Spyware called Tencent QQ

This is a discussion on Spyware called Tencent QQ within the Resolved HJT Threads forums, part of the Tech Support Forum category.


 
 
Old 06-22-2015, 08:53 AM   #1
Registered Member
 
 
Join Date: Feb 2015
Location: Paarl, Western Cape, South Africa
Posts: 42
OS: Windows 7



Please help. It seems as if I have a virus called Tencent QQ. It is all Chinese stuff that pops up on my computer and I have no clue how to get rid of it. There is nothing in Programs to uninstall, but the file is sitting under my C:\Program Files (x86) as Tencent and then QQ whatever. Please help!!!
I cannot delete this file as it keeps on saying I have no rights, but I am the owner, administrator, everything.

Help!!!
 
Old 06-22-2015, 12:39 PM   #2
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please do not create multiple threads for the same problem. I deleted the other thread you created earlier.

------------------------------------------------------

Check for additional security risks:
  • Please download CKScanner© by askey127 and save it to your desktop.
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, just click OK.
  • Post the contents of ckfiles.txt in your next reply. It is located on your desktop.
------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Do NOT click the green 'Download' button(if visible).
  • Click the blue 'Download now @bleepingcomputer' button.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Cleaning
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[S#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.
  • Double-click FRST64 to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
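The AdwCleaner log that the post above asks for has a simple line-oriented format: a `#`-prefixed preamble, `***** [ Section ] *****` headings, then `Kind Found : target` lines decorated with `[x64]`, `[#]` and `[value] - data` where relevant. What follows is an added example, not part of this thread and not AdwCleaner's own tooling: a Python parser that turns such a log into structured findings, counts them per section, and flags the entries a responder reads first. The triage rules (an executable under System32, a hex-only service name, SafeBoot entries, BHO registrations, proxy changes, redirected start or search pages) are this editor's own assumptions about what deserves a second look, not AdwCleaner's classifications. The sample log is constructed to match the posted log's format, with its entries copied from the log posted later in this thread.

```python
"""Parse an AdwCleaner v4 text log into structured findings and pick out the entries worth a
second look.  Added example for this thread, not part of AdwCleaner; triage rules are assumptions."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(r"^# (?P<key>[^:]+?) : (?P<value>.+)$")      # "# Option : Scan"
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")        # "***** [ Services ] *****"
BROWSER_RE = re.compile(r"^-\\\\ (?P<name>.+)$")                    # "-\\ Internet Explorer v11..."
ENTRY_RE = re.compile(                                                # "[#] Key Found : [x64] HKLM\..."
    r"^(?:\[(?P<flag>[#!])\] )?(?P<kind>[A-Za-z]+) "
    r"(?P<action>Found|Deleted|Restored) : (?:\[(?P<arch>x64)\] )?(?P<target>.+)$")
VALUE_RE = re.compile(r"^(?P<key>.+?) \[(?P<name>.+?)\](?: - (?P<data>.+))?$")  # "<key> [<value>] - <data>"

@dataclass
class Finding:
    section: str
    kind: str                          # Service, File, Folder, Task, Key, Value, Data, Setting
    action: str                        # Found (scan log) or Deleted / Restored (cleaning log)
    target: str                        # path, service name or registry key
    value_name: Optional[str] = None   # registry value name on Value/Data/Setting lines
    data: Optional[str] = None         # that value's data, when the log prints it
    arch: Optional[str] = None         # "x64" when read from the 64-bit registry view
    flag: Optional[str] = None         # "#" or "!" marker exactly as AdwCleaner printed it
    browser: Optional[str] = None      # browser heading the entry sits under, if any

@dataclass
class AdwLog:
    header: Dict[str, str]
    findings: List[Finding]

def parse_log(text: str) -> AdwLog:
    header, findings, section, browser = {}, [], None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if section is None and (m := HEADER_RE.match(line)):      # preamble before any section
            header[m["key"].strip()] = m["value"].strip()
        elif m := SECTION_RE.match(line):
            section, browser = m["name"], None
        elif m := BROWSER_RE.match(line):
            browser = m["name"]
        elif section is not None and (m := ENTRY_RE.match(line)):
            f = Finding(section, m["kind"], m["action"], m["target"],
                        arch=m["arch"], flag=m["flag"], browser=browser)
            if f.kind in ("Value", "Data", "Setting") and (v := VALUE_RE.match(f.target)):
                f.target, f.value_name, f.data = v["key"], v["name"], v["data"]
            findings.append(f)
        # blank lines, banners and the EOF footer match nothing and are skipped
    return AdwLog(header, findings)

def summarize(log: AdwLog) -> Dict[str, int]:
    """Findings per section, e.g. {'Services': 12, 'Registry': 85}."""
    return dict(Counter(f.section for f in log.findings))

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8,}$")
URL_HOST_RE = re.compile(r"^(?:hxxps?|https?)://([^/?#]+)", re.I)   # the log defangs http as hxxp

def triage(log: AdwLog) -> List[Tuple[Finding, str]]:
    """Return (finding, reason) for entries that usually mean more than an adware
    leftover.  The rules are the editor's assumptions, not AdwCleaner verdicts."""
    flagged = []
    for f in log.findings:
        t, reason = f.target.lower(), None
        if f.kind == "File" and t.startswith(SYSTEM_DIRS) and t.endswith((".exe", ".dll", ".sys")):
            reason = "unexpected executable in a Windows system directory"
        elif f.kind == "Service" and HEX_NAME_RE.match(t):
            reason = "service with a random-looking hex name"
        elif f.kind == "Key" and "\\safeboot\\" in t:
            reason = "service allowed to start even in Safe Mode"
        elif f.kind == "Key" and "\\browser helper objects\\" in t:
            reason = "Browser Helper Object registered in Internet Explorer"
        elif f.value_name and f.value_name.lower().startswith("proxy"):
            reason = "proxy configuration modified"
        elif f.kind == "Setting" and f.data and (host := URL_HOST_RE.match(f.data)):
            reason = f"browser {f.value_name} points at {host.group(1)}"
        if reason:
            flagged.append((f, reason))
    return flagged

# Constructed sample in the posted log's format; the entries are copied from this thread.
SAMPLE_LOG = r"""# AdwCleaner v4.207 - Logfile created 23/06/2015 at 07:53:51
# Database : 2015-06-21.2 [Server]
# Option : Scan
***** [ Services ] *****
Service Found : QQPCRTP
Service Found : 3621a1ae
***** [ Files / Folders ] *****
File Found : C:\Windows\System32\cpuminer-gw64.exe
Folder Found : C:\Program Files (x86)\tencent
***** [ Registry ] *****
Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : [x64] HKCU\Software\ArenaHD
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Found : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17840
Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxp://www.hao123.com/?tn=91284697_hao_pg
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [11229 bytes] ##########
"""
```

To use it on a real file, read the saved AdwCleaner[R#].txt (scan) or AdwCleaner[S#].txt (cleaning) log and pass its contents to parse_log; the same patterns accept the `[#]` markers and Deleted/Restored actions that only appear in the cleaning log. The flagged list is a reading aid, not a verdict: each reason says why an entry surfaced so it can be cross-checked against the FRST logs rather than acted on blindly.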
Old 06-22-2015, 09:49 PM   #3
Registered Member
 
 
Join Date: Feb 2015
Location: Paarl, Western Cape, South Africa
Posts: 42
OS: Windows 7



Thank you, sorry for the double thread, wasn't sure if I did it correctly the first time.

Will do as above and let you know.
 
Old 06-22-2015, 09:52 PM   #4
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



You're welcome! Not a problem. Post when ready.
Old 06-22-2015, 11:13 PM   #5
Registered Member
 
 
Join Date: Feb 2015
Location: Paarl, Western Cape, South Africa
Posts: 42
OS: Windows 7



Ok I have done all the steps and attached the files. Thank you for the help I do appreciate it.

CKfiles.txt

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.NVNACZ
----- EOF -----

ADW Cleaner logs:

# AdwCleaner v4.207 - Logfile created 23/06/2015 at 07:53:51
# Updated 21/06/2015 by Xplode
# Database : 2015-06-21.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Mariette - MARIETTE-PC
# Running from : C:\Users\Mariette\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : QQPCRTP
Service Found : TAOAccelerator
Service Found : TSDefenseBt
Service Found : TSSysKit
Service Found : QMUdisk
Service Found : Update Wooden Seal
Service Found : QQSysMonX64
Service Found : TSCPM
Service Found : TFsFlt
Service Found : TAOFrame
Service Found : TAOKernelDriver
Service Found : 3621a1ae

***** [ Files / Folders ] *****

File Found : C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gmbmikajjgmnabiglmofipeabaddhgne_0.localstorage
File Found : C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gmbmikajjgmnabiglmofipeabaddhgne_0.localstorage-journal
File Found : C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????\????\????.lnk
File Found : C:\Users\Mariette\Desktop\Live PC Help.lnk
File Found : C:\Windows\System32\cpuminer-conf.json
File Found : C:\Windows\System32\cpuminer-gw64.exe
File Found : C:\Windows\System32\roboot64.exe
Folder Found : C:\Program Files (x86)\Common Files\tencent
Folder Found : C:\Program Files (x86)\tencent
Folder Found : C:\Program Files\Common Files\tencent
Folder Found : C:\ProgramData\{3a6bfa1e-738a-fc7e-3a6b-bfa1e738e879}
Folder Found : C:\ProgramData\bocnefaimclmnfppkcjlfiamdkkhjlel
Folder Found : C:\ProgramData\tencent
Folder Found : C:\ProgramData\TXQMPC
Folder Found : C:\Users\Administrator\AppData\Roaming\tencent
Folder Found : C:\Users\Mariette\AppData\Local\Crossbrowse
Folder Found : C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmbmikajjgmnabiglmofipeabaddhgne
Folder Found : C:\Users\Mariette\AppData\Local\Prompt Downloader
Folder Found : C:\Users\Mariette\AppData\Local\Temp\tencent
Folder Found : C:\Users\Mariette\AppData\Local\Temp\Wooden Seal
Folder Found : C:\Users\Mariette\AppData\Roaming\ASP
Folder Found : C:\Users\Mariette\AppData\Roaming\cpuminer
Folder Found : C:\Users\Mariette\AppData\Roaming\Systweak
Folder Found : C:\Users\Mariette\AppData\Roaming\tencent
Folder Found : C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tencent

***** [ Scheduled tasks ] *****

Task Found : ASP

***** [ Shortcuts ] *****


***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
Key Found : HKCU\Software\AppDataLow\Software\Crossrider
Key Found : HKCU\Software\ArenaHD
Key Found : HKCU\Software\canortic
Key Found : HKCU\Software\Crossbrowse
Key Found : HKCU\Software\HighDefAction
Key Found : HKCU\Software\InstalledBrowserExtensions
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mystartsearch.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mystartsearch
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Found : HKCU\Software\Mozilla\Extends
Key Found : HKCU\Software\systweak
Key Found : HKCU\Software\YorkNewCin
Key Found : [x64] HKCU\Software\ArenaHD
Key Found : [x64] HKCU\Software\canortic
Key Found : [x64] HKCU\Software\Crossbrowse
Key Found : [x64] HKCU\Software\HighDefAction
Key Found : [x64] HKCU\Software\InstalledBrowserExtensions
Key Found : [x64] HKCU\Software\systweak
Key Found : [x64] HKCU\Software\YorkNewCin
Key Found : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Found : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\SOFTWARE\243a1627-8c91-9ade-b5dc-a26e65df8f0f
Key Found : HKLM\SOFTWARE\ArenaHD
Key Found : HKLM\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
Key Found : HKLM\SOFTWARE\Classes\AppID\DownloadProxy.EXE
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{70DE12EA-79F4-46BC-9812-86DB50A2FD64}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Found : HKLM\SOFTWARE\CLASSES\METNSD
Key Found : HKLM\SOFTWARE\Classes\P22F73C37_0C66_4B08_856E_D7C0007C1B8F_.P22F73C37_0C66_4B08_856E_D7C0007C1B8F_
Key Found : HKLM\SOFTWARE\Classes\P22F73C37_0C66_4B08_856E_D7C0007C1B8F_.P22F73C37_0C66_4B08_856E_D7C0007C1B8F_.9
Key Found : HKLM\SOFTWARE\Classes\P5C96B641_718C_47EB_A9CF_8A2981BF4618_.P5C96B641_718C_47EB_A9CF_8A2981BF4618_
Key Found : HKLM\SOFTWARE\Classes\P5C96B641_718C_47EB_A9CF_8A2981BF4618_.P5C96B641_718C_47EB_A9CF_8A2981BF4618_.9
Key Found : HKLM\SOFTWARE\Classes\S
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{03D19D4E-AADD-472C-93CF-63602AE5DC2E}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Found : HKLM\SOFTWARE\FFPluginHp
Key Found : HKLM\SOFTWARE\GlobalUpdate
Key Found : HKLM\SOFTWARE\GoHD
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ooebklgpfnbcnpokahmdidgbmlcdepkm
Key Found : HKLM\SOFTWARE\HighDefAction
Key Found : HKLM\SOFTWARE\InstalledBrowserExtensions
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{3621a1ae}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
Key Found : HKLM\SOFTWARE\mystartsearchSoftware
Key Found : HKLM\SOFTWARE\systweak
Key Found : HKLM\SOFTWARE\YorkNewCin
Key Found : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP
Key Found : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP
Key Found : [x64] HKLM\SOFTWARE\ArenaHD
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Found : [x64] HKLM\SOFTWARE\HighDefAction
Key Found : [x64] HKLM\SOFTWARE\InstalledBrowserExtensions
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cpuminer
Key Found : [x64] HKLM\SOFTWARE\YorkNewCin
Key Found : HKU\.DEFAULT\Software\Avg Secure Update
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [[email protected]]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [[email protected]]

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17840

Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxp://www.hao123.com/?tn=91284697_hao_pg
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL] - hxxp://www.mystartsearch.com/web/?type=ds&ts=1434809571&z=814d952a202abf2ef256564gbz7c5z6b7eftfwdb7g&from=wpc&uid=ADATAXSP900XXXXXXXXXXXXXXXXXXXXXXXXXXX_02718212500400003034&q={searchTerms}
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL] - hxxp://www.mystartsearch.com/?type=hp&ts=1434809571&z=814d952a202abf2ef256564gbz7c5z6b7eftfwdb7g&from=wpc&uid=ADATAXSP900XXXXXXXXXXXXXXXXXXXXXXXXXXX_02718212500400003034
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://www.hao123.com/?tn=91284697_hao_pg
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page] - hxxp://www.mystartsearch.com/web/?type=ds&ts=1434809571&z=814d952a202abf2ef256564gbz7c5z6b7eftfwdb7g&from=wpc&uid=ADATAXSP900XXXXXXXXXXXXXXXXXXXXXXXXXXX_02718212500400003034&q={searchTerms}
Setting Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL] - hxxp://www.mystartsearch.com/web/?type=ds&ts=1434809571&z=814d952a202abf2ef256564gbz7c5z6b7eftfwdb7g&from=wpc&uid=ADATAXSP900XXXXXXXXXXXXXXXXXXXXXXXXXXX_02718212500400003034&q={searchTerms}
Setting Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL] - hxxp://www.mystartsearch.com/?type=hp&ts=1434809571&z=814d952a202abf2ef256564gbz7c5z6b7eftfwdb7g&from=wpc&uid=ADATAXSP900XXXXXXXXXXXXXXXXXXXXXXXXXXX_02718212500400003034
Setting Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://www.mystartsearch.com/?type=hp&ts=1434809571&z=814d952a202abf2ef256564gbz7c5z6b7eftfwdb7g&from=wpc&uid=ADATAXSP900XXXXXXXXXXXXXXXXXXXXXXXXXXX_02718212500400003034
Setting Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page] - hxxp://www.mystartsearch.com/web/?type=ds&ts=1434809571&z=814d952a202abf2ef256564gbz7c5z6b7eftfwdb7g&from=wpc&uid=ADATAXSP900XXXXXXXXXXXXXXXXXXXXXXXXXXX_02718212500400003034&q={searchTerms}

-\\ Mozilla Firefox v38.0.5 (x86 en-US)


-\\ Google Chrome v43.0.2357.124


*************************

AdwCleaner[R0].txt - [11169 bytes] - [23/06/2015 07:53:51]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [11229 bytes] ##########




# AdwCleaner v4.207 - Logfile created 23/06/2015 at 07:54:54
# Updated 21/06/2015 by Xplode
# Database : 2015-06-21.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Mariette - MARIETTE-PC
# Running from : C:\Users\Mariette\Downloads\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : QQPCRTP
Service Deleted : TAOAccelerator
Service Deleted : TSDefenseBt
[#] Service Deleted : QMUdisk
[#] Service Deleted : Update Wooden Seal
[#] Service Deleted : QQSysMonX64
[#] Service Deleted : TSCPM
[#] Service Deleted : TFsFlt
[#] Service Deleted : TAOFrame
[#] Service Deleted : TAOKernelDriver
[#] Service Deleted : 3621a1ae

***** [ Files / Folders ] *****

[!] Folder Deleted : C:\ProgramData\tencent
Folder Deleted : C:\ProgramData\TXQMPC
Folder Deleted : C:\ProgramData\{3a6bfa1e-738a-fc7e-3a6b-bfa1e738e879}
[!] Folder Deleted : C:\Program Files (x86)\tencent
Folder Deleted : C:\Program Files (x86)\Common Files\tencent
Folder Deleted : C:\Users\Mariette\AppData\Local\Temp\Wooden Seal
Folder Deleted : C:\Users\Mariette\AppData\Local\Temp\tencent
Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tencent
[!] Folder Deleted : C:\Program Files\Common Files\tencent
Folder Deleted : C:\Users\Administrator\AppData\Roaming\tencent
Folder Deleted : C:\Users\Mariette\AppData\Local\Crossbrowse
Folder Deleted : C:\Users\Mariette\AppData\Local\Prompt Downloader
Folder Deleted : C:\Users\Mariette\AppData\Roaming\ASP
Folder Deleted : C:\Users\Mariette\AppData\Roaming\Systweak
Folder Deleted : C:\Users\Mariette\AppData\Roaming\tencent
Folder Deleted : C:\Users\Mariette\AppData\Roaming\cpuminer
Folder Deleted : C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmbmikajjgmnabiglmofipeabaddhgne
Folder Deleted : C:\ProgramData\bocnefaimclmnfppkcjlfiamdkkhjlel
File Deleted : C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gmbmikajjgmnabiglmofipeabaddhgne_0.localstorage
File Deleted : C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gmbmikajjgmnabiglmofipeabaddhgne_0.localstorage-journal
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Windows\System32\cpuminer-conf.json
File Deleted : C:\Windows\System32\cpuminer-gw64.exe
File Deleted : C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????\????\????.lnk
File Deleted : C:\Users\Mariette\Desktop\Live PC Help.lnk

***** [ Scheduled tasks ] *****

Task Deleted : ASP

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [[email protected]]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [[email protected]]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\ooebklgpfnbcnpokahmdidgbmlcdepkm
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKCU\Software\Mozilla\Extends
Key Deleted : HKLM\SOFTWARE\Classes\AppID\DownloadProxy.EXE
Key Deleted : HKLM\SOFTWARE\CLASSES\METNSD
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP
Key Deleted : HKLM\SOFTWARE\Classes\P22F73C37_0C66_4B08_856E_D7C0007C1B8F_.P22F73C37_0C66_4B08_856E_D7C0007C1B8F_
Key Deleted : HKLM\SOFTWARE\Classes\P22F73C37_0C66_4B08_856E_D7C0007C1B8F_.P22F73C37_0C66_4B08_856E_D7C0007C1B8F_.9
Key Deleted : HKLM\SOFTWARE\Classes\P5C96B641_718C_47EB_A9CF_8A2981BF4618_.P5C96B641_718C_47EB_A9CF_8A2981BF4618_
Key Deleted : HKLM\SOFTWARE\Classes\P5C96B641_718C_47EB_A9CF_8A2981BF4618_.P5C96B641_718C_47EB_A9CF_8A2981BF4618_.9
Key Deleted : HKLM\SOFTWARE\243a1627-8c91-9ade-b5dc-a26e65df8f0f
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{3621a1ae}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{70DE12EA-79F4-46BC-9812-86DB50A2FD64}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{03D19D4E-AADD-472C-93CF-63602AE5DC2E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22F73C37-0C66-4B08-856E-D7C0007C1B8F}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C96B641-718C-47EB-A9CF-8A2981BF4618}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\Crossbrowse
Key Deleted : HKCU\Software\YorkNewCin
Key Deleted : HKCU\Software\HighDefAction
Key Deleted : HKCU\Software\ArenaHD
Key Deleted : HKCU\Software\canortic
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\GlobalUpdate
Key Deleted : HKLM\SOFTWARE\InstalledBrowserExtensions
Key Deleted : HKLM\SOFTWARE\systweak
Key Deleted : HKLM\SOFTWARE\GoHD
Key Deleted : HKLM\SOFTWARE\mystartsearchSoftware
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Deleted : HKLM\SOFTWARE\YorkNewCin
Key Deleted : HKLM\SOFTWARE\HighDefAction
Key Deleted : HKLM\SOFTWARE\ArenaHD
Key Deleted : HKLM\SOFTWARE\FFPluginHp
Key Deleted : HKU\.DEFAULT\Software\Avg Secure Update
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}
Key Deleted : [x64] HKLM\SOFTWARE\InstalledBrowserExtensions
Key Deleted : [x64] HKLM\SOFTWARE\YorkNewCin
Key Deleted : [x64] HKLM\SOFTWARE\HighDefAction
Key Deleted : [x64] HKLM\SOFTWARE\ArenaHD
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cpuminer
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mystartsearch.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\mystartsearch
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17840

Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]

-\\ Mozilla Firefox v38.0.5 (x86 en-US)


-\\ Google Chrome v43.0.2357.124


*************************

AdwCleaner[R0].txt - [11413 bytes] - [23/06/2015 07:53:51]
AdwCleaner[S0].txt - [9605 bytes] - [23/06/2015 07:54:54]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9664 bytes] ##########


FRST64 log:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:21-06-2015 01
Ran by Mariette (administrator) on MARIETTE-PC on 23-06-2015 07:59:21
Running from C:\Users\Mariette\Downloads
Loaded Profiles: Mariette (Available Profiles: Mariette & Administrator)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: FRST Tutorial - How to use Farbar Recovery Scan Tool - Geeks to Go Forum

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Adobe Systems Incorporated) D:\Adobe Photoshop\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(CrypKey (Canada) Ltd.) C:\Windows\System32\Crypserv.exe
(Intel(R) Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\Jhi_service.exe
( ) C:\Windows\System32\lxeacoms.exe
(VIA Technologies, Inc.) C:\Windows\System32\ViakaraokeSrv.exe
() C:\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009\knsp41DE.tmpfs
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(VIA Technologies, Inc.) C:\VIA_XHCI\usb3Monitor.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
() C:\Program Files (x86)\Lexmark S300-S400 Series\lxeamon.exe
() C:\Program Files (x86)\Lexmark S300-S400 Series\ezprint.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe
(D6 Technology) D:\d6_413\d6\d6_413.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe
(D6 Technology) D:\d6_77\d6\d6_77.exe
(VIA) C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Apple Inc.) D:\Program Files (x86)\iTunes\iTunesHelper.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreamsDownloader.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_18_0_0_160.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_18_0_0_160.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [VIAxHCUtl] => C:\VIA_XHCI\usb3Monitor.exe [331776 2011-07-12] (VIA Technologies, Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [497648 2010-07-29] (Adobe Systems Incorporated)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1337000 2015-04-30] (Microsoft Corporation)
HKLM\...\Run: [lxeamon.exe] => C:\Program Files (x86)\Lexmark S300-S400 Series\lxeamon.exe [772712 2013-01-23] ()
HKLM\...\Run: [EzPrint] => C:\Program Files (x86)\Lexmark S300-S400 Series\ezprint.exe [150264 2013-01-23] ()
HKLM-x32\...\Run: [HDAudDeck] => C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe [5028464 2012-01-12] (VIA)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe [284440 2011-11-29] (Intel Corporation)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-27] (Intel Corporation)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
HKLM-x32\...\Run: [iTunesHelper] => D:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2015-04-07] (Apple Inc.)
HKLM-x32\...\Run: [ QQPCTray] => "C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCTRAY.EXE" /regrun /qqrepair
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3727824 2015-06-05] (AVG Technologies CZ, s.r.o.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\...\Run: [Uploader] => C:\Program Files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2015-04-26] (Apple Inc.)
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2015-04-26] (Apple Inc.)
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\...\Run: [iCloudDrive] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe [43816 2015-04-26] (Apple Inc.)
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\...\Run: [d6_413] => D:\d6_413\d6\d6_413.exe [1357968 2012-12-14] (D6 Technology)
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\...\Run: [d6_77] => D:\d6_77\d6\d6_77.exe [1357376 2012-08-03] (D6 Technology)
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\PhotoScreensaver.scr [477696 2010-11-21] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} => C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMGCShellExt64.dll No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mystartsearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = https://www.hao123.com/?tn=91284697_hao_pg
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Google
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = Google
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Google
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = Google
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Google
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = Google
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.hao123.com/?tn=91284697_hao_pg
SearchScopes: HKLM -> {81DCC3D8-7CB8-4FAB-BBBA-29EEAB6B154E} URL = https://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {A03EC0EC-1AA9-43CE-A814-4361699C7E40} URL = https://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2407485051-244769875-2442591779-1001 -> {81DCC3D8-7CB8-4FAB-BBBA-29EEAB6B154E} URL =
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO: 电脑管家网页防火墙 -> {7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} -> C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TSWebMon64.dat No File
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2013-12-19] (Microsoft Corporation)
BHO-x32: Wooden Seal 1.0.0.7 -> {7a0ab196-76b2-4ee2-858e-7efdc93c3a47} -> C:\Program Files (x86)\Wooden Seal\WoodenSealbho.dll No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Windows Live Messenger Companion Helper -> {9FDDE16B-836F-4806-AB1F-1455CBEFF289} -> C:\Program Files (x86)\Windows Live\Companion\companioncore.dll [2010-11-10] (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2013-03-06] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.2

FireFox:
========
FF ProfilePath: C:\Users\Mariette\AppData\Roaming\Mozilla\Firefox\Profiles\4jy5tjrw.default-1434994323219
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_160.dll [2015-06-19] ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-16] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~3\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_160.dll [2015-06-19] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1218158.dll [2015-05-07] (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> D:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-30] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.52 -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll [2011-12-01] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2011-12-01] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @qq.com/QQPCMgr -> C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\npQMExtensionsMozilla.dll No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-15] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-03-17] (Adobe Systems Inc.)
FF Extension: Foxstart Default Settings - C:\Users\Mariette\AppData\Roaming\Mozilla\Firefox\Profiles\4jy5tjrw.default-1434994323219\Extensions\[email protected] [2015-06-22]

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-05-14]
CHR Extension: (Google Docs) - C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-14]
CHR Extension: (Google Drive) - C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-05-14]
CHR Extension: (YouTube) - C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-05-14]
CHR Extension: (Google Search) - C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-05-14]
CHR Extension: (Google Sheets) - C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-14]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-14]
CHR Extension: (Google Wallet) - C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-18]
CHR Extension: (Gmail) - C:\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-14]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AdobeActiveFileMonitor9.0; D:\Adobe Photoshop\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [169408 2010-09-30] (Adobe Systems Incorporated)
S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3461072 2015-06-05] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [312816 2015-06-05] (AVG Technologies CZ, s.r.o.)
R2 Crypkey License; C:\Windows\system32\crypserv.exe [122880 2008-05-08] (CrypKey (Canada) Ltd.) [File not signed]
R2 jhi_service; C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [161560 2011-12-16] (Intel Corporation)
S2 lxeaCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\x64\3\\lxeaserv.exe [45736 2010-04-14] (Lexmark International, Inc.)
R2 lxea_device; C:\Windows\system32\lxeacoms.exe [1052328 2010-04-14] ( )
R2 lxea_device; C:\Windows\SysWOW64\lxeacoms.exe [598696 2010-04-14] ( )
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [23816 2015-04-30] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [366544 2015-04-30] (Microsoft Corporation)
R2 VIAKaraokeService; C:\Windows\system32\viakaraokesrv.exe [27760 2012-01-10] (VIA Technologies, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S2 QQPCRTP; "C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCRtp.exe" -r [X]
S2 Util Wooden Seal; "C:\Program Files (x86)\Wooden Seal\bin\utilWoodenSeal.exe" [X]
R2 wegyqybi; C:\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009\knsp41DE.tmpfs [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [21616 2011-11-02] ()
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [162784 2015-03-11] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [287200 2015-05-19] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [253408 2015-05-12] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [256992 2015-04-15] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [378336 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [224224 2015-05-12] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [40928 2015-03-20] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [281568 2015-05-12] (AVG Technologies CZ, s.r.o.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [280376 2015-03-04] (Microsoft Corporation)
R1 NetworkX; C:\Windows\system32\ckldrv.sys [28664 2008-03-17] ()
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [124568 2015-03-04] (Microsoft Corporation)
S3 NMgamingmsFltr; C:\Windows\System32\drivers\NMgamingms.sys [11264 2009-07-24] (Primax Ltd)
S3 TSSKX64; C:\Windows\System32\drivers\tsskx64.sys [38200 2015-06-20] (电脑管家)
S3 usbohci; C:\Windows\system32\drivers\usbohci.sys [25600 2011-08-16] (Microsoft Corporation) [File not signed]
S3 usbuhci; C:\Windows\system32\drivers\usbuhci.sys [30720 2011-08-16] (Microsoft Corporation) [File not signed]
R3 VUSB3HUB; C:\Windows\System32\DRIVERS\ViaHub3.sys [205312 2012-01-20] (VIA Technologies, Inc.)
R3 xhcdrv; C:\Windows\System32\DRIVERS\xhcdrv.sys [254464 2012-01-20] (VIA Technologies, Inc.)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
R1 TSDefenseBt; \??\C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TsDefenseBT64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-23 07:59 - 2015-06-23 07:59 - 00020123 _____ C:\Users\Mariette\Downloads\FRST.txt
2015-06-23 07:59 - 2015-06-23 07:59 - 00000000 ____D C:\FRST
2015-06-23 07:58 - 2015-06-23 07:58 - 02109952 _____ (Farbar) C:\Users\Mariette\Downloads\FRST64.exe
2015-06-23 07:57 - 2015-06-23 07:57 - 00000000 ____D C:\ProgramData\TXQMPC
2015-06-23 07:53 - 2015-06-23 07:55 - 00000000 ____D C:\AdwCleaner
2015-06-23 07:53 - 2015-06-23 07:53 - 00001519 _____ C:\Users\Mariette\Desktop\AdwCleaner.exe - Shortcut.lnk
2015-06-23 07:52 - 2015-06-23 07:53 - 02244096 _____ C:\Users\Mariette\Downloads\AdwCleaner.exe
2015-06-23 07:50 - 2015-06-23 07:50 - 00000127 _____ C:\Users\Mariette\Downloads\ckfiles.txt
2015-06-23 06:47 - 2015-06-23 06:47 - 00468480 _____ () C:\Users\Mariette\Downloads\CKScanner.exe
2015-06-23 06:47 - 2015-06-23 06:47 - 00001506 _____ C:\Users\Mariette\Desktop\CKScanner.exe - Shortcut.lnk
2015-06-22 20:40 - 2015-06-22 20:43 - 52822240 _____ (Microsoft Corporation) C:\Users\Mariette\Downloads\Windows-KB890830-x64-V5.25.exe
2015-06-22 19:44 - 2015-06-22 19:56 - 00000000 ____D C:\Program Files (x86)\Exterminate It!
2015-06-22 19:37 - 2015-06-22 19:43 - 148947056 _____ (CURIOLAB S.M.B.A.) C:\Users\Mariette\Downloads\ExterminateItSetup(1).exe
2015-06-22 17:45 - 2015-06-22 17:45 - 00031750 _____ C:\Users\Mariette\Desktop\dds.txt
2015-06-22 17:45 - 2015-06-22 17:45 - 00017570 _____ C:\Users\Mariette\Desktop\attach.txt
2015-06-22 17:44 - 2015-06-22 17:44 - 00688992 ____R (Swearware) C:\Users\Mariette\Downloads\dds.scr
2015-06-22 17:04 - 2015-06-22 17:04 - 00000000 _____ C:\autoexec.bat
2015-06-22 17:00 - 2015-06-22 17:00 - 03237248 _____ (Enigma Software Group USA, LLC.) C:\Users\Mariette\Downloads\SpyHunter-Installer.exe
2015-06-22 16:02 - 2015-06-22 16:02 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\Curiolab
2015-06-22 16:01 - 2015-06-22 19:44 - 00001088 _____ C:\Users\Public\Desktop\Exterminate It!.lnk
2015-06-22 16:01 - 2015-06-22 16:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Exterminate It!
2015-06-22 15:53 - 2015-06-22 15:59 - 148947056 _____ (CURIOLAB S.M.B.A.) C:\Users\Mariette\Downloads\ExterminateItSetup.exe
2015-06-22 14:30 - 2015-06-22 15:56 - 00000000 __SHD C:\Windows\SysWOW64\AI_RecycleBin
2015-06-22 14:29 - 2015-06-22 14:29 - 02178872 _____ (Reason Software Company Inc.) C:\Users\Mariette\Downloads\ShouldIRemoveIt_Setup.exe
2015-06-22 14:24 - 2015-06-22 14:24 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eXeScope
2015-06-22 11:27 - 2015-06-22 11:28 - 00000188 _____ C:\Users\Mariette\Downloads\afbdb1ec28ed5a4be608dca2bedb02bc7f894320_original.zip
2015-06-22 09:45 - 2015-06-22 09:46 - 00000000 ____D C:\Users\Mariette\AppData\Local\Avg2015
2015-06-22 09:45 - 2015-06-22 09:45 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\AVG2015
2015-06-22 08:57 - 2015-06-22 08:57 - 00035824 _____ (Curio Laboratories) C:\Users\Administrator\Downloads\RemoveOnRebootSetup(1).exe
2015-06-22 08:54 - 2015-06-22 08:54 - 00035824 _____ (Curio Laboratories) C:\Users\Administrator\Downloads\RemoveOnRebootSetup.exe
2015-06-22 08:54 - 2015-06-22 08:54 - 00003200 _____ C:\Windows\System32\Tasks\{399EE492-1303-4E71-8675-07EE5A18A200}
2015-06-22 08:27 - 2015-06-22 08:27 - 00000000 ____D C:\Users\Administrator\AppData\Local\Macromedia
2015-06-22 08:24 - 2015-06-22 08:24 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\AVG2015
2015-06-22 08:23 - 2015-06-23 06:06 - 00000000 ____D C:\ProgramData\AVG2015
2015-06-22 08:23 - 2015-06-22 08:23 - 00000972 _____ C:\Users\Public\Desktop\AVG 2015.lnk
2015-06-22 08:23 - 2015-06-22 08:23 - 00000000 ___HD C:\$AVG
2015-06-22 08:23 - 2015-06-22 08:23 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\TuneUp Software
2015-06-22 08:23 - 2015-06-22 08:23 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-06-22 08:23 - 2015-06-22 08:23 - 00000000 ____D C:\Program Files\Common Files\AV
2015-06-22 08:23 - 2015-06-22 08:23 - 00000000 ____D C:\Program Files (x86)\AVG
2015-06-22 08:18 - 2015-06-23 06:58 - 00000000 ____D C:\ProgramData\MFAData
2015-06-22 08:18 - 2015-06-22 08:29 - 00000000 ____D C:\Users\Administrator\AppData\Local\Avg2015
2015-06-22 08:18 - 2015-06-22 08:18 - 00000000 ____D C:\Users\Administrator\AppData\Local\MFAData
2015-06-22 08:17 - 2015-06-22 08:17 - 04578024 _____ (AVG Technologies) C:\Users\Administrator\Downloads\avg_avct_stb_all_2015_5315_ppc17.exe
2015-06-22 08:14 - 2015-06-22 08:14 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Mozilla
2015-06-22 08:14 - 2015-06-22 08:14 - 00000000 ____D C:\Users\Administrator\AppData\Local\Mozilla
2015-06-22 08:12 - 2015-06-22 08:12 - 00329776 _____ C:\Users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2015-06-22 08:12 - 2015-06-22 08:12 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Intel Corporation
2015-06-22 08:12 - 2015-06-22 08:12 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Apple Computer
2015-06-22 08:12 - 2015-06-22 08:12 - 00000000 ____D C:\Users\Administrator\AppData\Local\GWX
2015-06-22 08:11 - 2015-06-22 08:11 - 00001420 _____ C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-06-22 08:11 - 2015-06-22 08:11 - 00000020 ___SH C:\Users\Administrator\ntuser.ini
2015-06-22 08:11 - 2015-06-22 08:11 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Adobe
2015-06-22 08:11 - 2015-06-22 08:11 - 00000000 ____D C:\Users\Administrator\AppData\Local\Adobe
2015-06-22 08:11 - 2015-06-22 08:11 - 00000000 ____D C:\Users\Administrator
2015-06-22 08:11 - 2015-04-07 21:01 - 00000000 ____D C:\Users\Administrator\AppData\Local\Microsoft Help
2015-06-22 08:11 - 2015-04-05 10:16 - 00000000 ____D C:\Users\Administrator\AppData\Roaming\Macromedia
2015-06-22 08:11 - 2009-07-14 06:54 - 00000000 ___RD C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
2015-06-22 08:11 - 2009-07-14 06:49 - 00000000 ___RD C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
2015-06-20 21:43 - 2015-06-20 21:43 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-06-20 18:47 - 2015-06-22 07:51 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-06-20 18:47 - 2015-06-20 18:47 - 00001166 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-06-20 18:47 - 2015-06-20 18:47 - 00001154 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-06-20 17:40 - 2015-06-20 17:40 - 00048784 _____ (StdLib) C:\Windows\system32\Drivers\{2dc69315-903c-4a9c-a481-3b9b33c9045d}Gw64.sys.tmp
2015-06-20 17:39 - 2015-06-20 17:39 - 00000464 __RSH C:\ProgramData\ntuser.pol
2015-06-20 17:10 - 2015-06-20 17:11 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\Opera Software
2015-06-20 17:10 - 2015-06-20 17:11 - 00000000 ____D C:\Users\Mariette\AppData\Local\Opera Software
2015-06-20 16:26 - 2015-06-22 08:44 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009
2015-06-20 16:26 - 2015-06-20 16:26 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件
2015-06-20 16:26 - 2015-06-20 16:25 - 00174392 _____ (Tencent Technology(Shenzhen) Company Limited) C:\Windows\system32\Drivers\TAOKernel64.sys
2015-06-20 16:26 - 2015-06-20 16:25 - 00099640 _____ (Tencent) C:\Windows\system32\Drivers\TAOAccelerator64.sys
2015-06-20 16:26 - 2015-06-20 16:25 - 00087864 _____ (电脑管家) C:\Windows\system32\Drivers\TFsFltX64.sys
2015-06-20 16:26 - 2015-06-20 16:25 - 00038200 _____ (电脑管家) C:\Windows\system32\Drivers\TSSKX64.sys
2015-06-20 16:25 - 2015-06-23 07:57 - 00000000 ____D C:\ProgramData\Tencent
2015-06-20 16:25 - 2015-06-23 07:55 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\Tencent
2015-06-20 16:25 - 2015-06-20 16:25 - 00000000 ____D C:\Program Files (x86)\Tencent
2015-06-20 16:22 - 2015-06-20 16:29 - 00000000 ____D C:\Program Files (x86)\Rising
2015-06-20 16:22 - 2015-06-20 16:23 - 00000000 ____D C:\ProgramData\Rising
2015-06-20 16:09 - 2015-06-20 16:11 - 00000000 ____D C:\ProgramData\13218838151618144787
2015-06-20 16:07 - 2015-06-23 04:07 - 00000350 _____ C:\Windows\Tasks\Bidaily Synchronize Task[973b].job
2015-06-20 16:07 - 2015-06-20 16:07 - 00003268 _____ C:\Windows\System32\Tasks\Bidaily Synchronize Task[973b]
2015-06-10 18:16 - 2015-06-10 18:16 - 01302237 _____ C:\Users\Mariette\Downloads\ANA QP Maths Gr 9(1).zip
2015-06-10 18:13 - 2015-06-10 18:13 - 00565712 _____ C:\Users\Mariette\Downloads\Grade 9 Mathematics Afrikaans(1).zip
2015-06-10 16:57 - 2015-06-10 16:57 - 01302237 _____ C:\Users\Mariette\Downloads\ANA QP Maths Gr 9.zip
2015-06-10 16:56 - 2015-06-10 16:56 - 00565712 _____ C:\Users\Mariette\Downloads\Grade 9 Mathematics Afrikaans.zip
2015-06-10 16:53 - 2015-06-10 16:53 - 00573327 _____ C:\Users\Mariette\Downloads\2013+Grade+9+English+HL.zip
2015-06-10 16:52 - 2015-06-10 16:52 - 01532785 _____ C:\Users\Mariette\Downloads\ANA QP Gr 9(4).zip
2015-06-10 16:52 - 2015-06-10 16:52 - 00534837 _____ C:\Users\Mariette\Downloads\Grade 9 English Home Language.zip
2015-06-10 06:18 - 2015-04-11 05:19 - 00069888 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\stream.sys
2015-06-10 06:17 - 2015-05-25 20:24 - 05569984 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-06-10 06:17 - 2015-05-25 20:23 - 00155584 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2015-06-10 06:17 - 2015-05-25 20:23 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2015-06-10 06:17 - 2015-05-25 20:21 - 01728960 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 01461760 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 01255424 _____ (Microsoft Corporation) C:\Windows\system32\diagtrack.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 01162752 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00879104 _____ (Microsoft Corporation) C:\Windows\system32\tdh.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00728576 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00424960 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00362496 _____ (Microsoft Corporation) C:\Windows\system32\wow64win.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00243712 _____ (Microsoft Corporation) C:\Windows\system32\wow64.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00136192 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00113664 _____ (Microsoft Corporation) C:\Windows\system32\sechost.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00029184 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\ntvdm64.dll
2015-06-10 06:17 - 2015-05-25 20:19 - 00013312 _____ (Microsoft Corporation) C:\Windows\system32\wow64cpu.dll
2015-06-10 06:17 - 2015-05-25 20:18 - 00879104 _____ (Microsoft Corporation) C:\Windows\system32\advapi32.dll
2015-06-10 06:17 - 2015-05-25 20:18 - 00404992 _____ (Microsoft Corporation) C:\Windows\system32\tracerpt.exe
2015-06-10 06:17 - 2015-05-25 20:18 - 00338432 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2015-06-10 06:17 - 2015-05-25 20:18 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-06-10 06:17 - 2015-05-25 20:18 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\smss.exe
2015-06-10 06:17 - 2015-05-25 20:18 - 00104448 _____ (Microsoft Corporation) C:\Windows\system32\logman.exe
2015-06-10 06:17 - 2015-05-25 20:18 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\auditpol.exe
2015-06-10 06:17 - 2015-05-25 20:18 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\typeperf.exe
2015-06-10 06:17 - 2015-05-25 20:18 - 00043520 _____ (Microsoft Corporation) C:\Windows\system32\csrsrv.dll
2015-06-10 06:17 - 2015-05-25 20:18 - 00043008 _____ (Microsoft Corporation) C:\Windows\system32\relog.exe
2015-06-10 06:17 - 2015-05-25 20:18 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2015-06-10 06:17 - 2015-05-25 20:18 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2015-06-10 06:17 - 2015-05-25 20:18 - 00019456 _____ (Microsoft Corporation) C:\Windows\system32\diskperf.exe
2015-06-10 06:17 - 2015-05-25 20:14 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2015-06-10 06:17 - 2015-05-25 20:14 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\msobjs.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00686080 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\apisetschema.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:11 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 20:07 - 03989440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-06-10 06:17 - 2015-05-25 20:07 - 03934144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-06-10 06:17 - 2015-05-25 20:04 - 01310744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00641536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\advapi32.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00635392 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tdh.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00551424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00092160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sechost.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2015-06-10 06:17 - 2015-05-25 20:01 - 00014336 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntvdm64.dll
2015-06-10 06:17 - 2015-05-25 20:00 - 00364544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tracerpt.exe
2015-06-10 06:17 - 2015-05-25 20:00 - 00082944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\logman.exe
2015-06-10 06:17 - 2015-05-25 20:00 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\auditpol.exe
2015-06-10 06:17 - 2015-05-25 20:00 - 00040448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\typeperf.exe
2015-06-10 06:17 - 2015-05-25 20:00 - 00037888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\relog.exe
2015-06-10 06:17 - 2015-05-25 20:00 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\setup16.exe
2015-06-10 06:17 - 2015-05-25 20:00 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\diskperf.exe
2015-06-10 06:17 - 2015-05-25 19:59 - 01114112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kernel32.dll
2015-06-10 06:17 - 2015-05-25 19:59 - 00274944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll
2015-06-10 06:17 - 2015-05-25 19:59 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2015-06-10 06:17 - 2015-05-25 19:59 - 00005120 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wow32.dll
2015-06-10 06:17 - 2015-05-25 19:57 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2015-06-10 06:17 - 2015-05-25 19:57 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msobjs.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00686080 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\apisetschema.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00005120 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-file-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-synch-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-misc-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00004096 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-localization-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-memory-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-heap-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-string-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-profile-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-io-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-handle-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-fibers-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-delayload-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-debug-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:55 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-console-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 19:00 - 00036864 _____ (Microsoft Corporation) C:\Windows\system32\UtcResources.dll
2015-06-10 06:17 - 2015-05-25 18:50 - 00007680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\instnm.exe
2015-06-10 06:17 - 2015-05-25 18:50 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\user.exe
2015-06-10 06:17 - 2015-05-25 18:48 - 00006144 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-security-base-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 18:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 18:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-xstate-l1-1-0.dll
2015-06-10 06:17 - 2015-05-25 18:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\SysWOW64\api-ms-win-core-util-l1-1-0.dll
2015-06-10 06:17 - 2015-05-22 20:18 - 01021440 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll
2015-06-10 06:17 - 2015-05-22 20:18 - 00757248 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll
2015-06-10 06:17 - 2015-05-22 20:18 - 00700416 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2015-06-10 06:17 - 2015-05-22 20:18 - 00423424 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll
2015-06-10 06:17 - 2015-05-22 20:18 - 00227328 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2015-06-10 06:17 - 2015-05-22 20:18 - 00045568 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll
2015-06-10 06:17 - 2015-05-22 20:13 - 01119232 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2015-06-10 06:17 - 2015-05-21 15:19 - 00193536 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll
2015-06-10 06:17 - 2015-04-29 20:22 - 14635008 _____ (Microsoft Corporation) C:\Windows\system32\wmp.dll
2015-06-10 06:17 - 2015-04-29 20:21 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\spwmp.dll
2015-06-10 06:17 - 2015-04-29 20:21 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\msdxm.ocx
2015-06-10 06:17 - 2015-04-29 20:21 - 00005120 _____ (Microsoft Corporation) C:\Windows\system32\dxmasf.dll
2015-06-10 06:17 - 2015-04-29 20:19 - 12625920 _____ (Microsoft Corporation) C:\Windows\system32\wmploc.DLL
2015-06-10 06:17 - 2015-04-29 20:07 - 11411456 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmp.dll
2015-06-10 06:17 - 2015-04-29 20:07 - 00008192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\spwmp.dll
2015-06-10 06:17 - 2015-04-29 20:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msdxm.ocx
2015-06-10 06:17 - 2015-04-29 20:07 - 00004096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxmasf.dll
2015-06-10 06:17 - 2015-04-29 20:05 - 12625408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wmploc.DLL
2015-06-10 06:15 - 2015-04-24 20:17 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2015-06-10 06:15 - 2015-04-24 19:56 - 00530432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2015-06-10 06:14 - 2015-06-01 21:16 - 00389840 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2015-06-10 06:14 - 2015-06-01 20:07 - 00342736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2015-06-10 06:14 - 2015-05-27 16:08 - 19607040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2015-06-10 06:14 - 2015-05-25 19:08 - 03206144 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2015-06-10 06:14 - 2015-05-23 05:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2015-06-10 06:14 - 2015-05-23 05:15 - 00503808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2015-06-10 06:14 - 2015-05-23 05:15 - 00062464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2015-06-10 06:14 - 2015-05-23 05:15 - 00047616 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2015-06-10 06:14 - 2015-05-23 05:14 - 00341504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2015-06-10 06:14 - 2015-05-23 05:13 - 00064000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2015-06-10 06:14 - 2015-05-23 05:10 - 02278912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2015-06-10 06:14 - 2015-05-23 05:09 - 00047104 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2015-06-10 06:14 - 2015-05-23 05:08 - 00030720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2015-06-10 06:14 - 2015-05-23 05:06 - 00478208 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2015-06-10 06:14 - 2015-05-23 05:05 - 00664064 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2015-06-10 06:14 - 2015-05-23 05:05 - 00115712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2015-06-10 06:14 - 2015-05-23 05:04 - 00620032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2015-06-10 06:14 - 2015-05-23 04:57 - 00418304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2015-06-10 06:14 - 2015-05-23 04:52 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2015-06-10 06:14 - 2015-05-23 04:49 - 00168960 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2015-06-10 06:14 - 2015-05-23 04:48 - 00076288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2015-06-10 06:14 - 2015-05-23 04:47 - 04305920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2015-06-10 06:14 - 2015-05-23 04:47 - 00285696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2015-06-10 06:14 - 2015-05-23 04:38 - 00689152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2015-06-10 06:14 - 2015-05-23 04:37 - 02052608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2015-06-10 06:14 - 2015-05-23 04:37 - 01155072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2015-06-10 06:14 - 2015-05-23 04:28 - 12829696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2015-06-10 06:14 - 2015-05-23 04:20 - 01950720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2015-06-10 06:14 - 2015-05-23 04:16 - 01309696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2015-06-10 06:14 - 2015-05-23 04:14 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2015-06-10 06:14 - 2015-05-22 21:16 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2015-06-10 06:14 - 2015-05-22 21:16 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2015-06-10 06:14 - 2015-05-22 21:01 - 00066560 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2015-06-10 06:14 - 2015-05-22 21:00 - 02885632 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2015-06-10 06:14 - 2015-05-22 21:00 - 00584192 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2015-06-10 06:14 - 2015-05-22 21:00 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2015-06-10 06:14 - 2015-05-22 20:53 - 00054784 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2015-06-10 06:14 - 2015-05-22 20:52 - 00034304 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2015-06-10 06:14 - 2015-05-22 20:48 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2015-06-10 06:14 - 2015-05-22 20:47 - 00144384 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2015-06-10 06:14 - 2015-05-22 20:47 - 00114688 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2015-06-10 06:14 - 2015-05-22 20:40 - 00968704 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2015-06-10 06:14 - 2015-05-22 20:36 - 00490496 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2015-06-10 06:14 - 2015-05-22 20:29 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2015-06-10 06:14 - 2015-05-22 20:21 - 00316928 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2015-06-10 06:14 - 2015-05-22 20:07 - 00720384 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2015-06-10 06:14 - 2015-05-22 20:06 - 00801280 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2015-06-10 06:14 - 2015-05-22 20:05 - 02125824 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2015-06-10 06:14 - 2015-05-22 19:38 - 01545728 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2015-06-10 06:14 - 2015-05-22 19:26 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2015-06-10 06:13 - 2015-05-27 16:35 - 24917504 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2015-06-10 06:13 - 2015-05-22 21:00 - 00417792 _____ (Microsoft Corporation) C:\Windows\system32\html.iec
2015-06-10 06:13 - 2015-05-22 20:59 - 00088064 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2015-06-10 06:13 - 2015-05-22 20:52 - 06026240 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2015-06-10 06:13 - 2015-05-22 20:47 - 00816640 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2015-06-10 06:13 - 2015-05-22 20:47 - 00814080 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2015-06-10 06:13 - 2015-05-22 20:25 - 00199680 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2015-06-10 06:13 - 2015-05-22 20:24 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2015-06-10 06:13 - 2015-05-22 20:05 - 01359360 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2015-06-10 06:13 - 2015-05-22 19:57 - 14404096 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2015-06-10 06:13 - 2015-05-22 19:50 - 02426880 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2015-06-09 15:47 - 2015-06-09 15:47 - 01532785 _____ C:\Users\Mariette\Downloads\ANA QP Gr 9(3).zip
2015-06-08 12:39 - 2015-06-08 12:39 - 00000186 _____ C:\Users\Mariette\Downloads\eb5cdf3f93a0774627fd050f2f389ff943d80c2b_original.zip
2015-06-08 12:35 - 2015-06-08 12:35 - 00375855 _____ C:\Users\Mariette\Downloads\b1d520e88cb247736ddc9bb8d17ed9e799c2febb_original.zip
2015-06-08 12:33 - 2015-06-08 12:34 - 00000198 _____ C:\Users\Mariette\Downloads\4c1de4db23e461ce83fb85fae3e3a378e77a8a78_original.zip
2015-06-08 12:32 - 2015-06-08 12:32 - 00000198 _____ C:\Users\Mariette\Downloads\da60847518a2f5860043a8e335eb78ef654e36c0_original.zip
2015-06-06 15:09 - 2015-06-06 15:09 - 01532785 _____ C:\Users\Mariette\Downloads\ANA QP Gr 9(2).zip
2015-06-06 15:09 - 2015-06-06 15:09 - 01532785 _____ C:\Users\Mariette\Downloads\ANA QP Gr 9(1).zip
2015-06-06 15:08 - 2015-06-06 15:08 - 01532785 _____ C:\Users\Mariette\Downloads\ANA QP Gr 9.zip
2015-06-06 15:06 - 2015-06-06 15:06 - 00742443 _____ C:\Users\Mariette\Downloads\Grade 9 Afrikaans Home Language(1).zip
2015-06-06 14:59 - 2015-06-06 14:59 - 00742443 _____ C:\Users\Mariette\Downloads\Grade 9 Afrikaans Home Language.zip
2015-06-04 12:20 - 2015-06-04 12:20 - 00000000 ____D C:\Users\Mariette\AppData\Local\GWX
2015-05-26 11:29 - 2015-05-26 20:16 - 00000000 ____D C:\Users\Mariette\AppData\Local\DStv Desktop Player
2015-05-26 11:28 - 2015-05-26 11:28 - 00001809 _____ C:\Users\Mariette\Desktop\DStv Desktop Player.lnk
2015-05-26 11:28 - 2015-05-26 11:28 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DStv Desktop Player
2015-05-26 11:25 - 2015-05-26 11:27 - 28295168 _____ C:\Users\Mariette\Downloads\DStv_Desktop_Player 1.1.10.msi

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-23 07:58 - 2015-04-04 21:13 - 00000000 ___RD C:\Users\Mariette\iCloudDrive
2015-06-23 07:58 - 2015-04-04 18:00 - 00000000 ____D C:\Users\Mariette\Documents\Outlook Files
2015-06-23 07:58 - 2015-04-04 16:30 - 00031357 _____ C:\ProgramData\lxeascan.log
2015-06-23 07:57 - 2012-06-04 22:58 - 01051802 _____ C:\Windows\WindowsUpdate.log
2015-06-23 07:57 - 2011-08-15 00:02 - 00014756 _____ C:\Windows\error.log
2015-06-23 07:57 - 2011-08-15 00:02 - 00003416 _____ C:\Windows\errord.log
2015-06-23 07:57 - 2010-11-21 05:47 - 00197874 _____ C:\Windows\PFRO.log
2015-06-23 07:57 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-23 07:57 - 2009-07-14 06:51 - 00051404 _____ C:\Windows\setupact.log
2015-06-23 07:52 - 2015-04-08 11:29 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-06-23 07:09 - 2009-07-14 06:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-06-23 07:09 - 2009-07-14 06:45 - 00016976 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-06-22 19:32 - 2015-04-04 17:54 - 00000000 ____D C:\Users\Mariette\Desktop\Old Firefox Data
2015-06-22 17:39 - 2009-07-14 07:13 - 00781790 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-22 16:58 - 2009-07-14 05:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-06-22 08:12 - 2015-04-07 16:14 - 00000504 _____ C:\ProgramData\FastPics.log
2015-06-22 08:11 - 2009-07-14 06:57 - 00001547 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
2015-06-20 21:43 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\NDF
2015-06-20 21:40 - 2015-04-04 16:18 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\Seagate
2015-06-20 21:40 - 2015-04-04 16:18 - 00000000 ____D C:\ProgramData\Seagate
2015-06-20 21:38 - 2015-04-04 18:00 - 00000000 ____D C:\Users\Mariette\Documents\My Digital Editions
2015-06-20 17:40 - 2009-07-14 04:34 - 00000580 _____ C:\Windows\win.ini
2015-06-20 17:39 - 2015-04-04 16:05 - 00001420 _____ C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-06-20 17:38 - 2009-07-14 06:45 - 00992656 _____ C:\Windows\system32\FNTCACHE.DAT
2015-06-20 17:00 - 2015-04-04 16:05 - 00329776 _____ C:\Users\Mariette\AppData\Local\GDIPFONTCACHEV1.DAT
2015-06-20 16:26 - 2015-04-07 15:13 - 00000000 __SHD C:\Users\Mariette\AppData\Local\EmieUserList
2015-06-20 16:26 - 2015-04-07 15:13 - 00000000 __SHD C:\Users\Mariette\AppData\Local\EmieSiteList
2015-06-20 16:26 - 2015-04-07 15:13 - 00000000 __SHD C:\Users\Mariette\AppData\Local\EmieBrowserModeList
2015-06-20 16:26 - 2015-04-04 16:04 - 00000000 ____D C:\Users\Mariette\AppData\Local\VirtualStore
2015-06-19 20:19 - 2015-04-05 09:54 - 00000000 ____D C:\Users\Mariette\AppData\Local\Adobe
2015-06-19 20:17 - 2015-04-08 11:29 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-06-19 20:16 - 2015-04-08 11:29 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-06-19 20:16 - 2011-08-14 23:48 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-06-11 04:02 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\rescache
2015-06-11 03:26 - 2009-07-14 07:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-06-11 03:24 - 2015-04-16 10:45 - 00000000 ___SD C:\Windows\system32\CompatTel
2015-06-11 03:24 - 2015-04-16 10:45 - 00000000 ____D C:\Windows\system32\appraiser
2015-06-11 03:24 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2015-06-11 03:07 - 2015-04-07 09:29 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-06-11 03:04 - 2015-04-07 08:40 - 00000000 ____D C:\Windows\system32\MRT
2015-06-10 06:42 - 2015-05-14 09:33 - 00002190 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-06-06 13:08 - 2015-04-04 21:06 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\Apple Computer
2015-06-06 13:08 - 2015-04-04 21:06 - 00000000 ____D C:\Users\Mariette\AppData\Local\Apple Computer
2015-05-27 00:04 - 2015-04-07 08:40 - 140135120 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Files in the root of some directories =======

2015-04-07 16:14 - 2015-06-22 08:12 - 0000504 _____ () C:\ProgramData\FastPics.log
2015-04-04 16:30 - 2015-06-23 07:58 - 0031357 _____ () C:\ProgramData\lxeascan.log
2015-04-07 16:12 - 2015-04-07 16:12 - 0000000 _____ () C:\ProgramData\UpdaterLog.txt

Some files in TEMP:
====================
C:\Users\Mariette\AppData\Local\Temp\094508dd-2ae4-447b-b3da-e52db7d50348.setup.exe
C:\Users\Mariette\AppData\Local\Temp\downloader.dll
C:\Users\Mariette\AppData\Local\Temp\Ingo Downloader.exe
C:\Users\Mariette\AppData\Local\Temp\MSN64CC.exe
C:\Users\Mariette\AppData\Local\Temp\Quarantine.exe
C:\Users\Mariette\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-06-23 07:15

==================== End of log ============================
Attached Files: Addition.txt (35.2 KB, 34 views)

Old 06-23-2015, 01:15 AM   #6
chemist (Security Team, Moderator, Analyst)

Hello Mariette. You're very welcome! Please refrain from installing new software during the cleansing process. Thanks.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

Also, if you haven't done so already, create a system repair disc. It's really easy and quick.

Create a system repair disc

------------------------------------------------------

It appears that you have two antivirus programs installed and running, AVG and Security Essentials.

While this may seem like better protection, they can actually conflict with one another and cause system instability or even system hangs.

After running the fix with FRST, please choose one to keep and uninstall the other via Programs and Features in your Control Panel.

------------------------------------------------------

Do you use a development (experimental build) version of Chrome?

If not, you need to uninstall, then re-install Chrome after running FRST, if you want to have Chrome installed.

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    AV: 电脑管家系统防护 (Enabled - Up to date) {6F9C3F92-B625-0E47-F0B1-447602EC65F5}
    AS: 电脑管家系统防护 (Enabled - Up to date) {D4FDDE76-901F-01C9-CA01-7F04796B2F48}
    AVG 2015 (Version: 15.0.4365 - AVG Technologies) Hidden
    AVG 2015 (Version: 15.0.6030 - AVG Technologies) Hidden
    Task: {89F67B7A-C0A8-43AF-A676-750AEEC1085B} - System32\Tasks\Bidaily Synchronize Task[973b] => c:\programdata\{3a6bfa1e-738a-fc7e-3a6b-bfa1e738e879}\ingo downloader.exe <==== ATTENTION
    c:\programdata\{3a6bfa1e-738a-fc7e-3a6b-bfa1e738e879}
    Task: C:\Windows\Tasks\Bidaily Synchronize Task[973b].job => c:\programdata\{3a6bfa1e-738a-fc7e-3a6b-bfa1e738e879}\ingo downloader.exe <==== ATTENTION
    FirewallRules: [TCP Query User{65E479DC-0AB6-48A7-8A5A-AD6BD5D5325C}D:\program files (x86)\prompt downloader\promptdownloader.exe] => (Allow) D:\program files (x86)\prompt downloader\promptdownloader.exe
    FirewallRules: [UDP Query User{73CACF5E-B2E2-4D55-8F71-370757D6BEAB}D:\program files (x86)\prompt downloader\promptdownloader.exe] => (Allow) D:\program files (x86)\prompt downloader\promptdownloader.exe
    D:\program files (x86)\prompt downloader
    FirewallRules: [{E1E457CD-C7A7-4AB1-8D34-2523AEAC2D89}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCmgrInstallGuide.exe
    FirewallRules: [{682ED036-6D2F-4368-8BA9-11A49BEA932E}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCTray.exe
    FirewallRules: [{E6AF920F-F7D0-4957-81A4-410815E292CA}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCMgr.exe
    FirewallRules: [{1429FC3A-3B26-4B95-8DEB-74EC26DB3D21}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCRTP.exe
    FirewallRules: [{F37137F9-7C96-4C91-94EF-F93E39EC13E2}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMDL.exe
    FirewallRules: [{16C6B715-FF08-41E1-B012-50F6C757087F}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\bugreport.exe
    FirewallRules: [{C1847E1B-6AFC-4CAD-9976-84CBDCC789E4}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCFileOpen.exe
    FirewallRules: [{8CDC1C37-2082-4537-AB81-417771D721CA}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCLeakScan.exe
    FirewallRules: [{EF10A901-11F3-48C4-AB6B-1B6BB894FDFD}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPConfig.exe
    FirewallRules: [{7FAEC4B6-DF2F-4879-96FD-529D67D007B9}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCSoftMgr.exe
    FirewallRules: [{9EE59BC7-4B44-4532-B567-18C43EF19412}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\plugins\QMNetMon\QQPCNetFlow.exe
    FirewallRules: [{9EC10F02-2ABF-4AE6-8018-F5D2D638A89C}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCBTU.exe
    FirewallRules: [{A2D4240D-5D39-45FE-9B5E-9EA90168124B}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCClinic.exe
    FirewallRules: [{E1144911-BC00-4E42-94B1-F06210096CE3}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCLaunch.exe
    FirewallRules: [{42C8ADDE-91CB-45FC-BC31-7F917C48E4FA}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMUpdate\QQPCMgrUpdate.exe
    FirewallRules: [{9FACEEC7-2AB5-4D33-A773-3AAE32993043}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCSoftGame.exe
    FirewallRules: [{D233E842-7A86-4824-8B06-38FB6CCCBEE5}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCSysOptimize.exe
    FirewallRules: [{05954904-2392-4DB7-B88E-5323100E34FE}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCUpdateAVLib.exe
    FirewallRules: [{25221F72-F0D1-450F-91D9-989E466EA7E7}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQRepair.exe
    FirewallRules: [{8AB93C03-E337-43D3-BF14-F7420B060974}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\Uninst.exe
    FirewallRules: [{B513B697-52C5-42E8-B732-A74257A1D543}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCPatch.exe
    FirewallRules: [{5D63F7F8-EEC8-4EE0-964F-EFA45B0A9C95}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TpkUpdate.exe
    FirewallRules: [{21E59FAB-328E-48BC-A440-B83558B45FA3}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMRouterMgr.exe
    FirewallRules: [{8C209D39-BE25-46C1-AE7D-C934ADAD1D70}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMAccountProtection.exe
    FirewallRules: [{7DB47441-9F3C-4B4C-966F-C207188F3E4E}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe
    FirewallRules: [{BFD7BFC4-D60A-4A27-9554-55312096DAC0}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\130\bugreport_xf.exe
    HKLM-x32\...\Run: [ QQPCTray] => "C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCTRAY.EXE" /regrun /qqrepair
    C:\Program Files (x86)\Tencent
    ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} => C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMGCShellExt64.dll No File
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mystartsearch
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = https://www.hao123.com/?tn=91284697_hao_pg
    HKU\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.hao123.com/?tn=91284697_hao_pg
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-2407485051-244769875-2442591779-1001 -> {81DCC3D8-7CB8-4FAB-BBBA-29EEAB6B154E} URL = 
    BHO: 电脑管家网页防火墙 -> {7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} -> C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TSWebMon64.dat No File
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @qq.com/QQPCMgr -> C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\npQMExtensionsMozilla.dll No File
    HKLM-x32\...\Run: [ QQPCTray] => "C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCTRAY.EXE" /regrun /qqrepair0
    ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} => C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMGCShellExt64.dll No File
    GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mystartsearch
    HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = https://www.hao123.com/?tn=91284697_hao_pg
    HKU\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.hao123.com/?tn=91284697_hao_pg
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-2407485051-244769875-2442591779-1001 -> {81DCC3D8-7CB8-4FAB-BBBA-29EEAB6B154E} URL = 
    BHO: 电脑管家网页防火墙 -> {7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} -> C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TSWebMon64.dat No File
    BHO-x32: Wooden Seal 1.0.0.7 -> {7a0ab196-76b2-4ee2-858e-7efdc93c3a47} -> C:\Program Files (x86)\Wooden Seal\WoodenSealbho.dll No File
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @qq.com/QQPCMgr -> C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\npQMExtensionsMozilla.dll No File
    S2 QQPCRTP; "C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCRtp.exe" -r [X]
    R2 wegyqybi; C:\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009\knsp41DE.tmpfs [X]
    C:\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009\knsp41DE.tmpfs
    S3 TSSKX64; C:\Windows\System32\drivers\tsskx64.sys [38200 2015-06-20] (电脑管家)
    S3 gdrv; \??\C:\Windows\gdrv.sys [X]
    R1 TSDefenseBt; \??\C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TsDefenseBT64.sys [X]
    2015-06-20 16:26 - 2015-06-22 08:44 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009
    2015-06-20 16:26 - 2015-06-20 16:26 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件
    2015-06-20 16:26 - 2015-06-20 16:25 - 00174392 _____ (Tencent Technology(Shenzhen) Company Limited) C:\Windows\system32\Drivers\TAOKernel64.sys
    2015-06-20 16:26 - 2015-06-20 16:25 - 00099640 _____ (Tencent) C:\Windows\system32\Drivers\TAOAccelerator64.sys
    2015-06-20 16:26 - 2015-06-20 16:25 - 00087864 _____ (电脑管家) C:\Windows\system32\Drivers\TFsFltX64.sys
    2015-06-20 16:26 - 2015-06-20 16:25 - 00038200 _____ (电脑管家) C:\Windows\system32\Drivers\TSSKX64.sys
    2015-06-20 16:25 - 2015-06-23 07:57 - 00000000 ____D C:\ProgramData\Tencent
    2015-06-20 16:25 - 2015-06-23 07:55 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\Tencent
    2015-06-20 16:25 - 2015-06-20 16:25 - 00000000 ____D C:\Program Files (x86)\Tencent
    2015-06-20 16:22 - 2015-06-20 16:29 - 00000000 ____D C:\Program Files (x86)\Rising
    2015-06-20 16:22 - 2015-06-20 16:23 - 00000000 ____D C:\ProgramData\Rising
    2015-06-20 16:09 - 2015-06-20 16:11 - 00000000 ____D C:\ProgramData\13218838151618144787
    2015-06-20 16:07 - 2015-06-23 04:07 - 00000350 _____ C:\Windows\Tasks\Bidaily Synchronize Task[973b].job
    2015-06-20 16:07 - 2015-06-20 16:07 - 00003268 _____ C:\Windows\System32\Tasks\Bidaily Synchronize Task[973b]
    C:\ProgramData\13218838151618144787
    C:\Windows\Tasks\Bidaily Synchronize Task[973b].job
    C:\Windows\System32\Tasks\Bidaily Synchronize Task[973b]
    Folder: C:\ProgramData\TXQMPC
    Folder: C:\ProgramData\13218838151618144787
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 06-23-2015, 02:32 AM   #7
Registered Member
 
mhgrobler's Avatar
 
Join Date: Feb 2015
Location: Paarl, Western Cape, South Africa
Posts: 42
OS: Windows 7



Fix result of Farbar Recovery Scan Tool (x64) Version:21-06-2015 01
Ran by Mariette at 2015-06-23 11:27:19 Run:1
Running from C:\Users\Mariette\Downloads
Loaded Profiles: Mariette & Administrator (Available Profiles: Mariette & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
createrestorepoint:
AV: ???????? (Enabled - Up to date) {6F9C3F92-B625-0E47-F0B1-447602EC65F5}
AS: ???????? (Enabled - Up to date) {D4FDDE76-901F-01C9-CA01-7F04796B2F48}
AVG 2015 (Version: 15.0.4365 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.6030 - AVG Technologies) Hidden
Task: {89F67B7A-C0A8-43AF-A676-750AEEC1085B} - System32\Tasks\Bidaily Synchronize Task[973b] => c:\programdata\{3a6bfa1e-738a-fc7e-3a6b-bfa1e738e879}\ingo downloader.exe <==== ATTENTION
c:\programdata\{3a6bfa1e-738a-fc7e-3a6b-bfa1e738e879}
Task: C:\Windows\Tasks\Bidaily Synchronize Task[973b].job => c:\programdata\{3a6bfa1e-738a-fc7e-3a6b-bfa1e738e879}\ingo downloader.exe <==== ATTENTION
FirewallRules: [TCP Query User{65E479DC-0AB6-48A7-8A5A-AD6BD5D5325C}D:\program files (x86)\prompt downloader\promptdownloader.exe] => (Allow) D:\program files (x86)\prompt downloader\promptdownloader.exe
FirewallRules: [UDP Query User{73CACF5E-B2E2-4D55-8F71-370757D6BEAB}D:\program files (x86)\prompt downloader\promptdownloader.exe] => (Allow) D:\program files (x86)\prompt downloader\promptdownloader.exe
D:\program files (x86)\prompt downloader
FirewallRules: [{E1E457CD-C7A7-4AB1-8D34-2523AEAC2D89}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCmgrInstallGuide.exe
FirewallRules: [{682ED036-6D2F-4368-8BA9-11A49BEA932E}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCTray.exe
FirewallRules: [{E6AF920F-F7D0-4957-81A4-410815E292CA}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCMgr.exe
FirewallRules: [{1429FC3A-3B26-4B95-8DEB-74EC26DB3D21}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCRTP.exe
FirewallRules: [{F37137F9-7C96-4C91-94EF-F93E39EC13E2}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMDL.exe
FirewallRules: [{16C6B715-FF08-41E1-B012-50F6C757087F}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\bugreport.exe
FirewallRules: [{C1847E1B-6AFC-4CAD-9976-84CBDCC789E4}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCFileOpen.exe
FirewallRules: [{8CDC1C37-2082-4537-AB81-417771D721CA}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCLeakScan.exe
FirewallRules: [{EF10A901-11F3-48C4-AB6B-1B6BB894FDFD}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPConfig.exe
FirewallRules: [{7FAEC4B6-DF2F-4879-96FD-529D67D007B9}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCSoftMgr.exe
FirewallRules: [{9EE59BC7-4B44-4532-B567-18C43EF19412}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\plugins\QMNetMon\QQPCNetFlow.exe
FirewallRules: [{9EC10F02-2ABF-4AE6-8018-F5D2D638A89C}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCBTU.exe
FirewallRules: [{A2D4240D-5D39-45FE-9B5E-9EA90168124B}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCClinic.exe
FirewallRules: [{E1144911-BC00-4E42-94B1-F06210096CE3}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCLaunch.exe
FirewallRules: [{42C8ADDE-91CB-45FC-BC31-7F917C48E4FA}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMUpdate\QQPCMgrUpdate.exe
FirewallRules: [{9FACEEC7-2AB5-4D33-A773-3AAE32993043}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCSoftGame.exe
FirewallRules: [{D233E842-7A86-4824-8B06-38FB6CCCBEE5}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCSysOptimize.exe
FirewallRules: [{05954904-2392-4DB7-B88E-5323100E34FE}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCUpdateAVLib.exe
FirewallRules: [{25221F72-F0D1-450F-91D9-989E466EA7E7}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQRepair.exe
FirewallRules: [{8AB93C03-E337-43D3-BF14-F7420B060974}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\Uninst.exe
FirewallRules: [{B513B697-52C5-42E8-B732-A74257A1D543}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCPatch.exe
FirewallRules: [{5D63F7F8-EEC8-4EE0-964F-EFA45B0A9C95}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TpkUpdate.exe
FirewallRules: [{21E59FAB-328E-48BC-A440-B83558B45FA3}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMRouterMgr.exe
FirewallRules: [{8C209D39-BE25-46C1-AE7D-C934ADAD1D70}] => (Allow) C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMAccountProtection.exe
FirewallRules: [{7DB47441-9F3C-4B4C-966F-C207188F3E4E}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe
FirewallRules: [{BFD7BFC4-D60A-4A27-9554-55312096DAC0}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\130\bugreport_xf.exe
HKLM-x32\...\Run: [ QQPCTray] => "C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCTRAY.EXE" /regrun /qqrepair
C:\Program Files (x86)\Tencent
ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} => C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMGCShellExt64.dll No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mystartsearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = https://www.hao123.com/?tn=91284697_hao_pg
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.hao123.com/?tn=91284697_hao_pg
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2407485051-244769875-2442591779-1001 -> {81DCC3D8-7CB8-4FAB-BBBA-29EEAB6B154E} URL =
BHO: ????????? -> {7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} -> C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TSWebMon64.dat No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @qq.com/QQPCMgr -> C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\npQMExtensionsMozilla.dll No File
HKLM-x32\...\Run: [ QQPCTray] => "C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCTRAY.EXE" /regrun /qqrepair0
ShellIconOverlayIdentifiers: [.QMDeskTopGCIcon] -> {B7667919-3765-4815-A66D-98A09BE662D6} => C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMGCShellExt64.dll No File
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mystartsearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = https://www.hao123.com/?tn=91284697_hao_pg
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.hao123.com/?tn=91284697_hao_pg
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2407485051-244769875-2442591779-1001 -> {81DCC3D8-7CB8-4FAB-BBBA-29EEAB6B154E} URL =
BHO: ????????? -> {7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} -> C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TSWebMon64.dat No File
BHO-x32: Wooden Seal 1.0.0.7 -> {7a0ab196-76b2-4ee2-858e-7efdc93c3a47} -> C:\Program Files (x86)\Wooden Seal\WoodenSealbho.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @qq.com/QQPCMgr -> C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\npQMExtensionsMozilla.dll No File
S2 QQPCRTP; "C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCRtp.exe" -r [X]
R2 wegyqybi; C:\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009\knsp41DE.tmpfs [X]
C:\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009\knsp41DE.tmpfs
S3 TSSKX64; C:\Windows\System32\drivers\tsskx64.sys [38200 2015-06-20] (????)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
R1 TSDefenseBt; \??\C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TsDefenseBT64.sys [X]
2015-06-20 16:26 - 2015-06-22 08:44 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009
2015-06-20 16:26 - 2015-06-20 16:26 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????
2015-06-20 16:26 - 2015-06-20 16:25 - 00174392 _____ (Tencent Technology(Shenzhen) Company Limited) C:\Windows\system32\Drivers\TAOKernel64.sys
2015-06-20 16:26 - 2015-06-20 16:25 - 00099640 _____ (Tencent) C:\Windows\system32\Drivers\TAOAccelerator64.sys
2015-06-20 16:26 - 2015-06-20 16:25 - 00087864 _____ (????) C:\Windows\system32\Drivers\TFsFltX64.sys
2015-06-20 16:26 - 2015-06-20 16:25 - 00038200 _____ (????) C:\Windows\system32\Drivers\TSSKX64.sys
2015-06-20 16:25 - 2015-06-23 07:57 - 00000000 ____D C:\ProgramData\Tencent
2015-06-20 16:25 - 2015-06-23 07:55 - 00000000 ____D C:\Users\Mariette\AppData\Roaming\Tencent
2015-06-20 16:25 - 2015-06-20 16:25 - 00000000 ____D C:\Program Files (x86)\Tencent
2015-06-20 16:22 - 2015-06-20 16:29 - 00000000 ____D C:\Program Files (x86)\Rising
2015-06-20 16:22 - 2015-06-20 16:23 - 00000000 ____D C:\ProgramData\Rising
2015-06-20 16:09 - 2015-06-20 16:11 - 00000000 ____D C:\ProgramData\13218838151618144787
2015-06-20 16:07 - 2015-06-23 04:07 - 00000350 _____ C:\Windows\Tasks\Bidaily Synchronize Task[973b].job
2015-06-20 16:07 - 2015-06-20 16:07 - 00003268 _____ C:\Windows\System32\Tasks\Bidaily Synchronize Task[973b]
C:\ProgramData\13218838151618144787
C:\Windows\Tasks\Bidaily Synchronize Task[973b].job
C:\Windows\System32\Tasks\Bidaily Synchronize Task[973b]
Folder: C:\ProgramData\TXQMPC
Folder: C:\ProgramData\13218838151618144787
EmptyTemp:
end
*****************

Error: (0) Failed to create a restore point.
AV: ???????? (Enabled - Up to date) {6F9C3F92-B625-0E47-F0B1-447602EC65F5} => not found
AS: ???????? (Enabled - Up to date) {D4FDDE76-901F-01C9-CA01-7F04796B2F48} => not found
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\SystemComponent => value not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\SystemComponent => value not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{89F67B7A-C0A8-43AF-A676-750AEEC1085B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{89F67B7A-C0A8-43AF-A676-750AEEC1085B}" => key removed successfully
C:\Windows\System32\Tasks\Bidaily Synchronize Task[973b] => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Bidaily Synchronize Task[973b]" => key removed successfully
"c:\programdata\{3a6bfa1e-738a-fc7e-3a6b-bfa1e738e879}" => File/Folder not found.
C:\Windows\Tasks\Bidaily Synchronize Task[973b].job => moved successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{65E479DC-0AB6-48A7-8A5A-AD6BD5D5325C}D:\program files (x86)\prompt downloader\promptdownloader.exe => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{73CACF5E-B2E2-4D55-8F71-370757D6BEAB}D:\program files (x86)\prompt downloader\promptdownloader.exe => value removed successfully
"D:\program files (x86)\prompt downloader" => File/Folder not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E1E457CD-C7A7-4AB1-8D34-2523AEAC2D89} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{682ED036-6D2F-4368-8BA9-11A49BEA932E} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E6AF920F-F7D0-4957-81A4-410815E292CA} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1429FC3A-3B26-4B95-8DEB-74EC26DB3D21} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F37137F9-7C96-4C91-94EF-F93E39EC13E2} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{16C6B715-FF08-41E1-B012-50F6C757087F} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C1847E1B-6AFC-4CAD-9976-84CBDCC789E4} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8CDC1C37-2082-4537-AB81-417771D721CA} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{EF10A901-11F3-48C4-AB6B-1B6BB894FDFD} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7FAEC4B6-DF2F-4879-96FD-529D67D007B9} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9EE59BC7-4B44-4532-B567-18C43EF19412} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9EC10F02-2ABF-4AE6-8018-F5D2D638A89C} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A2D4240D-5D39-45FE-9B5E-9EA90168124B} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{E1144911-BC00-4E42-94B1-F06210096CE3} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{42C8ADDE-91CB-45FC-BC31-7F917C48E4FA} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{9FACEEC7-2AB5-4D33-A773-3AAE32993043} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D233E842-7A86-4824-8B06-38FB6CCCBEE5} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{05954904-2392-4DB7-B88E-5323100E34FE} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{25221F72-F0D1-450F-91D9-989E466EA7E7} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8AB93C03-E337-43D3-BF14-F7420B060974} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{B513B697-52C5-42E8-B732-A74257A1D543} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5D63F7F8-EEC8-4EE0-964F-EFA45B0A9C95} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{21E59FAB-328E-48BC-A440-B83558B45FA3} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8C209D39-BE25-46C1-AE7D-C934ADAD1D70} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{7DB47441-9F3C-4B4C-966F-C207188F3E4E} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{BFD7BFC4-D60A-4A27-9554-55312096DAC0} => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ QQPCTray => value removed successfully
C:\Program Files (x86)\Tencent => moved successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\.QMDeskTopGCIcon" => key removed successfully
"HKCR\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}" => key removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-2407485051-244769875-2442591779-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{81DCC3D8-7CB8-4FAB-BBBA-29EEAB6B154E}" => key removed successfully
HKCR\CLSID\{81DCC3D8-7CB8-4FAB-BBBA-29EEAB6B154E} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}" => key removed successfully
"HKCR\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B}" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@qq.com/QQPCMgr" => key removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ QQPCTray => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\.QMDeskTopGCIcon => key not found.
HKCR\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6} => key not found.
"C:\Windows\system32\GroupPolicy\Machine" => File/Folder not found.
HKLM\SOFTWARE\Policies\Google => key not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value not found.
HKU\S-1-5-21-2407485051-244769875-2442591779-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{81DCC3D8-7CB8-4FAB-BBBA-29EEAB6B154E} => key not found.
HKCR\CLSID\{81DCC3D8-7CB8-4FAB-BBBA-29EEAB6B154E} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} => key not found.
HKCR\CLSID\{7C260B4B-F7A0-40B5-B403-BEFCDC6A4C3B} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7a0ab196-76b2-4ee2-858e-7efdc93c3a47}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{7a0ab196-76b2-4ee2-858e-7efdc93c3a47}" => key removed successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@qq.com/QQPCMgr => key not found.
QQPCRTP => Service removed successfully
wegyqybi => Service stopped successfully.
wegyqybi => Service removed successfully
C:\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009\knsp41DE.tmpfs => moved successfully.
TSSKX64 => Service removed successfully
gdrv => Service removed successfully
TSDefenseBt => Service stopped successfully.
TSDefenseBt => Service removed successfully
C:\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009 => moved successfully.

"C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????" folder move:

Could not move "C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????" folder => Scheduled to move on reboot.

C:\Windows\system32\Drivers\TAOKernel64.sys => moved successfully.
C:\Windows\system32\Drivers\TAOAccelerator64.sys => moved successfully.
C:\Windows\system32\Drivers\TFsFltX64.sys => moved successfully.
C:\Windows\system32\Drivers\TSSKX64.sys => moved successfully.
C:\ProgramData\Tencent => moved successfully.
C:\Users\Mariette\AppData\Roaming\Tencent => moved successfully.
"C:\Program Files (x86)\Tencent" => File/Folder not found.
C:\Program Files (x86)\Rising => moved successfully.
C:\ProgramData\Rising => moved successfully.
C:\ProgramData\13218838151618144787 => moved successfully.
"C:\Windows\Tasks\Bidaily Synchronize Task[973b].job" => File/Folder not found.
"C:\Windows\System32\Tasks\Bidaily Synchronize Task[973b]" => File/Folder not found.
"C:\ProgramData\13218838151618144787" => File/Folder not found.
"C:\Windows\Tasks\Bidaily Synchronize Task[973b].job" => File/Folder not found.
"C:\Windows\System32\Tasks\Bidaily Synchronize Task[973b]" => File/Folder not found.

========================= Folder: C:\ProgramData\TXQMPC ========================


====== End of Folder: ======


========================= Folder: C:\ProgramData\13218838151618144787 ========================

folder not found
EmptyTemp: => 2.6 GB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-06-23 11:29:15)<=

"C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????" => Could not move

==== End of Fixlog 11:29:15 ====
Old 06-23-2015, 02:34 AM   #8 (mhgrobler)
I am using Firefox, as you noticed, but I saw something about Chrome in your previous reply. Should I rather open your thread in Chrome, or can I carry on in Firefox?
Old 06-23-2015, 02:44 PM   #9
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
chemist's Avatar

Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Mariette. Still a lot to do here. Which antivirus did you uninstall?

You can carry on with FF, or use any browser you wish.

Have you intentionally disabled System Restore?

------------------------------------------------------

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the Internet Services option remains checked.
  • Check all the other boxes.
  • Click Scan.
  • It will create a log (FSS.txt) in the same directory from which the tool is run.
  • Please copy and paste the log in your next reply.
------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook_x64.exe to run it. (Vista/Win7/Win8 users, right-click > Run as administrator)
  • Copy/paste the contents of the following codebox into the main textfield:
    Code:
    :dir
    C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs /s
    
    :regfind
    Rs.exe
    tencent
    {6F9C3F92-B625-0E47-F0B1-447602EC65F5}
    {D4FDDE76-901F-01C9-CA01-7F04796B2F48}
  • Click the Look button to start the scan.
  • Please be patient, as it may take a while.
  • When finished, a Notepad file will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

------------------------------------------------------

Please go to: VirusTotal
  • Click the Choose File button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    C:\Program Files (x86)\Rs\Rs.exe

  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analysed: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
------------------------------------------------------
Old 06-23-2015, 09:34 PM   #10 (mhgrobler)
Hi Chemist
Glad you are back.

No, I did not intentionally disable System Restore.
I did, however, create an administrator user by going to the command prompt and using a netactive command. Now I do not know how to get rid of it. I am the owner of this computer, so I do not need the administrator when I log in.

I also deleted the AVG antivirus.

FSS.txt
Farbar Service Scanner Version: 17-01-2015
Ran by Mariette (administrator) on 24-06-2015 at 06:09:29
Running from "C:\Users\Mariette\Downloads"
Microsoft Windows 7 Professional Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============


Windows Update:
============




SystemLook 30.07.11 by jpshortstuff
Log created at 06:14 on 24/06/2015 by Mariette
Administrator - Elevation successful

========== dir ==========

C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs - Parameters: "/s"

---Files---
desktop.ini ---hs-- 476 bytes [14:05 04/04/2015] [15:39 20/06/2015]
Internet Explorer.lnk --a---- 1420 bytes [14:05 04/04/2015] [15:39 20/06/2015]

C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories dr----- [14:04 04/04/2015]
Command Prompt.lnk --a---- 1280 bytes [14:04 04/04/2015] [04:54 14/07/2009]
Desktop.ini --ahs-- 678 bytes [14:04 04/04/2015] [04:54 14/07/2009]
Notepad.lnk --a---- 1304 bytes [14:04 04/04/2015] [04:54 14/07/2009]
Run.lnk --a---- 262 bytes [14:04 04/04/2015] [04:49 14/07/2009]
Windows Explorer.lnk --a---- 1228 bytes [14:04 04/04/2015] [04:49 14/07/2009]

C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility dr----- [14:04 04/04/2015]
Desktop.ini --ahs-- 704 bytes [14:04 04/04/2015] [04:54 14/07/2009]
Ease of Access.lnk --a---- 1358 bytes [14:04 04/04/2015] [04:54 14/07/2009]
Magnify.lnk --a---- 1258 bytes [14:04 04/04/2015] [04:54 14/07/2009]
Narrator.lnk --a---- 1262 bytes [14:04 04/04/2015] [04:54 14/07/2009]
On-Screen Keyboard.lnk --a---- 1250 bytes [14:04 04/04/2015] [04:54 14/07/2009]

C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools dr----- [14:04 04/04/2015]
computer.lnk --a---- 262 bytes [14:04 04/04/2015] [04:49 14/07/2009]
Control Panel.lnk --a---- 262 bytes [14:04 04/04/2015] [04:49 14/07/2009]
Desktop.ini ---hs-- 738 bytes [14:04 04/04/2015] [14:05 04/04/2015]
Internet Explorer (No Add-ons).lnk --a---- 1470 bytes [14:05 04/04/2015] [15:39 20/06/2015]
Private Character Editor.lnk --a---- 1306 bytes [14:04 04/04/2015] [04:54 14/07/2009]

C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools dr----- [14:05 04/04/2015]
desktop.ini ---hs-- 174 bytes [14:05 04/04/2015] [15:39 20/06/2015]

C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DStv Desktop Player d------ [09:28 26/05/2015]
DStv Desktop Player.lnk --a---- 857 bytes [09:28 26/05/2015] [09:28 26/05/2015]

C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance dr----- [14:04 04/04/2015]
Desktop.ini --ahs-- 318 bytes [14:04 04/04/2015] [04:49 14/07/2009]
Help.lnk --a---- 262 bytes [14:04 04/04/2015] [04:49 14/07/2009]

C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup dr----- [14:05 04/04/2015]
desktop.ini ---hs-- 174 bytes [14:05 04/04/2015] [15:39 20/06/2015]

C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件 d------ [14:26 20/06/2015]

C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件\电脑管家 d------ [14:26 20/06/2015]
卸载电脑管家.lnk --a---- 2254 bytes [14:26 20/06/2015] [14:26 20/06/2015]
软件管理.lnk --a---- 2291 bytes [14:26 20/06/2015] [14:26 20/06/2015]

========== regfind ==========

Searching for "Rs.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Rs]
"command"="C:\Program Files (x86)\Rs\Rs.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers]
"SystemBinariesList"="win32k.sys:winlogon.exe:EXPLORER.EXE:CSRSS.Exe:dwm.exe:logon.scr:logonui.exe:lsass.exe:lsm.exe:ntkrpamp.exe:ntoskrnl.exe:RUNDLL32.EXE:services.exe:sppsvc.exe:smss.exe:spoolsv.exe:svchost.exe:taskeng.exe:WinInit.exe:WISPTIS.EXE:dllhost.exe:dllhst3g.exe:cscript.exe:mmc.exe:msiexec.exe:upnpcont.exe:wscript.exe:WUDFHost.exe:dfsvc.exe:dfsvc.exe:fdbs.exe:ntfsbs.exe:memdiag.exe:NETFXSBS10.exe:applaunch.exe:aspnet_compiler.exe:aspnet_regbrowsers.exe:aspnet_regiis.exe:aspnet_regsql.exe:aspnet_state.exe:aspnet_wp.exe:caspol.exe:csc.exe:CVTRES.EXE:dfsvc.exe:dw20.exe:IEExec.exe:ilasm.exe:InstallUtil.exe:jsc.exe:MSBuild.exe:mscorsvw.exe:ngen.exe:RegAsm.exe::RegSvcs.exe:vbc.exe:TrustedInstaller.exe:Aurora.scr:AutoChk.Exe:AUTOFMT.EXE:CHKDSK.EXE:CHKNTFS.EXE:consent.exe:PnPUnattend.exe:PnPutil.exe:RacAgent.exe:fsquirt.exe:Uninst.exe:updateWmc.exe:wmdc.exe:wmdsync.exe:mofcomp.exe:ScrCons.exe:smi2smir.exe:unse
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B499DA244CA61BC4796CD1AF871D9F07]
"6414876250E69FF3395387C6C7F05BEB"="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B7B51EF661B3A4F48BFE5E3A6B34F533]
"6414876250E69FF3395387C6C7F05BEB"="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="C:\Windows\system32\igfxpers.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Intel\GFX\Uninstall]
"process10"="process=igfxpers.exe error= usequence=-9 group=GFX"

Searching for "tencent"
[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Internet]
"UseRWHlinkNavigation"="https://www.techsupportforum.com/forums/f50/spyware-called-tencent-qq-1009490-new-post.html"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCFileOpen.exe"="ELEVATECREATEPROCESS"
[HKEY_CURRENT_USER\Software\Tencent]
[HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\InprocServer32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextUninstall64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\InProcServer32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextUninstall64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PCMgrRepairIEExtensions\DefaultIcon]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCMgr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PCMgrRepairIEExtensions\Shell\Open\Command]
@=""C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCMgr.exe"%1 "
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qmbfile\DefaultIcon]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCInstAssist.exe,-203"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qmbfile\shell\command]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCInstAssist.exe "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qmgcfiles\DefaultIcon]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMGCShellExt64.dll,1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qmgcfiles\Shell\open\Command]
@=""C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\\QMDeskTopGC.exe" /file="%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qpakfile\DefaultIcon]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCAddWidget.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qpakfile\shell\command]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCAddWidget.exe /inst "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQPCMgr.qbox\DefaultIcon]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\image\qbox.ico,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\QQPCMgr.qbox\shell\command]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCFileSafe.exe "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{35627C7C-DB28-4772-9A6F-7607FFCBF9FF}\1.0\0\win64]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TSWebMon64.dat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{445E3964-15B0-472A-95F4-6242DD2EA066}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextUninstall64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{593BE60A-1C6A-44F9-946D-A5EAB2D53511}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextScan.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{8519F1E4-E25B-42B1-B361-0C643F45CF11}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TAOFrame.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C049F583-D724-4BAB-8F47-F13BCA41B808}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\npQMExtensionsIE.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
@="C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]
@=""C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCFileOpen.exe" "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\opendlg\command]
@=""C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCFileOpen.exe" "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\InprocServer32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\npQMExtensionsIE.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4C097DF1-0716-4FA1-84A9-025BC1E7B03F}\LocalServer32]
@=""C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TAOFrame.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextScan.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{88260EA6-BC91-42DF-ABEF-4A683E8A3C23}\LocalServer32]
@=""C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TAOFrame.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\InProcServer32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextScan.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EC0FA563-E0F2-406F-8659-1E728458A91E}\LocalServer32]
@=""C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TAOFrame.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{35627C7C-DB28-4772-9A6F-7607FFCBF9FF}\1.0\0\win64]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TSWebMon64.dat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{445E3964-15B0-472A-95F4-6242DD2EA066}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextUninstall64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{593BE60A-1C6A-44F9-946D-A5EAB2D53511}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextScan.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{8519F1E4-E25B-42B1-B361-0C643F45CF11}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TAOFrame.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{C049F583-D724-4BAB-8F47-F13BCA41B808}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\npQMExtensionsIE.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
@="C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\NativeMessagingHosts\com.qq.qmchext]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\com.qq.qmchext.json"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}]
"AppPath"="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tencent]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tencent\QQPCMgr]
"InstallDir"="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Tencent\QQPCMgr]
"ExeString"="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCMgr.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\InprocServer32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\npQMExtensionsIE.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{4C097DF1-0716-4FA1-84A9-025BC1E7B03F}\LocalServer32]
@=""C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TAOFrame.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextScan.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{88260EA6-BC91-42DF-ABEF-4A683E8A3C23}\LocalServer32]
@=""C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TAOFrame.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\InProcServer32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextScan.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{EC0FA563-E0F2-406F-8659-1E728458A91E}\LocalServer32]
@=""C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TAOFrame.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{35627C7C-DB28-4772-9A6F-7607FFCBF9FF}\1.0\0\win64]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TSWebMon64.dat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{445E3964-15B0-472A-95F4-6242DD2EA066}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextUninstall64.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{593BE60A-1C6A-44F9-946D-A5EAB2D53511}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QMContextScan.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{8519F1E4-E25B-42B1-B361-0C643F45CF11}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\TAOFrame.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{C049F583-D724-4BAB-8F47-F13BCA41B808}\1.0\0\win32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\npQMExtensionsIE.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
@="C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_QMUDISK\0000]
"DeviceDesc"="tencent QMUdisk"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAOACCELERATOR\0000]
"DeviceDesc"="Tencent TAOAccelerator driver."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAOKERNELDRIVER\0000]
"DeviceDesc"="Tencent TAO kernel driver."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_QMUDISK\0000]
"DeviceDesc"="tencent QMUdisk"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TAOACCELERATOR\0000]
"DeviceDesc"="Tencent TAOAccelerator driver."
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TAOKERNELDRIVER\0000]
"DeviceDesc"="Tencent TAO kernel driver."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QMUDISK\0000]
"DeviceDesc"="tencent QMUdisk"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAOACCELERATOR\0000]
"DeviceDesc"="Tencent TAOAccelerator driver."
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAOKERNELDRIVER\0000]
"DeviceDesc"="Tencent TAO kernel driver."
[HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Microsoft\Office\14.0\Common\Internet]
"UseRWHlinkNavigation"="https://www.techsupportforum.com/forums/f50/spyware-called-tencent-qq-1009490-new-post.html"
[HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCFileOpen.exe"="ELEVATECREATEPROCESS"
[HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Tencent]
[HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent]
[HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent]

Searching for "{6F9C3F92-B625-0E47-F0B1-447602EC65F5}"
No data found.

Searching for "{D4FDDE76-901F-01C9-CA01-7F04796B2F48}"
No data found.

-= EOF =-


Virus Total
When I choose file, it opens up in desktop.
If I paste the text c:\program files ....etc. from your instructions into the box,
I get a File upload message that says that the path does not exist.
mhgrobler is offline  
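The SystemLook regfind section in the post above lists every registry key that mentions "tencent", but for cleanup what matters is which of those keys can make the software launch or load again: autostart entries, file-association shell handlers, COM servers, a browser native-messaging host, an IE elevation-policy entry and driver enumerations. The Python script below is an added example, not SystemLook's, ComboFix's or the forum's own code. It parses regfind output (a constructed subset of the log above is embedded as sample input), groups each hit by that mechanism using key-path patterns that are my own assumptions, and lists the on-disk files the hits point at, which are the artefacts worth hashing or submitting for a scan before anything is deleted.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the SystemLook "regfind" section posted above.
SAMPLE_REGFIND = r'''
Searching for "Rs.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Rs]
"command"="C:\Program Files (x86)\Rs\Rs.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="C:\Windows\system32\igfxpers.exe"

Searching for "tencent"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCFileOpen.exe"="ELEVATECREATEPROCESS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\shell\openas\command]
@=""C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\QQPCFileOpen.exe" "%1""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\InprocServer32]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\npQMExtensionsIE.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\NativeMessagingHosts\com.qq.qmchext]
@="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\com.qq.qmchext.json"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{16EE6530-8649-4F42-A9E4-F6A3295AF975}]
"AppPath"="C:\Program Files (x86)\Tencent\QQPCMgr\10.9.16350.226\"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAOKERNELDRIVER\0000]
"DeviceDesc"="Tencent TAO kernel driver."
[HKEY_CURRENT_USER\Software\Tencent]

Searching for "{6F9C3F92-B625-0E47-F0B1-447602EC65F5}"
No data found.
'''

SEARCH_RE = re.compile(r'^Searching for "(.*)"$')
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^(@|"[^"]*")=(.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys|dat|json)\b', re.I)

# Key-path patterns (my own assumptions, not SystemLook's) mapping a hit to the
# mechanism by which it can make code run or load again.
CATEGORIES = [
    ("autostart",           re.compile(r'\\CurrentVersion\\Run$|\\MSConfig\\startupreg\\', re.I)),
    ("file-handler",        re.compile(r'\\shell\\(?:[^\\]+\\)?command$', re.I)),
    ("com-server",          re.compile(r'\\CLSID\\\{[^}]+\}\\(?:InprocServer32|LocalServer32)$', re.I)),
    ("browser-native-host", re.compile(r'\\NativeMessagingHosts\\', re.I)),
    ("ie-elevation-policy", re.compile(r'\\Low Rights\\ElevationPolicy\\', re.I)),
    ("appcompat-layer",     re.compile(r'\\AppCompatFlags\\Layers$', re.I)),
    ("driver-enum",         re.compile(r'\\Enum\\Root\\LEGACY_', re.I)),
]


def parse_regfind(text):
    """Parse a SystemLook regfind section into {search_term: {key: [(value_name, data), ...]}}.
    A key listed without values (a bare hit on the key name) maps to an empty list; a key
    that the log repeats with different values is merged into one entry."""
    hits = {}
    term = None
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "No data found.":
            continue
        m = SEARCH_RE.match(line)
        if m:
            term, key = m.group(1), None
            hits[term] = {}
            continue
        if term is None:
            continue  # text before the first "Searching for" block
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            hits[term].setdefault(key, [])
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.group(1), m.group(2)
            if name != "@":
                name = name[1:-1]            # drop the quotes around the value name
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1]            # drop the outer quotes around the data
            hits[term][key].append((name, data))
    return hits


def classify_key(key):
    """Name the load/launch mechanism a registry key path represents, or "other"."""
    for label, pattern in CATEGORIES:
        if pattern.search(key):
            return label
    return "other"


def triage(text):
    """Group the keys found for each search term by mechanism: {term: {category: [key, ...]}}."""
    report = {}
    for term, keys in parse_regfind(text).items():
        grouped = defaultdict(list)
        for key in keys:
            grouped[classify_key(key)].append(key)
        report[term] = dict(grouped)
    return report


def referenced_binaries(text, term):
    """Distinct on-disk files (exe/dll/sys/dat/json) the hits for `term` point at, in a stable
    order. These are the artefacts to hash or submit for scanning before anything is deleted."""
    found = set()
    for values in parse_regfind(text).get(term, {}).values():
        for name, data in values:
            for field in (name, data):
                found.update(PATH_RE.findall(field))
    return sorted(found, key=str.lower)


if __name__ == "__main__":
    for term, groups in triage(SAMPLE_REGFIND).items():
        print(f'Searching for "{term}": {sum(len(v) for v in groups.values())} key(s)')
        for category, keys in groups.items():
            for key in keys:
                print(f"  [{category:20}] {key}")
    print("\nFiles referenced by the tencent hits:")
    for path in referenced_binaries(SAMPLE_REGFIND, "tencent"):
        print("  " + path)
```

Run against the full regfind section rather than the embedded sample, the "other" bucket collects bare vendor keys such as HKCU\Software\Tencent that hold settings but launch nothing, while the categorised buckets are the ones a removal has to clear for the software to stay gone; the file list is what to check in VirusTotal, as asked earlier in the thread.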
Old 06-24-2015, 11:37 AM   #11
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Microsoft Most Valuable Professional
 
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10



Hello again, Mariette. Let's make sure no remnants of AVG remain.

Please download AVG Remover and Save it to your Desktop.
  • Close all programs and double-click avg_remover_stf_x64_2012_1796.exe, then click Run
  • In Vista/Win7, right-click and choose 'Run as administrator'.
  • Follow the on-screen instructions.
  • Reboot your computer if not prompted already.
  • Then delete avg_remover_stf_x64_2012_1796.exe and the avgremover.log from your desktop.
-----------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Double-click ComboFix.exe and follow the prompts to run it.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

Note: If you get an 'Illegal operation attempted on a Registry key which has been marked for deletion' error message, please open Task Manager and 'End Process' on explorer.exe

Next, go to File > New Task (Run...) and type explorer, then press 'Enter'.

------------------------------------------------------
chemist is offline  
Old 06-24-2015, 12:11 PM   #12
Registered Member
 
Join Date: Feb 2015
Location: Paarl, Western Cape, South Africa
Posts: 42
OS: Windows 7



Hi Chemist, attached is the combofix.txt file. Thank you for all this help. I really appreciate it.

ComboFix 15-06-24.02 - Mariette 2015/06/24 21:02:12.1.8 - x64
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.16346.14245 [GMT 2:00]
Running from: c:\users\Mariette\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Disabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
F:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2015-05-24 to 2015-06-24 )))))))))))))))))))))))))))))))
.
.
2015-06-24 19:05 . 2015-06-24 19:05 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-06-24 14:57 . 2015-06-24 14:57 -------- d-----w- c:\users\Mariette\AppData\Roaming\chc
2015-06-23 08:37 . 2015-06-23 08:37 -------- d-----w- c:\users\Mariette\AppData\Roaming\TuneUp Software
2015-06-23 06:09 . 2015-05-03 03:16 12214312 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A66DA064-69F2-4700-92D0-05F9A340A903}\mpengine.dll
2015-06-23 05:59 . 2015-06-23 09:29 -------- d-----w- C:\FRST
2015-06-23 05:57 . 2015-06-23 05:57 -------- d-----w- c:\programdata\TXQMPC
2015-06-23 05:53 . 2015-06-23 05:55 -------- d-----w- C:\AdwCleaner
2015-06-22 14:02 . 2015-06-22 14:02 -------- d-----w- c:\users\Mariette\AppData\Roaming\Curiolab
2015-06-22 12:30 . 2015-06-22 13:56 -------- d-sh--w- c:\windows\SysWow64\AI_RecycleBin
2015-06-22 06:23 . 2015-06-23 08:41 -------- d-----w- c:\program files\Common Files\AV
2015-06-22 06:18 . 2015-06-22 06:18 -------- d-----w- c:\programdata\Common Files
2015-06-22 06:11 . 2015-06-22 06:11 -------- d-----w- c:\users\Administrator
2015-06-22 06:04 . 2015-05-03 03:16 12214312 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-06-20 19:43 . 2015-06-20 19:43 -------- d-----w- c:\users\Mariette\AppData\Local\Diagnostics
2015-06-20 16:47 . 2015-06-22 05:51 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2015-06-20 15:40 . 2015-06-20 15:40 48784 ----a-w- c:\windows\system32\drivers\{2dc69315-903c-4a9c-a481-3b9b33c9045d}Gw64.sys.tmp
2015-06-20 15:10 . 2015-06-20 15:11 -------- d-----w- c:\users\Mariette\AppData\Local\Opera Software
2015-06-20 15:10 . 2015-06-20 15:11 -------- d-----w- c:\users\Mariette\AppData\Roaming\Opera Software
2015-06-20 14:22 . 2015-06-20 14:22 -------- d-----w- c:\users\Mariette\AppData\Local\Programs
2015-06-17 12:22 . 2015-04-08 07:53 1187344 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F5C6CE58-1F4C-41A5-989D-D9A20C7129C9}\gapaengine.dll
2015-06-10 04:18 . 2015-04-11 03:19 69888 ----a-w- c:\windows\system32\drivers\stream.sys
2015-06-10 04:15 . 2015-04-24 18:17 633856 ----a-w- c:\windows\system32\comctl32.dll
2015-06-10 04:15 . 2015-04-24 17:56 530432 ----a-w- c:\windows\SysWow64\comctl32.dll
2015-06-10 04:13 . 2015-05-22 18:24 92160 ----a-w- c:\windows\system32\mshtmled.dll
2015-06-04 10:20 . 2015-06-04 10:20 -------- d-----w- c:\users\Mariette\AppData\Local\GWX
2015-05-26 09:29 . 2015-05-26 18:16 -------- d-----w- c:\users\Mariette\AppData\Local\DStv Desktop Player
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-06-24 07:52 . 2015-04-08 09:29 778416 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-06-24 07:52 . 2011-08-14 21:48 142512 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-05-26 22:04 . 2015-04-07 06:40 140135120 ----a-w- c:\windows\system32\MRT.exe
2015-05-25 18:01 . 2015-06-10 04:17 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2015-05-01 13:17 . 2015-05-13 11:31 124112 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-05-01 13:16 . 2015-05-13 11:31 102608 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2015-04-20 03:17 . 2015-05-13 04:30 1647104 ----a-w- c:\windows\system32\DWrite.dll
2015-04-20 03:17 . 2015-05-13 04:30 1179136 ----a-w- c:\windows\system32\FntCache.dll
2015-04-20 02:56 . 2015-05-13 04:30 1250816 ----a-w- c:\windows\SysWow64\DWrite.dll
2015-04-18 03:10 . 2015-05-13 04:34 460800 ----a-w- c:\windows\system32\certcli.dll
2015-04-18 02:56 . 2015-05-13 04:34 342016 ----a-w- c:\windows\SysWow64\certcli.dll
2015-04-14 01:38 . 2015-04-14 01:38 1217192 ----a-w- c:\windows\SysWow64\FM20.DLL
2015-04-13 03:28 . 2015-05-13 04:31 328704 ----a-w- c:\windows\system32\services.exe
2015-04-08 07:53 . 2015-04-08 07:53 1187344 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2015-04-08 03:29 . 2015-05-13 04:28 275456 ----a-w- c:\windows\system32\InkEd.dll
2015-04-08 03:29 . 2015-05-13 04:28 24576 ----a-w- c:\windows\system32\jnwmon.dll
2015-04-08 03:14 . 2015-05-13 04:28 216064 ----a-w- c:\windows\SysWow64\InkEd.dll
2015-04-05 09:29 . 2015-04-05 09:29 194048 ----a-w- c:\windows\SysWow64\elshyph.dll
2015-04-05 09:29 . 2015-04-05 09:29 71680 ----a-w- c:\windows\SysWow64\RegisterIEPKEYs.exe
2015-04-05 09:29 . 2015-04-05 09:29 645120 ----a-w- c:\windows\SysWow64\jsIntl.dll
2015-04-05 09:29 . 2015-04-05 09:29 62464 ----a-w- c:\windows\SysWow64\tdc.ocx
2015-04-05 09:29 . 2015-04-05 09:29 36352 ----a-w- c:\windows\SysWow64\imgutil.dll
2015-04-05 09:29 . 2015-04-05 09:29 24576 ----a-w- c:\windows\SysWow64\licmgr10.dll
2015-04-05 09:29 . 2015-04-05 09:29 235008 ----a-w- c:\windows\system32\elshyph.dll
2015-04-05 09:29 . 2015-04-05 09:29 182272 ----a-w- c:\windows\SysWow64\msls31.dll
2015-04-05 09:29 . 2015-04-05 09:29 151552 ----a-w- c:\windows\SysWow64\iexpress.exe
2015-04-05 09:29 . 2015-04-05 09:29 139264 ----a-w- c:\windows\SysWow64\wextract.exe
2015-04-05 09:29 . 2015-04-05 09:29 13312 ----a-w- c:\windows\SysWow64\mshta.exe
2015-04-05 09:29 . 2015-04-05 09:29 942592 ----a-w- c:\windows\system32\jsIntl.dll
2015-04-05 09:29 . 2015-04-05 09:29 90112 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2015-04-05 09:29 . 2015-04-05 09:29 86016 ----a-w- c:\windows\SysWow64\iesysprep.dll
2015-04-05 09:29 . 2015-04-05 09:29 86016 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2015-04-05 09:29 . 2015-04-05 09:29 81408 ----a-w- c:\windows\system32\icardie.dll
2015-04-05 09:29 . 2015-04-05 09:29 77312 ----a-w- c:\windows\system32\tdc.ocx
2015-04-05 09:29 . 2015-04-05 09:29 74240 ----a-w- c:\windows\SysWow64\SetIEInstalledDate.exe
2015-04-05 09:29 . 2015-04-05 09:29 616104 ----a-w- c:\windows\system32\ieapfltr.dat
2015-04-05 09:29 . 2015-04-05 09:29 52224 ----a-w- c:\windows\system32\msfeedsbs.dll
2015-04-05 09:29 . 2015-04-05 09:29 48640 ----a-w- c:\windows\SysWow64\mshtmler.dll
2015-04-05 09:29 . 2015-04-05 09:29 48640 ----a-w- c:\windows\system32\mshtmler.dll
2015-04-05 09:29 . 2015-04-05 09:29 30208 ----a-w- c:\windows\system32\licmgr10.dll
2015-04-05 09:29 . 2015-04-05 09:29 247808 ----a-w- c:\windows\system32\msls31.dll
2015-04-05 09:29 . 2015-04-05 09:29 243200 ----a-w- c:\windows\system32\webcheck.dll
2015-04-05 09:29 . 2015-04-05 09:29 235520 ----a-w- c:\windows\system32\url.dll
2015-04-05 09:29 . 2015-04-05 09:29 13312 ----a-w- c:\windows\system32\msfeedssync.exe
2015-04-05 09:29 . 2015-04-05 09:29 131072 ----a-w- c:\windows\system32\IEAdvpack.dll
2015-04-05 09:29 . 2015-04-05 09:29 111616 ----a-w- c:\windows\SysWow64\IEAdvpack.dll
2015-04-05 09:29 . 2015-04-05 09:29 105984 ----a-w- c:\windows\system32\iesysprep.dll
2015-04-05 09:29 . 2015-04-05 09:29 101376 ----a-w- c:\windows\system32\inseng.dll
2015-04-05 09:29 . 2015-04-05 09:29 143872 ----a-w- c:\windows\system32\wextract.exe
2015-04-05 09:29 . 2015-04-05 09:29 62464 ----a-w- c:\windows\system32\pngfilt.dll
2015-04-05 09:29 . 2015-04-05 09:29 48128 ----a-w- c:\windows\system32\imgutil.dll
2015-04-05 09:29 . 2015-04-05 09:29 167424 ----a-w- c:\windows\system32\iexpress.exe
2015-04-05 09:29 . 2015-04-05 09:29 147968 ----a-w- c:\windows\system32\occache.dll
2015-04-05 09:29 . 2015-04-05 09:29 13824 ----a-w- c:\windows\system32\mshta.exe
2015-04-05 09:29 . 2015-04-05 09:29 135680 ----a-w- c:\windows\system32\iepeers.dll
2015-04-05 09:25 . 2015-04-05 09:25 9728 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 5632 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-ole32-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 522752 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2015-04-05 09:25 . 2015-04-05 09:25 4096 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-user32-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 4096 ---ha-w- c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 364544 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2015-04-05 09:25 . 2015-04-05 09:25 363008 ----a-w- c:\windows\system32\dxgi.dll
2015-04-05 09:25 . 2015-04-05 09:25 3584 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 3584 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-version-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 3072 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-shell32-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 3072 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 2560 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 2560 ---ha-w- c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 249856 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2015-04-05 09:25 . 2015-04-05 09:25 220160 ----a-w- c:\windows\SysWow64\d3d10core.dll
2015-04-05 09:25 . 2015-04-05 09:25 207872 ----a-w- c:\windows\SysWow64\WindowsCodecsExt.dll
2015-04-05 09:25 . 2015-04-05 09:25 1682432 ----a-w- c:\windows\system32\XpsPrint.dll
2015-04-05 09:25 . 2015-04-05 09:25 161792 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2015-04-05 09:25 . 2015-04-05 09:25 1158144 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2015-04-05 09:25 . 2015-04-05 09:25 1080832 ----a-w- c:\windows\SysWow64\d3d10.dll
2015-04-05 09:25 . 2015-04-05 09:25 10752 ---ha-w- c:\windows\SysWow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 10752 ---ha-w- c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
2015-04-05 09:25 . 2015-04-05 09:25 648192 ----a-w- c:\windows\system32\d3d10level9.dll
2015-04-05 09:25 . 2015-04-05 09:25 604160 ----a-w- c:\windows\SysWow64\d3d10level9.dll
2015-04-05 09:25 . 2015-04-05 09:25 333312 ----a-w- c:\windows\system32\d3d10_1core.dll
2015-04-05 09:25 . 2015-04-05 09:25 296960 ----a-w- c:\windows\system32\d3d10core.dll
2015-04-05 09:25 . 2015-04-05 09:25 293376 ----a-w- c:\windows\SysWow64\dxgi.dll
2015-04-05 09:25 . 2015-04-05 09:25 245248 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2015-04-05 09:25 . 2015-04-05 09:25 221184 ----a-w- c:\windows\system32\UIAnimation.dll
2015-04-05 09:25 . 2015-04-05 09:25 194560 ----a-w- c:\windows\system32\d3d10_1.dll
2015-04-05 09:25 . 2015-04-05 09:25 187392 ----a-w- c:\windows\SysWow64\UIAnimation.dll
2015-04-05 09:25 . 2015-04-05 09:25 1238528 ----a-w- c:\windows\system32\d3d10.dll
2015-04-04 14:06 . 2010-06-24 09:33 23256 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2015-04-26 43816]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2015-04-26 43816]
"iCloudDrive"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudDrive.exe" [2015-04-26 43816]
"d6_413"="d:\d6_413\d6\d6_413.exe" [2012-12-14 1357968]
"d6_77"="d:\d6_77\d6\d6_77.exe" [2012-08-03 1357376]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2012-01-12 5028464]
"IAStorIcon"="c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" [2011-11-29 284440]
"USB3MON"="c:\program files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe" [2012-01-27 291608]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2014-10-02 421888]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2012-11-05 89184]
"iTunesHelper"="d:\program files (x86)\iTunes\iTunesHelper.exe" [2015-04-06 157480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\x64\3\\lxeaserv.exe;c:\windows\SYSNATIVE\spool\DRIVERS\x64\3\\lxeaserv.exe [x]
R2 Util Wooden Seal;Util Wooden Seal;c:\program files (x86)\Wooden Seal\bin\utilWoodenSeal.exe;c:\program files (x86)\Wooden Seal\bin\utilWoodenSeal.exe [x]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe;c:\windows\SYSNATIVE\AppleChargerSrv.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys;c:\windows\SYSNATIVE\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 NMgamingmsFltr;USB Optical Mouse;c:\windows\system32\drivers\NMgamingms.sys;c:\windows\SYSNATIVE\drivers\NMgamingms.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 iusb3hcs;Intel(R) USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys;c:\windows\SYSNATIVE\DRIVERS\AppleCharger.sys [x]
S2 AdobeActiveFileMonitor9.0;Adobe Active File Monitor V9;d:\adobe photoshop\Elements 9 Organizer\PhotoshopElementsFileAgent.exe;d:\adobe photoshop\Elements 9 Organizer\PhotoshopElementsFileAgent.exe [x]
S2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe;c:\windows\SYSNATIVE\svchost.exe [x]
S2 IAStorDataMgrSvc;Intel(R) Rapid Storage Technology;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Intel(R) Capability Licensing Service Interface;Intel(R) Capability Licensing Service Interface;c:\program files\Intel\iCLS Client\HeciServer.exe;c:\program files\Intel\iCLS Client\HeciServer.exe [x]
S2 jhi_service;Intel(R) Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe [x]
S2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe;c:\windows\SYSNATIVE\lxeacoms.exe [x]
S2 UNS;Intel(R) Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [x]
S2 VIAKaraokeService;VIA Karaoke digital mixer Service;c:\windows\system32\viakaraokesrv.exe;c:\windows\SYSNATIVE\viakaraokesrv.exe [x]
S3 iusb3hub;Intel(R) USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel(R) USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\system32\DRIVERS\L1C62x64.sys;c:\windows\SYSNATIVE\DRIVERS\L1C62x64.sys [x]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys;c:\windows\SYSNATIVE\drivers\viahduaa.sys [x]
S3 VUSB3HUB;VIA USB 3 Root Hub Service;c:\windows\system32\DRIVERS\ViaHub3.sys;c:\windows\SYSNATIVE\DRIVERS\ViaHub3.sys [x]
S3 xhcdrv;VIA USB eXtensible Host Controller Service;c:\windows\system32\DRIVERS\xhcdrv.sys;c:\windows\SYSNATIVE\DRIVERS\xhcdrv.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-06-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-04-08 07:52]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-12 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-12 398104]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-12 440600]
"VIAxHCUtl"="c:\via_xhci\usb3Monitor.exe" [2011-07-12 331776]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-07-28 497648]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2015-04-29 1337000]
"lxeamon.exe"="c:\program files (x86)\Lexmark S300-S400 Series\lxeamon.exe" [2013-01-23 772712]
"EzPrint"="c:\program files (x86)\Lexmark S300-S400 Series\ezprint.exe" [2013-01-23 150264]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mDefault_Search_URL = hxxp://www.google.com
mDefault_Page_URL = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
mSearch Page = hxxp://www.google.com
TCP: DhcpNameServer = 10.0.0.2
FF - ProfilePath - c:\users\Mariette\AppData\Roaming\Mozilla\Firefox\Profiles\4jy5tjrw.default-1434994323219\
FF - prefs.js: browser.startup.homepage - hxxps://www.mozilla.org/en-US/firefox/central/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-Uploader - c:\program files (x86)\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-06-24 21:07:21
ComboFix-quarantined-files.txt 2015-06-24 19:07
.
Pre-Run: 131 876 425 728 bytes free
Post-Run: 131 697 074 176 bytes free
.
- - End Of File - - 709F87C103232CC982E73212EFD9238F
mhgrobler is offline  
Old 06-24-2015, 06:49 PM   #13
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, Mariette. You're very welcome. How is the machine behaving? Any improvement?

Do you use HS Paarl Gimnasium?

------------------------------------------------------

Press the Windows "logo" key and "R" key then copy/paste the following entry into the Run box and press Enter:

cmd /c net user > 0 & notepad 0

A log should open. Please post the contents of the log in your next reply.

------------------------------------------------------

Please go to: VirusTotal
  • Click the Choose File button.
  • Please copy/paste the following bolded text into the 'File name:' box:

    D:\d6_413\d6\d6_413.exe

  • Click Open then click the Scan it! button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File already analysed: click Reanalyse
  • Once scanned, copy and paste the URL from your browser address bar in your next reply.
  • Please repeat for the following file:

    D:\d6_77\d6\d6_77.exe
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-24-2015, 09:19 PM   #14
Registered Member
Join Date: Feb 2015
Location: Paarl, Western Cape, South Africa
Posts: 42
OS: Windows 7

Hi Chemist
My computer is nearly 100% back to normal again. I just have "foxstart" hogging my searches in Firefox. Whenever I do a search in Firefox it defaults back to "foxstart", which also came with this Tencent spyware. It is not lying in my defaults or extensions in Firefox, but I cannot seem to find it. I also reset Firefox.

The HS Paarl Gimnasium is a communicator we use for our schools here in South Africa. So yes I do use it.

The first log:

User accounts for \\MARIETTE-PC

-------------------------------------------------------------------------------
Administrator Guest Mariette
The command completed successfully.

D6_413 analysis:


https://www.virustotal.com/en/file/6...is/1435205596/

D6_77 analysis:


https://www.virustotal.com/en/file/b...is/1435205755/
mhgrobler is offline  
Old 06-24-2015, 09:48 PM   #15
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, Mariette. Glad to hear it. Still have a bit to do though.
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe
  • If asked to change 'Encoding:' to 'Unicode', please agree and save it.

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    C:\ProgramData\TXQMPC
    C:\Program Files (x86)\Rs
    C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件
    S2 Util Wooden Seal; "C:\Program Files (x86)\Wooden Seal\bin\utilWoodenSeal.exe" [X]
    C:\Program Files (x86)\Wooden Seal
    FF Extension: Foxstart Default Settings - C:\Users\Mariette\AppData\Roaming\Mozilla\Firefox\Profiles\4jy5tjrw.default-1434994323219\Extensions\[email protected] [2015-06-22]
    Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\QQPCRTP" /f
    Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\TAOFrame" /f
    Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cpuminer" /f
    Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gpuminer" /f
    Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Rs" /f
    Reg: reg delete "HKEY_CURRENT_USER\Software\Tencent" /f
    Reg: reg delete "HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent" /f
    Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}" /f
    Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}" /f
    Reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QMUDISK" /f
    Reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAOACCELERATOR" /f
    Reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAOKERNELDRIVER" /f
    Reg: reg delete "HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Tencent" /f
    Reg: reg delete "HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent" /f
    Reg: reg delete "HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent" /f
    folder: c:\users\Mariette\AppData\Roaming\chc
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

------------------------------------------------------
chemist is offline  
Old 06-24-2015, 10:51 PM   #16
Registered Member
Join Date: Feb 2015
Location: Paarl, Western Cape, South Africa
Posts: 42
OS: Windows 7

Hi Chemist

I also still get videos that just start to play when I open a site on the internet.

Fix result of Farbar Recovery Scan Tool (x64) Version:24-06-2015
Ran by Mariette at 2015-06-25 07:00:43 Run:2
Running from C:\Users\Mariette\Downloads
Loaded Profiles: Mariette (Available Profiles: Mariette & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
createrestorepoint:
C:\ProgramData\TXQMPC
C:\Program Files (x86)\Rs
C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????
S2 Util Wooden Seal; "C:\Program Files (x86)\Wooden Seal\bin\utilWoodenSeal.exe" [X]
C:\Program Files (x86)\Wooden Seal
FF Extension: Foxstart Default Settings - C:\Users\Mariette\AppData\Roaming\Mozilla\Firefox\Profiles\4jy5tjrw.default-1434994323219\Extensions\[email protected] [2015-06-22]
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\QQPCRTP" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\TAOFrame" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cpuminer" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gpuminer" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Rs" /f
Reg: reg delete "HKEY_CURRENT_USER\Software\Tencent" /f
Reg: reg delete "HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QMUDISK" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAOACCELERATOR" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAOKERNELDRIVER" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Tencent" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent" /f
folder: c:\users\Mariette\AppData\Roaming\chc
EmptyTemp:
end
*****************

Error: (0) Failed to create a restore point.
C:\ProgramData\TXQMPC => moved successfully.
"C:\Program Files (x86)\Rs" => File/Folder not found.

"C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????" folder move:

Could not move "C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????" folder => Scheduled to move on reboot.

Util Wooden Seal => Service removed successfully
"C:\Program Files (x86)\Wooden Seal" => File/Folder not found.
C:\Users\Mariette\AppData\Roaming\Mozilla\Firefox\Profiles\4jy5tjrw.default-1434994323219\Extensions\[email protected] => moved successfully.

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\QQPCRTP" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\TAOFrame" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cpuminer" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\gpuminer" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Rs" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete "HKEY_CURRENT_USER\Software\Tencent" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete "HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QMUDISK" /f =========

ERROR: Access is denied.



========= End of Reg: =========


========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAOACCELERATOR" /f =========

ERROR: Access is denied.



========= End of Reg: =========


========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAOKERNELDRIVER" /f =========

ERROR: Access is denied.



========= End of Reg: =========


========= reg delete "HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Tencent" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg delete "HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg delete "HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Tencent" /f =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========================= folder: c:\users\Mariette\AppData\Roaming\chc ========================

2015-06-24 16:57 - 2015-06-24 20:58 - 0000000 ____D () c:\users\Mariette\AppData\Roaming\chc\#airversion
2015-06-24 20:58 - 2015-06-24 20:58 - 0000000 _____ () c:\users\Mariette\AppData\Roaming\chc\#airversion\18.0.0.144

====== End of Folder: ======

EmptyTemp: => 252.1 MB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-06-25 07:02:09)<=

"C:\Users\Mariette\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????" => Could not move

==== End of Fixlog 07:02:09 ====
mhgrobler is offline  
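As an added example (not from this thread and not part of the Farbar tools), here is a small Python parser for the "reg delete" result blocks in a Fixlog.txt like the one above. The sample log text inside it is an excerpt copied from that Fixlog; the status labels ("ok", "access_denied", "not_found") are my own naming. It separates the deletes that worked from the ones that were refused, which is what a helper re-checks in the next scan, since a denied delete leaves the key in place.

```python
"""Parse the reg delete result blocks of an FRST Fixlog.txt.

Added example; not part of the forum thread or the Farbar tools. The
sample text below is an excerpt copied from the Fixlog posted in the
thread (a constructed excerpt, not the complete log).
"""
import re
from collections import Counter

# Constructed excerpt of a Fixlog, in the format FRST writes.
SAMPLE_FIXLOG = r"""
Error: (0) Failed to create a restore point.
C:\ProgramData\TXQMPC => moved successfully.
"C:\Program Files (x86)\Rs" => File/Folder not found.

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\QQPCRTP" /f =========

The operation completed successfully.

========= End of Reg: =========

========= reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QMUDISK" /f =========

ERROR: Access is denied.

========= End of Reg: =========

========= reg delete "HKEY_USERS\S-1-5-21-2407485051-244769875-2442591779-1001\Software\Tencent" /f =========

ERROR: The system was unable to find the specified registry key or value.

========= End of Reg: =========
"""

# Block header: a run of '=' signs, the reg delete command with the key in
# quotes, the /f flag, then another run of '=' signs.
HEADER_RE = re.compile(r'^=+ reg delete "(?P<key>[^"]+)"(?P<flags>[^=]*)=+\s*$')
END_RE = re.compile(r'^=+ End of Reg: =+\s*$')


def parse_reg_results(text):
    """Return a list of (key, status) tuples, one per reg delete block.

    status is 'ok', 'access_denied', 'not_found' or 'other:<raw line>'
    (status labels are this example's own naming, not FRST's).
    """
    results = []
    key = None
    status = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            key, status = m.group("key"), "other:<no result line>"
            continue
        if key is None:
            continue                      # not inside a reg delete block
        if END_RE.match(line):
            results.append((key, status))
            key, status = None, None
            continue
        if not line:
            continue
        if line == "The operation completed successfully.":
            status = "ok"
        elif line.startswith("ERROR: Access is denied"):
            status = "access_denied"
        elif line.startswith("ERROR: The system was unable to find"):
            status = "not_found"
        else:
            status = "other:" + line
    return results


def summarize(text):
    """Count statuses and list the keys whose deletion was denied.

    A denied delete means the key was not removed by the fix, so those
    keys are the ones to look for again in the next scan log.
    """
    results = parse_reg_results(text)
    counts = Counter(status for _, status in results)
    denied = [key for key, status in results if status == "access_denied"]
    return dict(counts), denied


if __name__ == "__main__":
    counts, denied = summarize(SAMPLE_FIXLOG)
    print(counts)
    for k in denied:
        print("not removed (access denied):", k)
```

Run it against a full Fixlog.txt by reading the file into a string and passing it to `summarize`; on the excerpt it reports one successful delete, one denied delete (the LEGACY_QMUDISK key under Enum\Root) and one key that was already absent.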
Old 06-24-2015, 11:18 PM   #17
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, Mariette. Let's see what an online scan reveals, and go from there.

------------------------------------------------------

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Double-click mbam-setup-2.1.6.1022.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish
  • At the end of the installation, a database update will be performed.
  • Click on Scan Now
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double-click on the scan log which shows the Date and Time of the scan just performed.
  • Click Export
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista/Win7, you must open the Web browser via a right-click using the Run as administrator command.

Go here and click 'Run ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan. Here's how
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Once the components have downloaded, tick the option Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan Archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
chemist is offline  
Old 06-25-2015, 06:39 AM   #18
Registered Member
Join Date: Feb 2015
Location: Paarl, Western Cape, South Africa
Posts: 42
OS: Windows 7

Hi Chemist

Attached is the MBAM log. I will send the ESET report as soon as I can get the scan to finish, as our electricity went off a few times today and the scan takes a while to run. We have what we call loadshedding (they switch the electricity off at different times in different cities to shed the load) in 20 minutes' time, so I will have to stop the scan and redo it a little later. Therefore the two separate posts. Hope it's not a problem.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2015/06/25
Scan Time: 09:03:03 AM
Logfile: mbam.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.06.25.01
Rootkit Database: v2015.06.22.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Mariette

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 441539
Time Elapsed: 9 min, 8 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.CinemaPlus.A, HKLM\SOFTWARE\WOW6432NODE\CinemaPlus-3.2cV20.06, Quarantined, [d5103e80602a03338b8cdb3215ef29d7],
PUP.Optional.CrossRider.C, HKLM\SOFTWARE\WOW6432NODE\APPDATALOW\SOFTWARE\Crossrider, Quarantined, [17ce407ec4c6b185598ea74f6c97ca36],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.OptimizerPro.A, C:\Users\Mariette\Documents\Optimizer Pro, Quarantined, [0ed7f0ce6f1b171f351f355b39cceb15],

Files: 2
PUP.Optional.WoodenSeal.A, C:\Windows\System32\drivers\{2dc69315-903c-4a9c-a481-3b9b33c9045d}Gw64.sys.tmp, Quarantined, [895c49757416cc6af656176e37cf916f],
PUP.Optional.OptimizerPro.A, C:\Users\Mariette\Documents\Optimizer Pro\CookiesException.txt, Quarantined, [0ed7f0ce6f1b171f351f355b39cceb15],

Physical Sectors: 0
(No malicious items detected)


(end)
mhgrobler is offline  
Old 06-25-2015, 09:15 PM   #19
Registered Member
Join Date: Feb 2015
Location: Paarl, Western Cape, South Africa
Posts: 42
OS: Windows 7

Hi Chemist

At last it's done.
Attached is the ESET report.

Thank you.

ESET report

C:\AdwCleaner\Quarantine\C\Users\Mariette\AppData\Roaming\cpuminer\sgminer\sgminer.exe.vir a variant of Win32/BitCoinMiner.BY potentially unsafe application
C:\AdwCleaner\Quarantine\C\Windows\System32\roboot64.exe.vir a variant of Win64/Systweak.A potentially unwanted application
C:\Backup\WINDOWS\Installer\c98b218.msi a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\FRST\Quarantine\C\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009\knsp41DE.tmpfs.xBAD a variant of Win32/Adware.ConvertAd.TJ application
C:\FRST\Quarantine\C\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009\032B0290-1434810389-0532-0406-680700080009\hnsu83D5.tmp Win32/Adware.ConvertAd.SJ application
C:\FRST\Quarantine\C\Users\Mariette\AppData\Roaming\032B0290-1434810389-0532-0406-680700080009\032B0290-1434810389-0532-0406-680700080009\jnsf65E8.tmp Win32/Adware.ConvertAd.SI application
C:\Users\Mariette\Desktop\Old Firefox Data\s302tk2n.default-1432046697821\extensions\[email protected]\chrome\content\toolbar.js Win32/Toolbar.TNT2.I potentially unwanted application
C:\Users\Mariette\Downloads\setup.exe a variant of Win32/InstallCore.AG potentially unwanted application
C:\Users\Mariette\Downloads\SmartDriverUpdater.exe multiple threats
D:\Back-up\New Folder\Backup\WINDOWS\Installer\c98b218.msi a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\Back-up\New Folder\Documents and Settings\Mariette\My Documents\Downloads\freeripmp3-setup.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
D:\Back-up\New Folder\Documents and Settings\Mariette\My Documents\Downloads\iMeshV11(1).exe a variant of Win32/Toolbar.SearchSuite.Z potentially unwanted application
D:\Back-up\New Folder\Documents and Settings\Mariette\My Documents\Downloads\iMeshV11(2).exe a variant of Win32/Toolbar.SearchSuite.Z potentially unwanted application
D:\Back-up\New Folder\Documents and Settings\Mariette\My Documents\Downloads\iMeshV11.exe a variant of Win32/Toolbar.SearchSuite.Z potentially unwanted application
D:\Back-up\New Folder\Documents and Settings\Mariette\My Documents\Downloads\registrybooster(2).exe a variant of Win32/RegistryBooster potentially unwanted application
D:\Back-up\New Folder\Documents and Settings\Mariette\My Documents\Downloads\registrybooster(3).exe a variant of Win32/RegistryBooster potentially unwanted application
D:\Back-up\New Folder\Documents and Settings\Mariette\My Documents\Downloads\registrybooster.exe a variant of Win32/RegistryBooster potentially unwanted application
D:\Back-up\New Folder\Documents and Settings\Mariette\My Documents\Downloads\SweetImSetup.exe a variant of Win32/SweetIM.N potentially unwanted application
D:\Back-up\New Folder\Documents and Settings\Mariette\My Documents\Downloads\switchsetup.exe a variant of Win32/Toolbar.Conduit.I potentially unwanted application
D:\Back-up\Ou windows April 2015\ou windows files\Program Files (x86)\FromDocToPDF_65EI\Installr\1.bin\65EIPlug.dll Win32/Toolbar.MyWebSearch potentially unwanted application
D:\Back-up\Ou windows April 2015\ou windows files\Program Files (x86)\FromDocToPDF_65EI\Installr\1.bin\65EZSETP.dll a variant of Win32/Toolbar.MyWebSearch.Q potentially unwanted application
D:\Back-up\Ou windows April 2015\ou windows files\Program Files (x86)\FromDocToPDF_65EI\Installr\1.bin\NP65EISb.dll Win32/Toolbar.MyWebSearch potentially unwanted application
D:\Back-up\Ou windows April 2015\ou windows files\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\chrome.dll Win32/Patched.NFQ trojan
D:\Back-up\Ou windows April 2015\ou windows files\Users\Mariette\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlejngncgiocofkcbnnpaieapabmanfl\132\content.js JS/Adware.MultiPlug.B application
Old 06-25-2015, 09:23 PM   #20
Registered Member
mhgrobler
Join Date: Feb 2015
Location: Paarl, Western Cape, South Africa
Posts: 42
OS: Windows 7

Hi Chemist
Just want to quickly add something. When I go to Start > All Programs, I have a program named eXescope sitting there, which doesn't look good, as well as a program name with a lot of Chinese letters. Hope that helps.
Thank you
Mariette