
Author Topic: Help with father's Laptop, virus detected... (Read 19933 times)


Northenlad60 (Topic Starter, Rookie; Experience: Experienced; OS: Windows 7)
Help with father's Laptop, virus detected...
« on: August 01, 2013, 01:06:01 PM »
Hi,

My father is not tech savvy and had allowed my younger brother (who has even less IT know-how) on his laptop. My father has been advised to keep his AV up to date, and I installed Kaspersky for him. He will use the laptop for eBay and buying holidays.
My brother, on the other hand, seems to just be downloading rubbish and, by the looks of it, is the one who has managed to get the laptop infected.
It had various toolbars installed, along with a backup and virus checker that prompted for payment to allow fixing to occur. Obviously my dad knows he has an AV package installed and has advised me of this. I removed the various toolbars and tried to remove the unwanted software, but am unsure if this has worked correctly.

I have followed the steps given and have various log files for you to investigate, and will post these for you in the next couple of postings.

Kind Regards

Richard

Northenlad60
Re: Help with father's Laptop, virus detected...
« Reply #1 on: August 01, 2013, 01:06:56 PM »
# AdwCleaner v2.306 - Logfile created 07/30/2013 at 19:18:50
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : ray - ACERASPIRE5733
# Boot Mode : Normal
# Running from : C:\Users\ray\Desktop\Richards AV Cleaning\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Users\Public\Desktop\eBay.lnk
Folder Found : C:\Program Files (x86)\Advanced System Protector
Folder Found : C:\Program Files (x86)\Conduit
Folder Found : C:\Program Files (x86)\SearchProtect
Folder Found : C:\ProgramData\Ask
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced System Protector
Folder Found : C:\Users\ian35\AppData\LocalLow\Conduit
Folder Found : C:\Users\ian35\AppData\LocalLow\PriceGong
Folder Found : C:\Users\ian35\AppData\Roaming\SearchProtect
Folder Found : C:\Users\ray\AppData\Local\Conduit
Folder Found : C:\Users\ray\AppData\LocalLow\Conduit
Folder Found : C:\Users\ray\AppData\LocalLow\PriceGong
Folder Found : C:\Users\ray\AppData\Roaming\Advanced System Protector

***** [Registry] *****

Key Found : HKCU\Software\AppDataLow\Software\Conduit
Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Found : HKCU\Software\AppDataLow\Software\PriceGong
Key Found : HKCU\Software\AppDataLow\Software\SmartBar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKCU\Software\SearchProtect
Key Found : HKCU\Software\systweak
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3201318
Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3282134
Key Found : HKLM\Software\Conduit
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\Software\systweak
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16635

[OK] Registry is clean.

-\\ Google Chrome v28.0.1500.72

File : C:\Users\ray\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.28] : icon_url = "hxxp://www.ask.com/favicon.ico",
Found [l.31] : keyword = "ask.com",
Found [l.35] : search_url = "hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=ORJ&o=100000027&locale=en_UK&apn_uid=0B5D6613-91B3-4C23-B49E-8E78022EFA5E&apn_ptnrs=U4&apn_sauid=EB24B20E-B771-43DE-B66A-BC8DCF7C32C3&apn_dtid=OSJ000YYUK&q={searchTerms}",
Found [l.36] : suggest_url = "hxxp://ss.websearch.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTerms}"

File : C:\Users\ian35\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3544 octets] - [30/07/2013 19:18:50]

########## EOF - C:\AdwCleaner[R1].txt - [3604 octets] ##########

Northenlad60
Re: Help with father's Laptop, virus detected...
« Reply #2 on: August 01, 2013, 01:07:56 PM »
# AdwCleaner v2.306 - Logfile created 07/30/2013 at 19:19:40
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : ray - ACERASPIRE5733
# Boot Mode : Normal
# Running from : C:\Users\ray\Desktop\Richards AV Cleaning\adwcleaner.exe
# Option [Delete]


***** [Services] *****


Northenlad60
Re: Help with father's Laptop, virus detected...
« Reply #3 on: August 01, 2013, 01:08:28 PM »
# AdwCleaner v2.306 - Logfile created 07/30/2013 at 19:20:17
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : ray - ACERASPIRE5733
# Boot Mode : Normal
# Running from : C:\Users\ray\Desktop\Richards AV Cleaning\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

File Deleted : C:\Users\Public\Desktop\eBay.lnk
Folder Deleted : C:\Program Files (x86)\Advanced System Protector
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\SearchProtect
Folder Deleted : C:\ProgramData\Ask
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced System Protector
Folder Deleted : C:\Users\ian35\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\ian35\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\ian35\AppData\Roaming\SearchProtect
Folder Deleted : C:\Users\ray\AppData\Local\Conduit
Folder Deleted : C:\Users\ray\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\ray\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\ray\AppData\Roaming\Advanced System Protector

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\systweak
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3201318
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3282134
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\Software\systweak
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16635

[OK] Registry is clean.

-\\ Google Chrome v28.0.1500.72

File : C:\Users\ray\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.28] : icon_url = "hxxp://www.ask.com/favicon.ico",
Deleted [l.31] : keyword = "ask.com",
Deleted [l.35] : search_url = "hxxp://websearch.ask.com/redirect?client=cr&src=kw&tb=ORJ&o=100000027&locale=[...]
Deleted [l.36] : suggest_url = "hxxp://ss.websearch.ask.com/query?qsrc=2922&li=ff&sstype=prefix&q={searchTer[...]

File : C:\Users\ian35\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3667 octets] - [30/07/2013 19:18:50]
AdwCleaner[S1].txt - [341 octets] - [30/07/2013 19:19:40]
AdwCleaner[S2].txt - [3597 octets] - [30/07/2013 19:20:17]

########## EOF - C:\AdwCleaner[S2].txt - [3657 octets] ##########

Northenlad60
Re: Help with father's Laptop, virus detected...
« Reply #4 on: August 01, 2013, 01:09:24 PM »
 Results of screen317's Security Check version 0.99.71 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````[/u]
 Windows Firewall Disabled! 
Kaspersky Internet Security   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````[/u]
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Java 7 Update 25 
 Adobe Reader 9 Adobe Reader out of Date!
 Google Chrome 27.0.1453.116 
 Google Chrome 28.0.1500.72 
````````Process Check: objlist.exe by Laurent````````[/u] 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe   
 Symantec Norton Online Backup NOBuAgent.exe 
 Kaspersky Lab Kaspersky Internet Security 2013 avp.exe 
`````````````````System Health check`````````````````[/u]
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````[/u]

Northenlad60
Re: Help with father's Laptop, virus detected...
« Reply #5 on: August 01, 2013, 01:10:10 PM »
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.30.08

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
ray :: ACERASPIRE5733 [administrator]

Protection: Enabled

30/07/2013 19:30:16
mbam-log-2013-07-30 (19-30-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 239021
Time elapsed: 3 minute(s), 50 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\ian35\AppData\Local\Temp\SecondStepInstaller.exe (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Users\ian35\AppData\Local\Temp\AU\AutoUpdate.zip (PUP.Optional.Conduit) -> Quarantined and deleted successfully.
C:\Users\ian35\AppData\Local\Temp\AU\SPUpdater.exe (PUP.Optional.Conduit) -> Quarantined and deleted successfully.

(end)

Northenlad60
Re: Help with father's Laptop, virus detected...
« Reply #6 on: August 01, 2013, 01:11:00 PM »
Please advise if any further information is required.

Thanks in advance.

Richard

SuperDave (Malware Removal Specialist, Genius; Thanked: 1020; Experience: Expert; OS: Windows 10)
Re: Help with father's Laptop, virus detected...
« Reply #7 on: August 01, 2013, 01:16:18 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

• Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

• Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.

• The tool will open and start scanning your system.

• Please be patient as this can take a while to complete depending on your system's specifications.

• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

• Copy and paste the JRT.txt log into your next message.
******************************************
Download ComboFix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to your download folder, you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application from interfering with ComboFix, we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
  • Close any open windows and double click ComboFix.exe to run it.

    You will see the following image:


Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.

Northenlad60
Re: Help with father's Laptop, virus detected...
« Reply #8 on: August 02, 2013, 12:07:58 AM »
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.2.9 (07.30.2013:1)
OS: Windows 7 Home Premium x64
Ran by ray on 01/08/2013 at 22:36:11.24
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{82FA67AB-31E2-4DCA-9F68-EB768C208CA2}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D40CBCB7-BD7B-40A8-921B-3A59B454E9C1}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\systweak"
Successfully deleted: [Folder] "C:\Users\ray\AppData\Roaming\systweak"
Successfully deleted: [Folder] "C:\Program Files (x86)\mypc backup"
Successfully deleted: [Empty Folder] C:\Users\ray\appdata\local\{1CB990E4-929A-426D-B6F3-CBD142A92F8A}
Successfully deleted: [Empty Folder] C:\Users\ray\appdata\local\{CB125A7C-8C78-4C2F-AF87-FAD3006125D1}
Successfully deleted: [Empty Folder] C:\Users\ray\appdata\local\{D27EB27E-D511-430F-8951-A2927B882B80}
Successfully deleted: [Empty Folder] C:\Users\ray\appdata\local\{D9A72E6D-F7BD-4AFC-A098-339C60E4B2C9}



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 01/08/2013 at 22:43:32.53
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Northenlad60
Re: Help with father's Laptop, virus detected...
« Reply #9 on: August 02, 2013, 12:22:38 AM »
ComboFix 13-08-01.01 - ray 02/08/2013   7:12.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.44.1033.18.3767.2348 [GMT 1:00]
Running from: c:\users\ray\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {C3113FBF-4BCB-4461-D78D-6EDFEC9593E5}
FW: Kaspersky Internet Security *Disabled* {FB2ABE9A-01A4-4539-FCD2-C7EA1246D49E}
SP: Kaspersky Internet Security *Disabled/Updated* {7870DE5B-6DF1-4BEF-ED3D-55AD9712D958}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\FullRemove.exe
c:\windows\SysWow64\avdevice-52.dll
c:\windows\SysWow64\avutil-50.dll
c:\windows\SysWow64\swscale-0.dll
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2013-07-02 to 2013-08-02  )))))))))))))))))))))))))))))))
.
.
2013-08-02 06:18 . 2013-08-02 06:18   --------   d-----w-   c:\users\ian35\AppData\Local\temp
2013-08-02 06:18 . 2013-08-02 06:18   --------   d-----w-   c:\users\Default\AppData\Local\temp
2013-08-01 21:36 . 2013-08-01 21:36   --------   d-----w-   c:\windows\ERUNT
2013-07-30 19:10 . 2013-07-30 19:10   76232   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{050AA650-91DC-4E9A-9B4F-75C85DD9B878}\offreg.dll
2013-07-30 18:29 . 2013-07-30 18:29   --------   d-----w-   c:\users\ray\AppData\Roaming\Malwarebytes
2013-07-30 18:28 . 2013-07-30 18:28   --------   d-----w-   c:\programdata\Malwarebytes
2013-07-30 18:28 . 2013-07-30 18:28   --------   d-----w-   c:\program files (x86)\Malwarebytes' Anti-Malware
2013-07-30 18:28 . 2013-04-04 13:50   25928   ----a-w-   c:\windows\system32\drivers\mbam.sys
2013-07-30 09:03 . 2013-07-02 08:34   9460976   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{050AA650-91DC-4E9A-9B4F-75C85DD9B878}\mpengine.dll
2013-07-30 08:39 . 2013-07-30 08:39   --------   d-----w-   c:\program files\Microsoft Silverlight
2013-07-30 08:39 . 2013-07-30 08:39   --------   d-----w-   c:\program files (x86)\Microsoft Silverlight
2013-07-29 12:35 . 2012-07-25 11:03   16896   ----a-w-   c:\windows\system32\sasnative64.exe
2013-07-29 12:34 . 2013-05-07 15:51   20312   ----a-w-   c:\windows\system32\roboot64.exe
2013-07-29 12:31 . 2013-07-29 12:31   --------   d-----w-   c:\users\ray\AppData\Local\Programs
2013-07-12 14:34 . 2013-05-27 05:50   1011712   ----a-w-   c:\program files\Windows Defender\MpSvc.dll
2013-07-12 14:33 . 2013-04-09 23:34   1247744   ----a-w-   c:\windows\SysWow64\DWrite.dll
2013-07-12 14:33 . 2013-04-02 22:51   1643520   ----a-w-   c:\windows\system32\DWrite.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-07-29 12:07 . 2012-04-10 09:03   692104   ----a-w-   c:\windows\SysWow64\FlashPlayerApp.exe
2013-07-29 12:07 . 2011-12-20 08:21   71048   ----a-w-   c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2013-07-15 09:55 . 2011-12-08 12:40   78185248   ----a-w-   c:\windows\system32\MRT.exe
2013-06-19 07:52 . 2012-06-08 11:38   54368   ----a-w-   c:\windows\system32\drivers\kltdi.sys
2013-06-12 20:48 . 2012-07-06 09:21   867240   ----a-w-   c:\windows\SysWow64\npdeployJava1.dll
2013-06-12 20:48 . 2012-04-10 09:08   789416   ----a-w-   c:\windows\SysWow64\deployJava1.dll
2013-06-12 20:47 . 2013-06-19 07:55   96168   ----a-w-   c:\windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-02 20:34 . 2013-06-02 20:34   73728   ----a-w-   c:\windows\SysWow64\SetIEInstalledDate.exe
2013-06-02 20:34 . 2013-06-02 20:34   719360   ----a-w-   c:\windows\SysWow64\mshtmlmedia.dll
2013-06-02 20:34 . 2013-06-02 20:34   523264   ----a-w-   c:\windows\SysWow64\vbscript.dll
2013-06-02 20:34 . 2013-06-02 20:34   48640   ----a-w-   c:\windows\SysWow64\mshtmler.dll
2013-06-02 20:34 . 2013-06-02 20:34   38400   ----a-w-   c:\windows\SysWow64\imgutil.dll
2013-06-02 20:34 . 2013-06-02 20:34   226304   ----a-w-   c:\windows\system32\elshyph.dll
2013-06-02 20:34 . 2013-06-02 20:34   185344   ----a-w-   c:\windows\SysWow64\elshyph.dll
2013-06-02 20:34 . 2013-06-02 20:34   158720   ----a-w-   c:\windows\SysWow64\msls31.dll
2013-06-02 20:34 . 2013-06-02 20:34   150528   ----a-w-   c:\windows\SysWow64\iexpress.exe
2013-06-02 20:34 . 2013-06-02 20:34   138752   ----a-w-   c:\windows\SysWow64\wextract.exe
2013-06-02 20:34 . 2013-06-02 20:34   137216   ----a-w-   c:\windows\SysWow64\ieUnatt.exe
2013-06-02 20:34 . 2013-06-02 20:34   12800   ----a-w-   c:\windows\SysWow64\mshta.exe
2013-06-02 20:34 . 2013-06-02 20:34   110592   ----a-w-   c:\windows\SysWow64\IEAdvpack.dll
2013-06-02 20:34 . 2013-06-02 20:34   1054720   ----a-w-   c:\windows\system32\MsSpellCheckingFacility.exe
2013-06-02 20:34 . 2013-06-02 20:34   97280   ----a-w-   c:\windows\system32\mshtmled.dll
2013-06-02 20:34 . 2013-06-02 20:34   92160   ----a-w-   c:\windows\system32\SetIEInstalledDate.exe
2013-06-02 20:34 . 2013-06-02 20:34   905728   ----a-w-   c:\windows\system32\mshtmlmedia.dll
2013-06-02 20:34 . 2013-06-02 20:34   81408   ----a-w-   c:\windows\system32\icardie.dll
2013-06-02 20:34 . 2013-06-02 20:34   77312   ----a-w-   c:\windows\system32\tdc.ocx
2013-06-02 20:34 . 2013-06-02 20:34   762368   ----a-w-   c:\windows\system32\ieapfltr.dll
2013-06-02 20:34 . 2013-06-02 20:34   62976   ----a-w-   c:\windows\system32\pngfilt.dll
2013-06-02 20:34 . 2013-06-02 20:34   61952   ----a-w-   c:\windows\SysWow64\tdc.ocx
2013-06-02 20:34 . 2013-06-02 20:34   599552   ----a-w-   c:\windows\system32\vbscript.dll
2013-06-02 20:34 . 2013-06-02 20:34   52224   ----a-w-   c:\windows\system32\msfeedsbs.dll
2013-06-02 20:34 . 2013-06-02 20:34   51200   ----a-w-   c:\windows\system32\imgutil.dll
2013-06-02 20:34 . 2013-06-02 20:34   48640   ----a-w-   c:\windows\system32\mshtmler.dll
2013-06-02 20:34 . 2013-06-02 20:34   452096   ----a-w-   c:\windows\system32\dxtmsft.dll
2013-06-02 20:34 . 2013-06-02 20:34   441856   ----a-w-   c:\windows\system32\html.iec
2013-06-02 20:34 . 2013-06-02 20:34   361984   ----a-w-   c:\windows\SysWow64\html.iec
2013-06-02 20:34 . 2013-06-02 20:34   281600   ----a-w-   c:\windows\system32\dxtrans.dll
2013-06-02 20:34 . 2013-06-02 20:34   27648   ----a-w-   c:\windows\system32\licmgr10.dll
2013-06-02 20:34 . 2013-06-02 20:34   270848   ----a-w-   c:\windows\system32\iedkcs32.dll
2013-06-02 20:34 . 2013-06-02 20:34   247296   ----a-w-   c:\windows\system32\webcheck.dll
2013-06-02 20:34 . 2013-06-02 20:34   235008   ----a-w-   c:\windows\system32\url.dll
2013-06-02 20:34 . 2013-06-02 20:34   23040   ----a-w-   c:\windows\SysWow64\licmgr10.dll
2013-06-02 20:34 . 2013-06-02 20:34   216064   ----a-w-   c:\windows\system32\msls31.dll
2013-06-02 20:34 . 2013-06-02 20:34   197120   ----a-w-   c:\windows\system32\msrating.dll
2013-06-02 20:34 . 2013-06-02 20:34   173568   ----a-w-   c:\windows\system32\ieUnatt.exe
2013-06-02 20:34 . 2013-06-02 20:34   167424   ----a-w-   c:\windows\system32\iexpress.exe
2013-06-02 20:34 . 2013-06-02 20:34   1509376   ----a-w-   c:\windows\system32\inetcpl.cpl
2013-06-02 20:34 . 2013-06-02 20:34   149504   ----a-w-   c:\windows\system32\occache.dll
2013-06-02 20:34 . 2013-06-02 20:34   144896   ----a-w-   c:\windows\system32\wextract.exe
2013-06-02 20:34 . 2013-06-02 20:34   1441280   ----a-w-   c:\windows\SysWow64\inetcpl.cpl
2013-06-02 20:34 . 2013-06-02 20:34   1400416   ----a-w-   c:\windows\system32\ieapfltr.dat
2013-06-02 20:34 . 2013-06-02 20:34   13824   ----a-w-   c:\windows\system32\mshta.exe
2013-06-02 20:34 . 2013-06-02 20:34   136192   ----a-w-   c:\windows\system32\iepeers.dll
2013-06-02 20:34 . 2013-06-02 20:34   135680   ----a-w-   c:\windows\system32\IEAdvpack.dll
2013-06-02 20:34 . 2013-06-02 20:34   12800   ----a-w-   c:\windows\system32\msfeedssync.exe
2013-06-02 20:34 . 2013-06-02 20:34   102912   ----a-w-   c:\windows\system32\inseng.dll
2013-06-02 20:32 . 2013-06-02 20:32   9728   ---ha-w-   c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   9728   ---ha-w-   c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   648192   ----a-w-   c:\windows\system32\d3d10level9.dll
2013-06-02 20:32 . 2013-06-02 20:32   604160   ----a-w-   c:\windows\SysWow64\d3d10level9.dll
2013-06-02 20:32 . 2013-06-02 20:32   5632   ---ha-w-   c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   5632   ---ha-w-   c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   5632   ---ha-w-   c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   5632   ---ha-w-   c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   522752   ----a-w-   c:\windows\system32\XpsGdiConverter.dll
2013-06-02 20:32 . 2013-06-02 20:32   465920   ----a-w-   c:\windows\system32\WMPhoto.dll
2013-06-02 20:32 . 2013-06-02 20:32   417792   ----a-w-   c:\windows\SysWow64\WMPhoto.dll
2013-06-02 20:32 . 2013-06-02 20:32   4096   ---ha-w-   c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   4096   ---ha-w-   c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   3928064   ----a-w-   c:\windows\system32\d2d1.dll
2013-06-02 20:32 . 2013-06-02 20:32   364544   ----a-w-   c:\windows\SysWow64\XpsGdiConverter.dll
2013-06-02 20:32 . 2013-06-02 20:32   363008   ----a-w-   c:\windows\system32\dxgi.dll
2013-06-02 20:32 . 2013-06-02 20:32   3584   ---ha-w-   c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   3584   ---ha-w-   c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   3419136   ----a-w-   c:\windows\SysWow64\d2d1.dll
2013-06-02 20:32 . 2013-06-02 20:32   333312   ----a-w-   c:\windows\system32\d3d10_1core.dll
2013-06-02 20:32 . 2013-06-02 20:32   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   3072   ---ha-w-   c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   3072   ---ha-w-   c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   3072   ---ha-w-   c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   296960   ----a-w-   c:\windows\system32\d3d10core.dll
2013-06-02 20:32 . 2013-06-02 20:32   293376   ----a-w-   c:\windows\SysWow64\dxgi.dll
2013-06-02 20:32 . 2013-06-02 20:32   2776576   ----a-w-   c:\windows\system32\msmpeg2vdec.dll
2013-06-02 20:32 . 2013-06-02 20:32   2565120   ----a-w-   c:\windows\system32\d3d10warp.dll
2013-06-02 20:32 . 2013-06-02 20:32   2560   ---ha-w-   c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   2560   ---ha-w-   c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2013-06-02 20:32 . 2013-06-02 20:32   249856   ----a-w-   c:\windows\SysWow64\d3d10_1core.dll
2013-06-02 20:32 . 2013-06-02 20:32   245248   ----a-w-   c:\windows\system32\WindowsCodecsExt.dll
2013-06-02 20:32 . 2013-06-02 20:32   2284544   ----a-w-   c:\windows\SysWow64\msmpeg2vdec.dll
2013-06-02 20:32 . 2013-06-02 20:32   221184   ----a-w-   c:\windows\system32\UIAnimation.dll
2013-06-02 20:32 . 2013-06-02 20:32   220160   ----a-w-   c:\windows\SysWow64\d3d10core.dll
2013-06-02 20:32 . 2013-06-02 20:32   207872   ----a-w-   c:\windows\SysWow64\WindowsCodecsExt.dll
2013-06-02 20:32 . 2013-06-02 20:32   1988096   ----a-w-   c:\windows\SysWow64\d3d10warp.dll
2013-06-02 20:32 . 2013-06-02 20:32   194560   ----a-w-   c:\windows\system32\d3d10_1.dll
2013-06-02 20:32 . 2013-06-02 20:32   187392   ----a-w-   c:\windows\SysWow64\UIAnimation.dll
2013-06-02 20:32 . 2013-06-02 20:32   1682432   ----a-w-   c:\windows\system32\XpsPrint.dll
2013-06-02 20:32 . 2013-06-02 20:32   161792   ----a-w-   c:\windows\SysWow64\d3d10_1.dll
2013-06-02 20:32 . 2013-06-02 20:32   1238528   ----a-w-   c:\windows\system32\d3d10.dll
2013-06-02 20:32 . 2013-06-02 20:32   1175552   ----a-w-   c:\windows\system32\FntCache.dll
2013-06-02 20:32 . 2013-06-02 20:32   1158144   ----a-w-   c:\windows\SysWow64\XpsPrint.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2013-06-03 19603048]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-09-14 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2010-04-13 284696]
"SuiteTray"="c:\program files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2010-09-28 340336]
"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2010-09-17 407920]
"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2010-09-17 201584]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"BackupManagerTray"="c:\program files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" [2011-02-15 297280]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2011-03-31 1092688]
"ArcadeMovieService"="c:\program files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe" [2011-02-18 177448]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-12-12 152544]
"AVP"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe" [2013-01-04 356376]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 73216]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office\OSA9.EXE -b -l [2000-1-21 65588]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe;c:\program files (x86)\Google\Update\GoogleUpdate.exe

R2 Skype C2C Service;Skype C2C Service;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe;c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe

R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe

R3 EgisTec Ticket Service;EgisTec Ticket Service;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe

R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe;c:\program files (x86)\Google\Update\GoogleUpdate.exe

R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\System32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys

R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys

R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe

R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe

S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys;c:\windows\SYSNATIVE\DRIVERS\klim6.sys

S1 kltdi;kltdi;c:\windows\system32\DRIVERS\kltdi.sys;c:\windows\SYSNATIVE\DRIVERS\kltdi.sys

S1 kneps;kneps;c:\windows\system32\DRIVERS\kneps.sys;c:\windows\SYSNATIVE\DRIVERS\kneps.sys

S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDFilter.sys

S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDNServ.sys

S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDVDisk.sys

S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe;c:\program files (x86)\Launch Manager\dsiwmis.exe

S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe

S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe;c:\program files (x86)\Acer\Registration\GREGsvc.exe

S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe

S2 Live Updater Service;Live Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe;c:\program files\Acer\Acer Updater\UpdaterService.exe

S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe

S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE

S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe;c:\program files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe

S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe

S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\DRIVERS\ETD.sys;c:\windows\SYSNATIVE\DRIVERS\ETD.sys

S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys;c:\windows\SYSNATIVE\drivers\HECIx64.sys

S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys

S3 k57nd60a;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys;c:\windows\SYSNATIVE\DRIVERS\k57nd60a.sys

S3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\DRIVERS\klkbdflt.sys;c:\windows\SYSNATIVE\DRIVERS\klkbdflt.sys

S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys;c:\windows\SYSNATIVE\DRIVERS\klmouflt.sys

S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys

.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-07-15 10:09   1173456   ----a-w-   c:\program files (x86)\Google\Chrome\Application\28.0.1500.72\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-10 12:07]
.
2013-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-14 18:43]
.
2013-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-09-14 18:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-02-18 11779176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-23 161304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-23 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-23 415256]
"Power Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2011-02-22 1796200]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 10.0.0.1
DPF: {32E7B36C-7960-4A42-B83B-D8AFD0AAEF2B} - hxxp://dizun95pzobbc.cloudfront.net/INDBrowser.CAB
DPF: {99E63F21-514B-4C2B-9170-D25D54F65D5B} - hxxp://dizun95pzobbc.cloudfront.net/VBIXDPlayer.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKU-Default-Run-SearchProtect - \SearchProtect\bin\cltmng.exe
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
HKLM-Run-ETDCtrl - c:\program files (x86)\Elantech\ETDCtrl.exe
AddRemove-00212D92-C5D8-4ff4-AE50-B20F0F85C40A_Systweak_Ad~B9F029BF_is1 - c:\program files (x86)\Advanced System Protector\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_8_800_94.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-08-02  07:20:20
ComboFix-quarantined-files.txt  2013-08-02 06:20
.
Pre-Run: 429,470,429,184 bytes free
Post-Run: 429,236,097,024 bytes free
.
- - End Of File - - F35904D629EE5A5182C76187BEE476E9
D41D8CD98F00B204E9800998ECF8427E
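The Run-key, service and DPF lines in the ComboFix log above follow a fixed layout, so they can be triaged mechanically before a human reads the whole dump. The script below is an added example for this thread (not ComboFix's or the forum's own code): it parses lines in those three formats and flags the ones a reviewer would look at first. The sample lines are copied from the log above, except the hypothetical "Updater" entry, which is constructed.

```python
"""Triage of ComboFix autorun lines (Run values, services, DPF entries).
Added example for this thread; it is not ComboFix's own code."""
import re

# Roots a stock Windows 7 keeps legitimate autoruns under. Entries launched
# from elsewhere (user profile, ProgramData, a bare name found via PATH) are
# flagged for review, not automatic removal: IsMyWinLockerReboot below is a
# legitimate vendor entry that still trips the "bare name" rule.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')
SVC_RE = re.compile(r'^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>[^;]+);')
DPF_RE = re.compile(r'^DPF:\s+(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<url>\S+)')
# First token ending in an executable extension; drops arguments like " SERVICE".
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|sys|dll|ocx|com))(?:\s|$)', re.IGNORECASE)

# Constructed sample: lines copied from the log above plus one hypothetical
# "Updater" value that launches from the user's roaming profile.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Skype"="c:\\program files (x86)\\Skype\\Phone\\Skype.exe" [2013-06-03 19603048]
"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 73216]
"Updater"="c:\\users\\ray\\appdata\\roaming\\updater\\upd.exe" [2013-07-30 51200]
S2 NOBU;Norton Online Backup;c:\\program files (x86)\\Symantec\\Norton Online Backup\\NOBuAgent.exe SERVICE;c:\\program files (x86)\\Symantec\\Norton Online Backup\\NOBuAgent.exe SERVICE
DPF: {32E7B36C-7960-4A42-B83B-D8AFD0AAEF2B} - hxxp://dizun95pzobbc.cloudfront.net/INDBrowser.CAB
"""

def image_path(command):
    """Lower-cased executable path with any trailing arguments removed."""
    m = EXE_RE.match(command.strip())
    return (m.group("path") if m else command.strip()).lower()

def is_trusted_path(path):
    """True when the executable sits under one of TRUSTED_ROOTS."""
    return image_path(path).startswith(TRUSTED_ROOTS)

def classify(command):
    """Reason to review this autorun, or None when it looks ordinary."""
    p = image_path(command)
    if "\\" not in p:
        return "bare executable name, resolved through PATH at start-up"
    if not is_trusted_path(p):
        return "launches from outside Windows / Program Files"
    return None

def triage(log_text):
    """Return (kind, name, path_or_url, reason) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            if reason := classify(m["cmd"]):
                findings.append(("run", m["name"], image_path(m["cmd"]), reason))
        elif m := SVC_RE.match(line):
            if reason := classify(m["image"]):
                findings.append(("service", m["name"], image_path(m["image"]), reason))
        elif m := DPF_RE.match(line):
            # Any ActiveX package pulled from an external host deserves a look.
            findings.append(("dpf", m["clsid"], m["url"], "ActiveX CAB downloaded from an external host"))
    return findings

if __name__ == "__main__":
    for kind, name, target, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {name}: {target} ({reason})")
```

Feeding the full log in place of SAMPLE_LOG lists every Run value, service and DPF entry outside the trusted roots; the orphan SearchProtect entry and the two cloudfront CAB downloads above are exactly the kind of line it surfaces.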

SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Help with fathers Laptop, virus detected...
« Reply #10 on: August 02, 2013, 01:32:24 PM »
  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • A report (RKreport.txt) should open. Post its content in your next reply. (RKreport could also be found on your desktop)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again
Windows 8 and Windows 10 dual boot with two SSD's

Northenlad60

    Topic Starter


    Rookie

    • Yes
  • Experience: Experienced
  • OS: Windows 7
Re: Help with fathers Laptop, virus detected...
« Reply #11 on: August 03, 2013, 06:26:18 AM »
RogueKiller V8.6.4 [Jul 29 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : ray [Admin rights]
Mode : Remove -- Date : 08/03/2013 13:25:31
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : DisableRegistryTools (0) -> [0x2] The system cannot find the file specified.
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD5000BPVT-22HXZT1 +++++
--- User ---
[MBR] 97e2f7753a5cdbe05854588d8b5cb5a2
[BSP] bb8d704b130b1e20b06fd03d1cbb27ef : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 16384 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 33556480 | Size: 100 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 33761280 | Size: 460454 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_D_08032013_132531.txt >>
RKreport[0]_S_08032013_132414.txt




SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Help with fathers Laptop, virus detected...
« Reply #12 on: August 03, 2013, 12:41:53 PM »
I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
  • Leave the check mark next to Remove found threats.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
Windows 8 and Windows 10 dual boot with two SSD's

Northenlad60

    Topic Starter


    Rookie

    • Yes
  • Experience: Experienced
  • OS: Windows 7
Re: Help with fathers Laptop, virus detected...
« Reply #13 on: August 04, 2013, 11:32:49 AM »
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=99e29f34a57e2a46ae903244c596138b
# engine=14641
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-08-04 05:14:33
# local_time=2013-08-04 06:14:33 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=1286 16777213 100 99 33431 30399195 0 0
# compatibility_mode=5893 16776573 100 94 104923 128101523 0 0
# scanned=160233
# found=0
# cleaned=0
# scan_time=32016

SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Help with fathers Laptop, virus detected...
« Reply #14 on: August 04, 2013, 04:37:11 PM »
That looks good. How's your computer running now? Any other issues before we clean up?
Windows 8 and Windows 10 dual boot with two SSD's