GINA, an unknown value in Advanced Startup


Raymondo (New member)
Hi, thank you ever so much for your help! I think that this logon entry GINA is a spy?

I do not know where this came from, and I can't delete it as I am afraid I might cause damage to Winlogon in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Attachments: GinaUnknown.txt, Addition.txt, aswMBR.txt, FRST.txt

I also removed omniboxes in the registry but it came back again and I cannot find it to remove. Thanking you all so much for your help, Raymondo. Cheers.

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by Ray (administrator) on QOSMIO on 17-03-2015 12:14:03
Running from C:\Users\Ray\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0W30TEX
Loaded Profiles: Ray (Available profiles: Ray)
Platform: Microsoft Windows 7 Home Premium Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
() C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.6.306.7947\AdAwareService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\ToshibaServiceStation.exe
() C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.6.306.7947\AdAwareTray.exe
(Lavasoft Limited) C:\Program Files\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe
(Bandoo Media Inc.) C:\Users\Ray\AppData\Local\iLivid\iLivid.exe
(Desksware) C:\Program Files\desksware\Desktop iCalendar Lite\Desktop iCalendar Lite.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Lavasoft) C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(TOSHIBA CORPORATION) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
(Microsoft Corporation) C:\Windows\System32\wbem\unsecapp.exe
(TOSHIBA CORPORATION.) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
(TOSHIBA Corporation) C:\Program Files\Toshiba\TOSHIBA Service Station\TMachInfo.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
() C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) C:\Windows\System32\wuauclt.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWelcome.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDShred.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTools.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Dominik Reichl) C:\Program Files\KEEPASS\KeePass.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Tweaking.com) C:\Program Files\Tweaking.com\Registry Backup\TweakingRegistryBackup.exe
(Tweaking.com) C:\Program Files\Tweaking.com\Registry Backup\files\vss_start.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Program Files\Tweaking.com\Registry Backup\files\vss_7_8_2008_2012_32.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Tweaking.com) C:\Program Files\Tweaking.com\Registry Backup\files\vss_pause.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7625248 2009-07-28] (Realtek Semiconductor)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [978520 2015-01-30] (Microsoft Corporation)
HKLM\...\Run: [ITSecMng] => C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [83336 2008-12-19] (TOSHIBA CORPORATION)
HKLM\...\Run: [ToshibaServiceStation] => C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1298816 2011-07-11] (TOSHIBA Corporation)
HKLM\...\Run: [] => [X]
HKLM\...\Run: [AdAwareTray] => C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.6.306.7947\AdAwareTray.exe [8216048 2015-03-10] ()
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\Run: [iLivid] => C:\Users\Ray\AppData\Local\iLivid\iLivid.exe [6827008 2013-09-09] (Bandoo Media Inc.)
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\Run: [Desktop iCalendar Lite.exe] => C:\Program Files\desksware\Desktop iCalendar Lite\Desktop iCalendar Lite.exe [1087232 2013-07-06] (Desksware)
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5503768 2015-02-20] (Piriform Ltd)
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\Run: [Web Companion] => C:\Program Files\Lavasoft\Web Companion\Application\WebCompanion.exe [1298752 2015-02-23] (Lavasoft)
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\Run: [Spybot-S&D Cleaning] => C:\Program Files\Spybot - Search & Destroy 2\SDCleaner.exe [4566952 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\Policies\Explorer: [NoSaveSettings] 1
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\Policies\Explorer: [link] 0x00000000
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\MountPoints2: E - E:\LaunchU3.exe -a
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\MountPoints2: G - G:\LaunchU3.exe -a
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\MountPoints2: {c3f238a3-49f1-11e3-bfb8-001eec3fd11f} - E:\LaunchU3.exe -a
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
ShortcutTarget: Bluetooth Manager.lnk -> C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
BootExecute: autocheck autochk * sdnclean.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/en-au/?ocid=iehp
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://securedsearch.lavasoft.com/?pr=vmn&id=webcompa&ent=hp_WCYID10088_cnet_150302
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2577715357-3074203239-3946342261-1001 -> DefaultScope {BDF61FAE-9D19-40F0-8F34-688DEB334CA9} URL = http://securedsearch.lavasoft.com/results.php?pr=vmn&id=webcompa&ent=ch_WCYID10088_cnet_150302&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2577715357-3074203239-3946342261-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?pc=COSP&ptag=D030215-AE491287838034FE996F&form=CONBDF&conlogo=CT3331986&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2577715357-3074203239-3946342261-1001 -> {BDF61FAE-9D19-40F0-8F34-688DEB334CA9} URL = http://securedsearch.lavasoft.com/results.php?pr=vmn&id=webcompa&ent=ch_WCYID10088_cnet_150302&q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-26] (Microsoft Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} http://www.pcpitstop.com/internet/pcpConnCheck.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-26] (Microsoft Corporation)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2014-07-14] (Microsoft Corporation)
Winsock: Catalog9 01 C:\Windows\system32\LavasoftTcpService.dll [325944] (Lavasoft Limited)
Winsock: Catalog9 02 C:\Windows\system32\LavasoftTcpService.dll [325944] (Lavasoft Limited)
Winsock: Catalog9 03 C:\Windows\system32\LavasoftTcpService.dll [325944] (Lavasoft Limited)
Winsock: Catalog9 04 C:\Windows\system32\LavasoftTcpService.dll [325944] (Lavasoft Limited)
Winsock: Catalog9 48 C:\Windows\system32\LavasoftTcpService.dll [325944] (Lavasoft Limited)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\Ray\AppData\Roaming\Mozilla\Firefox\Profiles\3er9z533.default
FF DefaultSearchEngine: Bing
FF SelectedSearchEngine: Bing
FF Homepage: hxxp://securedsearch.lavasoft.com/?pr=vmn&id=webcompa&ent=hp_WCYID10088_cnet_150302
FF NewTab: hxxp://securedsearch.lavasoft.com/?pr=vmn&id=webcompa&ent=hp_WCYID10088_cnet_150302
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll [2015-02-17] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @videolan.org/vlc,version=2.0.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2012-02-18] (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF Extension: No Name - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 c2cautoupdatesvc; C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 LavasoftAdAwareService11; C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.6.306.7947\AdAwareService.exe [670808 2015-03-10] ()
R2 LavasoftTcpService; C:\Program Files\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe [836984 2015-02-23] (Lavasoft Limited)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [22184 2015-01-30] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [284472 2015-01-30] (Microsoft Corporation)
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1740760 2014-09-03] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 SearchProtectionService; C:\Program Files\Lavasoft\Web Companion\Application\Lavasoft.SearchProtect.WinService.exe [17768 2015-02-23] ()
R3 TMachInfo; C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [57216 2011-07-11] (TOSHIBA Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-27] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 Apowersoft_AudioDevice; C:\Windows\System32\drivers\Apowersoft_AudioDevice.sys [26032 2014-04-09] (Wondershare)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [239224 2014-11-15] (Microsoft Corporation)
S3 PRESONUS_AUDIOBOX_MIDI; C:\Windows\System32\drivers\psabusbm.sys [31864 2009-12-07] (Ploytec GmbH)
S3 PRESONUS_AUDIOBOX_USB; C:\Windows\System32\Drivers\psabusbu.sys [401016 2009-12-07] (Ploytec GmbH)
S3 PRESONUS_AUDIOBOX_WDM; C:\Windows\System32\drivers\psabusba.sys [40568 2009-12-07] (Ploytec GmbH)
S3 RkHit; C:\Windows\system32\drivers\RKHit.sys [34736 2010-12-28] ()
R1 SDHookDriver; C:\Program Files\Spybot - Search & Destroy 2\SDHookDrv32.sys [46336 2014-04-25] ()
S3 Trufos; C:\Windows\System32\DRIVERS\Trufos.sys [408280 2015-01-22] (BitDefender S.R.L.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-17 12:11 - 2015-03-17 12:14 - 00000000 ____D () C:\FRST
2015-03-17 12:08 - 2015-03-17 12:08 - 00000207 _____ () C:\Windows\tweaking.com-regbackup-QOSMIO-Windows-7-Home-Premium-(32-bit).dat
2015-03-17 12:07 - 2015-03-17 12:07 - 00000000 ____D () C:\RegBackup
2015-03-17 11:59 - 2015-03-17 11:59 - 00002185 _____ () C:\Users\Ray\Desktop\Tweaking.com - Registry Backup.lnk
2015-03-17 11:59 - 2015-03-17 11:59 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Tweaking.com
2015-03-17 11:59 - 2015-03-17 11:59 - 00000000 ____D () C:\Program Files\Tweaking.com
2015-03-14 19:03 - 2015-03-17 09:32 - 00000280 _____ () C:\Windows\setupact.log
2015-03-14 19:03 - 2015-03-14 19:03 - 00000000 _____ () C:\Windows\setuperr.log
2015-03-14 19:02 - 2015-03-15 10:01 - 00003270 _____ () C:\Windows\PFRO.log
2015-03-14 18:00 - 2015-03-14 18:00 - 00000000 ____D () C:\CrimeWatch
2015-03-14 16:51 - 2015-03-14 16:51 - 00000000 ____D () C:\Users\Ray\AppData\Local\CrimeWatch
2015-03-14 16:50 - 2015-03-14 16:50 - 00001028 _____ () C:\Users\Public\Desktop\VLC media player.lnk
2015-03-14 16:50 - 2015-03-14 16:50 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN
2015-03-14 16:50 - 2015-03-14 16:50 - 00000000 ____D () C:\Program Files\VideoLAN
2015-03-14 16:40 - 2015-03-14 16:40 - 00000000 ____D () C:\ProgramData\EFaeZP
2015-03-14 16:37 - 2015-03-14 16:37 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\omniboxes
2015-03-14 08:24 - 2015-03-14 08:24 - 00000000 ____D () C:\Users\Ray\Documents\TagsRevisited
2015-03-13 18:26 - 2015-02-24 13:32 - 00342696 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-03-13 18:26 - 2015-02-21 11:41 - 12827648 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-03-13 18:26 - 2015-02-21 11:27 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-03-13 18:26 - 2015-02-21 11:27 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-03-13 18:26 - 2015-02-21 10:32 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-03-13 18:26 - 2015-02-20 13:22 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-03-13 18:26 - 2015-02-20 13:22 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-03-13 18:26 - 2015-02-20 13:08 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-03-13 18:26 - 2015-02-20 13:08 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-03-13 18:26 - 2015-02-20 13:06 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-03-13 18:26 - 2015-02-20 13:03 - 02278400 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-03-13 18:26 - 2015-02-20 13:01 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-03-13 18:26 - 2015-02-20 13:00 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-03-13 18:26 - 2015-02-20 12:58 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-03-13 18:26 - 2015-02-20 12:56 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-03-13 18:26 - 2015-02-20 12:56 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-03-13 18:26 - 2015-02-20 12:56 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-03-13 18:26 - 2015-02-20 12:50 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-03-13 18:26 - 2015-02-20 12:41 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-03-13 18:26 - 2015-02-20 12:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-03-13 18:26 - 2015-02-20 12:24 - 02052608 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-03-13 18:26 - 2015-02-20 12:24 - 00689152 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-03-13 18:26 - 2015-02-20 12:24 - 00684544 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-03-13 18:26 - 2015-02-20 12:23 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-03-13 18:26 - 2015-02-20 12:01 - 01888256 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-03-13 18:26 - 2015-02-20 11:57 - 01311232 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-03-13 18:26 - 2015-02-20 11:55 - 00710144 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-03-13 18:25 - 2015-02-21 11:25 - 19720192 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-03-13 18:25 - 2015-02-20 13:09 - 00503296 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-03-13 18:25 - 2015-02-20 12:30 - 04300288 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-03-13 18:22 - 2015-02-13 16:26 - 12875264 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2015-03-13 18:22 - 2015-02-03 14:12 - 01230848 _____ (Microsoft Corporation) C:\Windows\system32\WindowsCodecs.dll
2015-03-13 18:22 - 2015-01-17 13:30 - 00828928 _____ (Microsoft Corporation) C:\Windows\system32\msctf.dll
2015-03-13 18:21 - 2015-02-26 14:11 - 02381312 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-03-13 18:17 - 2015-02-03 14:12 - 00171520 _____ (Microsoft Corporation) C:\Windows\system32\ubpm.dll
2015-03-13 18:16 - 2015-03-06 16:15 - 00137656 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-03-13 18:16 - 2015-03-06 16:15 - 00067512 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-03-13 18:16 - 2015-03-06 16:10 - 01061376 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-03-13 18:16 - 2015-03-06 16:10 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-03-13 18:16 - 2015-03-06 16:10 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-03-13 18:16 - 2015-03-06 16:10 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-03-13 18:16 - 2015-03-06 16:10 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-03-13 18:16 - 2015-03-06 16:10 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-03-13 18:16 - 2015-03-06 16:10 - 00100352 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-03-13 18:16 - 2015-03-06 16:10 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-03-13 18:16 - 2015-03-06 16:10 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-03-13 18:16 - 2015-03-06 16:10 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-03-13 18:16 - 2015-03-06 16:10 - 00015872 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-03-13 18:16 - 2015-03-06 16:09 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-03-13 18:16 - 2015-03-06 16:09 - 00022528 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-03-13 18:16 - 2015-03-06 16:07 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-03-13 18:16 - 2015-03-06 16:07 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-03-13 18:16 - 2015-03-06 16:06 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-03-13 18:16 - 2015-02-20 15:13 - 00070656 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2015-03-13 18:16 - 2015-02-20 15:13 - 00034304 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2015-03-13 18:16 - 2015-02-20 15:13 - 00026624 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2015-03-13 18:16 - 2015-02-20 15:13 - 00010240 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2015-03-13 18:16 - 2015-02-20 14:09 - 00299008 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2015-03-13 18:16 - 2015-02-04 13:54 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\WMPhoto.dll
2015-03-13 18:15 - 2015-02-03 14:16 - 03973048 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-03-13 18:15 - 2015-02-03 14:16 - 03917760 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-03-13 18:15 - 2015-02-03 14:16 - 00078784 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mountmgr.sys
2015-03-13 18:15 - 2015-02-03 14:12 - 11411968 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 03209728 _____ (Microsoft Corporation) C:\Windows\system32\mf.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 01329664 _____ (Microsoft Corporation) C:\Windows\system32\quartz.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 01174528 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 01005056 _____ (Microsoft Corporation) C:\Windows\system32\cryptui.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00988160 _____ (Microsoft Corporation) C:\Windows\system32\drmv2clt.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00744960 _____ (Microsoft Corporation) C:\Windows\system32\blackbox.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00617984 _____ (Microsoft Corporation) C:\Windows\system32\wmdrmsdk.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00519680 _____ (Microsoft Corporation) C:\Windows\system32\qdvd.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00504320 _____ (Microsoft Corporation) C:\Windows\system32\msscp.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00489984 _____ (Microsoft Corporation) C:\Windows\system32\evr.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00475136 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00406016 _____ (Microsoft Corporation) C:\Windows\system32\drmmgrtn.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00400896 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00354816 _____ (Microsoft Corporation) C:\Windows\system32\mfplat.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00275968 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00265216 _____ (Microsoft Corporation) C:\Windows\system32\msnetobj.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00179200 _____ (Microsoft Corporation) C:\Windows\system32\wintrust.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00157184 _____ (Microsoft Corporation) C:\Windows\system32\pcasvc.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00143872 _____ (Microsoft Corporation) C:\Windows\system32\cryptsvc.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00103936 _____ (Microsoft Corporation) C:\Windows\system32\cryptnet.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00103424 _____ (Microsoft Corporation) C:\Windows\system32\mfps.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\cryptsp.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00069632 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-03-13 18:15 - 2015-02-03 14:12 - 00050688 _____ (Microsoft Corporation) C:\Windows\system32\appidapi.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\setbcdlocale.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00038912 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\pcadm.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00027648 _____ (Microsoft Corporation) C:\Windows\system32\appidsvc.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00010752 _____ (Microsoft Corporation) C:\Windows\system32\msmmsp.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00008192 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2015-03-13 18:15 - 2015-02-03 14:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2015-03-13 18:15 - 2015-02-03 14:12 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2015-03-13 18:15 - 2015-02-03 14:11 - 12625408 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2015-03-13 18:15 - 2015-02-03 14:11 - 00262656 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-03-13 18:15 - 2015-02-03 14:11 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\audiodg.exe
2015-03-13 18:15 - 2015-02-03 14:11 - 00096768 _____ (Microsoft Corporation) C:\Windows\system32\appidpolicyconverter.exe
2015-03-13 18:15 - 2015-02-03 14:11 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\rrinstaller.exe
2015-03-13 18:15 - 2015-02-03 14:11 - 00023040 _____ (Microsoft Corporation) C:\Windows\system32\mfpmp.exe
2015-03-13 18:15 - 2015-02-03 14:11 - 00016896 _____ (Microsoft Corporation) C:\Windows\system32\appidcertstorecheck.exe
2015-03-13 18:15 - 2015-02-03 14:11 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\pcawrk.exe
2015-03-13 18:15 - 2015-02-03 14:11 - 00008192 _____ (Microsoft Corporation) C:\Windows\system32\pcalua.exe
2015-03-13 18:15 - 2015-02-03 14:10 - 00008704 _____ (Microsoft Corporation) C:\Windows\system32\pcaevts.dll
2015-03-13 18:15 - 2015-02-03 14:09 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\mferror.dll
2015-03-13 18:15 - 2015-02-03 14:08 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-03-13 18:15 - 2015-02-03 14:00 - 00593920 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\PEAuth.sys
2015-03-13 18:15 - 2015-02-03 13:26 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\appid.sys
2015-03-13 18:15 - 2015-01-31 10:56 - 00370488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2015-03-13 18:15 - 2014-11-01 09:22 - 00521384 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe
2015-03-13 18:15 - 2014-06-28 11:21 - 00455752 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe
2015-03-13 18:15 - 2014-06-28 11:21 - 00409272 _____ (Microsoft Corporation) C:\Windows\system32\ci.dll
2015-03-11 07:52 - 2015-03-11 07:52 - 00000000 ____D () C:\Program Files\Common Files\Lavasoft
2015-03-04 17:23 - 2015-03-14 18:24 - 00000000 ____D () C:\Users\Ray\Documents\CCleaner reg backup
2015-03-04 01:14 - 2015-03-04 01:14 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\InstallShield
2015-03-03 01:01 - 2015-03-03 01:01 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\LavasoftStatistics
2015-03-03 01:00 - 2015-03-03 01:00 - 00000000 ____D () C:\Users\Ray\AppData\Local\Lavasoft
2015-03-03 01:00 - 2015-02-23 13:03 - 00325944 _____ (Lavasoft Limited) C:\Windows\system32\LavasoftTcpService.dll
2015-03-03 00:55 - 2015-03-03 01:13 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Lavasoft
2015-03-03 00:53 - 2015-03-17 09:34 - 00002321 _____ () C:\Users\Public\Desktop\Ad-Aware Antivirus.lnk
2015-03-03 00:53 - 2015-03-11 08:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
2015-03-03 00:40 - 2015-03-03 00:58 - 00000000 ____D () C:\Program Files\Lavasoft
2015-03-03 00:29 - 2015-03-03 00:55 - 00000000 ____D () C:\ProgramData\Lavasoft
2015-03-02 23:50 - 2015-03-02 23:50 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Safer Networking
2015-03-02 21:53 - 2015-03-02 21:55 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Safer Networking
2015-03-02 21:53 - 2015-03-02 21:55 - 00000000 ____D () C:\Program Files\Safer Networking
2015-02-21 22:36 - 2015-03-14 17:57 - 00000969 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-02-21 22:36 - 2015-03-14 17:57 - 00000000 ____D () C:\Program Files\CCleaner
2015-02-21 22:36 - 2015-02-21 22:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2015-02-21 22:20 - 2015-02-24 22:16 - 00000000 __SHD () C:\Users\Ray\AppData\Local\EmieUserList
2015-02-21 22:20 - 2015-02-24 22:16 - 00000000 __SHD () C:\Users\Ray\AppData\Local\EmieBrowserModeList
2015-02-21 22:20 - 2015-02-21 22:31 - 00000000 __SHD () C:\Users\Ray\AppData\Local\EmieSiteList
2015-02-18 22:51 - 2015-02-18 22:51 - 00000000 ____D () C:\Users\Ray\Documents\ProcAlyzer Dumps
2015-02-18 22:32 - 2015-02-18 22:32 - 00002135 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-02-18 22:32 - 2015-02-18 22:32 - 00002123 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-02-18 22:32 - 2015-02-18 22:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-02-18 22:31 - 2015-02-22 13:21 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-02-18 22:31 - 2015-02-19 22:24 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2015-02-18 22:31 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2015-02-17 23:15 - 2015-02-28 17:03 - 00000000 ____D () C:\ProgramData\Sophos
2015-02-17 23:12 - 2015-03-17 11:00 - 00000000 ____D () C:\Users\Ray\Documents\VViruuus info
2015-02-17 20:45 - 2015-03-17 11:17 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-17 16:04 - 2015-02-17 16:04 - 01202848 _____ (Microsoft Corporation) C:\Windows\system32\FM20.DLL
2015-02-16 12:12 - 2015-02-16 12:17 - 00000000 ____D () C:\AdwCleaner
2015-02-16 00:47 - 2015-02-17 01:42 - 00000508 _____ () C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\msn, with Outlook.com, Skype, and news.website
2015-02-15 19:07 - 2015-03-01 13:16 - 00000000 ____D () C:\Windows\pss
2015-02-15 16:06 - 2015-02-19 23:21 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\6642AC94-1424016394-DD11-A354-001EEC3FD11F

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-03-17 11:38 - 2013-11-23 23:37 - 00000000 ____D () C:\Program Files\KEEPASS
2015-03-17 11:05 - 2013-11-11 15:55 - 01736856 _____ () C:\Windows\WindowsUpdate.log
2015-03-17 09:41 - 2009-07-14 15:34 - 00021888 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-17 09:41 - 2009-07-14 15:34 - 00021888 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-17 09:38 - 2010-11-21 08:01 - 00730320 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-03-17 09:32 - 2009-07-14 15:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-03-16 13:24 - 2009-07-14 15:53 - 00032574 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-03-15 13:03 - 2013-11-10 23:28 - 00000000 ____D () C:\Plus19
2015-03-15 10:03 - 2013-11-10 23:00 - 00000204 _____ () C:\Windows\MYOBP.INI
2015-03-15 10:03 - 2013-11-10 23:00 - 00000039 _____ () C:\Windows\MYOB.INI
2015-03-14 19:30 - 2009-07-14 13:37 - 00000000 ____D () C:\Windows\rescache
2015-03-14 18:53 - 2014-11-11 02:45 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-03-14 17:47 - 2013-11-27 22:42 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\vlc
2015-03-14 16:37 - 2013-11-10 20:58 - 00001306 _____ () C:\Users\Ray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-03-14 16:31 - 2009-07-14 13:37 - 00000000 ____D () C:\Windows\Resources
2015-03-14 16:12 - 2015-02-09 12:34 - 00001515 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-03-14 16:11 - 2013-11-18 23:19 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Audacity
2015-03-14 08:45 - 2009-07-14 15:33 - 00406048 _____ () C:\Windows\system32\FNTCACHE.DAT
2015-03-14 08:16 - 2013-11-12 23:59 - 00000000 ____D () C:\ProgramData\Microsoft Help
2015-03-13 21:11 - 2013-11-12 23:34 - 00000000 ____D () C:\Users\Ray\Documents\Netbank receipts Bank Statements
2015-03-09 20:20 - 2013-01-12 16:18 - 00000000 _____ () C:\sparkraw.log
2015-03-09 20:04 - 2013-11-19 11:29 - 00000000 ____D () C:\Users\Ray\Documents\SEA RAY INVOICES
2015-03-04 17:20 - 2014-08-17 18:47 - 00000000 ____D () C:\Windows\Minidump
2015-03-04 17:12 - 2013-11-27 22:23 - 00000000 ____D () C:\Users\Ray\AppData\Local\iLivid
2015-03-04 01:15 - 2015-01-04 00:19 - 00000000 ____D () C:\ProgramData\TOSHIBA
2015-03-04 01:15 - 2015-01-03 21:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TOSHIBA
2015-03-04 01:15 - 2015-01-03 21:41 - 00000000 ____D () C:\Program Files\Toshiba
2015-03-04 01:15 - 2013-11-10 23:29 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2015-03-04 00:16 - 2013-11-10 22:02 - 00246920 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2015-02-28 13:19 - 2014-11-16 18:21 - 00001037 _____ () C:\Users\Public\Desktop\Recoveryer Ultimate Edition.lnk
2015-02-28 13:19 - 2014-11-16 18:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Recoveryer Ultimate Edition
2015-02-28 13:19 - 2014-11-16 18:21 - 00000000 ____D () C:\Program Files\Recoveryer Ultimate Edition
2015-02-27 23:15 - 2014-09-14 17:38 - 00007667 _____ () C:\Users\Ray\AppData\Local\Resmon.ResmonCfg
2015-02-27 21:38 - 2009-07-14 13:37 - 00000000 ____D () C:\Windows\system32\NDF
2015-02-24 09:02 - 2014-10-31 09:18 - 00000000 ____D () C:\Users\Ray\Documents\ABORIGINAL INFORATION
2015-02-22 10:54 - 2014-05-17 20:19 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\Skype
2015-02-22 10:54 - 2013-12-04 00:07 - 00000000 ____D () C:\Users\Ray\Documents\SEA RAY DOCS
2015-02-21 22:50 - 2013-11-11 15:38 - 00000000 ____D () C:\Windows\Panther
2015-02-20 01:16 - 2014-11-11 02:19 - 00000000 ____D () C:\Program Files\Registry Easy
2015-02-18 00:08 - 2013-11-10 20:58 - 00000000 ____D () C:\Users\Ray
2015-02-17 21:24 - 2013-11-11 13:10 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-02-17 21:24 - 2013-11-11 13:10 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-02-17 20:54 - 2013-12-10 23:30 - 00000000 ____D () C:\Users\Ray\Documents\Movie Studio Platinum 12.0 Projects
2015-02-17 20:26 - 2014-01-19 10:06 - 00000000 ____D () C:\Program Files\Google
2015-02-16 12:40 - 2014-01-19 10:06 - 00000000 ____D () C:\Users\Ray\AppData\Local\Google

==================== Files in the root of some directories =======

2014-09-22 12:46 - 2014-09-22 12:46 - 0004454 _____ () C:\Users\Ray\AppData\Local\recently-used.xbel
2014-09-14 17:38 - 2015-02-27 23:15 - 0007667 _____ () C:\Users\Ray\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-03-15 10:33

==================== End Of Log ============================
aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
Run date: 2015-03-17 12:19:14
-----------------------------
12:19:14.016 OS Version: Windows 6.1.7601 Service Pack 1
12:19:14.016 Number of processors: 2 586 0x1706
12:19:14.018 ComputerName: QOSMIO UserName: Ray
12:19:18.741 Initialize success
12:19:18.787 VM: initialized successfully
12:19:18.788 VM: Intel CPU virtualization not supported
12:48:43.023 The log file has been saved successfully to "C:\Users\Ray\Desktop\aswMBR.txt"
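A small triage helper for FRST listings like the ones above, added here as an example and not FRST's own code or anything posted in this thread: it parses the file/folder and service line formats FRST prints and flags what a helper looks at first (unsigned executables and drivers, executables or GUID-like folder names under a user profile, hidden/system attributes there). The sample lines are copied from this thread's logs and fixlist; the flagging rules are the example's own heuristics.

```python
"""Triage of FRST log lines (added example; not FRST's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# File/folder line as FRST prints it in its "Files and Folders" sections:
#   <created> - <modified> - <size> <attrs> (<signer>) <path>
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"\((?P<signer>[^)]*)\) (?P<path>.+)$"
)
# Service/driver line as FRST prints it (start type, name, path, [size date], (signer)),
# e.g.  R2 name; C:\path\file.exe [127488 2015-02-16] () [File not signed]
# The R/S/U start-type prefix is an assumption from the lines seen in this thread.
SERVICE_RE = re.compile(
    r"^(?P<start>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)"
)
# Hyphen-separated hex groups (e.g. 6642AC94-1424016394-DD11-A354-001EEC3FD11F):
# random-looking folder names of this shape under AppData deserve a closer look.
HEX_GROUPS_RE = re.compile(r"^[0-9A-Fa-f]+(?:-[0-9A-Fa-f]+){3,}$")
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx"}


@dataclass
class Entry:
    kind: str      # "file" or "service"
    path: str
    size: int
    attrs: str     # FRST attribute flags, e.g. "__SHD"; empty for service lines
    signer: str    # publisher from the signature; "" when FRST prints "()"


def parse_frst(text: str) -> list[Entry]:
    """Parse the lines of an FRST log that describe files or services; skip the rest."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            entries.append(Entry("file", m["path"], int(m["size"]), m["attrs"], m["signer"]))
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry("service", m["path"], int(m["size"]), "", m["signer"]))
    return entries


def triage(entry: Entry) -> list[str]:
    """Return the reasons an entry deserves a second look (empty list = nothing flagged)."""
    reasons: list[str] = []
    lowered = entry.path.lower()
    name = lowered.rsplit("\\", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    is_exec = ext in EXEC_EXTENSIONS
    in_profile = "\\users\\" in lowered and "\\appdata\\" in lowered
    if is_exec and entry.signer == "":
        reasons.append("unsigned kernel driver" if ext == ".sys" else "unsigned executable")
    if in_profile and is_exec:
        reasons.append("executable under user profile")
    if in_profile and any(len(c) >= 20 and HEX_GROUPS_RE.match(c)
                          for c in entry.path.split("\\")):
        reasons.append("GUID-like folder name in user profile")
    if in_profile and ("H" in entry.attrs or "S" in entry.attrs):
        reasons.append("hidden/system attribute in user profile")
    return reasons


def suspicious(text: str) -> dict[str, list[str]]:
    """Map each flagged path in an FRST log to the reasons it was flagged."""
    flagged: dict[str, list[str]] = {}
    for entry in parse_frst(text):
        reasons = triage(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


# Constructed sample: lines copied from the FRST log and fixlist in this thread.
SAMPLE_LOG = "\n".join([
    r"2015-02-18 22:31 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe",
    r"2015-02-17 16:04 - 2015-02-17 16:04 - 01202848 _____ (Microsoft Corporation) C:\Windows\system32\FM20.DLL",
    r"2015-02-21 22:20 - 2015-02-24 22:16 - 00000000 __SHD () C:\Users\Ray\AppData\Local\EmieUserList",
    r"2015-02-15 16:06 - 2015-02-19 23:21 - 00000000 ____D () C:\Users\Ray\AppData\Roaming\6642AC94-1424016394-DD11-A354-001EEC3FD11F",
    r"R2 serverjo; C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe [127488 2015-02-16] () [File not signed]",
    r"S3 RkHit; C:\Windows\system32\drivers\RKHit.sys [34736 2010-12-28] ()",
    "==================== End Of Log ============================",
])

if __name__ == "__main__":
    for path, reasons in suspicious(SAMPLE_LOG).items():
        print(f"{path}\n    -> {', '.join(reasons)}")
```

A flag is a prompt to check the file (publisher, hash, how it got there), not a verdict; signed files from a known publisher pass silently on purpose.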
 
Bandoo Media
Please look for the above in your add/remove programs list. If found please uninstall/delete.
~~~~~~~~~~~~~~

Ad-Aware Antivirus and Microsoft Security Essentials?
Having more than one antivirus on your computer will cause a problem. Please uninstall one of your choice.

~~~~~~~~~~~~~~~~~~~~~~~~~
Please follow this tutorial to show all files and folders
http://www.bleepingcomputer.com/tutorials/show-hidden-files-in-windows-7/

Please go to one of the below sites to scan the following files:
Virus Total (Recommended)
jotti.org
VirScan
click on Browse, and upload the following file for analysis:

C:\Windows\system32\drivers\RKHit.sys


Then click Submit. Allow the file to be scanned, and then please copy and paste the results link (for Virus Total) here for me to see.
If it says already scanned -- click "reanalyze now"
Please post the results in your next reply.

~~~~
We will need to download Farbar Recovery Scan Tool again.
You ran it from a temp folder, which won't allow us to do anything from there.

Running from C:\Users\Ray\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J0W30TEX



- Save ALL Tools to your Desktop-

All tools that I have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
Google Chrome - Click the "Customize and control Google Chrome" button in the upper right corner of the browser.
Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

Mozilla Firefox - Click the "Open Menu" button in the upper right corner of the browser.
Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

Internet Explorer - Click the Tools menu in the upper right corner of the browser.
Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop, then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

~~~~~~~~~~~
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
Don't run scan or other options for now, just need it on desktop to run the script.

NEXT

Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below:
To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).





start
CloseProcesses:
C:\Users\Ray\AppData\Local\iLivid
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\Run: [iLivid] => C:\Users\Ray\AppData\Local\iLivid\iLivid.exe [6827008 2013-09-09] (Bandoo Media Inc.)
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Extension: No Name - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
2015-03-04 17:12 - 2013-11-27 22:23 - 00000000 ____D () C:\Users\Ray\AppData\Local\iLivid
R2 serverjo; C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe [127488 2015-02-16] () [File not signed]
C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe
EmptyTemp:
Hosts:
End

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

~~~~~~~~~~~~~~~~

Please remove any usb or external drives from the computer before you run this scan!


Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Download RogueKiller to your desktop.

  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start and, when prompted, allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.

Please post:
file requested scanned
Fixlog.txt
RogueKiller
 
Virustotal copy



SHA256: 68d49671e0d34960ac99a92f74cebffe51007458f1098c0e6dd6ae774d1b8d5f
File name: RKHit.sys
Detection ratio: 10 / 57
Analysis date: 2015-03-24 10:43:03 UTC ( 24 minutes ago )

Antivirus             Result ("-" = no detection reported)   Update
Agnitum               PUA.SpywareCease!                20150322
Antiy-AVL             Trojan/Win32.TSGeneric           20150324
ByteHero              Trojan.Win32.Native.Heur.Gen     20150324
ClamAV                Trojan.Rootkit-2922              20150324
Comodo                UnclassifiedMalware              20150324
DrWeb                 Trojan.Fakealert.20721           20150324
ESET-NOD32            Win32/Adware.SpywareCease        20150324
Fortinet              Riskware/PUP_z                   20150324
NANO-Antivirus        Trojan.Win32.Fakealert.deefof    20150324
Zillya                Trojan.FakeAV.Win32.59154        20150323
ALYac                 -                                20150324
AVG                   -                                20150324
AVware                -                                20150324
Ad-Aware              -                                20150324
AegisLab              -                                20150324
AhnLab-V3             -                                20150324
Alibaba               -                                20150324
Avast                 -                                20150324
Avira                 -                                20150324
Baidu-International   -                                20150324
BitDefender           -                                20150324
Bkav                  -                                20150323
CAT-QuickHeal         -                                20150324
CMC                   -                                20150324
Cyren                 -                                20150324
Emsisoft              -                                20150324
F-Prot                -                                20150324
F-Secure              -                                20150324
GData                 -                                20150324
Ikarus                -                                20150324
Jiangmin              -                                20150323
K7AntiVirus           -                                20150324
K7GW                  -                                20150324
Kaspersky             -                                20150324
Kingsoft              -                                20150324
Malwarebytes          -                                20150324
McAfee                -                                20150324
McAfee-GW-Edition     -                                20150323
MicroWorld-eScan      -                                20150324
Microsoft             -                                20150324
Norman                -                                20150324
Panda                 -                                20150323
Qihoo-360             -                                20150324
Rising                -                                20150323
SUPERAntiSpyware      -                                20150323
Sophos                -                                20150324
Symantec              -                                20150324
Tencent               -                                20150324
TheHacker             -                                20150323
TotalDefense          -                                20150324
TrendMicro            -                                20150324
TrendMicro-HouseCall  -                                20150324
VBA32                 -                                20150322
VIPRE                 -                                20150324
ViRobot               -                                20150324
Zoner                 -                                20150323
nProtect              -                                20150324
 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by Ray at 2015-03-24 22:36:24 Run:1
Running from C:\Users\Ray\Desktop
Loaded Profiles: Ray (Available profiles: Ray)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
C:\Users\Ray\AppData\Local\iLivid
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\...\Run: [iLivid] => C:\Users\Ray\AppData\Local\iLivid\iLivid.exe [6827008 2013-09-09] (Bandoo Media Inc.)
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Extension: No Name - C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
2015-03-04 17:12 - 2013-11-27 22:23 - 00000000 ____D () C:\Users\Ray\AppData\Local\iLivid
R2 serverjo; C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe [127488 2015-02-16] () [File not signed]
C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe
EmptyTemp:
Hosts:
End
*****************

Processes closed successfully.
C:\Users\Ray\AppData\Local\iLivid => Moved successfully.
HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\Software\Microsoft\Windows\CurrentVersion\Run\\iLivid => value deleted successfully.
"HKU\S-1-5-21-2577715357-3074203239-3946342261-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => Value was restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => Value was restored successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} => not found.
"C:\Users\Ray\AppData\Local\iLivid" => File/Directory not found.
serverjo => Service not found.
"C:\Users\Kevin\AppData\Roaming\29AD3C80-1424083001-81E2-25E5-50465DE8C0E7\JOSrv.exe" => File/Directory not found.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 424.8 MB temporary data.


The system needed a reboot.

==== End of Fixlog 22:36:40 ====
 
Roguekiller



RogueKiller V10.5.7.0 [Mar 22 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Ray [Administrator]
Started from : C:\Users\Ray\Desktop\RogueKiller.exe
Mode : Scan -- Date : 03/24/2015 23:14:02

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 7 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B} ("C:\Program Files\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe") -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-2577715357-3074203239-3946342261-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://securedsearch.lavasoft.com/?pr=vmn&id=webcompa&ent=hp_WCYID10088_cnet_150302 -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-2577715357-3074203239-3946342261-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-2577715357-3074203239-3946342261-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] 3er9z533.default : user_pref("browser.startup.homepage", "http://securedsearch.lavasoft.com/?pr=vmn&id=webcompa&ent=hp_WCYID10088_cnet_150302"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: LZT-128 ATA Device +++++
--- User ---
[MBR] 89459c5d4166289a81c8f79185aa802e
[BSP] 6c769be858a831c3a74394258cf29801 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 122002 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
Sorry, this is all a mess all over the place, but all the reports are there


Sorry, this is all a mess all over the place, but all the reports you requested are there amongst what you wrote as instructions. I don't know how to get a clean page. Ray
 
No problem.

I have an errand to run, be back in a couple of hours to sort this all out.
 
Did you remove Bandoo Media from add/remove programs list?


Please open Notepad (*Do Not Use Wordpad!* or any other text editor than Notepad, or the script will fail): Start -> Run -> type notepad in the Open field -> OK. Then copy and paste the text present inside the quote box below:
To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad and save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

start
CreateRestorePoint:
CloseProcesses:
S3 RkHit; C:\Windows\system32\drivers\RKHit.sys [34736 2010-12-28] ()
End

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


~~~~~~~~~~~~~~~~~~~~

What we can do now is run an online scan with ESET; for the time being it is our most trusted scanner.
Most reliable and thorough.
The settings I suggest will show us items located in quarantine folders, so don't be alarmed by this; also, in case of a false positive, I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course on how full your computer is.


ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.


Please run a free online scan with the ESET Online Scanner

US Link: http://www.eset.com/us/online-scanner/
EU Link: http://www.eset.eu/online-scanner/

Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut, and select Run as Administrator
Note: For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click the blue Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
  • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Under "Current Scan Targets" > click "change" and ensure all your drives are selected
  • Click Start
  • Wait for the scan to finish
  • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
  • Save that text file on your desktop. Attach the log to your next reply.
  • Close the ESET online scan, and let me know how things are now.


Please post these 2 logs when finished.

How is your computer now?
 
Hi Juliet, I replied to this, so how can I read my reply? I'm lost! lol

Hi Juliet, I replied to this already, so how can I read my reply? I'm lost! lol. Do I delete all this stuff above for a fresh clean page? Put this reply message at the beginning or end of the page? Thanks, Juliet
 
If you had posted the results to the last instructions, I'm not seeing them.
The last one was to remove the file I asked to have scanned at VirusTotal, and to run the ESET online scan?

When you want to post your logs, please click on the reply button located at the left bottom of the page instead of reply with quote.
 
Fixlog + Eset scan result; thanks for your patience

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by Ray at 2015-03-29 12:10:11 Run:2
Running from C:\Users\Ray\Desktop
Loaded Profiles: Ray (Available profiles: Ray)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
S3 RkHit; C:\Windows\system32\drivers\RKHit.sys [34736 2010-12-28] ()
End
*****************

Restore point was successfully created.
Processes closed successfully.
RkHit => Service deleted successfully.


The system needed a reboot.

==== End of Fixlog 12:10:18 ====

------------------------------------------------------------------------------------------------------------------------------------------------

C:\FRST\Quarantine\C\Users\Ray\AppData\Local\iLivid\Uninstall.exe a variant of Win32/Toolbar.SearchSuite.G potentially unwanted application
C:\Program Files\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftLSPInstaller.exe a variant of Win32/Komodia.A potentially unsafe application
C:\Program Files\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.dll a variant of Win32/Komodia.A potentially unsafe application
C:\Program Files\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe a variant of Win32/Komodia.A potentially unsafe application
C:\Program Files\Registry Easy\RECleaner.exe a variant of Win32/Adware.RegistryEasy application
C:\Program Files\Registry Easy\Recoveryer.dll Win32/Adware.RegistryEasy application
C:\Program Files\Registry Easy\RegEasyUpdate.exe Win32/Adware.RegistryEasy application
C:\Program FilesFormatFactory\FFModules\Package\Ask\AskPIP_FF_.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
C:\ProgramData\EFaeZP\fkhHTPTK.exe a variant of MSIL/Adware.PullUpdate.N.gen application
C:\ProgramData\EFaeZP\dat\bQqzKCsHX.exe a variant of MSIL/Adware.PullUpdate.N.gen application
C:\Users\All Users\EFaeZP\fkhHTPTK.exe a variant of MSIL/Adware.PullUpdate.N.gen application
C:\Users\All Users\EFaeZP\dat\bQqzKCsHX.exe a variant of MSIL/Adware.PullUpdate.N.gen application
C:\Users\Ray\Favorites\Downloads\cbsidlm-cbsi188-FormatFactory-BP-10968547.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Users\Ray\Favorites\Downloads\RegistryEasy_Setup.exe a variant of Win32/Adware.RegistryEasy application
C:\Windows\Installer\1583720.msi a variant of Win32/Komodia.A potentially unsafe application
C:\Windows\System32\LavasoftTcpService.dll a variant of Win32/Komodia.A potentially unsafe application
C:\Windows\System32\drivers\RKHit.sys Win32/Adware.SpywareCease application
Operating memory a variant of Win32/Komodia.A potentially unsafe application
 
Did you uninstall one of the antivirus programs off your computer?

Please open Notepad (*Do Not Use WordPad!* or any other text editor than Notepad, or the script will fail). (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this, highlight the contents of the box, right click on it and select Copy.
Paste this into the open Notepad. Save it to the Desktop as fixlist.txt.
NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

start
CloseProcesses:
C:\Program Files\Registry Easy\RECleaner.exe
C:\Program Files\Registry Easy\Recoveryer.dll
C:\Program Files\Registry Easy\RegEasyUpdate.exe
C:\Program FilesFormatFactory\FFModules\Package\Ask\AskPIP_FF_.exe
C:\ProgramData\EFaeZP
C:\Users\Ray\Favorites\Downloads\cbsidlm-cbsi188-FormatFactory-BP-10968547.exe
C:\Users\Ray\Favorites\Downloads\RegistryEasy_Setup.exe
C:\Windows\Installer\1583720.msi
C:\Windows\System32\drivers\RKHit.sys
End

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

How is your computer now?
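The fix procedure above moves each listed file or folder to FRST's quarantine and deletes listed services; the Fixlog only reports what FRST did, not what is left. The following script is an added example, not part of this thread or of FRST itself: it re-reads a fixlist in the format shown above ("start"/"End" block, one path per line, driver lines like "S3 RkHit; C:\...\RKHit.sys [size date] ()") and checks that every entry is gone from its original location, that any deleted service has no registry key left, and that a quarantined copy exists. The quarantine layout (C:\FRST\Quarantine\<drive letter>\<original path>) is taken from the ESET result above; the Desktop location of fixlist.txt is the one the instructions use. Written for Windows PowerShell 2.0 and later, run as administrator.

```powershell
# Added example (not from the thread): re-check an FRST fixlist after the fix
# has run. Assumes the fixlist format used in this thread and the
# C:\FRST\Quarantine\<drive letter>\<original path> layout seen in the ESET log.
# Windows PowerShell 2.0+, run as administrator.

$FixlistPath   = Join-Path $env:USERPROFILE 'Desktop\fixlist.txt'
$QuarantineDir = 'C:\FRST\Quarantine'

function Get-FixlistEntry {
    param([string]$Path)
    Get-Content -Path $Path | ForEach-Object {
        $line = $_.Trim()
        if ($line -match '^([SR]\d+)\s+([^;]+);\s*(.+?)\s+\[') {
            # Service/driver line: "<start type> <name>; <image path> [size date] (company)"
            New-Object PSObject -Property @{ Kind = 'Service'; Name = $Matches[2].Trim(); Path = $Matches[3] }
        }
        elseif ($line -match '^[A-Za-z]:\\') {
            # Plain file or folder path
            New-Object PSObject -Property @{ Kind = 'Path'; Name = $line; Path = $line }
        }
        # "start", "End", "CloseProcesses:" and other directives are skipped
    }
}

function Test-FixlistEntry {
    param($Entry)
    # C:\Users\Ray\... becomes C:\FRST\Quarantine\C\Users\Ray\...
    $quarantined = Join-Path $QuarantineDir ($Entry.Path -replace ':', '')
    $props = @{
        Kind        = $Entry.Kind
        Name        = $Entry.Name
        StillOnDisk = Test-Path -LiteralPath $Entry.Path
        Quarantined = Test-Path -LiteralPath $quarantined
    }
    if ($Entry.Kind -eq 'Service') {
        # A deleted service must also be gone from the registry, or it comes back on reboot
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($Entry.Name)"
        $props.ServiceKeyPresent = Test-Path $svcKey
    }
    New-Object PSObject -Property $props
}

$results = Get-FixlistEntry -Path $FixlistPath | ForEach-Object { Test-FixlistEntry $_ }
$results | Format-Table Kind, Name, StillOnDisk, Quarantined, ServiceKeyPresent -AutoSize

$leftovers = $results | Where-Object { $_.StillOnDisk -or $_.ServiceKeyPresent }
if ($leftovers) {
    Write-Warning ("{0} fixlist entries are still present; post the list in the thread rather than removing them by hand." -f @($leftovers).Count)
} else {
    Write-Host 'All fixlist entries are gone from their original locations.'
}
```

Two caveats a practitioner would expect: the quarantine folder is deliberately kept so the helper can restore a false positive, which is why ESET above flags a file under C:\FRST\Quarantine; leave it until the thread is closed. And "StillOnDisk" false for a folder such as C:\ProgramData\EFaeZP does not prove the adware is gone, only that this path is; the scheduled tasks, services and browser settings that load it are separate entries, which is why a fresh FRST scan is requested after every fix.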
 
Did you uninstall one of the antivirus programs off your computer? YES. Thank you, Jul.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 11-03-2015
Ran by Ray at 2015-04-01 00:54:22 Run:3
Running from C:\Users\Ray\Desktop
Loaded Profiles: Ray (Available profiles: Ray)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CloseProcesses:
C:\Program Files\Registry Easy\RECleaner.exe
C:\Program Files\Registry Easy\Recoveryer.dll
C:\Program Files\Registry Easy\RegEasyUpdate.exe
C:\Program FilesFormatFactory\FFModules\Package\Ask\AskPIP_FF_.exe
C:\ProgramData\EFaeZP
C:\Users\Ray\Favorites\Downloads\cbsidlm-cbsi188-FormatFactory-BP-10968547.exe
C:\Users\Ray\Favorites\Downloads\RegistryEasy_Setup.exe
C:\Windows\Installer\1583720.msi
C:\Windows\System32\drivers\RKHit.sys
End
*****************

Processes closed successfully.
C:\Program Files\Registry Easy\RECleaner.exe => Moved successfully.
C:\Program Files\Registry Easy\Recoveryer.dll => Moved successfully.
C:\Program Files\Registry Easy\RegEasyUpdate.exe => Moved successfully.
C:\Program FilesFormatFactory\FFModules\Package\Ask\AskPIP_FF_.exe => Moved successfully.
C:\ProgramData\EFaeZP => Moved successfully.
C:\Users\Ray\Favorites\Downloads\cbsidlm-cbsi188-FormatFactory-BP-10968547.exe => Moved successfully.
C:\Users\Ray\Favorites\Downloads\RegistryEasy_Setup.exe => Moved successfully.
C:\Windows\Installer\1583720.msi => Moved successfully.
C:\Windows\System32\drivers\RKHit.sys => Moved successfully.


The system needed a reboot.

==== End of Fixlog 00:54:23 ====

------------------------------------------------------------------------------------------------------------------------------------------------

RogueKiller V10.5.7.0 [Mar 22 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : Ray [Administrator]
Started from : C:\Users\Ray\Desktop\RogueKiller.exe
Mode : Scan -- Date : 04/01/2015 01:11:25

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 7 ¤¤¤
[PUP] HKEY_CLASSES_ROOT\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B} ("C:\Program Files\Lavasoft\Web Companion\TcpService\2.3.3.0\LavasoftTcpService.exe") -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-2577715357-3074203239-3946342261-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://securedsearch.lavasoft.com/?pr=vmn&id=webcompa&ent=hp_WCYID10088_cnet_150302 -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-2577715357-3074203239-3946342261-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] HKEY_USERS\S-1-5-21-2577715357-3074203239-3946342261-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 9 (Driver: Loaded) ¤¤¤
[IAT:Inl(Hook.IEAT)] (explorer.exe) kernel32.dll - CreateProcessW : C:\Program Files\Spybot - Search & Destroy 2\SDHook32.dll @ 0x65923310 (jmp 0xfffffffff3eb32da)
[IAT:Inl(Hook.IEAT)] (explorer.exe) kernel32.dll - CreateProcessA : C:\Program Files\Spybot - Search & Destroy 2\SDHook32.dll @ 0x659231a0 (jmp 0xfffffffff3e4316a)
[IAT:Inl(Hook.IEAT)] (explorer.exe) ADVAPI32.dll - CreateProcessWithLogonW : C:\Program Files\Spybot - Search & Destroy 2\SDHook32.dll @ 0x659237a0 (jmp 0xfffffffff3f1376a)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW : C:\Program Files\Spybot - Search & Destroy 2\SDHook32.dll @ 0x65923310 (jmp 0xfffffffff3ea32da)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessA : C:\Program Files\Spybot - Search & Destroy 2\SDHook32.dll @ 0x659231a0 (jmp 0xfffffffff3e3316a)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) advapi32.DLL - CreateProcessWithLogonW : C:\Program Files\Spybot - Search & Destroy 2\SDHook32.dll @ 0x659237a0 (jmp 0xfffffffff3f0376a)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessW : C:\Program Files\Spybot - Search & Destroy 2\SDHook32.dll @ 0x65923310 (jmp 0xfffffffff3ea32da)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) kernel32.dll - CreateProcessA : C:\Program Files\Spybot - Search & Destroy 2\SDHook32.dll @ 0x659231a0 (jmp 0xfffffffff3e3316a)
[IAT:Inl(Hook.IEAT)] (iexplore.exe) advapi32.DLL - CreateProcessWithLogonW : C:\Program Files\Spybot - Search & Destroy 2\SDHook32.dll @ 0x659237a0 (jmp 0xfffffffff3f0376a)

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][FIREFX:Config] 3er9z533.default : user_pref("browser.startup.homepage", "http://securedsearch.lavasoft.com/?pr=vmn&id=webcompa&ent=hp_WCYID10088_cnet_150302"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: LZT-128 ATA Device +++++
--- User ---
[MBR] 89459c5d4166289a81c8f79185aa802e
[BSP] 6c769be858a831c3a74394258cf29801 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 122002 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_03242015_231402.log
 
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus

Ad-Aware Antivirus and Microsoft Security Essentials?
Having more than one antivirus on your computer will cause problems. Please uninstall one of your choice.

Also, please tell me what the computer is doing now?
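Three things in the logs above deserve a check that the thread's tools do not spell out: the helper's question about two antivirus products being installed, RogueKiller's "[PUM.Policies] ... ConsentPromptBehaviorAdmin : 0" line, which means UAC elevates administrators without any prompt, and the LavasoftTcpService.dll in System32 that ESET flagged as Win32/Komodia.A but which is not in the fixlist (Komodia's Redirector SDK installs as a Winsock layered service provider, so removing the files alone leaves a dangling catalog entry). The script below is an added example, not part of this thread or of any of the tools in it. It assumes Windows PowerShell 2.0 or later, run as administrator on a client SKU (the root\SecurityCenter2 namespace does not exist on Windows Server), and the productState decoding it uses is the widely used community one, not an officially documented format.

```powershell
# Added example, not part of the thread: post-cleanup checks for
# (1) antivirus products registered with Windows Security Center,
# (2) the UAC admin prompt setting RogueKiller flagged, and
# (3) Winsock catalog entries still pointing at the Komodia-flagged DLL.
# Windows PowerShell 2.0+, run as administrator on a Windows client SKU.

# (1) Registered antivirus products. The productState decoding is the common
#     community one (assumption): middle byte 0x10 = real-time protection on,
#     low byte 0x00 = definitions current.
function Get-RegisteredAntivirus {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct | ForEach-Object {
        $state = '{0:x6}' -f $_.productState
        New-Object PSObject -Property @{
            Product  = $_.displayName
            Enabled  = ($state.Substring(2, 2) -eq '10')
            UpToDate = ($state.Substring(4, 2) -eq '00')
            Exe      = $_.pathToSignedProductExe
        }
    }
}

# (2) UAC policy. ConsentPromptBehaviorAdmin 0 = elevate silently,
#     5 = Windows 7 default (prompt for consent for non-Windows binaries).
#     EnableLUA 0 means UAC is switched off entirely.
function Get-UacPolicy {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        SilentElevation            = ($p.EnableLUA -eq 0 -or $p.ConsentPromptBehaviorAdmin -eq 0)
    }
}

# (3) Winsock catalog lines that reference a DLL. A leftover LSP entry is loaded
#     into every networking process; if its DLL has been deleted, connections fail.
function Get-WinsockEntry {
    param([string]$DllName)
    (netsh winsock show catalog) | Where-Object { $_ -match [regex]::Escape($DllName) }
}

Get-RegisteredAntivirus | Format-Table Product, Enabled, UpToDate, Exe -AutoSize
Get-UacPolicy | Format-List

$lsp = Get-WinsockEntry -DllName 'LavasoftTcpService.dll'
if ($lsp) {
    Write-Warning ("LavasoftTcpService.dll is still in the Winsock catalog:`n" + ($lsp -join "`n"))
} else {
    Write-Host 'No LavasoftTcpService.dll entries in the Winsock catalog.'
}
```

If the Winsock check reports a leftover entry after Web Companion has been uninstalled, "netsh winsock reset" followed by a reboot rebuilds the catalog; do that only once the helper agrees, since it also drops any legitimate third-party LSPs. Two enabled products in the first table is exactly the situation the helper is asking about, and a ConsentPromptBehaviorAdmin of 0 should be put back to 5 before the machine is considered clean, because it lets any process running as the admin user elevate without the user seeing a prompt.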
 
Hi (Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

removed this last week (Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe

cheers thank you
 
How is the computer now?

Let's run one more FRST scan to see if all traces of MSE are gone.


  • Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
 