
Backdoor/Gen + can't run Windows Update


  • This topic is locked
31 replies to this topic

#1 tekhelpr

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:23 AM

Posted 24 October 2013 - 02:20 PM

Hello!  This is my first post to BleepingComputer forums after reading the Welcome Guide and other pinned Forum instructions.

I am helping a friend with her laptop, which has been infected with something I cannot remove using several tools, including MBAM, SuperAntiSpyware, AVG Free Antivirus to name a few.

A brief description of the known issues:

-  Windows in normal mode does not allow programs to start.  Instead, a popup states that the program did not start in a timely manner.  

-  Windows Update does not run.  

-  Attempts to run a manual update .exe file fail.

-  The Security Center is disabled.

-  AVG Free Antivirus starts in a dysfunctional state, stating it requires a reboot to correct the issue, which does not help.

-  Safe Mode has some functionality, but Windows Update does not run and Security Center remains disabled.

-  On a Multiboot Linux USB, I am able to run scans using AVG, Avira, Kaspersky, AOSS, Comodo and others, and though some problems may be found and removed, the original problems persist.

Please find the DDS logs attached as requested.

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 9.0.8112.16506  BrowserJavaVersion: 10.45.2
Run by Rebecca at 18:55:52 on 2013-10-24
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1917.1308 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\Explorer.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\FirewallControlPanel.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
BHO: ERBHOMasterObject Class: {5A15CA85-DAB9-456c-95ED-06C6E3885C2A} - c:\program files\exitreality\webspace\system\ExitRealityHelper.dll
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Google Update] "c:\users\rebecca\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Windows Mobile-based device management] c:\windows\windowsmobile\wmdSync.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_UI] "c:\program files\avg\avg2014\avgui.exe" /TRAYONLY
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRunOnce: [panda2_0dn] reg.exe delete "HKCU\Software\AppDataLow\Software\panda2_0dn" /f
dRunOnce: [panda2_0dn_XP] reg.exe delete "HKCU\Software\panda2_0dn" /f
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
mPolicies-Explorer: BindDirectlyToPropertySetStorage = dword:0
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
LSP: c:\windows\system32\wpclsp.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 68.237.161.12 71.250.0.12 192.168.1.1
TCP: Interfaces\{0642EFCB-8E53-40C6-82BB-3788A1190ACD} : DHCPNameServer = 68.237.161.12 71.250.0.12 192.168.1.1
TCP: Interfaces\{4259B441-DFC2-4EEB-8101-F2E29801372C} : DHCPNameServer = 213.230.155.10 213.230.130.222
TCP: Interfaces\{4FFD3413-E9D3-471B-8920-EFCB0C9764FF} : DHCPNameServer = 68.237.161.12 71.250.0.12 192.168.1.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
LSA: Security Packages =  kerberos msv1_0 schannel wdigest tspkg
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\30.0.1599.101\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-9-2 145720]
R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-9-2 223032]
R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-8-20 102200]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-9-8 27448]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-8-1 193848]
R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2013-10-5 37664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-8-22 7168]
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2013-6-18 211560]
S1 Avgdiskx;AVG Disk Driver;c:\windows\system32\drivers\avgdiskx.sys [2013-9-25 120632]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-9-2 209208]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-9-10 22840]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-9-2 176952]
S1 MpKsle0d3d50c;MpKsle0d3d50c;c:\programdata\microsoft\microsoft antimalware\definition updates\{0f2b499a-19b3-4c2f-baea-d9de9be24f83}\MpKsle0d3d50c.sys [2013-10-21 40392]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2014\avgidsagent.exe [2013-10-3 3538480]
S2 avgwd;AVG WatchDog;c:\program files\avg\avg2014\avgwdsvc.exe [2013-9-25 301152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-28 21504]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-10-21 418376]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-10-21 701512]
S2 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2013-1-20 107392]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2013-7-3 1228504]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2013-7-3 660184]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-21 162408]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-4-14 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-10-21 22856]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-10-21 40776]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2013-6-20 295376]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf_x86.sys [2013-7-3 16024]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2010-8-29 86824]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2010-8-29 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2010-8-29 114600]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2010-8-29 108328]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2010-8-29 26024]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2010-8-29 104616]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2010-8-29 109736]
S3 winbondcir;Winbond IR Transceiver;c:\windows\system32\drivers\winbondcir.sys [2007-3-28 43008]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-4-18 754856]
.
=============== Created Last 30 ================
.
2013-10-22 01:47:45 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-10-22 01:05:32 40392 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{0f2b499a-19b3-4c2f-baea-d9de9be24f83}\MpKsle0d3d50c.sys
2013-10-21 05:03:45 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-10-21 05:03:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-10-21 03:25:01 -------- d-----w- c:\program files\CCleaner
2013-10-21 03:04:18 7796464 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{0f2b499a-19b3-4c2f-baea-d9de9be24f83}\mpengine.dll
2013-10-20 09:01:18 -------- dc----w- C:\AdwCleaner
2013-10-18 17:25:45 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-10-17 12:07:46 -------- d-----w- c:\program files\ProcessExplorer
2013-10-17 11:29:50 -------- d--h--w- c:\windows\PIF
2013-10-17 11:01:47 -------- d-----w- c:\windows\system32\MpEngineStore
2013-10-17 10:25:03 -------- dc----w- C:\myupdates
2013-10-16 21:01:09 -------- d-----w- C:\acr_logs
2013-10-14 22:51:15 7328304 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-10-14 18:15:28 -------- d---a-w- C:\cce_linux
2013-10-07 06:02:27 -------- d-----w- c:\program files\ESET
2013-10-07 05:36:08 -------- d-----w- c:\users\rebecca\appdata\local\ElevatedDiagnostics
2013-10-07 00:53:03 -------- d-----w- c:\users\rebecca\appdata\local\AVG SafeGuard toolbar
2013-10-06 03:54:13 -------- d-----w- c:\users\rebecca\appdata\roaming\AVG2014
2013-10-06 03:53:11 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
2013-10-06 03:52:59 -------- d-----w- c:\programdata\AVG SafeGuard toolbar
2013-10-06 03:52:53 -------- d-----w- c:\program files\AVG SafeGuard toolbar
2013-10-06 03:51:19 -------- dc-h--w- C:\$AVG
2013-10-06 03:51:19 -------- d-----w- c:\programdata\AVG2014
2013-10-06 03:50:33 -------- d-----w- c:\program files\AVG
2013-10-06 03:48:51 -------- d-----w- c:\users\rebecca\appdata\local\Avg2014
2013-10-06 01:16:26 257928 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-10-05 21:13:57 -------- d-----w- C:\bd_logs
2013-09-26 03:51:17 -------- d-----w- c:\programdata\Oracle
2013-09-26 01:43:46 -------- d-----w- c:\users\rebecca\appdata\roaming\Malwarebytes
2013-09-26 01:43:08 -------- d-----w- c:\programdata\Malwarebytes
2013-09-26 00:57:14 120632 ----a-w- c:\windows\system32\drivers\avgdiskx.sys
2013-09-26 00:16:48 -------- d-----w- c:\users\rebecca\appdata\roaming\SUPERAntiSpyware.com
2013-09-26 00:16:15 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2013-09-26 00:16:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2013-09-25 23:29:53 -------- d-----w- c:\users\rebecca\appdata\local\Secunia PSI
2013-09-25 23:29:18 -------- d-----w- c:\program files\Secunia
.
==================== Find3M  ====================
.
2013-10-22 01:03:04 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-10-22 01:03:04 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-11 02:11:44 22840 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2013-09-09 02:12:16 27448 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2013-09-02 14:39:32 176952 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2013-09-02 14:28:06 145720 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2013-09-02 14:28:04 209208 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2013-09-02 14:28:00 223032 ----a-w- c:\windows\system32\drivers\avglogx.sys
2013-08-08 01:45:09 2049536 ----a-w- c:\windows\system32\win32k.sys
2013-08-02 04:09:35 1548288 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-08-01 20:08:52 193848 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2013-07-31 10:00:20 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-07-31 09:52:44 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-07-31 09:52:34 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-07-31 09:48:43 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-07-31 09:48:09 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-07-31 09:45:42 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 18:57:47.80 ===============

#2 B-boy/StyLe/

    Bleeping Freestyler


  • Malware Response Team
  • 6,570 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:23 PM

Posted 26 October 2013 - 04:53 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
  • I'll catch you tomorrow since I need my sleep. :)

Regards,
Georgi



#3 tekhelpr

  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:10:23 AM

Posted 26 October 2013 - 06:18 PM

Thank you for replying, Georgi!

Please note that after booting but prior to Windows Desktop, I now got a Windows Activation window that says, "An unauthorized change was made to Windows.  You must re-type your Windows Vista Home Premium product key to activate."  I'm worried that some recent scan I did prompted the bug to do this.  I have not entered the product key.

I did not yet press the Fix button on the Farbar tool.  The log follows and the Addition.txt is attached:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 26-10-2013 01
Ran by Rebecca (administrator) on ANDREAS-PC on 26-10-2013 18:59:47
Running from C:\Users\Rebecca\Desktop
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) ===================
 
(Microsoft Corporation) c:\Program Files\Microsoft Security Client\MsMpEng.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
(Microsoft Corporation) C:\Windows\helppane.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [4702208 2007-08-09] (Realtek Semiconductor)
HKLM\...\Run: [SynTPStart] - C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-08-15] (Synaptics, Inc.)
HKLM\...\Run: [AppleSyncNotifier] - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-10-06] (Apple Inc.)
HKLM\...\Run: [Windows Mobile-based device management] - C:\Windows\WindowsMobile\wmdSync.exe [215552 2006-11-02] (Microsoft Corporation)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [MSC] - c:\Program Files\Microsoft Security Client\msseces.exe [995176 2013-06-20] (Microsoft Corporation)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-09-17] (Apple Inc.)
HKLM\...\Run: [AVG_UI] - C:\Program Files\AVG\AVG2014\avgui.exe [4908592 2013-10-07] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKCU\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [430080 2007-05-18] ()
HKCU\...\Run: [Google Update] - C:\Users\Rebecca\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2013-03-03] (Google Inc.)
HKCU\...\Run: [SUPERAntiSpyware] - C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [5706480 2013-10-02] (SUPERAntiSpyware)
HKCU\...\Policies\system: [LogonHoursAction] 2
HKCU\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Andreas\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-19] (Microsoft Corporation)
HKU\Andreas\...\Run: [Pando Media Booster] - C:\Program Files\Pando Networks\Media Booster\PMB.exe
HKU\Andreas\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2008-06-07] (Google Inc.)
HKU\Andreas\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-19] (Microsoft Corporation)
HKU\Andreas\...\Run: [Google Update] - C:\Users\Andreas\AppData\Local\Google\Update\GoogleUpdate.exe [ 2011-10-17] (Google Inc.)
HKU\Andreas\...\Policies\system: [LogonHoursAction] 2
HKU\Andreas\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2007-05-18] ()
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2007-05-18] ()
HKU\Mcx1\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Mcx1\...\Run: [TOSCDSPD] - C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe [ 2007-05-18] ()
HKU\Mcx1\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-19] (Microsoft Corporation)
HKU\Mcx1\...\Policies\system: [LogonHoursAction] 2
HKU\Mcx1\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Mcx1\...\Winlogon: [Shell] EXPLORER.EXE <==== ATTENTION 
BootExecute: 
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
SearchScopes: HKLM - DefaultScope value is missing.
BHO: ERBHOMasterObject Class - {5A15CA85-DAB9-456c-95ED-06C6E3885C2A} - C:\Program Files\ExitReality\Webspace\System\ExitRealityHelper.dll ()
BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
ShellExecuteHooks: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [115440 2013-05-07] (SuperAdBlocker.com)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 02 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 03 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 04 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 05 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 06 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 07 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 08 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Winsock: Catalog9 19 C:\Windows\system32\wpclsp.dll [72192] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 68.237.161.12 71.250.0.12 192.168.1.1
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.com
CHR RestoreOnStartup: "hxxp://www.google.com/"
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\30.0.1599.101\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\30.0.1599.101\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\30.0.1599.101\gcswf32.dll No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.1) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (ExitReality Online) - C:\Program Files\ExitReality\WebSpace\System\Mozilla\nperonline.dll (ExitReality)
CHR Plugin: (Google Earth Plugin) - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Updater) - C:\Program Files\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll (Google)
CHR Plugin: (Picasa) - C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll No File
CHR Plugin: (Microsoft Office Live Plug-in for Firefox) - C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
CHR Plugin: (Windows Live\u0099 Photo Gallery) - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Nexon Game Controller) - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Extension: (Skype Click to Call) - C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl\6.9.0.12585_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx
 
========================== Services (Whitelisted) =================
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [119056 2013-05-23] (SUPERAntiSpyware.com)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3538480 2013-10-03] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [301152 2013-09-25] (AVG Technologies CZ, s.r.o.)
S2 EPSON_PM_RPCV4_01; C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE [113664 2007-01-11] (SEIKO EPSON CORPORATION)
S2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22208 2013-06-20] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [295376 2013-06-20] (Microsoft Corporation)
S2 pinger; C:\Toshiba\IVP\ISM\pinger.exe [136816 2007-01-25] ()
S2 Secunia PSI Agent; C:\Program Files\Secunia\PSI\PSIA.exe [1228504 2013-07-03] (Secunia)
S2 Secunia Update Agent; C:\Program Files\Secunia\PSI\sua.exe [660184 2013-07-03] (Secunia)
S2 Swupdtmr; c:\Toshiba\IVP\swupdate\swupdtmr.exe [63096 2007-01-25] ()
S2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
S4 RoxLiveShare9; "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe" [x]
 
==================== Drivers (Whitelisted) ====================
 
S3 61883; C:\Windows\System32\DRIVERS\61883.sys [45696 2008-01-19] (Microsoft Corporation)
R3 Afc; C:\Windows\System32\drivers\Afc.sys [11776 2005-02-23] (Arcsoft, Inc.)
S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [120632 2013-09-25] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [209208 2013-09-02] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [145720 2013-09-02] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [22840 2013-09-10] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [176952 2013-09-02] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [223032 2013-09-02] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [102200 2013-08-20] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27448 2013-09-08] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [193848 2013-08-01] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2013-10-05] (AVG Technologies)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\mbamswissarmy.sys [40776 2013-10-22] (Malwarebytes Corporation)
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
S1 MpKsl1b2d0caa; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0F2B499A-19B3-4C2F-BAEA-D9DE9BE24F83}\MpKsl1b2d0caa.sys [40392 2013-10-25] (Microsoft Corporation)
S1 MpKsle0d3d50c; c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{0F2B499A-19B3-4C2F-BAEA-D9DE9BE24F83}\MpKsle0d3d50c.sys [40392 2013-10-21] (Microsoft Corporation)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf_x86.sys [16024 2013-07-03] (Secunia)
S3 s0017bus; C:\Windows\System32\DRIVERS\s0017bus.sys [86824 2008-10-21] (MCCI Corporation)
S3 s0017mdfl; C:\Windows\System32\DRIVERS\s0017mdfl.sys [15016 2008-10-21] (MCCI Corporation)
S3 s0017mdm; C:\Windows\System32\DRIVERS\s0017mdm.sys [114600 2008-10-21] (MCCI Corporation)
S3 s0017mgmt; C:\Windows\System32\DRIVERS\s0017mgmt.sys [108328 2008-10-21] (MCCI Corporation)
S3 s0017nd5; C:\Windows\System32\DRIVERS\s0017nd5.sys [26024 2008-10-21] (MCCI Corporation)
S3 s0017obex; C:\Windows\System32\DRIVERS\s0017obex.sys [104616 2008-10-21] (MCCI Corporation)
S3 s0017unic; C:\Windows\System32\DRIVERS\s0017unic.sys [109736 2008-10-21] (MCCI Corporation)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12880 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67664 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [717296 2009-02-21] ()
S1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)
S3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [11776 2007-04-16] (Chicony Electronics Co., Ltd.)
S3 winbondcir; C:\Windows\System32\DRIVERS\winbondcir.sys [43008 2007-03-28] (Winbond Electronics Corporation)
U3 a8r2ws84; C:\Windows\System32\Drivers\a8r2ws84.sys [0 ] (Microsoft Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S4 EagleNT; \??\C:\Windows\system32\drivers\EagleNT.sys [x]
S4 IO_Memory; \??\C:\WINDOWS\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
S4 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 ONDAusbmdm6k; system32\DRIVERS\ONDAusbmdm6k.sys [x]
S3 ONDAusbnet; system32\DRIVERS\ONDAusbnet.sys [x]
S3 ONDAusbnmea; system32\DRIVERS\ONDAusbnmea.sys [x]
S3 ONDAusbser6k; system32\DRIVERS\ONDAusbser6k.sys [x]
S3 RimUsb; System32\Drivers\RimUsb.sys [x]
S3 Tosrfcom; No ImagePath
S3 WDC_SAM; system32\DRIVERS\wdcsam.sys [x]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-10-26 18:59 - 2013-10-26 18:59 - 00000000 ___DC C:\FRST
2013-10-26 18:59 - 2013-10-26 18:58 - 01089001 _____ (Farbar) C:\Users\Rebecca\Desktop\FRST.exe
2013-10-26 18:58 - 2013-10-26 18:58 - 01089001 _____ (Farbar) C:\Users\Rebecca\Downloads\FRST.exe
2013-10-25 19:43 - 2013-10-25 19:43 - 00008908 _____ C:\Users\Rebecca\Desktop\Attach10252013prefinishboot.txt
2013-10-25 19:42 - 2013-10-25 19:42 - 00014844 _____ C:\Users\Rebecca\Desktop\DDS10252013prefinishboot.txt
2013-10-25 19:36 - 2013-10-25 19:47 - 00014805 _____ C:\Users\Rebecca\Desktop\dds.txt
2013-10-25 19:36 - 2013-10-25 19:47 - 00008908 _____ C:\Users\Rebecca\Desktop\attach.txt
2013-10-24 18:57 - 2013-10-24 18:57 - 00015498 _____ C:\Users\Rebecca\Desktop\dds10242013.txt
2013-10-24 18:57 - 2013-10-24 18:57 - 00010052 _____ C:\Users\Rebecca\Desktop\attach10242013.txt
2013-10-24 18:55 - 2013-10-24 18:54 - 00688992 ____R (Swearware) C:\Users\Rebecca\Desktop\dds.com
2013-10-24 18:54 - 2013-10-24 18:54 - 00688992 _____ (Swearware) C:\Users\Rebecca\Downloads\dds.com
2013-10-24 01:07 - 2013-10-24 01:08 - 524288000 ____C C:\REMOVE_THIS_FILE.livecd.swap
2013-10-21 21:47 - 2013-10-22 19:06 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2013-10-21 20:42 - 2013-10-25 21:06 - 00000736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-21 20:42 - 2013-10-25 21:06 - 00000736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-21 20:42 - 2013-10-21 20:43 - 00000552 _____ C:\Windows\system32\spsys.log
2013-10-21 18:24 - 2013-10-26 18:45 - 00334720 _____ C:\Windows\system32\FNTCACHE.DAT
2013-10-21 18:24 - 2013-10-22 18:45 - 00000974 _____ C:\Windows\PFRO.log
2013-10-21 01:03 - 2013-10-21 01:03 - 00000877 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-21 01:03 - 2013-10-21 01:03 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-10-21 01:03 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-10-21 01:02 - 2013-10-21 01:02 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Rebecca\Downloads\mbam-setup-1.75.0.1300 (2).exe
2013-10-21 00:33 - 2013-10-25 19:35 - 00011853 _____ C:\Windows\WindowsUpdate.log
2013-10-20 23:58 - 2013-10-20 23:59 - 00224174 _____ C:\Users\Rebecca\Documents\cc_20131020_235833.reg.bkup.reg
2013-10-20 23:25 - 2013-10-20 23:25 - 00000775 _____ C:\Users\Public\Desktop\CCleaner.lnk
2013-10-20 23:25 - 2013-10-20 23:25 - 00000000 ____D C:\Program Files\CCleaner
2013-10-20 23:09 - 2013-10-20 23:10 - 04369632 _____ (Piriform Ltd) C:\Users\Rebecca\Downloads\ccsetup406.exe
2013-10-20 05:01 - 2013-10-20 05:28 - 00000000 ___DC C:\AdwCleaner
2013-10-20 04:55 - 2013-10-20 04:55 - 04121952 _____ (Kaspersky Lab ZAO) C:\Users\Rebecca\Downloads\tdsskiller (2).exe
2013-10-18 13:26 - 2013-10-18 13:26 - 00000000 ____D C:\Program Files\Common Files\Java
2013-10-18 13:25 - 2013-10-18 13:25 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2013-10-18 13:25 - 2013-10-18 13:25 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2013-10-18 13:25 - 2013-10-18 13:25 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2013-10-18 13:25 - 2013-10-18 13:25 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2013-10-18 13:22 - 2013-10-18 13:22 - 00915368 _____ (Oracle Corporation) C:\Users\Rebecca\Downloads\chromeinstall-7u45.exe
2013-10-17 08:07 - 2013-10-17 08:07 - 00000000 ____D C:\Program Files\ProcessExplorer
2013-10-17 08:06 - 2013-07-31 13:08 - 02799296 _____ (Sysinternals - www.sysinternals.com) C:\Users\Rebecca\Downloads\procexp.exe
2013-10-17 07:29 - 2013-10-17 07:29 - 00000000 ___HD C:\Windows\PIF
2013-10-17 07:01 - 2013-10-17 07:01 - 00000000 ____D C:\Windows\system32\MpEngineStore
2013-10-17 06:40 - 2013-10-17 06:42 - 86845712 _____ (Microsoft Corporation) C:\Users\Rebecca\Downloads\msert (1).exe
2013-10-17 06:28 - 2013-10-17 06:28 - 21414024 _____ (Microsoft Corporation) C:\Users\Andreas\Downloads\Windows-KB890830-V5.5.exe
2013-10-17 06:25 - 2013-10-17 06:26 - 00000000 ___DC C:\myupdates
2013-10-17 02:04 - 2013-10-17 02:04 - 00000000 ____D C:\Users\Andreas\AppData\Roaming\Malwarebytes
2013-10-17 01:45 - 2013-10-17 01:45 - 00000000 ____D C:\Users\Andreas\AppData\Roaming\SUPERAntiSpyware.com
2013-10-17 01:03 - 2013-10-17 01:03 - 00000000 ____D C:\Users\Andreas\AppData\Local\Avg2014
2013-10-15 02:58 - 2013-10-15 02:38 - 58707968 _____ C:\comodo_rescue_disk_2.0.275239.1.iso
2013-10-14 21:55 - 2013-10-14 23:48 - 424005844 _____ C:\Users\Rebecca\Downloads\bases (1).cav
2013-10-14 18:46 - 2013-10-14 19:18 - 00000000 _____ C:\Users\Rebecca\Downloads\bases.cav
2013-10-14 18:44 - 2013-10-14 18:48 - 00000000 _____ C:\Users\Rebecca\Downloads\cce_2.5.242177.201_x32.zip
2013-10-14 14:15 - 2013-10-14 17:24 - 00000000 ____D C:\cce_linux
2013-10-07 18:53 - 2013-10-07 18:53 - 02347384 _____ (ESET) C:\Users\Rebecca\Downloads\esetsmartinstaller_enu (1).exe
2013-10-07 18:24 - 2013-10-07 18:24 - 00661184 _____ (Sysinternals - www.sysinternals.com) C:\Users\Rebecca\Downloads\autoruns.exe
2013-10-07 18:19 - 2013-10-07 18:23 - 00002866 _____ C:\Users\Rebecca\Desktop\Rkill.txt
2013-10-07 18:17 - 2013-10-07 18:19 - 00004253 _____ C:\Users\Rebecca\Documents\aswMBR.txt
2013-10-07 18:17 - 2013-10-07 18:19 - 00000512 _____ C:\Users\Rebecca\Documents\MBR.dat
2013-10-07 10:43 - 2013-10-07 10:43 - 00000000 _RSHC C:\MSDOS.SYS
2013-10-07 10:43 - 2013-10-07 10:43 - 00000000 _RSHC C:\IO.SYS
2013-10-07 10:23 - 2013-10-07 10:23 - 02053704 _____ (Microsoft Corporation) C:\Users\Rebecca\Downloads\msxml4-KB2721691-enu.exe
2013-10-07 09:10 - 2013-10-07 13:14 - 00000083 _____ C:\AOSS.log
2013-10-07 02:02 - 2013-10-07 02:02 - 00000000 ____D C:\Program Files\ESET
2013-10-07 02:00 - 2013-10-07 02:00 - 00275181 _____ C:\Users\Rebecca\Downloads\WindowsUpdateDiagnostic (1).diagcab
2013-10-07 01:34 - 2013-10-07 01:34 - 00347424 _____ (Microsoft Corporation) C:\Users\Rebecca\Downloads\MicrosoftFixit.wu.RNP.50304554889194055.1.1.Run.exe
2013-10-07 01:33 - 2013-10-07 01:33 - 00275181 _____ C:\Users\Rebecca\Downloads\WindowsUpdateDiagnostic.diagcab
2013-10-06 20:53 - 2013-10-09 19:12 - 00000000 ____D C:\Users\Rebecca\AppData\Local\AVG SafeGuard toolbar
2013-10-06 11:04 - 2013-10-06 11:04 - 01191834 _____ C:\Users\Rebecca\Downloads\ProcessExplorer.zip
2013-10-06 10:01 - 2013-10-06 10:01 - 00000177 _____ C:\Windows\system32\avgrep.txt
2013-10-06 00:16 - 2013-10-16 20:25 - 00000180 _____ C:\Users\Rebecca\Desktop\avgrep.txt
2013-10-05 23:54 - 2013-10-05 23:54 - 00000000 ____D C:\Users\Rebecca\AppData\Roaming\AVG2014
2013-10-05 23:53 - 2013-10-10 10:07 - 00000853 _____ C:\Users\Public\Desktop\AVG 2014.lnk
2013-10-05 23:53 - 2013-10-05 23:52 - 00037664 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx86.sys
2013-10-05 23:52 - 2013-10-09 18:58 - 00000000 ____D C:\Program Files\AVG SafeGuard toolbar
2013-10-05 23:52 - 2013-10-05 23:53 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
2013-10-05 23:51 - 2013-10-05 23:54 - 00000000 ____D C:\ProgramData\AVG2014
2013-10-05 23:51 - 2013-10-05 23:51 - 00000000 __HDC C:\$AVG
2013-10-05 23:50 - 2013-10-05 23:50 - 00000000 ____D C:\Program Files\AVG
2013-10-05 23:48 - 2013-10-06 00:16 - 00000000 ____D C:\Users\Rebecca\AppData\Local\Avg2014
2013-10-05 23:48 - 2013-10-05 23:48 - 04433128 _____ (AVG Technologies) C:\Users\Rebecca\Downloads\avg_free_stb_all_2014_4142.exe
2013-10-05 23:27 - 2013-10-05 23:27 - 27878304 _____ (SUPERAntiSpyware) C:\Users\Rebecca\Downloads\SUPERAntiSpyware.exe
2013-10-05 23:27 - 2013-10-05 23:27 - 00001811 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-10-05 22:47 - 2013-10-05 22:47 - 00000000 ____D C:\Windows\Sun
2013-10-05 22:44 - 2013-10-05 22:44 - 00913832 _____ (Oracle Corporation) C:\Users\Rebecca\Downloads\chromeinstall-7u40.exe
2013-10-05 21:49 - 2013-10-05 21:49 - 00803303 _____ C:\Users\Rebecca\AppData\Local\census.cache
2013-10-05 21:48 - 2013-10-05 21:48 - 00205299 _____ C:\Users\Rebecca\AppData\Local\ars.cache
2013-10-05 21:16 - 2013-10-05 21:16 - 02049128 _____ (Trend Micro Inc.) C:\Users\Rebecca\Downloads\HousecallLauncher.exe
2013-10-05 21:16 - 2013-10-05 21:16 - 00000036 _____ C:\Users\Rebecca\AppData\Local\housecall.guid.cache
2013-10-05 21:16 - 2012-07-26 22:02 - 00257928 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2013-10-05 21:09 - 2013-10-05 21:11 - 03272136 _____ (Secunia) C:\Users\Rebecca\Downloads\PSISetup.exe
2013-10-05 20:38 - 2013-10-05 20:39 - 20894344 _____ (Microsoft Corporation) C:\Users\Rebecca\Downloads\Windows-KB890830-V5.4.exe
 
==================== One Month Modified Files and Folders =======
 
2013-10-26 18:59 - 2013-10-26 18:59 - 00000000 ___DC C:\FRST
2013-10-26 18:58 - 2013-10-26 18:59 - 01089001 _____ (Farbar) C:\Users\Rebecca\Desktop\FRST.exe
2013-10-26 18:58 - 2013-10-26 18:58 - 01089001 _____ (Farbar) C:\Users\Rebecca\Downloads\FRST.exe
2013-10-26 18:45 - 2013-10-21 18:24 - 00334720 _____ C:\Windows\system32\FNTCACHE.DAT
2013-10-25 23:20 - 2008-02-28 10:19 - 00000414 ____H C:\Windows\Tasks\User_Feed_Synchronization-{F34B144A-D3EA-4A07-BFEE-48337FCC6BB2}.job
2013-10-25 23:08 - 2009-12-25 14:40 - 00001098 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-10-25 23:06 - 2012-10-10 22:09 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-10-25 23:06 - 2009-12-25 14:40 - 00001094 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-10-25 23:06 - 2006-11-02 09:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-10-25 21:06 - 2013-10-21 20:42 - 00000736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-25 21:06 - 2013-10-21 20:42 - 00000736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-25 19:47 - 2013-10-25 19:36 - 00014805 _____ C:\Users\Rebecca\Desktop\dds.txt
2013-10-25 19:47 - 2013-10-25 19:36 - 00008908 _____ C:\Users\Rebecca\Desktop\attach.txt
2013-10-25 19:43 - 2013-10-25 19:43 - 00008908 _____ C:\Users\Rebecca\Desktop\Attach10252013prefinishboot.txt
2013-10-25 19:42 - 2013-10-25 19:42 - 00014844 _____ C:\Users\Rebecca\Desktop\DDS10252013prefinishboot.txt
2013-10-25 19:35 - 2013-10-21 00:33 - 00011853 _____ C:\Windows\WindowsUpdate.log
2013-10-24 18:57 - 2013-10-24 18:57 - 00015498 _____ C:\Users\Rebecca\Desktop\dds10242013.txt
2013-10-24 18:57 - 2013-10-24 18:57 - 00010052 _____ C:\Users\Rebecca\Desktop\attach10242013.txt
2013-10-24 18:54 - 2013-10-24 18:55 - 00688992 ____R (Swearware) C:\Users\Rebecca\Desktop\dds.com
2013-10-24 18:54 - 2013-10-24 18:54 - 00688992 _____ (Swearware) C:\Users\Rebecca\Downloads\dds.com
2013-10-24 01:08 - 2013-10-24 01:07 - 524288000 ____C C:\REMOVE_THIS_FILE.livecd.swap
2013-10-22 19:06 - 2013-10-21 21:47 - 00040776 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamswissarmy.sys
2013-10-22 18:45 - 2013-10-21 18:24 - 00000974 _____ C:\Windows\PFRO.log
2013-10-21 21:18 - 2013-07-04 22:30 - 00001942 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-10-21 21:13 - 2012-01-08 16:20 - 00000000 ____D C:\Users\Rebecca\AppData\Local\Google
2013-10-21 21:03 - 2012-10-10 22:09 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2013-10-21 21:03 - 2011-05-19 00:29 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2013-10-21 20:43 - 2013-10-21 20:42 - 00000552 _____ C:\Windows\system32\spsys.log
2013-10-21 20:10 - 2012-05-26 22:31 - 00000680 _____ C:\Users\Rebecca\AppData\Local\d3d9caps.dat
2013-10-21 13:54 - 2008-02-27 20:14 - 00000000 ____D C:\Users\Andreas
2013-10-21 01:03 - 2013-10-21 01:03 - 00000877 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-10-21 01:03 - 2013-10-21 01:03 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-10-21 01:02 - 2013-10-21 01:02 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Rebecca\Downloads\mbam-setup-1.75.0.1300 (2).exe
2013-10-20 23:59 - 2013-10-20 23:58 - 00224174 _____ C:\Users\Rebecca\Documents\cc_20131020_235833.reg.bkup.reg
2013-10-20 23:30 - 2007-08-22 16:26 - 00000000 ____D C:\Program Files\Java
2013-10-20 23:27 - 2012-03-30 17:55 - 00000000 ____D C:\Users\Rebecca\AppData\Roaming\Skype
2013-10-20 23:26 - 2007-08-22 15:24 - 00000000 ____D C:\Windows\Panther
2013-10-20 23:25 - 2013-10-20 23:25 - 00000775 _____ C:\Users\Public\Desktop\CCleaner.lnk
2013-10-20 23:25 - 2013-10-20 23:25 - 00000000 ____D C:\Program Files\CCleaner
2013-10-20 23:10 - 2013-10-20 23:09 - 04369632 _____ (Piriform Ltd) C:\Users\Rebecca\Downloads\ccsetup406.exe
2013-10-20 05:38 - 2009-10-07 16:20 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3222351459-3557411957-99243863-1002UA.job
2013-10-20 05:28 - 2013-10-20 05:01 - 00000000 ___DC C:\AdwCleaner
2013-10-20 04:55 - 2013-10-20 04:55 - 04121952 _____ (Kaspersky Lab ZAO) C:\Users\Rebecca\Downloads\tdsskiller (2).exe
2013-10-19 21:37 - 2006-11-02 09:01 - 00032626 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-10-18 13:26 - 2013-10-18 13:26 - 00000000 ____D C:\Program Files\Common Files\Java
2013-10-18 13:26 - 2013-09-25 23:51 - 00000000 ____D C:\ProgramData\Oracle
2013-10-18 13:25 - 2013-10-18 13:25 - 00264616 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2013-10-18 13:25 - 2013-10-18 13:25 - 00175016 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2013-10-18 13:25 - 2013-10-18 13:25 - 00174504 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2013-10-18 13:25 - 2013-10-18 13:25 - 00094632 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll
2013-10-18 13:22 - 2013-10-18 13:22 - 00915368 _____ (Oracle Corporation) C:\Users\Rebecca\Downloads\chromeinstall-7u45.exe
2013-10-18 13:05 - 2012-01-08 16:17 - 00000000 ____D C:\Users\Rebecca\AppData\Roaming\Western Digital
2013-10-18 13:03 - 2007-08-22 16:00 - 00000000 ____D C:\ProgramData\WildTangent
2013-10-18 13:03 - 2007-08-22 16:00 - 00000000 ____D C:\Program Files\TOSHIBA Games
2013-10-18 12:55 - 2006-11-02 08:37 - 00000000 ____D C:\Windows\twain_32
2013-10-18 12:54 - 2008-04-20 15:12 - 00000000 ____D C:\Program Files\epson
2013-10-18 12:53 - 2007-08-22 15:39 - 00000000 ___HD C:\Program Files\InstallShield Installation Information
2013-10-17 22:58 - 2012-11-04 11:31 - 00000000 ____D C:\ProgramData\MFAData
2013-10-17 08:07 - 2013-10-17 08:07 - 00000000 ____D C:\Program Files\ProcessExplorer
2013-10-17 07:29 - 2013-10-17 07:29 - 00000000 ___HD C:\Windows\PIF
2013-10-17 07:01 - 2013-10-17 07:01 - 00000000 ____D C:\Windows\system32\MpEngineStore
2013-10-17 06:42 - 2013-10-17 06:40 - 86845712 _____ (Microsoft Corporation) C:\Users\Rebecca\Downloads\msert (1).exe
2013-10-17 06:28 - 2013-10-17 06:28 - 21414024 _____ (Microsoft Corporation) C:\Users\Andreas\Downloads\Windows-KB890830-V5.5.exe
2013-10-17 06:26 - 2013-10-17 06:25 - 00000000 ___DC C:\myupdates
2013-10-17 06:23 - 2006-11-02 06:33 - 00703388 _____ C:\Windows\system32\PerfStringBackup.INI
2013-10-17 02:04 - 2013-10-17 02:04 - 00000000 ____D C:\Users\Andreas\AppData\Roaming\Malwarebytes
2013-10-17 01:45 - 2013-10-17 01:45 - 00000000 ____D C:\Users\Andreas\AppData\Roaming\SUPERAntiSpyware.com
2013-10-17 01:03 - 2013-10-17 01:03 - 00000000 ____D C:\Users\Andreas\AppData\Local\Avg2014
2013-10-16 20:25 - 2013-10-06 00:16 - 00000180 _____ C:\Users\Rebecca\Desktop\avgrep.txt
2013-10-16 13:47 - 2006-11-02 08:37 - 00262144 _____ C:\Windows\system32\config\BCD-Template
2013-10-15 02:38 - 2013-10-15 02:58 - 58707968 _____ C:\comodo_rescue_disk_2.0.275239.1.iso
2013-10-14 23:48 - 2013-10-14 21:55 - 424005844 _____ C:\Users\Rebecca\Downloads\bases (1).cav
2013-10-14 19:18 - 2013-10-14 18:46 - 00000000 _____ C:\Users\Rebecca\Downloads\bases.cav
2013-10-14 18:48 - 2013-10-14 18:44 - 00000000 _____ C:\Users\Rebecca\Downloads\cce_2.5.242177.201_x32.zip
2013-10-14 18:21 - 2013-04-13 19:25 - 00000916 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3222351459-3557411957-99243863-1008UA.job
2013-10-14 18:21 - 2013-04-13 19:25 - 00000864 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3222351459-3557411957-99243863-1008Core.job
2013-10-14 17:24 - 2013-10-14 14:15 - 00000000 ____D C:\cce_linux
2013-10-10 10:07 - 2013-10-05 23:53 - 00000853 _____ C:\Users\Public\Desktop\AVG 2014.lnk
2013-10-09 19:12 - 2013-10-06 20:53 - 00000000 ____D C:\Users\Rebecca\AppData\Local\AVG SafeGuard toolbar
2013-10-09 18:58 - 2013-10-05 23:52 - 00000000 ____D C:\Program Files\AVG SafeGuard toolbar
2013-10-07 18:53 - 2013-10-07 18:53 - 02347384 _____ (ESET) C:\Users\Rebecca\Downloads\esetsmartinstaller_enu (1).exe
2013-10-07 18:24 - 2013-10-07 18:24 - 00661184 _____ (Sysinternals - www.sysinternals.com) C:\Users\Rebecca\Downloads\autoruns.exe
2013-10-07 18:23 - 2013-10-07 18:19 - 00002866 _____ C:\Users\Rebecca\Desktop\Rkill.txt
2013-10-07 18:19 - 2013-10-07 18:17 - 00004253 _____ C:\Users\Rebecca\Documents\aswMBR.txt
2013-10-07 18:19 - 2013-10-07 18:17 - 00000512 _____ C:\Users\Rebecca\Documents\MBR.dat
2013-10-07 13:14 - 2013-10-07 09:10 - 00000083 _____ C:\AOSS.log
2013-10-07 10:43 - 2013-10-07 10:43 - 00000000 _RSHC C:\MSDOS.SYS
2013-10-07 10:43 - 2013-10-07 10:43 - 00000000 _RSHC C:\IO.SYS
2013-10-07 10:40 - 2007-08-22 14:57 - 00000000 ____D C:\Program Files\MSXML 4.0
2013-10-07 10:23 - 2013-10-07 10:23 - 02053704 _____ (Microsoft Corporation) C:\Users\Rebecca\Downloads\msxml4-KB2721691-enu.exe
2013-10-07 02:02 - 2013-10-07 02:02 - 00000000 ____D C:\Program Files\ESET
2013-10-07 02:00 - 2013-10-07 02:00 - 00275181 _____ C:\Users\Rebecca\Downloads\WindowsUpdateDiagnostic (1).diagcab
2013-10-07 01:42 - 2009-01-20 20:30 - 00000000 ____D C:\Program Files\Trend Micro
2013-10-07 01:34 - 2013-10-07 01:34 - 00347424 _____ (Microsoft Corporation) C:\Users\Rebecca\Downloads\MicrosoftFixit.wu.RNP.50304554889194055.1.1.Run.exe
2013-10-07 01:33 - 2013-10-07 01:33 - 00275181 _____ C:\Users\Rebecca\Downloads\WindowsUpdateDiagnostic.diagcab
2013-10-07 01:02 - 2011-10-30 10:39 - 00001128 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3222351459-3557411957-99243863-1000UA.job
2013-10-07 00:48 - 2007-08-22 16:18 - 00000000 ____D C:\Windows\system32\Macromed
2013-10-06 11:04 - 2013-10-06 11:04 - 01191834 _____ C:\Users\Rebecca\Downloads\ProcessExplorer.zip
2013-10-06 10:01 - 2013-10-06 10:01 - 00000177 _____ C:\Windows\system32\avgrep.txt
2013-10-06 00:16 - 2013-10-05 23:48 - 00000000 ____D C:\Users\Rebecca\AppData\Local\Avg2014
2013-10-05 23:54 - 2013-10-05 23:54 - 00000000 ____D C:\Users\Rebecca\AppData\Roaming\AVG2014
2013-10-05 23:54 - 2013-10-05 23:51 - 00000000 ____D C:\ProgramData\AVG2014
2013-10-05 23:53 - 2013-10-05 23:52 - 00000000 ____D C:\ProgramData\AVG SafeGuard toolbar
2013-10-05 23:52 - 2013-10-05 23:53 - 00037664 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx86.sys
2013-10-05 23:51 - 2013-10-05 23:51 - 00000000 __HDC C:\$AVG
2013-10-05 23:51 - 2006-11-02 08:37 - 00000000 ____D C:\Program Files\Windows Sidebar
2013-10-05 23:50 - 2013-10-05 23:50 - 00000000 ____D C:\Program Files\AVG
2013-10-05 23:48 - 2013-10-05 23:48 - 04433128 _____ (AVG Technologies) C:\Users\Rebecca\Downloads\avg_free_stb_all_2014_4142.exe
2013-10-05 23:28 - 2013-09-25 20:16 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2013-10-05 23:27 - 2013-10-05 23:27 - 27878304 _____ (SUPERAntiSpyware) C:\Users\Rebecca\Downloads\SUPERAntiSpyware.exe
2013-10-05 23:27 - 2013-10-05 23:27 - 00001811 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2013-10-05 22:47 - 2013-10-05 22:47 - 00000000 ____D C:\Windows\Sun
2013-10-05 22:44 - 2013-10-05 22:44 - 00913832 _____ (Oracle Corporation) C:\Users\Rebecca\Downloads\chromeinstall-7u40.exe
2013-10-05 21:49 - 2013-10-05 21:49 - 00803303 _____ C:\Users\Rebecca\AppData\Local\census.cache
2013-10-05 21:48 - 2013-10-05 21:48 - 00205299 _____ C:\Users\Rebecca\AppData\Local\ars.cache
2013-10-05 21:16 - 2013-10-05 21:16 - 02049128 _____ (Trend Micro Inc.) C:\Users\Rebecca\Downloads\HousecallLauncher.exe
2013-10-05 21:16 - 2013-10-05 21:16 - 00000036 _____ C:\Users\Rebecca\AppData\Local\housecall.guid.cache
2013-10-05 21:11 - 2013-10-05 21:09 - 03272136 _____ (Secunia) C:\Users\Rebecca\Downloads\PSISetup.exe
2013-10-05 20:39 - 2013-10-05 20:38 - 20894344 _____ (Microsoft Corporation) C:\Users\Rebecca\Downloads\Windows-KB890830-V5.4.exe
2013-09-29 20:55 - 2010-01-23 23:07 - 00000000 ____D C:\Users\Andreas\AppData\Local\PMB Files
2013-09-28 15:46 - 2012-01-08 16:14 - 00000000 ____D C:\Users\Rebecca
2013-09-28 15:46 - 2011-02-12 19:38 - 00000000 ____D C:\Users\Mcx1
2013-09-28 15:46 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\system32\spool
2013-09-28 15:46 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\system32\Msdtc
2013-09-28 15:46 - 2006-11-02 06:22 - 51118080 _____ C:\Windows\system32\config\software_previous
2013-09-28 15:46 - 2006-11-02 06:22 - 41680896 _____ C:\Windows\system32\config\components_previous
2013-09-28 15:46 - 2006-11-02 06:22 - 30408704 _____ C:\Windows\system32\config\system_previous
2013-09-28 15:46 - 2006-11-02 06:22 - 00786432 _____ C:\Windows\system32\config\default_previous
2013-09-28 15:46 - 2006-11-02 06:22 - 00122880 _____ C:\Windows\system32\config\sam_previous
2013-09-28 15:46 - 2006-11-02 06:22 - 00028672 _____ C:\Windows\system32\config\security_previous
2013-09-28 15:45 - 2012-01-08 18:03 - 00000000 ____D C:\Program Files\World of Warcraft
2013-09-28 15:45 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\registration
2013-09-28 14:12 - 2006-11-02 07:18 - 00000000 ____D C:\Windows\Microsoft.NET
2013-09-26 02:19 - 2006-11-02 06:24 - 78106760 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
 
Files to move or delete:
====================
C:\Users\Andreas\AppData\Roaming\desktop.ini
C:\ProgramData\ezsid.dat
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2013-10-25 23:20
 
==================== End Of Log ============================
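As an added illustration (not part of the original post, and not code from FRST or its author), the script below shows how a responder can triage the Services/Drivers sections of a log like the one above instead of reading a few hundred lines by eye. It assumes only the line layout visible in this log: a state letter and start-type digit, the service name, the image path, then either `[size date] (vendor)` or `[x]` for a file that no longer exists, or the literal `No ImagePath`. The sample input is a handful of lines copied from the log above; the names `parse_line`, `triage` and `Entry` are mine. The flags are leads, not verdicts: an empty vendor string only means the file carries no company name in its version resource (the OEM `pinger.exe` here is an example), and a zero-byte, randomly named driver is also what rootkit scanners like the ones run earlier in this thread leave behind, so each hit still needs to be confirmed by hand.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied verbatim from the FRST log posted above.
SAMPLE = r"""
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE.EXE [119056 2013-05-23] (SUPERAntiSpyware.com)
S2 pinger; C:\Toshiba\IVP\ISM\pinger.exe [136816 2007-01-25] ()
S4 RoxLiveShare9; "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe" [x]
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [211560 2013-06-18] (Microsoft Corporation)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [717296 2009-02-21] ()
U3 a8r2ws84; C:\Windows\System32\Drivers\a8r2ws84.sys [0 ] (Microsoft Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [x]
S3 Tosrfcom; No ImagePath
"""

# Start-type digit FRST appends to the state letter (R = running, S = stopped).
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# "<state><start> <name>; <rest>" as printed in the Services/Drivers sections.
LINE_RE = re.compile(r"^(?P<state>[A-Z])(?P<start>\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
# "<path> [<size> <date>] (<vendor>)" or "<path> [x]"; the path may be quoted and
# the vendor may be an empty "()".
IMAGE_RE = re.compile(r'^"?(?P<path>.+?)"?\s+\[(?P<meta>[^\]]*)\](?:\s+\((?P<vendor>[^)]*)\))?\s*$')


@dataclass
class Entry:
    name: str
    state: str
    start: str
    path: Optional[str] = None
    size: Optional[int] = None
    vendor: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST service/driver line; returns None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m["name"], m["state"], START_TYPES.get(m["start"], m["start"]))
    rest = m["rest"]
    if rest == "No ImagePath":          # registry entry with no binary behind it
        e.flags.append("missing-file")
        return e
    im = IMAGE_RE.match(rest)
    if not im:
        e.flags.append("unparsed")      # layout we did not anticipate: look at it by hand
        return e
    e.path = im["path"]
    meta = im["meta"].split()
    if meta == ["x"]:                   # FRST marks a non-existent image file with [x]
        e.flags.append("missing-file")
        return e
    if meta and meta[0].isdigit():
        e.size = int(meta[0])
        if e.size == 0:                 # zero-byte driver image: scanner leftover or tampering
            e.flags.append("zero-size")
    e.vendor = (im["vendor"] or "").strip()
    if not e.vendor:                    # no company name in the version resource
        e.flags.append("no-vendor")
    return e


def triage(text: str) -> List[Entry]:
    """Return only the entries that raised at least one flag."""
    return [e for e in map(parse_line, text.splitlines()) if e and e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.name:16} {e.state}/{e.start:8} {', '.join(e.flags):14} {e.path or '-'}")
```

Run against the full log, the clean entries (signed vendor, existing file, non-zero size) drop out and what remains is the short list a helper actually reads: orphaned registry entries to clean up, and unsigned or empty images to check against a known-good copy.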
#4 B-boy/StyLe/ (Malware Response Team)

Posted 27 October 2013 - 08:43 AM

Hi,

That's why you shouldn't do things on your own without guidance from trained experts.
Just because there is a button/option that says "fix" (in the tools we use), it doesn't mean it's safe to use whenever.

Regarding the Event Viewer logs, something is going wrong with your activation for sure:

Error: (10/26/2013 06:55:52 PM) (Source: Winlogon) (User: )
Description: Windows license activation failed. Error 0x00000000.

Error: (10/25/2013 08:00:19 PM) (Source: Software Licensing Service) (User: )
Description: License Activation Scheduler (SLUINotify.dll) failed with the following error code:
0x80080005

Is your copy legit?

Please click Start Menu > All Programs > Accessories, right-click on Command Prompt and select "Run as administrator".

Copy/paste the following text at the command prompt and press Enter after each line:

sfc /scannow

findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"

A txt file named sfcdetails.txt should appear on the desktop.

Attach the log to your next reply.

Reboot the computer in order for the changes to take effect.

Also run this MGA Diagnostic Tool (as an Administrator). See what it says and post the log in your next reply.
http://go.microsoft.com/fwlink/?linkid=52012

Also let's check for leftovers.

Most of them should take no more than 5 minutes each.

STEP 1

  • Please download RKill by Grinler from the link below and save it to your desktop.
    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 2

  • Please download RogueKiller.exe and save it to the desktop.
  • Close all windows and browsers.
  • Right-click the program and select 'Run as Administrator'.
  • Press the Scan button.
  • A report opens on the desktop named RKreport.txt.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also, your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes, then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 4

  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded, go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and copy and paste the results at pastebin.com and post the link to the log in your next reply.




STEP 5

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 27 October 2013 - 01:09 PM.
typo.


#5 tekhelpr

  • Topic Starter
  • Members
  • 16 posts
  • Local time:10:23 AM

Posted 27 October 2013 - 12:24 PM

Results from latest instructions:

 

System file checker: attached

 

MGA Diagnostic Tool log:  Appears as .cab file 756k large, too big to attach. What should I do?

 

Rkill log:

http://pastebin.com/guD3agYu

 

RogueKiller log:

(Note: The link in your post is dead.  I found the program at http://www.bleepingcomputer.com/download/roguekiller/dl/121/ )

 

Will post the remaining logs in the next post as I need to close the browser before I run RogueKiller.

 



#6 tekhelpr

  • Topic Starter
  • Members
  • 16 posts
  • Local time:10:23 AM

Posted 27 October 2013 - 01:42 PM

OK. I seem to have had a problem attaching the SFC log.  I've included Pastebin.com links for all logs, except MGA Diag tool, which saves its log as a .cab file.  How would you like me to get that to you?

 

SFC log:

http://pastebin.com/NZttNSAY

 

Rkill log:  (as before)

http://pastebin.com/guD3agYu

 

RogueKiller log:

http://pastebin.com/tX5fB8j8

 

TDSSKiller log:

http://pastebin.com/YSwuQv0q

 

MBAM log:

http://pastebin.com/k7katpVH

 

Farbar Service Scanner log:

http://pastebin.com/UpKBDEcF

 

Please note that these were all run in Safe mode.  If you'd like me to attempt to run them in Normal mode, please let me know.

 

Best,

Cesar



#7 B-boy/StyLe/

    Bleeping Freestyler
  • Malware Response Team
  • 6,570 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:23 PM

Posted 27 October 2013 - 02:31 PM

Hi,

 

Please upload the bigger file here and post the link to the log.

Also please re-run all tools from Normal Mode - please do not make logs in safe mode unless asked to do so.

 

 

Regards,

Georgi



#8 tekhelpr

  • Topic Starter
  • Members
  • 16 posts
  • Local time:10:23 AM

Posted 27 October 2013 - 02:48 PM

Very well.  I have been running in Safe mode as previously Normal mode would not allow me to run .EXE files.  I will re-run the latest scans in Normal mode.

 

Here's the link to the MGA cab file:

http://www.filedropper.com/mgadiag20131027124802746

 

I did a little Event Log digging and found that Licensing checks began to fail around 10/21.  I also found a .reg backup file from CCleaner dated 10/20.  While I am careful not to use the RegCleaner feature of CCleaner, my friend was not.  Will attach the backup file of reg changes if you would like.

 

I'll post the new scan logs in the next message.

 

Thanks for your patience :)



#9 tekhelpr

  • Topic Starter
  • Members
  • 16 posts
  • Local time:10:23 AM

Posted 28 October 2013 - 02:50 AM

First off, Windows in Normal mode is still a mess.  AVG is disabled, Security Center is disabled, Chrome hangs when opening, and the scan tools that did work take at least 15 minutes to complete.

 

That said, here are the latest scan results from Normal mode.  I ran DDS at the end only after I realized I hadn't done it first.

 

DDS log

http://pastebin.com/ENgrv9TJ

 

Attach.txt log

http://pastebin.com/5dcrVEFK

 

FRST log

http://pastebin.com/ENKeS9kh

 

Addition.txt log

http://pastebin.com/mmBcPAjT

 

SFCdetails.txt log

http://pastebin.com/ABSZE0n3

 

Rkill log

http://pastebin.com/KJc8tEbJ

 

RogueKiller -- did not complete.  No log.

 

TDSSkiller run details:

-  After starting the tool in Normal mode, I checked the Loaded Modules box, which prompted a reboot.

-  The laptop stopped at the "Logging off..." message.  I did a hard restart by holding the power button.

-  During Windows startup after boot but before the user selection screen, Windows threw a blue screen and auto-restarted.

-  At the boot menu, I chose to start Windows normally.

-  This time, I selected the user and the desktop appeared with a security prompt to allow Kaspersky, which I did allow.

-  TDSSkiller tool starts to initialize but stays stuck at 70% for over 10 minutes.

-  During the wait, a Windows dialog box appears with information about the blue screen:
   BCCode: 1000007e
   BCP1: C0000006
   BCP2: 8075EF61
   BCP3: 9DCB296C
   BCP4: 9DCB2668
   OS Version: 6_0_6002
   Service Pack: 2_0
   Product: 768_1

 

Files that help describe the problem:

C:\Windows\Minidump\Mini102813-01.dmp

C:\Users\Rebecca\AppData\Local\Temp\WER-100885-0.sysdata.xml

C:\Users\Rebecca\AppData\Local\Temp\WERA073.tmp.version.txt

 

TDSSkiller log

http://pastebin.com/esHEpVCT

 

MBAM log

The scan did not find any malicious objects.  Must not have saved the text file before closing.

 

Farbar Service Scanner log

http://pastebin.com/JsKS1vFd

 

 

I hope these new logs provide more answers than the Safe mode versions.

 

Will check the topic in the morning.

Good night.  



#10 B-boy/StyLe/

    Bleeping Freestyler
  • Malware Response Team
  • 6,570 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:23 PM

Posted 28 October 2013 - 08:17 PM

Hello,

 

 

Although I guess that you installed AVG when the ZeroAccess rootkit disabled MSE, I still do not recommend that you have more than one antivirus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the antivirus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either MSE or AVG.

 

Also there are a lot of leftovers from TrendMicro, Avira etc...

Also the link to the Rkill log doesn't work:

 

http://pastebin.com/KJc8tEbJ

 

This paste has been removed!

 

Also please zip and upload the following dmp file:

 

C:\Windows\Minidump\Mini102813-01.dmp

 

and send me the link via PM.

 

 

 

Download the following file => Attached File fixlist.txt (1.16KB) and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

Next let's try to fix the broken services.


Backup Your Registry
 

 

Now download the following files and save them to your desktop:

BITS.reg
EventSystem.reg
Winmgmt.reg
wscsvc.reg
wuauserv.reg
WinDefend.reg
msiserver.reg
slsvc.reg

Now double click on each of them one by one. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

 

  • Next please download the ESET ServicesRepair utility and save it to your Desktop.
  • Double-click ServicesRepair.exe to run the ESET ServicesRepair utility.
  • If you are using User Access Control, click Run when prompted and then click Yes when asked to allow changes.
  • Reboot the computer and then please attach fresh logs from the following 2 tools - RKILL and Farbar Service Scanner.

 

Finally please run MGADiag.exe again. Click "Continue", click the "Copy" button then “Paste” the report into a message in your next reply (instead of uploading the whole cab file).

 

Also it's a good idea to attempt validation at www.microsoft.com/genuine/validate and see what happens.

If it still fails, then visit the diagnostics page www.microsoft.com/genuine/diag and see what it has to say.

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 28 October 2013 - 08:18 PM.


#11 tekhelpr

  • Topic Starter
  • Members
  • 16 posts
  • Local time:10:23 AM

Posted 29 October 2013 - 03:26 AM

Hi,

 

It may be useful for you to know that I have to send you these forum updates from Safe Mode because Chrome still hangs in Normal Mode.  Likewise, I download all the tools you mention from Safe Mode then run them in Normal Mode.

 

Also, while in Normal Mode, after the desktop appears, the system tray fills with its icons, including AVG (which looks fine) and Secunia (which is grayed out).  After about 10 minutes, the AVG icon gets a little yellow caution sign in its middle, while the Secunia icon looks normal.  Opening each of these apps to their full windows reveals that AVG requires a reboot to fix the Computer's protection (reads Not Fully Protected) and Secunia's window hangs.

 

Here are the results from your latest instructions: 

 

1) Uninstalled Microsoft Security Essentials.  The procedure required a reboot.

 

2) RE: Minidump file: I sent you a private message with the link.

 

3) To get the Farbar Recovery Scan Tool to run in Normal Mode, I had to open Process Explorer (from Microsoft), kill the explorer.exe process so that procexp.exe was no longer a child process of explorer.exe, use the Process Explorer Run as Admin tool to start FRST.exe, restart the explorer.exe process via the same Run tool, and then run the FRST fix.

 

When the tool asked me to restart the system, I did, but the system got hung up at the Logging off... screen with the spinning circle.  After 10 minutes, I performed a hard restart by pressing the power button.

 

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-10-2013 01
Ran by Rebecca at 2013-10-29 00:45:25 Run:1
Running from C:\Users\Rebecca\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
HKU\Mcx1\...\Winlogon: [Shell] EXPLORER.EXE <==== ATTENTION 
SearchScopes: HKLM - DefaultScope value is missing.
R1 ssmdrv; C:\Windows\System32\DRIVERS\ssmdrv.sys [28520 2010-06-17] (Avira GmbH)
C:\Windows\System32\DRIVERS\ssmdrv.sys
U3 TrueSight; \??\C:\Windows\system32\TrueSight.sys [x]
C:\Windows\system32\TrueSight.sys
2013-10-07 02:02 - 2013-10-07 02:02 - 00000000 ____D C:\Program Files\ESET
2013-10-05 21:16 - 2012-07-26 22:02 - 00257928 _____ (Trend Micro Inc.) C:\Windows\system32\Drivers\tmcomm.sys
2013-10-07 01:42 - 2009-01-20 20:30 - 00000000 ____D C:\Program Files\Trend Micro
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\35629677.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\35629677.sys => ""="Driver"
cmd: sc query slsvc
cmd: sc query MSIServer
cmd: sc query Winmgmt
Reg: reg query "hklm\SYSTEM\CurrentControlSet\services\slsvc" /s
Reg: reg query "hklm\SYSTEM\CurrentControlSet\services\MSIServer" /s
Reg: reg query "hklm\SYSTEM\CurrentControlSet\services\Winmgmt" /s
Task: C:\Windows\Tasks\BearShareNAG.job => C:\Users\Nikolaus\AppData\Local\Temp\BearShare_setup.exe
C:\Users\Rebecca\AppData\Local\Temp
end
*****************
 
HKU\Mcx1\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
ssmdrv => Service deleted successfully.
C:\Windows\System32\DRIVERS\ssmdrv.sys => Moved successfully.
TrueSight => Service not found.
"C:\Windows\system32\TrueSight.sys" => File/Directory not found.
C:\Program Files\ESET => Moved successfully.
C:\Windows\system32\Drivers\tmcomm.sys => Moved successfully.
C:\Program Files\Trend Micro => Moved successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\35629677.sys => Key deleted successfully.
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\35629677.sys => Key deleted successfully.
 
=========  sc query slsvc =========
 
 
SERVICE_NAME: slsvc 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 4  RUNNING 
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
========= End of CMD: =========
 
 
=========  sc query MSIServer =========
 
 
SERVICE_NAME: MSIServer 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 1  STOPPED 
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
========= End of CMD: =========
 
 
=========  sc query Winmgmt =========
 
 
SERVICE_NAME: Winmgmt 
        TYPE               : 20  WIN32_SHARE_PROCESS  
        STATE              : 1  STOPPED 
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
========= End of CMD: =========
 
 
========= reg query "hklm\SYSTEM\CurrentControlSet\services\slsvc" /s =========
 
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\slsvc
    DisplayName    REG_SZ    @%SystemRoot%\system32\SLsvc.exe,-101
    Group    REG_SZ    ProfSvc_Group
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\SLsvc.exe
    Description    REG_SZ    @%SystemRoot%\system32\SLsvc.exe,-102
    ObjectName    REG_SZ    NT AUTHORITY\NetworkService
    ErrorControl    REG_DWORD    0x1
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x10
    DependOnService    REG_MULTI_SZ    RpcSs
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeAuditPrivilege\0SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeImpersonatePrivilege
    FailureActions    REG_BINARY    805101000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
 
 
 
========= End of Reg: =========
 
 
========= reg query "hklm\SYSTEM\CurrentControlSet\services\MSIServer" /s =========
 
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSIServer
    DisplayName    REG_SZ    @%SystemRoot%\system32\msimsg.dll,-27
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\msiexec /V
    Description    REG_SZ    @%SystemRoot%\system32\msimsg.dll,-32
    ObjectName    REG_SZ    LocalSystem
    ErrorControl    REG_DWORD    0x1
    Start    REG_DWORD    0x3
    Type    REG_DWORD    0x10
    DependOnService    REG_MULTI_SZ    rpcss
    ServiceSidType    REG_DWORD    0x1
    RequiredPrivileges    REG_MULTI_SZ    SeTcbPrivilege\0SeCreatePagefilePrivilege\0SeLockMemoryPrivilege\0SeIncreaseBasePriorityPrivilege\0SeCreatePermanentPrivilege\0SeAuditPrivilege\0SeSecurityPrivilege\0SeChangeNotifyPrivilege\0SeProfileSingleProcessPrivilege\0SeImpersonatePrivilege\0SeCreateGlobalPrivilege\0SeAssignPrimaryTokenPrivilege\0SeRestorePrivilege\0SeIncreaseQuotaPrivilege\0SeShutdownPrivilege\0SeTakeOwnershipPrivilege\0SeLoadDriverPrivilege\0SeBackupPrivilege
    FailureActions    REG_BINARY    840300000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSIServer\Enum
    0    REG_SZ    Root\LEGACY_MSISERVER\0000
    Count    REG_DWORD    0x1
    NextInstance    REG_DWORD    0x1
 
 
 
========= End of Reg: =========
 
 
========= reg query "hklm\SYSTEM\CurrentControlSet\services\Winmgmt" /s =========
 
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt
    DisplayName    REG_SZ    @%Systemroot%\system32\wbem\wmisvc.dll,-205
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    Description    REG_SZ    @%Systemroot%\system32\wbem\wmisvc.dll,-204
    ObjectName    REG_SZ    localSystem
    ErrorControl    REG_DWORD    0x0
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x20
    DependOnService    REG_MULTI_SZ    RPCSS
    ServiceSidType    REG_DWORD    0x1
    FailureActions    REG_BINARY    840300000000000000000000030000001400000001000000C0D4010001000000E09304000000000000000000
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters
    ServiceDllUnloadOnStop    REG_DWORD    0x0
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\wbem\WMIsvc.dll
    ServiceMain    REG_SZ    ServiceMain
 
 
 
========= End of Reg: =========
 
C:\Windows\Tasks\BearShareNAG.job => Moved successfully.
C:\Users\Rebecca\AppData\Local\Temp => Moved successfully.
 
 
The system needs a manual reboot. 
 
==== End of Fixlog ====

 

 

4) Downloaded and installed the Tweaking.com Registry Backup tool.  Backed up all keys successfully.

 

5) Downloaded and attempted to run the .REG files.  The BITS.reg file failed with an error window titled "Registry Editor" and the message, "Cannot import C:\Users\Rebecca\Desktop\BITS.reg.  Not all data was successfully written to the registry.  Some keys are open by the system or other processes."

 

All other .REG files ran successfully.

 

6) After running the ESET ServicesRepair tool and pressing the Reboot button, Windows again gets to the Logging off... screen, but it would not shut down.  I had to hard restart by pressing the power button after waiting 15 minutes.

 

7) RKILL Log

http://pastebin.com/swtKw7K8

 

8) Farbar Service Scanner log

http://pastebin.com/s5sdgAF8

 

9) MGADiag.exe report

 

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Invalid License
Validation Code: 50
Cached Online Validation Code: N/A, hr = 0xc004f012
Windows Product Key: *****-*****-JQMWD-2QJRJ-RJ34F
Windows Product Key Hash: R8gPTEFMoOygFewoq/uOoWMpz68=
Windows Product ID: 89578-OEM-7332157-00237
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.0.6002.2.00010300.2.0.003
ID: {99E62D5B-D2A6-4F1C-A894-98FFD5769FF7}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows Vista ™ Home Premium
Architecture: 0x00000000
Build lab: 6002.vistasp2_gdr.130707-1535
TTS Error: T:20131021204300743-
Validation Diagnostic: 
Resolution Status: N/A
 
Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: 6.0.6001.18000
 
Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002
 
OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft
 
OGA Data-->
Office Status: 100 Genuine
Microsoft Office Home and Student 2007 - 100 Genuine
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: FCEE394C-458-8007041d_025D1FF3-344-8007041d_025D1FF3-229-8007041d_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
 
Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed
 
File Scan Data-->
 
Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{99E62D5B-D2A6-4F1C-A894-98FFD5769FF7}</UGUID><Version>1.9.0027.0</Version><OS>6.0.6002.2.00010300.2.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-RJ34F</PKey><PID>89578-OEM-7332157-00237</PID><PIDType>2</PIDType><SID>S-1-5-21-3222351459-3557411957-99243863</SID><SYSTEM/><BIOS/><HWID>CB303507018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>TOSINV</OEMID><OEMTableID>TOSINV00</OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>22C16E87446770E</Val><Hash>lUw3swJDWV6S2+e3d9xFj4FSr/c=</Hash><Pid>81602-903-3413935-68107</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>  
 
Spsys.log Content: [base64 blob omitted]
 
Licensing Data-->
C:\Windows\system32\slmgr.vbs(2000, 5) Microsoft VBScript runtime error: Object required: 'g_objWMIService'
 
Windows Activation Technologies-->
N/A
 
HWID Data-->
HWID Hash Current: QAAAAAIABwABAAEAAgABAAAAAwABAAEAJJQMxaaXm0h6eKzvroS+0RCauJGQpsS78vSZKPL0bHMOWVbyrFZ4qg==
 
OEM Activation 1.0 Data-->
N/A
 
OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20000
OEMID and OEMTableID Consistent: yes
BIOS Information: 
  ACPI Table Name OEMID Value OEMTableID Value
  APIC TOSINV APIC  
  FACP ATI   Herring 
  HPET PTLTD HPETTBL 
  MCFG TOSINV  MCFG  
  SSDT PTLTD POWERNOW
  SLIC TOSINV TOSINV00
 
 

 

______________________________________________

 

10) The www.microsoft.com/genuine/validate link and process was unable to determine if Windows is genuine because the validation service was interrupted.  I ran this from SAFE mode. Will let you know if the result is different in Normal mode, now that the validation tool is downloaded.

 

11) The www.microsoft.com/genuine/diag link determined that IE was properly configured to use the validation service.  Still, the validation service was interrupted as before.  Again, I ran this from SAFE mode.  

 

 

Thanks for your continued attention to this, Georgi.

 

Best,

Cesar



#12 B-boy/StyLe/

    Bleeping Freestyler
  • Malware Response Team
  • 6,570 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:23 PM

Posted 30 October 2013 - 06:29 AM

Hello Cesar,

 

 

I am sorry for the delay - busy week at the office. The symptoms described look like a hardware issue or damaged Windows (damaged from the rootkit or other malware, damaged from registry cleaner software due to registry corruption, changed permissions, a bad driver, bad memory, file system errors or from the tools you ran on your own).

 

I read several topics regarding this kind of issue but most of them ended with a repair install (so be prepared for this type of possibility).

 

Please download Windows Repair (all in one) from here
Install the program then go to step 2 and allow it to run Disk check.

Once that is done then go to step 3 and allow it to run SFC by pressing the Do It button.

When done go to step 4 and create a new system restore point and new registry backup.

On the Start Repairs tab => Click the Start

Click on the Select All button and then click on Start

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure.

Post new fresh logs from Rkill and Farbar Service Scanner.

 

 

Regards,

Georgi

 

 



#13 tekhelpr

  • Topic Starter
  • Members
  • 16 posts
  • Local time:10:23 AM

Posted 30 October 2013 - 07:43 PM

Running the Windows validation tool (legitcheck.hta) in Normal mode gave a different message:

 

"Activate Windows.  Windows must be activated before validation can determine if this copy of Windows is genuine.  Windows is now in reduced functionality mode."

 

From what I've been reading about reduced functionality mode, it prevents Windows Update among other limitations.  After a call to Toshiba about retrieving the Windows product key, the tech said that Windows product keys are injected into the motherboard, making Windows Activation unnecessary.  He also said some registry corruption was likely the cause of Windows being unable to read the machine's Windows product key.  The Toshiba solution is to buy their Recovery discs for this laptop, which would reinstall the OS and wipe the hard drive.  However, this laptop was purchased in Austria, not the U.S., so that tech could not help further.  The European website for Toshiba indicated that the laptop was too old to create Recovery discs for it. This is a Toshiba Satellite A215-S6804.

 

These are the latest logs.

 

Windows Repair log

http://www.filedropper.com/windowsrepairlogs

 

Rkill log

http://pastebin.com/ihpMGF0R

 

Farbar Service Scanner log

http://pastebin.com/zGrxAwhD

 

Best,

Cesar



#14 B-boy/StyLe/

    Bleeping Freestyler
  • Malware Response Team
  • 6,570 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:23 PM

Posted 31 October 2013 - 03:50 AM

Hi Cesar,

 

I think this has something to do with the WMI service:

 

Licensing Data-->
C:\Windows\system32\slmgr.vbs(2000, 5) Microsoft VBScript runtime error: Object required: 'g_objWMIService'

 

* Windows Management Instrumentation (Winmgmt) is not Running.

Startup Type set to: Automatic

Let's try to reset the WMI to see if that helps.

 

Please download and run the attached file => Attached File WMI.BAT (578 bytes)

 

Restart the computer and post a new log from Rkill.

 

 

 

Regards,

Georgi



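Georgi's diagnosis above ties the slmgr.vbs error to the Winmgmt service, and the FRST Fixlog in post #11 already carries the raw `sc query` / `reg query` output that shows it (Start is 0x2, Automatic, yet the state is STOPPED). The Python below is an added example, not part of this thread and not FRST's or Farbar's code: it parses that kind of output and cross-checks each service's runtime state against its configured start type, flagging the Winmgmt case and treating MSIServer's exit code 1077 on a Manual service as expected. The sample input is constructed from the Fixlog excerpts; the verdict labels are my own.

```python
"""Cross-check `sc query` state against the registry Start type of each service."""
import re

# Meaning of the Start REG_DWORD under HKLM\SYSTEM\CurrentControlSet\services\<name>
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}
ERROR_SERVICE_NEVER_STARTED = 1077  # the WIN32_EXIT_CODE (0x435) MSIServer reported

# Constructed sample input, modelled on the sc/reg output reproduced in the Fixlog.
SAMPLE_SC = """\
SERVICE_NAME: slsvc
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_NAME: MSIServer
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
SERVICE_NAME: Winmgmt
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\slsvc
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\SLsvc.exe
    Start    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSIServer
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\msiexec /V
    Start    REG_DWORD    0x3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    Start    REG_DWORD    0x2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\wbem\WMIsvc.dll
"""


def parse_sc_query(text):
    """Map service name -> {'state': str, 'exit_code': int} from `sc query` output."""
    services, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"SERVICE_NAME:\s*(\S+)", line):
            current = m.group(1)
            services[current] = {}
        elif current and (m := re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)):
            services[current]["state"] = m.group(1)
        elif current and (m := re.match(r"\s*WIN32_EXIT_CODE\s*:\s*(\d+)", line)):
            services[current]["exit_code"] = int(m.group(1))
    return services


def parse_reg_query(text):
    """Map service name -> {'start': int, 'image_path': str} from `reg query ... /s`.
    Subkeys such as ...\\Winmgmt\\Parameters are skipped; only the service key counts."""
    config, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_LOCAL_MACHINE\\"):
            parts = line.rstrip().split("\\")
            current = parts[4] if len(parts) == 5 and parts[3].lower() == "services" else None
            if current:
                config[current] = {}
        elif current and (m := re.match(r"\s*(\w+)\s+REG_(\w+)\s+(.*)", line)):
            name, kind, value = m.groups()
            if name == "Start" and kind == "DWORD":
                config[current]["start"] = int(value, 16)
            elif name == "ImagePath":
                config[current]["image_path"] = value.strip()
    return config


def triage(sc_text, reg_text):
    """Return {service: (verdict, reason)}; ANOMALY = should be running but is not."""
    runtime, config = parse_sc_query(sc_text), parse_reg_query(reg_text)
    verdicts = {}
    for name, rt in runtime.items():
        start = config.get(name, {}).get("start")
        start_name, state = START_TYPES.get(start, "unknown"), rt.get("state", "UNKNOWN")
        if start is None:
            verdicts[name] = ("UNKNOWN", "no service key in the registry dump")
        elif start == 4:
            verdicts[name] = ("DISABLED", "Start=4; check whether that was intended")
        elif start == 2 and state != "RUNNING":
            # The Winmgmt finding: Automatic start type, yet the service is not running.
            verdicts[name] = ("ANOMALY", f"start type {start_name} but state is {state}")
        elif rt.get("exit_code") == ERROR_SERVICE_NEVER_STARTED and start == 3:
            # A Manual service nobody has asked for reports 1077; expected, not a fault.
            verdicts[name] = ("OK", f"{start_name} service not started yet (1077), expected")
        else:
            verdicts[name] = ("OK", f"start type {start_name}, state {state}")
    return verdicts


if __name__ == "__main__":
    for svc, (verdict, reason) in triage(SAMPLE_SC, SAMPLE_REG).items():
        print(f"{svc:10} {verdict:8} {reason}")
```

Running it against output captured from a real machine (`sc query <name>` and `reg query "HKLM\SYSTEM\CurrentControlSet\services\<name>" /s`, saved to text files) works the same way; the Farbar Service Scanner log gives the same kind of verdict for the services this thread restores from .reg files.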
#15 tekhelpr

  • Topic Starter
  • Members
  • 16 posts
  • Local time:10:23 AM

Posted 01 November 2013 - 02:14 AM

Ran the batch file, first mistakenly in Safe Mode, then again in Normal mode.  Not cool, I know.  Hopefully, I did no damage.

 

The good news: 

-  AVG in Windows Normal Mode now seems to be running normally with no more "Not Fully Protected" or "Restart Required" warnings.  I actually think this change happened after the Tweaking.com Windows Repair.  I have downloaded updates manually, but I have not yet run a scan. 

-  Also, I am now able to use IE in Normal mode, obviating the need to use Safe Mode at all.

 

The bad news: 

-  The Windows Activation screen still pops up after selecting the User profile during the login process. 

-  Google Chrome still hangs in Normal mode.

-  Windows Update still fails because the service does not start in a timely manner. 

-  The Secunia window still hangs. 

-  It takes the Windows Security Alerts icon in the system tray about 10 minutes to pop up.  Prior to that, the system is sometimes very slow to respond.

-  I checked the System Restore location, but did not find anything there!  I checked this after I got worried my flub of running the batch file in Safe mode might have been problematic.  Apparently, the Tweaking.com Windows Repair tool did not perform the system backup correctly, even though it reported to me in the application window that it had succeeded.  I manually created a System Restore Point tonight.  Btw, I checked the Registry Backup tool, and it does list registry backups there, in case they are needed.

 

Also, I found this while investigating WMI issues on the microsoft site, in case it may be a next step:

http://www.microsoft.com/en-us/download/details.aspx?id=7684

 

 

Rkill log

http://pastebin.com/7mJ7Fy8J

 

Best,

Cesar





