
Thread: unwanted windows popping up

    #1

    I am running Windows 7 64-bit. I have somehow got an infection that is more annoying than anything. It also prevents me seeing my emails.

    Here are the requested files.

    Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-10-2014 02
    Ran by bob at 2014-10-16 18:38:19
    Running from C:\Users\bob\Downloads
    Boot Mode: Normal
    ==========================================================


    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: Avira Desktop (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
    AS: Avira Desktop (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
    AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}

    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
    Avira (HKLM-x32\...\{70e83cd8-4bd5-4039-ab5a-6b94a8abb641}) (Version: 1.1.21.25162 - Avira Operations GmbH & Co. KG)
    Avira (x32 Version: 1.1.21.25162 - Avira Operations GmbH & Co. KG) Hidden
    Avira Free Antivirus (HKLM-x32\...\Avira AntiVir Desktop) (Version: 14.0.7.306 - Avira)
    CCleaner (HKLM\...\CCleaner) (Version: 4.18 - Piriform)
    Intel(R) Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version: 8.15.10.1930 - Intel Corporation)
    Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
    Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
    Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
    Microsoft Mouse and Keyboard Center (HKLM\...\Microsoft Mouse and Keyboard Center) (Version: 2.3.188.0 - Microsoft Corporation)
    Microsoft Mouse and Keyboard Center (Version: 2.3.188.0 - Microsoft Corporation) Hidden
    Microsoft Office 2000 Disc 2 (HKLM-x32\...\{00040409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
    Microsoft Office 2000 Professional (HKLM-x32\...\{00010409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.2720 - Microsoft Corporation)
    Mozilla Firefox 33.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 33.0 (x86 en-US)) (Version: 33.0 - Mozilla)
    Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
    MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION
    Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
    Tweaking.com - Registry Backup (HKLM-x32\...\Tweaking.com - Registry Backup) (Version: 1.10.0 - Tweaking.com)
    Winmail Opener 1.6 (HKLM-x32\...\Winmail Opener) (Version: 1.6 - Eolsoft)

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


    ==================== Restore Points =========================


    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    2009-07-14 03:34 - 2009-06-10 22:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

    ==================== Scheduled Tasks (whitelisted) =============

    (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

    Task: {19D05799-C6F0-49F9-8756-64245DF0F8D7} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => e:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
    Task: {1B3A4F88-C2B0-4170-91D0-FD0009B6651D} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
    Task: {1BFA6744-5FA6-4082-8118-3FDB36FBA4A5} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => e:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
    Task: {20568BB1-CA37-4B16-82CB-EE29E60803A6} - System32\Tasks\QY => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
    Task: {2461709F-58F4-4CA7-8823-E313EF703079} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-09-26] (Piriform Ltd)
    Task: {50C1DDE9-FB3E-4F2D-A08F-7EA74C58C636} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => e:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
    Task: {5BBF8C73-79F5-4650-AB9D-22119F7DD850} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
    Task: {88B59773-FA55-400B-9B80-330CAFA40F8A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-10] (Adobe Systems Incorporated)
    Task: {948DF117-18EC-4442-A415-819AABA42F2C} - System32\Tasks\XZQE => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
    Task: {ADFE47E4-26E3-4342-A0E1-E13C34674D6D} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2014-03-19] (Microsoft)
    Task: {B0F8CCCA-0011-44CC-9C3E-300C8E7D2F4D} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2014-03-19] (Microsoft Corporation)
    Task: {D72FD250-F0A7-4457-ACE4-F07F620D8580} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2014-03-19] (Microsoft Corporation)
    Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
    Task: C:\Windows\Tasks\QY.job => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
    Task: C:\Windows\Tasks\XZQE.job => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION

    ==================== Loaded Modules (whitelisted) =============

    2014-10-13 18:07 - 2014-10-13 18:07 - 00129061 _____ () C:\Users\bob\AppData\Local\MetafileODBCRoot\MetafileODBCRoot.exe
    2014-10-13 18:07 - 2014-10-13 18:07 - 00310309 _____ () C:\Users\bob\AppData\Local\MetafileODBCRoot\JAVAKeyboardNative.exe
    2014-10-13 18:08 - 2014-10-13 18:08 - 00060453 _____ () C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe
    2014-08-27 15:00 - 2014-08-27 15:00 - 00139056 _____ () C:\Program Files (x86)\Avira\My Avira\Avira.OE.NativeCore.dll
    2014-08-06 20:04 - 2014-05-13 12:04 - 00109400 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\snlThirdParty150.bpl
    2014-08-06 20:04 - 2014-05-13 12:04 - 00416600 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\DEC150.bpl
    2014-08-06 20:04 - 2014-05-13 12:04 - 00167768 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\snlFileFormats150.bpl
    2014-08-06 20:04 - 2012-08-23 10:38 - 00574840 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\sqlite3.dll
    2014-08-06 20:04 - 2012-04-03 17:06 - 00565640 _____ () e:\Program Files (x86)\Spybot - Search & Destroy 2\av\BDSmartDB.dll
    2014-08-27 15:00 - 2014-08-27 15:00 - 00066864 _____ () C:\Program Files (x86)\Avira\My Avira\Avira.OE.AvConnectorNative.dll
    2014-10-15 17:04 - 2014-10-15 17:04 - 03649648 _____ () C:\Program Files (x86)\Mozilla Firefox\mozjs.dll
    2014-09-10 17:51 - 2014-09-10 17:51 - 16825520 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll
    2014-08-06 19:30 - 2014-08-27 15:00 - 00052472 _____ () C:\Users\bob\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll

    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


    ==================== EXE Association (whitelisted) =============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


    ==================== MSCONFIG/TASK MANAGER disabled items =========

    (Currently there is no automatic fix for this section.)

    MSCONFIG\startupreg: avgnt => "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
    MSCONFIG\startupreg: Avira Systray => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
    MSCONFIG\startupreg: SDTray => "e:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"

    ========================= Accounts: ==========================

    Administrator (S-1-5-21-2632905467-853276935-2808178832-500 - Administrator - Disabled)
    bob (S-1-5-21-2632905467-853276935-2808178832-1000 - Administrator - Enabled) => C:\Users\bob
    Guest (S-1-5-21-2632905467-853276935-2808178832-501 - Limited - Disabled)

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (10/13/2014 06:09:43 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application name: plugin-container.exe, version: 32.0.3.5379, time stamp: 0x54224e6b
    Faulting module name: mozalloc.dll, version: 32.0.3.5379, time stamp: 0x54221b67
    Exception code: 0x80000003
    Fault offset: 0x0000141b
    Faulting process id: 0x280
    Faulting application start time: 0xplugin-container.exe0
    Faulting application path: plugin-container.exe1
    Faulting module path: plugin-container.exe2
    Report Id: plugin-container.exe3

    Error: (10/13/2014 10:54:02 AM) (Source: MsiInstaller) (EventID: 11309) (User: bob-PC)
    Description: Product: Google Update Helper -- Error 1309. Error reading from file: C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\Google\Update\RequiredFile.txt. System error 3. Verify that the file exists and that you can access it.

    Error: (10/01/2014 05:13:57 PM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Activation context generation failed for "Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
    Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
    Please use sxstrace.exe for detailed diagnosis.

    Error: (10/01/2014 05:11:34 PM) (Source: MsiInstaller) (EventID: 11706) (User: bob-PC)
    Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional. The Windows installer cannot continue.

    Error: (08/29/2014 07:21:38 PM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Activation context generation failed for "Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"1".
    Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
    Please use sxstrace.exe for detailed diagnosis.

    Error: (08/06/2014 08:00:37 PM) (Source: MouseKeyboardCenter) (EventID: 0) (User: )
    Description: Unknown Node:#text -->

    Error: (08/06/2014 11:57:06 AM) (Source: ESENT) (EventID: 215) (User: )
    Description: WinMail (1404) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

    Error: (08/06/2014 11:57:03 AM) (Source: ESENT) (EventID: 215) (User: )
    Description: WinMail (1416) WindowsMail0: The backup has been stopped because it was halted by the client or the connection with the client failed.

    Error: (08/06/2014 11:31:08 AM) (Source: VSS) (EventID: 12305) (User: )
    Description: Volume Shadow Copy Service error: Volume/disk not connected or not found.
    Error context: CreateFileW(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2,0xc0000000,0x00000003,...).


    Operation:
    Processing PostFinalCommitSnapshots

    Context:
    Execution Context: System Provider


    System errors:
    =============
    Error: (10/16/2014 06:03:52 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
    Description: The MetafileODBCRoot.exe service hung on starting.

    Error: (10/15/2014 05:28:32 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
    Description: The MetafileODBCRoot.exe service hung on starting.

    Error: (10/15/2014 05:03:18 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
    Description: The MetafileODBCRoot.exe service hung on starting.

    Error: (10/15/2014 09:38:42 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
    Description: The MetafileODBCRoot.exe service hung on starting.

    Error: (10/14/2014 06:00:45 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
    Description: The MetafileODBCRoot.exe service hung on starting.

    Error: (10/14/2014 11:51:40 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
    Description: The MetafileODBCRoot.exe service hung on starting.

    Error: (10/13/2014 07:05:03 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
    Description: The MetafileODBCRoot.exe service hung on starting.

    Error: (10/13/2014 06:46:47 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The Wajam Internet Enhancer Service service terminated unexpectedly. It has done this 1 time(s).

    Error: (10/13/2014 06:46:39 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
    Description: The MySafeProxy Monitor service terminated unexpectedly. It has done this 1 time(s).

    Error: (10/13/2014 06:07:53 PM) (Source: DCOM) (EventID: 10005) (User: )
    Description: 1053MSIServer{000C101C-0000-0000-C000-000000000046}


    Microsoft Office Sessions:
    =========================
    Error: (10/13/2014 06:09:43 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: plugin-container.exe32.0.3.537954224e6bmozalloc.dll32.0.3.537954221b67800000030000141b28001cfe7078aef2730C:\Program Files (x86)\Mozilla Firefox\plugin-container.exeC:\Program Files (x86)\Mozilla Firefox\mozalloc.dllb935cc55-52fb-11e4-98a3-000129233516

    Error: (10/13/2014 10:54:02 AM) (Source: MsiInstaller) (EventID: 11309) (User: bob-PC)
    Description: Product: Google Update Helper -- Error 1309. Error reading from file: C:\Program Files (x86)\globalUpdate\Update\1.3.25.0\Google\Update\RequiredFile.txt. System error 3. Verify that the file exists and that you can access it.(NULL)(NULL)(NULL)(NULL)(NULL)

    Error: (10/01/2014 05:13:57 PM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"H:\WPN111.exe

    Error: (10/01/2014 05:11:34 PM) (Source: MsiInstaller) (EventID: 11706) (User: bob-PC)
    Description: Product: Microsoft Office 2000 Professional -- Error 1706. No valid source could be found for product Microsoft Office 2000 Professional. The Windows installer cannot continue.(NULL)(NULL)(NULL)(NULL)(NULL)

    Error: (08/29/2014 07:21:38 PM) (Source: SideBySide) (EventID: 33) (User: )
    Description: Microsoft.VC80.MFC,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0"H:\WPN111.exe

    Error: (08/06/2014 08:00:37 PM) (Source: MouseKeyboardCenter) (EventID: 0) (User: )
    Description: Unknown Node:#text -->

    Error: (08/06/2014 11:57:06 AM) (Source: ESENT) (EventID: 215) (User: )
    Description: WinMail1404WindowsMail0:

    Error: (08/06/2014 11:57:03 AM) (Source: ESENT) (EventID: 215) (User: )
    Description: WinMail1416WindowsMail0:

    Error: (08/06/2014 11:31:08 AM) (Source: VSS) (EventID: 12305) (User: )
    Description: CreateFileW(\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2,0xc0000000,0x00000003,...)

    Operation:
    Processing PostFinalCommitSnapshots

    Context:
    Execution Context: System Provider



    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 15-10-2014 02
    Ran by bob (administrator) on BOB-PC on 16-10-2014 18:37:42
    Running from C:\Users\bob\Downloads
    Loaded Profile: bob (Available profiles: bob)
    Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
    Internet Explorer Version 11
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    (Intel Corporation) C:\Windows\System32\igfxtray.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Intel Corporation) C:\Windows\System32\igfxsrvc.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
    (Safer-Networking Ltd.) E:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
    (Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe
    (Safer-Networking Ltd.) E:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe
    (Safer-Networking Ltd.) E:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
    (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    () C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe
    (Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    (Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
    (Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_15_0_0_152.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avcenter.exe
    (Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avscan.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [703736 2014-10-16] (Avira Operations GmbH & Co. KG)
    HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe [164656 2014-08-27] (Avira Operations GmbH & Co. KG)
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
    HKU\S-1-5-21-2632905467-853276935-2808178832-1000\...\Run: [Spybot-S&D Cleaning] => E:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
    HKU\S-1-5-21-2632905467-853276935-2808178832-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6482200 2014-09-26] (Piriform Ltd)
    HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2014-08-06] (Microsoft Corporation)
    Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
    ShortcutTarget: Microsoft Office.lnk -> E:\Office\OSA9.EXE (Microsoft Corporation)
    BootExecute: autocheck autochk * sdnclean64.exe

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    ProxyEnable: Internet Explorer proxy is enabled.
    ProxyServer: http=127.0.0.1:20194
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    StartMenuInternet: IEXPLORE.EXE - iexplore.exe
    Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
    Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    Handler-x32: http\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    Handler-x32: https\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    Handler-x32: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    FireFox:
    ========
    FF ProfilePath: C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\q42j5mhf.default
    FF Homepage: about:home
    FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
    FF Extension: Avira Browser Safety - C:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\q42j5mhf.default\Extensions\abs@avira.com [2014-09-30]

    Chrome:
    =======

    ==================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [431920 2014-10-16] (Avira Operations GmbH & Co. KG)
    R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [431920 2014-10-16] (Avira Operations GmbH & Co. KG)
    R2 Avira.OE.ServiceHost; C:\Program Files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [160048 2014-08-27] (Avira Operations GmbH & Co. KG)
    R2 Direct3dTextWin32; C:\Windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe [60453 2014-10-13] () [File not signed]
    R2 SDScannerService; e:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
    R2 SDUpdateService; e:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
    R2 SDWSCService; e:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [119272 2014-10-16] (Avira Operations GmbH & Co. KG)
    R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131608 2014-10-16] (Avira Operations GmbH & Co. KG)
    R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2014-07-23] (Avira Operations GmbH & Co. KG)
    S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
    S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
    S3 VGPU; System32\drivers\rdvgkmd.sys [X]

    ==================== NetSvcs (Whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-10-16 18:37 - 2014-10-16 18:38 - 00008377 _____ () C:\Users\bob\Downloads\FRST.txt
    2014-10-16 18:36 - 2014-10-16 18:37 - 00000000 ____D () C:\FRST
    2014-10-16 18:35 - 2014-10-16 18:36 - 02111488 _____ (Farbar) C:\Users\bob\Downloads\FRST64.exe
    2014-10-16 18:29 - 2014-10-16 18:30 - 01170056 _____ (Zugara Investments Limited ) C:\Users\bob\Downloads\file.exe
    2014-10-16 18:27 - 2014-10-16 18:27 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-BOB-PC-Microsoft-Windows-7-Ultimate-(64-bit).dat
    2014-10-16 18:27 - 2014-10-16 18:27 - 00000000 ____D () C:\RegBackup
    2014-10-16 18:26 - 2014-10-16 18:26 - 00000545 _____ () C:\Users\Public\Desktop\Tweaking.com - Registry Backup.lnk
    2014-10-16 18:26 - 2014-10-16 18:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tweaking.com
    2014-10-16 18:25 - 2014-10-16 18:25 - 04215184 _____ () C:\Users\bob\Downloads\tweaking.com_registry_backup_setup.exe
    2014-10-15 17:26 - 2014-10-15 17:26 - 00000318 _____ () C:\Windows\PFRO.log
    2014-10-15 17:20 - 2014-10-15 17:25 - 00000000 ____D () C:\AdwCleaner
    2014-10-15 17:19 - 2014-10-15 17:19 - 01976320 _____ () C:\Users\bob\Downloads\adwcleaner_4.000.exe
    2014-10-15 17:04 - 2014-10-15 17:04 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
    2014-10-15 17:01 - 2014-10-16 18:02 - 00000168 _____ () C:\Windows\setupact.log
    2014-10-15 17:01 - 2014-10-15 17:01 - 00000000 _____ () C:\Windows\setuperr.log
    2014-10-15 10:16 - 2014-10-15 10:16 - 00043144 _____ () C:\Users\bob\Documents\cc_20141015_101616.reg
    2014-10-15 10:13 - 2014-10-15 10:13 - 04965896 _____ (Piriform Ltd) C:\Users\bob\Downloads\ccsetup418.exe
    2014-10-15 10:13 - 2014-10-15 10:13 - 00002768 _____ () C:\Windows\System32\Tasks\CCleanerSkipUAC
    2014-10-15 10:13 - 2014-10-15 10:13 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
    2014-10-15 10:13 - 2014-10-15 10:13 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
    2014-10-15 10:13 - 2014-10-15 10:13 - 00000000 ____D () C:\Program Files\CCleaner
    2014-10-14 18:08 - 2014-10-14 18:08 - 00000000 ____D () C:\Users\bob\AppData\Local\CheckCode
    2014-10-13 19:02 - 2014-10-13 19:02 - 00007246 _____ () C:\Windows\wininit.ini
    2014-10-13 18:13 - 2014-10-13 18:13 - 00000045 _____ () C:\Users\bob\AppData\Roaming\WB.CFG
    2014-10-13 18:09 - 2014-10-13 18:09 - 00000000 ____D () C:\Users\bob\AppData\Local\Deployment
    2014-10-13 18:08 - 2014-10-13 18:08 - 00001905 _____ () C:\Users\bob\Desktop\FastPlayer.lnk
    2014-10-13 18:08 - 2014-10-13 18:08 - 00000000 ____D () C:\Windows\SysWOW64\Direct3dTextWin32
    2014-10-13 18:08 - 2014-10-13 18:08 - 00000000 ____D () C:\Users\bob\AppData\Local\fastplayer
    2014-10-13 18:08 - 2014-10-13 18:08 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastPlayer
    2014-10-13 10:54 - 2014-10-16 18:02 - 00001326 _____ () C:\Windows\Tasks\XZQE.job
    2014-10-13 10:54 - 2014-10-16 18:02 - 00001322 _____ () C:\Windows\Tasks\QY.job
    2014-10-13 10:54 - 2014-10-13 10:54 - 00004344 _____ () C:\Windows\System32\Tasks\XZQE
    2014-10-13 10:54 - 2014-10-13 10:54 - 00004340 _____ () C:\Windows\System32\Tasks\QY
    2014-10-13 10:54 - 2014-10-13 10:54 - 00000000 ____D () C:\Users\bob\AppData\Local\com
    2014-10-06 11:50 - 2014-10-13 18:09 - 00000000 ____D () C:\Users\bob\AppData\Local\Apps\2.0
    2014-10-03 16:31 - 2014-10-03 16:31 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf
    2014-10-01 22:04 - 2014-09-25 03:08 - 00371712 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
    2014-10-01 22:04 - 2014-09-25 02:40 - 00519680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\qdvd.dll
    2014-09-28 17:30 - 2014-09-09 23:11 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
    2014-09-28 17:30 - 2014-09-09 22:47 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-10-16 18:14 - 2014-08-12 17:45 - 00043064 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avnetflt.sys
    2014-10-16 18:14 - 2014-08-11 18:13 - 00131608 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avipbb.sys
    2014-10-16 18:14 - 2014-08-11 18:13 - 00119272 _____ (Avira Operations GmbH & Co. KG) C:\Windows\system32\Drivers\avgntflt.sys
    2014-10-16 18:10 - 2009-07-14 05:45 - 00020800 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2014-10-16 18:10 - 2009-07-14 05:45 - 00020800 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2014-10-16 18:09 - 2009-07-14 06:13 - 00781790 _____ () C:\Windows\system32\PerfStringBackup.INI
    2014-10-16 18:07 - 2014-08-05 21:20 - 01974631 _____ () C:\Windows\WindowsUpdate.log
    2014-10-16 18:02 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2014-10-15 22:51 - 2014-08-06 18:24 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
    2014-10-15 17:26 - 2014-08-06 18:21 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
    2014-10-15 10:14 - 2014-08-05 22:14 - 00000000 ____D () C:\Windows\Panther
    2014-10-14 11:52 - 2014-08-06 22:26 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2014-10-13 19:02 - 2014-08-06 20:04 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
    2014-10-13 11:13 - 2014-08-06 18:21 - 00001135 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
    2014-10-04 19:44 - 2009-07-14 06:09 - 00000000 ____D () C:\Windows\System32\Tasks\WPD
    2014-10-03 16:56 - 2014-08-17 21:25 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools
    2014-10-03 16:56 - 2014-08-17 21:17 - 00000000 ____D () C:\Program Files (x86)\Snapshot Viewer
    2014-10-01 17:05 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\system32\NDF

    Some content of TEMP:
    ====================
    C:\Users\bob\AppData\Local\Temp\avgnt.exe
    C:\Users\bob\AppData\Local\Temp\Quarantine.exe
    C:\Users\bob\AppData\Local\Temp\sqlite3.dll


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\Windows\System32\winlogon.exe => File is digitally signed
    C:\Windows\System32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\System32\services.exe => File is digitally signed
    C:\Windows\System32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\System32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed
    C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


    LastRegBack: 2014-08-05 21:15

    ==================== End Of Log ============================




    aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
    Run date: 2014-10-16 18:42:14
    -----------------------------
    18:42:14.850 OS Version: Windows x64 6.1.7601 Service Pack 1
    18:42:14.851 Number of processors: 2 586 0xF0D
    18:42:14.851 ComputerName: BOB-PC UserName: bob
    18:42:15.047 Initialize success
    18:42:15.097 VM: initialized successfully
    18:42:15.112 VM: Intel CPU virtualization not supported
    18:43:27.925 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2
    18:43:27.928 Disk 0 Vendor: ST3320820AS 3.AAD Size: 305245MB BusType: 3
    18:43:27.933 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-7
    18:43:27.937 Disk 1 Vendor: SanDisk_SSD_U100_32GB 10.50.00 Size: 30533MB BusType: 3
    18:43:27.943 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP4T1L0-8
    18:43:27.948 Disk 2 Vendor: MAXTOR_4K060H3 A08.1500 Size: 57259MB BusType: 3
    18:43:27.961 Disk 1 MBR read successfully
    18:43:27.966 Disk 1 MBR scan
    18:43:27.970 Disk 1 Windows 7 default MBR code
    18:43:27.975 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    18:43:27.979 Disk 1 Boot: NTFS code=1
    18:43:27.983 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 30431 MB offset 206848
    18:43:28.336 Disk 1 scanning C:\Windows\system32\drivers
    18:43:30.045 Service scanning
    18:43:33.144 Modules scanning
    18:43:33.152 Disk 1 trace - called modules:
    18:43:33.160 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
    18:43:33.167 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8004907100]
    18:43:33.175 3 CLASSPNP.SYS[fffff880015be43f] -> nt!IofCallDriver -> [0xfffffa80047c3520]
    18:43:33.175 5 ACPI.sys[fffff88000f9d7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-7[0xfffffa80047bc060]
    18:43:33.183 Scan finished successfully
    18:44:36.131 Disk 1 MBR has been saved successfully to "C:\Users\bob\Downloads\MBR.dat"
    18:44:36.139 The log file has been saved successfully to "C:\Users\bob\Downloads\aswMBR.txt"


    aswMBR version 1.0.1.2041 Copyright(c) 2014 AVAST Software
    Run date: 2014-10-17 10:24:40
    -----------------------------
    10:24:40.780 OS Version: Windows x64 6.1.7601 Service Pack 1
    10:24:40.781 Number of processors: 2 586 0xF0D
    10:24:40.781 ComputerName: BOB-PC UserName: bob
    10:24:41.142 Initialize success
    10:24:41.167 VM: initialized successfully
    10:24:41.185 VM: Intel CPU virtualization not supported
    10:24:49.038 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2
    10:24:49.042 Disk 0 Vendor: ST3320820AS 3.AAD Size: 305245MB BusType: 3
    10:24:49.046 Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T1L0-7
    10:24:49.051 Disk 1 Vendor: SanDisk_SSD_U100_32GB 10.50.00 Size: 30533MB BusType: 3
    10:24:49.057 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP4T1L0-9
    10:24:49.062 Disk 2 Vendor: MAXTOR_4K060H3 A08.1500 Size: 57259MB BusType: 3
    10:24:49.077 Disk 1 MBR read successfully
    10:24:49.082 Disk 1 MBR scan
    10:24:49.084 Disk 1 Windows 7 default MBR code
    10:24:49.088 Disk 1 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
    10:24:49.092 Disk 1 Boot: NTFS code=1
    10:24:49.096 Disk 1 Partition 2 00 07 HPFS/NTFS NTFS 30431 MB offset 206848
    10:24:49.109 Disk 1 scanning C:\Windows\system32\drivers
    10:24:50.893 Service scanning
    10:24:54.015 Modules scanning
    10:24:54.026 Disk 1 trace - called modules:
    10:24:54.038 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
    10:24:54.045 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa8004922790]
    10:24:54.054 3 CLASSPNP.SYS[fffff880013aa43f] -> nt!IofCallDriver -> [0xfffffa80047d8520]
    10:24:54.062 5 ACPI.sys[fffff88000e0b7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T1L0-7[0xfffffa80047e8680]
    10:24:54.068 Scan finished successfully
    10:25:13.498 Disk 1 MBR has been saved successfully to "C:\Users\bob\Downloads\MBR.dat"
    10:25:13.552 The log file has been saved successfully to "C:\Users\bob\Downloads\aswMBR.txt"


    Any help very much appreciated. I have run Malwarebytes, Spybot, AdwCleaner and CCleaner, but still have the same problem.

  2. #2
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Use Add/Remove programs to Uninstall
    MySafeProxy
    Wajam Internet Enhancer





    Running from C:\Users\bob\Downloads

    Please go to your downloads folders and locate Farbar's Recovery Scan Tool, right click and select CUT
    Now, go to an empty spot on your desktop, right click and select PASTE

    Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy.
    Paste this into the open notepad. save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

    start
    CloseProcesses:
    MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION
    Task: {20568BB1-CA37-4B16-82CB-EE29E60803A6} - System32\Tasks\QY => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
    Task: {948DF117-18EC-4442-A415-819AABA42F2C} - System32\Tasks\XZQE => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
    C:\Users\bob\AppData\Roaming\QY.exe
    C:\Users\bob\AppData\Roaming\XZQE.exe
    Task: C:\Windows\Tasks\QY.job => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
    Task: C:\Windows\Tasks\XZQE.job => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
    Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
    2014-10-13 10:54 - 2014-10-16 18:02 - 00001326 _____ () C:\Windows\Tasks\XZQE.job
    2014-10-13 10:54 - 2014-10-16 18:02 - 00001322 _____ () C:\Windows\Tasks\QY.job
    2014-10-13 10:54 - 2014-10-13 10:54 - 00004344 _____ () C:\Windows\System32\Tasks\XZQE
    2014-10-13 10:54 - 2014-10-13 10:54 - 00004340 _____ () C:\Windows\System32\Tasks\QY
    C:\Users\bob\AppData\Local\Temp\avgnt.exe
    C:\Users\bob\AppData\Local\Temp\Quarantine.exe
    C:\Users\bob\AppData\Local\Temp\sqlite3.dll
    EmptyTemp:
    Hosts:
    End
    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


    ~~~~~~~~~~~~~~~

    Open AdwCleaner; we need to delete this version and download a newer one. Click on uninstall/delete.

    -AdwCleaner-by Xplode

    Click on this link to download: AdwCleaner
    Click on ONE of the Two Blue Download Now buttons That have a blue arrow beside them and save it to your desktop.

    Do not click on any links in the top Advertisement.



    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Scan.
    • After the scan is complete click on "Clean"
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
    • NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.


    ~~~~~~~~~~~~~~
    please post
    Fixlog.txt
    C:\AdwCleaner.txt
    JRT.txt
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
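As an added example (not code from the thread, from FRST or from Farbar), here is a small Python triage script for the procedure above: it parses FRST-style task and dated file lines, flags tasks whose action runs from a user-writable profile folder (FRST's own <==== ATTENTION marker plus an added path heuristic), and drafts the fixlist lines the post builds by hand. The sample log is constructed to mirror the thread; the Flash updater task, its all-zero GUID and the Updater.job line are placeholders.

```python
"""FRST log triage: flag suspicious scheduled tasks and draft fixlist lines.

Added example for this thread; not code from the thread, FRST or Farbar.
It parses the two FRST line types copied into the fix above (scheduled-task
entries and dated file entries), flags tasks whose action runs from a
user-writable profile folder, and emits fixlist.txt lines in the shape the
helper built by hand: task lines, their executables, their on-disk files.
"""
import re
from dataclasses import dataclass

ATTENTION = "<==== ATTENTION"   # marker FRST appends to entries it flags

# "Task: {GUID} - System32\Tasks\QY => C:\...\QY.exe" or "Task: C:\Windows\Tasks\QY.job => ..."
TASK_RE = re.compile(r"^Task:\s+(?P<task>.+?)\s+=>\s+(?P<action>.+)$")
# "2014-10-13 10:54 - 2014-10-16 18:02 - 00001326 _____ () C:\Windows\Tasks\XZQE.job"
FILE_RE = re.compile(r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
                     r"(?P<size>\d{8}) [_A-Z]{5} \((?P<company>[^)]*)\) (?P<path>.+)$")

# Profile folders a scheduled task has no ordinary reason to launch from.
# Heuristic chosen for this example; tune it for your own environment.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")

@dataclass
class TaskEntry:
    raw: str       # line exactly as FRST printed it (what fixlist.txt takes)
    task: str      # task name or .job path
    action: str    # executable the task runs
    flagged: bool  # FRST itself marked the line with "<==== ATTENTION"

@dataclass
class FileEntry:
    raw: str
    created: str   # "YYYY-MM-DD HH:MM"
    path: str

def parse_frst(text):
    """Split FRST log text into task entries and dated file entries."""
    tasks, files = [], []
    for raw in text.splitlines():
        line = raw.strip()
        flagged = line.endswith(ATTENTION)
        core = line[: -len(ATTENTION)].rstrip() if flagged else line
        if m := TASK_RE.match(core):
            tasks.append(TaskEntry(line, m["task"], m["action"], flagged))
        elif m := FILE_RE.match(line):
            files.append(FileEntry(line, m["created"], m["path"]))
    return tasks, files

def suspicious_tasks(tasks):
    """Tasks FRST flagged, plus any whose action lives in a profile folder."""
    return [t for t in tasks
            if t.flagged or any(p in t.action.lower() for p in USER_WRITABLE)]

def task_stem(path):
    """Last path component, lower-cased, minus a .job suffix (QY.job -> qy)."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".job") else name

def build_fixlist(text):
    """Fixlist lines for suspicious tasks: entries, executables, artifacts."""
    tasks, files = parse_frst(text)
    bad = suspicious_tasks(tasks)
    lines = []

    def add(s):                 # keep order, drop duplicates
        if s not in lines:
            lines.append(s)

    for t in bad:
        add(t.raw)
    for t in bad:
        add(t.action)
    stems = {task_stem(t.task) for t in bad}
    for f in files:             # task XML under System32\Tasks and the .job copies
        if task_stem(f.path) in stems:
            add(f.raw)
    return ["start", "CloseProcesses:"] + lines + ["EmptyTemp:", "End"]

# Constructed sample mirroring the thread's entries.  The Flash updater task
# (all-zero placeholder GUID) and the unflagged Updater.job line are made up,
# to show a benign task and a profile-folder task that carries no FRST marker.
SAMPLE_LOG = r"""
Task: {20568BB1-CA37-4B16-82CB-EE29E60803A6} - System32\Tasks\QY => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
Task: {948DF117-18EC-4442-A415-819AABA42F2C} - System32\Tasks\XZQE => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\QY.job => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
Task: C:\Windows\Tasks\XZQE.job => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
Task: C:\Windows\Tasks\Updater.job => C:\Users\bob\AppData\Local\Temp\upd.exe
2014-10-13 10:54 - 2014-10-16 18:02 - 00001326 _____ () C:\Windows\Tasks\XZQE.job
2014-10-13 10:54 - 2014-10-16 18:02 - 00001322 _____ () C:\Windows\Tasks\QY.job
2014-10-13 10:54 - 2014-10-13 10:54 - 00004344 _____ () C:\Windows\System32\Tasks\XZQE
2014-10-13 10:54 - 2014-10-13 10:54 - 00004340 _____ () C:\Windows\System32\Tasks\QY
2014-10-14 11:52 - 2014-08-06 22:26 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
"""

if __name__ == "__main__":
    print("\n".join(build_fixlist(SAMPLE_LOG)))
```

The drafted list is a starting point for a helper to review entry by entry; FRST removes whatever the final fixlist names.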

  3. #3
    Member
    Join Date
    Sep 2008
    Location
    portsmouth
    Posts
    61

    Default

    This does not show up in the remove software panel:
    Wajam Internet Enhancer

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 16-10-2014
    Ran by bob at 2014-10-17 14:18:22 Run:1
    Running from C:\Users\bob\Desktop
    Loaded Profile: bob (Available profiles: bob)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    start
    CloseProcesses:
    MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION
    Task: {20568BB1-CA37-4B16-82CB-EE29E60803A6} - System32\Tasks\QY => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
    Task: {948DF117-18EC-4442-A415-819AABA42F2C} - System32\Tasks\XZQE => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
    C:\Users\bob\AppData\Roaming\QY.exe
    C:\Users\bob\AppData\Roaming\XZQE.exe
    Task: C:\Windows\Tasks\QY.job => C:\Users\bob\AppData\Roaming\QY.exe <==== ATTENTION
    Task: C:\Windows\Tasks\XZQE.job => C:\Users\bob\AppData\Roaming\XZQE.exe <==== ATTENTION
    Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
    2014-10-13 10:54 - 2014-10-16 18:02 - 00001326 _____ () C:\Windows\Tasks\XZQE.job
    2014-10-13 10:54 - 2014-10-16 18:02 - 00001322 _____ () C:\Windows\Tasks\QY.job
    2014-10-13 10:54 - 2014-10-13 10:54 - 00004344 _____ () C:\Windows\System32\Tasks\XZQE
    2014-10-13 10:54 - 2014-10-13 10:54 - 00004340 _____ () C:\Windows\System32\Tasks\QY
    C:\Users\bob\AppData\Local\Temp\avgnt.exe
    C:\Users\bob\AppData\Local\Temp\Quarantine.exe
    C:\Users\bob\AppData\Local\Temp\sqlite3.dll
    EmptyTemp:
    Hosts:
    End
    *****************

    Processes closed successfully.
    MySafeProxy for Internet Explorer (HKLM-x32\...\{2535ED3F-5ADD-4A65-B07F-82F04C7358E7}) (Version: 1.0.6 - XTRM Group Ltd.) <==== ATTENTION => Error: No automatic fix found for this entry.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{20568BB1-CA37-4B16-82CB-EE29E60803A6}" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{20568BB1-CA37-4B16-82CB-EE29E60803A6}" => Key deleted successfully.
    C:\Windows\System32\Tasks\QY => Moved successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\QY" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{948DF117-18EC-4442-A415-819AABA42F2C}" => Key deleted successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{948DF117-18EC-4442-A415-819AABA42F2C}" => Key deleted successfully.
    C:\Windows\System32\Tasks\XZQE => Moved successfully.
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\XZQE" => Key deleted successfully.
    "C:\Users\bob\AppData\Roaming\QY.exe" => File/Directory not found.
    "C:\Users\bob\AppData\Roaming\XZQE.exe" => File/Directory not found.
    C:\Windows\Tasks\QY.job => Moved successfully.
    C:\Windows\Tasks\XZQE.job => Moved successfully.
    "HKCR\PROTOCOLS\Handler\ipp\0x00000001" => Key deleted successfully.
    "HKCR\CLSID\{E1D2BF42-A96B-11D1-9C6B-0000F875AC61}" => Key not found.
    "C:\Windows\Tasks\XZQE.job" => File/Directory not found.
    "C:\Windows\Tasks\QY.job" => File/Directory not found.
    "C:\Windows\System32\Tasks\XZQE" => File/Directory not found.
    "C:\Windows\System32\Tasks\QY" => File/Directory not found.
    C:\Users\bob\AppData\Local\Temp\avgnt.exe => Moved successfully.
    C:\Users\bob\AppData\Local\Temp\Quarantine.exe => Moved successfully.
    C:\Users\bob\AppData\Local\Temp\sqlite3.dll => Moved successfully.
    "C:\Windows\System32\Drivers\etc\hosts" => Could not move.
    Could not reset Hosts.
    EmptyTemp: => Removed 95.2 MB temporary data.


    The system needed a reboot.

    ==== End of Fixlog ====

    # AdwCleaner v4.000 - Report created 17/10/2014 at 14:36:28
    # DB v2014-10-17.9
    # Updated 12/10/2014 by Xplode
    # Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
    # Username : bob - BOB-PC
    # Running from : C:\Users\bob\Downloads\AdwCleaner.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****


    ***** [ Scheduled Tasks ] *****


    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\SOFTWARE\Upt
    Key Deleted : HKLM\SOFTWARE\WinUpd
    Key Deleted : HKLM\SOFTWARE\SI-App
    Key Deleted : HKLM\SOFTWARE\RST
    Key Deleted : [x64] HKLM\SOFTWARE\Upt
    Key Deleted : [x64] HKLM\SOFTWARE\WinUpd
    Key Deleted : [x64] HKLM\SOFTWARE\SI-App
    Key Deleted : [x64] HKLM\SOFTWARE\RST

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.17344


    -\\ Mozilla Firefox v33.0 (x86 en-US)


    *************************

    AdwCleaner[R0].txt - [1019 octets] - [17/10/2014 14:33:37]
    AdwCleaner[S0].txt - [935 octets] - [17/10/2014 14:36:28]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [994 octets] ##########


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.3.3 (10.14.2014:1)
    OS: Windows 7 Ultimate x64
    Ran by bob on Fri 10/17/2014 at 14:44:01.69
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys



    ~~~ Files

    Successfully deleted: [File] "C:\Windows\wininit.ini"



    ~~~ Folders



    ~~~ FireFox

    Emptied folder: C:\Users\bob\AppData\Roaming\mozilla\firefox\profiles\q42j5mhf.default\minidumps [2 files]



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Fri 10/17/2014 at 14:46:47.60
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    I am still getting the additional windows opening.

    Thanks for the quick response.
    Last edited by Juliet; 2014-10-17 at 20:27.

  4. #4
    Member
    Join Date
    Sep 2008
    Location
    portsmouth
    Posts
    61

    Default

    I note that the proxy setup does not stay in automatic although there is no information in the two small windows.
    Last edited by Juliet; 2014-10-17 at 20:27.

  5. #5
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    I want you to reset your browsers back to default.
    If you don't have all of these just go to the next.

    http://www.howtogeek.com/171924/how-...Speed=noscript



    Open Internet Explorer, click on the “gear icon” in the upper right part of your browser, then click again on Internet Options.
    In the “Internet Options” dialog box, click on the “Advanced” tab, then click on the “Reset” button.
    In the “Reset Internet Explorer settings” section, select the “Delete personal settings” check box, then click on “Reset” button.
    When Internet Explorer has completed its task, click on the “Close” button in the confirmation dialogue box. You will now need to close your browser.


    If you’re having problems with Firefox, resetting it can help. The reset feature fixes many issues by restoring Firefox to its factory default state while saving your essential information like bookmarks, passwords, web form auto-fill information, browsing history and open tabs.

    In the upper-right corner of the Firefox window, click the Firefox menu button (3 thin lines), then click on the “Help” (light blue question mark) button.
    From the Help menu, choose Troubleshooting Information.
    If you’re unable to access the Help menu, type about:support in your address bar to bring up the Troubleshooting information page.
    Click the “Reset Firefox” button in the upper-right corner of the “Troubleshooting Information” page.
    To continue, click on the “Reset Firefox” button in the new confirmation window that opens.
    Firefox will close itself and will revert to its default settings. When it’s done, a window will list the information that was imported. Click on “Finish”.

    Note: Your old Firefox profile will be placed on your desktop in a folder named “Old Firefox Data”. If the reset didn’t fix your problem you can restore some of the information not saved by copying files to the new profile that was created. If you don’t need this folder any longer, you should delete it as it contains sensitive information.




    Let's set Chrome back to factory defaults

    • Click the Chrome menu on the browser toolbar.
    • Select Settings.
    • Scroll down to Show advanced settings...
    • Down on the bottom you will see an option for RESET BROWSER SETTINGS
    • Click on it and it will set Chrome back to defaults




    Click on Chrome’s main menu button, represented by three horizontal lines. When the drop-down menu appears, select the option labeled Settings.
    Chrome’s Settings should now be displayed in a new tab or window, depending on your configuration. Next, scroll to the bottom of the page and click on the Show advanced settings link.
    Chrome’s advanced Settings should now be displayed. Scroll down until the Reset browser settings section is visible, as shown in the example below. Next, click on the Reset browser settings button.
    A confirmation dialog should now be displayed, detailing the components that will be restored to their default state should you continue on with the reset process. To complete the restoration process, click on the Reset button.

    ~~~~~~~~~~~~~~~~

    If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.
    Emergency Backup Procedure - Tech Support Forum

    Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

    How to use ComboFix

    Download ComboFix from here:
    Link 1
    Link 2
    Link 3

    Place ComboFix.exe on your Desktop <--Important
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
      * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.



      You can get help on disabling your protection programs here
    • Double click on ComboFix.exe & follow the prompts.
    • You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
    • Your desktop may go blank. This is normal. It will return when ComboFix is done. Combofix may need to reboot your computer more than once to do its job this is normal.
    • When finished, it shall produce a log for you. Post that log in your next reply

      Note:
      Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


      Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

      ---------------------------------------------------------------------------------------------
    • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

      Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
      Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
      ---------------------------------------------------------------------------------------------
    • If there are Internet issues after running ComboFix:
      Internet Explorer:
      Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings". Also clear any proxy address and port. ok, apply (only if applicable), ok.
      Firefox:
      Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.
      Chrome:
      Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings" , then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.
      Safari
      Launch Safari
      Go to general settings menu
      Then in Preferences/ Advanced
      Then on line click Proxies change settings ...
      Click Internet Options, then click the Connections tab, click Network Settings.
      Disable option (uncheck) for the use of proxy server ...

  6. #6
    Member
    Join Date
    Sep 2008
    Location
    portsmouth
    Posts
    61

    Default

    I am having trouble shutting down both Spybot and Avira, as Avira is not in my system tray and the Spybot window does not have a "mode" choice?
    I have reset both Firefox and Internet Explorer, but still get the unwanted windows.

    Please tell me how to shut down the two antiviruses, or I could take them out of the startup menu.
    Last edited by Juliet; 2014-10-18 at 01:20.

  7. #7
    Member
    Join Date
    Sep 2008
    Location
    portsmouth
    Posts
    61

    Default

    Quote Originally Posted by bobbym View Post
    I am having trouble shutting down both Spybot and Avira, as Avira is not in my system tray and the Spybot window does not have a "mode" choice?
    I have reset both Firefox and Internet Explorer, but still get the unwanted windows.

    Please tell me how to shut down the two antiviruses, or I could take them out of the startup menu.


    Have just checked the proxy window. It does not stay at "automatic"; it always reverts back to "use proxy".

    Going to bed, will look out for you tomorrow morning.


    Thanks

  8. #8
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Please use the Reply To Thread button at the bottom left of the page.

    Avira's Antivir

    Please navigate to the system tray on the bottom right hand corner and look for an open white umbrella on red background.

    Right click it -> untick the option "AntiVir Guard enable".
    You should now see a closed, white umbrella on a red background.

    You successfully disabled the AntiVir Guard.


    Windows Defender

    Launch Windows Defender, right click on the System Tray icon, select Open.
    Click on Tools>Options.
    Scroll down and uncheck "Use real-time protection (recommended)".
    Scroll down further, and uncheck "Use Windows Defender"
    After you uncheck these, click on the Save button, approve the UAC prompt, and close Windows Defender.


    Spybot - Search and Destroy

    Run Spybot-S&D, switch to the Advanced mode via the menu bar item Mode → hit Yes → select Tools in the navigation bar on the left → Resident and there you can untick the checkboxes in front of the two tools.



    Explorer and Google use the same settings. So when you change one, the other responds as well. The easiest way to fix this is in Explorer, but if you don't have that, you can do the same thing by going to the Google Chrome icon, right click and open it with "Run as Administrator." Then do the same things I did below from Chrome Settings. If you don't know where to find this, the bar just below the top bar has 3 horizontal lines. Click with the left button, go down to Settings, then go to Advanced Settings towards the bottom to CHANGE PROXY SETTINGS. This brings up the same Setting Box as in Internet Explorer. Then follow the instructions in "D".

    A. If you have Internet Explorer, go to your icon for Internet Explorer on the Start Menu. Click on your right mouse button and on the drop down menu, open it with "Run as Administrator."

    B. When you do this, then a box opens and it asks if you want this program to make changes to your computer. Click Yes. Then it opens Explorer.

    C. Go up to the menu (If you don't see one, then click on gray bar just under the dark blue Internet Explorer Bar with your right mouse and check menu). On the Menu bar, go to Tools and then at the drop down menu, click on Internet Options.

    D. Then select the tab, Connections, then LAN settings and REMOVE THE CHECK from USE PROXY SERVER and now CHECK AUTOMATICALLY DETECT SETTINGS. CLICK OK in LAN Setting Box and then OK in the final window. NOW IT WILL STAY since it now recognizes you as the Administrator.

  9. #9
    Member
    Join Date
    Sep 2008
    Location
    portsmouth
    Posts
    61

    Default

    Good Morning.

    OK, last night as I was preparing to shut down the computer, i.e. closing programs, "ComboFix" was still running, waiting for the antivirus software to be shut down. When I clicked Yes it started its scan and appeared to run OK. Below is the ComboFix report.

    ComboFix 14-10-15.01 - bob 10/17/2014 23:00:27.1.2 - x64
    Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.4086.2479 [GMT 1:00]
    Running from: c:\users\bob\Downloads\ComboFix.exe
    AV: Avira Desktop *Enabled/Updated* {4D041356-F94D-285F-8768-AAE50FA36859}
    SP: Avira Desktop *Enabled/Updated* {F665F2B2-DF77-27D1-BDD8-9197742422E4}
    SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\bob\AppData\Local\Temp\avgnt.exe\Avira.OE.ExtApi.dll
    E:\uninstall.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-09-17 to 2014-10-17 )))))))))))))))))))))))))))))))
    .
    .
    2014-10-17 22:03 . 2014-10-17 22:03 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-10-17 13:43 . 2014-10-17 13:43 -------- d-----w- c:\windows\ERUNT
    2014-10-17 13:33 . 2014-10-17 13:36 -------- d-----w- C:\AdwCleaner
    2014-10-17 13:10 . 2014-10-17 13:10 -------- d-----w- c:\windows\system32\appmgmt
    2014-10-16 17:55 . 2014-09-19 01:26 139264 ----a-w- c:\windows\system32\ieUnatt.exe
    2014-10-16 17:54 . 2014-09-13 01:58 77312 ----a-w- c:\windows\system32\packager.dll
    2014-10-16 17:54 . 2014-09-13 01:40 67072 ----a-w- c:\windows\SysWow64\packager.dll
    2014-10-16 17:36 . 2014-10-17 13:18 -------- d-----w- C:\FRST
    2014-10-16 17:27 . 2014-10-16 17:27 -------- d-----w- C:\RegBackup
    2014-10-15 09:13 . 2014-10-15 09:13 -------- d-----w- c:\program files\CCleaner
    2014-10-14 17:08 . 2014-10-14 17:08 -------- d-----w- c:\users\bob\AppData\Local\CheckCode
    2014-10-13 17:09 . 2014-10-13 17:09 -------- d-----w- c:\users\bob\AppData\Local\Deployment
    2014-10-13 17:08 . 2014-10-13 17:08 -------- d-----w- c:\users\bob\AppData\Local\fastplayer
    2014-10-13 17:08 . 2014-10-13 17:08 -------- d-----w- c:\windows\SysWow64\Direct3dTextWin32
    2014-10-13 09:54 . 2014-10-13 09:54 -------- d-----w- c:\users\bob\AppData\Local\com
    2014-10-06 10:50 . 2014-10-06 10:50 -------- d-----w- c:\users\bob\AppData\Local\Apps
    2014-10-01 21:04 . 2014-09-25 02:08 371712 ----a-w- c:\windows\system32\qdvd.dll
    2014-10-01 21:04 . 2014-09-25 01:40 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
    2014-09-28 16:30 . 2014-09-09 22:11 2048 ----a-w- c:\windows\system32\tzres.dll
    2014-09-28 16:30 . 2014-09-09 21:47 2048 ----a-w- c:\windows\SysWow64\tzres.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-10-16 17:56 . 2014-08-05 20:52 103265616 ----a-w- c:\windows\system32\MRT.exe
    2014-10-16 17:14 . 2014-08-12 16:45 43064 ----a-w- c:\windows\system32\drivers\avnetflt.sys
    2014-10-16 17:14 . 2014-08-11 17:13 131608 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2014-10-16 17:14 . 2014-08-11 17:13 119272 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2014-10-14 10:52 . 2014-08-06 21:26 122584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
    2014-09-10 16:51 . 2014-08-06 17:24 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-09-10 16:51 . 2014-08-06 17:24 701104 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2014-08-23 02:07 . 2014-08-28 16:00 404480 ----a-w- c:\windows\system32\gdi32.dll
    2014-08-23 01:45 . 2014-08-28 16:00 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
    2014-08-06 11:53 . 2014-08-06 11:53 194048 ----a-w- c:\windows\SysWow64\elshyph.dll
    2014-08-06 11:53 . 2014-08-06 11:53 942592 ----a-w- c:\windows\system32\jsIntl.dll
    2014-08-06 11:53 . 2014-08-06 11:53 90112 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
    2014-08-06 11:53 . 2014-08-06 11:53 86016 ----a-w- c:\windows\SysWow64\iesysprep.dll
    2014-08-06 11:53 . 2014-08-06 11:53 86016 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
    2014-08-06 11:53 . 2014-08-06 11:53 81408 ----a-w- c:\windows\system32\icardie.dll
    2014-08-06 11:53 . 2014-08-06 11:53 774144 ----a-w- c:\windows\system32\jscript.dll
    2014-08-06 11:53 . 2014-08-06 11:53 77312 ----a-w- c:\windows\system32\tdc.ocx
    2014-08-06 11:53 . 2014-08-06 11:53 74240 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
    2014-08-06 11:53 . 2014-08-06 11:53 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
    2014-08-06 11:53 . 2014-08-06 11:53 645120 ----a-w- c:\windows\SysWow64\jsIntl.dll
    2014-08-06 11:53 . 2014-08-06 11:53 62464 ----a-w- c:\windows\SysWow64\tdc.ocx
    2014-08-06 11:53 . 2014-08-06 11:53 62464 ----a-w- c:\windows\system32\pngfilt.dll
    2014-08-06 11:53 . 2014-08-06 11:53 616104 ----a-w- c:\windows\system32\ieapfltr.dat
    2014-08-06 11:53 . 2014-08-06 11:53 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
    2014-08-06 11:53 . 2014-08-06 11:53 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
    2014-08-06 11:53 . 2014-08-06 11:53 48640 ----a-w- c:\windows\system32\mshtmler.dll
    2014-08-06 11:53 . 2014-08-06 11:53 48128 ----a-w- c:\windows\system32\imgutil.dll
    2014-08-06 11:53 . 2014-08-06 11:53 413696 ----a-w- c:\windows\system32\html.iec
    2014-08-06 11:53 . 2014-08-06 11:53 36352 ----a-w- c:\windows\SysWow64\imgutil.dll
    2014-08-06 11:53 . 2014-08-06 11:53 337408 ----a-w- c:\windows\SysWow64\html.iec
    2014-08-06 11:53 . 2014-08-06 11:53 30208 ----a-w- c:\windows\system32\licmgr10.dll
    2014-08-06 11:53 . 2014-08-06 11:53 247808 ----a-w- c:\windows\system32\msls31.dll
    2014-08-06 11:53 . 2014-08-06 11:53 24576 ----a-w- c:\windows\SysWow64\licmgr10.dll
    2014-08-06 11:53 . 2014-08-06 11:53 243200 ----a-w- c:\windows\system32\webcheck.dll
    2014-08-06 11:53 . 2014-08-06 11:53 235520 ----a-w- c:\windows\system32\url.dll
    2014-08-06 11:53 . 2014-08-06 11:53 235008 ----a-w- c:\windows\system32\elshyph.dll
    2014-08-06 11:53 . 2014-08-06 11:53 182272 ----a-w- c:\windows\SysWow64\msls31.dll
    2014-08-06 11:53 . 2014-08-06 11:53 167424 ----a-w- c:\windows\system32\iexpress.exe
    2014-08-06 11:53 . 2014-08-06 11:53 151552 ----a-w- c:\windows\SysWow64\iexpress.exe
    2014-08-06 11:53 . 2014-08-06 11:53 147968 ----a-w- c:\windows\system32\occache.dll
    2014-08-06 11:53 . 2014-08-06 11:53 143872 ----a-w- c:\windows\system32\wextract.exe
    2014-08-06 11:53 . 2014-08-06 11:53 139264 ----a-w- c:\windows\SysWow64\wextract.exe
    2014-08-06 11:53 . 2014-08-06 11:53 13824 ----a-w- c:\windows\system32\mshta.exe
    2014-08-06 11:53 . 2014-08-06 11:53 135680 ----a-w- c:\windows\system32\iepeers.dll
    2014-08-06 11:53 . 2014-08-06 11:53 13312 ----a-w- c:\windows\SysWow64\mshta.exe
    2014-08-06 11:53 . 2014-08-06 11:53 13312 ----a-w- c:\windows\system32\msfeedssync.exe
    2014-08-06 11:53 . 2014-08-06 11:53 131072 ----a-w- c:\windows\system32\IEAdvpack.dll
    2014-08-06 11:53 . 2014-08-06 11:53 111616 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
    2014-08-06 11:53 . 2014-08-06 11:53 105984 ----a-w- c:\windows\system32\iesysprep.dll
    2014-08-06 11:53 . 2014-08-06 11:53 101376 ----a-w- c:\windows\system32\inseng.dll
    2014-08-06 11:51 . 2014-08-06 11:51 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 648192 ----a-w- c:\windows\system32\d3d10level9.dll
    2014-08-06 11:51 . 2014-08-06 11:51 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
    2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2014-08-06 11:51 . 2014-08-06 11:51 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
    2014-08-06 11:51 . 2014-08-06 11:51 363008 ----a-w- c:\windows\system32\dxgi.dll
    2014-08-06 11:51 . 2014-08-06 11:51 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
    2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 296960 ----a-w- c:\windows\system32\d3d10core.dll
    2014-08-06 11:51 . 2014-08-06 11:51 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
    2014-08-06 11:51 . 2014-08-06 11:51 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
    2014-08-06 11:51 . 2014-08-06 11:51 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
    2014-08-06 11:51 . 2014-08-06 11:51 221184 ----a-w- c:\windows\system32\UIAnimation.dll
    2014-08-06 11:51 . 2014-08-06 11:51 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll
    2014-08-06 11:51 . 2014-08-06 11:51 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
    2014-08-06 11:51 . 2014-08-06 11:51 194560 ----a-w- c:\windows\system32\d3d10_1.dll
    2014-08-06 11:51 . 2014-08-06 11:51 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
    2014-08-06 11:51 . 2014-08-06 11:51 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
    2014-08-06 11:51 . 2014-08-06 11:51 1643520 ----a-w- c:\windows\system32\DWrite.dll
    2014-08-06 11:51 . 2014-08-06 11:51 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
    2014-08-06 11:51 . 2014-08-06 11:51 1247744 ----a-w- c:\windows\SysWow64\DWrite.dll
    2014-08-06 11:51 . 2014-08-06 11:51 1238528 ----a-w- c:\windows\system32\d3d10.dll
    2014-08-06 11:51 . 2014-08-06 11:51 1175552 ----a-w- c:\windows\system32\FntCache.dll
    2014-08-06 11:51 . 2014-08-06 11:51 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll
    2014-08-06 11:51 . 2014-08-06 11:51 1080832 ----a-w- c:\windows\SysWow64\d3d10.dll
    2014-08-06 11:51 . 2014-08-06 11:51 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
    2014-08-06 11:51 . 2014-08-06 11:51 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    2014-08-06 10:36 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
    2014-08-06 10:36 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
    2014-08-01 11:53 . 2014-09-10 16:33 1031168 ----a-w- c:\windows\system32\TSWorkspace.dll
    2014-08-01 11:35 . 2014-09-10 16:33 793600 ----a-w- c:\windows\SysWow64\TSWorkspace.dll
    2014-07-25 01:35 . 2014-07-25 01:35 875688 ----a-w- c:\windows\SysWow64\msvcr120_clr0400.dll
    2014-07-24 22:47 . 2014-07-24 22:47 869544 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
    2014-07-23 12:29 . 2014-08-11 17:13 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
    2014-07-23 09:52 . 2014-08-05 20:37 270496 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Spybot-S&D Cleaning"="e:\program files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" [2014-06-24 4566952]
    "CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2014-09-26 6482200]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2014-10-16 703736]
    "Avira Systray"="c:\program files (x86)\Avira\My Avira\Avira.OE.Systray.exe" [2014-09-23 165168]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Microsoft Office.lnk - e:\office\OSA9.EXE -b -l [1999-2-17 65588]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="userinit.exe"
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean64.exe
    .
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
    R2 Direct3dTextWin32;Direct3dTextWin32;c:\windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe;c:\windows\SysWOW64\Direct3dTextWin32\Direct3dTextWin32.exe [x]
    R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
    R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
    R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
    R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
    R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
    S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
    S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
    S2 Avira.OE.ServiceHost;Avira Service Host;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe;c:\program files (x86)\Avira\My Avira\Avira.OE.ServiceHost.exe [x]
    S2 SDScannerService;Spybot-S&D 2 Scanner Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
    S2 SDUpdateService;Spybot-S&D 2 Updating Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
    S2 SDWSCService;Spybot-S&D 2 Security Center Service;e:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe;e:\program files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [x]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WS2IFSL
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-10-17 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-08-06 16:51]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 165912]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 385560]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 363544]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = www.google.com
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyServer = http=127.0.0.1:34484
    uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\e568ifz3.default-1413572278333\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-Locked - (no file)
    Wow6432Node-HKU-Default-RunOnce-SPReview - c:\windows\System32\SPReview\SPReview.exe
    Notify-SDWinLogon - SDWinLogon.dll
    HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
    Toolbar-Locked - (no file)
    AddRemove-Tweaking.com - Registry Backup - e:\\uninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
    .
    **************************************************************************
    .
    Completion time: 2014-10-17 23:08:33 - machine was rebooted
    ComboFix-quarantined-files.txt 2014-10-17 22:08
    .
    Pre-Run: 3,058,159,616 bytes free
    Post-Run: 2,880,585,728 bytes free
    .
    - - End Of File - - 86462F9CF298AD88E0D36195135629EE
    A36C5E4F47E84449FF07ED3517B43A31




    I have now got the avira icon in the system tray, which showed up this morning after combofix had been run last night.
    (I was wondering if Spybot and Avira are not running if there are no browsers open)

    My Spybot version is 2.4.40.0 and only has "Help" in the menu bar.
    In advanced user mode there is: Report Creator : Settings : Start up tools : System repair : Secure shredder : Rootkit scanner : phone scan : Boot CD creator : Open SBI Editor : Script Editor : Repair Environment.

    Does this version of Spybot have "Teatime"? I cannot find any mention of it by using the "search".

    As for my proxy problem, I followed your instructions using Windows Explorer run "As Administrator", but as before, after you have clicked OK on both the Proxy window and the Connection window, if you then go back and look it is back to "Use Proxy". The Apply button never lights up. I am using an ISDN router connected to a land line with TalkTalk as my provider, so I do not think that it is a TalkTalk requirement.

    I have just checked; I am still getting the extra windows opening.
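The two proxy values quoted on this page (`http=127.0.0.1:34484` in the ComboFix Supplementary Scan above, `http=127.0.0.1:20194` in the FRST fixlist in the next reply) both send Internet Explorer's traffic to a listener on the machine itself, and the port differs between the two logs, which fits the report that the setting comes back after being switched off. As an added triage example, not a tool used in this thread, the Python below pulls `ProxyServer` values out of ComboFix- and FRST-style log text, parses them the way the WinINet setting is structured (a single `host:port`, or a `;`-separated list of `scheme=host:port`), flags loopback proxies, and lists the distinct loopback ports seen across several logs of the same machine. The sample log lines are constructed from the lines posted in this thread; `proxy.corp.example` is a made-up stand-in for a legitimate corporate proxy.

```python
"""Triage helper for ComboFix / FRST logs: find Internet Explorer (WinINet)
proxy settings that point at the local machine.

Added example, not part of the thread's own tooling.  Sample lines are
constructed from the logs posted in the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the Supplementary Scan lines from the ComboFix log above.
COMBOFIX_SAMPLE = "\n".join([
    r"uLocal Page = c:\windows\system32\blank.htm",
    r"uStart Page = www.google.com",
    r"mLocal Page = c:\windows\SysWOW64\blank.htm",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:34484",
    r"uInternet Settings,ProxyOverride = <local>;*origin.com;*ea.com;*akamaihd.net",
    r"TCP: DhcpNameServer = 192.168.1.1",
])

# Constructed sample: the proxy lines quoted in the FRST fixlist further down.
FRST_SAMPLE = "\n".join([
    "ProxyEnable: Internet Explorer proxy is enabled.",
    "ProxyServer: http=127.0.0.1:20194",
])

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Both log formats name the value "ProxyServer"; ComboFix writes " = ", FRST writes ": ".
PROXY_RE = re.compile(r"ProxyServer\s*[=:]\s*(?P<value>.+?)\s*$")


@dataclass(frozen=True)
class ProxyEntry:
    scheme: str            # "http", "https", "ftp", "socks", or "" for an all-protocol proxy
    host: str
    port: Optional[int]    # None when the value carries no port

    @property
    def is_loopback(self) -> bool:
        return self.host.lower() in LOOPBACK_HOSTS


def parse_proxy_value(value: str) -> List[ProxyEntry]:
    """Split a WinINet ProxyServer value into entries.

    WinINet stores either one "host:port" used for every protocol, or a
    ';'-separated list of "scheme=host:port" items."""
    entries = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        scheme, _, hostport = item.rpartition("=")   # scheme is "" when absent
        host, sep, port = hostport.rpartition(":")
        if not sep:                                  # no port given
            host, port = hostport, ""
        host = host.strip("[]")                      # "[::1]" -> "::1"
        entries.append(ProxyEntry(scheme.lower(), host,
                                  int(port) if port.isdigit() else None))
    return entries


def extract_proxies(log_text: str) -> List[ProxyEntry]:
    """Return every proxy entry found in ComboFix- or FRST-style log text."""
    found = []
    for line in log_text.splitlines():
        match = PROXY_RE.search(line)
        if not match:
            continue
        # Later FRST builds prefix the value with the user's SID and "=>";
        # keep only what follows the arrow.
        value = match.group("value").split("=>")[-1].strip()
        found.extend(parse_proxy_value(value))
    return found


def loopback_proxies(log_text: str) -> List[ProxyEntry]:
    """Proxy entries that route browser traffic to a listener on the machine itself."""
    return [entry for entry in extract_proxies(log_text) if entry.is_loopback]


def loopback_ports_across_logs(*logs: str) -> List[int]:
    """Distinct loopback proxy ports seen across several logs of the same machine.

    More than one port means the setting was re-written between the logs,
    which is what a setting that 'comes back' after being disabled looks like."""
    ports = set()
    for text in logs:
        ports.update(e.port for e in loopback_proxies(text) if e.port is not None)
    return sorted(ports)


if __name__ == "__main__":
    for name, text in (("ComboFix", COMBOFIX_SAMPLE), ("FRST", FRST_SAMPLE)):
        for entry in loopback_proxies(text):
            print(f"{name}: loopback proxy {entry.scheme or 'all'} -> {entry.host}:{entry.port}")
    print("loopback ports seen:", loopback_ports_across_logs(COMBOFIX_SAMPLE, FRST_SAMPLE))
```

Run against the two samples it reports one loopback proxy per log and two distinct ports. On a live machine the same values sit under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (`ProxyEnable`, `ProxyServer`), which is the key both tools read; a loopback proxy is only legitimate when you can name the local program that is supposed to be listening on that port.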

  10. #10
    Security Expert-emeritus Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084

    Default

    Still have FRST on desktop?

    Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right-click on it and select Copy.
    Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

    start
    CloseProcesses:
    ProxyEnable: Internet Explorer proxy is enabled.
    ProxyServer: http=127.0.0.1:20194
    Handler: ipp\0x00000001 - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - No File
    End
    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    Please download RogueKiller and save it to your desktop.

    You can check here if you're not sure whether your computer is 32-bit or 64-bit.
    • Download RogueKiller to your desktop.

    • Quit all running programs.
    • For Windows XP, double-click to start.
    • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
    • Read and accept the EULA (End User License Agreement).
    • Click Scan to scan the system.
    • When the scan completes Close the program > Don't Fix anything!
    • Don't run any other options, they're not all bad!!
    • Post back the report which should be located on your desktop.


    Please post these 2 logs.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
