
Zero Rootkit access problem, tried hard to get rid of it ;(


  • This topic is locked
26 replies to this topic

#1 camzilla

camzilla

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:57 AM

Posted 08 September 2013 - 03:35 PM

So my laptop is 4-5 years old. I'm usually pretty careful with what I download; the only thing that's been out of place lately (that I could tell) was this Adobe Flash pop-up update that started sometimes when I booted. It wanted me to update blabla; usually I didn't click the update since it seemed unnecessary (due to just updating not long ago).

 

Anyhow, I must have clicked update sometime and I'm pretty sure now that it was no Flash update. My issues included: slowed computer performance, redirection of some websites, cookie/cache issues preventing me from logging on to some sites.

 

First thing I tried was downloading Malwarebytes Anti-Malware 1.75 and running it; it found several threats which it removed. Then I continued to download AVG Internet Security, which also found some threats and removed them. But I was still having issues when a friend suggested I try rkill to check for suspicious activities. It found several rootkit issues from a folder that has "Trusted Installer" permissions so I can't really do anything with it. I've tried changing the owner and giving my Windows account full access but it's not letting me change that, and when I try to delete the folder (even in safe mode) it just crashes explorer.exe.

I also tried Sophos Rootkit analyser, which also didn't help. Finally I tried a chkdsk, but to no avail.

 

I attached the Rkill notes and hope it can shine some light on my problem and how to remove it :C I'll be waiting patiently, thanks beforehand!

Attached Files





#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:08:57 AM

Posted 08 September 2013 - 04:38 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

Regards,
Georgi


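The FRST log requested above is normally read by eye. As an added example (my own code, not Farbar's and not part of this thread), here is a small Python triage script that walks FRST-style lines, tracks the "==== Section ====" headers, and pulls out the entry types a responder checks first: lines FRST itself tags with ATTENTION, load points and drivers whose file is missing ("[x]", "No ImagePath", "File Not found"), Run values with an empty name, and MountPoints2 values referencing an AutoRun executable. The sample lines are constructed in FRST's line format (several values echo entries from the log posted later in this thread); the function and field names are my own.

```python
"""Triage helper for FRST-style scan logs (added example, not Farbar's code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Section headers look like "==================== Registry (Whitelisted) ====="
SECTION_RE = re.compile(r"^=+\s*([^=].*?[^=])\s*=+$")
# Run-key load points: HKLM\...\Run: [Name] - path
LOADPOINT_RE = re.compile(r"^(HKLM|HKCU|HKU|HKLM-x32)\\.*\\Run: \[(?P<name>[^\]]*)\]")
# Service/driver lines: "R1 name; path [size date] (company)"
DRIVER_RE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);")
MOUNTPOINT_RE = re.compile(r"^MountPoints2: \{[0-9a-f-]+\} - (?P<target>.+)$")

# Constructed sample in FRST's format; not a complete log from any machine.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKCU\...\Run: [Google Update*] -  <===== ATTENTION (ZeroAccess rootkit hidden path)
MountPoints2: {3b98ea72-eb03-11de-9404-00269e557522} - F:\AutoRun.exe
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4851248 2013-08-26] (AVG Technologies CZ, s.r.o.)

==================== Internet (Whitelisted) ====================

Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [147768 2013-08-01] (AVG Technologies CZ, s.r.o.)
S1 brivrmqw; \??\C:\Windows\system32\drivers\brivrmqw.sys [x]
S3 kbdcap; No ImagePath
"""


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


def classify(section: str, line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    s = line.strip()
    if not s:
        return None
    if "ATTENTION" in s:
        # FRST appends its own ATTENTION marker to entries it considers hostile
        # or tampered; carry its explanation through as the reason.
        note = s.split("ATTENTION", 1)[1].strip(" :(<=").rstrip(")")
        return Finding(section, "high", f"FRST ATTENTION: {note}", s)
    m = LOADPOINT_RE.match(s)
    if m and m.group("name") == "":
        return Finding(section, "medium", "Run value with empty name", s)
    if s.endswith("[x]") or s.endswith("No ImagePath"):
        kind = "driver/service" if DRIVER_RE.match(s) else "load point"
        return Finding(section, "medium", f"{kind} registered but file missing", s)
    if s.startswith("Winsock:") and "File Not found" in s:
        return Finding(section, "medium", "Winsock catalog entry points at missing file", s)
    m = MOUNTPOINT_RE.match(s)
    if m and "autorun" in m.group("target").lower():
        return Finding(section, "info", "MountPoints2 references removable-drive AutoRun", s)
    return None


def triage(log_text: str) -> list:
    """Walk the log, remembering the current section, and collect findings."""
    section = "(preamble)"
    findings = []
    for raw in log_text.splitlines():
        header = SECTION_RE.match(raw.strip())
        if header:
            section = header.group(1)
            continue
        found = classify(section, raw)
        if found:
            findings.append(found)
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 2, 'medium': 4, 'info': 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n    {f.line}")
    print(summarize(results))
```

The script only highlights what FRST already prints; it is a reading aid, not a cleaner, and a "medium" hit such as an orphaned driver entry is often just an uninstaller's leftover. The ATTENTION and Winsock catalog lines are the ones to hand to whoever is directing the cleanup, since a Winsock LSP whose LibraryPath no longer resolves can break name resolution once the offending file is removed.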


#3 camzilla

camzilla
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:07:57 AM

Posted 08 September 2013 - 04:46 PM

Hello Georgi!

 

Thanks for the quick reply, I hope we can solve this with mutual efforts!

 

Here's the FRST.txt notes:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-09-2013
Ran by Camilla (administrator) on BRITTA on 08-09-2013 23:41:38
Running from C:\Users\Camilla\Downloads
Windows 7 Home Premium Service Pack 1 (X64) OS Language: Swedish
Internet Explorer Version 9
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(AVG Technologies CZ, s.r.o.) C:\PROGRA~2\AVG\AVG2014\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
(AMD) C:\Windows\system32\atiesrxx.exe
(IDT, Inc.) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchService.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Andrea Electronics Corporation) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgfws.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TouchUser.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) C:\Windows\system32\inetsrv\inetinfo.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Windows\system32\mqsvc.exe
(Microsoft Corporation) c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgemca.exe
(Palo Alto Networks) C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe
() C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_TabletUser.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Wacom\Wacom_Tablet.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Windows\system32\mqtgsvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Palo Alto Networks) C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe
(Spotify Ltd) C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe
(Synaptics Incorporated) C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPHELPER.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgui.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe
(Microsoft Corporation) C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE
(Microsoft Corporation) C:\Windows\splwow64.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2837288 2011-10-14] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] - C:\Program Files\IDT\WDM\sttray64.exe [450048 2009-07-22] (IDT, Inc.)
HKLM\...\Run: [GlobalProtect] - C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe [969512 2013-02-08] (Palo Alto Networks)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\822\G2AWinLogon_x64.dll (Citrix Online, a division of Citrix Systems, Inc.)
HKLM\...\Policies\Explorer: [NoActiveDesktop] 1
HKLM\...\Policies\Explorer: [3212083974]
HKCU\...\Run: [Google Update*] -  <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [Spotify Web Helper] - C:\Program Files (x86)\Spotify\Data\SpotifyWebHelper.exe [1104384 2013-07-09] (Spotify Ltd)
HKCU\...\Policies\system: [DisableLockWorkstation] 0
HKCU\...\Policies\system: [DisableChangePassword] 0
MountPoints2: {3b98ea72-eb03-11de-9404-00269e557522} - F:\AutoRun.exe
MountPoints2: {3b98ea78-eb03-11de-9404-00269e557522} - F:\AutoRun.exe
MountPoints2: {631b6510-08a2-11e2-85cd-00247ef698b1} - F:\AutoRun.exe
MountPoints2: {631b6565-08a2-11e2-85cd-00247ef698b1} - F:\AutoRun.exe
MountPoints2: {7ecc6d6f-c44c-11e0-a575-00247ef698b1} - F:\AutoRun.exe
MountPoints2: {7ecc6dbb-c44c-11e0-a575-00247ef698b1} - F:\AutoRun.exe
MountPoints2: {a1ae633a-f615-11de-b78c-00269e557522} - F:\AutoRun.exe
MountPoints2: {a1ae633c-f615-11de-b78c-00269e557522} - F:\AutoRun.exe
MountPoints2: {aab9f4ff-d4dd-11e1-b7b3-00247ef698b1} - F:\MotoCastSetup.exe -a
MountPoints2: {fceda082-ef05-11de-a136-00247ef698b1} - F:\AutoRun.exe
MountPoints2: {fceda084-ef05-11de-a136-00247ef698b1} - F:\AutoRun.exe
HKLM-x32\...\Run: [] -  [x]
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4851248 2013-08-26] (AVG Technologies CZ, s.r.o.)
HKU\Default\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
HKU\Default User\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
HKU\DefaultAppPool\...\Run: [HPADVISOR] - C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.se/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_SE&c=94&bd=Presario&pf=cnnb
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_SE&c=94&bd=Presario&pf=cnnb
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_SE&c=94&bd=Presario&pf=cnnb
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_SE&c=94&bd=Presario&pf=cnnb
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_SE&c=94&bd=Presario&pf=cnnb
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM - DefaultScope {E496F463-113A-40C7-974C-3074F54F3B6E} URL = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=1222&query={searchTerms}&invocationType=tb50hpcnnbie7-sv-se
SearchScopes: HKLM - {1030021D-CAEA-4B4C-B48D-3FA951E508E0} URL = http://se.kelkoopartners.net/ctl/do/search?siteSearchQuery={searchTerms}&fromform=true&x=true&y=true&partner=hp&partnerId=96913934
SearchScopes: HKLM - {C9F46D4F-C324-47E2-8575-874A83A0BB4C} URL = http://se.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06&type=ie2008
SearchScopes: HKLM - {E496F463-113A-40C7-974C-3074F54F3B6E} URL = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=1222&query={searchTerms}&invocationType=tb50hpcnnbie7-sv-se
SearchScopes: HKLM-x32 - DefaultScope {E496F463-113A-40C7-974C-3074F54F3B6E} URL = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=1222&query={searchTerms}&invocationType=tb50hpcnnbie7-sv-se
SearchScopes: HKLM-x32 - {1030021D-CAEA-4B4C-B48D-3FA951E508E0} URL = http://se.kelkoopartners.net/ctl/do/search?siteSearchQuery={searchTerms}&fromform=true&x=true&y=true&partner=hp&partnerId=96913934
SearchScopes: HKLM-x32 - {C9F46D4F-C324-47E2-8575-874A83A0BB4C} URL = http://se.search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=cb-hp06&type=ie2008
SearchScopes: HKLM-x32 - {E496F463-113A-40C7-974C-3074F54F3B6E} URL = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=1222&query={searchTerms}&invocationType=tb50hpcnnbie7-sv-se
SearchScopes: HKCU - DefaultScope {E496F463-113A-40C7-974C-3074F54F3B6E} URL = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=1222&query={searchTerms}&invocationType=tb50hpcnnbie7-sv-se
SearchScopes: HKCU - {1030021D-CAEA-4B4C-B48D-3FA951E508E0} URL =
SearchScopes: HKCU - {18EAB056-9057-F224-FD4C-1F6569C4D8D2} URL = http://www.plusnetwork.com/s/?q={searchTerms}&iesrc={referrer:source?}
SearchScopes: HKCU - {C9F46D4F-C324-47E2-8575-874A83A0BB4C} URL =
SearchScopes: HKCU - {E496F463-113A-40C7-974C-3074F54F3B6E} URL = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=1222&query={searchTerms}&invocationType=tb50hpcnnbie7-sv-se
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {063F7D71-5E0B-48F2-87D5-F63C5917947E} http://ahnlabdownload.nefficient.co.kr/aos/plugin/aosmgr.cab
DPF: HKLM-x32 {4A85DBE0-BFB2-4119-8401-186A7C6EB653} http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
DPF: HKLM-x32 {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: HKLM-x32 {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: HKLM-x32 {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Winsock: Catalog5 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 06 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9 11 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog5-x64 01 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 06 mswsock.dll File Not found (Microsoft Corporation) ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 02 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 03 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 04 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 05 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 06 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 07 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 08 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 09 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 10 mswsock.dll File Not found (Microsoft Corporation)
Winsock: Catalog9-x64 11 mswsock.dll File Not found (Microsoft Corporation)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 83.255.245.11 193.150.193.150

FireFox:
========
FF ProfilePath: C:\Users\Camilla\AppData\Roaming\Mozilla\Firefox\Profiles\3m1tlrq2.default
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll ()
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
FF Plugin-x32: @ahnlab.com/asp/npaosmgr.1 - C:\Program Files (x86)\AhnLab\ASP\Components\aosmgr\npaosmgr.dll No File
FF Plugin-x32: @ahnlab.com/asp/npmkd25sp - C:\Program Files (x86)\AhnLab\ASP\MyKeyDefense 2.5\npmkd25sp.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.17.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF Plugin-x32: @se.nexus/Personal - C:\Program Files (x86)\Personal\bin\np_prsnl.dll (Technology Nexus AB)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Acrobat - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @ahnlab.com/asp/npmkd25sp - C:\Program Files (x86)\AhnLab\ASP\MyKeyDefense 2.5\npmkd25sp.dll No File
FF Plugin HKCU: wacom.com/WacomTabletPlugin - C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll No File
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\allaannonser-sv-SE.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\prisjakt-sv-SE.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\tyda-sv-SE.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\wikipedia-sv-SE.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\yahoo-sv-SE.xml
FF HKLM-x32\...\Firefox\Extensions: [{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}] C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\

Chrome:
=======
CHR DefaultSearchURL: (Google) - {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
CHR DefaultSuggestURL: (Google) - {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\29.0.1547.66\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.300.12) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U30) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7) - C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Nexus Personal) - C:\Program Files (x86)\Personal\bin\np_prsnl.dll (Technology Nexus AB)
CHR Plugin: (WacomTabletPlugin) - C:\Program Files (x86)\TabletPlugins\npWacomTabletPlugin.dll No File
CHR Plugin: ( Wacom Dynamic Link Library) - C:\Program Files (x86)\TabletPlugins\npwacom.dll No File
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_265.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll No File
CHR Extension: (Google Docs) - C:\Users\Camilla\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_0
CHR Extension: (Google Drive) - C:\Users\Camilla\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\Camilla\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\Camilla\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Chrome In-App Payments service) - C:\Users\Camilla\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.10_0
CHR Extension: (Gmail) - C:\Users\Camilla\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0

==================== Services (Whitelisted) =================

S3 Adobe Version Cue CS4; C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [284016 2008-08-15] (Adobe Systems Incorporated)
R2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
R2 avgfws; C:\Program Files (x86)\AVG\AVG2014\avgfws.exe [1358432 2013-08-26] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3534896 2013-08-27] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [300640 2013-08-20] (AVG Technologies CZ, s.r.o.)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23808 2013-06-20] ()
R2 MSMQ; C:\Windows\system32\mqsvc.exe [9216 2009-07-14] (Microsoft Corporation)
R2 MSMQTriggers; C:\Windows\system32\mqtgsvc.exe [189440 2010-11-20] (Microsoft Corporation)
R2 MSSQL$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe [62218696 2012-06-29] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [366600 2013-06-20] ()
S3 npggsvc; C:\Windows\SysWow64\GameMon.des [3804120 2011-08-07] (INCA Internet Co., Ltd.)
R2 PanGPS; C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPS.exe [1472296 2013-02-08] (Palo Alto Networks)
R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-01-21] ()
S4 SQLAgent$SQLEXPRESS; c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [441288 2012-06-29] (Microsoft Corporation)
R2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe [240128 2009-07-22] (IDT, Inc.)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)
R2 ezSharedSvc; C:\Windows\System32\ezsvc7.dll [x]

==================== Drivers (Whitelisted) ====================

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [147768 2013-08-01] (AVG Technologies CZ, s.r.o.)
R1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [50296 2012-09-04] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [241464 2013-08-22] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [192824 2013-08-22] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [212280 2013-08-22] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [294712 2013-08-22] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123704 2013-08-20] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31544 2013-08-01] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [251192 2013-08-01] (AVG Technologies CZ, s.r.o.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
S3 MEMSWEEP2; C:\Windows\system32\1B8.tmp [6144 2009-06-18] (Sophos Plc)
S3 MEMSWEEP2; C:\Windows\system32\1B8.tmp [6144 2009-06-18] (Sophos Plc)
S3 Mkd2Bthf; C:\Windows\System32\drivers\Mkd2Bthf.sys [97368 2010-03-08] (AhnLab, Inc.)
S3 Mkd2Nadr; C:\Windows\System32\drivers\Mkd2Nadr.sys [107096 2010-11-19] (AhnLab, Inc.)
S3 Mkd3kfNt; C:\Windows\System32\drivers\Mkd3kfNt.sys [182872 2010-09-13] (AhnLab, Inc.)
R3 MQAC; C:\Windows\System32\drivers\mqac.sys [189440 2009-07-14] (Microsoft Corporation)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [139616 2013-06-18] (Microsoft Corporation)
S3 nocashio; C:\Windows\SysWow64\drivers\nocashio.sys [4096 2011-05-08] ()
S3 NPPTNT2; C:\Windows\SysWow64\npptNT2.sys [4682 2005-01-02] (INCA Internet Co., Ltd.)
R3 PanGpd; C:\Windows\System32\DRIVERS\pangpd.sys [36352 2013-02-08] (Palo Alto Networks)
S4 RsFx0153; C:\Windows\System32\DRIVERS\RsFx0153.sys [321992 2012-06-29] (Microsoft Corporation)
S3 s1018bus; C:\Windows\System32\DRIVERS\s1018bus.sys [113704 2009-03-25] (MCCI Corporation)
S3 s1018mdfl; C:\Windows\System32\DRIVERS\s1018mdfl.sys [19496 2009-03-25] (MCCI Corporation)
S3 s1018mdm; C:\Windows\System32\DRIVERS\s1018mdm.sys [153128 2009-03-25] (MCCI Corporation)
S3 s1018mgmt; C:\Windows\System32\DRIVERS\s1018mgmt.sys [133160 2009-03-25] (MCCI Corporation)
S3 s1018nd5; C:\Windows\System32\DRIVERS\s1018nd5.sys [34856 2009-03-25] (MCCI Corporation)
S3 s1018obex; C:\Windows\System32\DRIVERS\s1018obex.sys [128552 2009-03-25] (MCCI Corporation)
S3 s1018unic; C:\Windows\System32\DRIVERS\s1018unic.sys [146472 2009-03-25] (MCCI Corporation)
S1 SAVRKBootTasks; C:\Windows\SysWow64\SAVRKBootTasks.sys [18816 2009-06-18] (Sophos Plc)
S3 TdsNordecr; C:\Windows\System32\DRIVERS\nordecr.sys [28672 2007-10-30] (Todos Data System AB)
R2 VBoxDrv; C:\Program Files (x86)\YouWave_Android\vb\VBoxDrv.sys [203864 2010-07-15] (Oracle Corporation)
S1 brivrmqw; \??\C:\Windows\system32\drivers\brivrmqw.sys [x]
S3 ew_hwusbdev; system32\DRIVERS\ew_hwusbdev.sys [x]
S3 huawei_enumerator; system32\DRIVERS\ew_jubusenum.sys [x]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [x]
S3 kbdcap; No ImagePath
S3 LVPr2M64; system32\DRIVERS\LVPr2M64.sys [x]
S3 nocashio; system32\drivers\nocashio.sys [x]
S3 NPPTNT2; \??\C:\Windows\system32\npptNT2.sys [x]
S3 pccsmcfd; system32\DRIVERS\pccsmcfdx64.sys [x]
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [x]
S1 SAVRKBootTasks; \??\C:\Windows\system32\SAVRKBootTasks.sys [x]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [x]

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-09-08 23:40 - 2013-09-08 23:40 - 01948988 _____ (Farbar) C:\Users\Camilla\Downloads\FRST64.exe
2013-09-08 22:15 - 2013-09-08 22:15 - 00019348 _____ C:\Users\Camilla\Desktop\attach.txt
2013-09-08 22:15 - 2013-09-08 22:14 - 00025401 _____ C:\Users\Camilla\Desktop\dds.txt
2013-09-08 22:11 - 2013-09-08 22:12 - 00688992 ____R (Swearware) C:\Users\Camilla\Downloads\dds.com
2013-09-08 16:33 - 2013-09-08 16:33 - 00003672 ____N C:\bootsqm.dat
2013-09-07 17:11 - 2013-09-07 17:11 - 00000000 ____D C:\Users\Camilla\Downloads\WinOwnership v1.1
2013-09-07 17:07 - 2013-09-07 17:07 - 05829088 _____ (TeamViewer GmbH) C:\Users\Camilla\Downloads\TeamViewer_Setup_sv.exe
2013-09-07 17:07 - 2013-09-07 17:07 - 00001122 _____ C:\Users\Public\Desktop\TeamViewer 8.lnk
2013-09-07 17:07 - 2013-09-07 17:07 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2013-09-07 17:01 - 2013-09-07 17:01 - 02129971 _____ C:\Users\Camilla\Downloads\WinOwnership v1.1.zip
2013-09-07 14:56 - 2009-06-18 12:55 - 00018816 ____N (Sophos Plc) C:\Windows\SysWOW64\SAVRKBootTasks.sys
2013-09-06 23:43 - 2009-06-18 12:54 - 00006144 ____N (Sophos Plc) C:\Windows\system32\1B8.tmp
2013-09-06 22:58 - 2009-06-18 12:54 - 00006144 ____N (Sophos Plc) C:\Windows\system32\C3EC.tmp
2013-09-06 22:56 - 2013-09-06 22:56 - 01339288 _____ C:\Users\Camilla\Downloads\sar_15_sfx.exe
2013-09-06 22:20 - 2013-09-06 22:20 - 00003215 _____ C:\Users\Camilla\Desktop\Sophos Virus Removal Tool.lnk
2013-09-06 22:20 - 2013-09-06 22:20 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
2013-09-06 22:20 - 2013-09-06 22:20 - 00000000 ____D C:\ProgramData\Sophos
2013-09-06 22:19 - 2013-09-06 22:57 - 00000000 ____D C:\Program Files (x86)\Sophos
2013-09-06 22:15 - 2013-09-06 22:16 - 76707392 _____ (Sophos Limited) C:\Users\Camilla\Downloads\Sophos Virus Removal Tool.exe
2013-09-06 20:55 - 2013-09-08 16:46 - 00032960 _____ C:\Users\Camilla\Desktop\Rkill.txt
2013-09-06 20:55 - 2013-09-06 20:55 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\Camilla\Downloads\rkill.com
2013-09-06 20:55 - 2013-09-06 20:55 - 01038464 _____ (Bleeping Computer, LLC) C:\Users\Camilla\Downloads\rkill64.com
2013-09-06 20:55 - 2013-09-06 20:55 - 00000000 ____D C:\Users\Camilla\Desktop\rkill
2013-09-06 20:47 - 2013-09-08 17:52 - 00000000 _____ C:\Users\Camilla\Desktop\Glass handling configurator.zip.part
2013-09-06 20:47 - 2013-09-06 20:47 - 00000000 _____ C:\Users\Camilla\Desktop\Glass handling configurator.zip
2013-09-06 20:39 - 2013-09-06 20:39 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2013-09-06 20:39 - 2013-09-06 20:39 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2013-09-06 20:18 - 2013-09-06 20:19 - 109003910 _____ C:\Users\Camilla\PanGPA.dmp
2013-09-06 20:17 - 2013-09-08 16:35 - 00000399 _____ C:\Windows\DtcInstall.log
2013-09-06 20:13 - 2013-09-06 20:15 - 00000320 _____ C:\Windows\system32\avgrep.txt
2013-09-06 07:04 - 2013-09-06 07:04 - 00000000 __SHD C:\$$PendingFiles
2013-09-06 06:52 - 2013-09-06 06:58 - 00000000 ____D C:\Program Files\DVD Maker
2013-09-05 22:55 - 2013-09-05 22:55 - 00003704 _____ C:\Windows\System32\Tasks\Java Update Scheduler
2013-09-05 22:12 - 2013-09-05 22:12 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\AVG
2013-09-05 22:08 - 2013-09-05 22:19 - 00000000 ____D C:\ProgramData\AVG
2013-09-05 22:07 - 2013-09-05 22:54 - 00000000 __SHD C:\ProgramData\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-09-05 22:06 - 2013-09-05 22:07 - 78407592 _____ (AVG) C:\Users\Camilla\Downloads\avg_tuh_stf_all_2014_146_24c4.exe
2013-09-05 21:37 - 2013-09-05 21:37 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\AVG2014
2013-09-05 21:36 - 2013-09-06 20:39 - 00000925 _____ C:\Users\Public\Desktop\AVG 2014.lnk
2013-09-05 21:36 - 2013-09-05 21:36 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\TuneUp Software
2013-09-05 21:34 - 2013-09-06 20:32 - 00000000 ____D C:\ProgramData\AVG2014
2013-09-05 21:34 - 2013-09-05 21:34 - 00000000 ___HD C:\$AVG
2013-09-05 21:33 - 2013-09-06 00:05 - 00000000 ____D C:\Program Files (x86)\AVG
2013-09-05 21:21 - 2013-09-08 22:01 - 00000000 ____D C:\ProgramData\MFAData
2013-09-05 21:21 - 2013-09-05 21:40 - 00000000 ____D C:\Users\Camilla\AppData\Local\Avg2014
2013-09-05 21:21 - 2013-09-05 21:21 - 04425440 _____ (AVG Technologies) C:\Users\Camilla\Downloads\avg_isct_stb_all_2014_4116_free.exe
2013-09-05 21:21 - 2013-09-05 21:21 - 00000000 ____D C:\Users\Camilla\AppData\Local\MFAData
2013-09-05 20:36 - 2013-09-05 20:36 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-09-04 17:23 - 2013-09-04 17:23 - 00001107 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-09-04 17:14 - 2013-09-04 17:14 - 00281632 _____ (Mozilla) C:\Users\Camilla\Downloads\Firefox Setup Stub 23.0.1.exe
2013-09-04 16:07 - 2013-09-04 17:13 - 00000000 ____D C:\Users\Camilla\Downloads\backups
2013-09-04 16:05 - 2013-09-04 16:05 - 00388608 _____ (Trend Micro Inc.) C:\Users\Camilla\Downloads\HijackThis.exe
2013-09-04 16:05 - 2013-09-04 16:05 - 00014829 _____ C:\Users\Camilla\Downloads\hijackthis.log
2013-09-04 15:00 - 2013-09-04 16:12 - 00014862 _____ C:\Users\Camilla\Desktop\hijackthis.log
2013-09-04 14:56 - 2013-09-04 14:56 - 00000000 ____D C:\Windows\Temp4DA5C848-2DEC-B65C-779B-9E5603F0F218-Signatures
2013-09-04 14:48 - 2013-09-04 14:51 - 13836992 _____ (Microsoft Corporation) C:\Users\Camilla\Desktop\mseinstall.exe
2013-09-04 13:37 - 2013-09-04 13:37 - 00001069 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-04 13:37 - 2013-09-04 13:37 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\Malwarebytes
2013-09-04 13:37 - 2013-09-04 13:37 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-09-04 13:37 - 2013-09-04 13:37 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-04 13:37 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-09-04 13:36 - 2013-09-04 13:37 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Camilla\Downloads\mbam-setup-1.75.0.1300.exe
2013-09-04 13:33 - 2013-09-04 13:33 - 00003114 _____ C:\Windows\System32\Tasks\{0511D159-ECB9-4C07-887A-EB88284E5308}
2013-09-04 12:55 - 2013-09-05 22:32 - 00040785 _____ C:\Windows\WindowsUpdate.log
2013-09-01 19:34 - 2013-09-01 19:35 - 00018549 _____ C:\Windows\DirectX.log
2013-09-01 00:24 - 2013-09-01 01:34 - 00282296 _____ C:\Windows\SysWOW64\PnkBstrB.xtr
2013-09-01 00:23 - 2013-09-01 00:23 - 00000000 ____D C:\Users\Camilla\AppData\Local\PunkBuster
2013-09-01 00:20 - 2013-09-01 01:26 - 00282296 _____ C:\Windows\SysWOW64\PnkBstrB.ex0
2013-08-31 22:43 - 2013-08-31 22:43 - 00000219 _____ C:\Users\Camilla\Desktop\Dota 2.url
2013-08-30 23:11 - 2013-09-08 20:36 - 00130480 _____ C:\Users\Camilla\AppData\Local\GDIPFONTCACHEV1.DAT
2013-08-30 19:52 - 2013-09-08 20:46 - 00005376 _____ C:\Windows\setupact.log
2013-08-30 19:52 - 2013-08-30 19:52 - 00000000 _____ C:\Windows\setuperr.log
2013-08-30 19:51 - 2013-09-08 16:35 - 05096312 _____ C:\Windows\system32\FNTCACHE.DAT
2013-08-30 19:51 - 2013-09-05 21:05 - 00006346 _____ C:\Windows\PFRO.log
2013-08-24 16:31 - 2013-08-24 16:31 - 00000000 ____D C:\Users\Camilla\AppData\Local\SKIDROW
2013-08-22 23:25 - 2013-08-22 23:25 - 00212280 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgldx64.sys
2013-08-22 23:08 - 2013-08-22 23:08 - 00294712 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgloga.sys
2013-08-22 22:55 - 2013-08-22 22:55 - 00241464 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsdrivera.sys
2013-08-22 22:54 - 2013-08-22 22:54 - 00192824 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsha.sys
2013-08-22 19:22 - 2013-08-22 19:23 - 01269760 _____ C:\Users\Camilla\Desktop\image.jpeg
2013-08-22 19:21 - 2013-09-08 23:05 - 00000868 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-08-22 19:21 - 2013-08-22 19:21 - 00003806 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-22 19:09 - 2013-08-22 19:09 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2013-08-21 20:14 - 2013-09-04 13:01 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-08-21 17:54 - 2013-09-01 21:05 - 00000000 ____D C:\Program Files (x86)\The Binding of Isaac
2013-08-21 17:54 - 2013-08-21 17:54 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\The Binding of Isaac
2013-08-20 22:53 - 2013-08-20 22:53 - 00123704 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgmfx64.sys

==================== One Month Modified Files and Folders =======

2013-09-08 23:42 - 2013-03-27 23:19 - 00000996 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-08 23:41 - 2013-09-08 23:41 - 00000000 ____D C:\FRST
2013-09-08 23:40 - 2013-09-08 23:40 - 01948988 _____ (Farbar) C:\Users\Camilla\Downloads\FRST64.exe
2013-09-08 23:38 - 2011-05-30 20:21 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\Skype
2013-09-08 23:14 - 2009-12-25 15:07 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\Spotify
2013-09-08 23:05 - 2013-08-22 19:21 - 00000868 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-08 22:15 - 2013-09-08 22:15 - 00019348 _____ C:\Users\Camilla\Desktop\attach.txt
2013-09-08 22:14 - 2013-09-08 22:15 - 00025401 _____ C:\Users\Camilla\Desktop\dds.txt
2013-09-08 22:12 - 2013-09-08 22:11 - 00688992 ____R (Swearware) C:\Users\Camilla\Downloads\dds.com
2013-09-08 22:01 - 2013-09-05 21:21 - 00000000 ____D C:\ProgramData\MFAData
2013-09-08 20:46 - 2013-08-30 19:52 - 00005376 _____ C:\Windows\setupact.log
2013-09-08 20:36 - 2013-08-30 23:11 - 00130480 _____ C:\Users\Camilla\AppData\Local\GDIPFONTCACHEV1.DAT
2013-09-08 17:52 - 2013-09-06 20:47 - 00000000 _____ C:\Users\Camilla\Desktop\Glass handling configurator.zip.part
2013-09-08 16:46 - 2013-09-06 20:55 - 00032960 _____ C:\Users\Camilla\Desktop\Rkill.txt
2013-09-08 16:43 - 2009-07-14 06:45 - 00023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-08 16:43 - 2009-07-14 06:45 - 00023248 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-08 16:37 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\system32\inetsrv
2013-09-08 16:36 - 2013-07-16 09:27 - 00446071 _____ C:\Users\Camilla\PanGPA.log
2013-09-08 16:35 - 2013-09-06 20:17 - 00000399 _____ C:\Windows\DtcInstall.log
2013-09-08 16:35 - 2013-08-30 19:51 - 05096312 _____ C:\Windows\system32\FNTCACHE.DAT
2013-09-08 16:35 - 2013-03-27 23:19 - 00000992 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-08 16:35 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-08 16:33 - 2013-09-08 16:33 - 00003672 ____N C:\bootsqm.dat
2013-09-07 17:11 - 2013-09-07 17:11 - 00000000 ____D C:\Users\Camilla\Downloads\WinOwnership v1.1
2013-09-07 17:07 - 2013-09-07 17:07 - 05829088 _____ (TeamViewer GmbH) C:\Users\Camilla\Downloads\TeamViewer_Setup_sv.exe
2013-09-07 17:07 - 2013-09-07 17:07 - 00001122 _____ C:\Users\Public\Desktop\TeamViewer 8.lnk
2013-09-07 17:07 - 2013-09-07 17:07 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2013-09-07 17:01 - 2013-09-07 17:01 - 02129971 _____ C:\Users\Camilla\Downloads\WinOwnership v1.1.zip
2013-09-07 15:05 - 2009-08-26 21:03 - 00829204 _____ C:\Windows\system32\perfh01D.dat
2013-09-07 15:05 - 2009-08-26 21:03 - 00203238 _____ C:\Windows\system32\perfc01D.dat
2013-09-07 15:05 - 2009-07-14 07:13 - 02028146 _____ C:\Windows\system32\PerfStringBackup.INI
2013-09-06 22:57 - 2013-09-06 22:19 - 00000000 ____D C:\Program Files (x86)\Sophos
2013-09-06 22:56 - 2013-09-06 22:56 - 01339288 _____ C:\Users\Camilla\Downloads\sar_15_sfx.exe
2013-09-06 22:20 - 2013-09-06 22:20 - 00003215 _____ C:\Users\Camilla\Desktop\Sophos Virus Removal Tool.lnk
2013-09-06 22:20 - 2013-09-06 22:20 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sophos
2013-09-06 22:20 - 2013-09-06 22:20 - 00000000 ____D C:\ProgramData\Sophos
2013-09-06 22:16 - 2013-09-06 22:15 - 76707392 _____ (Sophos Limited) C:\Users\Camilla\Downloads\Sophos Virus Removal Tool.exe
2013-09-06 21:41 - 2009-08-26 21:58 - 00000000 ____D C:\Program Files (x86)\Java
2013-09-06 21:40 - 2010-08-27 00:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2013-09-06 20:55 - 2013-09-06 20:55 - 01898112 _____ (Bleeping Computer, LLC) C:\Users\Camilla\Downloads\rkill.com
2013-09-06 20:55 - 2013-09-06 20:55 - 01038464 _____ (Bleeping Computer, LLC) C:\Users\Camilla\Downloads\rkill64.com
2013-09-06 20:55 - 2013-09-06 20:55 - 00000000 ____D C:\Users\Camilla\Desktop\rkill
2013-09-06 20:47 - 2013-09-06 20:47 - 00000000 _____ C:\Users\Camilla\Desktop\Glass handling configurator.zip
2013-09-06 20:39 - 2013-09-06 20:39 - 00000000 ____D C:\Users\Default\AppData\Roaming\TuneUp Software
2013-09-06 20:39 - 2013-09-06 20:39 - 00000000 ____D C:\Users\Default User\AppData\Roaming\TuneUp Software
2013-09-06 20:39 - 2013-09-05 21:36 - 00000925 _____ C:\Users\Public\Desktop\AVG 2014.lnk
2013-09-06 20:32 - 2013-09-05 21:34 - 00000000 ____D C:\ProgramData\AVG2014
2013-09-06 20:19 - 2013-09-06 20:18 - 109003910 _____ C:\Users\Camilla\PanGPA.dmp
2013-09-06 20:18 - 2009-12-16 14:29 - 00000000 ____D C:\Users\Camilla
2013-09-06 20:15 - 2013-09-06 20:13 - 00000320 _____ C:\Windows\system32\avgrep.txt
2013-09-06 07:04 - 2013-09-06 07:04 - 00000000 __SHD C:\$$PendingFiles
2013-09-06 07:04 - 2010-01-21 17:21 - 00000000 ____D C:\ProgramData\Recovery
2013-09-06 06:58 - 2013-09-06 06:52 - 00000000 ____D C:\Program Files\DVD Maker
2013-09-06 00:05 - 2013-09-05 21:33 - 00000000 ____D C:\Program Files (x86)\AVG
2013-09-05 22:55 - 2013-09-05 22:55 - 00003704 _____ C:\Windows\System32\Tasks\Java Update Scheduler
2013-09-05 22:54 - 2013-09-05 22:07 - 00000000 __SHD C:\ProgramData\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-09-05 22:54 - 2010-12-30 17:20 - 00000000 ____D C:\ProgramData\{8D274659-3D84-4410-A197-C170D180BC76}
2013-09-05 22:54 - 2010-04-16 00:14 - 00000000 ____D C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2013-09-05 22:54 - 2010-03-03 20:25 - 00000000 ____D C:\ProgramData\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}
2013-09-05 22:54 - 2009-12-16 15:24 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\HpUpdate
2013-09-05 22:54 - 2009-12-16 15:18 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\hpqlog
2013-09-05 22:32 - 2013-09-04 12:55 - 00040785 _____ C:\Windows\WindowsUpdate.log
2013-09-05 22:19 - 2013-09-05 22:08 - 00000000 ____D C:\ProgramData\AVG
2013-09-05 22:12 - 2013-09-05 22:12 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\AVG
2013-09-05 22:07 - 2013-09-05 22:06 - 78407592 _____ (AVG) C:\Users\Camilla\Downloads\avg_tuh_stf_all_2014_146_24c4.exe
2013-09-05 21:40 - 2013-09-05 21:21 - 00000000 ____D C:\Users\Camilla\AppData\Local\Avg2014
2013-09-05 21:37 - 2013-09-05 21:37 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\AVG2014
2013-09-05 21:36 - 2013-09-05 21:36 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\TuneUp Software
2013-09-05 21:36 - 2010-08-14 21:51 - 00003230 _____ C:\Windows\System32\Tasks\SidebarExecute
2013-09-05 21:34 - 2013-09-05 21:34 - 00000000 ___HD C:\$AVG
2013-09-05 21:21 - 2013-09-05 21:21 - 04425440 _____ (AVG Technologies) C:\Users\Camilla\Downloads\avg_isct_stb_all_2014_4116_free.exe
2013-09-05 21:21 - 2013-09-05 21:21 - 00000000 ____D C:\Users\Camilla\AppData\Local\MFAData
2013-09-05 21:05 - 2013-08-30 19:51 - 00006346 _____ C:\Windows\PFRO.log
2013-09-05 20:36 - 2013-09-05 20:36 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2013-09-05 20:36 - 2012-04-23 22:02 - 00000000 ____D C:\Program Files\Microsoft Security Client
2013-09-04 22:06 - 2010-11-25 21:45 - 00002004 ____H C:\Users\Camilla\Documents\Default.rdp
2013-09-04 17:23 - 2013-09-04 17:23 - 00001107 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2013-09-04 17:14 - 2013-09-04 17:14 - 00281632 _____ (Mozilla) C:\Users\Camilla\Downloads\Firefox Setup Stub 23.0.1.exe
2013-09-04 17:13 - 2013-09-04 16:07 - 00000000 ____D C:\Users\Camilla\Downloads\backups
2013-09-04 16:47 - 2013-07-16 09:30 - 00003760 _____ C:\Users\Camilla\PanPortalCfg.dat
2013-09-04 16:47 - 2013-07-16 09:29 - 00001060 _____ C:\Users\Camilla\ServerCert.pan
2013-09-04 16:20 - 2009-08-26 21:27 - 00000000 ____D C:\Program Files (x86)\CyberLink
2013-09-04 16:18 - 2010-08-18 22:30 - 00000000 ____D C:\Program Files (x86)\Nokia
2013-09-04 16:12 - 2013-09-04 15:00 - 00014862 _____ C:\Users\Camilla\Desktop\hijackthis.log
2013-09-04 16:05 - 2013-09-04 16:05 - 00388608 _____ (Trend Micro Inc.) C:\Users\Camilla\Downloads\HijackThis.exe
2013-09-04 16:05 - 2013-09-04 16:05 - 00014829 _____ C:\Users\Camilla\Downloads\hijackthis.log
2013-09-04 14:57 - 2012-04-23 22:02 - 00002113 _____ C:\Windows\epplauncher.mif
2013-09-04 14:56 - 2013-09-04 14:56 - 00000000 ____D C:\Windows\Temp4DA5C848-2DEC-B65C-779B-9E5603F0F218-Signatures
2013-09-04 14:51 - 2013-09-04 14:48 - 13836992 _____ (Microsoft Corporation) C:\Users\Camilla\Desktop\mseinstall.exe
2013-09-04 14:50 - 2012-07-24 05:03 - 00000000 ____D C:\Program Files\TabletPlugins
2013-09-04 14:50 - 2012-07-24 05:03 - 00000000 ____D C:\Program Files (x86)\TabletPlugins
2013-09-04 13:37 - 2013-09-04 13:37 - 00001069 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-09-04 13:37 - 2013-09-04 13:37 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\Malwarebytes
2013-09-04 13:37 - 2013-09-04 13:37 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-09-04 13:37 - 2013-09-04 13:37 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-09-04 13:37 - 2013-09-04 13:36 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Camilla\Downloads\mbam-setup-1.75.0.1300.exe
2013-09-04 13:33 - 2013-09-04 13:33 - 00003114 _____ C:\Windows\System32\Tasks\{0511D159-ECB9-4C07-887A-EB88284E5308}
2013-09-04 13:01 - 2013-08-21 20:14 - 00000000 ____D C:\Program Files\Mozilla Firefox
2013-09-04 12:06 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\tracing
2013-09-03 23:59 - 2013-07-12 21:34 - 00000000 ____D C:\Program Files (x86)\Steam
2013-09-02 22:05 - 2009-12-17 14:19 - 00003198 _____ C:\Windows\System32\Tasks\HPCeeScheduleForCamilla
2013-09-02 22:05 - 2009-12-17 14:19 - 00000340 _____ C:\Windows\Tasks\HPCeeScheduleForCamilla.job
2013-09-01 21:05 - 2013-08-21 17:54 - 00000000 ____D C:\Program Files (x86)\The Binding of Isaac
2013-09-01 19:35 - 2013-09-01 19:34 - 00018549 _____ C:\Windows\DirectX.log
2013-09-01 02:05 - 2011-12-22 00:42 - 00000000 ____D C:\Users\Camilla\AppData\Local\Deployment
2013-09-01 01:34 - 2013-09-01 00:24 - 00282296 _____ C:\Windows\SysWOW64\PnkBstrB.xtr
2013-09-01 01:26 - 2013-09-01 00:20 - 00282296 _____ C:\Windows\SysWOW64\PnkBstrB.ex0
2013-09-01 00:23 - 2013-09-01 00:23 - 00000000 ____D C:\Users\Camilla\AppData\Local\PunkBuster
2013-09-01 00:03 - 2013-04-24 21:21 - 00000000 ____D C:\Program Files (x86)\EA Games
2013-08-31 22:43 - 2013-08-31 22:43 - 00000219 _____ C:\Users\Camilla\Desktop\Dota 2.url
2013-08-31 12:50 - 2009-12-25 14:09 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\Azureus
2013-08-30 19:52 - 2013-08-30 19:52 - 00000000 _____ C:\Windows\setuperr.log
2013-08-29 22:49 - 2009-12-25 14:39 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\Media Player Classic
2013-08-29 19:08 - 2009-12-17 08:37 - 00000000 ____D C:\Program Files\Spel
2013-08-28 21:58 - 2009-12-25 15:07 - 00000000 ____D C:\Users\Camilla\AppData\Local\Spotify
2013-08-26 21:03 - 2009-07-14 05:20 - 00000000 ____D C:\Windows\rescache
2013-08-24 16:31 - 2013-08-24 16:31 - 00000000 ____D C:\Users\Camilla\AppData\Local\SKIDROW
2013-08-22 23:25 - 2013-08-22 23:25 - 00212280 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgldx64.sys
2013-08-22 23:08 - 2013-08-22 23:08 - 00294712 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgloga.sys
2013-08-22 22:55 - 2013-08-22 22:55 - 00241464 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsdrivera.sys
2013-08-22 22:54 - 2013-08-22 22:54 - 00192824 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsha.sys
2013-08-22 21:55 - 2009-12-18 03:25 - 00196608 _____ C:\Windows\system32\Ikeext.etl
2013-08-22 19:23 - 2013-08-22 19:22 - 01269760 _____ C:\Users\Camilla\Desktop\image.jpeg
2013-08-22 19:21 - 2013-08-22 19:21 - 00003806 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2013-08-22 19:21 - 2013-06-05 22:14 - 00692104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-08-22 19:21 - 2013-06-05 22:14 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-08-22 19:09 - 2013-08-22 19:09 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2013-08-22 19:02 - 2009-12-16 15:18 - 00000000 ___RD C:\Users\Camilla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2013-08-22 19:02 - 2009-12-16 15:18 - 00000000 ___RD C:\Users\Camilla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools
2013-08-21 21:24 - 2013-07-02 23:14 - 00000000 ____D C:\Program Files\Mozilla Firefox.bak
2013-08-21 17:55 - 2013-03-27 23:19 - 00000000 ____D C:\Users\Camilla\AppData\Local\Google
2013-08-21 17:55 - 2013-03-27 23:19 - 00000000 ____D C:\Program Files (x86)\Google
2013-08-21 17:54 - 2013-08-21 17:54 - 00000000 ____D C:\Users\Camilla\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\The Binding of Isaac
2013-08-20 22:53 - 2013-08-20 22:53 - 00123704 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgmfx64.sys

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

Files to move or delete:
====================
ZeroAccess:
C:\Users\Camilla\AppData\Local\Google\Desktop\Install\{17b72e44-ea30-50a1-d367-082e40143dc5}
ZeroAccess:
C:\Program Files (x86)\Google\Desktop\Install\{17b72e44-ea30-50a1-d367-082e40143dc5}
C:\Users\Camilla\PanPortalCfg.dat
C:\Users\Camilla\AppData\Local\Temp\lgnzts.exe
C:\Users\Camilla\AppData\Local\Temp\vjthjw.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
C:\Program Files\Microsoft Security Client\MsMpEng.exe => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client


LastRegBack: 2013-09-05 18:47

==================== End Of Log ============================

Attached Files
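A responder reading a listing like the one above does a first triage pass by eye: hidden+system folders in odd places, a folder literally named %APPDATA% under SysWOW64, executables with no publisher string, binaries sitting in a user's Temp. As an added example, not code from the thread, from FRST or from the helper, here is that pass written down. The line layout (created, modified, size, five-character flag field, optional publisher in parentheses, path) is inferred from the log above, and the meaning of the flag letters D, H, S and R is assumed from it; the sample input copies six lines from the log and adds one constructed line, marked as such, so the Temp rule has something to match.

```python
"""Triage FRST 'One Month Created Files and Folders' lines.

Added example for this thread; not part of FRST or of the helper's
instructions. Line layout inferred from the log above:
  <created> - <modified> - <size> <flags> [(<company>)] <path>
Flag letters decoded here (D directory, H hidden, S system, R read-only)
are assumed from the listing; other letters are kept but not interpreted.
"""
import re
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<flags>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>.+)$"
)

EXEC_SUFFIXES = (".exe", ".dll", ".sys", ".com", ".scr")


def parse_frst_line(line: str) -> Optional[dict]:
    """Return a record dict for one FRST file line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    rec["company"] = (rec["company"] or "").strip() or None  # trailing padding seen in the log
    rec["flags"] = rec["flags"].replace("_", "")  # e.g. "__SHD" -> "SHD"
    return rec


def triage_reasons(rec: dict) -> list:
    """Reasons a responder would look at this entry; an empty list means nothing notable."""
    reasons = []
    flags, low = rec["flags"], rec["path"].lower()
    if "S" in flags and "H" in flags:
        reasons.append("hidden+system attributes")
    # A folder literally named like an environment variable (%APPDATA% under
    # SysWOW64 in the log above) is a directory name, not an expanded variable.
    if re.search(r"\\%[a-z]+%(?:\\|$)", low):
        reasons.append("folder named like an unexpanded %VAR%")
    if low.endswith(EXEC_SUFFIXES) and rec["company"] is None:
        reasons.append("executable/driver with no publisher string")
    if "\\appdata\\local\\temp\\" in low and low.endswith(EXEC_SUFFIXES):
        reasons.append("executable in user Temp")
    return reasons


def triage_log(text: str) -> list:
    """Parse every FRST line in `text`; return (path, reasons) for flagged entries only."""
    flagged = []
    for line in text.splitlines():
        rec = parse_frst_line(line)
        if rec is None:
            continue
        reasons = triage_reasons(rec)
        if reasons:
            flagged.append((rec["path"], reasons))
    return flagged


# Sample: the first six lines are copied from the log above; the last one is
# constructed (path taken from the 'Files to move or delete' list, timestamps
# and size made up) so that the Temp rule has something to match.
SAMPLE_LOG = r"""
2013-08-22 19:09 - 2013-08-22 19:09 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2013-09-05 22:07 - 2013-09-05 22:54 - 00000000 __SHD C:\ProgramData\{01BD4FC9-2F86-4706-A62E-774BB7E9D308}
2013-09-06 22:56 - 2013-09-06 22:56 - 01339288 _____ C:\Users\Camilla\Downloads\sar_15_sfx.exe
2013-09-07 17:07 - 2013-09-07 17:07 - 05829088 _____ (TeamViewer GmbH) C:\Users\Camilla\Downloads\TeamViewer_Setup_sv.exe
2013-09-04 13:37 - 2013-04-04 14:50 - 00025928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-09-04 13:36 - 2013-09-04 13:37 - 10285040 _____ (Malwarebytes Corporation                                    ) C:\Users\Camilla\Downloads\mbam-setup-1.75.0.1300.exe
2013-09-06 20:40 - 2013-09-06 20:40 - 00061440 _____ C:\Users\Camilla\AppData\Local\Temp\lgnzts.exe
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```

The rules are deliberately crude: "no publisher string" flags plenty of legitimate downloads (a self-extracting archive in Downloads, here), so the output is a review list, not a verdict. What it does buy is consistency across a long listing, and the hidden+system rule alone picks out the three entries in the log that a reader could otherwise scroll straight past.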



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 08 September 2013 - 08:49 PM

Hi,

No wonder your computer was so severely infected. You use a lot of cracks.

==================== Hosts content: ==========================

2009-07-14 04:34 - 2010-03-04 17:09 - 00001755 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1                activate.adobe.com
127.0.0.1                practivate.adobe.com
127.0.0.1                ereg.adobe.com
127.0.0.1                activate.wip3.adobe.com
127.0.0.1                wip3.adobe.com
127.0.0.1                3dns-3.adobe.com
127.0.0.1                3dns-2.adobe.com
127.0.0.1                adobe-dns.adobe.com
127.0.0.1                adobe-dns-2.adobe.com
127.0.0.1                adobe-dns-3.adobe.com
127.0.0.1                ereg.wip3.adobe.com
127.0.0.1                activate-sea.adobe.com
127.0.0.1                wwis-dubc1-vip60.adobe.com
127.0.0.1                activate-sjc0.adobe.com
127.0.0.1                practivate.adobe.com
127.0.0.1                ereg.adobe.com
127.0.0.1                activate.wip3.adobe.com
127.0.0.1                wip3.adobe.com
127.0.0.1                3dns-3.adobe.com
127.0.0.1                3dns-2.adobe.com
127.0.0.1                adobe-dns.adobe.com
127.0.0.1                adobe-dns-2.adobe.com
127.0.0.1                adobe-dns-3.adobe.com
127.0.0.1                ereg.wip3.adobe.com
127.0.0.1                activate-sea.adobe.com
127.0.0.1                wwis-dubc1-vip60.adobe.com
127.0.0.1                activate-sjc0.adobe.com

2013-08-24 16:31 - 2013-08-24 16:31 - 00000000 ____D C:\Users\Camilla\AppData\Local\SKIDROW

This is playing with fire though.

Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications.

Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to Add/Remove in the Control Panel and remove AVG 2014 and leave only Microsoft Security Essentials installed (for now). We must repair MSE in order to restore its functionality, and then you can uninstall it as well if you want to replace it with an alternative (but DON'T uninstall it yet because you will screw up your Windows). MSE is still affected by the rootkit.

Download the AVG Remover(64bit) 2014 tool and run it to clean the remnants from AVG.

Also please go ahead and uninstall the following tools:

Sophos Anti-Rootkit 1.5.0 (x32 Version: 1.5.0)
Sophos Virus Removal Tool (x32 Version: 2.4)

I suggest that you uninstall Vuze.

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case Vuze). These programmes allow sharing files between users, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, which are thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Libre Office or GIMP."

Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software

Now please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi


Edited by B-boy/StyLe/, 08 September 2013 - 08:50 PM.

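The helper's reading of the hosts listing is that activation servers sinkholed to 127.0.0.1 point at cracked software, and the OP's original symptom (some sites redirecting) is the other thing a tampered hosts file can do. As an added example, not code from the thread, from FRST or from the helper, here is a small audit that parses hosts-file content, separates names sinkholed to loopback from names pointed at a non-local address, and lists duplicated names. The sample content copies a few adobe.com lines from the listing above (duplicates included) and adds constructed entries marked as such; the LOCAL_NAMES set and the 203.0.113.5 address are assumptions.

```python
"""Audit a Windows hosts file for sinkholed and redirected names.

Added example for this thread; it is not code from the thread, from FRST or
from the helper. It checks the two things the hosts listing above raises:
names pointed at loopback (the Adobe activation servers) and, for the
redirection symptom the OP described, names pointed at a non-local address.
"""
import ipaddress
from collections import Counter

# Names a stock hosts file maps to loopback on purpose (assumed list).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_hosts(text):
    """Return (address, hostname) pairs; comments, blanks and junk lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address; do not guess
        for name in parts[1:]:  # one line may carry several names
            entries.append((addr, name.lower()))
    return entries


def analyze_hosts(text):
    """Split entries into sinkholed names, redirected names and duplicated names."""
    entries = parse_hosts(text)
    sinkholed, redirected = set(), []
    for addr, name in entries:
        if name in LOCAL_NAMES:
            continue
        # 127.0.0.1 / ::1 and 0.0.0.0 all make the name unreachable.
        if addr.is_loopback or addr.is_unspecified:
            sinkholed.add(name)
        else:
            redirected.append((name, str(addr)))
    counts = Counter(name for _, name in entries if name not in LOCAL_NAMES)
    return {
        "entry_count": len(entries),
        "sinkholed": sorted(sinkholed),
        "redirected": redirected,
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
    }


# Sample content: the localhost lines are what a clean file carries, the
# adobe.com lines are copied from the FRST hosts listing in the thread
# (including its duplicates), and the last entry is constructed to show a
# hijack (203.0.113.5 is a documentation address, not a real host).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
127.0.0.1                activate.adobe.com
127.0.0.1                practivate.adobe.com
127.0.0.1                ereg.adobe.com
127.0.0.1                practivate.adobe.com
127.0.0.1                ereg.adobe.com
203.0.113.5              www.example.com   # constructed hijack entry
"""

if __name__ == "__main__":
    report = analyze_hosts(SAMPLE_HOSTS)
    print("entries:", report["entry_count"])
    print("sinkholed:", ", ".join(report["sinkholed"]))
    print("redirected:", report["redirected"])
    print("duplicates:", report["duplicates"])
```

On a real machine the input is the content of C:\Windows\System32\drivers\etc\hosts; the "redirected" list is the one to act on first, since a name mapped to an outside address means a browser can be sent to a server the user never chose, while the "sinkholed" list is what the FRST listing above already shows.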


#5 camzilla

camzilla
  • Topic Starter

  • Members
  • 13 posts

Posted 10 September 2013 - 11:16 AM

Hello again, sorry for the late reply. I had a pretty busy day at work.

Yes, I know, I'm afraid it's an "old" (relative in today's speedy technology leap) laptop that's never been formatted, and "tampered" with by various people.

I successfully uninstalled Sophos anti-virus and anti-rootkit programs. I tried running the AVG remover tool as well, but it crashes near the end(?). I attached an image of where it crashes (sorry btw for my computer being set to Swedish; if you need anything translated I'll be glad to help you out).

I also tried uninstalling it going through Control Panel -> uninstall program, where it still exists in the list. But when I try to uninstall it, it says AVG is not installed.

I also tried uninstalling Vuze, but I instantly get an error saying "No JVM could be found on your system. Please define EX4J_JAVA_HOME to point to an installed 32-bit JDK or JRE or download JRE from www.java.com."

I previously uninstalled Java because it might be a security risk and will leave it like that unless you tell me to do otherwise!

Attached Files



#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 10 September 2013 - 05:20 PM

Hi,

Nice work. I think that we removed most of the traces of AVG and Sophos, but let's double-check that:

Please download SystemLook from the link below and save it to your Desktop.
SystemLook_x64.exe

  • Double-click SystemLook_x64.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :folderfind
    AVG
    MFAData
    Grisoft
    Sophos
    TuneUp
    Vuze
    :regfind
    AVG
    MFAData
    Grisoft
    Sophos
    TuneUp
    Vuze

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop, entitled SystemLook.txt.

About Java you are right. It is considered a security risk, so let's get rid of the leftovers:

Run JavaRa

  • Please download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Click on Settings and Place a checkmark beside Create a log file. Click on Back.
  • Choose Remove JRE and from the drop-down menu select any Java version (if listed) and press Run Uninstaller. (If Java is not listed please click on Next).
  • Now click on Perform Removal Routine to remove the older versions of Java installed on your computer.
  • When that's successfully done, please click OK to close the message.
  • Click on Next and skip the downloading process. Click Next and now click on Close this wizard and click Finish.
  • From the main menu please choose Additional tasks
  • Place a checkmark beside Remove startup entry, Remove Outdated JRE Firefox Extentions and Clean JRE Temp Files and click Run. The browsers should be closed before running this task.
  • When that's successfully done you will see a message at the top saying: "Selected tasks completed successfully".
  • A log file should be created in the same directory as JavaRa.
  • Please post the log in your next reply.
  • Close JavaRa by clicking the red cross button.

Regards,

Georgi




#7 camzilla

camzilla
  • Topic Starter

  • Members
  • 13 posts

Posted 11 September 2013 - 11:36 AM

Alright, I proceeded with those tasks and have 2 logs that I attach.

I'm curious how the Fixlist seems to have removed the rootkit when every way I tried to remove it didn't seem to work at all ;)

Attached Files



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 11 September 2013 - 07:44 PM

Hi,

Backup Your Registry

We need to run an OTL Fix

  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Quote"

    :services
    AVGDISKA
    AVGFWFD
    AVGIDSDRIVER
    AVGIDSHA
    Avgldx64
    Avgloga
    Avgmfx64
    Avgrkx64
    Avgtdia
    :files
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
    C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\AVG
    C:\Program Files (x86)\Vuze
    :reg
    [-HKEY_CURRENT_USER\Software\Avg]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\AVG]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\b85fa835_0]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG Shell Extension]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avgdi]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avgdx]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avgfv]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\avgsbg.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EFFE7926-4CE7-43A9-8E93-2040AC623858}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F083C5AB-08AD-4ABF-A2BE-8FA5C7D2F10A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\avgfilevault]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\avgsbg.state]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\avgsbg.state.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B2BFA8E6-DB09-43F4-8469-BC587CB603EB}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\AVG Shell Extension]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\AVG Shell Extension]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{660E1DFA-2E19-4C53-8EE1-F093E2A1E37F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A0869B2C-C907-4DCA-A72B-6D54C1E1B1A2}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A30}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\avgsbg.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{EFFE7926-4CE7-43A9-8E93-2040AC623858}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{F083C5AB-08AD-4ABF-A2BE-8FA5C7D2F10A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{660E1DFA-2E19-4C53-8EE1-F093E2A1E37F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{A0869B2C-C907-4DCA-A72B-6D54C1E1B1A2}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AVGSE.DLL]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\AVG]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avgfws_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avgfws_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avgui_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avgui_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avg_tuh_stf_all_2014_146_24c4_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avg_tuh_stf_all_2014_146_24c4_RASMANCS]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\AVGSE.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A30}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\avgsbg.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{EFFE7926-4CE7-43A9-8E93-2040AC623858}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{F083C5AB-08AD-4ABF-A2BE-8FA5C7D2F10A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{660E1DFA-2E19-4C53-8EE1-F093E2A1E37F}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{A0869B2C-C907-4DCA-A72B-6D54C1E1B1A2}]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Avg]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\TuneUp]
    [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiRSAlert]
    [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiScanFinished]
    [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiScanFinishedThreatFound]
    [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiScanStarted]
    [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiUpdEnd]
    [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiUpdEndFail]
    [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiUpdStart]
    [-HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiWSAlert]
    [-HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\avgui]
    [-HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\avgui]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Avg]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\b85fa835_0]
    [-HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiRSAlert]
    [-HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiScanFinished]
    [-HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiScanFinishedThreatFound]
    [-HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiScanStarted]
    [-HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiUpdEnd]
    [-HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiUpdEndFail]
    [-HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiUpdStart]
    [-HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiWSAlert]
    [-HKEY_USERS\S-1-5-18\AppEvents\Schemes\Apps\avgui]
    [-HKEY_USERS\S-1-5-18\AppEvents\Schemes\Apps\avgui]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00711705-12C5-420B-A4E5-6413F2AB3C7B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9F29329-1C42-4F3F-9A49-7741CA550A2C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00711705-12C5-420B-A4E5-6413F2AB3C7B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TuneUpUtilitiesService64_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TuneUpUtilitiesService64_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\TuneUpSystemStatusCheck_RASAPI32]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\TuneUpSystemStatusCheck_RASMANCS]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TuneUp]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00711705-12C5-420B-A4E5-6413F2AB3C7B}]
    [-HKEY_CURRENT_USER\Software\Azureus]
    [-HKEY_CURRENT_USER\Software\ej-technologies]
    [-HKEY_CURRENT_USER\Software\Classes\.vuze]
    [-HKEY_CURRENT_USER\Software\Classes\BC]
    [-HKEY_CURRENT_USER\Software\Classes\BCTP]
    [-HKEY_CURRENT_USER\Software\Classes\DHT]
    [-HKEY_CURRENT_USER\Software\Classes\Magnet]
    [-HKEY_CURRENT_USER\Software\Classes\Mime\Database\Content Type\application/x-vuze]
    [-HKEY_CURRENT_USER\Software\Classes\Vuze]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vuze]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Azureus]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BC]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BCTP]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DHT]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Magnet]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vuze]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vuze]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Azureus]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ej-technologies]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\magnet]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\8461-7759-5462-8226]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Azureus]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\ej-technologies]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\.vuze]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\BC]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\BCTP]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\DHT]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\Magnet]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\Mime\Database\Content Type\application/x-vuze]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\Vuze]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\.vuze]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\BC]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\BCTP]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\DHT]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\Magnet]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\Mime\Database\Content Type\application/x-vuze]
    [-HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\Vuze]
    :commands
    [emptytemp]
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown please navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.

Regards,

Georgi

#9 camzilla

Posted 12 September 2013 - 03:51 PM

Hello again, back with some further progress:

All processes killed
========== SERVICES/DRIVERS ==========
Error: No service named AVGDISKA was found to stop!
Service\Driver key AVGDISKA not found.
Error: No service named AVGFWFD was found to stop!
Service\Driver key AVGFWFD not found.
Error: No service named AVGIDSDRIVER was found to stop!
Service\Driver key AVGIDSDRIVER not found.
Error: No service named AVGIDSHA was found to stop!
Service\Driver key AVGIDSHA not found.
Error: No service named Avgldx64 was found to stop!
Service\Driver key Avgldx64 not found.
Error: No service named Avgloga was found to stop!
Service\Driver key Avgloga not found.
Error: No service named Avgmfx64 was found to stop!
Service\Driver key Avgmfx64 not found.
Error: No service named Avgrkx64 was found to stop!
Service\Driver key Avgrkx64 not found.
Error: No service named Avgtdia was found to stop!
Service\Driver key Avgtdia not found.
========== FILES ==========
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG folder moved successfully.
File\Folder C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\AVG not found.
C:\Program Files (x86)\Vuze\plugins\azupnpav folder moved successfully.
C:\Program Files (x86)\Vuze\plugins\azupdater folder moved successfully.
C:\Program Files (x86)\Vuze\plugins\azrating folder moved successfully.
C:\Program Files (x86)\Vuze\plugins\azplugins folder moved successfully.
C:\Program Files (x86)\Vuze\plugins\azitunes folder moved successfully.
C:\Program Files (x86)\Vuze\plugins\azemp\mplayer folder moved successfully.
C:\Program Files (x86)\Vuze\plugins\azemp folder moved successfully.
C:\Program Files (x86)\Vuze\plugins folder moved successfully.
C:\Program Files (x86)\Vuze\.install4j\user folder moved successfully.
C:\Program Files (x86)\Vuze\.install4j folder moved successfully.
C:\Program Files (x86)\Vuze folder moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Avg\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\AVG\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\b85fa835_0\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\AVG Shell Extension\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avgdi\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avgdx\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.avgfv\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\avgsbg.DLL\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EFFE7926-4CE7-43A9-8E93-2040AC623858}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EFFE7926-4CE7-43A9-8E93-2040AC623858}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{F083C5AB-08AD-4ABF-A2BE-8FA5C7D2F10A}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F083C5AB-08AD-4ABF-A2BE-8FA5C7D2F10A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\avgfilevault\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\avgsbg.state\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\avgsbg.state.1\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B2BFA8E6-DB09-43F4-8469-BC587CB603EB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B2BFA8E6-DB09-43F4-8469-BC587CB603EB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\AVG Shell Extension\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shellex\ContextMenuHandlers\AVG Shell Extension\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{660E1DFA-2E19-4C53-8EE1-F093E2A1E37F}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660E1DFA-2E19-4C53-8EE1-F093E2A1E37F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A0869B2C-C907-4DCA-A72B-6D54C1E1B1A2}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0869B2C-C907-4DCA-A72B-6D54C1E1B1A2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A30}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A30}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\avgsbg.DLL\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{EFFE7926-4CE7-43A9-8E93-2040AC623858}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EFFE7926-4CE7-43A9-8E93-2040AC623858}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{F083C5AB-08AD-4ABF-A2BE-8FA5C7D2F10A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F083C5AB-08AD-4ABF-A2BE-8FA5C7D2F10A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{660E1DFA-2E19-4C53-8EE1-F093E2A1E37F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660E1DFA-2E19-4C53-8EE1-F093E2A1E37F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{A0869B2C-C907-4DCA-A72B-6D54C1E1B1A2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0869B2C-C907-4DCA-A72B-6D54C1E1B1A2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AVGSE.DLL\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\AVG\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avgfws_RASAPI32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avgfws_RASMANCS\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avgui_RASAPI32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avgui_RASMANCS\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avg_tuh_stf_all_2014_146_24c4_RASAPI32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\avg_tuh_stf_all_2014_146_24c4_RASMANCS\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}\ not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\AVGSE.DLL\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A30}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1152F8E0-69DB-4935-AFC3-59F8A5A86A30}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{86E8C5B0-75B6-4ff2-B04F-6789CC7AE386}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF0BB4CD-81FA-48AF-99B3-AB6C1F079BEC}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\avgsbg.DLL\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{EFFE7926-4CE7-43A9-8E93-2040AC623858}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EFFE7926-4CE7-43A9-8E93-2040AC623858}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\AppID\{F083C5AB-08AD-4ABF-A2BE-8FA5C7D2F10A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F083C5AB-08AD-4ABF-A2BE-8FA5C7D2F10A}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{660E1DFA-2E19-4C53-8EE1-F093E2A1E37F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660E1DFA-2E19-4C53-8EE1-F093E2A1E37F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66694099-FBD8-4A98-AB9F-F19EAB4144C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\TypeLib\{A0869B2C-C907-4DCA-A72B-6D54C1E1B1A2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A0869B2C-C907-4DCA-A72B-6D54C1E1B1A2}\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Avg\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\TuneUp\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiRSAlert\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiScanFinished\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiScanFinishedThreatFound\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiScanStarted\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiUpdEnd\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiUpdEndFail\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiUpdStart\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\AppEvents\EventLabels\avguiWSAlert\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\avgui\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\AppEvents\Schemes\Apps\avgui\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Avg\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\b85fa835_0\ not found.
Registry key HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiRSAlert\ not found.
Registry key HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiScanFinished\ not found.
Registry key HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiScanFinishedThreatFound\ not found.
Registry key HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiScanStarted\ not found.
Registry key HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiUpdEnd\ not found.
Registry key HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiUpdEndFail\ not found.
Registry key HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiUpdStart\ not found.
Registry key HKEY_USERS\S-1-5-18\AppEvents\EventLabels\avguiWSAlert\ not found.
Registry key HKEY_USERS\S-1-5-18\AppEvents\Schemes\Apps\avgui\ not found.
Registry key HKEY_USERS\S-1-5-18\AppEvents\Schemes\Apps\avgui\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00711705-12C5-420B-A4E5-6413F2AB3C7B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00711705-12C5-420B-A4E5-6413F2AB3C7B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A9F29329-1C42-4F3F-9A49-7741CA550A2C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A9F29329-1C42-4F3F-9A49-7741CA550A2C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00711705-12C5-420B-A4E5-6413F2AB3C7B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00711705-12C5-420B-A4E5-6413F2AB3C7B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TuneUpUtilitiesService64_RASAPI32\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\TuneUpUtilitiesService64_RASMANCS\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\TuneUpSystemStatusCheck_RASAPI32\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\TuneUpSystemStatusCheck_RASMANCS\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TuneUp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID\{00711705-12C5-420B-A4E5-6413F2AB3C7B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00711705-12C5-420B-A4E5-6413F2AB3C7B}\ not found.
Registry key HKEY_CURRENT_USER\Software\Azureus\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\ej-technologies\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\.vuze\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\BC\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\BCTP\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\DHT\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\Magnet\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\Mime\Database\Content Type\application/x-vuze\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Classes\Vuze\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.vuze\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Azureus\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BC\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BCTP\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DHT\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Magnet\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-vuze\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vuze\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Azureus\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ej-technologies\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\magnet\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\8461-7759-5462-8226\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Azureus\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\ej-technologies\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\.vuze\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\BC\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\BCTP\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\DHT\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\Magnet\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\Mime\Database\Content Type\application/x-vuze\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000\Software\Classes\Vuze\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\.vuze not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\BC not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\BCTP not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\DHT not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\Magnet not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\Mime\Database\Content Type\application/x-vuze\ not found.
Registry key HKEY_USERS\S-1-5-21-484236511-2725123542-3564523058-1000_Classes\Vuze not found.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: All Users
 
User: Camilla
->Temp folder emptied: 380497401 bytes
->Temporary Internet Files folder emptied: 128221172 bytes
->FireFox cache emptied: 460047461 bytes
->Google Chrome cache emptied: 9825368 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 1938110 bytes
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: DefaultAppPool
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 99931 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 67729 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 751 bytes
RecycleBin emptied: 6665288 bytes
 
Total Files Cleaned = 942,00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 09122013_224101

Files\Folders moved on Reboot...
C:\Users\Camilla\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

#10 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 12 September 2013 - 11:19 PM

Nice work! :)
Let's check for leftovers.
Most of them should take no more than 5 minutes each.
You can run these scans at night when you are not there and the computer is idle.

Also we need to repair some of the Windows services like Windows Update, Windows Firewall, Security Center etc. which are probably broken by the rootkit.
And then I'll give you my final recommendations:



STEP 1

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
     
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 2




  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 3



Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 4




  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-clicking on its icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and copy and paste the results at pastebin.com and post the link to the log in your next reply.




STEP 5



Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.



STEP 6



Please download AdwCleaner by Xplode and save to your Desktop.


  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.



STEP 7
 

  1. Please download OTL from the link below:
  2. Save it to your desktop.
  3. Double click on the OTL icon on your desktop.
  4. OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  5. Copy and Paste the following code into the Custom Scans/Fixes textbox.
  6. Don't copy the word "quote"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\temp\*.exe
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates\*.*
    %USERPROFILE%\AppData\Local\Microsoft\*.*
    %USERPROFILE%\AppData\Local\Microsoft\*.
    %USERPROFILE%\AppData\Roaming\Microsoft\*.*
    %USERPROFILE%\AppData\Roaming\Microsoft\*.
    %windir%\AppPatch\*.*
    %windir%\AppPatch\*.
    %Public%\Documents\*.*
    %Public%\Documents\*.
    %ProgramData%\*.*
    %ProgramData%\*.
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\*.
    %CommonProgramFiles%\ComObjects\*.exe
    %ProgramFiles%\*.*
    %ProgramFiles%\*.
    %programdata%\Microsoft\Windows\DRM\*.tmp
    %programdata%\Microsoft\DRM\*.tmp
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Local\*.
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\ShellNew\*.*
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %SYSTEMDRIVE%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s
    HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    type C:\WINDOWS\system.ini >> test.txt /c
    bcdedit /enum all /v >C:\boot.txt /c
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    imapi.sys
    fastfat.sys
    atapi.sys
    iaStor.sys
    serial.sys
    volsnap.sys
    disk.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    kbdclass.sys
    kbdhid.sys
    mouclass.sys
    mouhid.sys
    spldr.sys
    dfsc.sys
    hlp.dat
    str.sys
    CREXVX.OCX
    crexv.ocx
    msseedir.dll
    msdr.dll
    lmbd.dll
    wsse.dll
    /md5stop

     

  7. Push the Run Scan button.
  8. Two reports will open, attach the logs to your next reply.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

 

 

Regards,

Georgi




#11 camzilla (Topic Starter)

  • Members
  • 13 posts

Posted 14 September 2013 - 02:47 PM

Here are the results,

 

rkill: http://pastebin.com/RaDn5f1d

RogueKiller: http://pastebin.com/eeUuxURK

Malwarebytes: http://pastebin.com/0MGGeqv8

Farbar: http://pastebin.com/4icZGPYR

AdwCleaner: http://pastebin.com/v1JTvPRh

 

OTL: http://pastebin.com/bd1YZFFh (was too big to attach)

 

But there was no Extra.txt?



#12 camzilla (Topic Starter)

  • Members
  • 13 posts

Posted 14 September 2013 - 07:21 PM

I realized I missed step 3: the first time I ran it I accidentally pressed delete on the found threat, and I had also forgotten to check Verify file digital signatures and Detect TDLFS file system. So I completely messed that one up. I ran it a second time though, remembered to check all the boxes, and proceeded with skip on the found threat.

 

First log: http://pastebin.com/DFYm2Gjg

Second log: http://pastebin.com/1BLHezTi

 



#13 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 15 September 2013 - 01:13 PM

Hi,

STEP 1

Please re-run RogueKiller for one more time and post back the newest log.

STEP 2

Next let's try to fix the broken services.


Backup Your Registry

Now download the following files and save them to your desktop:

  • mpsdrv.reg
  • BFE.reg
  • BITS.reg
  • iphlpsvc.reg
  • MpsSvc.reg
  • PcaSvc.reg
  • PolicyAgent.reg
  • RemoteAccess.reg
  • WinDefend.reg
  • wscsvc.reg
  • wuauserv.reg
  • SharedAccess.reg

Now double click on each of them one by one. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

 

  • Next please download the ESET ServicesRepair utility and save it to your Desktop.
  • Double-click ServicesRepair.exe to run the ESET ServicesRepair utility.
  • If you are using User Access Control, click Run when prompted and then click Yes when asked to allow changes.
  • Reboot the computer and then please attach fresh logs from the following 2 tools - RKILL and Farbar Service Scanner.

STEP 3

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

 

Regards,

Georgi


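A check worth running before merging the .reg files in Step 2 of the post above, as an added example that is not from this thread, from Georgi, or from the ESET ServicesRepair utility: it exports the existing registry key of each service named in that step (the backup the post asks for, so a merge can be reverted with the exported file) and then tabulates each service's start type, current state and ImagePath so the result can be compared against the Farbar Service Scanner log. The service list is the one in the post; the backup folder name and the ReviewMe heuristic are assumptions made for this example.

```powershell
# Added example, not code from the thread or from any tool it names.
# Purpose: back up and audit the Windows service registry keys that the
# .reg files in Step 2 would overwrite. Run from an elevated PowerShell prompt.
# Read-only apart from writing the backup files.

# Service names exactly as listed in the post.
$ServiceNames = @('mpsdrv', 'BFE', 'BITS', 'iphlpsvc', 'MpsSvc', 'PcaSvc',
                  'PolicyAgent', 'RemoteAccess', 'WinDefend', 'wscsvc',
                  'wuauserv', 'SharedAccess')

# Meaning of the Start value stored under each service key.
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Backup folder name is an assumption for this example.
$BackupDir = Join-Path $env:USERPROFILE 'Desktop\ServiceKeyBackup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$report = foreach ($name in $ServiceNames) {
    $keyPath = "HKLM\SYSTEM\CurrentControlSet\Services\$name"
    $regKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $outFile = Join-Path $BackupDir "$name.reg"

    # reg.exe export returns a non-zero exit code when the key does not exist;
    # a missing key is itself a finding, since there is nothing left to restore.
    & reg.exe export $keyPath $outFile /y 2>&1 | Out-Null
    $keyExported = ($LASTEXITCODE -eq 0)

    $props = Get-ItemProperty -Path $regKey -ErrorAction SilentlyContinue
    $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue

    if ($props -and $null -ne $props.Start) {
        $startType = $StartTypes[[int]$props.Start]
        $imagePath = $props.ImagePath
    } else {
        $startType = 'MISSING'
        $imagePath = ''
    }
    # mpsdrv is a kernel driver, so Get-Service may not list it; that is expected.
    $state = if ($svc) { $svc.Status.ToString() } else { 'not registered' }

    [pscustomobject]@{
        Service     = $name
        KeyBackedUp = $keyExported
        StartType   = $startType
        State       = $state
        ImagePath   = $imagePath
        # Heuristic (assumption): a key that is gone or set to Disabled is the
        # kind of damage the thread attributes to the rootkit and is worth
        # comparing against the Farbar Service Scanner output before merging.
        ReviewMe    = ($startType -eq 'MISSING') -or ($startType -eq 'Disabled')
    }
}

$report | Format-Table -AutoSize
```

A Disabled entry is not proof of tampering on its own: WinDefend, for instance, may legitimately be disabled when a third-party antivirus product is installed, and the .reg files and ServicesRepair restore Microsoft defaults rather than the machine's previous configuration. Keeping the exported keys is what makes it possible to tell the two apart afterwards and to roll a service back if a merge makes things worse.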


#14 B-boy/StyLe/ (Bleepin' Freestyler)

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 18 September 2013 - 03:39 AM

Hi,

It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 72 hours.


Regards,
Georgi




#15 camzilla (Topic Starter)

  • Members
  • 13 posts

Posted 19 September 2013 - 08:07 AM

I've been working late nights. I tried to do the latest tasks last night but time ran out and I had to sleep. I'll proceed with it tonight!





