16 18:38 - 00008377 _____ () C:\Users\bob\Downloads\FRST.txt
2014-10-16 18:36 - 2014-10-16 18:37 - 00000000 ____D () C:\FRST
2014-10-16 18:35 - 2014-10-16 18:36 - 02111488 _____ (Farbar) C:\Users\bob\Downloads\FRST64.exe
2014-10-16 18:29 - 2014-10-16 18:30 - 01170056 _____ (Zugara Investments Limited ) C:\Users\bob\Downloads\file.exe
2014-10-16 18:27 - 2014-10-16 18:27 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-BOB-PC-Microsoft-Windows-7-Ultimate-(64-bit).dat
2014-10-16 18:27 - 2014-10-16 18:27 - 00000000 ____D () C:\RegBackup
2014-10-16 18:26 - 2014-10-16 18:26 - 00000545 _____ () C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
2014-10-16 18:26 - 2014-10-16 18:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2014-10-16 18:25 - 2014-10-16 18:25 - 04215184 _____ () C:\Users\bob\Downloads\tweaking.com_registry_backup_setup.exe
2014-10-15 17:26 - 2014-10-15 17:26 - 00000318 _____ () C:\Windows\PFRO.log
2014-10-15 17:20 - 2014-10-15 17:25 - 00000000 ____D () C:\AdwCleaner
2014-10-15 17:19 - 2014-10-15 17:19 - 01976320 _____ () C:\Users\bob\Downloads\adwcleaner_4.000.exe
2014-10-15 17:04 - 2014-10-15 17:04 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2014-10-15 17:01 - 2014-10-16 18:02 - 00000168 _____ () C:\Windows\setupact.log
2014-10-15 17:01 - 2014-10-15 17:01 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-15 10:16 - 2014-10-15 10:16 - 00043144 _____ () C:\Users\bob\Documents\cc_20141015_101616.reg
2014-10-15 10:13 - 2014-10-15 10:13 - 04965896 _____ (Piriform Ltd) C:\Users\bob\Downloads\ccsetup418.exe
2014-10-15 10:13 - 2014-10-15 10:13 - 00002768 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
2014-10-15 10:13 - 2014-10-15 10:13 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-10-15 10:13 - 2014-10-15 10:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2014-10-15 10:13 - 2014-10-15 10:13 - 00000000 ____D () C:\Program Files\CCleaner
2014-10-14 18:08 - 2014-10-14 18:08 - 00000000 ____D () C:\Users\bob\AppData\Local\CheckCode
2014-10-13 19:02 - 2014-10-13 19:02 - 00007246 _____ () C:\Windows\wininit.ini
2014-10-13 18:13 - 2014-10-13 18:13 - 00000045 _____ () C:\Users\bob\AppData\Roaming\WB.CFG
2014-10-13 18:09 - 2014-10-13 18:09 - 00000000 ____D () C:\Users\bob\AppData\Local\Deployment
2014-10-13 18:08 - 2014-10-13 18:08 - 00001905 _____ () C:\Users\bob\Desktop\FastPlayer.lnk
2014-10-13 18:08 - 2014-10-13 18:08 - 00000000 ____D () C:\Windows\SysWOW64\Direct3dTextWin32
2014-10-13 18:08 - 2014-10-13 18:08 - 00000000 ____D () C:\Users\bob\AppData\Local\fastplayer
2014-10-13 18:08 - 2014-10-13 18:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastPlayer
2014-10-13 10:54 - 2014-10-16 18:02 - 00001326 _____ () C:\Windows\Tasks\XZQE.job
2014-10-13 10:54 - 2014-10-16 18:02 - 00001322 _____ () C:\Windows\Tasks\QY.job
2014-10-13 10:54 - 2014-10-13 10:54 - 00004344 _____ () C:\Windows\System32\Tasks\XZQE
2014-10-13 10:54 - 2014-10-13 10:54 - 00004340 _____ () C:\Windows\System32\Tasks\QY
2014-10-13 10:54 - 2014-10-13 10:54 - 00000000 ____D () C:\Users\bob\AppData\Local\com
2014-10-06 11:50 - 2014-10-13 18:09 - 00000000 ____D () C:\Users\bob\AppData\Local\Apps\2.0
2014-10-03 16:31 - 2014-10-03 16:31 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
2014-10-01 22:04 - 2014-09-25 03:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2014-10-01 22:04 - 2014-09-25 02:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
2014-09-28 17:30 - 2014-09-09 23:11 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-09-28 17:30 - 2014-09-09 22:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-10-16 18:14 - 2014-08-12 17:45 - 00043064 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
2014-10-16 18:14 - 2014-08-11 18:13 - 00131608 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
2014-10-16 18:14 - 2014-08-11 18:13 - 00119272 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
2014-10-16 18:10 - 2009-07-14 05:45 - 00020800 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-16 18:10 - 2009-07-14 05:45 - 00020800 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-16 18:09 - 2009-07-14 06:13 - 00781790 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-16 18:07 - 2014-08-05 21:20 - 01974631 _____ () C:\Windows\WindowsUpdate.log
2014-10-16 18:02 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-15 22:51 - 2014-08-06 18:24 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-15 17:26 - 2014-08-06 18:21 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2014-10-15 10:14 - 2014-08-05 22:14 - 00000000 ____D () C:\Windows\Panther
2014-10-14 11:52 - 2014-08-06 22:26 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-13 19:02 - 2014-08-06 20:04 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-10-13 11:13 - 2014-08-06 18:21 - 00001135 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2014-10-04 19:44 - 2009-07-14 06:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
2014-10-03 16:56 - 2014-08-17 21:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools
2014-10-03 16:56 - 2014-08-17 21:17 - 00000000 ____D () C:\Program Files (x86)\Snapshot Viewer
2014-10-01 17:05 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\system32\NDF
Some content of TEMP:
====================
C:\Users\bob\AppData\Local\Temp\avgnt.exe
C:\Users\bob\AppData\Local\Temp\Quarantine.exe
C:\Users\bob\AppData\Local\Temp\sqlite3.dll
==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
LastRegBack: 2014-08-05 21:15
==================== End Of Log ============================
aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-10-16 18:42:14
-----------------------------
18:42:14.850 OS Version: Windows x64 6.1.7601 Service Pack 1
18:42:14.851 Number of processors: 2 586 0xF0D
18:42:14.851 ComputerName: BOB-PC UserName: bob
18:42:15.047 Initialize success
18:42:15.097 VM: initialized successfully
18:42:15.112 VM: Intel CPU virtualization not supported
18:43:27.925 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2
18:43:27.928 Disk 0 Vendor: ST3320820AS 3.AAD Size: 305245MB BusType: 3
18:43:27.933 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-7
18:43:27.937 Disk 1 Vendor: SanDisk_SSD_U100_32GB 10.50.00 Size: 30533MB BusType: 3
18:43:27.943 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP4T1L0-8
18:43:27.948 Disk 2 Vendor: MAXTOR_4K060H3 A08.1500 Size: 57259MB BusType: 3
18:43:27.961 Disk 1 MBR read successfully
18:43:27.966 Disk 1 MBR scan
18:43:27.970 Disk 1 Windows 7 default MBR code
18:43:27.975 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
18:43:27.979 Disk 1 Boot: NTFS code=1
18:43:27.983 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 30431 MB offset 206848
18:43:28.336 Disk 1 scanning C:\Windows\system32\drivers
18:43:30.045 Service scanning
18:43:33.144 Modules scanning
18:43:33.152 Disk 1 trace - called modules:
18:43:33.160 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
18:43:33.167 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8004907100]
18:43:33.175 3 CLASSPNP.SYS[fffff880015be43f] -> nt!IofCallDriver -> [0xfffffa80047c3520]
18:43:33.175 5 ACPI.sys[fffff88000f9d7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-7[0xfffffa80047bc060]
18:43:33.183 Scan finished successfully
18:44:36.131 Disk 1 MBR has been saved successfully to "C:\Users\bob\Downloads\MBR.dat"
18:44:36.139 The log file has been saved successfully to "C:\Users\bob\Downloads\aswMBR.txt"
aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
Run date: 2014-10-17 10:24:40
-----------------------------
10:24:40.780 OS Version: Windows x64 6.1.7601 Service Pack 1
10:24:40.781 Number of processors: 2 586 0xF0D
10:24:40.781 ComputerName: BOB-PC UserName: bob
10:24:41.142 Initialize success
10:24:41.167 VM: initialized successfully
10:24:41.185 VM: Intel CPU virtualization not supported
10:24:49.038 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2
10:24:49.042 Disk 0 Vendor: ST3320820AS 3.AAD Size: 305245MB BusType: 3
10:24:49.046 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-7
10:24:49.051 Disk 1 Vendor: SanDisk_SSD_U100_32GB 10.50.00 Size: 30533MB BusType: 3
10:24:49.057 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP4T1L0-9
10:24:49.062 Disk 2 Vendor: MAXTOR_4K060H3 A08.1500 Size: 57259MB BusType: 3
10:24:49.077 Disk 1 MBR read successfully
10:24:49.082 Disk 1 MBR scan
10:24:49.084 Disk 1 Windows 7 default MBR code
10:24:49.088 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
10:24:49.092 Disk 1 Boot: NTFS code=1
10:24:49.096 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 30431 MB offset 206848
10:24:49.109 Disk 1 scanning C:\Windows\system32\drivers
10:24:50.893 Service scanning
10:24:54.015 Modules scanning
10:24:54.026 Disk 1 trace - called modules:
10:24:54.038 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
10:24:54.045 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8004922790]
10:24:54.054 3 CLASSPNP.SYS[fffff880013aa43f] -> nt!IofCallDriver -> [0xfffffa80047d8520]
10:24:54.062 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-7[0xfffffa80047e8680]
10:24:54.068 Scan finished successfully
10:25:13.498 Disk 1 MBR has been saved successfully to "C:\Users\bob\Downloads\MBR.dat"
10:25:13.552 The log file has been saved successfully to "C:\Users\bob\Downloads\aswMBR.txt"
Any help very much appreciated. I have run Malwarebytes, Spybot, AdwCleaner and CCleaner, but still have the same problem.