WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Error in Registry [Solved]

Started by nelsonite , Nov 02 2014 06:20 PM

Registry

This topic is locked

18 replies to this topic

#1 nelsonite

New Member

Authentic Member
9 posts

Posted 02 November 2014 - 06:20 PM

Hello,

I use Windows 7. A scan by Escan had 3 errors in the registry I believe:

03 Nov 2014 05:38:48 [13fc] - ERROR(l)!!! Invalid Entry AppInit_DLLs = c:\progra~1\optimi~1\optpro~1.dll (in key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows). Action Taken: No Action Taken.

03 Nov 2014 05:41:07 [13fc] - ERROR(2)!!! Invalid Entry \??\C:\Users\NELSON\AppData\Local\Temp\aswMBR.sys. Action Taken: Removing HKLM\SYSTEM\CurrentControlSet\Services\aswMBR.

03 Nov 2014 05:41:07 [13fc] - ERROR(2)!!! Invalid Entry \??\C:\Users\NELSON\AppData\Local\Temp\aswVmm.sys. Action Taken: Removing HKLM\SYSTEM\CurrentControlSet\Services\aswVmm.

I tried AswMBR quick scan but it was taking long. I was quite worried since I tried to find optpro~1.dll on the hard disk but could not do so. Googling it, I found that many people here have posted a same or similar file name.

I have tried system restore two times. Yet the same problem arises again.

Editing Post to paste the logs in here since I got time to do it.

ASWMBR Log:

aswMBR version 1.0.1.2172 Copyright© 2014 AVAST Software
Run date: 2014-11-03 15:07:49
-----------------------------
15:07:49.965    OS Version: Windows 6.1.7601 Service Pack 1
15:07:49.965    Number of processors: 2 586 0x170A
15:07:49.965    ComputerName: MYSUPERPC UserName: NELSON
15:08:31.867    Initialize success
15:08:32.585    VM: initialized successfully
15:08:32.585    VM: Intel CPU supported
15:08:36.168    VM: not used
15:08:36.183    supported disk I/O ataport.SYS
15:09:00.988    AVAST engine defs: 14110201
15:09:12.298    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:09:12.313    Disk 0 Vendor: WDC_WD3200AAKX-001CA0 15.01H15 Size: 305245MB BusType: 3
15:09:12.422    Disk 0 MBR read successfully I/O
15:09:12.422    Disk 0 MBR scan
15:09:12.516    Disk 0 Windows 7 default MBR code
15:09:12.547    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        99998 MB offset 63
15:09:12.563    Disk 0 Boot: NTFS     code=2
15:09:12.563    Disk 0 Partition - 00     0F Extended LBA            205236 MB offset 204796620
15:09:12.594    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       205236 MB offset 204796683
15:09:12.610    Disk 0 scanning sectors +625121280
15:09:12.688    Disk 0 scanning C:\Windows\system32\drivers
15:09:22.484    Service scanning
15:09:27.539    Service econceal C:\Windows\system32\DRIVERS\econceal.sys **LOCKED** 32
15:09:41.813    Modules scanning
15:09:48.443    Disk 0 trace - called modules:
15:09:48.443
15:09:49.192    AVAST engine scan C:\Windows
15:09:51.844    AVAST engine scan C:\Windows\system32
15:12:44.598    AVAST engine scan C:\Windows\system32\drivers
15:13:08.432    AVAST engine scan C:\Users\NELSON
15:41:07.665    AVAST engine scan C:\ProgramData
15:47:18.880    Disk 0 statistics 3791097/275/0 @ 1.17 MB/s
15:47:18.896    Scan finished successfully
15:49:14.055    Disk 0 MBR has been saved successfully to "C:\Users\NELSON\Desktop\MBR.dat"
15:49:14.133    The log file has been saved successfully to "C:\Users\NELSON\Desktop\aswMBR Log.txt"

FRST LOG:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-11-2014
Ran by NELSON (administrator) on MYSUPERPC on 03-11-2014 16:00:02
Running from C:\Users\NELSON\Desktop
Loaded Profile: NELSON (Available profiles: NELSON)
Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(BlueStack Systems, Inc.) C:\Program Files\BlueStacks\HD-UpdaterService.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\TRAYICOS.EXE
(MicroWorld Technologies Inc.) C:\Program Files\eScan\maildisp.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\econser.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\econceal.exe
(MicroWorld Technologies Inc.) C:\ProgramData\MicroWorld\eScanBD\avpmapp.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\traysser.exe
( New Softwares.net) C:\Windows\System32\WinFLTray.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Nokia) C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
(New Softwares.net) C:\Windows\System32\WinFLService.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\consctl.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\spooler.exe
() C:\Windows\System32\PnkBstrA.exe
() C:\Windows\System32\PnkBstrB.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(Chris Pietschmann (http://pietschsoft.com)) C:\Program Files\Virtual Router\VirtualRouterService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(MicroWorld Technologies Inc.) C:\Program Files\eScan\Vista\escanmon.exe
(Nokia) C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
(Nokia) C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
(Nokia) C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(MicroWorld Technologies Inc.) C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
(MicroWorld Technologies Inc.) C:\Program Files\Common Files\MicroWorld\Agent\MWAGENT.EXE
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-03-09] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [WinFLTray] => C:\Windows\system32\WinFLTray.exe [321736 2013-06-07] ( New Softwares.net)
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [FLBackup] => C:\Program Files\NewSoftware's\Folder Lock\FLComServCtrl.exe [275656 2013-06-07] (New Softwares.net)
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [TBHostSupport] => "C:\Windows\system32\Rundll32.exe" "C:\Users\NELSON\AppData\Local\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin <===== ATTENTION
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [PC Suite Tray] => C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe [1516632 2012-06-26] (Nokia)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-06-09] (Microsoft Corporation)
AppInit_DLLs: c:\progra~1\optimi~1\optpro~1.dll => c:\progra~1\optimi~1\optpro~1.dll File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://in.msn.com/?r...opt=0&ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x15CC3B68D4DACE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.yahoo.com/?fr=fp-spt_gen
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.yahoo.com/?fr=fp-spt_gen
SearchScopes: HKLM - DefaultScope {853AA969-24F7-4F3B-8B71-C6F6EE9D03CC} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {853AA969-24F7-4F3B-8B71-C6F6EE9D03CC} URL = http://search.condui...4921191611&UM=2
BHO: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
BHO: savvEitokeep. -> {2184E0FB-6128-B15B-7CD2-B6BA637021A2} -> C:\ProgramData\savvEitokeep\b.dll ()
BHO: GetRight IE Helper -> {31FF080D-12A3-439A-A2EF-4BA95A3148E8} -> C:\Program Files\GetRight\xx2gr.dll (Headlight Software, Inc.)
BHO: DivX Plus Web Player HTML5 <video> -> {326E768D-4182-46FD-9C16-1449A49795F4} -> C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Winsock: Catalog5 09 %SystemRoot%\system32\mwnsp.dll [172776] (MicroWorld Technologies Inc.)
Winsock: Catalog9 01 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 02 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 03 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 04 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 35 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF ProfilePath: C:\Users\NELSON\AppData\Roaming\Mozilla\Firefox\Profiles\tdvrzepd.default
FF DefaultSearchUrl: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&CUI=UN34198832483085513&UM=2&SearchSource=3&q={searchTerms}
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll No File
FF Plugin: @divx.com/DivX Plus Web Player Plug-In,version=1.0.0 -> C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.22.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.0.8 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Users\NELSON\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll (DivX, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF SearchPlugin: C:\Users\NELSON\AppData\Roaming\Mozilla\Firefox\Profiles\tdvrzepd.default\searchplugins\bingp.xml
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-10-15]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-10-15]
FF HKLM\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 <video> - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013-04-07]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/webhp?source=search_app"
CHR DefaultSearchKeyword: Default -> bing.com
CHR DefaultSearchURL: Default -> http://www.bing.com/...q={searchTerms}
CHR DefaultSuggestURL: Default -> http://api.bing.com/...=UP97DF&PC=UP97
CHR Profile: C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (No Name) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-06-18]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-10-28]
CHR Extension: (Skype Click to Call) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-07-29]
CHR Extension: (Connect DLC 5) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\lipgolpfajiadodbcbljdpmbmbdmfcil [2014-02-13]
CHR Extension: (Google Wallet) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-29]
CHR Extension: (DivX Plus Web Player HTML5 <video>) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm [2013-06-18]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-05-14]
CHR HKLM\...\Chrome\Extension: [lipgolpfajiadodbcbljdpmbmbdmfcil] - C:\Users\NELSON\AppData\Local\CRE\lipgolpfajiadodbcbljdpmbmbdmfcil.crx [2013-11-01]
CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2013-04-02]
CHR HKCU\...\Chrome\Extension: [lipgolpfajiadodbcbljdpmbmbdmfcil] - C:\Users\NELSON\AppData\Local\CRE\lipgolpfajiadodbcbljdpmbmbdmfcil.crx [2013-11-01]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S4 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [120088 2013-10-11] (SUPERAntiSpyware.com)
S2 BstHdAndroidSvc; C:\Program Files\BlueStacks\HD-Service.exe [402192 2014-05-01] (BlueStack Systems, Inc.)
S4 BstHdLogRotatorSvc; C:\Program Files\BlueStacks\HD-LogRotatorService.exe [385808 2014-05-01] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files\BlueStacks\HD-UpdaterService.exe [774928 2014-05-01] (BlueStack Systems, Inc.)
R2 EconService; c:\Program Files\eScan\econser.exe [961032 2011-12-20] (MicroWorld Technologies Inc.)
R2 eScan Monitor Service; C:\ProgramData\MicroWorld\eScanBD\avpmapp.exe [2141128 2014-08-26] (MicroWorld Technologies Inc.)
R2 eScan-trayicos; C:\Program Files\eScan\traysser.exe [140520 2014-06-19] (MicroWorld Technologies Inc.)
R2 MWAgent; C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE [858632 2011-12-20] (MicroWorld Technologies Inc.)
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [66872 2012-04-18] ()
R2 PnkBstrB; C:\Windows\system32\PnkBstrB.exe [107832 2012-04-18] ()
R2 Virtual Router; C:\Program Files\Virtual Router\VirtualRouterService.exe [12288 2013-02-10] (Chris Pietschmann (http://pietschsoft.com)) [File not signed]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AR9271; C:\Windows\System32\DRIVERS\athuw.sys [1763584 2013-06-28] (Atheros Communications, Inc.) [File not signed]
S3 athur; C:\Windows\System32\DRIVERS\athur.sys [1570304 2013-06-28] (Atheros Communications, Inc.)
R3 bdfsfltr; C:\Windows\System32\DRIVERS\bdfsfltr.sys [353096 2011-03-24] (BitDefender)
R2 BstHdDrv; C:\Program Files\BlueStacks\HD-Hypervisor-x86.sys [113424 2014-05-01] (BlueStack Systems)
R1 econceal; C:\Windows\System32\DRIVERS\econceal.sys [25608 2011-08-01] (MicroWorld Technologies Inc.)
R2 NEWDRIVER; C:\Windows\system32\WinVDEdrv6.sys [188176 2013-06-07] ()
R3 ProcObsrv; c:\Program Files\eScan\ProcObsrv.sys [14848 2011-12-20] (MicroWorld Technologies Inc.)
R3 ProcObsrves; C:\Program Files\eScan\ProcObsrves.sys [32104 2014-06-19] (MicroWorld Technologies Inc.)
R3 trufos; C:\Windows\System32\drivers\trufos.sys [343456 2013-02-28] (BitDefender S.R.L.)
R1 WinFLAdrv; C:\Windows\System32\WinFLAdrv.sys [29184 2013-06-07] ()
U3 aswMBR; \??\C:\Users\NELSON\AppData\Local\Temp\aswMBR.sys [X]
U3 aswVmm; \??\C:\Users\NELSON\AppData\Local\Temp\aswVmm.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-03 16:00 - 2014-11-03 16:00 - 00017491 _____ () C:\Users\NELSON\Desktop\FRST.txt
2014-11-03 15:59 - 2014-11-03 16:00 - 00000000 ____D () C:\FRST
2014-11-03 15:49 - 2014-11-03 15:49 - 00000512 _____ () C:\Users\NELSON\Desktop\MBR.dat
2014-11-03 05:21 - 2014-11-03 05:21 - 01106432 _____ (Farbar) C:\Users\NELSON\Desktop\FRST.exe
2014-11-03 04:39 - 2014-11-03 04:39 - 00000000 ____D () C:\Program Files\QS
2014-11-03 04:38 - 2014-11-03 04:38 - 00000000 ____D () C:\Users\NELSON\temp
2014-10-29 01:56 - 2014-10-29 01:56 - 00000000 ____D () C:\Program Files\Zeallsoft
2014-10-24 23:28 - 2014-10-24 23:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2014-10-24 23:28 - 2014-10-24 23:28 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-10-15 23:24 - 2014-11-03 04:20 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-10-12 20:52 - 2014-10-12 21:14 - 00000000 ____D () C:\Users\NELSON\Documents\fIXED
2014-10-12 20:48 - 2014-10-12 20:50 - 00024576 _____ () C:\Users\NELSON\Desktop\OpTransactionHistory12-10-2014 YASHU.xls
2014-10-12 20:41 - 2014-10-12 20:43 - 00062464 _____ () C:\Users\NELSON\Desktop\OpTransactionHistory12-10-2014.xls
2014-10-11 20:31 - 2014-11-03 15:20 - 00000568 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2238098226-1804821945-1009031106-1001.job
2014-10-11 20:31 - 2014-10-11 20:31 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Citrix
2014-10-07 21:12 - 2014-10-07 21:12 - 00002044 _____ () C:\Users\Public\Desktop\SDFormatter.lnk
2014-10-07 21:12 - 2014-10-07 21:12 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Downloaded Installations
2014-10-07 21:12 - 2014-10-07 21:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SDFormatter
2014-10-07 21:12 - 2014-10-07 21:12 - 00000000 ____D () C:\Program Files\SDA
2014-10-07 21:09 - 2014-10-07 21:09 - 00000796 _____ () C:\Windows\KB955704.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-03 15:51 - 2012-04-14 18:36 - 02262824 _____ () C:\Windows\ESCAN.LOG
2014-11-03 15:38 - 2014-02-15 00:33 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-03 15:14 - 2012-04-14 18:35 - 00000000 ____D () C:\Program Files\eScan
2014-11-03 15:14 - 2009-07-14 07:34 - 00003725 ____N () C:\Windows\win.ini
2014-11-03 15:11 - 2009-07-14 10:04 - 00023504 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-03 15:11 - 2009-07-14 10:04 - 00023504 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-03 15:10 - 2012-04-14 18:33 - 01175402 _____ () C:\Windows\WindowsUpdate.log
2014-11-03 14:59 - 2014-02-15 00:33 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-03 14:59 - 2012-04-14 18:36 - 00124146 _____ () C:\Windows\frights.log
2014-11-03 14:59 - 2009-07-14 10:23 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-03 14:59 - 2009-07-14 10:09 - 00996040 _____ () C:\Windows\setupact.log
2014-11-03 07:55 - 2013-03-04 03:29 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\Skype
2014-11-03 04:38 - 2012-04-14 18:31 - 00000000 ____D () C:\Users\NELSON
2014-11-03 04:28 - 2012-04-14 18:37 - 00000000 ____D () C:\FBackup
2014-11-03 04:20 - 2014-08-17 02:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-11-03 04:20 - 2014-02-15 00:36 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-11-03 04:20 - 2012-05-06 02:06 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-03 04:20 - 2012-04-16 09:56 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\vlc
2014-11-03 04:20 - 2012-04-14 18:51 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\uTorrent
2014-11-03 04:20 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\wfp
2014-11-03 04:19 - 2014-08-17 02:18 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-11-03 04:19 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\registration
2014-11-01 21:48 - 2014-09-16 23:27 - 00017408 _____ () C:\Users\NELSON\Documents\Mobile Credits.xls
2014-10-31 21:25 - 2013-09-30 13:36 - 00000202 _____ () C:\Users\NELSON\Desktop\5 stocks.txt
2014-10-30 19:56 - 2014-10-01 19:31 - 00000032 _____ () C:\Users\NELSON\Documents\hathway password.txt
2014-10-29 00:40 - 2013-11-27 01:23 - 00000000 ____D () C:\ProgramData\Oracle
2014-10-28 06:35 - 2012-04-17 15:26 - 00229000 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-26 15:21 - 2012-04-14 18:36 - 00802676 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-26 00:40 - 2012-04-15 19:30 - 01083183 _____ () C:\Windows\general.log
2014-10-24 23:28 - 2013-03-04 03:29 - 00000000 ___RD () C:\Program Files\Skype
2014-10-24 23:28 - 2013-03-04 03:29 - 00000000 ____D () C:\ProgramData\Skype
2014-10-24 20:55 - 2013-06-05 15:04 - 00000700 ___SH () C:\Users\NELSON\AppData\Local\systemFL7.dat
2014-10-24 20:54 - 2013-06-07 10:28 - 00001213 ___SH () C:\Users\NELSON\AppData\Local\win_fldb_sys.dat
2014-10-24 20:54 - 2013-06-07 10:28 - 00000693 ___SH () C:\Windows\system32\win_fldb_sys.dat
2014-10-24 20:54 - 2013-06-07 10:16 - 00003465 ___SH () C:\Windows\system32\win_stlthdb_sys.dat
2014-10-24 20:54 - 2013-06-07 10:16 - 00003465 ___SH () C:\Users\NELSON\AppData\Local\win_stlthdb_sys.dat
2014-10-23 18:36 - 2014-09-13 16:22 - 00000354 _____ () C:\Users\NELSON\Desktop\REDMI HELP.txt
2014-10-23 14:11 - 2014-09-29 21:06 - 00000000 ____D () C:\Users\NELSON\Documents\My Kindle Content
2014-10-18 03:26 - 2012-11-01 04:07 - 00225280 ___SH () C:\Users\NELSON\Thumbs.db
2014-10-16 15:51 - 2014-08-21 19:00 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Adobe
2014-10-16 15:51 - 2012-04-15 19:50 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-10-16 15:51 - 2012-04-15 19:50 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-10-16 02:20 - 2014-08-12 13:53 - 00023552 _____ () C:\Users\NELSON\Documents\DIVIDEND TOTAL PAID TILL DATE.xls
2014-10-15 22:39 - 2014-09-18 18:54 - 00000036 _____ () C:\Users\NELSON\Desktop\Links.txt
2014-10-15 13:14 - 2013-07-29 16:09 - 00000000 ____D () C:\Users\NELSON\Desktop\SOLO TAX
2014-10-10 20:22 - 2012-04-14 19:54 - 00213590 _____ () C:\Windows\UPDLL.LOG
2014-10-10 16:51 - 2009-07-14 10:23 - 00032544 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

Files to move or delete:
====================
C:\ProgramData\win_mpwd_sys.dat

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-09-27 14:24

==================== End Of Log ============================

ADDITION LOG:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 02-11-2014
Ran by NELSON at 2014-11-03 16:00:46
Running from C:\Users\NELSON\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: eScan Internet Security for Windows (Enabled - Up to date) {BCDBC2EE-EFD9-33B4-FA81-487C1275AEA6}
AS: eScan Internet Security for Windows (Enabled - Up to date) {07BA230A-C9E3-3C3A-C031-730E69F2E41B}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: eScan Internet Security for Windows (Enabled) {84E043CB-A5B6-32EC-D1DE-E149ECA6E9DD}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKCU\...\uTorrent) (Version: 3.4.2.34024 - BitTorrent Inc.)
µTorrent (HKLM\...\uTorrent) (Version: 3.2.0 - BitTorrent Inc.)
7-Zip 9.20 (HKLM\...\7-Zip) (Version: - )
7-Zip 9.21 (HKLM\...\{23170F69-40C1-2701-0921-000001000000}) (Version: 9.21.00.0 - Igor Pavlov)
Active@ Partition Recovery Enterprise (HKLM\...\Active@ Partition Recovery Enterprise) (Version: - )
Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.3.300.257 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.189 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Amazon Kindle (HKCU\...\Amazon Kindle) (Version: - Amazon)
Any Video Converter Professional 5.0.7 (HKLM\...\Any Video Converter Professional_is1) (Version: - Any-Video-Converter.com)
Apple Application Support (HKLM\...\{EB879750-CCBD-4013-BFD5-0294D4DA5BD0}) (Version: 2.1.7 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ATI AVIVO Codecs (Version: 11.6.0.10309 - ATI Technologies Inc.) Hidden
ATI Catalyst Install Manager (HKLM\...\{7638AC61-8AEE-9983-D681-BA48EE41A8FE}) (Version: 3.0.820.0 - ATI Technologies, Inc.)
BlueStacks App Player (HKLM\...\BlueStacks App Player) (Version: 0.8.9.3088 - BlueStack Systems, Inc.)
BlueStacks Notification Center (HKLM\...\{4C02AFA8-074D-44FE-B0E1-A73D4AA65390}) (Version: 0.8.9.3088 - BlueStack Systems, Inc.)
Boilsoft Video Splitter 6.33 (HKLM\...\{24549038-9956-4EE5-976D-4419AAEA7DD5}_is1) (Version: - Boilsoft, Inc.)
ChartNexus version 3.3.5 (HKLM\...\{F8F74455-1B4F-4CFC-A580-070297547BB0}_is1) (Version: 3.3.5 - ChartNexus Sdn Bhd)
Citrix Online Launcher (HKLM\...\{77463C86-BB3A-426E-A6C2-06B4D28C250F}) (Version: 1.0.223 - Citrix)
CutePDF Writer 2.8 (HKLM\...\CutePDF Writer Installation) (Version: - )
DivX Converter (HKLM\...\{13F3917B56CD4C25848BDC69916971BB}) (Version: 7.0.0 - DivX, Inc.)
DivX Converter (HKLM\...\{B13A7C41581B411290FBC0395694E2A9}) (Version: 7.0.0 - DivX, Inc.)
DivX Plus DirectShow Filters (HKLM\...\DivX Plus DirectShow Filters) (Version: - DivX, Inc.)
DivX Setup (HKLM\...\DivX Setup) (Version: 2.6.1.28 - DivX, LLC)
DivX Version Checker (HKLM\...\{3FC7CBBC4C1E11DCA1A752EA55D89593}) (Version: 7.0.0.19 - DivX, Inc.)
DivX Web Player (HKLM\...\{B7050CBDB2504B34BC2A9CA0A692CC29}) (Version: 1.4.2 - DivX,Inc.)
eScan Internet Security for Windows (HKLM\...\eScan Internet Security for Windows_is1) (Version: 11.0.1139.1640 - MicroWorld Technologies Inc.)
File Shredder 2.0 (HKLM\...\File Shredder_is1) (Version: - WipeSoft)
Foxit Reader (HKLM\...\Foxit Reader_is1) (Version: 5.4.5.114 - Foxit Corporation)
GetRight (HKLM\...\GetRight_is1) (Version: - Headlight Software, Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 32.0.1700.107 - Google Inc.)
Google Update Helper (Version: 1.3.22.5 - Google Inc.) Hidden
GoToMeeting 6.4.5.1865 (HKCU\...\GoToMeeting) (Version: 6.4.5.1865 - CitrixOnline)
HydraVision (Version: 4.2.188.0 - ATI Technologies Inc.) Hidden
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
JavaFX 2.1.1 (HKLM\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
Magic ISO Maker v5.5 (build 0281) (HKLM\...\Magic ISO Maker v5.5 (build 0281)) (Version: - )
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM\...\{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}) (Version: 3.5.92.0 - Microsoft Corporation)
Microsoft Games for Windows Marketplace (HKLM\...\{4CB0307C-565E-4441-86BE-0DF2E4FB828C}) (Version: 3.5.50.0 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Mobipocket Reader 6.2 (HKLM\...\{342126E1-173C-4585-BFBE-3EBDD20E3E9E}) (Version: 6.2.608 - Mobipocket.com)
Mozilla Firefox 33.0 (x86 en-US) (HKLM\...\Mozilla Firefox 33.0 (x86 en-US)) (Version: 33.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
MPC-HC 1.7.0 (HKLM\...\{2624B969-7135-4EB1-B0F6-2D8C397B45F7}_is1) (Version: 1.7.0.7858 - MPC-HC Team)
MSVC80_x86_v2 (Version: 1.0.3.0 - Nokia) Hidden
MSVC90_x86 (Version: 1.0.1.2 - Nokia) Hidden
Nokia Connectivity Cable Driver (HKLM\...\{A57025CC-5F2E-4D01-B387-06DB10500D43}) (Version: 7.1.78.0 - Nokia)
Nokia PC Suite (HKLM\...\Nokia PC Suite) (Version: 7.1.180.94 - Nokia)
Nokia PC Suite (Version: 7.1.180.94 - Nokia) Hidden
NVIDIA PhysX (HKLM\...\{DA909E62-3B45-4BA1-8B58-FCAEBA4BCEC9}) (Version: 9.12.0213 - NVIDIA Corporation)
Opera 12.17 (HKLM\...\Opera 12.17.1863) (Version: 12.17.1863 - Opera Software ASA)
OptionsOracle (HKLM\...\{2C31929A-D6AB-4D0B-ABF9-4812A045CE97}) (Version: 1.502 - SamoaSky)
PC Connectivity Solution (HKLM\...\{644F4910-E812-49AD-93EC-86828CB81A0D}) (Version: 12.0.27.0 - Nokia)
Philips Songbird (HKLM\...\Philips Songbird) (Version: 3.2.1667 (1667) - Koninklijke Philips Electronics N.V.)
PunkBuster Services (HKLM\...\PunkBusterSvc) (Version: 0.986 - Even Balance, Inc.)
QuickTime (HKLM\...\{0E64B098-8018-4256-BA23-C316A43AD9B0}) (Version: 7.72.80.56 - Apple Inc.)
Remove Logo Now! 1.0 (HKLM\...\Remove Logo Now!_is1) (Version: 1.0 - SoftOrbits)
savvEitokeep. (HKLM\...\{B10BC31B-DBC6-56FE-DD3D-DD4E49A3E6CE}) (Version: - saveitkeep.)
SDFormatter (HKLM\...\{179324FF-7B16-4BA8-9836-055CAAEE4F08}) (Version: 4.0.0 - SD Association)
Skype Click to Call (HKLM\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.9.12585 - Skype Technologies S.A.)
Skype™ 6.21 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
SolveigMM Video Splitter (HKLM\...\SolveigMM Video Splitter 3.6.1308.22) (Version: 3.6.1308.22 - Solveig Multimedia)
Stock Market Yearbook 2013 (HKLM\...\{8E8A3EB8-44AD-442B-BCA3-4ED4D76522FA}) (Version: 1.0.4 - Equitymaster)
TeamViewer 9 (HKLM\...\TeamViewer 9) (Version: 9.0.29947 - TeamViewer)
The KMPlayer (remove only) (HKLM\...\The KMPlayer) (Version: - )
TP-LINK TL-WN721N_TL-WN722N Driver (HKLM\...\{86A7EED0-02D0-4D91-8183-8D2F23F5E6AE}) (Version: 1.3.1 - TP-LINK)
VC80CRTRedist - 8.0.50727.6195 (Version: 1.2.0 - DivX, Inc) Hidden
Virtual Router v1.0 (HKLM\...\{BE905C46-2B34-4D73-AEE1-769ED138E0FF}) (Version: 1.0 - Chris Pietschmann)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WebcamMax (HKLM\...\WebcamMax) (Version: 7.1.2.6.MultiLanguage - )
WinAVI Video Converter (HKLM\...\WinAVI Video Converter) (Version: 11.4.0.4147 - ZJMedia Digital Technology Ltd.)
Windows Driver Package - Nokia Modem (02/25/2011 4.7) (HKLM\...\E0AC723A3DE3A04256288CADBBB011B112AED454) (Version: 02/25/2011 4.7 - Nokia)
Windows Driver Package - Nokia Modem (02/25/2011 7.01.0.9) (HKLM\...\72A50F48CC5601190B9C4E74D81161693133E7F7) (Version: 02/25/2011 7.01.0.9 - Nokia)
Windows Driver Package - Nokia pccsmcfd “LegacyDriver” (05/31/2012 7.1.2.0) (HKLM\...\17D063A0A9F5D5A225B76B1D9BCB5ADBE85C8382) (Version: 05/31/2012 7.1.2.0 - Nokia)
Windows Live ID Sign-in Assistant (HKLM\...\{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}) (Version: 6.500.3165.0 - Microsoft Corporation)
Winhotspot version 2.0 (HKLM\...\Winhotspot_is1) (Version: 2.0 - )
WinISO 5.3 (HKLM\...\WinISO_is1) (Version: - WinISO Computing Inc.)
WinZip (HKLM\...\WinZip) (Version: 9.0 SR-1 (6224) - WinZip Computing, Inc.)
WMV9/VC-1 Video Playback (Version: 1.0.60309.2155 - ATI Technologies Inc.) Hidden
Yahoo! Messenger (HKLM\...\Yahoo! Messenger) (Version: - Yahoo! Inc.)
Yahoo! Software Update (HKLM\...\Yahoo! Software Update) (Version: - )
Yahoo! Toolbar (HKLM\...\Yahoo! Companion) (Version: - Yahoo! Inc.)
Zyzzyva (HKLM\...\Zyzzyva 2.1.5) (Version: 2.1.5 - Boshvark Software, LLC)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2238098226-1804821945-1009031106-1001_Classes\CLSID\{16C8C46E-C811-4977-BF0A-B5CC1FA78D95}\InprocServer32 -> C:\Users\NELSON\AppData\Local\AskToolbar\Downloaded Program Files\xaddon.dll (Ask.com)
CustomCLSID: HKU\S-1-5-21-2238098226-1804821945-1009031106-1001_Classes\CLSID\{736AF091-C361-49B4-A928-87C586130D33}\InprocServer32 -> C:\Program Files\File Shredder\fsshell.dll ()
CustomCLSID: HKU\S-1-5-21-2238098226-1804821945-1009031106-1001_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\NELSON\AppData\Local\Citrix\GoToMeeting\1669\G2MOutlookAddin.dll (Citrix Online, a division of Citrix Systems, Inc.)

==================== Restore Points =========================

27-10-2014 16:04:38 Windows Update
28-10-2014 19:09:50 Installed Java 7 Update 71
02-11-2014 22:38:16 Restore Operation
02-11-2014 22:57:51 Windows Update
02-11-2014 23:01:18 Windows Backup

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 07:34 - 2013-10-07 17:33 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {1F7F742E-B06E-491A-B0F2-68FF0584809B} - System32\Tasks\{5E1D6F55-0A82-4C5A-9A08-2582117500FA} => C:\Program Files\Trillian\trillian.exe
Task: {2F310882-28D5-4D47-AF8B-F703396B1CCD} - System32\Tasks\MailScan Dispatcher => C:\Program Files\eScan\launch.exe [2014-06-19] (MicroWorld Technologies Inc.)
Task: {4E00BCCA-63F9-4742-9687-0BEEBEC10FBF} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {89A2EB49-CBFF-4145-89F4-9965E4D0EEDD} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-02-15] (Google Inc.)
Task: {B4632AF1-535E-4A1F-83A1-C74D03926D0B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-02-15] (Google Inc.)
Task: {B481830A-4836-4423-B7CF-51F41AA8B2B6} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup
Task: {D63873E5-C72D-461B-B316-4AB8AFA88492} - System32\Tasks\G2MUpdateTask-S-1-5-21-2238098226-1804821945-1009031106-1001 => C:\Users\NELSON\AppData\Local\Citrix\GoToMeeting\1865\g2mupdate.exe [2014-11-03] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {DE680CE0-977A-4C09-A2B8-5A453026DC4C} - System32\Tasks\{73DC7E2C-A42D-45CD-ABF2-D11E180242CF} => C:\Program Files\Trillian\trillian.exe
Task: {F5236B55-35A5-443E-B99C-C8C5CB19A599} - System32\Tasks\eScan Updater => C:\Program Files\eScan\TRAYICOS.EXE [2011-12-20] (MicroWorld Technologies Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2238098226-1804821945-1009031106-1001.job => C:\Users\NELSON\AppData\Local\Citrix\GoToMeeting\1865\g2mupdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2012-04-14 18:58 - 2009-11-05 08:39 - 00087552 _____ () C:\Windows\System32\cpwmon2k.dll
2012-06-19 23:34 - 2007-03-01 23:54 - 00657920 _____ () C:\Program Files\File Shredder\fsshell.dll
2009-07-14 02:33 - 2009-07-14 06:45 - 00364544 _____ () C:\Windows\system32\msjetoledb40.dll
2012-04-14 18:35 - 2010-05-07 16:53 - 00172040 _____ () C:\Windows\system32\unrar.dll
2012-06-26 13:11 - 2012-06-26 13:11 - 02302040 _____ () C:\Program Files\Nokia\Nokia PC Suite 7\QtCore4.dll
2012-06-26 13:11 - 2012-06-26 13:11 - 08197208 _____ () C:\Program Files\Nokia\Nokia PC Suite 7\QtGui4.dll
2012-06-26 13:11 - 2012-06-26 13:11 - 00345688 _____ () C:\Program Files\Nokia\Nokia PC Suite 7\QtXml4.dll
2012-06-26 13:10 - 2012-06-26 13:10 - 00202328 _____ () C:\Program Files\Nokia\Nokia PC Suite 7\imageformats\qjpeg4.dll
2012-06-26 13:10 - 2012-06-26 13:10 - 00027736 _____ () C:\Program Files\Nokia\Nokia PC Suite 7\imageformats\qsvg4.dll
2012-06-26 13:11 - 2012-06-26 13:11 - 00282200 _____ () C:\Program Files\Nokia\Nokia PC Suite 7\QtSvg4.dll
2011-03-09 23:05 - 2011-03-09 23:05 - 00243712 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2012-04-18 00:01 - 2012-04-18 00:01 - 00066872 _____ () C:\Windows\system32\PnkBstrA.exe
2012-04-18 00:01 - 2012-04-18 00:01 - 00107832 _____ () C:\Windows\system32\PnkBstrB.exe
2014-10-15 23:24 - 2014-10-15 23:24 - 03649648 _____ () C:\Program Files\Mozilla Firefox\mozjs.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:2CFDCA54
AlternateDataStreams: C:\ProgramData\TEMP:373E1720

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinFLAdrv.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: !SASCORE => 2
MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: BstHdLogRotatorSvc => 2
MSCONFIG\Services: BstHdUpdaterSvc => 2
MSCONFIG\Services: CryptSvc => 2
MSCONFIG\Services: SkypeUpdate => 2
MSCONFIG\Services: WMPNetworkSvc => 2
MSCONFIG\Services: YahooAUService => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Virtual Router Manager.lnk => C:\Windows\pss\Virtual Router Manager.lnk.CommonStartup
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk => C:\Windows\pss\WinZip Quick Pick.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: BlueStacks Agent => C:\Program Files\BlueStacks\HD-Agent.exe
MSCONFIG\startupreg: DivXMediaServer => C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe
MSCONFIG\startupreg: DivXUpdate => "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
MSCONFIG\startupreg: Messenger (Yahoo!) => "C:\PROGRA~1\Yahoo!\Messenger\YahooMessenger.exe" -quiet
MSCONFIG\startupreg: PC Suite Tray => "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
MSCONFIG\startupreg: Philips Device Listener => "C:\Program Files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: Skype => "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: SUPERAntiSpyware => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
MSCONFIG\startupreg: WebcamMaxAutoRun => "C:\Program Files\WebcamMax\WebcamMax.exe" -a

========================= Accounts: ==========================

Administrator (S-1-5-21-2238098226-1804821945-1009031106-500 - Administrator - Disabled)
Guest (S-1-5-21-2238098226-1804821945-1009031106-501 - Limited - Enabled)
HomeGroupUser$ (S-1-5-21-2238098226-1804821945-1009031106-1002 - Limited - Enabled)
NELSON (S-1-5-21-2238098226-1804821945-1009031106-1001 - Administrator - Enabled) => C:\Users\NELSON

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (11/03/2014 03:00:01 PM) (Source: BstHdAndroidSvc) (EventID: 0) (User: )
Description: Service cannot be started. System.ApplicationException: Cannot start service. Service did not stop gracefully the last time it was run.
   at BlueStacks.hyperDroid.Service.Service.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error: (11/03/2014 06:33:58 AM) (Source: BstHdAndroidSvc) (EventID: 0) (User: )
Description: Service cannot be started. System.ApplicationException: Cannot start service. Service did not stop gracefully the last time it was run.
   at BlueStacks.hyperDroid.Service.Service.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error: (11/03/2014 06:25:23 AM) (Source: BstHdAndroidSvc) (EventID: 0) (User: )
Description: Service cannot be started. System.ApplicationException: Cannot start service. Service did not stop gracefully the last time it was run.
   at BlueStacks.hyperDroid.Service.Service.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error: (11/03/2014 05:15:31 AM) (Source: Windows Backup) (EventID: 4104) (User: )
Description: The backup was not successful. The error is: There is not enough free space on the backup storage location to back up the data. (0x80780048).

Error: (11/03/2014 04:21:25 AM) (Source: BstHdAndroidSvc) (EventID: 0) (User: )
Description: Service cannot be started. System.ApplicationException: Cannot start service. Service did not stop gracefully the last time it was run.
   at BlueStacks.hyperDroid.Service.Service.OnStart(String[] args)
   at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error: (11/03/2014 04:12:39 AM) (Source: System Restore) (EventID: 8210) (User: )
Description: An unspecified error occurred during System Restore: (Installed Java 7 Update 71). Additional information: 0x80070005.

Error: (10/27/2014 02:22:47 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 33.0.0.5397 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 1780

Start Time: 01cff14d4af47718

Termination Time: 74

Application Path: C:\Program Files\Mozilla Firefox\firefox.exe

Report Id: 07ff47d0-5d52-11e4-812c-7071bcce71fc

Error: (10/27/2014 02:22:47 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 33.0.0.5397, time stamp: 0x543924b1
Faulting module name: mozalloc.dll, version: 33.0.0.5397, time stamp: 0x5438ffbb
Exception code: 0x80000003
Fault offset: 0x00001425
Faulting process id: 0x15f0
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (10/19/2014 08:36:05 PM) (Source: Windows Backup) (EventID: 4104) (User: )
Description: The backup was not successful. The error is: There is not enough free space on the backup storage location to back up the data. (0x80780048).

Error: (10/12/2014 11:51:15 PM) (Source: ATIeRecord) (EventID: 16393) (User: )
Description: ATI EEU failed to create a QNode

System errors:
=============
Error: (11/03/2014 03:06:56 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the MWAgent service, but this action failed with the following error:
%%1056

Error: (11/03/2014 03:06:46 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The MWAgent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (11/03/2014 03:06:45 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the MWAgent service, but this action failed with the following error:
%%1056

Error: (11/03/2014 03:06:35 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The MWAgent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (11/03/2014 03:06:29 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the MWAgent service, but this action failed with the following error:
%%1056

Error: (11/03/2014 03:06:19 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The MWAgent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (11/03/2014 03:00:01 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The BlueStacks Android Service service terminated with the following error:
%%1064

Error: (11/03/2014 08:01:42 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (11/03/2014 06:53:34 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Windows Error Reporting Service service to connect.

Error: (11/03/2014 06:33:58 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The BlueStacks Android Service service terminated with the following error:
%%1064

Microsoft Office Sessions:
=========================

CodeIntegrity Errors:
===================================
Date: 2014-10-05 17:59:42.331
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\eScan\w2kdb\bdfsfltr.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-10-05 17:59:42.253
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\eScan\w2kdb\bdfsfltr.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-10-05 17:59:42.206
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\eScan\w2kdb\bdfsfltr.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-10-05 17:59:42.143
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\eScan\w2kdb\bdfsfltr.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-10-05 17:59:42.081
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\eScan\w2kdb\bdfsfltr.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-10-05 17:59:42.034
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\eScan\w2kdb\bdfsfltr.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-27 14:26:58.074
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\eScan\w2kdb\bdfsfltr.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-27 14:26:58.027
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\eScan\w2kdb\bdfsfltr.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-27 14:26:57.949
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\eScan\w2kdb\bdfsfltr.sys because the set of per-page image hashes could not be found on the system.

Date: 2014-09-27 14:26:57.902
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\eScan\w2kdb\bdfsfltr.sys because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Pentium® Dual-Core CPU E5800 @ 3.20GHz
Percentage of memory in use: 51%
Total physical RAM: 3327.24 MB
Available physical RAM: 1609.21 MB
Total Pagefile: 6652.77 MB
Available Pagefile: 4509.67 MB
Total Virtual: 2047.88 MB
Available Virtual: 1879.38 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:97.65 GB) (Free:36.81 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (HCL DISK) (Fixed) (Total:200.43 GB) (Free:12 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 567DE008)
Partition 1: (Active) - (Size=97.7 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=200.4 GB) - (Type=OF Extended)

==================== End Of Log ============================

Please help me with what to do as I am stumped and extremely confused.

Edited by nelsonite, 03 November 2014 - 05:05 AM.

Advertisements

Register to Remove

#2 OCD

SuperHelper

Malware Team
5,574 posts

Posted 03 November 2014 - 07:26 PM

Hi nelsonite,

My name is OCD. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
Copy and Paste logs directly into the reply window. DO NOT attach the logs unless specifically instructed to do so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Please stay with this topic until I let you know that your system appears to be "All Clear"

Important: All tools MUST be run from the Desktop.

=========================

P2P - (Peer to Peer)

I see you have/had P2P software uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall this now.

Click Start > Control Panel > Programs and Features. Locate and select the following that are present on the list and click the Remove button:

uTorrent

If you choose to not remove this programs please refrain from using it until we have finished cleaning your computer.

=========================

FRST Fix Script

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the desktop as fixlist.txt

Start
CloseProcesses:
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [TBHostSupport] => "C:\Windows\system32\Rundll32.exe" "C:\Users\NELSON\AppData\Local\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin <===== ATTENTION
AppInit_DLLs: c:\progra~1\optimi~1\optpro~1.dll => c:\progra~1\optimi~1\optpro~1.dll File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM - DefaultScope {853AA969-24F7-4F3B-8B71-C6F6EE9D03CC} URL =
SearchScopes: HKCU - {853AA969-24F7-4F3B-8B71-C6F6EE9D03CC} URL = http://search.condui...4921191611&UM=2
FF DefaultSearchUrl: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&CUI=UN34198832483085513&UM=2&SearchSource=3&q={searchTerms}
CustomCLSID: HKU\S-1-5-21-2238098226-1804821945-1009031106-1001_Classes\CLSID\{16C8C46E-C811-4977-BF0A-B5CC1FA78D95}\InprocServer32 -> C:\Users\NELSON\AppData\Local\AskToolbar\Downloaded Program Files\xaddon.dll (Ask.com)
EmptyTemp:
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST and press the Fix button just once and wait.
The tool will make a log (Fixlog.txt) please post it to your reply.

=========================

Reboot

=========================

Re-run Farbar Recovery Scan Tool it should be on your desktop.

- Windows XP : Double click on the icon to run it.
- Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

=========================

Security Check

Download Security Check by screen317 from here or here.

Save it to your Desktop.
Right click SecurityCheck.exe, select "Run as Administrator" and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=========================

In your next post please provide the following:

Fixlog.txt
new FRST.txt
checkup.txt
Describe how the computer is running at the moment.

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.

#3 nelsonite

New Member

Authentic Member
9 posts

Posted 04 November 2014 - 06:18 AM

Hello,

Thanks for all the help so far. Please see the logs pasted below as per your instruction:

Fixlog.txt

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-11-2014
Ran by NELSON at 2014-11-04 14:27:59 Run:1
Running from C:\Users\NELSON\Desktop
Loaded Profile: NELSON (Available profiles: NELSON)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
CloseProcesses:
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [TBHostSupport] =>
"C:\Windows\system32\Rundll32.exe" "C:\Users\NELSON\AppData\Local\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin <===== ATTENTION
AppInit_DLLs: c:\progra~1\optimi~1\optpro~1.dll => c:\progra~1\optimi~1\optpro~1.dll File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM - DefaultScope {853AA969-24F7-4F3B-8B71-C6F6EE9D03CC} URL =
SearchScopes: HKCU - {853AA969-24F7-4F3B-8B71-C6F6EE9D03CC} URL = http://search.condui...4921191611&UM=2
FF DefaultSearchUrl: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3306061&CUI=UN34198832483085513&UM=2&SearchSource=3&q={searchTerms}
CustomCLSID: HKU\S-1-5-21-2238098226-1804821945-1009031106-1001_Classes\CLSID\{16C8C46E-C811-4977-BF0A-B5CC1FA78D95}\InprocServer32 -> C:\Users\NELSON\AppData\Local\AskToolbar\Downloaded Program Files\xaddon.dll (Ask.com)
EmptyTemp:
End
*****************

Processes closed successfully.
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\Software\Microsoft\Windows\CurrentVersion\Run\\TBHostSupport => value deleted successfully.
"C:\Windows\system32\Rundll32.exe "C:\Users\NELSON\AppData\Local\TBHostSupport\TBHostSupport.dll",DLLRunTBHostSupportPlugin <===== ATTENTION" => File/Directory not found.
"c:\progra~1\optimi~1\optpro~1.dll" => Value Data not found.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{853AA969-24F7-4F3B-8B71-C6F6EE9D03CC}" => Key deleted successfully.
"HKCR\CLSID\{853AA969-24F7-4F3B-8B71-C6F6EE9D03CC}" => Key not found.
Firefox DefaultSearchUrl deleted successfully.
"HKU\S-1-5-21-2238098226-1804821945-1009031106-1001_Classes\CLSID\{16C8C46E-C811-4977-BF0A-B5CC1FA78D95}" => Key deleted successfully.
EmptyTemp: => Removed 816.9 MB temporary data.

The system needed a reboot.

==== End of Fixlog ====

new FRST.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-11-2014
Ran by NELSON (administrator) on MYSUPERPC on 04-11-2014 14:38:20
Running from C:\Users\NELSON\Desktop
Loaded Profile: NELSON (Available profiles: NELSON)
Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe
(AMD) C:\Windows\System32\atieclxx.exe
(BlueStack Systems, Inc.) C:\Program Files\BlueStacks\HD-UpdaterService.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\TRAYICOS.EXE
(MicroWorld Technologies Inc.) C:\Program Files\eScan\econser.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\econceal.exe
(MicroWorld Technologies Inc.) C:\ProgramData\MicroWorld\eScanBD\avpmapp.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\traysser.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(New Softwares.net) C:\Windows\System32\WinFLService.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\consctl.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\maildisp.exe
(MicroWorld Technologies Inc.) C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
(MicroWorld Technologies Inc.) C:\Program Files\Common Files\MicroWorld\Agent\MWAGENT.EXE
( New Softwares.net) C:\Windows\System32\WinFLTray.exe
(Nokia) C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\spooler.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\Vista\escanmon.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
(Nokia) C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
(Nokia) C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
(Nokia) C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-03-09] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [WinFLTray] => C:\Windows\system32\WinFLTray.exe [321736 2013-06-07] ( New Softwares.net)
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [FLBackup] => C:\Program Files\NewSoftware's\Folder Lock\FLComServCtrl.exe [275656 2013-06-07] (New Softwares.net)
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [PC Suite Tray] => C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe [1516632 2012-06-26] (Nokia)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-06-09] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://in.msn.com/?r...opt=0&ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x15CC3B68D4DACE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.yahoo.com/?fr=fp-spt_gen
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.yahoo.com/?fr=fp-spt_gen
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {07E480F9-76AA-4B5F-ADBA-7A355712FE41} URL = http://in.search.yah...&fr=chr-spt_gen
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO: savvEitokeep. -> {2184E0FB-6128-B15B-7CD2-B6BA637021A2} -> C:\ProgramData\savvEitokeep\b.dll ()
BHO: DivX Plus Web Player HTML5 <video> -> {326E768D-4182-46FD-9C16-1449A49795F4} -> C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Winsock: Catalog5 09 %SystemRoot%\system32\mwnsp.dll [172776] (MicroWorld Technologies Inc.)
Winsock: Catalog9 01 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 02 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 03 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 04 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 35 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Tcpip\Parameters: [DhcpNameServer] 202.88.131.90 202.88.131.89

FireFox:
========
FF ProfilePath: C:\Users\NELSON\AppData\Roaming\Mozilla\Firefox\Profiles\tdvrzepd.default
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll No File
FF Plugin: @divx.com/DivX Plus Web Player Plug-In,version=1.0.0 -> C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.0.8 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Users\NELSON\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll (DivX, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF SearchPlugin: C:\Users\NELSON\AppData\Roaming\Mozilla\Firefox\Profiles\tdvrzepd.default\searchplugins\bingp.xml
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-10-15]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-10-15]
FF HKLM\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 <video> - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013-04-07]

Chrome:
=======
CHR Profile: C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-11-03]
CHR Extension: (Google Docs) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-11-03]
CHR Extension: (Google Drive) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-11-03]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-04]
CHR Extension: (YouTube) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-03]
CHR Extension: (Google Search) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-11-03]
CHR Extension: (Google Sheets) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-11-03]
CHR Extension: (Skype Click to Call) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2014-11-03]
CHR Extension: (Connect DLC 5) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\lipgolpfajiadodbcbljdpmbmbdmfcil [2014-02-13]
CHR Extension: (Google Wallet) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-03]
CHR Extension: (DivX Plus Web Player HTML5 <video>) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm [2014-11-03]
CHR Extension: (Gmail) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-11-03]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-05-14]
CHR HKLM\...\Chrome\Extension: [lipgolpfajiadodbcbljdpmbmbdmfcil] - C:\Users\NELSON\AppData\Local\CRE\lipgolpfajiadodbcbljdpmbmbdmfcil.crx [2013-11-01]
CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2013-04-02]
CHR HKCU\...\Chrome\Extension: [lipgolpfajiadodbcbljdpmbmbdmfcil] - C:\Users\NELSON\AppData\Local\CRE\lipgolpfajiadodbcbljdpmbmbdmfcil.crx [2013-11-01]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 BstHdAndroidSvc; C:\Program Files\BlueStacks\HD-Service.exe [402192 2014-05-01] (BlueStack Systems, Inc.)
S4 BstHdLogRotatorSvc; C:\Program Files\BlueStacks\HD-LogRotatorService.exe [385808 2014-05-01] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files\BlueStacks\HD-UpdaterService.exe [774928 2014-05-01] (BlueStack Systems, Inc.)
R2 EconService; c:\Program Files\eScan\econser.exe [961032 2011-12-20] (MicroWorld Technologies Inc.)
R2 eScan Monitor Service; C:\ProgramData\MicroWorld\eScanBD\avpmapp.exe [2141128 2014-08-26] (MicroWorld Technologies Inc.)
R2 eScan-trayicos; C:\Program Files\eScan\traysser.exe [140520 2014-06-19] (MicroWorld Technologies Inc.)
R2 MWAgent; C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE [858632 2011-12-20] (MicroWorld Technologies Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AR9271; C:\Windows\System32\DRIVERS\athuw.sys [1763584 2013-06-28] (Atheros Communications, Inc.) [File not signed]
R3 bdfsfltr; C:\Windows\System32\DRIVERS\bdfsfltr.sys [353096 2011-03-24] (BitDefender)
R2 BstHdDrv; C:\Program Files\BlueStacks\HD-Hypervisor-x86.sys [113424 2014-05-01] (BlueStack Systems)
R1 econceal; C:\Windows\System32\DRIVERS\econceal.sys [25608 2011-08-01] (MicroWorld Technologies Inc.)
R2 NEWDRIVER; C:\Windows\system32\WinVDEdrv6.sys [188176 2013-06-07] ()
R3 ProcObsrv; c:\Program Files\eScan\ProcObsrv.sys [14848 2011-12-20] (MicroWorld Technologies Inc.)
R3 ProcObsrves; C:\Program Files\eScan\ProcObsrves.sys [32104 2014-06-19] (MicroWorld Technologies Inc.)
R3 trufos; C:\Windows\System32\drivers\trufos.sys [343456 2013-02-28] (BitDefender S.R.L.)
R1 WinFLAdrv; C:\Windows\System32\WinFLAdrv.sys [29184 2013-06-07] ()

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-04 14:38 - 2014-11-04 14:39 - 00016176 _____ () C:\Users\NELSON\Desktop\FRST.txt
2014-11-04 14:06 - 2014-11-04 14:06 - 00000000 ____D () C:\Windows\rundll16.exe
2014-11-04 14:06 - 2014-11-04 14:06 - 00000000 ____D () C:\Windows\logo1_.exe
2014-11-04 02:09 - 2014-11-04 02:09 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\Yahoo!
2014-11-03 21:01 - 2014-11-03 21:01 - 00001097 _____ () C:\Users\Public\Desktop\Opera.lnk
2014-11-03 21:01 - 2014-11-03 21:01 - 00001097 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2014-11-03 21:01 - 2014-11-03 21:01 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\Opera Software
2014-11-03 21:01 - 2014-11-03 21:01 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Opera Software
2014-11-03 20:47 - 2014-11-04 14:31 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-03 20:47 - 2014-11-04 02:52 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-03 20:47 - 2014-11-03 20:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-11-03 15:59 - 2014-11-04 14:38 - 00000000 ____D () C:\FRST
2014-11-03 15:49 - 2014-11-03 15:49 - 00000512 _____ () C:\Users\NELSON\Desktop\MBR.dat
2014-11-03 05:21 - 2014-11-03 05:21 - 01106432 _____ (Farbar) C:\Users\NELSON\Desktop\FRST.exe
2014-11-03 04:39 - 2014-11-03 04:39 - 00000000 ____D () C:\Program Files\QS
2014-11-03 04:38 - 2014-11-03 04:38 - 00000000 ____D () C:\Users\NELSON\temp
2014-10-29 01:56 - 2014-10-29 01:56 - 00000000 ____D () C:\Program Files\Zeallsoft
2014-10-24 23:28 - 2014-10-24 23:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2014-10-24 23:28 - 2014-10-24 23:28 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-10-15 23:24 - 2014-11-03 04:20 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-10-12 20:52 - 2014-10-12 21:14 - 00000000 ____D () C:\Users\NELSON\Documents\fIXED
2014-10-12 20:48 - 2014-10-12 20:50 - 00024576 _____ () C:\Users\NELSON\Desktop\OpTransactionHistory12-10-2014 YASHU.xls
2014-10-12 20:41 - 2014-10-12 20:43 - 00062464 _____ () C:\Users\NELSON\Desktop\OpTransactionHistory12-10-2014.xls
2014-10-11 20:31 - 2014-11-04 14:21 - 00000568 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2238098226-1804821945-1009031106-1001.job
2014-10-11 20:31 - 2014-10-11 20:31 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Citrix
2014-10-07 21:12 - 2014-10-07 21:12 - 00002044 _____ () C:\Users\Public\Desktop\SDFormatter.lnk
2014-10-07 21:12 - 2014-10-07 21:12 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Downloaded Installations
2014-10-07 21:12 - 2014-10-07 21:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SDFormatter
2014-10-07 21:12 - 2014-10-07 21:12 - 00000000 ____D () C:\Program Files\SDA
2014-10-07 21:09 - 2014-10-07 21:09 - 00000796 _____ () C:\Windows\KB955704.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-04 14:37 - 2009-07-14 10:04 - 00023504 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-04 14:37 - 2009-07-14 10:04 - 00023504 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-04 14:35 - 2012-04-14 18:33 - 01219693 _____ () C:\Windows\WindowsUpdate.log
2014-11-04 14:32 - 2012-04-14 18:35 - 00000000 ____D () C:\Program Files\eScan
2014-11-04 14:32 - 2009-07-14 07:34 - 00003725 _____ () C:\Windows\win.ini
2014-11-04 14:31 - 2012-04-14 19:56 - 00032924 _____ () C:\Windows\PFRO.log
2014-11-04 14:31 - 2012-04-14 18:36 - 02300685 _____ () C:\Windows\ESCAN.LOG
2014-11-04 14:31 - 2012-04-14 18:36 - 00124475 _____ () C:\Windows\frights.log
2014-11-04 14:31 - 2009-07-14 10:23 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-04 14:31 - 2009-07-14 10:09 - 00996880 _____ () C:\Windows\setupact.log
2014-11-04 13:59 - 2012-04-15 19:30 - 01087795 _____ () C:\Windows\general.log
2014-11-03 21:01 - 2012-04-14 18:35 - 00000000 ____D () C:\Program Files\Opera
2014-11-03 20:59 - 2012-04-17 23:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MagicISO
2014-11-03 20:59 - 2012-04-17 23:54 - 00000000 ____D () C:\Program Files\MagicISO
2014-11-03 20:59 - 2012-04-14 18:35 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\Opera
2014-11-03 20:59 - 2012-04-14 18:35 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Opera
2014-11-03 20:58 - 2012-04-16 02:56 - 00000000 ____D () C:\Program Files\Yahoo!
2014-11-03 20:57 - 2014-09-25 04:08 - 00000000 ____D () C:\Program Files\Virtual Router
2014-11-03 20:57 - 2014-09-24 20:34 - 00000000 ____D () C:\Program Files\Winhotspot
2014-11-03 20:56 - 2014-01-13 20:22 - 00000000 ____D () C:\Temp
2014-11-03 20:56 - 2012-04-17 23:59 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-11-03 20:55 - 2012-08-08 20:03 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-11-03 20:47 - 2013-06-18 03:42 - 00000000 ____D () C:\Program Files\Google
2014-11-03 19:42 - 2013-09-03 20:39 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\Solveig Multimedia
2014-11-03 19:42 - 2013-09-03 20:39 - 00000000 ____D () C:\Program Files\Solveig Multimedia
2014-11-03 19:41 - 2012-04-14 18:36 - 00819426 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-03 19:38 - 2012-05-10 21:07 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\GetRight
2014-11-03 19:38 - 2012-05-10 21:07 - 00000000 ____D () C:\ProgramData\GetRight
2014-11-03 19:36 - 2012-06-24 17:34 - 00000000 ____D () C:\Program Files\7-Zip
2014-11-03 07:55 - 2013-03-04 03:29 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\Skype
2014-11-03 04:38 - 2012-04-14 18:31 - 00000000 ____D () C:\Users\NELSON
2014-11-03 04:28 - 2012-04-14 18:37 - 00000000 ____D () C:\FBackup
2014-11-03 04:20 - 2014-08-17 02:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-11-03 04:20 - 2012-05-06 02:06 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-03 04:20 - 2012-04-16 09:56 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\vlc
2014-11-03 04:20 - 2012-04-14 18:51 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\uTorrent
2014-11-03 04:20 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\wfp
2014-11-03 04:19 - 2014-08-17 02:18 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-11-03 04:19 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\registration
2014-11-01 21:48 - 2014-09-16 23:27 - 00017408 _____ () C:\Users\NELSON\Documents\Mobile Credits.xls
2014-10-31 21:25 - 2013-09-30 13:36 - 00000202 _____ () C:\Users\NELSON\Desktop\5 stocks.txt
2014-10-30 19:56 - 2014-10-01 19:31 - 00000032 _____ () C:\Users\NELSON\Documents\hathway password.txt
2014-10-29 00:40 - 2013-11-27 01:23 - 00000000 ____D () C:\ProgramData\Oracle
2014-10-28 06:35 - 2012-04-17 15:26 - 00229000 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-24 23:28 - 2013-03-04 03:29 - 00000000 ___RD () C:\Program Files\Skype
2014-10-24 23:28 - 2013-03-04 03:29 - 00000000 ____D () C:\ProgramData\Skype
2014-10-24 20:55 - 2013-06-05 15:04 - 00000700 ___SH () C:\Users\NELSON\AppData\Local\systemFL7.dat
2014-10-24 20:54 - 2013-06-07 10:28 - 00001213 ___SH () C:\Users\NELSON\AppData\Local\win_fldb_sys.dat
2014-10-24 20:54 - 2013-06-07 10:28 - 00000693 ___SH () C:\Windows\system32\win_fldb_sys.dat
2014-10-24 20:54 - 2013-06-07 10:16 - 00003465 ___SH () C:\Windows\system32\win_stlthdb_sys.dat
2014-10-24 20:54 - 2013-06-07 10:16 - 00003465 ___SH () C:\Users\NELSON\AppData\Local\win_stlthdb_sys.dat
2014-10-23 18:36 - 2014-09-13 16:22 - 00000354 _____ () C:\Users\NELSON\Desktop\REDMI HELP.txt
2014-10-23 14:11 - 2014-09-29 21:06 - 00000000 ____D () C:\Users\NELSON\Documents\My Kindle Content
2014-10-18 03:26 - 2012-11-01 04:07 - 00225280 ___SH () C:\Users\NELSON\Thumbs.db
2014-10-16 15:51 - 2014-08-21 19:00 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Adobe
2014-10-16 15:51 - 2012-04-15 19:50 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-10-16 15:51 - 2012-04-15 19:50 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-10-16 02:20 - 2014-08-12 13:53 - 00023552 _____ () C:\Users\NELSON\Documents\DIVIDEND TOTAL PAID TILL DATE.xls
2014-10-15 22:39 - 2014-09-18 18:54 - 00000036 _____ () C:\Users\NELSON\Desktop\Links.txt
2014-10-15 13:14 - 2013-07-29 16:09 - 00000000 ____D () C:\Users\NELSON\Desktop\SOLO TAX
2014-10-10 20:22 - 2012-04-14 19:54 - 00213590 _____ () C:\Windows\UPDLL.LOG
2014-10-10 16:51 - 2009-07-14 10:23 - 00032544 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

Files to move or delete:
====================
C:\ProgramData\win_mpwd_sys.dat

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-11-04 01:03

==================== End Of Log ============================

checkup.txt

Results of screen317's Security Check version 0.99.89
Windows 7 Service Pack 1 x86 (UAC is enabled)
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
eScan Internet Security for Windows
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
JavaFX 2.1.1
Java 7 Update 67
Adobe Flash Player 15.0.0.189
Adobe Reader XI
Mozilla Firefox (33.0)
Google Chrome 38.0.2125.111
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````

While doing Full PC Scan, certain files(usaually 2 to 3 maximum) cannot be scanned and it gives message of scanfile failed.

However when I manually go to that location where file is based and scan it...not only does it scan properly but shows the file as clean. This has happened many times over last 2 days and is still happening.

Spyware scan under Escan is not enabled by default and hence I have to run it as administrator and select this option for full PC scan. When I manually scan 2 or 3 files that were not scanned earlier, this is done by right clicking file and selecting scan for viruses using Escan. so there is a possibility that these files contain spyware. Please see below for example of such an error while doing scan which is pasted straight from the Scan Log:

04 Nov 2014 14:54:00 [0dc8] - Scanning File C:\Windows\system32\drivers\1394ohci.sys
04 Nov 2014 14:54:00 [0dc8] - ERROR(2)!!! ScanFile Fails for C:\Windows\system32\drivers\1394ohci.sys...

A similar error was found with Windows defender downloaded update where one of the dll files scan failed. I manually scanned the file and found nothing. A few hours later again the same problem arose while doing another scan. I am not able to find that particular log file.

These are the problems I am facing as of now.

#4 OCD

SuperHelper

Malware Team
5,574 posts

Posted 04 November 2014 - 10:19 AM

Hi nelsonite,

Thanks for the logs and the detailed explanation. :thumbup:

04 Nov 2014 14:54:00 [0dc8] - Scanning File C:\Windows\system32\drivers\1394ohci.sys
04 Nov 2014 14:54:00 [0dc8] - ERROR(2)!!! ScanFile Fails for C:\Windows\system32\drivers\1394ohci.sys...

I don't know enough about the eScan program you are using. The file you listed does not appear to be malicious as your individual scans have shown. Please view the links I have provided for additional information. Do the same files always come up as failed during a scan? Is there an option within eScan to exclude these files in future scans, perhaps adding them to a white-list?

http://www.computerh...?p=1394ohci.sys
http://www.systemloo...94ohci_sys.html
http://www.systemloo...ch=1394ohci.sys

Are you experiencing any other issues other than these files not being able to be scanned?

=========================

AdwCleaner v3: Scan & Clean

- Windows XP : Double click on the icon to run it.
- Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
Click on the Scan button.
AdwCleaner will begin to scan your computer like it did before.
After the scan has finished...
Click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a log file report (AdwCleaner[S0].txt) will open automatically.
Copy and paste the contents of that log file in your next reply.
A copy of that log file will also be saved in the C:\AdwCleaner folder.

=========================

Junkware Removal Tool

Download Junkware Removal Tool to your desktop.

- Windows XP : Double click on the icon to run it.
- Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
Shut down your protection software now to avoid potential conflicts.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

=========================

In your next post please provide the following:

AdwCleaner[S0].txt
JRT.txt

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.

#5 nelsonite

New Member

Authentic Member
9 posts

Posted 04 November 2014 - 03:21 PM

Hello,

Thank you for such detailed, precise and clear cut instructions.

Escan does not allow me to download Junkware Removal Tool

It classifies the url or the download as Malware. Please advise about what has to be done.

Usually the same files turn up for failed scan. But in the latest full PC scan by Escan no errors or failed scans of files turned up. This was done just 45 mins ago after the AdwCleaner scan finished.

There is a way to add files/folders to the safelist or whitelist but since none are turning up now, I do not see need for same. I will keep you updated if any of these file scan fail problems recur.

I was able to run AdwCleaner v3: Scan & Clean

Please find below the log for the same:

AdwCleaner[S0].txt

# AdwCleaner v3.311 - Report created 05/11/2014 at 01:31:10
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : NELSON - MYSUPERPC
# Running from : C:\Users\NELSON\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Conduit
Folder Deleted : C:\ProgramData\COolSaleCouipon
Folder Deleted : C:\ProgramData\savvEitokeep
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Program Files\COolSaleCouipon
Folder Deleted : C:\Users\NELSON\AppData\Local\AskToolbar
Folder Deleted : C:\Users\NELSON\AppData\Local\Conduit
Folder Deleted : C:\Users\NELSON\AppData\Local\NativeMessaging
Folder Deleted : C:\Users\NELSON\AppData\Local\TBHostSupport
Folder Deleted : C:\Users\NELSON\AppData\Local\WhiteListing
Folder Deleted : C:\Users\NELSON\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\lipgolpfajiadodbcbljdpmbmbdmfcil
File Deleted : C:\Users\NELSON\AppData\Local\CRE\lipgolpfajiadodbcbljdpmbmbdmfcil.crx
File Deleted : C:\END
File Deleted : C:\Users\NELSON\AppData\Roaming\Mozilla\Firefox\Profiles\tdvrzepd.default\invalidprefs.js
File Deleted : C:\Users\NELSON\AppData\Roaming\Mozilla\Firefox\Profiles\tdvrzepd.default\searchplugins\bingp.xml

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Google\Chrome\Extensions\lipgolpfajiadodbcbljdpmbmbdmfcil
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lipgolpfajiadodbcbljdpmbmbdmfcil
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\mconduitinstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\mconduitinstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\saveitkeep..saveitkeep.
Key Deleted : HKLM\SOFTWARE\Classes\saveitkeep..saveitkeep..1.5
Key Deleted : HKLM\SOFTWARE\Classes\CoolSaileeCOOupon.CoolSaileeCOOupon
Key Deleted : HKLM\SOFTWARE\Classes\CoolSaileeCOOupon.CoolSaileeCOOupon.3.95
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3306061
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_flv-player_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_flv-player_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_kmplayer_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SoftonicDownloader_for_kmplayer_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2184E0FB-6128-B15B-7CD2-B6BA637021A2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CBBD1B37-4CBE-B771-6E36-7A1553153001}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2184E0FB-6128-B15B-7CD2-B6BA637021A2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2184E0FB-6128-B15B-7CD2-B6BA637021A2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CBBD1B37-4CBE-B771-6E36-7A1553153001}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2184E0FB-6128-B15B-7CD2-B6BA637021A2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CBBD1B37-4CBE-B771-6E36-7A1553153001}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2184E0FB-6128-B15B-7CD2-B6BA637021A2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CBBD1B37-4CBE-B771-6E36-7A1553153001}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Headlight
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\Conduit

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7601.17514

-\\ Mozilla Firefox v33.0 (x86 en-US)

[ File : C:\Users\NELSON\AppData\Roaming\Mozilla\Firefox\Profiles\tdvrzepd.default\prefs.js ]

Line Deleted : user_pref("CT3306061.FF19Solved", "true");
Line Deleted : user_pref("CT3306061.UserID", "UN34198832483085513");
Line Deleted : user_pref("CT3306061.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3306061.fullUserID", "UN34198832483085513.IN.20131109050018");
Line Deleted : user_pref("CT3306061.installDate", "09/11/2013 05:00:22");
Line Deleted : user_pref("CT3306061.installSessionId", "{AF8F4AE7-035B-43BF-AC30-0A960E293C7B}");
Line Deleted : user_pref("CT3306061.installSp", "TRUE");
Line Deleted : user_pref("CT3306061.installerVersion", "1.8.0.14");
Line Deleted : user_pref("CT3306061.keyword", "true");
Line Deleted : user_pref("CT3306061.originalHomepage", "about:home");
Line Deleted : user_pref("CT3306061.originalSearchAddressUrl", "");
Line Deleted : user_pref("CT3306061.originalSearchEngine", "");
Line Deleted : user_pref("CT3306061.originalSearchEngineName", "");
Line Deleted : user_pref("CT3306061.searchRevert", "true");
Line Deleted : user_pref("CT3306061.searchUserMode", "2");
Line Deleted : user_pref("CT3306061.smartbar.homepage", "true");
Line Deleted : user_pref("CT3306061.toolbarInstallDate", "09-11-2013 05:00:18");
Line Deleted : user_pref("CT3306061.versionFromInstaller", "10.21.1.7");
Line Deleted : user_pref("CT3306061.xpeMode", "0");
Line Deleted : user_pref("Smartbar.ConduitHomepagesList", "hxxp://search.conduit.com/?ctid=CT3306061&octid=CT3306061&SearchSource=61&CUI=UN34198832483085513&UM=2&UP=SPB6397B97-B8A7-424B-90F2-4AE2F1D2459A");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Deleted : user_pref("browser.search.defaultthis.engineName", "Connect DLC 5 Customized Web Search");
Line Deleted : user_pref("extensions.FdxxIPRPu6W.scode", "(function(){try{var url=window.self.location.href;if(url.indexOf(\"acebook\")>-1||url.indexOf(\"txtlnkusaolp00000800\")>-1||url.indexOf(\"onduit\")>-1||url.m[...]

-\\ Google Chrome v38.0.2125.111

[ File : C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [9093 octets] - [05/11/2014 01:28:46]
AdwCleaner[S0].txt - [9056 octets] - [05/11/2014 01:31:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9116 octets] ##########

#6 OCD

SuperHelper

Malware Team
5,574 posts

Posted 04 November 2014 - 04:23 PM

Hi nelsonite ,

Escan does not allow me to download Junkware Removal Tool

Disable Escan to download JRT, then re-enable it before running the program. If it still flags it as malicious, then keep Escan disabled while you run it. It will only take a few minutes to do it's scan.

Then please run a fresh scan with FRST and post the JRT and a new FRST.txt

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.

#7 nelsonite

New Member

Authentic Member
9 posts

Posted 05 November 2014 - 04:42 AM

Hello,

The file scan failed still happens for 1394ohci.sys. I have enabled 2 step verification for email accounts. From them on I am getting Last account activity information. Is this normal or standard. I was not getting this information before the 2 step verification.

I also got a message saying that you are not invisible on Google Talk because you have signed on from another place where being invisible is not an option. However when I went to recent activity, no breaches were shown. I also get the following message almost every time even though I always sign in and out:

This account does not seem to be open in any other location. However, there may be sessions that have not been signed out.

Please also let me know if a firewall is required as I am getting more and more paranoid with the changes above. Also any other security tools required.

Please find below the logs:

JRT.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.5 (10.31.2014:1)
OS: Windows 7 Ultimate x86
Ran by NELSON on Wed 11/05/2014 at 15:54:44.86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

Successfully deleted: [Folder] "C:\Users\NELSON\Local Settings\Application Data\cre"

~~~ FireFox

Emptied folder: C:\Users\NELSON\AppData\Roaming\mozilla\firefox\profiles\tdvrzepd.default\minidumps [7 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 11/05/2014 at 15:59:01.99
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Frst.txt

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-11-2014
Ran by NELSON (administrator) on MYSUPERPC on 05-11-2014 16:01:05
Running from C:\Users\NELSON\Desktop
Loaded Profile: NELSON (Available profiles: NELSON)
Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(BlueStack Systems, Inc.) C:\Program Files\BlueStacks\HD-UpdaterService.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\econser.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\econceal.exe
(MicroWorld Technologies Inc.) C:\ProgramData\MicroWorld\eScanBD\avpmapp.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\traysser.exe
(New Softwares.net) C:\Windows\System32\WinFLService.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\consctl.exe
(MicroWorld Technologies Inc.) C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE
(MicroWorld Technologies Inc.) C:\Program Files\Common Files\MicroWorld\Agent\MWAGENT.EXE
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(MicroWorld Technologies Inc.) C:\Program Files\eScan\TRAYICOS.EXE
(MicroWorld Technologies Inc.) C:\Program Files\eScan\Vista\escanmon.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
( New Softwares.net) C:\Windows\System32\WINFLT~2.EXE
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Nokia) C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
(Nokia) C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
(Nokia) C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
(Nokia) C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\maildisp.exe
(MicroWorld Technologies Inc.) C:\Program Files\eScan\spooler.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-03-09] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [WinFLTray] => C:\Windows\system32\WinFLTray.exe [321736 2013-06-07] ( New Softwares.net)
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [FLBackup] => C:\Program Files\NewSoftware's\Folder Lock\FLComServCtrl.exe [275656 2013-06-07] (New Softwares.net)
HKU\S-1-5-21-2238098226-1804821945-1009031106-1001\...\Run: [PC Suite Tray] => C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe [1516632 2012-06-26] (Nokia)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [280576 2013-06-09] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://in.msn.com/?r...opt=0&ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x15CC3B68D4DACE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.yahoo.com/?fr=fp-spt_gen
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.yahoo.com/?fr=fp-spt_gen
SearchScopes: HKCU - {07E480F9-76AA-4B5F-ADBA-7A355712FE41} URL = http://in.search.yah...&fr=chr-spt_gen
BHO: DivX Plus Web Player HTML5 <video> -> {326E768D-4182-46FD-9C16-1449A49795F4} -> C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll (DivX, LLC)
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Winsock: Catalog5 09 %SystemRoot%\system32\mwnsp.dll [172776] (MicroWorld Technologies Inc.)
Winsock: Catalog9 01 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 02 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 03 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 04 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Winsock: Catalog9 35 %SystemRoot%\system32\mwtsp.dll [1359080] (MicroWorld Technologies Inc.)
Tcpip\Parameters: [DhcpNameServer] 202.88.131.90 202.88.131.89

FireFox:
========
FF ProfilePath: C:\Users\NELSON\AppData\Roaming\Mozilla\Firefox\Profiles\tdvrzepd.default
FF Homepage: about:home
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_189.dll ()
FF Plugin: @divx.com/DivX Browser Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Web Player\npdivx32.dll (DivX,Inc.)
FF Plugin: @divx.com/DivX Player Plugin,version=1.0.0 -> C:\Program Files\DivX\DivX Player\npDivxPlayerPlugin.dll No File
FF Plugin: @divx.com/DivX Plus Web Player Plug-In,version=1.0.0 -> C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\PROGRAM FILES\FOXIT SOFTWARE\FOXIT READER\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.0.8 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.1 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.3 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @citrixonline.com/appdetectorplugin -> C:\Users\NELSON\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npDivxPlayerPlugin.dll (DivX, Inc)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin2.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin3.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin4.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin5.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin6.dll (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npqtplugin7.dll (Apple Inc.)
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-10-15]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-10-15]
FF HKLM\...\Firefox\Extensions: [{23fcfd51-4958-4f00-80a3-ae97e717ed8b}] - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5
FF Extension: DivX Plus Web Player HTML5 <video> - C:\Program Files\DivX\DivX Plus Web Player\firefox\DivXHTML5 [2013-04-07]

Chrome:
=======
CHR Profile: C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-11-03]
CHR Extension: (Google Docs) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-11-03]
CHR Extension: (Google Drive) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-11-03]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-04]
CHR Extension: (YouTube) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-03]
CHR Extension: (Google Search) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-11-03]
CHR Extension: (Google Sheets) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-11-03]
CHR Extension: (Skype Click to Call) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2014-11-03]
CHR Extension: (Google Wallet) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-03]
CHR Extension: (DivX Plus Web Player HTML5 <video>) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\nneajnkjbffgblleaoojgaacokifdkhm [2014-11-03]
CHR Extension: (Gmail) - C:\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-11-03]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-05-14]
CHR HKLM\...\Chrome\Extension: [nneajnkjbffgblleaoojgaacokifdkhm] - C:\Program Files\DivX\DivX Plus Web Player\chrome\DivXHTML5\DivXHTML5.crx [2013-04-02]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 BstHdAndroidSvc; C:\Program Files\BlueStacks\HD-Service.exe [402192 2014-05-01] (BlueStack Systems, Inc.)
S4 BstHdLogRotatorSvc; C:\Program Files\BlueStacks\HD-LogRotatorService.exe [385808 2014-05-01] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files\BlueStacks\HD-UpdaterService.exe [774928 2014-05-01] (BlueStack Systems, Inc.)
R2 EconService; c:\Program Files\eScan\econser.exe [961032 2011-12-20] (MicroWorld Technologies Inc.)
R2 eScan Monitor Service; C:\ProgramData\MicroWorld\eScanBD\avpmapp.exe [2141128 2014-08-26] (MicroWorld Technologies Inc.)
R2 eScan-trayicos; C:\Program Files\eScan\traysser.exe [140520 2014-06-19] (MicroWorld Technologies Inc.)
R2 MWAgent; C:\Program Files\Common Files\MicroWorld\Agent\MWASER.EXE [858632 2011-12-20] (MicroWorld Technologies Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AR9271; C:\Windows\System32\DRIVERS\athuw.sys [1763584 2013-06-28] (Atheros Communications, Inc.) [File not signed]
R3 bdfsfltr; C:\Windows\System32\DRIVERS\bdfsfltr.sys [353096 2011-03-24] (BitDefender)
R2 BstHdDrv; C:\Program Files\BlueStacks\HD-Hypervisor-x86.sys [113424 2014-05-01] (BlueStack Systems)
R1 econceal; C:\Windows\System32\DRIVERS\econceal.sys [25608 2011-08-01] (MicroWorld Technologies Inc.)
R2 NEWDRIVER; C:\Windows\system32\WinVDEdrv6.sys [188176 2013-06-07] ()
R3 ProcObsrv; c:\Program Files\eScan\ProcObsrv.sys [14848 2011-12-20] (MicroWorld Technologies Inc.)
R3 ProcObsrves; C:\Program Files\eScan\ProcObsrves.sys [32104 2014-06-19] (MicroWorld Technologies Inc.)
R3 trufos; C:\Windows\System32\drivers\trufos.sys [343456 2013-02-28] (BitDefender S.R.L.)
R1 WinFLAdrv; C:\Windows\System32\WinFLAdrv.sys [29184 2013-06-07] ()

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-05 16:01 - 2014-11-05 16:01 - 00015415 _____ () C:\Users\NELSON\Desktop\FRST.txt
2014-11-05 15:59 - 2014-11-05 15:59 - 00000850 _____ () C:\Users\NELSON\Desktop\JRT.txt
2014-11-05 15:54 - 2014-11-05 15:54 - 00000000 ____D () C:\Windows\ERUNT
2014-11-05 15:46 - 2014-11-05 15:46 - 00000000 ____D () C:\Windows\rundll16.exe
2014-11-05 15:46 - 2014-11-05 15:46 - 00000000 ____D () C:\Windows\logo1_.exe
2014-11-05 15:41 - 2014-11-05 15:41 - 01706359 _____ (Thisisu) C:\Users\NELSON\Desktop\JRT.exe
2014-11-05 15:36 - 2014-11-05 15:36 - 00021980 _____ () C:\Windows\WSSPORD.DAT
2014-11-05 01:29 - 2010-08-30 08:34 - 00536576 _____ (SQLite Development Team) C:\Windows\system32\sqlite3.dll
2014-11-05 01:28 - 2014-11-05 01:31 - 00000000 ____D () C:\AdwCleaner
2014-11-05 01:18 - 2014-11-05 01:18 - 01375089 _____ () C:\Users\NELSON\Desktop\AdwCleaner.exe
2014-11-04 14:42 - 2014-11-04 16:20 - 00000000 ____D () C:\Users\NELSON\Desktop\NEW LOG
2014-11-04 14:42 - 2014-11-04 14:42 - 00854448 _____ () C:\Users\NELSON\Desktop\SecurityCheck.exe
2014-11-04 02:09 - 2014-11-04 02:09 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\Yahoo!
2014-11-03 21:01 - 2014-11-03 21:01 - 00001097 _____ () C:\Users\Public\Desktop\Opera.lnk
2014-11-03 21:01 - 2014-11-03 21:01 - 00001097 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
2014-11-03 21:01 - 2014-11-03 21:01 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\Opera Software
2014-11-03 21:01 - 2014-11-03 21:01 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Opera Software
2014-11-03 20:47 - 2014-11-05 15:52 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-03 20:47 - 2014-11-05 14:25 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-03 20:47 - 2014-11-03 20:47 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2014-11-03 15:59 - 2014-11-05 16:01 - 00000000 ____D () C:\FRST
2014-11-03 15:49 - 2014-11-03 15:49 - 00000512 _____ () C:\Users\NELSON\Desktop\MBR.dat
2014-11-03 05:21 - 2014-11-03 05:21 - 01106432 _____ (Farbar) C:\Users\NELSON\Desktop\FRST.exe
2014-11-03 04:39 - 2014-11-03 04:39 - 00000000 ____D () C:\Program Files\QS
2014-11-03 04:38 - 2014-11-03 04:38 - 00000000 ____D () C:\Users\NELSON\temp
2014-10-29 01:56 - 2014-10-29 01:56 - 00000000 ____D () C:\Program Files\Zeallsoft
2014-10-24 23:28 - 2014-10-24 23:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2014-10-24 23:28 - 2014-10-24 23:28 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-10-15 23:24 - 2014-11-03 04:20 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-10-12 20:52 - 2014-10-12 21:14 - 00000000 ____D () C:\Users\NELSON\Documents\fIXED
2014-10-12 20:48 - 2014-10-12 20:50 - 00024576 _____ () C:\Users\NELSON\Desktop\OpTransactionHistory12-10-2014 YASHU.xls
2014-10-12 20:41 - 2014-10-12 20:43 - 00062464 _____ () C:\Users\NELSON\Desktop\OpTransactionHistory12-10-2014.xls
2014-10-11 20:31 - 2014-11-05 15:20 - 00000568 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2238098226-1804821945-1009031106-1001.job
2014-10-11 20:31 - 2014-10-11 20:31 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Citrix
2014-10-07 21:12 - 2014-10-07 21:12 - 00002044 _____ () C:\Users\Public\Desktop\SDFormatter.lnk
2014-10-07 21:12 - 2014-10-07 21:12 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Downloaded Installations
2014-10-07 21:12 - 2014-10-07 21:12 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SDFormatter
2014-10-07 21:12 - 2014-10-07 21:12 - 00000000 ____D () C:\Program Files\SDA
2014-10-07 21:09 - 2014-10-07 21:09 - 00000796 _____ () C:\Windows\KB955704.log

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-05 15:41 - 2012-04-14 18:35 - 00000000 ____D () C:\Program Files\eScan
2014-11-05 15:36 - 2012-04-14 18:36 - 02321899 _____ () C:\Windows\ESCAN.LOG
2014-11-05 15:36 - 2009-07-14 07:34 - 00003726 _____ () C:\Windows\win.ini
2014-11-05 14:30 - 2009-07-14 10:04 - 00023504 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-05 14:30 - 2009-07-14 10:04 - 00023504 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-05 14:28 - 2012-04-14 18:33 - 01238553 _____ () C:\Windows\WindowsUpdate.log
2014-11-05 14:25 - 2012-04-15 19:30 - 01089237 _____ () C:\Windows\general.log
2014-11-05 14:24 - 2012-04-14 18:36 - 00124710 _____ () C:\Windows\frights.log
2014-11-05 14:24 - 2009-07-14 10:23 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-05 14:24 - 2009-07-14 10:09 - 00997272 _____ () C:\Windows\setupact.log
2014-11-05 01:32 - 2012-04-14 19:56 - 00033234 _____ () C:\Windows\PFRO.log
2014-11-03 21:01 - 2012-04-14 18:35 - 00000000 ____D () C:\Program Files\Opera
2014-11-03 20:59 - 2012-04-17 23:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MagicISO
2014-11-03 20:59 - 2012-04-17 23:54 - 00000000 ____D () C:\Program Files\MagicISO
2014-11-03 20:59 - 2012-04-14 18:35 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\Opera
2014-11-03 20:59 - 2012-04-14 18:35 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Opera
2014-11-03 20:58 - 2012-04-16 02:56 - 00000000 ____D () C:\Program Files\Yahoo!
2014-11-03 20:57 - 2014-09-25 04:08 - 00000000 ____D () C:\Program Files\Virtual Router
2014-11-03 20:57 - 2014-09-24 20:34 - 00000000 ____D () C:\Program Files\Winhotspot
2014-11-03 20:56 - 2014-01-13 20:22 - 00000000 ____D () C:\Temp
2014-11-03 20:56 - 2012-04-17 23:59 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-11-03 20:55 - 2012-08-08 20:03 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-11-03 20:47 - 2013-06-18 03:42 - 00000000 ____D () C:\Program Files\Google
2014-11-03 19:42 - 2013-09-03 20:39 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\Solveig Multimedia
2014-11-03 19:42 - 2013-09-03 20:39 - 00000000 ____D () C:\Program Files\Solveig Multimedia
2014-11-03 19:41 - 2012-04-14 18:36 - 00819426 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-03 19:38 - 2012-05-10 21:07 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\GetRight
2014-11-03 19:38 - 2012-05-10 21:07 - 00000000 ____D () C:\ProgramData\GetRight
2014-11-03 19:36 - 2012-06-24 17:34 - 00000000 ____D () C:\Program Files\7-Zip
2014-11-03 07:55 - 2013-03-04 03:29 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\Skype
2014-11-03 04:38 - 2012-04-14 18:31 - 00000000 ____D () C:\Users\NELSON
2014-11-03 04:28 - 2012-04-14 18:37 - 00000000 ____D () C:\FBackup
2014-11-03 04:20 - 2014-08-17 02:18 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-11-03 04:20 - 2012-05-06 02:06 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2014-11-03 04:20 - 2012-04-16 09:56 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\vlc
2014-11-03 04:20 - 2012-04-14 18:51 - 00000000 ____D () C:\Users\NELSON\AppData\Roaming\uTorrent
2014-11-03 04:20 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\system32\wfp
2014-11-03 04:19 - 2014-08-17 02:18 - 00000000 ____D () C:\Program Files\Common Files\Java
2014-11-03 04:19 - 2009-07-14 08:07 - 00000000 ____D () C:\Windows\registration
2014-11-01 21:48 - 2014-09-16 23:27 - 00017408 _____ () C:\Users\NELSON\Documents\Mobile Credits.xls
2014-10-31 21:25 - 2013-09-30 13:36 - 00000202 _____ () C:\Users\NELSON\Desktop\5 stocks.txt
2014-10-30 19:56 - 2014-10-01 19:31 - 00000032 _____ () C:\Users\NELSON\Documents\hathway password.txt
2014-10-29 00:40 - 2013-11-27 01:23 - 00000000 ____D () C:\ProgramData\Oracle
2014-10-28 06:35 - 2012-04-17 15:26 - 00229000 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-24 23:28 - 2013-03-04 03:29 - 00000000 ___RD () C:\Program Files\Skype
2014-10-24 23:28 - 2013-03-04 03:29 - 00000000 ____D () C:\ProgramData\Skype
2014-10-24 20:55 - 2013-06-05 15:04 - 00000700 ___SH () C:\Users\NELSON\AppData\Local\systemFL7.dat
2014-10-24 20:54 - 2013-06-07 10:28 - 00001213 ___SH () C:\Users\NELSON\AppData\Local\win_fldb_sys.dat
2014-10-24 20:54 - 2013-06-07 10:28 - 00000693 ___SH () C:\Windows\system32\win_fldb_sys.dat
2014-10-24 20:54 - 2013-06-07 10:16 - 00003465 ___SH () C:\Windows\system32\win_stlthdb_sys.dat
2014-10-24 20:54 - 2013-06-07 10:16 - 00003465 ___SH () C:\Users\NELSON\AppData\Local\win_stlthdb_sys.dat
2014-10-23 18:36 - 2014-09-13 16:22 - 00000354 _____ () C:\Users\NELSON\Desktop\REDMI HELP.txt
2014-10-23 14:11 - 2014-09-29 21:06 - 00000000 ____D () C:\Users\NELSON\Documents\My Kindle Content
2014-10-18 03:26 - 2012-11-01 04:07 - 00225280 ___SH () C:\Users\NELSON\Thumbs.db
2014-10-16 15:51 - 2014-08-21 19:00 - 00000000 ____D () C:\Users\NELSON\AppData\Local\Adobe
2014-10-16 15:51 - 2012-04-15 19:50 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-10-16 15:51 - 2012-04-15 19:50 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-10-16 02:20 - 2014-08-12 13:53 - 00023552 _____ () C:\Users\NELSON\Documents\DIVIDEND TOTAL PAID TILL DATE.xls
2014-10-15 22:39 - 2014-09-18 18:54 - 00000036 _____ () C:\Users\NELSON\Desktop\Links.txt
2014-10-15 13:14 - 2013-07-29 16:09 - 00000000 ____D () C:\Users\NELSON\Desktop\SOLO TAX
2014-10-10 20:22 - 2012-04-14 19:54 - 00213590 _____ () C:\Windows\UPDLL.LOG
2014-10-10 16:51 - 2009-07-14 10:23 - 00032544 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

Files to move or delete:
====================
C:\ProgramData\win_mpwd_sys.dat

Some content of TEMP:
====================
C:\Users\NELSON\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-11-04 01:03

==================== End Of Log ============================

Please also let me know the status of my PC as I do not know whether things are safe or not. Also advise me whether new install of Windows 7 is required considering my problems.

Editing post for updates:

I am getting this error which I had got before many times:

05 Nov 2014 19:22:51 [1040] - ** Scanning may fail! File Locked [SUSPICIOUS]: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2E6FD990-5486-455E-8449-F0E27557A05D}\mpengine.dll (????)

Also I cannot see recent activity under Gmail now. Earlier it was displayed under the bottom of inbox. Now it is gone. Should I uninstall Firefox completely. Also any help with how to see recent activity again in Gmail.

I am getting the recent activity/account activity again under gmail. But now getting another error:

This account is open in one other location.
(Location may refer to a different session on the same computer.)

The other location has the same IP address as mine and browser used is also same. Is it because the previous session was not cleared by Gmail and it is counting the earlier session as being open in another location?

I have only one browser open right now.

Edited by nelsonite, 05 November 2014 - 09:02 AM.

#8 OCD

SuperHelper

Malware Team
5,574 posts

Posted 05 November 2014 - 09:25 PM

Hi nelsonite,

Please remember I am addressing your malware issues. Other issues may be present and I might be able to offer assistance with those other issues, but my primary focus will be on removing the malware from your system.

The file scan failed still happens for 1394ohci.sys. I have enabled 2 step verification for email accounts. From them on I am getting Last account activity information. Is this normal or standard. I was not getting this information before the 2 step verification.

I cannot answer your question as I don't know what you are referring to by "2 step verification". You can always disable the 2 step verification and see if it resolves the issue. Otherwise, add the file to the "whitelist" and it should scan without issue.

I also got a message saying that you are not invisible on Google Talk because you have signed on from another place where being invisible is not an option. However when I went to recent activity, no breaches were shown. I also get the following message almost every time even though I always sign in and out:
This account does not seem to be open in any other location. However, there may be sessions that have not been signed out.

I am also unfamiliar with Google Talk, so I don't know if this is a normal or not.

Please also let me know if a firewall is required as I am getting more and more paranoid with the changes above. Also any other security tools required.

Your logs indicate you are using a firewall, Windows firewall.

Please also let me know the status of my PC as I do not know whether things are safe or not. Also advise me whether new install of Windows 7 is required considering my problems.

We are making progress, your logs are starting to look better.

I am getting this error which I had got before many times:
05 Nov 2014 19:22:51 [1040] - ** Scanning may fail! File Locked [SUSPICIOUS]: C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2E6FD990-5486-455E-8449-F0E27557A05D}\mpengine.dll (????)

What scan are you getting this message from?

Also I cannot see recent activity under Gmail now. Earlier it was displayed under the bottom of inbox. Now it is gone. Should I uninstall Firefox completely. Also any help with how to see recent activity again in Gmail.

I am getting the recent activity/account activity again under gmail. But now getting another error:

This account is open in one other location.
(Location may refer to a different session on the same computer.)

The other location has the same IP address as mine and browser used is also same. Is it because the previous session was not cleared by Gmail and it is counting the earlier session as being open in another location?

I have only one browser open right now.

This sound like a a setting in Gmail. I don't think uninstalling Firefox will remedy this issue. Maybe just deleting the Google browser cache may help.

Delete cache and other browser data in Chrome

Click the Chrome menu on the browser toolbar.
Select Tools.
Select Clear browsing data.
In the dialogue that appears, select the highlighted check-boxes for the types of information that you want to remove.
- Clear browsing history
- Clear download history
- Empty the cache
- Delete cookies and other site and plug-in data
- Clear saved passwords
- Clear saved Autofill form data
- Clear data from hosted apps
- Deauthorize content licenses
Use the menu at the top to select the amount of data that you want to delete. Select beginning of time to delete everything.
Click Clear browsing data.

=========================

Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware (save it to your desktop).

- Windows XP : Double click on the icon to run it.
- Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
Select Scan tab.
Select type of scan to perform:
- Threat Scan < --- Select this type of scan
- Custom Scan
- Hyper Scan
Next click the Scan button.
When the scan is complete, if no malicious items are found you can close the program.
If malicious items are found be sure that everything is checked, and click Quarantine .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.

=========================

ESET Online Scanner

*Note:

It is recommended to disable on-board antivirus program and anti-spyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your anti-spyware programs.

** You need to run your browser with Administrator Rights, to do so right click your browsers short cut and select "Run as Administrator".

= = = = = = = = = = = = = = = = = = = =

Go here to run ESET Online Scanner

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)

Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock
Click Start
Make sure that the option "Remove found threats" is Checked, and the option "Scan unwanted applications" is Checked.
Click Scan.
Wait for the scan to finish.
When the scan completes, click List of found threats
click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
Include the contents of this report in your next reply

Note - when ESET doesn't find any threats, no report will be created.
Push the back button.
Push Finish
Re-enable your Antivirus software.

=========================

In your next post please provide the following:

MBAM log
ESET's log.txt
How's the computer running, any symptoms?

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.

#9 nelsonite

New Member

Authentic Member
9 posts

Posted 06 November 2014 - 01:49 PM

Hello,

The Malwarebytes' Anti-Malware scan did not show any malware. I could not export the log file as that option was not visible to me.

Please find pasted below the Eset Online scanner log:

C:\Users\All Users\giefhgaekffjalplfdhbcoommiehopeg\se9.js   Win32/Adware.MultiPlug.H application
C:\AdwCleaner\Quarantine\C\Program Files\Conduit\Community Alerts\Alert.dll.vir   Win32/Toolbar.Conduit.Y potentially unwanted application   deleted - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\Conduit\IE\CT3306061\UninstallerUI.exe.vir   Win32/Toolbar.Conduit.AJ potentially unwanted application   deleted - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\savvEitokeep\b.dll.vir   a variant of Win32/AdWare.MultiPlug.N application   cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\NELSON\AppData\Local\AskToolbar\Downloaded Program Files\xaddon.dll.vir   a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application   deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\NELSON\AppData\Local\CRE\lipgolpfajiadodbcbljdpmbmbdmfcil.crx.vir   a variant of Win32/Toolbar.Conduit.AA potentially unwanted application   deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\lipgolpfajiadodbcbljdpmbmbdmfcil\10.31.4.510_0\APISupport\APISupport.dll.vir   a variant of Win32/Conduit.SearchProtect.P potentially unwanted application   deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\lipgolpfajiadodbcbljdpmbmbdmfcil\10.31.4.510_0\nativeMessaging\TBMessagingHost.exe.vir   a variant of Win32/Toolbar.Conduit.AH potentially unwanted application   deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\NELSON\AppData\Local\Google\Chrome\User Data\Default\Extensions\lipgolpfajiadodbcbljdpmbmbdmfcil\10.31.4.510_0\plugins\ChromeApiPlugin.dll.vir   a variant of Win32/Conduit.SearchProtect.N potentially unwanted application   deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\NELSON\AppData\Local\NativeMessaging\CT3306061\1_0_0_2\TBMessagingHost.exe.vir   a variant of Win32/Toolbar.Conduit.AH potentially unwanted application   deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\NELSON\AppData\Local\NativeMessaging\CT3306061\1_0_0_4\TBMessagingHost.exe.vir   a variant of Win32/Toolbar.Conduit.AH potentially unwanted application   deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\NELSON\AppData\Local\TBHostSupport\TBHostSupport.dll.vir   a variant of Win32/Toolbar.Conduit.AA potentially unwanted application   deleted - quarantined
C:\ProgramData\giefhgaekffjalplfdhbcoommiehopeg\se9.js   Win32/Adware.MultiPlug.H application   cleaned by deleting - quarantined
D:\C DRIVE\My Documents\Downloads\RapidTyping_Setup_4.exe   a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application   deleted - quarantined
D:\E DRIVE\movies\WebcamMax v7.1.2.6 MultiLanguage Cracked-REDT\WebcamMax-7.1.2.6.Setup.exe   a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application   deleted - quarantined
D:\E DRIVE\SOTWARE-COLLECTION\cbsidlm-cbsi213-Winhotspot_WiFi_Router-SEO-75806412.exe   a variant of Win32/CNETInstaller.B potentially unwanted application   deleted - quarantined
D:\E DRIVE\SOTWARE-COLLECTION\CuteWriter.exe   a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application   deleted - quarantined
D:\E DRIVE\SOTWARE-COLLECTION\FoxitReader531.0606_enu_Setup.exe   a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application   deleted - quarantined
D:\E DRIVE\SOTWARE-COLLECTION\kmp.exe   a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application   deleted - quarantined
D:\E DRIVE\SOTWARE-COLLECTION\VideoSplitterSetup.exe   Win32/InstallMonetizer.AF potentially unwanted application   deleted - quarantined
D:\E DRIVE\SOTWARE-COLLECTION\Windows Loader.exe   Win32/HackTool.WinActivator.I potentially unsafe application   deleted - quarantined
D:\E DRIVE\SOTWARE-COLLECTION\Windows_Loader_v2.2.1.zip   Win32/HackTool.WinActivator.I potentially unsafe application   deleted - quarantined
D:\E DRIVE\SOTWARE-COLLECTION\winzip155.exe   Win32/OpenCandy potentially unsafe application   deleted - quarantined
D:\E DRIVE\SOTWARE-COLLECTION\backups\backup-20141103-043238-147.dll   a variant of Win32/AdWare.MultiPlug.N application   cleaned by deleting - quarantined
D:\E DRIVE\SOTWARE-COLLECTION\Folder lock\Folder Lock 7.2.1 Activator.bat   BAT/Qhost.NTI trojan   cleaned by deleting - quarantined
D:\E DRIVE\SOTWARE-COLLECTION\Torrent File\Real Hide IP 4.1.6.2 with Crack.rar   a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application   deleted - quarantined

END OF LOG

PC sometimes restarts on its own but it has happened only twice so far with considerable lag between each time of few days.

Besides the above and few files getting locked, I do not see any other problem currently.

#10 OCD

SuperHelper

Malware Team
5,574 posts

Posted 06 November 2014 - 08:26 PM

Hi nelsonite,

Show Hidden Files & Folders in Windows 7

To show hidden files, just click on the Organize button in any folder, and then select Folder and Search Options from the menu.
Click the View tab, and then you should select Show hidden files and folders in the list.
Then click OK.

=========================

Delete a File/Folder

Using Windows Explorer (Windows Key + E), locate the following files/folders, and DELETE them (if still present):

C:\Users\All Users\giefhgaekffjalplfdhbcoommiehopeg <-- delete the folder, if present

Exit Explorer

=========================

Re-hide Files and Folders

=========================

few files getting locked

What files are locked?

PC sometimes restarts on its own but it has happened only twice so far with considerable lag between each time of few days.

Are you performing any particular task when this happens?

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.

Advertisements

Register to Remove

#11 nelsonite

New Member

Authentic Member
9 posts

Posted 07 November 2014 - 09:21 AM

Hello,

I have deleted the specified folder.

The two files that get locked frequently in Escan are:

C:\Windows\system32\drivers\1394ohci.sys

C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2E6FD990-5486-455E-8449-F0E27557A05D}\mpengine.dll

I do not recall doing similar tasks when the PC shut down automatically. It has not happened since the last time I wrote about it.

Please let me know how safe my PC is now. I have avoided any downloads or use of P2P or any other site that could destabilize my PC. I do not trust Windows Firewall that much. I have used Sygate firewall few years back. Should I start using it again?

Again a million thanks from the bottom of my heart for helping me out.

#12 OCD

SuperHelper

Malware Team
5,574 posts

Posted 07 November 2014 - 09:39 AM

Hi nelsonite,

Those files that your AV can't scan are not malicious files. You will need to add them to the "whitelist" or just ignore them knowing they are not bad.

Your computer appears to be safe at this time. But I can't stress enough that you avoid using P2P sites as this is where a large portion of malware is picked up from. The site may be fine, but you have no way of knowing the origin of the file and in contents you are sharing.

When we finish up I will give a list of a few free firewall programs that you can switch to if you are not happy with the Windows firewall.

Please test your computer for a day, and if all seems fine at that point we will do some housekeeping of the tools we used and send you on your way.

nelsonite likes this

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.

#13 nelsonite

New Member

Authentic Member
9 posts

Posted 09 November 2014 - 06:20 AM

Hello,

The latest Escan scan did not show any locked files but this does happen once in a while where no files are locked but after few scans again same problem arises. Since you have advised that these files are not malicious I will ignore them.

PC has not restarted since the last time I wrote about it. Everything else seems to be OK at the moment.

Thanks for all the help again over so many days. I really appreciate you taking time out for me from your busy schedule.

#14 OCD

SuperHelper

Malware Team
5,574 posts

Posted 09 November 2014 - 09:14 AM

Hi nelsonite,

Your log appears to be clean. :thumbup:
We have a few items to take care of before we get to the All Clean Speech.

= = = = = = = = = = = = = = = = = = = =

Remove Disinfection Tools

Download Delfix
Tick the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge system restore
Click Run
Any other tools and files found can simply be deleted or uninstall via the Control Panel.

= = = = = = = = = = = = = = = = = = = =

With the above items taken care of let's move on to the All Clean part of the process.

The following procedures are recommendations for helping to keep your system running smoothly. If you are currently satisfied with how your system is running some or all of these may not pertain to you. Implement what you need.

This infection appears to have been cleaned, but I can not give you any absolute guarantees. As a precaution, I would go ahead and change all of your passwords as this is especially important after an infection.

Any of the logs that you created for use in the forums or remaining tools that have not yet been removed can be deleted so they aren't cluttering up your desktop.

Here are some tips to reduce the potential for spyware infection in the future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate windows and frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Make your Mozilla Firefox more secure - This can be done by adding these add-ons:

Use and update an anti-virus software - I can not overemphasize the need for you to use and update your anti-virus application on a regular basis. With the ever increasing number of new variants of malware arriving on the scene daily, you become very susceptible to an attack without updated protection.

Free Anti-Virus

Free Firewall
Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. A tutorial on firewalls can be found here.

= = = = = = = = = = = = = = = = = = = =

Be prepared for CryptoLocker:

Cryptolocker Ransomware: What You Need To Know
CryptoLocker Ransomware Information Guide and FAQ

to help protect your computer in the future I recommend that you get the following free program:

CryptoPrevent install this program to lock down and prevent crypto-ransomeware

= = = = = = = = = = = = = = = = = = = =

COMPUTER SECURITY - a short guide to staying safer online

= = = = = = = = = = = = = = = = = = = =

WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

Green should be good to go
Yellow for caution
Red to stop

= = = = = = = = = = = = = = = = = = = =

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

= = = = = = = = = = = = = = = = = = = =

Make sure you keep your Windows OS current.

Windows XP:
Microsoft will no longer offer support for Windows XP beginning on April 8, 2014
If you are running Windows XP, please take the time to read the information provided at these links.
- Windows XP - The Elephant In The Room
- Windows XP - The end of the road
Windows Vista/7 users can open the Start menu > All Programs > Windows Update > Check for Updates (in left hand task pane) to update these systems.
Window 8 Open Windows Update by swiping in from the right edge of the screen (or, if you're using a mouse, pointing to the lower-right corner of the screen and moving the mouse pointer up), tapping or clicking Settings, tapping or clicking Change PC settings, and then tapping or clicking Update and recovery.

Without these you are leaving the back door open.

= = = = = = = = = = = = = = = = = = = =

Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002
Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.

= = = = = = = = = = = = = = = = = = = =

Finally, I strongly recommend that you read TonyKlein's good advice So how did I get infected in the first place?

Please reply to this thread once more if you are satisfied so that we can mark the problem as resolved.

nelsonite likes this

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.

#15 nelsonite

New Member

Authentic Member
9 posts

Posted 10 November 2014 - 06:13 AM

Hello,

I have taken your advice and done most of what was recommended.

Online Armor is free for 30 days after which I have to buy. Is it possible to use a free Firewall instead that is freeware for ever. Please let me know which one you would prefer. Escan the Anti-Virus I use has firewall capability. The link for the same is given below:

http://www.escanav.c...an_firewall.asp

Please do let me know if this itself would suffice.

Please also let me know if password manager should be used. I have doubts regarding the integrity of password manager software itself and hence have never used one so far.

The custom hosts files seems very good but too technical for me to pull it off. Maybe I can find local help that would assist me in doing this.

Thank you again for helping me out.

Also tagged with one or more of these keywords: Registry

Software → Microsoft Windows™ →

How I learned to stop worrying and love running rootkit scans

Started by brentorama , 28 Mar 2016

windows 7, registry, fubar and 1 more...

9 replies
3,792 views

brentorama
08 Apr 2016

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Body Background

skin color theme

Error in Registry [Solved]

#1 nelsonite

Advertisements

Register to Remove

#2 OCD

#3 nelsonite

#4 OCD

#5 nelsonite

#6 OCD

#7 nelsonite

#8 OCD

#9 nelsonite

#10 OCD

Advertisements

Register to Remove

#11 nelsonite

#12 OCD

#13 nelsonite

#14 OCD

#15 nelsonite

Related Topics

Also tagged with one or more of these keywords: Registry

How I learned to stop worrying and love running rootkit scans

0 user(s) are reading this topic

About What the Tech

Follow Us

Body Background

skin color theme

Error in Registry [Solved]

#1 nelsonite

Advertisements Register to Remove

#2 OCD

#3 nelsonite

#4 OCD

#5 nelsonite

#6 OCD

#7 nelsonite

#8 OCD

#9 nelsonite

#10 OCD

Advertisements Register to Remove

#11 nelsonite

#12 OCD

#13 nelsonite

#14 OCD

#15 nelsonite

Related Topics

Also tagged with one or more of these keywords: Registry

How I learned to stop worrying and love running rootkit scans

0 user(s) are reading this topic

About What the Tech

Follow Us

Sign In

Advertisements

Register to Remove

Advertisements

Register to Remove