Suspicious blocking of .exe's, hidden processes...

Ok, I also have a topic open at Bleeping Computer but since I’m desperate to get this resolved I’m going to post both places. Feel free to close accordingly, I will let both of you know who replies first.

It all started when I downloaded a ‘SoundCloud Downloader’ off of Cnet. I chose direct download link, I scanned it through VirusTotal (0/54 to anyone wondering), and then I launched it while browsing the EULA. Wow, I don’t want that on my system. Avast! went crazy, detecting ‘Win32:Malware-gen’ in a bizarre uninstall folder, and that’s where I went nuts. I’d never had this issue before, really, it was nightmarish. Anyway, MBAM detected nothing… ESET online scanner detected a couple CNET installers of which I carefully unticked the awful “offers”, and then more problems ensued: A suspicious hidden process running in AppData/Software Update from the same time I downloaded the first software long after it was uninstalled. Thankfully, RKill killed the hidden process and I deleted the folder manually, but I would love some help in fixing the possible broken registry keys.
And now for the biggest issue: SonicWall Gateway AntiVirus. Either this is scareware or it is so dumb to block FRST and OTL from running, stating “Kryptik” and “AutoIt”? We all know that those files aren’t infected, I got them off of BC… they fail every time in download. Please advise here! Running RogueKiller as we speak…

(Outdated) Rogue Killer report (didn’t want to risk trying to download a new version):

(Is that ‘Unknown MBR Code’ thing bad? I’m scared now…)
RogueKiller V9.1.0.0 [Jun 23 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : mathb_000 [Admin rights]
Mode : Scan – Date : 07/31/2014 09:37:58

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 8 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Software Updater Service → FOUND
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Software Updater Service → FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{286F5901-097E-4716-8432-8B15B3707CC1} | DhcpNameServer : 209.18.47.61 209.18.47.62 192.168.1.1 → FOUND
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{286F5901-097E-4716-8432-8B15B3707CC1} | DhcpNameServer : 209.18.47.61 209.18.47.62 192.168.1.1 → FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 → FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 → FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 → FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 → FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 36 ¤¤¤
[C:\WINDOWS\System32\drivers\etc\hosts] 127.0.0.1 localhost
[C:\WINDOWS\System32\drivers\etc\hosts]
[C:\WINDOWS\System32\drivers\etc\hosts]
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com.s3.amazonaws.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 media.opencandy.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.opencandy.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 tracking.opencandy.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 api.opencandy.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 installer.betterinstaller.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 installer.filebulldog.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 d3oxtn1x3b8d7i.cloudfront.net
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 inno.bisrv.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 nsis.bisrv.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.file2desktop.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.goateastcach.us
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.guttastatdk.us
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.inskinmedia.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.oibundles2.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.insta.playbryte.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.llogetfastcach.us
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.montiera.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.msdwnld.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.mypcbackup.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.ppdownload.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.riceateastcach.us
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.shyapotato.us
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.solimba.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.tuto4pc.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.appround.biz
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.bigspeedpro.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.bispd.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.bisrv.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.cdndp.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.download.sweetpacks.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.dpdownload.com
[C:\WINDOWS\System32\drivers\etc\hosts] 0.0.0.0 cdn.visualbee.net

¤¤¤ Antirootkit : 0 ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.Proxy][FIREFX:Config] 3siszp71.default : user_pref("network.proxy.type", 2); → FOUND

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK6475GSX +++++
— User —
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Unknown MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 … OK
User = LL2 … OK

============================================
RKreport_DEL_06132014_192231.log - RKreport_SCN_06132014_192021.log - RKreport_SCN_06302014_110745.log - RKreport_SCN_07212014_122026.log

ASWmbr will not run… I shouldn't have let that thing run with elevated permissions. It starts loading and then it stops, and runs with 0% CPU and 1MB memory and doesn't do anything. EDIT: Forgot to run as administrator… running now. No issues except for 'Unknown MBR Code'.

Let's have a quick look. Run this from Safe Mode.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

* Right-click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
* Select Additions at the bottom.
* Press the Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

* It will produce a log called FRST.txt in the same directory the tool is run from.
* Please attach both logs generated.

Should I wait for ASWmbr to finish before going into safe mode? Thanks for your reply!

Whichever you feel comfortable with. AswMBR is actually running a full virus scan using a VM.

I’m in Safe Mode and it won’t run. Gives me a message that my downloads folder is corrupted or unreadable. When I try to save it to my Desktop it says it can’t be downloaded :o I have a slightly outdated FRST version on my computer that should work, or should I try to transfer it via flash drive?

The version I have is 249 days old but it runs:

Were you using Firefox to download FRST? If so, try IE.

Once this has run, could you try to download an updated FRST and then run that?

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

FF NetworkProxy: "autoconfig_url", "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7Bif%20(url.indexOf('vevo.com')%20!%3D%20-1%20%7C%7C%20host%20%3D%3D%20'www.pandora.com'%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fext.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fgrooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fretro.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fhtml5.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Flisten.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fpreview.grooveshark.com*')%20%7C%7C%20url.indexOf('play.google.com')%20!%3D%20-1%20%7C%7C%20(url.indexOf('youtube.com%2Fvideoplayback')%20!%3D%20-1%20%26%26%20url.indexOf('%26gcr%3Dus')%20!%3D%20-1%20%26%26%20url.indexOf('%26ptchn')%20!%3D%20-1)%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.iheart.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.funimation.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fsecure.funimation.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Faccount.beatsmusic.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.beatsmusic.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fsongza.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fnew.songza.com*')%20%7C%7C%20host%20%3D%3D%20's.hulu.com'%20%7C%7C%20(url.indexOf('proxmate%3Dactive')%20!%3D%20-1%20%26%26%20url.indexOf('amazonaws.com')%20%3D%3D%20-1)%20%7C%7C%20(url.indexOf('proxmate%3Dus')%20!%3D%20-1)%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.mtv.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fmedia.mtvnservices.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.crunchyroll.com*')%20%7C%7C%20url.indexOf('discoverymedia.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fdsc.discovery.com%2F*')%20%7C%7C%20url.indexOf('southparkstudios.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.daisuki.net*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.rdio.com*'))%20%7B%20return%20'PROXY%20%20%09109.73.70.165%3A8090'%3B%7D%20%20else%20%7B%20return%20'DIRECT'%3B%20%7D%7D"
FF NetworkProxy: "type", 2
FF Extension: Hola Better Internet - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\jid1-4P0kohSJxU1qGg@jetpack
FF Extension: No Name - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\staged
FF Extension: jid1-QpHD8URtZWJC2A - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\jid1-QpHD8URtZWJC2A@jetpack.xpi
FF Extension: mediahint - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\mediahint@jetpack.xpi
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
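What that autoconfig_url line actually does is easier to see once it is decoded. The following is an added example, not part of this thread and not code from FRST, RogueKiller or Firefox: it parses a constructed prefs.js sample carrying the two proxy prefs the logs above report (network.proxy.type 2 and the data: PAC URL from the fix), decodes the PAC, lists the proxy it can return, and runs a few made-up URLs through it. The PAC string is copied from the fix; the prefs.js filler line and the sample URLs are invented for the demonstration.

```javascript
// Added example, not from the thread or from FRST/RogueKiller: parse Firefox
// prefs.js, pull out the network.proxy.* settings, decode a data: PAC URL and
// evaluate it offline to see which requests it diverts and to which proxy.

// The data: URL is exactly the one in the FRST fix above, split across
// several literals only so the lines stay readable.
const PAC_DATA_URL = "data:text/javascript," +
  "function%20FindProxyForURL(url%2C%20host)%20%7Bif%20(url.indexOf('vevo.com')%20!%3D%20-1%20%7C%7C%20host%20%3D%3D%20'www.pandora.com'%20%7C%7C%20" +
  "shExpMatch(url%2C%20'http%3A%2F%2Fwww.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fext.last.fm*')%20%7C%7C%20" +
  "shExpMatch(url%2C%20'http%3A%2F%2Fgrooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fretro.grooveshark.com*')%20%7C%7C%20" +
  "shExpMatch(url%2C%20'http%3A%2F%2Fhtml5.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Flisten.grooveshark.com*')%20%7C%7C%20" +
  "shExpMatch(url%2C%20'http%3A%2F%2Fwww.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fpreview.grooveshark.com*')%20%7C%7C%20" +
  "url.indexOf('play.google.com')%20!%3D%20-1%20%7C%7C%20(url.indexOf('youtube.com%2Fvideoplayback')%20!%3D%20-1%20%26%26%20url.indexOf('%26gcr%3Dus')%20!%3D%20-1%20%26%26%20url.indexOf('%26ptchn')%20!%3D%20-1)%20%7C%7C%20" +
  "shExpMatch(url%2C%20'http%3A%2F%2Fwww.iheart.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.funimation.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fsecure.funimation.com*')%20%7C%7C%20" +
  "shExpMatch(url%2C%20'http%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Faccount.beatsmusic.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.beatsmusic.com*')%20%7C%7C%20" +
  "shExpMatch(url%2C%20'http%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20" +
  "shExpMatch(url%2C%20'http%3A%2F%2Fsongza.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fnew.songza.com*')%20%7C%7C%20host%20%3D%3D%20's.hulu.com'%20%7C%7C%20" +
  "(url.indexOf('proxmate%3Dactive')%20!%3D%20-1%20%26%26%20url.indexOf('amazonaws.com')%20%3D%3D%20-1)%20%7C%7C%20(url.indexOf('proxmate%3Dus')%20!%3D%20-1)%20%7C%7C%20" +
  "shExpMatch(url%2C%20'http%3A%2F%2Fwww.mtv.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fmedia.mtvnservices.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.crunchyroll.com*')%20%7C%7C%20" +
  "url.indexOf('discoverymedia.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fdsc.discovery.com%2F*')%20%7C%7C%20url.indexOf('southparkstudios.com')%20!%3D%20-1%20%7C%7C%20" +
  "shExpMatch(url%2C%20'https%3A%2F%2Fwww.daisuki.net*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.rdio.com*'))%20%7B%20return%20'PROXY%20%20%09109.73.70.165%3A8090'%3B%7D%20%20else%20%7B%20return%20'DIRECT'%3B%20%7D%7D";

// Constructed prefs.js sample: the two proxy prefs carry the values the logs
// in this thread show; the homepage line is filler the parser should pass over.
const SAMPLE_PREFS_JS = [
  'user_pref("browser.startup.homepage", "about:home");',
  'user_pref("network.proxy.type", 2);',
  'user_pref("network.proxy.autoconfig_url", ' + JSON.stringify(PAC_DATA_URL) + ");",
].join("\n");

// Made-up URLs to route through the PAC; none of them comes from the thread.
const SAMPLE_URLS = [
  "https://www.pandora.com/",
  "https://play.spotify.com/track/abc",
  "http://www.youtube.com/videoplayback?id=1&gcr=us&ptchn=x",
  "https://example.com/",
];

// prefs.js and user.js consist of lines of the form user_pref("name", value);
// where value is a JSON-compatible string, number or boolean.
function parsePrefs(text) {
  const prefs = {};
  const re = /^user_pref\("([^"]+)",\s*(.+)\);$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line.trim());
    if (m) prefs[m[1]] = JSON.parse(m[2]);
  }
  return prefs;
}

// network.proxy.type 2 means "use an automatic proxy configuration URL".
function proxyPrefs(prefs) {
  return Object.fromEntries(
    Object.entries(prefs).filter(([name]) => name.startsWith("network.proxy.")));
}

// Strip the data: prefix and undo the percent-encoding to get the PAC source.
function decodePacDataUrl(dataUrl) {
  const prefix = "data:text/javascript,";
  if (!dataUrl.startsWith(prefix)) throw new Error("not a text/javascript data: URL");
  return decodeURIComponent(dataUrl.slice(prefix.length));
}

// Static view: every PROXY host:port the script can hand a request to.
function proxyEndpoints(pacSource) {
  return [...pacSource.matchAll(/PROXY\s+([\w.-]+:\d+)/g)].map((m) => m[1]);
}

// The only PAC helper this script calls: an anchored shell-style glob match.
function shExpMatch(str, shexp) {
  const pattern = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + pattern + "$").test(str);
}

// Dynamic view: compile the PAC and get its FindProxyForURL back. This runs
// untrusted script, so do it in an analysis sandbox only; the script receives
// nothing beyond the one helper passed in here.
function loadPac(pacSource) {
  return new Function("shExpMatch", pacSource + "\nreturn FindProxyForURL;")(shExpMatch);
}

// Route one URL the way the browser would, with the result's whitespace
// normalised (the script literally returns "PROXY  \t109.73.70.165:8090").
function route(findProxy, url) {
  return findProxy(url, new URL(url).hostname).replace(/\s+/g, " ").trim();
}

// Full triage of a prefs.js text: proxy mode, proxy endpoints, sample routes.
function report(prefsText) {
  const proxy = proxyPrefs(parsePrefs(prefsText));
  const result = { type: proxy["network.proxy.type"], endpoints: [], routes: {} };
  const pacUrl = proxy["network.proxy.autoconfig_url"];
  if (result.type === 2 && typeof pacUrl === "string") {
    const source = decodePacDataUrl(pacUrl);
    result.endpoints = proxyEndpoints(source);
    const findProxy = loadPac(source);
    for (const url of SAMPLE_URLS) result.routes[url] = route(findProxy, url);
  }
  return result;
}

function main() {
  const triage = report(SAMPLE_PREFS_JS);
  console.log("network.proxy.type:", triage.type);
  console.log("PAC proxy endpoints:", triage.endpoints.join(", "));
  for (const [url, verdict] of Object.entries(triage.routes)) console.log(verdict.padEnd(26), url);
}
main();
```

Run it with node. The output shows that every matched streaming site, HTTPS ones such as www.pandora.com included, is handed to 109.73.70.165:8090, so whoever operates that host sees at least the CONNECT destinations for HTTPS and the complete request for plain HTTP. Deleting the two prefs (which is what "FF NetworkProxy" in the FRST fix does) is the right remediation; also check user.js and any extension that rewrites proxy settings, since a pref reset does not survive an extension that reapplies it on startup.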

Fixing now! I did download FRST in IE by the way… let me do the fix anyways though.

It said ‘Update Completed’, it closed, and now I can’t find it on my system… the last copy of FRST I have left won’t run, stating it can’t be used on this system :o I can’t believe a program off of CNET (and not a nasty ad, I have AdBlocker), would cause this much corruption!

OK, could you download FRST.com from here to your desktop: https://dl.dropboxusercontent.com/u/73555776/FRST64.com Windows will not like this, but select "Run anyway" on the blue bar that pops up.

Ensure that you also select the addition text prior to the scan

IT RAN!!! Thank you 8)

Content of fixlist:


FF NetworkProxy: "autoconfig_url", "data:text/javascript,function%20FindProxyForURL(url%2C%20host)%20%7Bif%20(url.indexOf('vevo.com')%20!%3D%20-1%20%7C%7C%20host%20%3D%3D%20'www.pandora.com'%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fext.last.fm*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fgrooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fretro.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fhtml5.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Flisten.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.grooveshark.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fpreview.grooveshark.com*')%20%7C%7C%20url.indexOf('play.google.com')%20!%3D%20-1%20%7C%7C%20(url.indexOf('youtube.com%2Fvideoplayback')%20!%3D%20-1%20%26%26%20url.indexOf('%26gcr%3Dus')%20!%3D%20-1%20%26%26%20url.indexOf('%26ptchn')%20!%3D%20-1)%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.iheart.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.funimation.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fsecure.funimation.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fpiki.fm*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Faccount.beatsmusic.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.beatsmusic.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fplay.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.spotify.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fsongza.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fnew.songza.com*')%20%7C%7C%20host%20%3D%3D%20's.hulu.com'%20%7C%7C%20(url.indexOf('proxmate%3Dactive')%20!%3D%20-1%20%26%26%20url.indexOf('amazonaws.com')%20%3D%3D%20-1)%20%7C%7C%20(url.indexOf('proxmate%3Dus')%20!%3D%20-1)%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.mtv.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fmedia.mtvnservices.com*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.crunchyroll.com*')%20%7C%7C%20url.indexOf('discoverymedia.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fdsc.discovery.com%2F*')%20%7C%7C%20url.indexOf('southparkstudios.com')%20!%3D%20-1%20%7C%7C%20shExpMatch(url%2C%20'https%3A%2F%2Fwww.daisuki.net*')%20%7C%7C%20shExpMatch(url%2C%20'http%3A%2F%2Fwww.rdio.com*'))%20%7B%20return%20'PROXY%20%20%09109.73.70.165%3A8090'%3B%7D%20%20else%20%7B%20return%20'DIRECT'%3B%20%7D%7D"
FF NetworkProxy: "type", 2
FF Extension: Hola Better Internet - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\jid1-4P0kohSJxU1qGg@jetpack
FF Extension: No Name - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\staged
FF Extension: jid1-QpHD8URtZWJC2A - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\jid1-QpHD8URtZWJC2A@jetpack.xpi
FF Extension: mediahint - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\mediahint@jetpack.xpi
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:


Firefox Proxy settings were reset.
Firefox Proxy settings were reset.
FF Extension: Hola Better Internet - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\jid1-4P0kohSJxU1qGg@jetpack not found.
FF Extension: No Name - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\staged not found.
FF Extension: jid1-QpHD8URtZWJC2A - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\jid1-QpHD8URtZWJC2A@jetpack.xpi not found.
FF Extension: mediahint - C:\Users\mathb_000\AppData\Roaming\Mozilla\Firefox\Profiles\3siszp71.default\Extensions\mediahint@jetpack.xpi not found.

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

Unable to connect to BITS - 0x8007042c
The dependency service or group failed to start.

========= End of CMD: =========

========= DEL %TEMP%\*.* /F /S /Q =========

Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\114514328.od
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\171417968.od
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\249614718.od
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\30124843.od
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\63443687.od
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\64244031.od
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\92160687.od
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\AmazonMP3AlbumArt.png
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\AmazonMP3Logo.png
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\ART1EDA.tmp
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\chart_data.dat
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\chrome_installer.log
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\CVR12D7.tmp.cvr
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\CVR42AF.tmp.cvr
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\CVR493F.tmp.cvr
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\CVR590B.tmp.cvr
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\CVRA122.tmp.cvr
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\CVRAB2B.tmp.cvr
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\CVRD16F.tmp.cvr
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\DMIC648.tmp
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\error051720_01.xml
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsaD18.tmp
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\qtsingleapp-fmlast-93b-1-lockfile
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\qtsingleapp-fmlast-93b-2-lockfile
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\qtsingleapp-fmlast-cd93-1-lockfile
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\qtsingleapp-fmlast-cd93-2-lockfile
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\Skype.msi
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\streaming_updates.dat
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\StructuredQuery.log
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\wmsetup.log
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\~DF046969875022EC49.TMP
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\~DF47486C5564CD6971.TMP
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\~DF62536F7DD3FB7504.TMP
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\~DF8C0930F1FB33206D.TMP
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\~DFD1044B8F6B810988.TMP
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\~DFDDEE9CAF76A1C95F.TMP
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\avastBCLTMP\chrome\Default\Web Data
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\avastBCLTMP\firefox\jid1-qphd8urtzwjc2a@jetpack\icon.png
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\avastBCLTMP\firefox\{73a6fe31-595d-460b-a920-fcc0f8843232}\chrome\noscript.jar
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\avastBCLTMP\firefox\{73a6fe31-595d-460b-a920-fcc0f8843232}\noscript.jar.unp\skin\classic\noscript\icon32.png
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\avastBCLTMP\firefox\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}\skin\icon32.png
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\CitrixLogs\GoToMeeting\G2MUpdate.log
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\msohtmlclip1\01\clip_colorschememapping.xml
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\msohtmlclip1\01\clip_themedata.thmx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\7z.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\Client7z.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\downloader.exe
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\downloaderMessages.ini
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\InstallOptions.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\installOptions.ini
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\ioSpecial.ini
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\library.zip
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\md5dll.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\Microsoft.VC90.CRT.manifest
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\modern-wizard.bmp
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\msvcm90.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\msvcp90.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\msvcr90.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\NSISHelper.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\sidebanner.bmp
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nsf3272.tmp\System.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nso7F7.tmp\InstallOptions.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nso7F7.tmp\ioSpecial.ini
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nso7F7.tmp\modern-wizard.bmp
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nso7F7.tmp\NSISHelper.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nso7F7.tmp\sidebanner.bmp
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\nso7F7.tmp\System.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\SimCity\0x10c83361!1762653860956059293.jpg
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\Skype\DbTemp\temp-iLUjZQhPA6gqtKdFZ4iVEVaA
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\Skype\DbTemp\temp-UxOO8jdg7mcbsTMtaP8qjcxd
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\Skype\DbTemp\temp-wjslouTwExWgk3WGSElMCMs5
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\Skype\DbTemp\temp-ynhe3YuOJ1K2nqh1xdQPeu9U
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\avBugReport.exe
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\avbugreport_ais-7e5.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\HTMLayout.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\instcont_ais-7e5.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\Instup.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\instup.exe
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\instup_ais-7e5.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\offertool_ais-7e5.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\part-iex-1.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\part-jrog2-ab1.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\part-jrog2-af9.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\part-prg_ais-7e5.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\part-setup_ais-7e5.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\part-vps_win32-14062601.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\part-vps_win32-14072701.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\prod-ais.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\prod-vps.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\selfdefense_x64_ais-7e5.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\selfdefense_x86_ais-7e5.vpx.dld
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\servers.def
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\servers.def.lkg
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\servers.def.vpx
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\_av_iup.tm~a05264\setgui_ais-7e5.vpx

========= End of CMD: =========

========= RD /S /Q %TEMP% =========

C:\Users\MATHB_~1\AppData\Local\Temp\etilqs_GCgSuhQ0RkdWE1A - The process cannot access the file because it is being used by another process.
C:\Users\MATHB_~1\AppData\Local\Temp\etilqs_K0HMxhFC7Eh9cFJ - The process cannot access the file because it is being used by another process.
C:\Users\MATHB_~1\AppData\Local\Temp\etilqs_ofSGgY1bHasVHFJ - The process cannot access the file because it is being used by another process.
C:\Users\MATHB_~1\AppData\Local\Temp\etilqs_w0bzGX0h403GWrg - The process cannot access the file because it is being used by another process.
C:\Users\MATHB_~1\AppData\Local\Temp\~DF046969875022EC49.TMP - Access is denied.
C:\Users\MATHB_~1\AppData\Local\Temp\~DF47486C5564CD6971.TMP - Access is denied.
C:\Users\MATHB_~1\AppData\Local\Temp\~DF8C0930F1FB33206D.TMP - Access is denied.
C:\Users\MATHB_~1\AppData\Local\Temp\~DFD1044B8F6B810988.TMP - Access is denied.
C:\Users\MATHB_~1\AppData\Local\Temp\~DFDDEE9CAF76A1C95F.TMP - Access is denied.

========= End of CMD: =========

The system needed a reboot.

==== End of Fixlog ====

Could you now run a fresh scan with the updated FRST please, as that is a vast improvement on last year's copy.

Thank you SO MUCH for your assistance so far! When I was a bit younger I used to browse this forum all the time and look up to you because you were so helpful ;D

EDIT: Maybe it’s my Internet connection? I’m at my Grandma’s apartment complex and while her wi-fi is her personal connection it runs under a special internet provider setup. Maybe that’s the firewall that was blocking FRST and OTL?

That SoundCloud downloader truly is malicious… there were so many issues tacked on with it. CNET needs to step up their game and give thought to what they put on their website.

If the router is blocking it, then mayhap that is infected.

I would like to check out the services next as I fear a few may be broken

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {9F4F8C9A-201E-45B4-8AE7-5CC91141DEBC} URL =
SearchScopes: HKCU - {9F4F8C9A-201E-45B4-8AE7-5CC91141DEBC} URL =
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
R2 Amazon Download Agent; C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [401920 2009-10-23] (Amazon.com) [File not signed]
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Download and run farbar service scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

It's a firewall that's blocking it, I Googled it and it appears legitimate. If there is no issue when I get back home then I'll inquire about a possible router infection. Logs on the way :)

Content of fixlist:


SearchScopes: HKLM - DefaultScope value is missing.
SearchScopes: HKLM-x32 - DefaultScope value is missing.
SearchScopes: HKCU - DefaultScope {9F4F8C9A-201E-45B4-8AE7-5CC91141DEBC} URL =
SearchScopes: HKCU - {9F4F8C9A-201E-45B4-8AE7-5CC91141DEBC} URL =
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
CHR HKCU\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
R2 Amazon Download Agent; C:\Program Files (x86)\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [401920 2009-10-23] (Amazon.com) [File not signed]
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:


HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope => Value was restored successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope => Value was restored successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9F4F8C9A-201E-45B4-8AE7-5CC91141DEBC}" => Key deleted successfully.
"HKCR\CLSID\{9F4F8C9A-201E-45B4-8AE7-5CC91141DEBC}" => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value deleted successfully.
"HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}" => Key not found.
"HKCU\SOFTWARE\Policies\Google" => Key deleted successfully.
Amazon Download Agent => Unable to stop service
Amazon Download Agent => Service deleted successfully.

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
(C) Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

========= DEL %TEMP%\*.* /F /S /Q =========

Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\drm_dyndata_7400009.dll
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\avastBCLTMP\chrome\Default\Web Data
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\avastBCLTMP\firefox\jid1-qphd8urtzwjc2a@jetpack\icon.png
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\avastBCLTMP\firefox\{73a6fe31-595d-460b-a920-fcc0f8843232}\chrome\noscript.jar
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\avastBCLTMP\firefox\{73a6fe31-595d-460b-a920-fcc0f8843232}\noscript.jar.unp\skin\classic\noscript\icon32.png
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\avastBCLTMP\firefox\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}\skin\icon32.png
Deleted file - C:\Users\MATHB_~1\AppData\Local\Temp\CitrixLogs\GoToMeeting\G2MUpdate.log

========= End of CMD: =========

========= RD /S /Q %TEMP% =========

C:\Users\MATHB_~1\AppData\Local\Temp\etilqs_veGeeM2cUxg5dSi - The process cannot access the file because it is being used by another process.
C:\Users\MATHB_~1\AppData\Local\Temp\etilqs_xDAC6JwRHNtnoYz - The process cannot access the file because it is being used by another process.
C:\Users\MATHB_~1\AppData\Local\Temp\etilqs_zZpXtiW0hhqY59k - The process cannot access the file because it is being used by another process.

========= End of CMD: =========

The system needed a reboot.

==== End of Fixlog ====

Farbar Service Scanner was blocked, "Failed - Network Error" right before it finished. A 1 KB file is saved instead. How would you go about resetting a router? I'm almost positive that my grandmother's router must be infected.

Do you have access to the physical box? If so, then let me know what the make/model is.

Netgear Wireless-N 300 Router.