Infected with Malware from France

annvrolijk · May 17, 2014

Hi

This is the first time I have tried to fix malware myself. I read the instructions and hope I have provided everything required.
Please note the scan I have just performed seems to indicate there are no problems. BUT it is also a different display to the first scan. Does this mean Spybot has removed the Malware?

I was on an unsecured network, as usual. A pop up window came onto the webpage I was viewing. It was in French but obviously without a cancel, only a submit button. I pressed this (stupid) and went to another screen without an exit possibility.

Steps taken and the results:

1. Ran Skybot Search and Destroy 2.2. The results appear to have been saved but I searched my computer (all drives) and cannot find them. I did take and image which is attached named "Spybot 2014-05-15.JPG

2. Downloaded and ran ERUNT. Successful

3. Downloaded and ran DDS - successful. Surely this would be better attached?
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.16521 BrowserJavaVersion: 10.45.2
Run by Ann at 18:26:49 on 2014-05-17
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.1790.926 [GMT 2:00]
.
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
C:\Program Files\Google\Update\1.3.23.9\GoogleCrashHandler.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\System32\rundll32.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\vds.exe
C:\Windows\system32\AUDIODG.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = Preserve
uSearch Page = hxxp://www.google.com
mStart Page = hxxp://websearch.amaizingsearches.info/?pid=2145&r=2014/04/14&hid=8826810464153519484&lg=EN&cc=NL&unqvl=51
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: MSS+ Identifier: {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - c:\program files\mcafee security scan\3.8.130\McAfeeMSS_IE.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: SSaVeRRExtteensIon: {B6D204D8-1AB1-82F8-CBB8-798B937AB885} - c:\programdata\ssaverrextteension\RKO.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mRunOnce: [20131224] c:\program files\avast software\avast\setup\emupdate\d7e8535f-30e0-40e9-b1e1-b19abee51c13.exe /check
StartupFolder: c:\users\ann\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/4.1.0.0/GarminAxControl_32.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 172.16.0.1
TCP: Interfaces\{569D3AD7-5E63-495E-AAF4-9B021182BE7F} : DHCPNameServer = 172.16.0.1
TCP: Interfaces\{569D3AD7-5E63-495E-AAF4-9B021182BE7F}\44F6E676162716342534 : DHCPNameServer = 192.168.100.11
TCP: Interfaces\{569D3AD7-5E63-495E-AAF4-9B021182BE7F}\75647455543545 : DHCPNameServer = 139.130.4.4 203.50.2.71
TCP: Interfaces\{569D3AD7-5E63-495E-AAF4-9B021182BE7F}\8696464656E66716C6C65697 : DHCPNameServer = 192.168.112.1
TCP: Interfaces\{569D3AD7-5E63-495E-AAF4-9B021182BE7F}\D425C49626D275966496 : DHCPNameServer = 10.150.2.200 10.150.2.207
TCP: Interfaces\{569D3AD7-5E63-495E-AAF4-9B021182BE7F}\D696A6E6E65647775627B6 : DHCPNameServer = 192.168.1.1
TCP: Interfaces\{843E2462-1D1D-4D0C-AEDC-58460603997F} : DHCPNameServer = 211.29.132.12 198.142.0.51 198.142.235.14
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: SDWinLogon - SDWinLogon.dll
AppInit_DLLs= c:\progra~1\sw-boo~1\assist~1.dll
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\34.0.1847.116\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2013-3-27 49944]
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2013-3-27 180760]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-12-17 776976]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-12-17 411552]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-12-17 67824]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-3-31 50344]
R2 Garmin Core Update Service;Garmin Core Update Service;c:\program files\garmin\core update service\Garmin.Cartography.MapUpdate.CoreService.exe [2013-11-8 250712]
R3 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-1-29 67264]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad32v.sys [2013-8-31 33568]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys [2014-3-13 30976]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-3-14 108032]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\3.8.130\McCHSvc.exe [2013-9-6 235216]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-12-17 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-12-18 52224]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
.
=============== Created Last 30 ================
.
2014-04-21 16:26:30 -------- d-----w- c:\programdata\SSaVeRRExtteensIon
.
==================== Find3M ====================
.
2014-05-15 08:30:27 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-05-15 08:30:27 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-03-31 07:35:10 231584 ------w- c:\windows\system32\MpSigStub.exe
2014-03-31 02:15:43 81768 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-03-31 02:15:43 776976 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-03-31 02:15:43 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-03-31 02:15:43 67264 ----a-w- c:\windows\system32\drivers\aswStm.sys
2014-03-31 02:15:43 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-03-31 02:15:43 180760 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-03-31 02:15:42 43152 ----a-w- c:\windows\avastSS.scr
2014-03-13 06:43:33 30976 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2014-03-01 04:11:20 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-03-01 04:10:48 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-03-01 03:52:43 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-03-01 03:51:53 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-03-01 03:38:26 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-03-01 03:38:23 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-03-01 03:37:35 553472 ----a-w- c:\windows\system32\jscript9diag.dll
2014-03-01 03:31:30 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-03-01 03:14:15 4244480 ----a-w- c:\windows\system32\jscript9.dll
2014-03-01 03:00:08 1964032 ----a-w- c:\windows\system32\inetcpl.cpl
2014-03-01 02:32:16 1820160 ----a-w- c:\windows\system32\wininet.dll
.
============= FINISH: 18:30:01.35 ===============

4. Downloaded and ran aswMBR Log - NOT successful

My computer crashed and rebooted. I never start in safe mode nor do I try and find out what caused the crash. Inevitably I am not online after a crash anyway.

5. Reran Spybot - successful

The results show there is no longer a problem. I am wary though. I don't believe malware will just remove itself. Or did Spybot remove the Malware.

Search results from Spybot - Search & Destroy

5/17/2014 8:27:26 PM
Scan took 01:15:54.
15 items found.

DoubleClick: [SBI $4E2AF2AC] Tracking cookie (Internet Explorer (User): Ann) (Browser: Cookie, nothing done)

7-Zip: [SBI $12C3A52C] Folder history (Registry Value, nothing done)
HKEY_USERS\S-1-5-21-3847289671-3493599336-2917903439-1001\Software\7-ZIP\FM\FolderHistory

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3847289671-3493599336-2917903439-1001\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry Change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS DirectInput: [SBI $9A063C91] Most recent application (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3847289671-3493599336-2917903439-1001\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3847289671-3493599336-2917903439-1001\Software\Microsoft\DirectInput\MostRecentApplication\Id

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry Key, nothing done)
HKEY_USERS\S-1-5-21-3847289671-3493599336-2917903439-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3847289671-3493599336-2917903439-1001\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry Change, nothing done)
HKEY_USERS\S-1-5-21-3847289671-3493599336-2917903439-1001\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry Value, nothing done)
HKEY_USERS\S-1-5-21-3847289671-3493599336-2917903439-1001\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

Cookie: [SBI $49804B54] Browser: Cookie (12) (Browser: Cookie, nothing done)

Cache: [SBI $49804B54] Browser: Cache (354) (Browser: Cache, nothing done)

History: [SBI $49804B54] Browser: History (55) (Browser: History, nothing done)

ken545 · May 18, 2014

:snwelcome:

I am going to ask you not to run any other programs on your own or it could interfere with the analysis, also do not install or uninstall any programs until we are done.

Looks like you have some PUP (Potentially Unwanted Programs ) on your system, lets do this

-AdwCleaner-by Xplode

Click on this link to download : ADWCleaner
Click on ONE of the Two Blue Download Now buttons That have a blue arrow beside them and save it to your desktop.

Do not click on any links in the top Advertisment.

Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
Copy and paste the contents of that logfile in your next reply.
A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

annvrolijk · May 18, 2014

Results of AdwCleaner

There is nothing in the report that I recognize as something I want to keep.

This is the report from AdwCleaner

# AdwCleaner v3.208 - Report created 18/05/2014 at 10:38:26
# Updated 11/05/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : Ann - ANN-PC
# Running from : C:\Users\Ann\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Found : C:\Program Files\Conduit
Folder Found : C:\Program Files\save net
Folder Found : C:\Program Files\SNT
Folder Found : C:\Program Files\SW-Booster
Folder Found : C:\Program Files\YoutubeAdblocker
Folder Found : C:\ProgramData\save net
Folder Found : C:\ProgramData\SNT
Folder Found : C:\ProgramData\SuperbApp
Folder Found : C:\ProgramData\Tarma Installer
Folder Found : C:\ProgramData\YoutubeAdblocker
Folder Found : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbifcgdmblggjcefpnipldpgcbegfjfb
Folder Found : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mclbdehngbefbfmephopjgigkfkgbadi
Folder Found : C:\Users\Administrator\AppData\Local\torch
Folder Found : C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgaanchmbkbjjjclkdlcjhhipijhndil
Folder Found : C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgaanchmbkbjjjclkdlcjhhipijhndil
Folder Found : C:\Users\Ann\AppData\Local\torch
Folder Found : C:\Users\Ann\AppData\LocalLow\Conduit
Folder Found : C:\Users\Ann\AppData\LocalLow\Funmoods
Folder Found : C:\Users\Ann\AppData\Roaming\Funmoods
Folder Found : C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbifcgdmblggjcefpnipldpgcbegfjfb
Folder Found : C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mclbdehngbefbfmephopjgigkfkgbadi
Folder Found : C:\Users\Guest\AppData\Local\torch
Folder Found : C:\Users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbifcgdmblggjcefpnipldpgcbegfjfb
Folder Found : C:\Users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\mclbdehngbefbfmephopjgigkfkgbadi
Folder Found : C:\Users\HomeGroupUser$\AppData\Local\torch
Folder Found : C:\Users\UpdatusUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbifcgdmblggjcefpnipldpgcbegfjfb
Folder Found : C:\Users\UpdatusUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\mclbdehngbefbfmephopjgigkfkgbadi
Folder Found : C:\Users\UpdatusUser\AppData\Local\torch
Folder Found : C:\Windows\system32\SearchProtect

***** [ Shortcuts ] *****

***** [ Registry ] *****

Data Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~1\sw-boo~1\assist~1.dll
Key Found : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Found : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Found : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Google\Chrome\Extensions\jgaanchmbkbjjjclkdlcjhhipijhndil
Key Found : HKCU\Software\Google\Chrome\Extensions\jgaanchmbkbjjjclkdlcjhhipijhndil
Key Found : HKCU\Software\IM
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\RegisteredApplicationsEx
Key Found : HKCU\Software\Softonic
Key Found : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\Software\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Found : HKLM\Software\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Found : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Found : HKLM\Software\{77D46E27-0E41-4478-87A6-AABE6FBCF252}
Key Found : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Found : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Classes\esrv.funmoodsESrvc
Key Found : HKLM\SOFTWARE\Classes\esrv.funmoodsESrvc.1
Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3000930
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jgaanchmbkbjjjclkdlcjhhipijhndil
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jgaanchmbkbjjjclkdlcjhhipijhndil
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Key Found : HKLM\Software\InstallCore
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SweetPacks Communicator
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_picasa_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_picasa_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\sweetim_rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\sweetim_rasmancs
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\sweetpacksupdatemanager_rasapi32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{c67abfdb}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7DD5E91C-3864-77EC-7635-D14910C2A03E}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileParade bundle uninstaller
Key Found : HKLM\Software\Tarma Installer

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521

Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://websearch.amaizingsearches.info/?pid=2145&r=2014/04/14&hid=8826810464153519484&lg=EN&cc=NL&unqvl=51

-\\ Google Chrome v34.0.1847.116

[ File : C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found [Search Provider] : hxxp://websearch.amaizingsearches.info/?l=1&q={searchTerms}&pid=2145&r=2014/04/14&hid=8826810464153519484&lg=EN&cc=NL&unqvl=51
Found [Extension] : jgaanchmbkbjjjclkdlcjhhipijhndil

*************************

AdwCleaner[R0].txt - [7336 octets] - [18/05/2014 10:38:26]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [7396 octets] ##########

ken545 · May 18, 2014

Good Morning,

Lots of garbage needs to go, run these in order please and post the log for each one, they may not fit all in one reply so use as many replies as you need

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Scan.
After the scan is complete click on "Clean"
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the content of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Please download Malwarebytes Anti-Malware to your desktop.

Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
Once installed, Malwarebytes will ask if you want to Launch Now. Please select to do so and then Malwarebytes will open and update on its own. Please allow this to complete.
If an update is found, it will download and install the latest version.
Let's be sure to run a Hyper Scan. Press the Scan tab and then select Hyper Scan.
Press Scan Now then Skip Update (since we just updated it)

When the scan is complete, click View Detailed Log, then Export to save the log to your Desktop (name the log MBAM Scan).
Copy and Paste all of the information in that file to your next reply.

annvrolijk · May 19, 2014

I have copied all the logs below

Unfortunately I could not run Malwarebytes Hyper Scan. This is only available in the premium version. I did run the normal scan.

Why I missed it:
First I copied the copy of your reply to Word so I could follow the instructions. Then closed the browser.
The Word document did not contain the screen shot.
Second I downloaded the free version of Malwarebytes and ran the scan. No, I didn't read the instructions properly. As soon as I realized my mistake I cancelled the scan.
Third I tried to obtain a 14 day trial. I uninstalled Malwarebytes and specifically loaded the 14 day trial version. Even so the freeware version installed. I tried several scenarios but none worked.

AdwCleaner Log

# AdwCleaner v3.208 - Report created 18/05/2014 at 14:36:58
# Updated 11/05/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : Ann - ANN-PC
# Running from : C:\Users\Ann\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\SNT
Folder Deleted : C:\ProgramData\SuperbApp
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\ProgramData\save net
Folder Deleted : C:\ProgramData\YoutubeAdblocker
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\SNT
Folder Deleted : C:\Program Files\SW-Booster
Folder Deleted : C:\Program Files\save net
Folder Deleted : C:\Program Files\YoutubeAdblocker
Folder Deleted : C:\Windows\system32\SearchProtect
Folder Deleted : C:\Users\Administrator\AppData\Local\torch
Folder Deleted : C:\Users\Ann\AppData\Local\torch
Folder Deleted : C:\Users\Ann\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Ann\AppData\LocalLow\Funmoods
Folder Deleted : C:\Users\Ann\AppData\Roaming\Funmoods
Folder Deleted : C:\Users\Guest\AppData\Local\torch
Folder Deleted : C:\Users\HomeGroupUser$\AppData\Local\torch
Folder Deleted : C:\Users\UpdatusUser\AppData\Local\torch
Folder Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbifcgdmblggjcefpnipldpgcbegfjfb
Folder Deleted : C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbifcgdmblggjcefpnipldpgcbegfjfb
Folder Deleted : C:\Users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbifcgdmblggjcefpnipldpgcbegfjfb
Folder Deleted : C:\Users\UpdatusUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\gbifcgdmblggjcefpnipldpgcbegfjfb
Folder Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\mclbdehngbefbfmephopjgigkfkgbadi
Folder Deleted : C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\mclbdehngbefbfmephopjgigkfkgbadi
Folder Deleted : C:\Users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\mclbdehngbefbfmephopjgigkfkgbadi
Folder Deleted : C:\Users\UpdatusUser\AppData\Local\Google\Chrome\User Data\Default\Extensions\mclbdehngbefbfmephopjgigkfkgbadi
Folder Deleted : C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgaanchmbkbjjjclkdlcjhhipijhndil
[!] Folder Deleted : C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgaanchmbkbjjjclkdlcjhhipijhndil

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ogccgbmabaphcakpiclgcnmcnimhokcj
Key Deleted : HKCU\Software\Google\Chrome\Extensions\jgaanchmbkbjjjclkdlcjhhipijhndil
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jgaanchmbkbjjjclkdlcjhhipijhndil
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\esrv.funmoodsESrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.funmoodsESrvc.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SweetPacks Communicator
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\FunmoodsSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\sweetim_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\sweetim_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\sweetpacksupdatemanager_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\UpdateTask_RASMANCS
Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{c67abfdb}
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3000930
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_picasa_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_picasa_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{960DF771-CFCB-4E53-A5B5-6EF2BBE6E706}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C87FC351-A80D-43E9-9A86-CF1E29DC443A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\RegisteredApplicationsEx
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Deleted : HKLM\Software\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\Software\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\Software\{77D46E27-0E41-4478-87A6-AABE6FBCF252}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\InstallCore
Key Deleted : HKLM\Software\Tarma Installer
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7DD5E91C-3864-77EC-7635-D14910C2A03E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FileParade bundle uninstaller
Data Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - c:\progra~1\sw-boo~1\assist~1.dll

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]

-\\ Google Chrome v34.0.1847.116

[ File : C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://websearch.amaizingsearches.info/?l=1&q={searchTerms}&pid=2145&r=2014/04/14&hid=8826810464153519484&lg=EN&cc=NL&unqvl=51
Deleted [Extension] : jgaanchmbkbjjjclkdlcjhhipijhndil

*************************

AdwCleaner[R0].txt - [7476 octets] - [18/05/2014 10:38:26]
AdwCleaner[R1].txt - [7534 octets] - [18/05/2014 14:33:14]
AdwCleaner[S0].txt - [7274 octets] - [18/05/2014 14:36:58]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [7334 octets] ##########

Junk Removal Tool Log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Ultimate x86
Ran by Ann on Sun 05/18/2014 at 14:45:15.74
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B6D204D8-1AB1-82F8-CBB8-798B937AB885}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{B6D204D8-1AB1-82F8-CBB8-798B937AB885}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B6D204D8-1AB1-82F8-CBB8-798B937AB885}

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\Ann\Local Settings\Application Data\cre"

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 05/18/2014 at 14:56:07.08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Malwarebytes Log

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/19/2014
Scan Time: 9:18:43 AM
Logfile: MBAM.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.19.02
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Ann

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 288271
Time Elapsed: 27 min, 52 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 5
PUP.Optional.MultiPlug.A, C:\ProgramData\SSaVeRRExtteensIon\RKO.dll, , [92ac83d07dfe4beb9561430631d0669a],
BadJoke.KillFiles, C:\$Recycle.Bin\S-1-5-21-3847289671-3493599336-2917903439-1001\$RT4GXIQ.zip, , [9ca2262d1f5c77bf903c991acc35619f],
BadJoke.KillFiles, C:\$Recycle.Bin\S-1-5-21-3847289671-3493599336-2917903439-1001\$RPGSTSU.zip, , [a896db787803ec4ab01cbcf78b7657a9],
PUP.Optional.Superfish.A, C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage, , [b58985ce7dfe6ccab4bd86fe1de5837d],
PUP.Optional.Superfish.A, C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal, , [f44af55ed6a53cfa87ea2c58c63c1de3],

Physical Sectors: 0
(No malicious items detected)

(end)

ken545 · May 19, 2014

Good Morning,

When your not used to running these type of programs it can be a bit confusing, but your doing fine.

Open up Malwarebytes and run the Threat scan again

When the scan has completed, you will now be presented with a screen showing you the malware infections that Malwarebytes’ Anti-Malware has detected. To remove the malicious programs that Malwarebytes Anti-malware has found, click on the “Quarantine All” button, and then click on the “Apply Now” button.

Then post the log please

annvrolijk · May 19, 2014

I reran Malwarebytes.

As I am not sure which log you are referring to I have attached a copy of the screen after I quarantined the malware.

I then reran the scan and have copied the report below.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/19/2014
Scan Time: 3:35:11 PM
Logfile: MBAM3.txt
Administrator: Yes

Version: 2.00.1.1004
Malware Database: v2014.05.19.04
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Ann

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 288187
Time Elapsed: 42 min, 29 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

ken545 · May 19, 2014

Good,

Lets check for leftovers

OTL by OldTimer

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Click the "Scan All Users" checkbox.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
  Note:These logs can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.

annvrolijk · May 21, 2014

results of OTL - message 1

OTL logfile created on: 5/21/2014 10:59:47 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Ann\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.16521)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.75 Gb Total Physical Memory | 0.91 Gb Available Physical Memory | 51.97% Memory free
3.50 Gb Paging File | 2.26 Gb Available in Paging File | 64.62% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 57.59 Gb Total Space | 8.20 Gb Free Space | 14.24% Space Free | Partition Type: NTFS
Drive D: | 163.98 Gb Total Space | 51.10 Gb Free Space | 31.16% Space Free | Partition Type: NTFS
Drive E: | 11.11 Gb Total Space | 10.99 Gb Free Space | 98.95% Space Free | Partition Type: NTFS

Computer Name: ANN-PC | User Name: Ann | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\Ann\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Google\Update\1.3.23.9\GoogleCrashHandler.exe (Google Inc.)
PRC - C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
PRC - C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
PRC - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
PRC - C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe (Garmin Ltd or its subsidiaries)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe (Safer-Networking Ltd.)
PRC - C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe (NVIDIA Corporation)
PRC - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
PRC - C:\Windows\System32\conhost.exe (Microsoft Corporation)
PRC - C:\Program Files\NVIDIA Corporation\Display\nvtray.exe (NVIDIA Corporation)
PRC - C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe (NVIDIA Corporation)
PRC - C:\Windows\System32\taskhost.exe (Microsoft Corporation)
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
PRC - C:\Windows\System32\audiodg.exe (Microsoft Corporation)
PRC - c:\Program Files\Windows Defender\MpCmdRun.exe (Microsoft Corporation)

========== Modules (No Company Name) ==========

MOD - C:\Program Files\AVAST Software\Avast\libcef.dll ()
MOD - C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF ()
MOD - C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll ()

========== Services (SafeList) ==========

SRV - (SDWSCService) -- C:\Program Files\Spybot File not found
SRV - (SDUpdateService) -- C:\Program Files\Spybot File not found
SRV - (SDScannerService) -- C:\Program Files\Spybot File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (avast! Antivirus) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe (AVAST Software)
SRV - (IEEtwCollectorService) -- C:\Windows\System32\IEEtwCollector.exe (Microsoft Corporation)
SRV - (AdobeARMservice) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe (Adobe Systems Incorporated)
SRV - (Microsoft SharePoint Workspace Audit Service) -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE (Microsoft Corporation)
SRV - (Garmin Core Update Service) -- C:\Program Files\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe (Garmin Ltd or its subsidiaries)
SRV - (McComponentHostService) -- C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe (McAfee, Inc.)
SRV - (NvStreamSvc) -- C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe (NVIDIA Corporation)
SRV - (nvUpdatusService) -- C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe (NVIDIA Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV - (WatAdminSvc) -- C:\Windows\System32\Wat\WatAdminSvc.exe (Microsoft Corporation)
SRV - (SensrSvc) -- C:\Windows\System32\sensrsvc.dll (Microsoft Corporation)
SRV - (PeerDistSvc) -- C:\Windows\System32\PeerDistSvc.dll (Microsoft Corporation)
SRV - (WcesComm) -- C:\Windows\WindowsMobile\wcescomm.dll (Microsoft Corporation)
SRV - (RapiMgr) -- C:\Windows\WindowsMobile\rapimgr.dll (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (VGPU) -- System32\drivers\rdvgkmd.sys File not found
DRV - (tsusbhub) -- system32\drivers\tsusbhub.sys File not found
DRV - (Synth3dVsc) -- System32\drivers\synth3dvsc.sys File not found
DRV - (NVNET) -- system32\DRIVERS\nvmf6232.sys File not found
DRV - (aswSnx) -- C:\Windows\System32\drivers\aswSnx.sys (AVAST Software)
DRV - (aswSP) -- C:\Windows\System32\drivers\aswSP.sys (AVAST Software)
DRV - (aswVmm) -- C:\Windows\System32\drivers\aswVmm.sys ()
DRV - (aswRdr) -- C:\Windows\System32\drivers\aswRdr2.sys (AVAST Software)
DRV - (aswMonFlt) -- C:\Windows\System32\drivers\aswMonFlt.sys (AVAST Software)
DRV - (aswStm) -- C:\Windows\System32\drivers\aswStm.sys (AVAST Software)
DRV - (aswRvrt) -- C:\Windows\System32\drivers\aswRvrt.sys ()
DRV - (hitmanpro37) -- C:\Windows\System32\drivers\hitmanpro37.sys ()
DRV - (aswTdi) -- C:\Windows\System32\drivers\aswTdi.sys (AVAST Software)
DRV - (nvvad_WaveExtensible) -- C:\Windows\System32\drivers\nvvad32v.sys (NVIDIA Corporation)
DRV - (nvlddmkm) -- C:\Windows\System32\drivers\nvlddmkm.sys (NVIDIA Corporation)
DRV - (NVHDA) -- C:\Windows\System32\drivers\nvhda32v.sys (NVIDIA Corporation)
DRV - (vmbus) -- C:\Windows\System32\drivers\vmbus.sys (Microsoft Corporation)
DRV - (storflt) -- C:\Windows\System32\drivers\vmstorfl.sys (Microsoft Corporation)
DRV - (storvsc) -- C:\Windows\System32\drivers\storvsc.sys (Microsoft Corporation)
DRV - (TsUsbFlt) -- C:\Windows\System32\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV - (RdpVideoMiniport) -- C:\Windows\System32\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV - (WinUsb) -- C:\Windows\System32\drivers\winusb.sys (Microsoft Corporation)
DRV - (VMBusHID) -- C:\Windows\System32\drivers\VMBusHID.sys (Microsoft Corporation)
DRV - (s3cap) -- C:\Windows\System32\drivers\vms3cap.sys (Microsoft Corporation)
DRV - (nvstor32) -- C:\Windows\System32\drivers\nvstor32.sys (NVIDIA Corporation)
DRV - (Serial) -- C:\Windows\System32\drivers\serial.sys (Brother Industries Ltd.)
DRV - (NVENETFD) -- C:\Windows\System32\drivers\nvm62x32.sys (NVIDIA Corporation)
DRV - (WDC_SAM) -- C:\Windows\System32\drivers\wdcsam.sys (Western Digital Technologies)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

IE - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/?ocid=U220DHP&pc=U220
IE - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://iat.ninemsn.com.au/tickler/default.aspx
IE - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 30 97 6C 39 88 3E CF 01 [binary data]
IE - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR
IE - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3847289671-3493599336-2917903439-1031\..\SearchScopes,DefaultScope =

========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.45.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/McAfeeMssPlugin: C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

[2012/12/17 19:35:51 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\extensions
[2012/12/17 19:35:54 | 000,000,000 | ---D | M] (Serif WebPlus Community Toolbar) -- C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\extensions\{07364a98-eb02-4736-bc54-ebe437fccb87}

========== Chrome ==========

CHR - default_search_provider: WebSearch (Enabled)
CHR - default_search_provider: search_url = http://websearch.amaizingsearches.info/?l=1&q={searchTerms}&pid=2145&r=2014/04/14&hid=8826810464153519484&lg=EN&cc=NL&unqvl=51
CHR - default_search_provider: suggest_url = http://localhost,
CHR - plugin: Error reading preferences file
CHR - Extension: Google Wallet = C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_0\
CHR - Extension: DownSaave = C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\omdbkioijpmnnheejmlbkddibejbioik\5.2\

O1 HOSTS File: ([2014/03/13 08:38:13 | 000,000,741 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (MSS+ Identifier) - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\..\Toolbar\WebBrowser: (no name) - {07364A98-EB02-4736-BC54-EBE437FCCB87} - No CLSID value found.
O3 - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3847289671-3493599336-2917903439-1031..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - Startup: C:\Users\Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O7 - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/4.1.0.0/GarminAxControl_32.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{569D3AD7-5E63-495E-AAF4-9B021182BE7F}: DhcpNameServer = 172.16.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{843E2462-1D1D-4D0C-AEDC-58460603997F}: DhcpNameServer = 211.29.132.12 198.142.0.51 198.142.235.14
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - Winlogon\Notify\SDWinLogon: DllName - (SDWinLogon.dll) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2014/05/19 11:24:47 | 000,000,000 | --SD | C] -- C:\Windows\System32\CompatTel
[2014/05/19 10:42:05 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\DESIGNER
[2014/05/19 10:31:45 | 002,724,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2014/05/19 10:23:31 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2014/05/19 10:15:21 | 000,369,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\aepdu.dll
[2014/05/19 10:15:20 | 000,302,592 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\aeinv.dll
[2014/05/19 10:14:48 | 003,969,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2014/05/19 10:14:46 | 003,914,176 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2014/05/19 10:14:42 | 000,538,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\objsel.dll
[2014/05/19 10:14:40 | 000,049,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\adprovider.dll
[2014/05/19 10:14:40 | 000,036,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dimsroam.dll
[2014/05/19 10:14:39 | 000,051,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cngprovider.dll
[2014/05/19 10:14:39 | 000,048,128 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\capiprovider.dll
[2014/05/19 10:14:39 | 000,047,616 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dpapiprovider.dll
[2014/05/19 10:14:38 | 000,035,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wincredprovider.dll
[2014/05/19 10:14:37 | 000,015,872 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\sspisrv.dll
[2014/05/19 10:14:12 | 000,149,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\storport.sys
[2014/05/19 10:14:12 | 000,027,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\Diskdump.sys
[2014/05/19 10:14:11 | 000,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\iologmsg.dll
[2014/05/19 08:49:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
[2014/05/19 08:49:06 | 000,073,432 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamchameleon.sys
[2014/05/19 08:49:06 | 000,051,416 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mwac.sys
[2014/05/19 08:49:06 | 000,023,256 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2014/05/19 08:49:06 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes Anti-Malware
[2014/05/18 15:00:02 | 000,107,736 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\MBAMSwissArmy.sys
[2014/05/18 14:59:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2014/05/18 14:45:12 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
[2014/05/18 14:27:14 | 017,305,616 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Ann\Desktop\mbam-setup-2.0.1.1004.exe
[2014/05/18 14:26:15 | 001,016,261 | ---- | C] (Thisisu) -- C:\Users\Ann\Desktop\JRT.exe
[2014/05/18 10:43:01 | 000,536,576 | ---- | C] (SQLite Development Team) -- C:\Windows\System32\sqlite3.dll
[2014/05/18 10:38:14 | 000,000,000 | ---D | C] -- C:\AdwCleaner
[2014/05/17 18:25:08 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2014/05/17 18:22:45 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ERUNT-registry back up
[2014/05/17 18:22:43 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2014/04/21 18:26:30 | 000,000,000 | ---D | C] -- C:\ProgramData\SSaVeRRExtteensIon
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2014/05/21 10:43:56 | 000,665,576 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2014/05/21 10:43:56 | 000,123,352 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2014/05/21 10:41:09 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2014/05/21 10:40:09 | 000,000,830 | ---- | M] () -- C:\Windows\tasks\Adobe Flash Player Updater.job
[2014/05/21 10:39:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2014/05/20 13:57:23 | 000,000,876 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2014/05/19 15:56:18 | 000,000,196 | ---- | M] () -- C:\Windows\tasks\AutoKMS.job
[2014/05/19 15:56:00 | 1407,692,800 | -HS- | M] () -- C:\hiberfil.sys
[2014/05/19 14:52:08 | 000,103,448 | ---- | M] () -- C:\Users\Ann\Desktop\Mware quarantine.JPG
[2014/05/19 14:45:03 | 000,107,736 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\MBAMSwissArmy.sys
[2014/05/19 08:49:17 | 000,001,064 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/05/18 14:28:20 | 017,305,616 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Ann\Desktop\mbam-setup-2.0.1.1004.exe
[2014/05/18 14:26:14 | 001,016,261 | ---- | M] (Thisisu) -- C:\Users\Ann\Desktop\JRT.exe
[2014/05/18 10:35:56 | 001,325,827 | ---- | M] () -- C:\Users\Ann\Desktop\AdwCleaner.exe
[2014/05/17 18:39:00 | 000,002,411 | ---- | M] () -- C:\Users\Ann\Desktop\attach.zip
[2014/05/17 18:23:10 | 000,001,078 | ---- | M] () -- C:\Users\Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2014/05/15 15:59:56 | 000,000,539 | ---- | M] () -- C:\Windows\wininit.ini
[2014/05/15 10:30:27 | 000,692,400 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2014/05/15 10:30:27 | 000,070,832 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2014/05/09 09:06:23 | 000,369,664 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\aepdu.dll
[2014/05/09 09:04:12 | 000,302,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\aeinv.dll
[2014/05/08 07:27:05 | 002,724,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[1 C:\Program Files\*.tmp files -> C:\Program Files\*.tmp -> ]

========== Files Created - No Company Name ==========

[2014/05/19 14:52:07 | 000,103,448 | ---- | C] () -- C:\Users\Ann\Desktop\Mware quarantine.JPG
[2014/05/19 08:49:17 | 000,001,064 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2014/05/18 10:36:01 | 001,325,827 | ---- | C] () -- C:\Users\Ann\Desktop\AdwCleaner.exe
[2014/05/17 18:39:00 | 000,002,411 | ---- | C] () -- C:\Users\Ann\Desktop\attach.zip
[2014/05/17 18:23:10 | 000,001,078 | ---- | C] () -- C:\Users\Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk
[2014/03/14 12:55:50 | 000,000,017 | ---- | C] () -- C:\Users\Ann\AppData\Local\resmon.resmoncfg
[2014/03/14 02:06:02 | 000,000,539 | ---- | C] () -- C:\Windows\wininit.ini
[2014/03/13 08:38:47 | 000,030,976 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro37.sys
[2013/03/27 10:35:02 | 000,180,760 | ---- | C] () -- C:\Windows\System32\drivers\aswVmm.sys
[2013/03/27 10:35:01 | 000,049,944 | ---- | C] () -- C:\Windows\System32\drivers\aswRvrt.sys
[2013/02/13 09:04:30 | 000,006,136 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2013/02/09 10:56:59 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Authentication
[2013/02/09 10:56:59 | 000,000,268 | RH-- | C] () -- C:\Users\Ann\AppData\Roaming\Applications
[2013/02/09 10:56:58 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLes.DAT
[2013/02/09 10:51:48 | 000,000,000 | ---- | C] () -- C:\Users\Ann\AppData\Roaming\Audio
[2013/02/09 10:51:47 | 000,000,000 | -H-- | C] () -- C:\ProgramData\PKP_DLev.DAT
[2013/02/09 10:51:43 | 000,000,000 | ---- | C] () -- C:\Users\Ann\AppData\Roaming\Application Support
[2013/02/09 10:51:42 | 000,000,000 | -H-- | C] () -- C:\ProgramData\PKP_DLet.DAT
[2013/02/09 10:49:03 | 000,000,268 | RH-- | C] () -- C:\ProgramData\Breath Pad
[2013/02/09 10:49:03 | 000,000,268 | RH-- | C] () -- C:\Users\Ann\AppData\Roaming\Bass Amp
[2013/02/09 10:49:02 | 000,000,020 | -H-- | C] () -- C:\ProgramData\PKP_DLeo.DAT
[2013/01/17 12:53:05 | 000,040,448 | ---- | C] () -- C:\Windows\System32\regobj.dll
[2013/01/17 12:53:03 | 000,151,552 | ---- | C] () -- C:\Windows\System32\LWLLHttpsUpload2.dll
[2012/12/18 18:09:27 | 000,000,135 | ---- | C] () -- C:\Windows\AutoKMS.ini
[2012/12/18 12:55:27 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2012/12/18 12:49:08 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe

========== ZeroAccess Check ==========

[2009/07/14 06:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2014/03/25 04:09:54 | 012,874,240 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 14:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 03:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2014/01/29 05:13:39 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\AVAST Software
[2013/12/31 07:51:34 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\Dropbox
[2013/07/22 16:24:55 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\DVDVideoSoft
[2012/12/17 14:55:02 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\Easy Thumbnails
[2013/02/25 14:58:29 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\FileZilla
[2013/11/18 09:47:25 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\GARMIN
[2013/01/17 12:53:53 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\High Impact eMail 5
[2013/01/17 12:53:26 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\LiveMetrics
[2013/01/17 12:50:52 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\LiveWare
[2013/02/09 11:50:37 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\Nikon
[2012/12/17 15:04:00 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\NoteTab Light
[2013/09/11 16:32:10 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\PDF Software
[2013/01/17 14:06:42 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\Serif
[2014/01/12 05:03:09 | 000,000,000 | ---D | M] -- C:\Users\Ann\AppData\Roaming\Simple Sudoku

========== Purity Check ==========

< End of report >

annvrolijk · May 21, 2014

Results from OTL - message 2 - extras

OTL Extras logfile created on: 5/21/2014 10:59:47 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Ann\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.11.9600.16521)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.75 Gb Total Physical Memory | 0.91 Gb Available Physical Memory | 51.97% Memory free
3.50 Gb Paging File | 2.26 Gb Available in Paging File | 64.62% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 57.59 Gb Total Space | 8.20 Gb Free Space | 14.24% Space Free | Partition Type: NTFS
Drive D: | 163.98 Gb Total Space | 51.10 Gb Free Space | 31.16% Space Free | Partition Type: NTFS
Drive E: | 11.11 Gb Total Space | 10.99 Gb Free Space | 98.95% Space Free | Partition Type: NTFS

Computer Name: ANN-PC | User Name: Ann | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-3847289671-3493599336-2917903439-1001\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Enabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0465E5FF-9060-4637-A8BE-7C526F99B243}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{04AF3DD0-7E7C-43DA-937E-2B1178D67569}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{07ECA800-3639-4269-A5A8-12D8683D5663}" = lport=47991 | protocol=6 | dir=in | app=c:\program files\nvidia corporation\nvstreamsrv\nvstreamer.exe |
"{096DB036-02CC-47CB-9F74-F48A1FD2F062}" = lport=999 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |
"{0E9A37FA-3CC0-4959-8699-3E88187C3A02}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{0ED4CC82-7538-46FE-AD08-5F224B5B7AD0}" = rport=445 | protocol=6 | dir=out | app=system |
"{1065D41E-B603-48D3-AC1E-CFBB3C9F0380}" = lport=2869 | protocol=6 | dir=in | app=system |
"{125D3671-2D26-403F-BC8E-F51C402E23F9}" = lport=139 | protocol=6 | dir=in | app=system |
"{1E19C104-742C-423E-B2A8-3CA7EAA785AD}" = rport=10243 | protocol=6 | dir=out | app=system |
"{1E205D1A-900E-479A-8A60-94EE97248D8B}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe |
"{236139E5-C545-472D-9195-3EC13C2360FE}" = rport=139 | protocol=6 | dir=out | app=system |
"{24D7D5AC-92F1-47A0-9A6E-9DDF07102F1B}" = lport=5721 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{2B6A34B9-8726-42F9-88D8-4B8239F82660}" = lport=5353 | protocol=17 | dir=in | app=c:\program files\nvidia corporation\nvstreamsrv\nvstreamsvc.exe |
"{342D9528-BB74-40D7-A372-BC910339F8F8}" = lport=445 | protocol=6 | dir=in | app=system |
"{3B557FD0-3430-47C9-9282-823B3A8BC415}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{43CEFA0A-6AF0-4D38-840D-277A16983813}" = lport=138 | protocol=17 | dir=in | app=system |
"{483127FF-C8AB-4989-AD90-D2539B749158}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{510E7364-457F-4AEE-BA19-042C0BE5FD9B}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{5202DE1A-9A0A-4BB3-90AA-A3561FE84DC1}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{568AC3DD-3F66-4E64-BE05-65AE4CE93D29}" = lport=5678 | protocol=6 | dir=in | app=%systemroot%\windowsmobile\wmdhost.exe |
"{64CE5447-5399-4CA0-88F8-C51DDF9815D3}" = lport=808 | protocol=6 | dir=in | svc=nettcpactivator | app=c:\windows\microsoft.net\framework\v4.0.30319\smsvchost.exe |
"{669E00BB-4BE2-4C9C-9F6B-A56E28313DD6}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{8479F5C6-D7D3-4483-B5A6-A8ECE40A4B6A}" = lport=137 | protocol=17 | dir=in | app=system |
"{9ACFC72B-F14B-43DC-ADE5-C8D8D54A22CA}" = rport=137 | protocol=17 | dir=out | app=system |
"{9D0662ED-2981-4834-9AC2-98FE7B6BC4E4}" = lport=47987 | protocol=6 | dir=in | app=c:\program files\nvidia corporation\nvstreamsrv\nvstreamsvc.exe |
"{ADE06BB0-7CB0-43EE-92F1-E6C6753295AC}" = rport=138 | protocol=17 | dir=out | app=system |
"{B577A667-081F-46D8-B8F2-E2D45D070606}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{BD06F76B-6CC4-44C3-A7B2-C84F14054B23}" = lport=26675 | protocol=6 | dir=in | name=@%systemroot%\windowsmobile\wmdcbase.exe,-4006 |
"{C0157268-F4C2-49B8-8E50-1399B1D34A71}" = lport=10243 | protocol=6 | dir=in | app=system |
"{C0A0AAF1-1600-4F3C-851A-9C62DE8B7F0D}" = lport=48000 | protocol=17 | dir=in | app=c:\program files\nvidia corporation\nvstreamsrv\nvstreamer.exe |
"{EFFEA2CA-D2A3-468B-B24D-C06E33963394}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office14\outlook.exe |
"{F0FB20EC-AF3C-4CA9-B25F-7F74EA1E3CDE}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |
"{FFD853D5-1199-42D7-AE18-F0BE92FCFB57}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0443E63E-B8F5-4AA8-8C98-BF28ECFA2501}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{0A489481-C3E6-4640-9DDF-8AE7BB09A93B}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{0C7FC993-03EF-48E0-AEC8-075B476F5C9D}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{227503C5-4E36-4D35-91E1-4567739D73B8}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{3BADAAA0-FE3A-4F7C-90C8-F1EE23A39E82}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{3D936346-BC5E-4CD1-96FC-334636ABBA66}" = protocol=6 | dir=in | app=c:\windows\system32\msiexec.exe |
"{4DD0AC00-2BFD-4B45-B7E4-040934AED5E1}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{540216BD-04F1-44E2-8F2F-904E8F37699E}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{548E36F7-0F70-41F6-88C0-03BEF9AE1834}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{59B8531F-5A2B-4435-ACBB-FB2A3A51367C}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{68BE496E-5899-4EEB-97EA-0EC8DBD73AA0}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{6AFC7F9E-A005-4430-827D-942570928EF5}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{6CBFC28C-BD6C-44A4-BC04-D85EB55E1DFD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{6FE6116B-C2C3-4614-BBA8-7D6E35C2F2B7}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{8C84B3FE-5EC5-40F4-99D1-4DDFC7BBDCC8}" = dir=in | app=c:\program files\common files\apple\apple application support\webkit2webprocess.exe |
"{961B6A48-67A2-4D03-8AF4-103D223DD1C0}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"{A007BB9F-4280-4A4D-851A-5C9525D6BFEB}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |
"{ACC5B85D-AF95-450D-A06E-013B1F482395}" = protocol=6 | dir=out | app=system |
"{B4ACB695-11A7-4E44-B311-D5668FB097B3}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{B4E35702-4F14-4DB9-A89F-103AB3F13EA2}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office14\onenote.exe |
"{B56BF00F-E6B9-46FB-BDFA-6EBCACEBF884}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{CBF4A1A8-6346-43D8-B8B4-7822C65EE877}" = protocol=17 | dir=in | app=c:\windows\system32\msiexec.exe |
"{CF300E6C-C789-4CF0-A79A-0A50965206B9}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |
"{D005B334-1D89-41DB-A305-B2DFFC14F1E4}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office14\groove.exe |
"{D19CAE5F-3652-4852-955A-160493C3CACD}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{DD7C21B1-29EE-43DC-8463-C319FE36576A}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{ED4232C7-BF20-419B-A8C0-37047BB1BBB0}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |
"{F1E4D4E9-D55D-4AA1-BFD1-A0CF60CACF12}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |
"TCP Query User{89861BF4-C288-4ABC-882A-735E20ECC85C}C:\users\ann\appdata\local\temp\491d.tmp\kmservice.exe" = protocol=6 | dir=in | app=c:\users\ann\appdata\local\temp\491d.tmp\kmservice.exe |
"UDP Query User{6258C689-60AB-4B42-BDDE-7F5A967547EB}C:\users\ann\appdata\local\temp\491d.tmp\kmservice.exe" = protocol=17 | dir=in | app=c:\users\ann\appdata\local\temp\491d.tmp\kmservice.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{13d868cf-47e9-4b3d-9366-a0c60f82e5aa}" = Striata Reader
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83217025FF}" = Java 7 Update 45
"{274E3C5C-178E-EAE2-A52F-2863C0EECD46}" = SSaVeRRExtteensIon
"{2EA870FA-585F-4187-903D-CB9FFD21E2E0}" = DHTML Editing Component
"{365C44C6-DAAA-4615-992F-D606494EF76B}" = Garmin WorldMap v5
"{3AB18A98-082D-41A1-B269-7FA8AD3AA30C}" = Garmin Express Tray
"{4903D172-DCCB-392F-93A3-34CA9D47FE3D}" = Microsoft .NET Framework 4.5.1
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}" = Google Earth
"{5CAD3393-EEC0-44CE-9F93-BCAA365B77FB}" = Nikon Movie Editor
"{6f60b921-2ae3-43fe-a6fb-ad849bd91451}" = Garmin Express
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{904CCF62-818D-4675-BC76-D37EB399F917}" = Windows Mobile Device Center
"{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" = Microsoft .NET Framework 4.5.1
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{ABA5E381-EC46-425C-86C5-5CD15BBFB4BF}" = Garmin USB Drivers
"{AC76BA86-7AD7-1033-7B44-AB0000000001}" = Adobe Reader XI (11.0.06)
"{AE1EC58E-B2AC-4959-A4C2-C38202A25239}" = Garmin WebUpdater
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.ControlPanel" = NVIDIA Control Panel 320.18
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver" = NVIDIA Graphics Driver 320.18
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience" = NVIDIA GeForce Experience 1.6.1
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Update" = NVIDIA Update 8.3.14
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_GFExperience.NvStreamC" = GeForce Experience NvStream Client Components
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_GFExperience.NvStreamSrv" = SHIELD Streaming
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver" = NVIDIA HD Audio Driver 1.3.24.2
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_installer" = NVIDIA Install Application
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_NVIDIA.Update" = NVIDIA Update Components
"{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_VirtualAudio.Driver" = NVIDIA Virtual Audio 1.2.5
"{B3931BE3-3189-4A07-833C-50527AC4F2F4}" = Garmin Express
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy
"{B67BAFBA-4C9F-48FA-9496-933E3B255044}" = QuickTime
"{C7B3C4B4-D6E1-4E5D-8428-1FB7111944B9}" = Serif WebPlus X6
"{DABFD34E-BE68-4BC6-9254-5D7A7FF76B99}" = ArcSoft Panorama Maker 6
"{E86E510B-CBAD-354D-841B-853E23EF038A}" = Google Chrome
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F2E9C364-0DFD-434B-AF0D-3F5D095B3F8F}" = Elevated Installer
"{F5266D28-E0B2-4130-BFC5-EE155AD514DC}" = Apple Application Support
"7-Zip" = 7-Zip 9.20
"98157A226B40B173301B0F53C8E98C47805D5152" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (04/19/2012 2.3.1.0)
"Adobe Flash Player ActiveX" = Adobe Flash Player 13 ActiveX
"Amazon Kindle" = Amazon Kindle
"avast" = avast! Free Antivirus
"CCleaner" = CCleaner
"Easy Thumbnails_is1" = Easy Thumbnails (Remove only)
"ERUNT_is1" = ERUNT 1.1j
"Evrsoft First Page 2006_is1" = Evrsoft First Page 2006
"Free Video to JPG Converter_is1" = Free Video to JPG Converter version 5.0.27.717
"Kobo" = Kobo
"Malwarebytes Anti-Malware_is1" = Malwarebytes Anti-Malware version 2.0.1.1004
"McAfee Security Scan" = McAfee Security Scan Plus
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"Picasa 3" = Picasa 3
"QuoVadis 6_is1" = QuoVadis 6
"Simple Sudoku_is1" = Simple Sudoku 4.2
"TTQV Navteq-Maps 2009Q4_is1" = TTQV Navteq-Maps 2009Q4

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 5/19/2014 5:29:01 AM | Computer Name = Ann-PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 5/19/2014 8:42:14 AM | Computer Name = Ann-PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 5/19/2014 9:56:16 AM | Computer Name = Ann-PC | Source = Winlogon | ID = 4103
Description = Windows license activation failed. Error 0x80070005.

Error - 5/19/2014 11:26:16 AM | Computer Name = Ann-PC | Source = Application Error | ID = 1000
Description = Faulting application name: iexplore.exe, version: 11.0.9600.16521,
time stamp: 0x53114399 Faulting module name: nvwgf2um.dll, version: 9.18.13.2018,
time stamp: 0x518fe597 Exception code: 0xc0000005 Fault offset: 0x001b447e Faulting
process id: 0x44c Faulting application start time: 0x01cf73769ab8f308 Faulting application
path: C:\Program Files\Internet Explorer\iexplore.exe Faulting module path: C:\Windows\system32\nvwgf2um.dll
Report
Id: eb109338-df69-11e3-bfd7-00269e4af3e2

Error - 5/19/2014 11:40:56 AM | Computer Name = Ann-PC | Source = Windows Backup | ID = 4104
Description =

Error - 5/19/2014 11:41:32 AM | Computer Name = Ann-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7601.17567,
time stamp: 0x4d6727a7 Faulting module name: SHELL32.dll, version: 6.1.7601.18429,
time stamp: 0x5330e506 Exception code: 0xc0000005 Fault offset: 0x0004b1f0 Faulting
process id: 0x6cc Faulting application start time: 0x01cf736a1abdfce0 Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\system32\SHELL32.dll
Report
Id: 0ced2528-df6c-11e3-bfd7-00269e4af3e2

Error - 5/19/2014 11:42:07 AM | Computer Name = Ann-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7601.17567,
time stamp: 0x4d6727a7 Faulting module name: SHELL32.dll, version: 6.1.7601.18429,
time stamp: 0x5330e506 Exception code: 0xc0000005 Fault offset: 0x0004b1f0 Faulting
process id: 0x11d8 Faulting application start time: 0x01cf7378d67563e8 Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\system32\SHELL32.dll
Report
Id: 21743608-df6c-11e3-bfd7-00269e4af3e2

Error - 5/19/2014 5:46:55 PM | Computer Name = Ann-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "c:\program files\Kobo\drivers\dpinst64.exe".
Dependent
Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 5/20/2014 8:36:48 AM | Computer Name = Ann-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7601.17567,
time stamp: 0x4d6727a7 Faulting module name: SHELL32.dll, version: 6.1.7601.18429,
time stamp: 0x5330e506 Exception code: 0xc0000005 Fault offset: 0x0004b1f0 Faulting
process id: 0x13ec Faulting application start time: 0x01cf7378e97ad608 Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\system32\SHELL32.dll
Report
Id: 68de3a20-e01b-11e3-bfd7-00269e4af3e2

Error - 5/20/2014 8:48:01 AM | Computer Name = Ann-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7601.17567,
time stamp: 0x4d6727a7 Faulting module name: SHELL32.dll, version: 6.1.7601.18429,
time stamp: 0x5330e506 Exception code: 0xc0000005 Fault offset: 0x0004b1f0 Faulting
process id: 0x1684 Faulting application start time: 0x01cf74283500f9e0 Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\system32\SHELL32.dll
Report
Id: f9a4a570-e01c-11e3-bfd7-00269e4af3e2

[ Spybot - Search and Destroy Events ]
Error - 3/13/2014 8:06:04 PM | Computer Name = Ann-PC | Source = SDCleaner | ID = 100
Description = LoadCleaningInstructions

[ System Events ]
Error - 5/18/2014 9:03:27 AM | Computer Name = Ann-PC | Source = Service Control Manager | ID = 7034
Description = The MBAMService service terminated unexpectedly. It has done this
1 time(s).

Error - 5/18/2014 11:29:40 PM | Computer Name = Ann-PC | Source = DCOM | ID = 10001
Description =

Error - 5/19/2014 4:42:15 AM | Computer Name = Ann-PC | Source = DCOM | ID = 10001
Description =

Error - 5/19/2014 5:28:11 AM | Computer Name = Ann-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdrom

Error - 5/19/2014 8:43:21 AM | Computer Name = Ann-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdrom

Error - 5/19/2014 9:25:38 AM | Computer Name = Ann-PC | Source = volsnap | ID = 393252
Description = The shadow copies of volume C: were aborted because the shadow copy
storage could not grow due to a user imposed limit.

Error - 5/19/2014 9:56:59 AM | Computer Name = Ann-PC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
cdrom

Error - 5/20/2014 3:26:17 PM | Computer Name = Ann-PC | Source = Microsoft-Windows-HAL | ID = 12
Description = The platform firmware has corrupted memory across the previous system
power transition. Please check for updated firmware for your system.

Error - 5/21/2014 4:39:53 AM | Computer Name = Ann-PC | Source = Service Control Manager | ID = 7011
Description = A timeout (30000 milliseconds) was reached while waiting for a transaction
response from the Garmin Core Update Service service.

< End of report >

ken545 · May 21, 2014

Just a few more things to remove. After the fix let me know how you feel your system is behaving now

Open OTL.exe

Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code:

:OTL
[2012/12/17 19:35:54 | 000,000,000 | ---D | M] (Serif WebPlus Community Toolbar) -- C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\extensions\{07364a98-eb02-4736-bc54-ebe437fccb87}
CHR - default_search_provider: WebSearch (Enabled)
CHR - default_search_provider: search_url = http://websearch.amaizingsearches.info/?l=1&q={searchTerms}&pid=2145&r=2014/04/14&hid=8826810464153519484&lg=EN&cc=NL&unqvl=51
CHR - Extension: DownSaave = C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\omdbkioijpmnnheejmlbkddibejbioik\5.2\
O3 - HKU\S-1-5-21-3847289671-3493599336-2917903439-1001\..\Toolbar\WebBrowser: (no name) - {07364A98-EB02-4736-BC54-EBE437FCCB87} - No CLSID value found.
[2014/04/21 18:26:30 | 000,000,000 | ---D | C] -- C:\ProgramData\SSaVeRRExtteensIon


:Services

:Reg

:Files
ipconfig /flushdns /c


:Commands
[purity]
[resethosts]
[EMPTYJAVA] 
[emptytemp]
[start explorer]
[Reboot]

Then click the Run Fix button at the top. <--Not run Scan
Let the program run unhindered, reboot when it is done
Then post the results of the log it produces

annvrolijk · May 21, 2014

results of custom fix

Thanks very much for helping me. I really appreciate this.http://forums.spybot.info/images/smilies/animated/crowned.gif

I am sure the computer will run better and I am definitely sure it is clean for the moment.

All processes killed
========== OTL ==========
C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\extensions\{07364a98-eb02-4736-bc54-ebe437fccb87}\searchplugin folder moved successfully.
C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\extensions\{07364a98-eb02-4736-bc54-ebe437fccb87}\modules folder moved successfully.
C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\extensions\{07364a98-eb02-4736-bc54-ebe437fccb87}\META-INF folder moved successfully.
C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\extensions\{07364a98-eb02-4736-bc54-ebe437fccb87}\defaults folder moved successfully.
C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\extensions\{07364a98-eb02-4736-bc54-ebe437fccb87}\components folder moved successfully.
C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\extensions\{07364a98-eb02-4736-bc54-ebe437fccb87}\chrome folder moved successfully.
C:\Users\Ann\AppData\Roaming\Mozilla\Firefox\extensions\{07364a98-eb02-4736-bc54-ebe437fccb87} folder moved successfully.
Use Chrome's Settings page to remove the default_search_provider items.
Use Chrome's Settings page to remove the default_search_provider items.
C:\Users\Ann\AppData\Local\Google\Chrome\User Data\Default\Extensions\omdbkioijpmnnheejmlbkddibejbioik\5.2 folder moved successfully.
Registry value HKEY_USERS\S-1-5-21-3847289671-3493599336-2917903439-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{07364A98-EB02-4736-BC54-EBE437FCCB87} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{07364A98-EB02-4736-BC54-EBE437FCCB87}\ not found.
C:\ProgramData\SSaVeRRExtteensIon folder moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Ann\Downloads\cmd.bat deleted successfully.
C:\Users\Ann\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYJAVA]

User: Administrator

User: All Users

User: Ann
->Java cache emptied: 96461 bytes

User: Default

User: Default User

User: Guest

User: HomeGroupUser$

User: Public

User: UpdatusUser

Total Java Files Cleaned = 0.00 mb

[EMPTYTEMP]

User: Administrator

User: All Users

User: Ann
->Temp folder emptied: 9246703 bytes
->Temporary Internet Files folder emptied: 384154 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 102849081 bytes
->Flash cache emptied: 751 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest

User: HomeGroupUser$

User: Public

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 11269482 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 43964436 bytes
RecycleBin emptied: 837453660 bytes

Total Files Cleaned = 959.00 mb

OTL by OldTimer - Version 3.2.69.0 log created on 05212014_132841

Files\Folders moved on Reboot...
C:\Users\Ann\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\4A72F430-B40C-4D36-A068-CE33ADA5ADF9.dat moved successfully.
C:\Users\Ann\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
File move failed. C:\Windows\temp\_avast_\AvastLock.txt scheduled to be moved on reboot.
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

ken545 · May 21, 2014

Open Chrome
Click the Chrome menu

on the browser toolbar.
Click on Settings
Then Manage Search Engines
Highlite WebSearch and select Delete

annvrolijk · May 21, 2014

Done

:bigthumb:

ken545 · May 21, 2014

How is your system behaving now ?

annvrolijk · May 21, 2014

It is running perfectly.
Thankyou

ken545 · May 21, 2014

Wonderful , glad we could help

Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups, any programs that where not removed you can just drag to the trash.

Malwarebytes is the free version and yours to keep and will not be removed

How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
WhattheTech
Grinler BleepingComputer
GeeksTo Go
Dslreports

Safe Surfn
Ken

Infected with Malware from France

annvrolijk

New member

Attachments

ken545

Emeritus-Security Expert

annvrolijk

New member

ken545

Emeritus-Security Expert

annvrolijk

New member

ken545

Emeritus-Security Expert

annvrolijk

New member

ken545

Emeritus-Security Expert

annvrolijk

New member

annvrolijk

New member

ken545

Emeritus-Security Expert

annvrolijk

New member

ken545

Emeritus-Security Expert

annvrolijk

New member

ken545

Emeritus-Security Expert

annvrolijk

New member

ken545

Emeritus-Security Expert