
Zero Access Rootkit?


  • This topic is locked
17 replies to this topic

#1 art_vandelay

  • Members
  • 139 posts

Posted 17 December 2013 - 12:27 AM

Hi all,

 

My mom's computer is hosed up with what appears to be the Zero Access Rootkit.  I cannot download any of the scanning or removal tools like DDS to fix because every download attempt results in the ".....contained a virus and was deleted" error (which is why I think this PC is infected with it).

 

Any assistance would be great.

 

Thank you.

 

vandelay87





#2 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 17 December 2013 - 07:52 AM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

First please navigate to C:\Program Files, then right-click the Windows Defender folder and select Rename from the context menu.

Add a unique variation to the filename, such as .old (for example, Windows Defender.old).

 

 

 

Next please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • If the download completes successfully, make sure to rename the Windows Defender folder back to its original filename before running FRST.
  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

 

Regards,
Georgi


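Georgi's instructions above produce FRST.txt and Addition.txt, and FRST marks the entries it considers suspicious inline: "ATTENTION" markers, "ZeroAccess:" blocks with the affected path on the next line, and "[x]" for a file that is not present on disk. As an added example that is not part of this thread or of FRST itself, here is a small Python helper that pulls those flagged entries out of a log together with the section they appear under; the sample log is constructed from a trimmed set of lines taken from the FRST.txt posted later in this thread.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST.txt) logs.

Added example, not part of the thread or of FRST. It collects the entries
FRST flags so a helper can review them without reading the whole log:
  * lines carrying an "ATTENTION" marker (altered file names, hijacked
    COM entries, unreadable browser preferences, ...)
  * "ZeroAccess:" blocks, whose affected path FRST prints on the next line
  * entries ending in "[x]", which FRST uses for a file that is not present
Each finding keeps the "==== Section ====" header it was found under.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# "==================== Registry (Whitelisted) ==================" -> "Registry (Whitelisted)"
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")


@dataclass(frozen=True)
class Finding:
    section: str
    kind: str    # "attention" | "zeroaccess" | "missing_file"
    detail: str  # the flagged line, or the path under a "ZeroAccess:" block


def parse_frst(text: str) -> list[Finding]:
    """Return FRST-flagged entries in log order, tagged with their section."""
    findings: list[Finding] = []
    section = "Header"
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        header = SECTION_RE.match(line)
        if header and header.group(1):
            # Bare "=====" separators have an empty title and are skipped.
            section = header.group(1)
        elif "ATTENTION" in line:
            findings.append(Finding(section, "attention", line))
        elif line.startswith("ZeroAccess:"):
            # FRST prints the folder it found on the following line.
            path = lines[i + 1].strip() if i + 1 < len(lines) else ""
            findings.append(Finding(section, "zeroaccess", path))
            i += 1
        elif line.endswith("[x]"):
            findings.append(Finding(section, "missing_file", line))
        i += 1
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per kind, e.g. {"attention": 3, "missing_file": 2, ...}."""
    return dict(Counter(f.kind for f in findings))


def mentions_zeroaccess(findings: list[Finding]) -> bool:
    """True when FRST itself names ZeroAccess in any flagged entry."""
    return any(f.kind == "zeroaccess" or "ZeroAccess" in f.detail for f in findings)


# Constructed sample: a trimmed selection of lines from the FRST.txt in this thread.
SAMPLE_LOG = r"""Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2014 04
Ran by sheila (administrator) on SHEILA-PC on 01-02-2014 22:01:58

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [EzPrint] - C:\Program Files (x86)\Lexmark 7100 Series\ezprint.exe [103344 2007-05-11] (Lexmark International Inc.)
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
HKLM-x32\...\Run: [] - [x]
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?

==================== Drivers (Whitelisted) ====================

R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
S1 xfrlmvfj; \??\C:\Windows\system32\drivers\xfrlmvfj.sys [x]

==================== One Month Modified Files and Folders =======

2014-02-01 22:02 - 2014-02-01 22:01 - 00011944 _____ () C:\Users\sheila\Desktop\FRST.txt

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$4757f2ac96a0dd32ef7fcd5208976805

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== End Of Log ============================
"""

if __name__ == "__main__":
    found = parse_frst(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.kind}: {f.detail}")
    print(summarize(found), "ZeroAccess named:", mentions_zeroaccess(found))
```

A "[x]" entry is not evidence on its own: in this thread the "[x]" on the WinDefend service is expected, because the helper asked for the Windows Defender folder to be renamed before the download.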


#3 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 24 December 2013 - 05:03 AM

Hi,

 

Are you still there?

 

 

Regards,

Georgi




#4 art_vandelay

  • Topic Starter
  • Members
  • 139 posts

Posted 25 December 2013 - 04:27 PM

Yes, I'm here but with the holidays I haven't had a chance to work on my mom's computer yet.  I did find the suggestion to do the "windows defender.old" fix on another forum but it seems that I still could not download anything.  I'll try it again when I get back to her place.  Thanks.



#5 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 26 December 2013 - 07:31 AM

Hi,

 

Merry Christmas to you and yours! No worries if the trick doesn't work - you can use a pendrive and transfer the file to the sick computer's desktop. :)

 

 

Regards,

Georgi




#6 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 29 December 2013 - 06:11 PM

Hi,

 

Are you still there?

 

 

Regards,

Georgi




#7 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 04 January 2014 - 06:08 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.



#8 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria

Posted 02 February 2014 - 05:26 AM

Unlocked per user request.




#9 art_vandelay

  • Topic Starter
  • Members
  • 139 posts

Posted 02 February 2014 - 11:25 AM

Result of Farbar scan tool:  (note:  results of Addition.txt are below that).  Thanks for your help!

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-02-2014 04
Ran by sheila (administrator) on SHEILA-PC on 01-02-2014 22:01:58
Running from C:\Users\sheila\Desktop
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Elements 9 Organizer\PhotoshopElementsFileAgent.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2svc.exe
( ) C:\Windows\System32\lxbxcoms.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2comm.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2pre.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2tray.exe
(Dell, Inc.) C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
(SoftThinks SAS) C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe
(Lexmark International, Inc.) C:\Program Files (x86)\Lexmark 7100 Series\lxbxmon.exe
(Lexmark International Inc.) C:\Program Files (x86)\Lexmark 7100 Series\ezprint.exe
() C:\Program Files (x86)\Dell\Stage Remote\StageRemoteService.exe
(Google Inc.) C:\Users\sheila\AppData\Local\Google\Chrome Frame\Application\32.0.1700.102\chrome_frame_helper.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
() C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
() C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe
(Lavasoft) C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
(Sun Microsystems, Inc.) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Lavasoft.) C:\ProgramData\Search Protection\SearchProtection.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
(SoftThinks - Dell) C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe
() C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Google Inc.) C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2mainh.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2host.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2audioh.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2printh.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Citrix Online, a division of Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\GoToMyPC\g2fileh.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Stage Remote] - C:\Program Files (x86)\Dell\Stage Remote\StageRemote.exe [2022976 2011-06-27] ()
HKLM\...\Run: [AdobeAAMUpdater-1.0] - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [497648 2010-07-28] (Adobe Systems Incorporated)
HKLM\...\Run: [lxbxmon.exe] - C:\Program Files (x86)\Lexmark 7100 Series\lxbxmon.exe [205744 2007-05-11] (Lexmark International, Inc.)
HKLM\...\Run: [EzPrint] - C:\Program Files (x86)\Lexmark 7100 Series\ezprint.exe [103344 2007-05-11] (Lexmark International Inc.)
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
HKLM\...\Run: [DellStage] - C:\Program Files (x86)\Dell Stage\Dell Stage\stage_primary.exe [2195824 2012-02-01] ()
HKLM-x32\...\Run: [Dell DataSafe Online] - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe [1117528 2010-08-25] (Dell, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe [35768 2012-07-27] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [RoxWatchTray] - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM-x32\...\Run: [Desktop Disc Tool] - C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59280 2012-05-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] - C:\Program Files (x86)\iTunes\iTunesHelper.exe [421776 2012-06-07] (Apple Inc.)
HKLM-x32\...\Run: [AccuWeatherWidget] - C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\accuweather.exe [968048 2012-02-01] ()
HKLM-x32\...\Run: [Ad-Aware Browsing Protection] - C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe [542632 2013-01-31] (Lavasoft)
HKLM-x32\...\Run: [SearchProtection] - C:\ProgramData\Search Protection\_run.bat [142 2013-05-17] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKU\.DEFAULT\...\Run: [SearchProtect] - \SearchProtect\bin\cltmng.exe
HKU\S-1-5-21-2431324496-903031801-2049932644-1001\...\Run: [Google Update] - C:\Users\sheila\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-03-20] (Google Inc.)
HKU\S-1-5-21-2431324496-903031801-2049932644-1001\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-03-11] (Google Inc.)
HKU\S-1-5-21-2431324496-903031801-2049932644-1001\...\Run: [ChromeFrameHelper] - C:\Users\sheila\AppData\Local\Google\Chrome Frame\Application\32.0.1700.102\chrome_frame_helper.exe [83736 2014-01-22] (Google Inc.)
HKU\S-1-5-21-2431324496-903031801-2049932644-1001\...\RunOnce: [Application Restart #2] - C:\Users\sheila\AppData\Local\Google\Chrome Frame\Application\chrome.exe [866584 2014-01-22] (Google Inc.)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x3BFC1D24FC1BCF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
SearchScopes: HKLM-x32 - DefaultScope {2996C722-AD3A-49EF-8A06-59A59F2DC1BF} URL =
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll ()
BHO-x32: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.0 Runtime\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll ()
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://zone.msn.com/bingame/popcaploader_v10.cab
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} -  No File
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} -  No File
Handler-x32: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll (Cozi Group, Inc.)
Handler-x32: gcf - No CLSID Value -
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

Chrome:
=======
Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [lfffjahnfbocnaooecgijfnbpcfekoik] - C:\ProgramData\adawaretb\shortcuts\chrome\adawaretb.crx [2013-02-04]

==================== Services (Whitelisted) =================

S3 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227936 2013-11-08] (WildTangent)
R2 lxbx_device; C:\Windows\system32\lxbxcoms.exe [566704 2007-03-22] ( )
R2 lxbx_device; C:\Windows\SysWOW64\lxbxcoms.exe [537520 2007-03-22] ( )
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [22056 2013-01-27] ()
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [379360 2013-01-27] ()
S3 WinDefend; %ProgramFiles%\Windows Defender\mpsvc.dll [x]

==================== Drivers (Whitelisted) ====================

R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-05-17] (GFI Software)
R2 monblanking; C:\Windows\System32\DRIVERS\monblanking.sys [34048 2013-03-13] (Citrix Systems, Inc.)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [230320 2013-01-20] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [130008 2013-01-20] (Microsoft Corporation)
S1 xfrlmvfj; \??\C:\Windows\system32\drivers\xfrlmvfj.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-02-01 22:01 - 2014-02-01 22:02 - 00011944 _____ () C:\Users\sheila\Desktop\FRST.txt
2014-02-01 22:01 - 2014-02-01 22:01 - 00000000 ____D () C:\FRST
2014-02-01 22:00 - 2014-02-01 21:48 - 02080256 _____ (Farbar) C:\Users\sheila\Desktop\FRST64.exe
2014-02-01 14:25 - 2014-02-01 14:25 - 00000000 ____D () C:\Program Files\DIFX
2014-02-01 14:25 - 2014-02-01 14:25 - 00000000 ____D () C:\Program Files (x86)\Citrix
2014-02-01 14:25 - 2013-03-13 06:26 - 00131416 _____ (Citrix Online, a division of Citrix Systems, Inc.) C:\Windows\system32\gotomon_x64.dll
2014-02-01 14:25 - 2013-03-13 06:15 - 00034048 _____ (Citrix Systems, Inc.) C:\Windows\system32\Drivers\monblanking.sys
2014-02-01 03:00 - 2014-02-01 03:00 - 00000000 ____D () C:\Windows\Temp5D780EBB-E66A-A9C2-43DE-0AA6DFE35A4C-Signatures
2014-01-31 03:00 - 2014-01-31 03:00 - 00000000 ____D () C:\Windows\Temp30B113B4-72F0-3A23-2446-4DE8EEEAD3B1-Signatures
2014-01-30 03:00 - 2014-01-30 03:00 - 00000000 ____D () C:\Windows\Temp04D9281F-AACA-8BE5-BCCD-5FBC772EBE98-Signatures
2014-01-29 03:00 - 2014-01-29 03:00 - 00000000 ____D () C:\Windows\Temp9CA713F8-F34F-00CB-9B50-657CDC9FE5CD-Signatures
2014-01-28 03:00 - 2014-01-28 03:00 - 00000000 ____D () C:\Windows\Temp3CD44A89-AE88-3356-874D-D42E43C84F08-Signatures
2014-01-27 03:00 - 2014-01-27 03:00 - 00000000 ____D () C:\Windows\TempA0EBCAF5-91AA-EF91-A65E-B15B10E2EDB0-Signatures
2014-01-26 03:00 - 2014-01-26 03:00 - 00000000 ____D () C:\Windows\Temp96A20CA6-BF7C-7555-0EC9-F87A8E3E628E-Signatures
2014-01-25 03:00 - 2014-01-25 03:00 - 00000000 ____D () C:\Windows\TempE6412A92-0BDA-E213-8AA4-8667834DC848-Signatures
2014-01-24 03:00 - 2014-01-24 03:00 - 00000000 ____D () C:\Windows\TempE2BDC03C-49DD-971B-54C5-E855716BDF0B-Signatures
2014-01-23 03:00 - 2014-01-23 03:00 - 00000000 ____D () C:\Windows\Temp35F87F96-1323-9060-4A97-926F5DBBADFB-Signatures
2014-01-22 03:00 - 2014-01-22 03:00 - 00000000 ____D () C:\Windows\Temp0FE6111B-BEAF-4009-70A4-21B91690317A-Signatures
2014-01-21 03:00 - 2014-01-21 03:00 - 00000000 ____D () C:\Windows\TempECD788E3-CBD7-7348-2C0B-6DD3158C91C7-Signatures
2014-01-20 03:00 - 2014-01-20 03:00 - 00000000 ____D () C:\Windows\Temp768B27FA-E813-2709-CBF9-9EBE780BDC18-Signatures
2014-01-19 03:00 - 2014-01-19 03:00 - 00000000 ____D () C:\Windows\Temp0D9A455A-EE92-7627-9BB7-35A6121FC38B-Signatures
2014-01-18 03:00 - 2014-01-18 03:00 - 00000000 ____D () C:\Windows\Temp0B9D3E4A-6145-99E2-D0D3-E8A3984D8B41-Signatures
2014-01-17 03:00 - 2014-01-17 03:00 - 00000000 ____D () C:\Windows\Temp0C50F1F7-B68B-22C3-A32F-B1B96DDE835F-Signatures
2014-01-16 03:04 - 2014-01-16 03:04 - 00000000 ____D () C:\Windows\Temp84026C6C-D471-E1F4-17B7-65B018F04DDE-Signatures
2014-01-15 03:03 - 2013-11-26 17:42 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-01-15 03:03 - 2013-11-26 17:42 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-01-15 03:03 - 2013-11-26 17:42 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-01-15 03:03 - 2013-11-26 17:42 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-01-15 03:03 - 2013-11-26 17:42 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-01-15 03:03 - 2013-11-26 17:42 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2014-01-15 03:03 - 2013-11-26 17:42 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-01-15 03:03 - 2013-11-26 03:40 - 00376768 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2014-01-15 03:03 - 2013-11-26 02:32 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-01-15 03:00 - 2014-01-15 03:00 - 00000000 ____D () C:\Windows\TempAE4D94DE-F3C5-B30E-E350-DE5DDBAE4F16-Signatures
2014-01-14 03:00 - 2014-01-14 03:00 - 00000000 ____D () C:\Windows\Temp0076A2A5-C0AD-DFFB-54E5-787DFD8F6D00-Signatures
2014-01-13 03:00 - 2014-01-13 03:00 - 00000000 ____D () C:\Windows\Temp00EFE9E5-8AA2-82D2-421D-2BD9A5B16077-Signatures
2014-01-12 03:00 - 2014-01-12 03:00 - 00000000 ____D () C:\Windows\Temp23A02816-22CA-3943-BB74-DD6120AAA8F0-Signatures
2014-01-11 03:00 - 2014-01-11 03:00 - 00000000 ____D () C:\Windows\TempAA9E9AE1-82C7-3EF8-16CF-DAC86903AEA8-Signatures
2014-01-10 03:00 - 2014-01-10 03:00 - 00000000 ____D () C:\Windows\Temp09D93223-C182-9ACD-AEC4-A8C0BCE0A532-Signatures
2014-01-09 03:00 - 2014-01-09 03:00 - 00000000 ____D () C:\Windows\TempA98E9CE6-B216-A8F0-AAF9-3B8A541F048C-Signatures
2014-01-08 03:00 - 2014-01-08 03:00 - 00000000 ____D () C:\Windows\Temp0639F541-2F16-FC87-9E8F-A743BC19D01B-Signatures
2014-01-07 03:00 - 2014-01-07 03:00 - 00000000 ____D () C:\Windows\TempC82881F3-54D5-5D40-A93A-1595513CD9C8-Signatures
2014-01-06 03:00 - 2014-01-06 03:00 - 00000000 ____D () C:\Windows\Temp13091F48-F3F8-2DA5-1AFA-5FD0C995C2F6-Signatures
2014-01-05 03:00 - 2014-01-05 03:00 - 00000000 ____D () C:\Windows\TempA4AACF7D-C159-B279-1F25-0D0BE9EDD0BD-Signatures
2014-01-04 03:00 - 2014-01-04 03:00 - 00000000 ____D () C:\Windows\Temp45E4045D-AEC5-3849-5A49-FB4A3226819E-Signatures
2014-01-03 03:00 - 2014-01-03 03:00 - 00000000 ____D () C:\Windows\TempB3FCD713-925C-40B7-0691-DB009A4F3ADB-Signatures
2014-01-02 03:00 - 2014-01-02 03:00 - 00000000 ____D () C:\Windows\TempE7AE1C20-29A8-661E-EA22-885EC21720B7-Signatures

==================== One Month Modified Files and Folders =======

2014-02-01 22:02 - 2014-02-01 22:01 - 00011944 _____ () C:\Users\sheila\Desktop\FRST.txt
2014-02-01 22:01 - 2014-02-01 22:01 - 00000000 ____D () C:\FRST
2014-02-01 21:48 - 2014-02-01 22:00 - 02080256 _____ (Farbar) C:\Users\sheila\Desktop\FRST64.exe
2014-02-01 21:31 - 2012-02-24 09:28 - 01904499 _____ () C:\Windows\WindowsUpdate.log
2014-02-01 21:14 - 2012-03-11 15:35 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-01 21:07 - 2013-02-07 20:43 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-01 21:06 - 2012-04-12 21:45 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2431324496-903031801-2049932644-1001UA.job
2014-02-01 14:47 - 2009-07-13 20:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-01 14:47 - 2009-07-13 20:45 - 00021296 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-01 14:40 - 2009-07-13 21:13 - 00778834 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-01 14:36 - 2012-03-11 15:35 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-01 14:36 - 2012-02-24 08:24 - 00000000 ____D () C:\Users\Default\AppData\Local\SoftThinks
2014-02-01 14:36 - 2012-02-24 08:24 - 00000000 ____D () C:\Users\Default User\AppData\Local\SoftThinks
2014-02-01 14:36 - 2012-02-24 07:54 - 00000000 ____D () C:\Program Files (x86)\Dell DataSafe Local Backup
2014-02-01 14:35 - 2010-11-20 19:47 - 00105878 _____ () C:\Windows\PFRO.log
2014-02-01 14:35 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-01 14:35 - 2009-07-13 20:51 - 00034434 _____ () C:\Windows\setupact.log
2014-02-01 14:25 - 2014-02-01 14:25 - 00000000 ____D () C:\Program Files\DIFX
2014-02-01 14:25 - 2014-02-01 14:25 - 00000000 ____D () C:\Program Files (x86)\Citrix
2014-02-01 14:01 - 2013-05-21 16:03 - 00003440 _____ () C:\Windows\System32\Tasks\PCDEventLauncherTask
2014-02-01 03:06 - 2012-04-12 21:45 - 00000860 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2431324496-903031801-2049932644-1001Core.job
2014-02-01 03:00 - 2014-02-01 03:00 - 00000000 ____D () C:\Windows\Temp5D780EBB-E66A-A9C2-43DE-0AA6DFE35A4C-Signatures
2014-02-01 03:00 - 2012-03-11 15:41 - 00002148 _____ () C:\Windows\epplauncher.mif
2014-01-31 03:00 - 2014-01-31 03:00 - 00000000 ____D () C:\Windows\Temp30B113B4-72F0-3A23-2446-4DE8EEEAD3B1-Signatures
2014-01-31 03:00 - 2012-05-01 02:00 - 00000000 ____D () C:\Program Files (x86)\Microsoft Security Client
2014-01-31 03:00 - 2012-03-11 15:40 - 00000000 ____D () C:\Program Files\Microsoft Security Client
2014-01-30 03:00 - 2014-01-30 03:00 - 00000000 ____D () C:\Windows\Temp04D9281F-AACA-8BE5-BCCD-5FBC772EBE98-Signatures
2014-01-29 03:00 - 2014-01-29 03:00 - 00000000 ____D () C:\Windows\Temp9CA713F8-F34F-00CB-9B50-657CDC9FE5CD-Signatures
2014-01-28 03:00 - 2014-01-28 03:00 - 00000000 ____D () C:\Windows\Temp3CD44A89-AE88-3356-874D-D42E43C84F08-Signatures
2014-01-27 03:00 - 2014-01-27 03:00 - 00000000 ____D () C:\Windows\TempA0EBCAF5-91AA-EF91-A65E-B15B10E2EDB0-Signatures
2014-01-26 03:00 - 2014-01-26 03:00 - 00000000 ____D () C:\Windows\Temp96A20CA6-BF7C-7555-0EC9-F87A8E3E628E-Signatures
2014-01-25 03:00 - 2014-01-25 03:00 - 00000000 ____D () C:\Windows\TempE6412A92-0BDA-E213-8AA4-8667834DC848-Signatures
2014-01-24 03:00 - 2014-01-24 03:00 - 00000000 ____D () C:\Windows\TempE2BDC03C-49DD-971B-54C5-E855716BDF0B-Signatures
2014-01-23 03:00 - 2014-01-23 03:00 - 00000000 ____D () C:\Windows\Temp35F87F96-1323-9060-4A97-926F5DBBADFB-Signatures
2014-01-22 03:00 - 2014-01-22 03:00 - 00000000 ____D () C:\Windows\Temp0FE6111B-BEAF-4009-70A4-21B91690317A-Signatures
2014-01-21 03:00 - 2014-01-21 03:00 - 00000000 ____D () C:\Windows\TempECD788E3-CBD7-7348-2C0B-6DD3158C91C7-Signatures
2014-01-20 03:00 - 2014-01-20 03:00 - 00000000 ____D () C:\Windows\Temp768B27FA-E813-2709-CBF9-9EBE780BDC18-Signatures
2014-01-19 03:00 - 2014-01-19 03:00 - 00000000 ____D () C:\Windows\Temp0D9A455A-EE92-7627-9BB7-35A6121FC38B-Signatures
2014-01-18 03:00 - 2014-01-18 03:00 - 00000000 ____D () C:\Windows\Temp0B9D3E4A-6145-99E2-D0D3-E8A3984D8B41-Signatures
2014-01-17 03:00 - 2014-01-17 03:00 - 00000000 ____D () C:\Windows\Temp0C50F1F7-B68B-22C3-A32F-B1B96DDE835F-Signatures
2014-01-16 03:20 - 2009-07-13 20:45 - 00322536 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-01-16 03:04 - 2014-01-16 03:04 - 00000000 ____D () C:\Windows\Temp84026C6C-D471-E1F4-17B7-65B018F04DDE-Signatures
2014-01-16 03:03 - 2013-08-15 02:01 - 00000000 ____D () C:\Windows\system32\MRT
2014-01-16 03:01 - 2012-03-12 02:02 - 86054176 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-01-15 03:00 - 2014-01-15 03:00 - 00000000 ____D () C:\Windows\TempAE4D94DE-F3C5-B30E-E350-DE5DDBAE4F16-Signatures
2014-01-14 03:00 - 2014-01-14 03:00 - 00000000 ____D () C:\Windows\Temp0076A2A5-C0AD-DFFB-54E5-787DFD8F6D00-Signatures
2014-01-13 03:00 - 2014-01-13 03:00 - 00000000 ____D () C:\Windows\Temp00EFE9E5-8AA2-82D2-421D-2BD9A5B16077-Signatures
2014-01-12 03:00 - 2014-01-12 03:00 - 00000000 ____D () C:\Windows\Temp23A02816-22CA-3943-BB74-DD6120AAA8F0-Signatures
2014-01-11 03:00 - 2014-01-11 03:00 - 00000000 ____D () C:\Windows\TempAA9E9AE1-82C7-3EF8-16CF-DAC86903AEA8-Signatures
2014-01-10 03:00 - 2014-01-10 03:00 - 00000000 ____D () C:\Windows\Temp09D93223-C182-9ACD-AEC4-A8C0BCE0A532-Signatures
2014-01-09 03:00 - 2014-01-09 03:00 - 00000000 ____D () C:\Windows\TempA98E9CE6-B216-A8F0-AAF9-3B8A541F048C-Signatures
2014-01-08 03:00 - 2014-01-08 03:00 - 00000000 ____D () C:\Windows\Temp0639F541-2F16-FC87-9E8F-A743BC19D01B-Signatures
2014-01-07 03:00 - 2014-01-07 03:00 - 00000000 ____D () C:\Windows\TempC82881F3-54D5-5D40-A93A-1595513CD9C8-Signatures
2014-01-06 03:00 - 2014-01-06 03:00 - 00000000 ____D () C:\Windows\Temp13091F48-F3F8-2DA5-1AFA-5FD0C995C2F6-Signatures
2014-01-05 03:00 - 2014-01-05 03:00 - 00000000 ____D () C:\Windows\TempA4AACF7D-C159-B279-1F25-0D0BE9EDD0BD-Signatures
2014-01-04 03:00 - 2014-01-04 03:00 - 00000000 ____D () C:\Windows\Temp45E4045D-AEC5-3849-5A49-FB4A3226819E-Signatures
2014-01-03 03:00 - 2014-01-03 03:00 - 00000000 ____D () C:\Windows\TempB3FCD713-925C-40B7-0691-DB009A4F3ADB-Signatures
2014-01-02 03:00 - 2014-01-02 03:00 - 00000000 ____D () C:\Windows\TempE7AE1C20-29A8-661E-EA22-885EC21720B7-Signatures

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2431324496-903031801-2049932644-1001\$4757f2ac96a0dd32ef7fcd5208976805

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$4757f2ac96a0dd32ef7fcd5208976805

Some content of TEMP:
====================
C:\Users\George\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe
C:\Users\George\AppData\Local\Temp\MSN28F8.exe
C:\Users\sheila\AppData\Local\Temp\10ac3bd0-6bd2-4a02-8dc8-abdd80bfe7a4.exe
C:\Users\sheila\AppData\Local\Temp\bitool.dll
C:\Users\sheila\AppData\Local\Temp\jre-7u3-windows-i586-iftw.exe
C:\Users\sheila\AppData\Local\Temp\nsf4B42.exe
C:\Users\sheila\AppData\Local\Temp\nsn68C4.exe
C:\Users\sheila\AppData\Local\Temp\nsp647D.exe
C:\Users\sheila\AppData\Local\Temp\SecondStepInstaller.exe
C:\Users\sheila\AppData\Local\Temp\SPStub.exe
C:\Users\sheila\AppData\Local\Temp\tbWhi0.dll
C:\Users\sheila\AppData\Local\Temp\ToolbarHelper.exe
C:\Users\sheila\AppData\Local\Temp\UpdUninstall.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

LastRegBack: 2014-01-29 03:03

==================== End Of Log ============================

 

 

Addition.txt:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 01-02-2014 04
Ran by sheila at 2014-02-01 22:02:31
Running from C:\Users\sheila\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

Ad-Aware Security Add-on (x32 Version: 2.5.0.6 - Lavasoft)
Adobe AIR (x32 Version: 2.6.0.19120 - Adobe Systems Incorporated)
Adobe AIR (x32 Version: 2.6.0.19120 - Adobe Systems Incorporated) Hidden
Adobe Community Help (x32 Version: 3.2.1 - Adobe Systems Incorporated) Hidden
Adobe Community Help (x32 Version: 3.2.1.650 - Adobe Systems Incorporated)
Adobe Flash Player 11 ActiveX (x32 Version: 11.9.900.170 - Adobe Systems Incorporated)
Adobe Photoshop Elements 9 (x32 Version: 9.0 - Adobe Systems Incorporated)
Adobe Photoshop Elements 9 (x32 Version: 9.0 - Adobe Systems Incorporated) Hidden
Adobe Premiere Elements 9 (x32 Version: 9.0 - Adobe Systems Incorporated)
Adobe Premiere Elements 9 (x32 Version: 9.0 - Adobe Systems Incorporated) Hidden
Adobe Reader X (10.1.4) MUI (x32 Version: 10.1.4 - Adobe Systems Incorporated)
Apple Application Support (x32 Version: 2.1.9 - Apple Inc.)
Apple Mobile Device Support (Version: 5.2.0.6 - Apple Inc.)
Apple Software Update (x32 Version: 2.1.3.127 - Apple Inc.)
Bejeweled 2 Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blio (x32 Version: 2.3.7140 - K-NFB Reading Technology, Inc.)
Bonjour (Version: 3.0.0.10 - Apple Inc.)
Bonnie's Bookstore (x32 Version:  - Oberon Media)
Bounce Symphony (x32 Version: 2.2.0.95 - WildTangent) Hidden
Build-a-lot 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Cake Mania (x32 Version: 2.2.0.95 - WildTangent) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Conexant HD Audio (Version: 8.50.4.0 - Conexant)
Consumer In-Home Service Agreement (x32 Version: 2.0.0 - Dell Inc.)
Cozi (x32 Version: 1.0.6505.38692 - Cozi Group, Inc.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dell DataSafe Local Backup - Support Software (x32 Version: 9.4.61 - Dell Inc.)
Dell DataSafe Local Backup (x32 Version: 9.4.61 - Dell Inc.)
Dell DataSafe Online (x32 Version: 2.1.19634 - Dell)
Dell Edoc Viewer (Version: 1.0.0 - Dell Inc)
Dell Getting Started Guide (x32 Version: 1.00.0000 - Dell Inc.)
Dell MusicStage (x32 Version: 1.5.201.0 - Fingertapps)
Dell PhotoStage (x32 Version: 1.5.0.65 - ArcSoft)
Dell Stage (x32 Version: 1.7.209.0 - Fingertapps)
Dell Stage Remote (x32 Version: 2.0.0.43 - ArcSoft)
Dell VideoStage  (x32 Version: 1.2.0.1712 - CyberLink Corp.)
Dell VideoStage  (x32 Version: 1.2.0.1712 - CyberLink Corp.) Hidden
Diner Dash 2 Restaurant Rescue (x32 Version: 2.2.0.95 - WildTangent) Hidden
DirectX 9 Runtime (x32 Version: 1.00.0000 - Sonic Solutions) Hidden
Dora's World Adventure (x32 Version: 2.2.0.95 - WildTangent) Hidden
eBay (x32 Version: 1.4.0 - eBay Inc.)
Elements 9 Organizer (x32 Version: 9.0 - Adobe Systems Incorporated) Hidden
Elements STI Installer (x32 Version: 1.0 - Adobe Systems Incorporated) Hidden
Escape Whisper Valley ™ (x32 Version: 2.2.0.95 - WildTangent) Hidden
Farm Frenzy (x32 Version: 2.2.0.95 - WildTangent) Hidden
FATE (x32 Version: 2.2.0.95 - WildTangent) Hidden
Final Drive Fury (x32 Version: 2.2.0.95 - WildTangent) Hidden
Final Drive Nitro (x32 Version: 2.2.0.95 - WildTangent) Hidden
Google Chrome Frame (HKCU Version: 32.0.1700.102 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Toolbar for Internet Explorer (x32 Version: 7.5.4805.320 - Google Inc.)
Google Update Helper (x32 Version: 1.3.22.3 - Google Inc.) Hidden
GoToMyPC (x32 Version: 8.0.943 - Citrix Online)
Intel® Processor Graphics (x32 Version: 8.15.10.2291 - Intel Corporation)
iTunes (Version: 10.6.3.25 - Apple Inc.)
Java Auto Updater (x32 Version: 2.1.6.0 - Sun Microsystems, Inc.) Hidden
Java™ 7 Update 1 (64-bit) (Version: 7.0.10 - Oracle)
Java™ 7 Update 3 (x32 Version: 7.0.30 - Oracle)
JavaFX 2.0.3 (x32 Version: 2.0.3 - Oracle Corporation)
Jewel Quest (x32 Version: 2.2.0.95 - WildTangent) Hidden
Jewel Quest Solitaire 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Lexmark 7100 Series (Version:  - Lexmark International, Inc.)
Luxor (x32 Version: 2.2.0.95 - WildTangent) Hidden
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Office 2010 (x32 Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Security Client (Version: 4.2.0223.1 - Microsoft Corporation) Hidden
Microsoft Security Essentials (Version: 4.2.223.1 - Microsoft Corporation)
Microsoft Silverlight (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (x32 Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (x32 Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (x32 Version: 10.0.30319 - Microsoft Corporation)
Microsoft_VC80_CRT_x86 (x32 Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC80_MFC_x86 (x32 Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC80_MFCLOC_x86 (x32 Version: 8.0.50727.4053 - Adobe) Hidden
Microsoft_VC90_CRT_x86 (x32 Version: 1.00.0000 - Adobe) Hidden
MSVCRT (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSVCRT_amd64 (x32 Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (x32 Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (x32 Version: 4.20.9876.0 - Microsoft Corporation)
My Dell (Version: 3.4.6422.14 - PC-Doctor, Inc.)
Namco All-Stars PAC-MAN (x32 Version: 2.2.0.95 - WildTangent) Hidden
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
PhotoShowExpress (x32 Version: 2.0.063 - Sonic Solutions) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime x86 (x32 Version: 1.3.0 - Microsoft Corporation)
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
RBVirtualFolder64Inst (Version: 1.00.0000 - Roxio, Inc.) Hidden
Roxio Activation Module (x32 Version: 1.0 - Roxio) Hidden
Roxio BackOnTrack (x32 Version: 1.3.3 - Roxio) Hidden
Roxio Burn (x32 Version: 1.8 - Roxio) Hidden
Roxio Creator Starter (x32 Version: 1.0.439 - Roxio) Hidden
Roxio Creator Starter (x32 Version: 12.1.77.0 - Roxio)
Roxio Creator Starter (x32 Version: 5.0.0 - Roxio) Hidden
Roxio Express Labeler 3 (x32 Version: 3.2.2 - Roxio) Hidden
Roxio File Backup (Version: 1.3.2 - Roxio) Hidden
Samantha Swift (x32 Version: 2.2.0.95 - WildTangent) Hidden
Skype™ 5.10 (x32 Version: 5.10.116 - Skype Technologies S.A.)
SmartSound Quicktracks for Premiere Elements 9.0 (x32 Version: 3.12.3090 - SmartSound Software Inc)
SmartSound Quicktracks for Premiere Elements 9.0 (x32 Version: 3.12.3090 - SmartSound Software Inc) Hidden
Sonic CinePlayer Decoder Pack (x32 Version: 4.3.0 - Sonic Solutions) Hidden
TrustedID (x32 Version: 5.0 - TrustedID)
TrustedID IDMonitor Identity Protection (x32 Version: 1.1.0 - TrustedID Inc)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3) (x32 Version: 3 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2836939) (x32 Version: 1 - Microsoft Corporation)
Update for Microsoft .NET Framework 4 Extended (KB2836939v3) (x32 Version: 3 - Microsoft Corporation)
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Virtual Villagers 4 - The Tree of Life (x32 Version: 2.2.0.95 - WildTangent) Hidden
Wedding Dash - Ready, Aim, Love! (x32 Version: 2.2.0.95 - WildTangent) Hidden
WildTangent Games (x32 Version: 1.0.2.5 - WildTangent)
WildTangent Games App (Dell Games) (x32 Version: 4.0.11.2 - WildTangent) Hidden
Windows Driver Package - Citrix Systems monblanking Citrix Driver  (06/27/2012 6.3.0.48) (Version: 06/27/2012 6.3.0.48 - Citrix Systems)
Windows Live Communications Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Essentials (x32 Version: 15.4.3508.1109 - Microsoft Corporation)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0 - Microsoft Corporation) Hidden
Windows Live Installer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Language Selector (Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Mesh ActiveX Control for Remote Connections (x32 Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Messenger (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live MIME IFilter (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Common (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live PIMT Platform (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Remote Client (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Client Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live Remote Service Resources (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Windows Live SOXE (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live SOXE Definitions (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live UX Platform Language Pack (x32 Version: 15.4.3508.1109 - Microsoft Corporation) Hidden
Windows Live Writer (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Windows Live Writer Resources (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Zinio Reader 4 (x32 Version: 4.2.4164 - Zinio LLC)
Zinio Reader 4 (x32 Version: 4.2.4164 - Zinio LLC) Hidden
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden

==================== Restore Points  =========================

15-01-2014 11:00:19 Windows Update
16-01-2014 11:00:51 Windows Update
17-01-2014 11:00:19 Windows Update
18-01-2014 11:00:19 Windows Update
19-01-2014 11:00:19 Windows Update
20-01-2014 11:00:19 Windows Update
21-01-2014 11:00:19 Windows Update
22-01-2014 11:00:19 Windows Update
23-01-2014 11:00:19 Windows Update
24-01-2014 11:00:19 Windows Update
25-01-2014 11:00:19 Windows Update
26-01-2014 11:00:19 Windows Update
27-01-2014 11:00:19 Windows Update
28-01-2014 11:00:19 Windows Update
29-01-2014 11:00:19 Windows Update
30-01-2014 11:00:19 Windows Update
31-01-2014 11:00:19 Windows Update
01-02-2014 11:00:19 Windows Update
01-02-2014 22:24:52 Installed GoToMyPC

==================== Hosts content: ==========================

2009-07-13 18:34 - 2009-06-10 13:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

Task: {0527DFE8-71F3-406E-BF2A-1896512B72A2} - System32\Tasks\Ad-Aware Antivirus Scheduled Scan => C:\PROGRA~2\AD-AWA~1\AdAwareLauncher.exe
Task: {17761988-ADEB-4249-99F9-D0A645A2F0D6} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe [2013-01-27] ()
Task: {2DEDFAA0-FAEF-4519-8B2C-6D8A78500EA9} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\My Dell\sessionchecker.exe [2013-12-06] (PC-Doctor, Inc.)
Task: {423066FE-3F94-4CC9-9F24-0664B6254AFF} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2431324496-903031801-2049932644-1001UA => C:\Users\sheila\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-20] (Google Inc.)
Task: {51DFE04C-94DC-4003-BE01-7C2AC3A03C09} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2013-12-11] (Adobe Systems Incorporated)
Task: {65A1E8B7-C466-4FEC-BF4C-1F74EB349F82} - System32\Tasks\SystemToolsDailyTest => uaclauncher.exe
Task: {7A9E1E7F-9C01-4305-B126-C558AAB612DB} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {81CD5F4D-C2E5-4496-8B10-456D18D8702B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-03-11] (Google Inc.)
Task: {90C417A5-8DA6-4918-A991-21B1BF66C2FC} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2012-03-11] (Google Inc.)
Task: {D8113DF2-FFBA-4266-B8A7-BD88ACB4783F} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2431324496-903031801-2049932644-1001Core => C:\Users\sheila\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-20] (Google Inc.)
Task: {E9028AB5-1470-4778-80F3-154B4C1CA7A2} - System32\Tasks\PCDoctorBackgroundMonitorTask => C:\Program Files\My Dell\uaclauncher.exe [2013-09-05] (PC-Doctor, Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2431324496-903031801-2049932644-1001Core.job => C:\Users\sheila\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2431324496-903031801-2049932644-1001UA.job => C:\Users\sheila\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2012-02-24 09:04 - 2011-01-27 07:11 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2012-05-30 19:06 - 2012-05-30 19:06 - 00087912 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2012-05-30 19:06 - 2012-05-30 19:06 - 01242512 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2010-03-16 18:28 - 2010-03-16 18:28 - 01926144 _____ () C:\Program Files (x86)\Dell\Stage Remote\QtCore4.dll
2010-03-22 13:52 - 2010-03-22 13:52 - 06776832 _____ () C:\Program Files (x86)\Dell\Stage Remote\QtGui4.dll
2010-03-16 18:28 - 2010-03-16 18:28 - 00635904 _____ () C:\Program Files (x86)\Dell\Stage Remote\QtNetwork4.dll
2010-03-16 18:28 - 2010-03-16 18:28 - 00326144 _____ () C:\Program Files (x86)\Dell\Stage Remote\QtXml4.dll
2011-06-24 21:20 - 2011-06-24 21:20 - 00565968 _____ () C:\Program Files (x86)\Dell\Stage Remote\sqlite3.dll
2011-06-27 17:25 - 2011-06-27 17:25 - 00058944 _____ () C:\Program Files (x86)\Dell\Stage Remote\DataService.dll
2011-06-24 21:21 - 2011-06-24 21:21 - 00322624 _____ () C:\Program Files (x86)\Dell\Stage Remote\en-US\UI\ManagerUI.dll
2010-03-11 17:52 - 2010-03-11 17:52 - 00028160 _____ () C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qgif4.dll
2010-03-05 13:07 - 2010-03-05 13:07 - 00031744 _____ () C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qico4.dll
2010-03-05 13:07 - 2010-03-05 13:07 - 00125952 _____ () C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qjpeg4.dll
2010-03-11 17:52 - 2010-03-11 17:52 - 00225280 _____ () C:\Program Files (x86)\Dell\Stage Remote\plugins\imageformats\qmng4.dll
2012-03-11 18:19 - 2005-06-14 16:08 - 00196608 _____ () C:\Program Files (x86)\Lexmark 7100 Series\iptk.dll
2010-11-24 20:44 - 2010-11-24 20:44 - 00375280 _____ () c:\program files (x86)\common files\roxio shared\dllshared\SQLite352.dll
2012-02-01 11:44 - 2012-02-01 11:44 - 08151040 _____ () C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\QtGui4.dll
2012-02-01 11:44 - 2012-02-01 11:44 - 02278400 _____ () C:\Program Files (x86)\Dell Stage\Dell Stage\AccuWeather\QtCore4.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\Temp:0ECF32C6

==================== Safe Mode (whitelisted) ===================

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (02/01/2014 02:35:57 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/01/2014 02:26:58 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/01/2014 03:00:38 AM) (Source: Microsoft Security Client Setup) (User: NT AUTHORITY)
Description: HRESULT:0x80070643
Description:Cannot complete the Security Essentials Upgrade. An error has prevented the Security Essentials Upgrade Wizard from continuing. The previous version of Security Essentials was restored. Error code:0x80070643. Fatal error during installation.

Error: (02/01/2014 03:00:38 AM) (Source: MsiInstaller) (User: NT AUTHORITY)
Description: Product: Microsoft Security Client -- Error 1321. The Installer has insufficient privileges to modify this file: c:\Program Files\Microsoft Security Client\MsMpEng.exe.

Error: (01/31/2014 10:18:32 PM) (Source: Application Error) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.16428, time stamp: 0x525b664c
Faulting module name: Flash32_11_9_900_170.ocx, version: 11.9.900.170, time stamp: 0x529b7962
Exception code: 0xc0000005
Fault offset: 0x0008f6ea
Faulting process id: 0x3630
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3

Error: (01/31/2014 03:00:38 AM) (Source: Microsoft Security Client Setup) (User: NT AUTHORITY)
Description: HRESULT:0x80070643
Description:Cannot complete the Security Essentials Upgrade. An error has prevented the Security Essentials Upgrade Wizard from continuing. The previous version of Security Essentials was restored. Error code:0x80070643. Fatal error during installation.

Error: (01/31/2014 03:00:38 AM) (Source: MsiInstaller) (User: NT AUTHORITY)
Description: Product: Microsoft Security Client -- Error 1321. The Installer has insufficient privileges to modify this file: c:\Program Files\Microsoft Security Client\MsMpEng.exe.

Error: (01/30/2014 00:24:54 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5226

Error: (01/30/2014 00:24:54 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5226

Error: (01/30/2014 00:24:54 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

System errors:
=============
Error: (02/01/2014 02:36:35 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.

Error: (02/01/2014 02:35:49 PM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:
%%5

Error: (02/01/2014 02:27:36 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the SftService service.

Error: (02/01/2014 02:26:48 PM) (Source: Service Control Manager) (User: )
Description: The Microsoft Antimalware Service service failed to start due to the following error:
%%5

Error: (02/01/2014 03:01:21 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Security Essentials - 4.4.304.0 (KB2902885).

Error: (01/31/2014 03:01:14 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Security Essentials - 4.4.304.0 (KB2902885).

Error: (01/30/2014 03:01:19 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Security Essentials - 4.4.304.0 (KB2902885).

Error: (01/29/2014 03:01:28 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Security Essentials - 4.4.304.0 (KB2902885).

Error: (01/28/2014 03:01:17 AM) (Source: Microsoft-Windows-WindowsUpdateClient) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Update for Microsoft Security Essentials - 4.4.304.0 (KB2902885).

Error: (01/27/2014 01:00:19 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 107.

Microsoft Office Sessions:
=========================
Error: (02/01/2014 02:35:57 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/01/2014 02:26:58 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/01/2014 03:00:38 AM) (Source: Microsoft Security Client Setup)(User: NT AUTHORITY)
Description: HRESULT:0x80070643
Description:Cannot complete the Security Essentials Upgrade. An error has prevented the Security Essentials Upgrade Wizard from continuing. The previous version of Security Essentials was restored. Error code:0x80070643. Fatal error during installation.

Error: (02/01/2014 03:00:38 AM) (Source: MsiInstaller)(User: NT AUTHORITY)
Description: Product: Microsoft Security Client -- Error 1321. The Installer has insufficient privileges to modify this file: c:\Program Files\Microsoft Security Client\MsMpEng.exe.(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (01/31/2014 10:18:32 PM) (Source: Application Error)(User: )
Description: IEXPLORE.EXE11.0.9600.16428525b664cFlash32_11_9_900_170.ocx11.9.900.170529b7962c00000050008f6ea363001cf1f12b4bbadccC:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Windows\SysWOW64\Macromed\Flash\Flash32_11_9_900_170.ocxac09e862-8b08-11e3-9e17-d4bed9bea717

Error: (01/31/2014 03:00:38 AM) (Source: Microsoft Security Client Setup)(User: NT AUTHORITY)
Description: HRESULT:0x80070643
Description:Cannot complete the Security Essentials Upgrade. An error has prevented the Security Essentials Upgrade Wizard from continuing. The previous version of Security Essentials was restored. Error code:0x80070643. Fatal error during installation.

Error: (01/31/2014 03:00:38 AM) (Source: MsiInstaller)(User: NT AUTHORITY)
Description: Product: Microsoft Security Client -- Error 1321. The Installer has insufficient privileges to modify this file: c:\Program Files\Microsoft Security Client\MsMpEng.exe.(NULL)(NULL)(NULL)(NULL)(NULL)

Error: (01/30/2014 00:24:54 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5226

Error: (01/30/2014 00:24:54 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5226

Error: (01/30/2014 00:24:54 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second

==================== Memory info ===========================

Percentage of memory in use: 41%
Total physical RAM: 4008.64 MB
Available physical RAM: 2348.44 MB
Total Pagefile: 8015.47 MB
Available Pagefile: 6230.05 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:444.91 GB) (Free:381.46 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 80A33920)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=21 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=445 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:18 AM

Posted 03 February 2014 - 06:18 AM

Hi,

Please go to add/remove in the control panel and remove Ad-Aware Security Add-on. Check the link below for more information:

http://www.systemlookup.com/CLSID/73381-lavaguardDx_dll_adawareDx_dll.html

Also go ahead and reinstall Google Chrome because of this reported in the FRST log:

Error reading preferences. Please check "preferences" file for possible corruption. <======= ATTENTION

Next please download the following file => [attachment=146681:fixlist.txt] and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi




#11 art_vandelay

art_vandelay
  • Topic Starter

  • Members
  • 139 posts
  • Local time:05:18 PM

Posted 03 February 2014 - 11:30 AM

fixlog.txt: (Thank you)

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2014 04
Ran by sheila at 2014-02-03 08:27:51 Run:1
Running from C:\Users\sheila\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM\...\Run: [MSC] - "c:\Program Files\Microsoft Security Client\mssecex.exe" -hide -runkey <===== ATTENTION (File name is altered)
HKLM-x32\...\Run: [] - [x]
HKLM-x32\...\Run: [Ad-Aware Browsing Protection] - C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe [542632 2013-01-31] (Lavasoft)
C:\ProgramData\Ad-Aware Browsing Protection
HKLM-x32\...\Run: [SearchProtection] - C:\ProgramData\Search Protection\_run.bat [142 2013-05-17] ()
C:\ProgramData\Search Protection
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox]  ATTENTION! ====> ZeroAccess?
HKU\.DEFAULT\...\Run: [SearchProtect] - \SearchProtect\bin\cltmng.exe
BHO-x32: Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll ()
C:\Program Files (x86)\adawaretb
Toolbar: HKLM-x32 - Ad-Aware Security Add-on - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll ()
CHR HKLM-x32\...\Chrome\Extension: [lfffjahnfbocnaooecgijfnbpcfekoik] - C:\ProgramData\adawaretb\shortcuts\chrome\adawaretb.crx [2013-02-04]
S1 xfrlmvfj; \??\C:\Windows\system32\drivers\xfrlmvfj.sys [x]
C:\Windows\system32\drivers\xfrlmvfj.sys
C:\$Recycle.Bin\S-1-5-21-2431324496-903031801-2049932644-1001\$4757f2ac96a0dd32ef7fcd5208976805
C:\$Recycle.Bin\S-1-5-18\$4757f2ac96a0dd32ef7fcd5208976805
cmd: Dir /s /a:l C:\*
Task: {0527DFE8-71F3-406E-BF2A-1896512B72A2} - System32\Tasks\Ad-Aware Antivirus Scheduled Scan => C:\PROGRA~2\AD-AWA~1\AdAwareLauncher.exe
C:\PROGRA~2\AD-AWA~1
AlternateDataStreams: C:\ProgramData\Temp:0ECF32C6
C:\Users\George\AppData\Local\Temp
end
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MSC => Value was restored successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Ad-Aware Browsing Protection => Value not found.
"C:\ProgramData\Ad-Aware Browsing Protection" => File/Directory not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SearchProtection => Value deleted successfully.
C:\ProgramData\Search Protection => Moved successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\SearchProtect => Value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c} => Key not found.
HKCR\Wow6432Node\CLSID\{6c97a91e-4524-4019-86af-2aa2d567bf5c} => Key not found.
"C:\Program Files (x86)\adawaretb" => File/Directory not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{6c97a91e-4524-4019-86af-2aa2d567bf5c} => Value not found.
HKCR\Wow6432Node\CLSID\{6c97a91e-4524-4019-86af-2aa2d567bf5c} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\lfffjahnfbocnaooecgijfnbpcfekoik => Key deleted successfully.
"C:\ProgramData\adawaretb\shortcuts\chrome\adawaretb.crx" => File/Directory not found.
xfrlmvfj => Service deleted successfully.
"C:\Windows\system32\drivers\xfrlmvfj.sys" => File/Directory not found.
C:\$Recycle.Bin\S-1-5-21-2431324496-903031801-2049932644-1001\$4757f2ac96a0dd32ef7fcd5208976805 => Moved successfully.
C:\$Recycle.Bin\S-1-5-18\$4757f2ac96a0dd32ef7fcd5208976805 => Moved successfully.

=========  Dir /s /a:l C:\* =========

 Volume in drive C is OS
 Volume Serial Number is D23B-94C3

 Directory of C:\

07/13/2009  09:08 PM    <JUNCTION>     Documents and Settings [C:\Users]
               0 File(s)              0 bytes

 Directory of C:\Program Files\Microsoft Security Client

05/01/2012  02:01 AM    <SYMLINKD>     Backup [c:\windows\system32\config]
05/23/2012  09:25 AM    <SYMLINK>      DbgHelp.dll [c:\windows\system32\config]
10/02/2012  02:00 AM    <SYMLINKD>     Drivers [c:\windows\system32\config]
02/15/2013  03:01 AM    <SYMLINKD>     en-us [c:\windows\system32\config]
01/27/2013  02:37 PM    <SYMLINK>      EppManifest.dll [c:\windows\system32\config]
01/27/2013  01:43 PM    <SYMLINK>      MpAsDesc.dll [c:\windows\system32\config]
01/27/2013  11:36 AM    <SYMLINK>      MpClient.dll [c:\windows\system32\config]
01/27/2013  11:34 AM    <SYMLINK>      MpCmdRun.exe [c:\windows\system32\config]
01/27/2013  11:36 AM    <SYMLINK>      MpCommu.dll [c:\windows\system32\config]
01/27/2013  01:36 PM    <SYMLINK>      mpevmsg.dll [c:\windows\system32\config]
01/27/2013  11:36 AM    <SYMLINK>      MpOAv.dll [c:\windows\system32\config]
01/27/2013  11:36 AM    <SYMLINK>      MpRTP.dll [c:\windows\system32\config]
01/27/2013  11:36 AM    <SYMLINK>      MpSvc.dll [c:\windows\system32\config]
03/26/2012  05:54 PM    <SYMLINK>      MSESysprep.dll [c:\windows\system32\config]
01/27/2013  11:36 AM    <SYMLINK>      MsMpCom.dll [c:\windows\system32\config]
01/27/2013  11:34 AM    <SYMLINK>      MsMpEng.exe [c:\windows\system32\config]
01/27/2013  11:36 AM    <SYMLINK>      MsMpLics.dll [c:\windows\system32\config]
01/27/2013  11:35 AM    <SYMLINK>      MsMpRes.dll [c:\windows\system32\config]
01/27/2013  11:34 AM    <SYMLINK>      msseces.exe [c:\windows\system32\config]
03/26/2012  05:54 PM    <SYMLINK>      msseoobe.exe [c:\windows\system32\config]
03/26/2012  05:54 PM    <SYMLINK>      msseooberes.dll [c:\windows\system32\config]
01/27/2013  11:34 AM    <SYMLINK>      MsseWat.dll [c:\windows\system32\config]
01/27/2013  11:36 AM    <SYMLINK>      NisIpsPlugin.dll [c:\windows\system32\config]
01/27/2013  11:36 AM    <SYMLINK>      NisLog.dll [c:\windows\system32\config]
01/27/2013  11:34 AM    <SYMLINK>      NisSrv.exe [c:\windows\system32\config]
01/27/2013  11:36 AM    <SYMLINK>      NisWFP.dll [c:\windows\system32\config]
01/27/2013  11:34 AM    <SYMLINK>      Setup.exe [c:\windows\system32\config]
01/27/2013  11:35 AM    <SYMLINK>      SetupRes.dll [c:\windows\system32\config]
01/27/2013  11:35 AM    <SYMLINK>      shellext.dll [c:\windows\system32\config]
05/19/2011  04:26 PM    <SYMLINK>      sqmapi.dll [c:\windows\system32\config]
05/23/2012  09:25 AM    <SYMLINK>      SymSrv.dll [c:\windows\system32\config]
04/06/2012  08:59 AM    <SYMLINK>      SymSrv.yes [c:\windows\system32\config]
              29 File(s)     10,693,689 bytes

 Directory of C:\Program Files\Windows Defender.old

11/20/2010  11:06 PM    <SYMLINKD>     en-US [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MpAsDesc.dll [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MpClient.dll [c:\windows\system32\config]
07/13/2009  05:39 PM    <SYMLINK>      MpCmdRun.exe [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MpCommu.dll [c:\windows\system32\config]
07/13/2009  05:29 PM    <SYMLINK>      MpEvMsg.dll [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MpOAV.dll [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MpRTP.dll [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MpSvc.dll [c:\windows\system32\config]
07/13/2009  05:39 PM    <SYMLINK>      MSASCui.exe [c:\windows\system32\config]
11/20/2010  07:24 PM    <SYMLINK>      MsMpCom.dll [c:\windows\system32\config]
07/13/2009  05:29 PM    <SYMLINK>      MsMpLics.dll [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MsMpRes.dll [c:\windows\system32\config]
              12 File(s)      3,919,360 bytes

 Directory of C:\ProgramData

07/13/2009  09:08 PM    <JUNCTION>     Application Data [C:\ProgramData]
07/13/2009  09:08 PM    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
07/13/2009  09:08 PM    <JUNCTION>     Documents [C:\Users\Public\Documents]
07/13/2009  09:08 PM    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
07/13/2009  09:08 PM    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
07/13/2009  09:08 PM    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
               0 File(s)              0 bytes

 Directory of C:\Users

07/13/2009  09:08 PM    <SYMLINKD>     All Users [C:\ProgramData]
07/13/2009  09:08 PM    <JUNCTION>     Default User [C:\Users\Default]
               0 File(s)              0 bytes

 Directory of C:\Users\All Users

07/13/2009  09:08 PM    <JUNCTION>     Application Data [C:\ProgramData]
07/13/2009  09:08 PM    <JUNCTION>     Desktop [C:\Users\Public\Desktop]
07/13/2009  09:08 PM    <JUNCTION>     Documents [C:\Users\Public\Documents]
07/13/2009  09:08 PM    <JUNCTION>     Favorites [C:\Users\Public\Favorites]
07/13/2009  09:08 PM    <JUNCTION>     Start Menu [C:\ProgramData\Microsoft\Windows\Start Menu]
07/13/2009  09:08 PM    <JUNCTION>     Templates [C:\ProgramData\Microsoft\Windows\Templates]
               0 File(s)              0 bytes

 Directory of C:\Users\Default

07/13/2009  09:08 PM    <JUNCTION>     Application Data [C:\Users\Default\AppData\Roaming]
07/13/2009  09:08 PM    <JUNCTION>     Cookies [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies]
07/13/2009  09:08 PM    <JUNCTION>     Local Settings [C:\Users\Default\AppData\Local]
07/13/2009  09:08 PM    <JUNCTION>     My Documents [C:\Users\Default\Documents]
07/13/2009  09:08 PM    <JUNCTION>     NetHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
07/13/2009  09:08 PM    <JUNCTION>     PrintHood [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
07/13/2009  09:08 PM    <JUNCTION>     Recent [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent]
07/13/2009  09:08 PM    <JUNCTION>     SendTo [C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo]
07/13/2009  09:08 PM    <JUNCTION>     Start Menu [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu]
07/13/2009  09:08 PM    <JUNCTION>     Templates [C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes

 Directory of C:\Users\Default\AppData\Local

07/13/2009  09:08 PM    <JUNCTION>     Application Data [C:\Users\Default\AppData\Local]
07/13/2009  09:08 PM    <JUNCTION>     History [C:\Users\Default\AppData\Local\Microsoft\Windows\History]
07/13/2009  09:08 PM    <JUNCTION>     Temporary Internet Files [C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes

 Directory of C:\Users\Default\Documents

07/13/2009  09:08 PM    <JUNCTION>     My Music [C:\Users\Default\Music]
07/13/2009  09:08 PM    <JUNCTION>     My Pictures [C:\Users\Default\Pictures]
07/13/2009  09:08 PM    <JUNCTION>     My Videos [C:\Users\Default\Videos]
               0 File(s)              0 bytes

 Directory of C:\Users\George

04/14/2012  06:47 PM    <JUNCTION>     Application Data [C:\Users\George\AppData\Roaming]
04/14/2012  06:47 PM    <JUNCTION>     Cookies [C:\Users\George\AppData\Roaming\Microsoft\Windows\Cookies]
04/14/2012  06:47 PM    <JUNCTION>     Local Settings [C:\Users\George\AppData\Local]
04/14/2012  06:47 PM    <JUNCTION>     My Documents [C:\Users\George\Documents]
04/14/2012  06:47 PM    <JUNCTION>     NetHood [C:\Users\George\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
04/14/2012  06:47 PM    <JUNCTION>     PrintHood [C:\Users\George\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
04/14/2012  06:47 PM    <JUNCTION>     Recent [C:\Users\George\AppData\Roaming\Microsoft\Windows\Recent]
04/14/2012  06:47 PM    <JUNCTION>     SendTo [C:\Users\George\AppData\Roaming\Microsoft\Windows\SendTo]
04/14/2012  06:47 PM    <JUNCTION>     Start Menu [C:\Users\George\AppData\Roaming\Microsoft\Windows\Start Menu]
04/14/2012  06:47 PM    <JUNCTION>     Templates [C:\Users\George\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes

 Directory of C:\Users\George\AppData\Local

04/14/2012  06:47 PM    <JUNCTION>     Application Data [C:\Users\George\AppData\Local]
04/14/2012  06:47 PM    <JUNCTION>     History [C:\Users\George\AppData\Local\Microsoft\Windows\History]
04/14/2012  06:47 PM    <JUNCTION>     Temporary Internet Files [C:\Users\George\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes

 Directory of C:\Users\George\Documents

04/14/2012  06:47 PM    <JUNCTION>     My Music [C:\Users\George\Music]
04/14/2012  06:47 PM    <JUNCTION>     My Pictures [C:\Users\George\Pictures]
04/14/2012  06:47 PM    <JUNCTION>     My Videos [C:\Users\George\Videos]
               0 File(s)              0 bytes

 Directory of C:\Users\Public\Documents

07/13/2009  09:08 PM    <JUNCTION>     My Music [C:\Users\Public\Music]
07/13/2009  09:08 PM    <JUNCTION>     My Pictures [C:\Users\Public\Pictures]
07/13/2009  09:08 PM    <JUNCTION>     My Videos [C:\Users\Public\Videos]
               0 File(s)              0 bytes

 Directory of C:\Users\sheila

03/11/2012  04:15 PM    <JUNCTION>     Application Data [C:\Users\sheila\AppData\Roaming]
03/11/2012  04:15 PM    <JUNCTION>     Cookies [C:\Users\sheila\AppData\Roaming\Microsoft\Windows\Cookies]
03/11/2012  04:15 PM    <JUNCTION>     Local Settings [C:\Users\sheila\AppData\Local]
03/11/2012  04:15 PM    <JUNCTION>     My Documents [C:\Users\sheila\Documents]
03/11/2012  04:15 PM    <JUNCTION>     NetHood [C:\Users\sheila\AppData\Roaming\Microsoft\Windows\Network Shortcuts]
03/11/2012  04:15 PM    <JUNCTION>     PrintHood [C:\Users\sheila\AppData\Roaming\Microsoft\Windows\Printer Shortcuts]
03/11/2012  04:15 PM    <JUNCTION>     Recent [C:\Users\sheila\AppData\Roaming\Microsoft\Windows\Recent]
03/11/2012  04:15 PM    <JUNCTION>     SendTo [C:\Users\sheila\AppData\Roaming\Microsoft\Windows\SendTo]
03/11/2012  04:15 PM    <JUNCTION>     Start Menu [C:\Users\sheila\AppData\Roaming\Microsoft\Windows\Start Menu]
03/11/2012  04:15 PM    <JUNCTION>     Templates [C:\Users\sheila\AppData\Roaming\Microsoft\Windows\Templates]
               0 File(s)              0 bytes

 Directory of C:\Users\sheila\AppData\Local

03/11/2012  04:15 PM    <JUNCTION>     Application Data [C:\Users\sheila\AppData\Local]
03/11/2012  04:15 PM    <JUNCTION>     History [C:\Users\sheila\AppData\Local\Microsoft\Windows\History]
03/11/2012  04:15 PM    <JUNCTION>     Temporary Internet Files [C:\Users\sheila\AppData\Local\Microsoft\Windows\Temporary Internet Files]
               0 File(s)              0 bytes

 Directory of C:\Users\sheila\Documents

03/11/2012  04:15 PM    <JUNCTION>     My Music [C:\Users\sheila\Music]
03/11/2012  04:15 PM    <JUNCTION>     My Pictures [C:\Users\sheila\Pictures]
03/11/2012  04:15 PM    <JUNCTION>     My Videos [C:\Users\sheila\Videos]
               0 File(s)              0 bytes

 Directory of C:\Windows\winsxs\amd64_security-malware-windows-defender-events_31bf3856ad364e35_6.1.7600.16385_none_118cf1dcd54a3dea

07/13/2009  05:29 PM    <SYMLINK>      MpEvMsg.dll [c:\windows\system32\config]
               1 File(s)         52,224 bytes

 Directory of C:\Windows\winsxs\amd64_security-malware-windows-defender_31bf3856ad364e35_6.1.7601.17514_none_b5e2b6396ecea306

07/13/2009  05:41 PM    <SYMLINK>      MpAsDesc.dll [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MpClient.dll [c:\windows\system32\config]
07/13/2009  05:39 PM    <SYMLINK>      MpCmdRun.exe [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MpCommu.dll [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MpOAV.dll [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MpRTP.dll [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MpSvc.dll [c:\windows\system32\config]
07/13/2009  05:39 PM    <SYMLINK>      MSASCui.exe [c:\windows\system32\config]
11/20/2010  07:24 PM    <SYMLINK>      MsMpCom.dll [c:\windows\system32\config]
07/13/2009  05:29 PM    <SYMLINK>      MsMpLics.dll [c:\windows\system32\config]
07/13/2009  05:41 PM    <SYMLINK>      MsMpRes.dll [c:\windows\system32\config]
              11 File(s)      3,867,136 bytes

     Total Files Listed:
              53 File(s)     18,532,409 bytes
              70 Dir(s)  410,935,947,264 bytes free

========= End of CMD: =========

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0527DFE8-71F3-406E-BF2A-1896512B72A2} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0527DFE8-71F3-406E-BF2A-1896512B72A2} => Key deleted successfully.
C:\Windows\System32\Tasks\Ad-Aware Antivirus Scheduled Scan => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Ad-Aware Antivirus Scheduled Scan => Key deleted successfully.
C:\PROGRA~2\AD-AWA~1 => Moved successfully.
C:\ProgramData\Temp => ":0ECF32C6" ADS removed successfully.
C:\Users\George\AppData\Local\Temp => Moved successfully.

==== End of Fixlog ====
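The listing in the log above shows every binary of Microsoft Security Client and Windows Defender replaced by a symlink into c:\windows\system32\config, which is why the fix uses DeleteJunctionsIndirectory. As an added example (not part of the thread and not FRST's own code), here is a small Python checker that parses such a `dir /s /a:l` output and flags links whose target is the hive directory or whose binary-looking name resolves to a different object; the sample listing, the extension list and the hive-directory rule are this example's own constructions.

```python
r"""Flag hijacked reparse points in a `dir /s /a:l` listing.

Added example, not part of the thread and not FRST code. The rule that
nothing in a security product's folder should resolve to
c:\windows\system32\config (the registry hive directory) is this
example's own heuristic, derived from the listing posted above.
"""
import re
from typing import Dict, List

# One link entry of a `dir /a:l` listing, for example:
# 01/27/2013  11:34 AM    <SYMLINK>      MsMpEng.exe [c:\windows\system32\config]
ENTRY_RE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M\s+"
    r"<(?P<kind>JUNCTION|SYMLINKD?)>\s+(?P<name>.+?) \[(?P<target>.+)\]\s*$"
)
# Header line naming the directory the following entries belong to.
DIR_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")

HIVE_DIR = r"c:\windows\system32\config"   # holds registry hives, never code
BINARY_EXT = (".exe", ".dll", ".sys")       # names an AV product loads at start


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Return every reparse-point entry, tagged with the directory it sits in."""
    entries: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        header = DIR_RE.match(line)
        if header:
            current = header.group("path")
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            entries.append({"dir": current, **entry.groupdict()})
    return entries


def classify(entry: Dict[str, str]) -> List[str]:
    """Reasons an entry looks like an AV-neutering link; empty list if benign."""
    reasons: List[str] = []
    target = entry["target"].lower().rstrip("\\")
    name = entry["name"].lower()
    if target == HIVE_DIR or target.startswith(HIVE_DIR + "\\"):
        reasons.append("target is the registry hive directory")
    # A file symlink named like a binary whose target is not that file means
    # the product loads the wrong object (or nothing at all) when it starts.
    if name.endswith(BINARY_EXT) and not target.endswith(name):
        reasons.append("binary name resolves to a different object")
    return reasons


def find_suspicious(text: str) -> List[Dict[str, object]]:
    """Parse a listing and keep only the entries with at least one reason."""
    hits: List[Dict[str, object]] = []
    for entry in parse_listing(text):
        reasons = classify(entry)
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


# Constructed sample in the layout of the listing posted in the thread:
# legitimate profile junctions beside hijacked Microsoft Security Client links.
SAMPLE = r"""
 Directory of C:\Users

07/13/2009  09:08 PM    <JUNCTION>     Default User [C:\Users\Default]
               0 File(s)              0 bytes

 Directory of C:\Program Files\Microsoft Security Client

05/01/2012  02:01 AM    <SYMLINKD>     Backup [c:\windows\system32\config]
01/27/2013  11:34 AM    <SYMLINK>      MsMpEng.exe [c:\windows\system32\config]
01/27/2013  11:36 AM    <SYMLINK>      MpSvc.dll [c:\windows\system32\config]
               2 File(s)      1,234,567 bytes

 Directory of C:\Users\Default

07/13/2009  09:08 PM    <JUNCTION>     Application Data [C:\Users\Default\AppData\Roaming]
               0 File(s)              0 bytes
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print(f'{hit["dir"]}\\{hit["name"]} <{hit["kind"]}> -> {hit["target"]}: '
              + "; ".join(hit["reasons"]))
```

The profile junctions (Default User, Application Data) pass untouched, while all three Microsoft Security Client links are reported, the binaries with both reasons.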



#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:18 AM

Posted 03 February 2014 - 05:09 PM

Hi,

Good work.

Next please download the following file => [attachment=146706:fixlist.txt] and save it to the Desktop.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Go ahead and rename C:\Program Files\Windows Defender.old back to its original name => C:\Program Files\Windows Defender

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Also reboot the computer once in order for the changes to take effect.

Regards,

Georgi


#13 art_vandelay

art_vandelay
  • Topic Starter

  • Members
  • 139 posts
  • OFFLINE
  •  
  • Local time:05:18 PM

Posted 03 February 2014 - 05:21 PM

Ran those steps and rebooted. Here is Fixlog.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2014 04
Ran by sheila at 2014-02-03 14:13:39 Run:2
Running from C:\Users\sheila\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
end

*****************

"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
"C:\Program Files\Microsoft Security Client\Backup" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\DbgHelp.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Drivers" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\en-us" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\EppManifest.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\mpevmsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpOAv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MSESysprep.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpEng.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseces.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseoobe.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseooberes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsseWat.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisIpsPlugin.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisLog.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisSrv.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\NisWFP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Setup.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SetupRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\shellext.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\sqmapi.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\SymSrv.yes" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

The system needs a manual reboot.

==== End of Fixlog ====



#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:18 AM

Posted 03 February 2014 - 06:25 PM

Hi,

How are things now?

I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps (most of them should take no more than 10 minutes each):

STEP 1

  • Please download RogueKillerx64.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 2

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed!!
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 3

Please download Malwarebytes Anti-Rootkit and save it to your desktop.

  • Be sure to print out and follow these instructions for performing a scan.
  • Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  • When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  • Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  • Copy and paste the contents of these two log files in your next reply.

Note: Further documentation on this tool can be found in the ReadMe.rtf file which is located in the Malwarebytes Anti-Rootkit (mbar) folder.

STEP 4

1. Please download HitmanPro.

  • For 32-bit Operating System: download link (and mirror).
  • For 64-bit Operating System: download link (and mirror).

2. Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users: right-click on the HitmanPro icon and select Run as administrator.)

Note: If the program won't run, open it while holding down the left CTRL key until the program has loaded.

3. Click on the next button. You must agree to the terms of the EULA (if asked).

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done, click on the drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8. Click on the next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a drop-down menu when the scan is done, then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it to your next reply.

STEP 5

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

STEP 6

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

STEP 7

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

And then, if there aren't any issues left, I'll give you my final recommendations. :)

Regards,

Georgi


#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:03:18 AM

Posted 12 February 2014 - 04:56 AM

Hi,

Are you still there?

Regards,

Georgi