jMzqu3UViAmatMQ9Jr1J
Members
Posts: 14
Reputation: 0 Neutral
  1. Hi Kevin, I've read the security tips in your last post; visited and made copies of the sites you've provided links for; and visited and made copies of sites the first set of sites provides links for. Of course all the excellent advice, and all the references to software and to other sites, are more than it is possible to assimilate very quickly.
As for the software recommended on these sites: some of it I've already got (e.g., SpywareBlaster). Some I've looked at in the past and will now make sure to get (e.g., WinPatrol, filehippo.updatechecker). Some types of software I had no idea even existed (e.g., Mailwasher, eulalyzer), and they look excellent. Swapping IE for Firefox has been on my to-do list, and now I will make sure to make that swap soon. I will continue to sift through this material you've provided (as you must know better than I, this is a very time-consuming process).
May I offer additional suggestions?
  • To create a limited user account for regular use instead of the default Windows account.
  • To put passwords on these accounts.
  • To activate CTRL-ALT-DELETE for log-in.
  • On computers that are not physically secure, to set power options requiring log-in after a set amount of idle time.
  • To use a Virtual Machine, or the limited counterpart of one like Sandboxie, to browse the web and test new software.
  • To install Microsoft's EMET.
  • To test downloaded files on sites like VirusTotal, Jotti, VirScan, and NoVirusThanks.
  • To test questionable websites on sites like Zscaler Zulu, urlQuery, and UrlVoid.
  • On wireless networks, to employ full security measures (a bewildering world of its own).
Finally, I would feel remiss if I did not frankly address one more issue. While now would not be the right time for me to make more than a token contribution, I regret that this forum uses PayPal. While I have been tempted from time to time to use it, the briefest search about it on the internet is always frightening (there is a recent article in The New York Times that calls PayPal the most hated site on the internet). That said, I would like to thank you again for all you've done for me (and if my computer could talk, it would thank you too). Robin
  2. Hi Kevin, OTM clean-up done. Thank you for your knowledgeability, thoroughness, and, perhaps I should add, patience. Robin
  3. Hi Kevin,
OTM: The new log is copy-pasted below. FYI - The first time I ran OTM (when it didn't work), I copy-pasted the contents of the code box into Notepad so I could perform the OTM move offline, then copied from Notepad (which had changed the font) into OTM. The second time I ran OTM (when it does seem to have worked), I copied directly from your posting.
Java: I've uninstalled Java without updating it. (BTW - I've been waiting to get rid of Java altogether because of its high security risk, and am now hoping its absence doesn't interfere with LibreOffice functionality.)
I know of just one other issue: can I delete the folder "OTM\Moved Files," including all its sub-folders and files?
Robin

OTM
All processes killed
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Robin\Downloads\OTL_per scan\Download_OTL\cmd.bat deleted successfully.
C:\Users\Robin\Downloads\OTL_per scan\Download_OTL\cmd.txt deleted successfully.
========== FILES ==========
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEIPlug.dll moved successfully.
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEZSETP.dll moved successfully.
DllUnregisterServer procedure not found in C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\NP2lEISb.dll
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\NP2lEISb.dll moved successfully.
File/Folder C:\Users\Robin\BU Versions Storage_OLD\2013-05-03 170851\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe not found.
File/Folder C:\Users\Robin\BU Versions Storage_OLD\2013-05-05 002104\Pgms Removed from the Computer\Problem Pgm Downloads\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe not found.
C:\Users\Robin\BU Versions Storage_OLD\2013-08-08 004930\Foxit Reader_Sep12\Download 6.0.3.0542_Foxit\FoxitReader603.0524_enu_Setup.exe 2013-08-08 004930.exe moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 106660 bytes
->Temporary Internet Files folder emptied: 128 bytes
->Java cache emptied: 0 bytes
User: All Users
User: BackupAdmin
->Temp folder emptied: 56138 bytes
->Temporary Internet Files folder emptied: 26405 bytes
->Flash cache emptied: 56466 bytes
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Janice CQ2010
User: Public
User: Robin
->Temp folder emptied: 54739 bytes
->Temporary Internet Files folder emptied: 74121344 bytes
->Java cache emptied: 337898 bytes
->Flash cache emptied: 3388 bytes
User: RobinAdmin
->Temp folder emptied: 253076990 bytes
->Temporary Internet Files folder emptied: 14128244 bytes
->Java cache emptied: 1876 bytes
->Flash cache emptied: 506 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 525974 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 2881540 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 738 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 5735158 bytes
RecycleBin emptied: 3145103773 bytes
Total Files Cleaned = 3,334.00 mb
OTM by OldTimer - Version 3.1.21.0 log created on 10132013_145642
  4. Hi Kevin, Below are the OTM and Security Check logs you requested. Robin

OTM
All processes killed
Error: Unable to interpret <:Files
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEIPlug.dll
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEZSETP.dll
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\NP2lEISb.dll
C:\Users\Robin\BU Versions Storage_OLD\2013-05-03 170851\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe
C:\Users\Robin\BU Versions Storage_OLD\2013-05-05 002104\Pgms Removed from the Computer\Problem Pgm Downloads\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe
C:\Users\Robin\BU Versions Storage_OLD\2013-08-08 004930\Foxit Reader_Sep12\Download 6.0.3.0542_Foxit\FoxitReader603.0524_enu_Setup.exe 2013-08-08 004930.exe
:Commands
[EmptyTemp]> in the current context!
OTM by OldTimer - Version 3.1.21.0 log created on 10122013_232459

Security Check
Results of screen317's Security Check version 0.99.74
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 10
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Norton AntiVirus
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
SpywareBlaster 5.0
VirusTotal Uploader 2.0
Malwarebytes Anti-Malware version 1.75.0.1300
Java 7 Update 25
Java version out of Date!
Adobe Reader XI
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
Norton AntiVirus Engine 20.4.0.40 ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````
  5. Hi Kevin, The results of the ESET Online Scanner complete system scan are copy-pasted below. Robin
C:\$RECYCLE.BIN\S-1-5-21-476204944-2562783861-3005158361-1000\$R8WHUVS.21\Download_5.21_SourceForge\FreeFileSync_5.21_Windows_Setup.exe    Win32/OpenCandy application
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEIPlug.dll    Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\2lEZSETP.dll    Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\SoundDabble_2lEI\Installr\1.bin\NP2lEISb.dll    Win32/Toolbar.MyWebSearch application
C:\Users\Robin\BU Versions Storage_OLD\2013-05-03 170851\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe 2013-05-03 170851.exe    a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Robin\BU Versions Storage_OLD\2013-05-05 002104\Pgms Removed from the Computer\Problem Pgm Downloads\ImgBurn_May13\Download_2.5.7.0_FileHippo\SetupImgBurn_2.5.7.0.exe 2013-05-05 002104.exe    a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\Robin\BU Versions Storage_OLD\2013-08-08 004930\Foxit Reader_Sep12\Download 6.0.3.0542_Foxit\FoxitReader603.0524_enu_Setup.exe 2013-08-08 004930.exe    a variant of Win32/Bundled.Toolbar.Ask.D application
  6. Hi Kevin, Before un- and re-installing MBAM, I checked the registry once more, and as often happens when one does not document every step of a procedure, I found that my account was insufficiently fine-grained.
1. When the registry is accessed in the regular user account without elevated privileges, the values flagged by MBAM are present.
2. When the registry is accessed in the regular user account with elevated privileges, the values flagged by MBAM are not present.
3. When the registry is accessed in a user-created administrator account, the values flagged by MBAM are not present.
Pix below. My apologies for the imprecision. I will stop at this point to await your instructions. Robin
[screenshot] Regular user account without elevated privileges:
[screenshot] Regular user account with elevated privileges:
[screenshot] User-created administrator account:
  7. Hi Kevin,
1. Thank you for the FRST fix.
2. AdwCleaner: Before- and after-cleaning logs are posted below. (The tabs were all empty.) It appears to me this task has been successfully completed?
3. Inappropriate registry values: gone from Regedit, persisting in MBAM Quick scan
A. Regedit shows the inappropriate values in HKCU in the regular user account are finally gone.
B. However, MBAM continues to report them, and continues to do so even after Remove-restart. The MBAM log is posted below. Is this to be interpreted as an MBAM error?
C. The following is of little or no consequence, but after I ran AdwCleaner today:
i. If I remember correctly, I then tried to delete the inappropriate registry values in the regular user account, with elevated privileges, again without success.
ii. When I looked for the values in a user-created administrator account, they were not there (as had been the case since I successfully deleted them from all the hives in the various accounts in which they appeared, except for HKCU in the regular user account, from which they would not delete).
iii. Next I looked in every hive and key in the hidden administrator account, and they weren't there either. (Out of caution I had never opened this account before today.)
iv. Next, I looked for the values in the regular user account again, and they were gone. I suppose either AdwCleaner got rid of them (and I am mistaken about having looked for them immediately after running AdwCleaner today), or else opening the hidden administrator account had some sort of (miraculous) effect on them?
Robin

AdwCleaner - Before cleaning
# AdwCleaner v3.007 - Report created 10/10/2013 at 16:31:01
# Updated 09/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : RobinAdmin - ROBIN-HP
# Running from : C:\Users\Robin\Downloads\AdwCleaner_Oct13_Portable\Download_3.0.0.7_GCT\adwcleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
(list of "Key Found" / "Value Found" entries under HKCU and HKLM omitted)
***** [ Browsers ] *****
-\\ Internet Explorer v10.0.9200.16720
*************************
AdwCleaner[R0].txt - [4018 octets] - [06/10/2013 12:50:36]
AdwCleaner[R1].txt - [8351 octets] - [10/10/2013 14:59:15]
AdwCleaner[R2].txt - [7825 octets] - [10/10/2013 15:33:02]
AdwCleaner[R3].txt - [7548 octets] - [10/10/2013 15:49:13]
AdwCleaner[R4].txt - [7350 octets] - [10/10/2013 16:31:01]
AdwCleaner[s0].txt - [8346 octets] - [10/10/2013 15:41:13]
########## EOF - \AdwCleaner\AdwCleaner[R4].txt - [7470 octets] ##########

AdwCleaner - After cleaning
# AdwCleaner v3.007 - Report created 10/10/2013 at 16:38:37
# Updated 09/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : RobinAdmin - ROBIN-HP
# Running from : C:\Users\Robin\Downloads\AdwCleaner_Oct13_Portable\Download_3.0.0.7_GCT\adwcleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
***** [ Browsers ] *****
-\\ Internet Explorer v10.0.9200.16720
*************************
AdwCleaner[R0].txt - [4018 octets] - [06/10/2013 12:50:36]
AdwCleaner[R1].txt - [8351 octets] - [10/10/2013 14:59:15]
AdwCleaner[R2].txt - [7825 octets] - [10/10/2013 15:33:02]
AdwCleaner[R3].txt - [7548 octets] - [10/10/2013 15:49:13]
AdwCleaner[R4].txt - [7608 octets] - [10/10/2013 16:31:01]
AdwCleaner[R5].txt - [852 octets] - [10/10/2013 16:38:37]
AdwCleaner[s0].txt - [8346 octets] - [10/10/2013 15:41:13]
AdwCleaner[s1].txt - [7201 octets] - [10/10/2013 16:33:53]
########## EOF - \AdwCleaner\AdwCleaner[R5].txt - [1031 octets] ##########

MBAM log
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.08.26.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Robin :: ROBIN-HP [limited]
10/10/2013 5:58:22 PM
MBAM-log-2013-10-10 (18-09-36).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230774
Time elapsed: 7 minute(s), 54 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> No action taken.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
  8. Hi Kevin, I'm very happy you've concluded my MBR is good. In respect to the current status of my computer: when MBAM first reported the Hijack.Regedit PUMs, my computer was functioning properly, and it has continued to do so since then. I have three remaining concerns.
1. The MBAM PUMs report and inappropriate, undeletable registry values
2. The Farbar Recovery Scan Tool scan results
3. The AdwCleaner scan results

(1) The MBAM PUM report and inappropriate, undeletable registry values
(A) MBAM Quick scan continues to report the following results:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Delete on reboot.
But there is no "Delete on reboot"; after every scan-delete-reboot, MBAM reports this same problem. (The MBAM Quick scan results are copied in my last post.)
(B) The following three inappropriate values remain in the registry for the regular user account, and Windows continues to refuse permission to delete them regardless of tweaks to Ownership and Permissions:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System|
DisableRegedit
DisableRegistryTools
DisableTaskMgr
However, Regedit and Task Manager have never lost functionality (I don't know what "RegistryTools" refers to).

(2) The Farbar Recovery Scan Tool scan results
Is there anything that needs to be done in consequence of the Farbar Recovery Scan Tool scan results (copied in my post of October 5)? Or did you already do that with the Fixlist.txt file you provided?

(3) The AdwCleaner scan results
In your post of October 7 you indicated that after we addressed the MBR issue that had just come up, we would get back to addressing the AdwCleaner scan results (copied as #2 in my post of October 6). You had previously indicated that I should perform cleaning after scanning with AdwCleaner, but I couldn't do so because I don't know how to interpret the scan results. Robin
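Added example, not from the thread or from any of the tools it mentions: a PowerShell audit (assumes Windows 7 or later and an elevated session) that checks every loaded user hive under HKEY_USERS for the three Policies\System values discussed in posts 6 and 8 and reports who owns them and whether they are enforcing. Reading HKEY_USERS by SID sidesteps the ambiguity behind the three observations in post 6: an elevated Regedit started from a standard account with another account's administrator credentials runs as that administrator, so its HKCU is the administrator's hive, not the standard user's.

```powershell
# Audit-PolicyRestrictions.ps1 (hypothetical name). Reports, and with -Remove
# deletes, the DisableRegedit / DisableRegistryTools / DisableTaskMgr values
# in every loaded user hive. Hives of users who are not logged on are not
# loaded under HKEY_USERS and are therefore not covered by this pass.
param(
    [switch]$Remove   # delete the values instead of only reporting them
)

$policyValues = 'DisableRegedit', 'DisableRegistryTools', 'DisableTaskMgr'
$subKey       = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Resolve-SidName {
    # Map a SID such as S-1-5-21-...-1000 to DOMAIN\User for readability.
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return '(unresolved)'
    }
}

$findings = @()
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $sid = $hive.PSChildName
    # *_Classes hives hold COM registrations, not per-user policy; skip them.
    if ($sid -like '*_Classes') { continue }

    $keyPath = "Registry::HKEY_USERS\$sid\$subKey"
    if (-not (Test-Path -Path $keyPath)) { continue }

    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    foreach ($name in $policyValues) {
        if ($null -eq $props -or $null -eq $props.$name) { continue }
        $data = [int]$props.$name
        $findings += [pscustomobject]@{
            Account  = Resolve-SidName $sid
            SID      = $sid
            Value    = $name
            Data     = $data
            # Non-zero = restriction set (Windows honours DisableRegistryTools
            # and DisableTaskMgr); 0 = value present but not enforcing anything.
            Enforced = ($data -ne 0)
            Key      = $keyPath
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No $($policyValues -join '/') values found in any loaded user hive."
    return
}

$findings | Format-Table Account, Value, Data, Enforced -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        try {
            Remove-ItemProperty -Path $f.Key -Name $f.Value -ErrorAction Stop
            Write-Output "Removed $($f.Value) from $($f.Account) ($($f.SID))"
        } catch {
            # Typical causes: the key's DACL denies the caller even when elevated
            # (owner/permissions must be fixed first), or something re-creates
            # the value (a policy, logon script or scheduled task) after deletion.
            Write-Warning "Could not remove $($f.Value) from $($f.Key): $($_.Exception.Message)"
        }
    }
}
```

A value reported with Data 0, as in the MBAM logs above, is present but inert, which is consistent with Regedit and Task Manager never losing functionality; a removal that fails is reported with the access-denied reason instead of being silently skipped.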
  9. Hi Kevin, The contents and attachment for this post are as follows.
MBAM Quick scan log: paste-copied below
aswMBR.txt: paste-copied below
RK_Quarantine folder\PhysicalDriveo_User.dat: I was unable to find this folder or this file (even though I re-ran the scan and ran a search on the C-drive for both).
MBR.dat (zipped): attached (MBR.zip)
Robin

MBAM Quick scan log
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
Database version: v2013.08.26.03
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16686
Robin :: ROBIN-HP [limited]
10/8/2013 3:13:24 PM
mbam-log-2013-10-08 (15-13-24).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226996
Time elapsed: 7 minute(s), 55 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Delete on reboot.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)

aswMBR.txt
aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-10-08 19:35:38
-----------------------------
19:35:38.325 OS Version: Windows x64 6.1.7601 Service Pack 1
19:35:38.325 Number of processors: 2 586 0x200
19:35:38.325 ComputerName: ROBIN-HP UserName:
19:35:40.027 Initialize success
20:10:04.971 AVAST engine defs: 13100800
20:24:12.655 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000006f
20:24:12.671 Disk 0 Vendor: WDC_WD50 16.0 Size: 476940MB BusType: 11
20:24:12.796 Disk 0 MBR read successfully
20:24:12.811 Disk 0 MBR scan
20:24:12.921 Disk 0 Windows 7 default MBR code
20:24:12.921 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:24:12.952 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 465442 MB offset 206848
20:24:13.014 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 11396 MB offset 953432064
20:24:13.077 Disk 0 scanning C:\Windows\system32\drivers
20:24:26.259 Service scanning
20:24:31.797 Service BHDrvx64 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\BASHDefs\20130924.001\BHDrvx64.sys **LOCKED** 5
20:24:37.054 Service eeCtrl C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys **LOCKED** 5
20:24:37.600 Service EraserUtilRebootDrv C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys **LOCKED** 5
20:24:40.876 Service IDSVia64 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\IPSDefs\20131005.002\IDSvia64.sys **LOCKED** 5
20:24:45.431 Service NAVENG C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20131008.019\ENG64.SYS **LOCKED** 5
20:24:45.712 Service NAVEX15 C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\VirusDefs\20131008.019\EX64.SYS **LOCKED** 5
20:25:01.281 Modules scanning
20:25:01.296 Disk 0 trace - called modules:
20:25:01.343 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys storport.sys hal.dll amd_sata.sys
20:25:01.359 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80025153d0]
20:25:01.359 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa8002401ac0]
20:25:01.374 5 amd_xata.sys[fffff8800108bd00] -> nt!IofCallDriver -> \Device\0000006f[0xfffffa80023fb060]
20:25:05.259 AVAST engine scan C:\Windows
20:25:09.143 AVAST engine scan C:\Windows\system32
20:29:29.086 AVAST engine scan C:\Windows\system32\drivers
20:30:00.832 AVAST engine scan C:\Users\RobinAdmin
20:31:49.611 AVAST engine scan C:\ProgramData
20:39:59.523 Scan finished successfully
21:40:40.517 Disk 0 MBR has been saved successfully to "C:\Users\Robin\Downloads\aswMBR_Oct13_Portable\Download_0.9.9.1771_Avast\MBR.dat"
21:40:40.537 The log file has been saved successfully to "C:\Users\Robin\Downloads\aswMBR_Oct13_Portable\Download_0.9.9.1771_Avast\aswMBR.txt"
  10. Hi Kevin, The MBAM Anti-Rootkit scan results, copy-pasted below, were negative. (I also ran Kaspersky TDSSKiller, and its results were negative as well.) Robin

mbar-log-2013-10-07 (17-25-19).txt
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org
Database version: v2013.10.07.12
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16686
RobinAdmin :: ROBIN-HP [administrator]
10/7/2013 5:25:19 PM
mbar-log-2013-10-07 (17-25-19).txt
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 284810
Time elapsed: 28 minute(s), 30 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
Physical Sectors Detected: 0
(No malicious items detected)
(end)

system-log.txt
---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.07.0.1005
© Malwarebytes Corporation 2011-2012
OS version: 6.1.7601 Windows 7 Service Pack 1 x64
Account is Administrative
Internet Explorer version: 10.0.9200.16686
File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, D:\ DRIVE_FIXED, Q:\ DRIVE_FIXED
CPU speed: 1.646000 GHz
Memory total: 1718140928, free: 503021568
Downloaded database version: v2013.10.07.12
Downloaded database version: v2013.09.30.01
=======================================
Initializing...
\Windows\System32\imm32.dll \Windows\System32\user32.dll \Windows\System32\shell32.dll \Windows\System32\rpcrt4.dll \Windows\System32\ws2_32.dll \Windows\System32\comdlg32.dll \Windows\System32\iertutil.dll \Windows\System32\msctf.dll \Windows\System32\Wldap32.dll \Windows\System32\advapi32.dll \Windows\System32\shlwapi.dll \Windows\System32\imagehlp.dll \Windows\System32\lpk.dll \Windows\System32\msvcrt.dll \Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll \Windows\System32\crypt32.dll \Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll \Windows\System32\wintrust.dll \Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll \Windows\System32\KernelBase.dll \Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll \Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll \Windows\System32\comctl32.dll \Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll \Windows\System32\cfgmgr32.dll \Windows\System32\devobj.dll \Windows\System32\msasn1.dll \Windows\SysWOW64\normaliz.dll ----------- End ----------- Done! 
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xfffffa80024ed060
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\0000006f\
Lower Device Object: 0xfffffa80023cf060
Lower Device Driver Name: \Driver\amd_sata\
<<<2>>>
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xfffffa80024ed060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xfffffa80024ec4c0, DeviceName: Unknown, DriverName: \Driver\partmgr\
DevicePointer: 0xfffffa80024ed060, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xfffffa80023d5ac0, DeviceName: Unknown, DriverName: \Driver\amd_xata\
DevicePointer: 0xfffffa80023cf060, DeviceName: \Device\0000006f\, DriverName: \Driver\amd_sata\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
<<<2>>>
<<<3>>>
Volume: C:
File system type: NTFS
SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: 81E89589
Partition information:
    Partition 0 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 2048  Numsec = 204800
    Partition file system is NTFS
    Partition is bootable
    Partition 1 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 206848  Numsec = 953225216
    Partition 2 type is Primary (0x7)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 953432064  Numsec = 23339008
    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0
Disk Size: 500107862016 bytes
Sector size: 512 bytes
Scanning physical sectors of unpartitioned space on drive 0 (1-2047-976753168-976773168)...
Done!
Scan finished
=======================================
Removal queue found; removal started
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_0_2048_i.mbam...
Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
Removal finished
END OF POST
  11. Hi Kevin, Nothing to worry about. Thank you for the attachment. Following are copy-pastes of the results of the three scans you requested, preceded by a summary of these items, with comments. Robin

Summary of items
1. Fixlog.txt
2. AdwCleaner[R0].txt
   I did not perform any cleaning with this tool because I don't know how to interpret the log.
3. RKreport[0]_S_10062013_155434.txt
4. RogueKiller_MBR
   This is a copy-paste of the contents under the MBR tab, which were not included in #3. I've copy-pasted these contents here because they twice include the phrase, "Invalid partition table. Error loading operating system. Missing operating system."

1. Fixlog.txt
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-10-2013
Ran by Robin at 2013-10-06 12:01:07 Run:1
Running from C:\Users\Robin\Downloads\Farbar Rcvry_Oct13_Portable\Download+Scans_NV_blpgcmptr
Boot Mode: Normal
==============================================
Content of fixlist:
*****************
Start
HKCU\...\Winlogon: [shell] Explorer.exe <==== ATTENTION
C:\Users\Robin\AppData\Local\Temp\Checkupdate.exe
C:\Users\Robin\AppData\Local\Temp\Foxit Reader Updater.exe
C:\Users\Robin\AppData\Local\Temp\gcapi_dll.dll
C:\Users\Robin\AppData\Local\Temp\gtapi_signed.dll
End
*****************
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
"C:\Users\Robin\AppData\Local\Temp\Checkupdate.exe" => File/Directory not found.
"C:\Users\Robin\AppData\Local\Temp\Foxit Reader Updater.exe" => File/Directory not found.
"C:\Users\Robin\AppData\Local\Temp\gcapi_dll.dll" => File/Directory not found.
"C:\Users\Robin\AppData\Local\Temp\gtapi_signed.dll" => File/Directory not found.
==== End of Fixlog ====

2.
AdwCleaner[R0].txt
# AdwCleaner v3.006 - Report created 06/10/2013 at 12:50:36
# Updated 01/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : RobinAdmin - ROBIN-HP
# Running from : C:\Users\Robin\Downloads\AdwCleaner_Oct13_Portable\Download\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : [x64] HKCU\Software\APN PIP
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Found : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\HPSF_Tasks_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E45F3E8-2683-4824-A6BE-08108022FB36}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Key Found : HKLM\Software\PIP
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16686

*************************

AdwCleaner[R0].txt - [3848 octets] - [06/10/2013 12:50:36]

########## EOF - \AdwCleaner\AdwCleaner[R0].txt - [3908 octets] ##########

3.
RKreport[0]_S_10062013_155434.txt
RogueKiller V8.7.1 _x64_ [Oct 3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : RobinAdmin [Admin rights]
Mode : Scan -- Date : 10/06/2013 15:54:34
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives) - WDC WD50 00AAKS-60WWPA0 SATA Disk Device +++++
--- User ---
[MBR] c312eb3e7c9e40283fe5be0687ff02b5
[bSP] f240f10f74d80b93bcfbdd5c175b2e6e : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 465442 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 953432064 | Size: 11396 Mo
User = LL1 ... OK!
User != LL2 ... KO!
--- LL2 --- [MBR] 770d4aaeb3cf76c68f1a0a5d857f35aa [bSP] b3dc17f7a53eab7e22c06474a3fc7477 : Windows 7/8 MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 165308416 | Size: 300 Mo Finished : << RKreport[0]_S_10062013_155434.txt >> 4. RogueKiller_MBR ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: WDC WD50 00AAKS-60WWPA0 SATA Disk Device +++++ --- User --- [MBR] c312eb3e7c9e40283fe5be0687ff02b5 [bSP] f240f10f74d80b93bcfbdd5c175b2e6e : Windows 7/8 MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo 1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 465442 Mo 2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 953432064 | Size: 11396 Mo 33 c0 8e d0 bc 00 7c 8e c0 8e d8 be 00 7c bf 00 06 b9 00 02 fc f3 a4 50 68 1c 06 cb fb b9 04 00 bd be 07 80 7e 00 00 7c 0b 0f 85 0e 01 83 c5 10 e2 f1 cd 18 88 56 00 55 c6 46 11 05 c6 46 10 00 b4 41 bb aa 55 cd 13 5d 72 0f 81 fb 55 aa 75 09 f7 c1 01 00 74 03 fe 46 10 66 60 80 7e 10 00 74 26 66 68 00 00 00 00 66 ff 76 08 68 00 00 68 00 7c 68 01 00 68 10 00 b4 42 8a 56 00 8b f4 cd 13 9f 83 c4 10 9e eb 14 b8 01 02 bb 00 7c 8a 56 00 8a 76 01 8a 4e 02 8a 6e 03 cd 13 66 61 73 1c fe 4e 11 75 0c 80 7e 00 80 0f 84 8a 00 b2 80 eb 84 55 32 e4 8a 56 00 cd 13 5d eb 9e 81 3e fe 7d 55 aa 75 6e ff 76 00 e8 8d 00 75 17 fa b0 d1 e6 64 e8 83 00 b0 df e6 60 e8 7c 00 b0 ff e6 64 e8 75 00 fb b8 00 bb cd 1a 66 23 c0 75 3b 66 81 fb 54 43 50 41 75 32 81 f9 02 01 72 2c 66 68 07 bb 00 00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 53 66 55 66 68 00 00 00 00 66 68 00 7c 00 00 66 61 68 00 00 07 cd 1a 5a 32 f6 ea 00 7c 00 00 cd 18 a0 b7 07 eb 08 a0 b6 07 eb 03 a0 b5 07 32 e4 05 00 07 8b f0 ac 3c 00 74 09 bb 07 00 b4 0e cd 10 eb f2 f4 eb fd 2b c9 e4 64 eb 00 24 02 e0 f8 24 02 c3 49 6e 76 61 6c 69 64 20 70 61 72 74 69 74 69 6f 6e 20 74 61 62 6c 65 00 45 72 72 6f 72 20 6c 6f 61 64 69 6e 67 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 65 6d 00 4d 69 73 73 69 6e 67 20 6f 70 65 72 61 74 
69 6e 67 20 73 79 73 74 65 6d 00 00 00 63 7b 9a 89 95 e8 81 00 00 3.....|......|.........Ph...........~..|.............V.U.F...F...A..U..]r...U.u.....t..F.f`.~..t&fh....f.v.h..h.|h..h...B.V.................|.V..v..N..n...fas..N.u..~..........U2..V...]...>.}U.un.v....u.....d......`.|....d.u.......f#.u;f..TCPAu2....r,fh....fh....fh....fSfSfUfh....fh.|..fah.....Z2...|.................2.......<.t.............+..d..$...$..Invalid partition table.Error loading operating system.Missing operating system...c{....... User = LL1 ... OK! User != LL2 ... KO! --- LL2 --- [MBR] 770d4aaeb3cf76c68f1a0a5d857f35aa [bSP] b3dc17f7a53eab7e22c06474a3fc7477 : Windows 7/8 MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 165308416 | Size: 300 Mo 33 c0 8e d0 bc 00 7c 8e c0 8e d8 be 00 7c bf 00 06 b9 00 02 fc f3 a4 50 68 1c 06 cb fb b9 04 00 bd be 07 80 7e 00 00 7c 0b 0f 85 0e 01 83 c5 10 e2 f1 cd 18 88 56 00 55 c6 46 11 05 c6 46 10 00 b4 41 bb aa 55 cd 13 5d 72 0f 81 fb 55 aa 75 09 f7 c1 01 00 74 03 fe 46 10 66 60 80 7e 10 00 74 26 66 68 00 00 00 00 66 ff 76 08 68 00 00 68 00 7c 68 01 00 68 10 00 b4 42 8a 56 00 8b f4 cd 13 9f 83 c4 10 9e eb 14 b8 01 02 bb 00 7c 8a 56 00 8a 76 01 8a 4e 02 8a 6e 03 cd 13 66 61 73 1c fe 4e 11 75 0c 80 7e 00 80 0f 84 8a 00 b2 80 eb 84 55 32 e4 8a 56 00 cd 13 5d eb 9e 81 3e fe 7d 55 aa 75 6e ff 76 00 e8 8d 00 75 17 fa b0 d1 e6 64 e8 83 00 b0 df e6 60 e8 7c 00 b0 ff e6 64 e8 75 00 fb b8 00 bb cd 1a 66 23 c0 75 3b 66 81 fb 54 43 50 41 75 32 81 f9 02 01 72 2c 66 68 07 bb 00 00 66 68 00 02 00 00 66 68 08 00 00 00 66 53 66 53 66 55 66 68 00 00 00 00 66 68 00 7c 00 00 66 61 68 00 00 07 cd 1a 5a 32 f6 ea 00 7c 00 00 cd 18 a0 b7 07 eb 08 a0 b6 07 eb 03 a0 b5 07 32 e4 05 00 07 8b f0 ac 3c 00 74 09 bb 07 00 b4 0e cd 10 eb f2 f4 eb fd 2b c9 e4 64 eb 00 24 02 e0 f8 24 02 c3 49 6e 76 61 6c 69 64 20 70 61 72 74 69 74 69 6f 6e 20 74 61 62 6c 65 00 45 72 72 6f 72 20 6c 6f 61 64 69 6e 67 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 65 6d 00 4d 69 73 
73 69 6e 67 20 6f 70 65 72 61 74 69 6e 67 20 73 79 73 74 65 6d 00 00 00 63 7b 9a 89 95 e8 81 00 00 3.....|......|.........Ph...........~..|.............V.U.F...F...A..U..]r...U.u.....t..F.f`.~..t&fh....f.v.h..h.|h..h...B.V.................|.V..v..N..n...fas..N.u..~..........U2..V...]...>.}U.un.v....u.....d......`.|....d.u.......f#.u;f..TCPAu2....r,fh....fh....fh....fSfSfUfh....fh.|..fah.....Z2...|.................2.......<.t.............+..d..$...$..Invalid partition table.Error loading operating system.Missing operating system...c{....... END OF MESSAGE
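Both of the logs above look at the same 512-byte sector: MBAR walks the partition table and scans the unpartitioned sectors around it, and RogueKiller hashes the MBR and dumps its bootstrap code. The script below is an added example, not part of this post or of either tool. It builds a sector from the values the logs report (MBAR's partition table and disk size, the disk signature 81E89589, and the tail of the bootstrap area RogueKiller dumped: the three error strings plus the offset bytes 63 7b 9a that sit just before the signature), then parses it, resolves the strings the boot code itself points to, and audits the partition layout. The boot code proper is zero-filled, which is an assumption of the example; the audit does not need it.

```python
"""Parse and sanity-check an MBR the way the MBAR and RogueKiller logs report it.

Added example; not part of the post or of either tool. The 512-byte sector is
constructed from values the logs give: MBAR's partition table and disk size,
the disk signature 81E89589, and the tail of the bootstrap area RogueKiller
dumped (the three error strings and the offset bytes 63 7b 9a in front of the
signature). The boot code proper is zero-filled; the checks do not need it.
"""
import struct

SECTOR = 512
DISK_BYTES = 500107862016             # "Disk Size" in the MBAR report
DISK_SECTORS = DISK_BYTES // SECTOR   # 976773168

# (active, type, start LBA, sector count) exactly as MBAR printed them
REPORTED_PARTITIONS = [
    (True, 0x07, 2048, 204800),
    (False, 0x07, 206848, 953225216),
    (False, 0x07, 953432064, 23339008),
]
DISK_SIGNATURE = 0x81E89589

# The standard Windows 7 MBR keeps its three messages at these offsets and
# stores the low byte of each one's run-time address (the code relocates to
# 0x0600, so address = 0x0700 + (offset - 0x100)) at 0x1B5..0x1B7; that is
# where the bytes 63 7b 9a in the dump come from.
MESSAGES = {
    0x163: b"Invalid partition table",
    0x17B: b"Error loading operating system",
    0x19A: b"Missing operating system",
}


def build_mbr(parts, disk_sig, messages=MESSAGES):
    """Constructed sector: zeroed code, real message table, real partition table."""
    sector = bytearray(SECTOR)
    for off, text in messages.items():
        sector[off:off + len(text) + 1] = text + b"\0"
    sector[0x1B5:0x1B8] = bytes((off - 0x100) & 0xFF for off in messages)
    struct.pack_into("<I", sector, 0x1B8, disk_sig)
    for i, (active, ptype, lba, count) in enumerate(parts):
        entry = 0x1BE + 16 * i                # CHS fields are left zero here
        sector[entry] = 0x80 if active else 0x00
        sector[entry + 4] = ptype
        struct.pack_into("<II", sector, entry + 8, lba, count)
    sector[0x1FE:0x200] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector):
    """Return the disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR or sector[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 55AA boot signature")
    parts = []
    for i in range(4):
        e = 0x1BE + 16 * i
        lba, count = struct.unpack_from("<II", sector, e + 8)
        if sector[e + 4] != 0x00:             # type 0x00 means an empty slot
            parts.append({"index": i, "active": sector[e] == 0x80,
                          "type": sector[e + 4], "lba": lba, "count": count})
    return {"disk_signature": struct.unpack_from("<I", sector, 0x1B8)[0],
            "partitions": parts}


def boot_messages(sector):
    """Resolve the strings the boot code itself points to via its offset table."""
    out = []
    for low in sector[0x1B5:0x1B8]:
        off = low + 0x100
        out.append(sector[off:sector.index(b"\0", off)].decode("ascii"))
    return out


def audit(parsed, disk_sectors):
    """Return (findings, unpartitioned_ranges); no findings means the table is sane."""
    findings, gaps = [], []
    parts = sorted(parsed["partitions"], key=lambda p: p["lba"])
    if sum(p["active"] for p in parts) != 1:
        findings.append("number of active partitions is not 1")
    prev_end = 1                               # sector 0 is the MBR itself
    for p in parts:
        start, end = p["lba"], p["lba"] + p["count"]
        if start < prev_end:
            findings.append(f"partition {p['index']} overlaps the one before it")
        elif start > prev_end:
            gaps.append((prev_end, start - 1))
        if end > disk_sectors:
            findings.append(f"partition {p['index']} runs past the end of the disk")
        prev_end = max(prev_end, end)
    if prev_end < disk_sectors:
        gaps.append((prev_end, disk_sectors - 1))
    return findings, gaps


if __name__ == "__main__":
    mbr = build_mbr(REPORTED_PARTITIONS, DISK_SIGNATURE)
    parsed = parse_mbr(mbr)
    print(f"disk signature {parsed['disk_signature']:08X}")
    for p in parsed["partitions"]:
        flag = "ACTIVE" if p["active"] else "      "
        print(f"  {p['index']} {flag} type 0x{p['type']:02X} LBA {p['lba']:>10} count {p['count']:>10}")
    print("boot messages:", boot_messages(mbr))
    print("audit:", audit(parsed, DISK_SECTORS))
```

The unpartitioned ranges `audit` returns (sectors 1 to 2047 before the first partition, and the tail after the last one) are the kind of space MBAR reports scanning, since a bootkit that has to keep a copy of the original MBR somewhere tends to put it there. RogueKiller's "User" versus "LL1"/"LL2" lines compare sector 0 as read through the normal disk stack against lower-level reads; running `parse_mbr` on each read and diffing the results is the same comparison in script form.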
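The Fixlog in this post removed the per-user Winlogon Shell value FRST had marked ATTENTION, and the AdwCleaner report lists the Internet Explorer SearchScopes keys that FRST shows pointing at ask.com in the scan posted later in the thread. The script below is an added example, not part of the post or of FRST or AdwCleaner: it triages FRST-format lines for those three patterns (a Winlogon Shell override, a Run entry launching from a user-writable directory, and a search scope whose host is not one the user would expect). The sample lines are constructed from entries shown in these posts; the allowlist of search hosts and the list of user-writable directories are the example's own assumptions.

```python
"""Triage FRST-style lines for Winlogon Shell, Run and SearchScopes findings.

Added example; not part of the post or of FRST/AdwCleaner. SAMPLE_LINES is
constructed from entries shown in these posts. EXPECTED_SEARCH_HOSTS and
USER_WRITABLE are assumptions of this example.
"""
import re
from urllib.parse import urlparse

EXPECTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com", "en.wikipedia.org"}  # assumption
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")       # assumption

SAMPLE_LINES = r"""
HKLM\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKCU\...\Run: [ManicTime] - C:\Users\Robin\Downloads\ManicTime_Jun13_Portable\ManicTimeUsb\ManicTime.exe [250120 2013-09-06] (Finkit d.o.o.)
HKCU\...\Winlogon: [shell] Explorer.exe <==== ATTENTION
HKLM-x32\...\Run: [EMET Agent] - C:\Program Files (x86)\EMET 4.0\EMET_agent.exe [78496 2013-06-14] (Microsoft Corporation)
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=CPDTDF
SearchScopes: HKCU - DefaultScope {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=SWL&chn=&geo=US&ver=2
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
"""

# FRST line shapes: "HIVE\...\Winlogon: [value] data", "HIVE\...\Run: [name] - path [size date] (vendor)",
# "SearchScopes: HIVE - [DefaultScope ]{GUID} URL = url"
WINLOGON_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\.\\Winlogon: \[(?P<value>\w+)\] (?P<data>.*?)(?: <==== ATTENTION)?$")
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKLM-x32)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] - (?P<path>.*?)"
    r"(?: \[\d+ \d{4}-\d\d-\d\d\])?(?: \([^)]*\))?$")
SCOPE_RE = re.compile(
    r"^SearchScopes: (?P<hive>\S+) - (?:(?P<default>DefaultScope) )?\{(?P<guid>[^}]+)\} URL =\s*(?P<url>.*)$")


def triage(frst_text):
    """Return a list of (severity, message) findings for the lines given."""
    findings = []
    for line in frst_text.splitlines():
        line = line.strip()
        if m := WINLOGON_RE.match(line):
            # Winlogon\Shell under HKCU is a persistence location; FRST flags it
            # even when the current data is Explorer.exe.
            findings.append(("high", f"{m['hive']} Winlogon {m['value']} override: {m['data']}"))
        elif m := RUN_RE.match(line):
            if any(d in m["path"].lower() for d in USER_WRITABLE):
                findings.append(("medium",
                                 f"{m['hive']} Run [{m['name']}] launches from a user-writable path: {m['path']}"))
        elif m := SCOPE_RE.match(line):
            host = urlparse(m["url"]).hostname if m["url"] else None
            if not host:
                findings.append(("low", f"{m['hive']} search scope {{{m['guid']}}} has an empty URL"))
            elif host not in EXPECTED_SEARCH_HOSTS:
                sev = "high" if m["default"] else "medium"
                kind = "default search scope" if m["default"] else "search scope"
                findings.append((sev, f"{m['hive']} {kind} {{{m['guid']}}} points at {host}"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_LINES):
        print(f"[{sev:6}] {msg}")
```

Run against an actual FRST.txt, the same function reads the whole file; the interesting part is not the regexes but the decisions encoded in the two assumption tables, which is where a reviewer of the log would disagree or agree with the tool's own ATTENTION markers.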
  12. Hi Kevin, Please forgive me for being obtuse, but I can't figure out how to download the file fixlist.txt attached to (your) message #4. I tried clicking on the download icon next to the print icon at the very bottom of the web page, but that just opens this same web page again in another tab. I do see the icon for the attached file Addition.txt in (my) message #3, and when I mouse over it, the cursor becomes a hand and a "Download attachment" pop-up appears. I couldn't find anything to resolve this issue in the treatment of attachments in Help. Perhaps the problem is caused by my browser settings? Robin
  13. Hi Kevin, Thank you for helping me. (BTW - I am in the US Pacific time zone.) Per your request, the Farbar Recovery Scan Tool file FRST.txt is copy-pasted below, and the file Addition.txt is attached. Robin

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-10-2013
Ran by Robin (ATTENTION: The logged in user is not administrator) on ROBIN-HP on 05-10-2013 16:00:34
Running from C:\Users\Robin\Downloads\Farbar Rcvry Scan Tool_Oct13\Download
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieCtrl.exe
(Finkit d.o.o.) C:\Users\Robin\Downloads\ManicTime_Jun13_Portable\ManicTimeUsb\ManicTime.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files (x86)\EMET 4.0\EMET_Agent.exe
(Advanced Micro Devices Inc.) c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SandboxieRpcSs.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SandboxieCrypto.exe
(Abine Inc.)
C:\Program Files (x86)\DoNotTrackPlus\IE\DNTPService.exe ==================== Registry (Whitelisted) ================== HKLM\...\Run: [hpsysdrv] - c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard) HKLM\...\Policies\Explorer: [NoSetActiveDesktop] 0 HKCU\...\Run: [sandboxieControl] - C:\Program Files\Sandboxie\SbieCtrl.exe [759384 2013-07-08] (Sandboxie Holdings, LLC) HKCU\...\Run: [ManicTime] - C:\Users\Robin\Downloads\ManicTime_Jun13_Portable\ManicTimeUsb\ManicTime.exe [250120 2013-09-06] (Finkit d.o.o.) HKCU\...\Run: [sUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6588144 2013-10-03] (SUPERAntiSpyware) HKCU\...\Winlogon: [shell] Explorer.exe <==== ATTENTION HKCU\...\Policies\Explorer: [NoSetActiveDesktop] 0 HKLM-x32\...\Run: [startCCC] - c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-05-12] (Advanced Micro Devices, Inc.) HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated) HKLM-x32\...\Run: [HP Software Update] - C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard) HKLM-x32\...\Run: [] - [x] HKLM-x32\...\Run: [sunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [253816 2013-03-12] (Oracle Corporation) HKLM-x32\...\Run: [EMET Agent] - C:\Program Files (x86)\EMET 4.0\EMET_agent.exe [78496 2013-06-14] (Microsoft Corporation) ==================== Internet (Whitelisted) ==================== HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:Tabs HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/CQDSK/1 StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=CPDTDF SearchScopes: HKLM - 
{b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPDTDF SearchScopes: HKLM - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms} SearchScopes: HKLM - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms} SearchScopes: HKLM - {FA0D16A8-431F-4392-BD08-9C441800A074} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms} SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=CPDTDF SearchScopes: HKLM-x32 - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPDTDF SearchScopes: HKLM-x32 - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms} SearchScopes: HKLM-x32 - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms} SearchScopes: HKLM-x32 - {FA0D16A8-431F-4392-BD08-9C441800A074} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms} SearchScopes: HKCU - DefaultScope {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=SWL&chn=&geo=US&ver=2 SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=CPDTDF SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?q={SEARCHTERMS}&o=15527&l=dis&prt=SWL&chn=&geo=US&ver=2 SearchScopes: HKCU - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = 
http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CPDTDF SearchScopes: HKCU - {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms} SearchScopes: HKCU - {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms} SearchScopes: HKCU - {FA0D16A8-431F-4392-BD08-9C441800A074} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms} BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) BHO-x32: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton AntiVirus\Engine\20.4.0.40\IPS\IPSBHO.DLL (Symantec Corporation) BHO-x32: Do Not Track Me - {6E45F3E8-2683-4824-A6BE-08108022FB36} - C:\Program Files (x86)\DoNotTrackPlus\IE\DNTPAddon.dll (Abine Inc) BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.) 
BHO-x32: HP Network Check Helper - {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard) BHO-x32: Norton Safe Web Lite BHO - {F0DA78E9-6B60-42fb-BC26-EF2CFB8C8FF3} - C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\coIEPlg.dll (Symantec Corporation) Toolbar: HKLM-x32 - Norton Safe Web Lite - {30CEEEA2-3742-40e4-85DD-812BF1CBB83D} - C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\coIEPlg.dll (Symantec Corporation) Toolbar: HKCU - No Name - {30CEEEA2-3742-40E4-85DD-812BF1CBB83D} - No File DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: HKLM-x32 {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: HKLM-x32 {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab DPF: HKLM-x32 {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect1263.cab Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - No File Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.) 
Tcpip\..\Interfaces\{75C2E03F-A082-459A-80ED-F54B2D493FB3}: [NameServer]192.168.1.254 ==================== Services (Whitelisted) ================= R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [143120 2013-05-23] (SUPERAntiSpyware.com) R2 lmhosts; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation) R2 NAV; C:\Program Files (x86)\Norton AntiVirus\Engine\20.4.0.40\ccSvcHst.exe [144368 2013-05-20] (Symantec Corporation) R2 NlaSvc; C:\Windows\System32\svchost.exe [27136 2009-07-13] (Microsoft Corporation) R2 nsi; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation) R2 NSL; C:\Program Files (x86)\Norton Safe Web Lite\Engine\2.0.0.16\ccSvcHst.exe [138760 2011-08-10] (Symantec Corporation) R2 nvda; C:\Program Files (x86)\NVDA\nvda_service.exe [40040 2013-05-17] (NV Access Limited) R2 ReflectService.exe; C:\Program Files\Macrium\Reflect\ReflectService.exe [409720 2013-06-28] () R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [183896 2013-07-08] (Sandboxie Holdings, LLC) ==================== Drivers (Whitelisted) ==================== R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\BASHDefs\20130924.001\BHDrvx64.sys [1525848 2013-09-23] (Symantec Corporation) R1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_20.2.0.19\Definitions\BASHDefs\20130924.001\BHDrvx64.sys [1525848 2013-09-23] (Symantec Corporation) R1 ccSet_NAV; C:\Windows\system32\drivers\NAVx64\1404000.028\ccSetx64.sys [169048 2013-04-15] (Symantec Corporation) R1 ccSet_NST; C:\Windows\system32\drivers\NSTx64\0200000.010\ccSetx64.sys [167048 2011-08-08] (Symantec Corporation) S3 CpqDfw; C:\Windows\System32\drivers\CpqDfw.sys [27456 2012-05-29] (Windows ® Codename Longhorn DDK provider) R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484952 2013-09-11] (Symantec Corporation) R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec 
  14. Hi,

(1) An MBAM Quick scan found the following "malicious software" running on my Windows 7 computer:

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Delete on reboot.

(2) In the MBAM results window, I clicked first on the "Remove Selected" button, then on the "Click Yes to restart now" button. After the computer restarted, a second Quick scan produced the same positive result. Repeating this cycle of scan-delete-restart a few times produced the same result each time.

(3) An internet search showed that when MBAM has found these so-called "PUMs" on others' computers, they were unable to open Regedit or Task Manager. However, I have continued to be able to open both.

(4) Furthermore, I have had no symptoms of infection. Windows, IE, and all the other programs I have been using were functioning properly before MBAM found the "malicious software," and continue to. I have Norton Antivirus running as my real-time AV program, together with Windows Defender and Windows Firewall. I regularly scan with MBAM, MS Safety Scanner, and SuperAntiSpyware, and have recently added, as on-demand scanners, ESET Online Scanner, Hitman Pro, Kaspersky TDSSKiller, and Trend Micro HouseCall. Apart from MBAM's report of OpenCandy whenever I update FreeFileSync, I have never had either a report of malware, or an actual infection that I have known about, in the two years since I bought the computer.

(4) After MBAM was unable to remove the PUMs, I opened Regedit and found the following values:
HKCU . . . DisableRegedit
HKCU . . . DisableRegistryTools
HKCU . . . DisableTaskMgr
HKLM . . . DisableRegedit
HKLM . . . DisableRegistryTools
This same set of values appeared in Regedit for the regular user account, for the regular administrator account, and for the backup administrator account.

(5) In both administrator accounts I was able to delete all these values. In the regular user account, I was able to delete the two values only in HKLM. This leaves the three HKCU values in the regular user account. Windows refuses permission to delete them, even though I have tried every tweak of Ownership and Permissions for the sub-key.

My questions are, (A) How do I delete the three values in the registry for the regular user account? And (B) Do I need to do something more, in order to ensure that these PUMs are not symptoms of an infection that remains to be dealt with?

Thank you for your kind attention to this matter.
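An added example, not part of the post above, for auditing the policy values MBAM flags as Hijack.Regedit from an administrator session: it reports each of DisableRegedit, DisableRegistryTools and DisableTaskMgr under HKLM and HKCU (a data value of 0 is present but does not restrict anything) and can remove them; the HKU SID path is a placeholder you replace with the limited account's SID so that its HKCU hive can be inspected without logging in as that user.

```powershell
# Added example (not from the forum post): audit the Policies\System values that
# MBAM reports as Hijack.Regedit. Only a nonzero DWORD actually disables
# regedit or Task Manager; Data: 0, as in the post, is inert.
$PolicyValues = 'DisableRegedit', 'DisableRegistryTools', 'DisableTaskMgr'

function Get-RegistryToolPolicy {
    param(
        # Hives to inspect. A loaded user's HKCU is also reachable as HKU:\<SID>,
        # which lets an administrator audit a limited account's values.
        [string[]]$KeyPaths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        )
    )
    foreach ($path in $KeyPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $PolicyValues) {
            $data = $key.GetValue($name, $null)
            if ($null -eq $data) { continue }
            [pscustomobject]@{
                Key         = $path
                Name        = $name
                Data        = $data
                Restricting = ([int]$data -ne 0)   # 0 = present but harmless
            }
        }
    }
}

# Remove whatever Get-RegistryToolPolicy finds. Needs an elevated session for
# HKLM and for another user's HKU hive.
function Remove-RegistryToolPolicy {
    param([string[]]$KeyPaths)
    Get-RegistryToolPolicy -KeyPaths $KeyPaths | ForEach-Object {
        Remove-ItemProperty -LiteralPath $_.Key -Name $_.Name -ErrorAction Stop
        "Removed $($_.Name) from $($_.Key)"
    }
}

# Audit the current account's hives.
Get-RegistryToolPolicy | Format-Table -AutoSize

# To audit a limited account (profile must be loaded, e.g. user logged in), map
# HKEY_USERS and pass that account's SID. Placeholder SID; resolve the real one with
# (New-Object Security.Principal.NTAccount 'Robin').Translate([Security.Principal.SecurityIdentifier])
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
Get-RegistryToolPolicy -KeyPaths 'HKU:\S-1-5-21-PLACEHOLDER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
```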