
Two Problems- Zero Access and AVG ZA removal tool


11 replies to this topic

#1 wrongheaded2


Posted 09 February 2014 - 06:37 AM

I ran RKill b/c computer was slowing down, notified of 3 lines of ZA rootkit entries. Ran AVG ZA removal tool which aborted during installation, locking out the network interface. AVG tool won't uninstall b/c installation was incomplete, and no internet access to finish and then uninstall.

Attached File: Attach.txt (5.42KB, 2 downloads)
Attached File: txt.txt (17.31KB, 7 downloads)




#2 xXToffeeXx


Posted 09 February 2014 - 11:30 AM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know. I am in training and an instructor will need to check my fixes so a little delay may happen at times.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now

 

--------------

 

Hi wrongheaded2,

 

I will be handling your log to help you get cleaned up. Please give me some time to look it over, and I will get back to you as soon as possible. 

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 xXToffeeXx


Posted 09 February 2014 - 12:33 PM

Hi wrongheaded2,

 

Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, steal critical system information, and download and execute files.
 
I highly suggest you disconnect this PC from the Internet immediately, and if possible use a clean computer and a flash drive to transfer the programs I request for you to run. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to notify them of your situation.
 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 
We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue cleaning this machine, follow on with the rest of the steps posted below. If you do not want to clean this machine, please let me know.

 

--------------

 

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened (again, this is the resident/automatic protection). In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove two of these: AVG 2014, VIPRE Internet Security or PC Tools Spyware Doctor with AntiVirus 9.1

AVG removal tool (make sure to download the 2014 64 bit one) - http://www.avg.com/gb-en/utilities

 

--------------

 

Bleeping Computer does not recommend the use of registry cleaners/optimizers:

 

There are numerous programs which purport to improve system performance, make repairs and tune up a computer. Many of them include such features as a registry cleaner, registry optimizer, disk optimizer, etc. Some of these programs even incorporate optimization and registry cleaning features alongside anti-malware capabilities. These registry cleaners and optimizers claim to speed up your computer by finding and removing orphaned and corrupt registry entries that are responsible for slowing down system performance. There is no statistical evidence to back such claims. Advertisements to do so are borderline scams intended to goad users into using an unnecessary and potentially dangerous product.

 

See the whole post here: http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/?p=2853053

 

Therefore I suggest going to add/remove in the control panel and removing these programs: Advanced System Optimizer and RegCure Pro

 

--------------

 

Running Combofix:


Download Combofix from this link and save it to your desktop

  • Close any open browsers or any other programs that are open.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • You can also find the log here: C:\ComboFix.txt

 

Please also note:

  • Do not click combofix's window while it's running. That may cause combofix to stall.
  • Combofix may reboot your computer a number of times, this is normal.
  • If you receive an error, "Illegal operation attempted on a registry key that has been marked for deletion,"  then please restart the computer to resolve this.

 

--------------

To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • ComboFix.txt

xXToffeeXx~
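Toffee's point above, that only one anti-virus suite should be installed and running, can be checked mechanically against the "Security Center" and "Installed Programs" sections of an FRST Addition.txt (the format the topic starter posts later in this thread). The parser below is an added example, not code from the thread or from the FRST tool; its sample log is constructed (the "AVG AntiVirus 2014" Security Center line and its all-zero GUID are made up), and the suite names are the three products the helper asked to reduce to one.

```python
"""Flag the multiple-antivirus conflict described in the thread by parsing the
Security Center and Installed Programs sections of an FRST Addition.txt."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the Addition.txt excerpt posted in this thread.
# The "AVG AntiVirus 2014" Security Center line and its all-zero GUID are made up.
SAMPLE_ADDITION = """\
==================== Security Center ========================

AV: ThreatTrack Security VIPRE (Disabled - Out of date) {FFE93D16-FD09-0282-C7D3-8B1731B6A051}
AV: AVG AntiVirus 2014 (Enabled - Up to date) {00000000-0000-0000-0000-000000000001}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ThreatTrack Security VIPRE (Disabled) {C7D2BC33-B766-03DA-EC8C-2222CF65E72A}

==================== Installed Programs ======================

AVG 2014 (Version: 2014.0.4335 - AVG Technologies)
AVG SafeGuard toolbar (x32 Version: 17.3.0.49 - AVG Technologies)
CCleaner (Version: 4.10 - Piriform)
PC Tools Spyware Doctor with AntiVirus 9.1 (x32 Version: 9.1 - PC Tools)
VIPRE Internet Security (x32 Version: 7.0.6.2 - ThreatTrack Security, Inc.) Hidden

==================== Restore Points  =========================

07-02-2014 14:16:34 Installed AVG 2014
"""

# "==================== Section name ========================" banners.
SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")
# "AV: Name (Enabled - Up to date) {GUID}"; firewall lines carry no definition state.
PRODUCT_RE = re.compile(
    r"^(?P<kind>AV|AS|FW): (?P<name>.+?) "
    r"\((?P<state>Enabled|Disabled)(?: - (?P<defs>Up to date|Out of date))?\) "
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}$")
# "Name (x32 Version: 1.2 - Publisher) Hidden"; the x32/HKCU tag and version may be absent.
PROGRAM_RE = re.compile(
    r"^(?P<name>.+?) \((?:x32 |HKCU )?Version: ?(?P<version>.*?) - "
    r"(?P<publisher>.*?)\)(?P<hidden> Hidden)?$")

# The three products the helper asked to reduce to one (post #3 above).
AV_SUITE_PREFIXES = ("AVG 2014", "VIPRE Internet Security", "PC Tools Spyware Doctor")


@dataclass
class SecurityProduct:
    kind: str            # AV, AS or FW
    name: str
    enabled: bool
    defs: Optional[str]  # "Up to date", "Out of date" or None
    guid: str


@dataclass
class InstalledProgram:
    name: str
    version: str
    publisher: str
    hidden: bool


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the non-blank lines of the log under the banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_security_center(lines: List[str]) -> List[SecurityProduct]:
    out = []
    for line in lines:
        m = PRODUCT_RE.match(line)
        if m:
            out.append(SecurityProduct(m["kind"], m["name"], m["state"] == "Enabled",
                                       m["defs"], m["guid"]))
    return out


def parse_installed_programs(lines: List[str]) -> List[InstalledProgram]:
    out = []
    for line in lines:
        m = PROGRAM_RE.match(line)
        if m:
            out.append(InstalledProgram(m["name"], m["version"], m["publisher"],
                                        m["hidden"] is not None))
    return out


def find_av_conflicts(addition_text: str) -> dict:
    """Report every registered AV, which ones are live, which have stale
    definitions, and whether more than one suite is present at all."""
    sections = split_sections(addition_text)
    products = parse_security_center(sections.get("Security Center", []))
    programs = parse_installed_programs(sections.get("Installed Programs", []))
    av = [p for p in products if p.kind == "AV"]
    suites = sorted({p.name for p in programs if p.name.startswith(AV_SUITE_PREFIXES)})
    return {
        "registered_av": [p.name for p in av],
        "enabled_av": [p.name for p in av if p.enabled],
        "stale_definitions": [p.name for p in products if p.defs == "Out of date"],
        "installed_suites": suites,
        "conflict": len(av) > 1 or len(suites) > 1,
    }


if __name__ == "__main__":
    for key, value in find_av_conflicts(SAMPLE_ADDITION).items():
        print(f"{key}: {value}")
```

Run against a real Addition.txt by reading the file and passing its text to find_av_conflicts; a product that is installed but missing from Security Center, as AVG is in the log below, shows up only in installed_suites.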




#4 wrongheaded2

wrongheaded2
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:09:28 PM

Posted 09 February 2014 - 04:30 PM

Attached File: ComboFix.txt (34.73KB, 10 downloads)

 

I attached the combofix.txt file because I could copy but pasting wasn't an option. I apologize for my illiteracy.



#5 xXToffeeXx


Posted 11 February 2014 - 11:05 AM

Hi wrongheaded2,
 
No worries on that then. You can always try Ctrl and V together to paste as well.

 

Uninstall a Program:

  • Click the Windows logo on the taskbar and then click on the "Control Panel" option.
  • Click on Uninstall a program under the Programs section. 
  • A list of programs installed will be "populated", this may take a bit of time.
  • If they exist, uninstall the following by clicking on the following entries and selecting "remove":

AVG SafeGuard toolbar

  • Additional instructions can be found here if needed.

--------------
 
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

--------------
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 

--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • AdwCleaner log
  • FRST.txt
  • Addition.txt

xXToffeeXx~


Edited by xXToffeeXx, 11 February 2014 - 11:06 AM.



#6 wrongheaded2


Posted 11 February 2014 - 02:54 PM

Toffee, here are the files you requested.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 10-02-2014 01
Ran by Ed at 2014-02-11 14:47:07
Running from F:\Bleeping
Boot Mode: Normal
==========================================================

==================== Security Center ========================

AV: ThreatTrack Security VIPRE (Disabled - Out of date) {FFE93D16-FD09-0282-C7D3-8B1731B6A051}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: ThreatTrack Security VIPRE (Disabled - Out of date) {4488DCF2-DB33-0D0C-FD63-B0654A31EAEC}
FW: ThreatTrack Security VIPRE (Disabled) {C7D2BC33-B766-03DA-EC8C-2222CF65E72A}

==================== Installed Programs ======================

ABBYY FineReader 6.0 Sprint (x32 Version: 6.00.1990.41618 - ABBYY Software House)
Adobe Digital Editions 2.0 (x32 Version: 2.0 - Adobe Systems Incorporated)
Adobe Flash Player 12 ActiveX (x32 Version: 12.0.0.44 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.06) (x32 Version: 11.0.06 - Adobe Systems Incorporated)
Advanced Audio FX Engine (x32 Version: 1.12.05 - Creative Technology Ltd)
Amazon MP3 Downloader 1.0.17 (x32 Version: 1.0.17 - Amazon Services LLC)
Amazon MP3 Downloader 1.0.18 (HKCU Version: 1.0.18 - Amazon Services LLC)
ARO 2012 (Version: 8.0 - Support.com)
AVG 2014 (Version: 14.0.3697 - AVG Technologies) Hidden
AVG 2014 (Version: 2014.0.4335 - AVG Technologies)
AVG SafeGuard toolbar (x32 Version: 17.3.0.49 - AVG Technologies)
AVS Update Manager 1.0 (x32 Version:  - Online Media Technologies Ltd.)
AVS Video Converter 8 (x32 Version:  - Online Media Technologies Ltd.)
AVS4YOU Software Navigator 1.4 (x32 Version:  - Online Media Technologies Ltd.)
Belarc Advisor 8.3 (x32 Version: 8.3.2.0 - Belarc Inc.)
Brother MFL-Pro Suite MFC-J4510DW (x32 Version: 1.0.3.0 - Brother Industries, Ltd.)
Browser Guard 4.0 (x32 Version: 4.0.0.1884 - PC Tools)
CCleaner (Version: 4.10 - Piriform)
CyberLink PowerDVD 9.5 (x32 Version: 9.5.1.3426 - CyberLink Corp.)
CyberLink PowerDVD 9.5 (x32 Version: 9.5.1.3426 - CyberLink Corp.) Hidden
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition (x32 Version:  - Microsoft)
Defraggler (Version: 2.16 - Piriform)
Dell Webcam Central (x32 Version: 1.40.05 - Creative Technology Ltd)
DriverUpdate (x32 Version: 2.2.32366 - SlimWare Utilities, Inc.)
ErrorEND (Version: 1.0.9.3 - Seven Servos Software, Inc.)
EZ Vinyl/Tape Converter by Ion Audio 11.5.0 (x32 Version: 11.5.0 - Ion Audio LLC)
File Uploader (x32 Version: 1.1.1 - Nikon)
Google Chrome (x32 Version: 32.0.1700.107 - Google Inc.)
Google Earth (x32 Version: 7.1.2.2041 - Google)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Toolbar for Internet Explorer (x32 Version: 7.5.4805.320 - Google Inc.)
Google Update Helper (x32 Version: 1.3.22.3 - Google Inc.) Hidden
Intel® Graphics Media Accelerator Driver (x32 Version: 8.15.10.2104 - Intel Corporation)
Java 7 Update 51 (64-bit) (Version: 7.0.510 - Oracle)
Junk Mail filter update (x32 Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Live! Cam Avatar Creator (x32 Version: 4.6.3009.1 - Creative Technology Ltd)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Application Error Reporting (Version: 12.0.6015.5000 - Microsoft Corporation) Hidden
Microsoft Choice Guard (x32 Version: 2.0.48.0 - Microsoft Corporation) Hidden
Microsoft Mouse and Keyboard Center (Version: 2.2.173.0 - Microsoft Corporation)
Microsoft Mouse and Keyboard Center (Version: 2.2.173.0 - Microsoft Corporation) Hidden
Microsoft Office Access MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Access Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Excel MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Office 64-bit Components 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office OneNote MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Outlook MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office PowerPoint MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Professional 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation)
Microsoft Office Proof (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (French) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proof (Spanish) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Proofing (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Publisher MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2010 (Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Shared Setup Metadata MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Single Image 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Office Word MUI (English) 2010 (x32 Version: 14.0.7015.1000 - Microsoft Corporation) Hidden
Microsoft Silverlight (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (x32 Version: 3.1.0000 - Microsoft Corporation)
Microsoft Sync Framework Runtime Native v1.0 (x86) (x32 Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Sync Framework Services Native v1.0 (x86) (x32 Version: 1.0.1215.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (x32 Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x32 Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (x32 Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (x32 Version: 9.0.30729.6161 - Microsoft Corporation)
MSVCRT (x32 Version: 14.0.1468.721 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (x32 Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (x32 Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (x32 Version: 4.30.2117.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (x32 Version: 4.30.2100.0 - Microsoft Corporation)
Nikon Message Center (x32 Version: 0.92.000 - Nikon)
Nikon Transfer (x32 Version: 1.3.0 - Nikon)
Nuance PaperPort 12 (x32 Version: 12.1.0005 - Nuance Communications, Inc.)
Panorama Maker (x32 Version:  - ArcSoft)
PaperPort Image Printer 64-bit (Version: 14.00.0000 - Nuance Communications, Inc.)
PC Tools Spyware Doctor with AntiVirus 9.1 (x32 Version: 9.1 - PC Tools)
PlayMemories Home (x32 Version: 7.0.00.11271 - Sony Corporation)
RealDownloader (x32 Version: 1.3.3 - RealNetworks, Inc.) Hidden
RealNetworks - Microsoft Visual C++ 2008 Runtime (x32 Version: 9.0 - RealNetworks, Inc) Hidden
RealNetworks - Microsoft Visual C++ 2010 Runtime (x32 Version: 10.0 - RealNetworks, Inc) Hidden
RealPlayer (x32 Version: 16.0.3 - RealNetworks)
Realtek High Definition Audio Driver (x32 Version: 6.0.1.6088 - Realtek Semiconductor Corp.)
RealUpgrade 1.1 (x32 Version: 1.1.0 - RealNetworks, Inc.) Hidden
Service Pack 2 for Microsoft Office 2010 (KB2687455) 32-Bit Edition (x32 Version:  - Microsoft) Hidden
Shared C Run-time for x64 (Version: 10.0.0 - McAfee)
Synaptics Pointing Device Driver (Version: 14.0.15.0 - Synaptics Incorporated)
TurboTax 2011 (x32 Version:  - Intuit, Inc)
TurboTax 2011 WinPerFedFormset (x32 Version: 011.000.3351 - Intuit Inc.) Hidden
TurboTax 2011 WinPerReleaseEngine (x32 Version: 011.000.0496 - Intuit Inc.) Hidden
TurboTax 2011 WinPerTaxSupport (x32 Version: 011.000.0222 - Intuit Inc.) Hidden
TurboTax 2011 wnyiper (x32 Version: 011.000.1628 - Intuit Inc.) Hidden
TurboTax 2011 wrapper (x32 Version: 011.000.0121 - Intuit Inc.) Hidden
TurboTax 2012 (x32 Version: 2012.0 - Intuit, Inc)
TurboTax 2012 WinPerFedFormset (x32 Version: 012.000.2114 - Intuit Inc.) Hidden
TurboTax 2012 WinPerReleaseEngine (x32 Version: 012.000.0451 - Intuit Inc.) Hidden
TurboTax 2012 WinPerTaxSupport (x32 Version: 012.000.0179 - Intuit Inc.) Hidden
TurboTax 2012 wnyiper (x32 Version: 012.000.1503 - Intuit Inc.) Hidden
TurboTax 2012 wrapper (x32 Version: 012.000.0127 - Intuit Inc.) Hidden
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2494150) (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589352) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2597087) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2826026) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Office 2010 (KB2850079) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition (x32 Version:  - Microsoft)
Update for Microsoft Word 2010 (KB2837593) 32-Bit Edition (x32 Version:  - Microsoft)
VIPRE Internet Security (x32 Version: 7.0.6.2 - ThreatTrack Security, Inc.) Hidden
Visual Studio 2008 x64 Redistributables (x32 Version: 10.0.0.2 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (x32 Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows Live Call (x32 Version: 14.0.8064.0206 - Microsoft Corporation) Hidden
Windows Live Communications Platform (x32 Version: 14.0.8064.206 - Microsoft Corporation) Hidden
Windows Live Essentials (x32 Version: 14.0.8089.0726 - Microsoft Corporation)
Windows Live Essentials (x32 Version: 14.0.8089.726 - Microsoft Corporation) Hidden
Windows Live Mail (x32 Version: 14.0.8089.0726 - Microsoft Corporation) Hidden
Windows Live Messenger (x32 Version: 14.0.8089.0726 - Microsoft Corporation) Hidden
Windows Live Movie Maker (x32 Version: 14.0.8091.0730 - Microsoft Corporation) Hidden
Windows Live Photo Gallery (x32 Version: 14.0.8081.709 - Microsoft Corporation) Hidden
Windows Live Sign-in Assistant (x32 Version: 5.000.818.5 - Microsoft Corporation)
Windows Live Sync (x32 Version: 14.0.8089.726 - Microsoft Corporation)
Windows Live Toolbar (x32 Version: 14.0.8064.206 - Microsoft Corporation) Hidden
Windows Live Upload Tool (x32 Version: 14.0.8014.1029 - Microsoft Corporation)
Windows Live Writer (x32 Version: 14.0.8089.0726 - Microsoft Corporation) Hidden
Wondershare DVD Creator(Build 2.6.1) (x32 Version:  - Wondershare)

==================== Restore Points  =========================

01-02-2014 00:26:01 Scheduled Checkpoint
02-02-2014 01:30:16 Advanced System Optimizer
05-02-2014 23:13:24 Installed Java 7 Update 51
05-02-2014 23:20:07 Removed Java™ 6 Update 45
05-02-2014 23:20:44 Removed Java 7 Update 51
05-02-2014 23:29:08 Installed Java 7 Update 51 (64-bit)
07-02-2014 14:16:34 Installed AVG 2014
07-02-2014 14:17:25 Installed AVG 2014

==================== Hosts content: ==========================

2009-07-13 21:34 - 2014-02-09 13:51 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

Task: {20B1BC79-2045-44B4-AD70-E33AE656898F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-07-02] (Google Inc.)
Task: {2EF2D7C5-77F4-402C-8E10-B843746B7935} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-2596667638-1028196044-3400182665-1002 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2013-10-25] (RealNetworks, Inc.)
Task: {305C4FF1-DC96-4C14-BC7B-517C3488BF72} - System32\Tasks\Microsoft_MKC_Logon_Task_ipoint.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2013-05-13] (Microsoft Corporation)
Task: {357B7A48-CE33-4FEA-A39D-6ECD4ED67B6E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-07-02] (Google Inc.)
Task: {37881F56-1F91-4CEA-A8F0-59276C491824} - System32\Tasks\Microsoft_MKC_Logon_Task_itype.exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2013-05-13] (Microsoft Corporation)
Task: {3C92E347-E4AA-4965-BA84-42A5DEE6321E} - System32\Tasks\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan => c:\Program Files\Microsoft Security Client\MpCmdRun.exe
Task: {3F5298AA-5AF2-4A7D-8E8E-A46909B19A0F} - System32\Tasks\Microsoft_Hardware_Launch_ipoint_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe [2013-05-13] (Microsoft Corporation)
Task: {4AA7AC02-C387-4E01-B1CE-A44F81542649} - System32\Tasks\{6FE1B3A3-3E23-4CCB-9DB3-E8DEBC4910A4} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
Task: {4BC03A83-97CF-44EE-B113-0DECB9B2FA2D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-02-05] (Adobe Systems Incorporated)
Task: {6C3F08BB-658E-4EF0-9ABC-C3442E04AB89} - System32\Tasks\{DFA9C8B8-95EF-42F8-AC9F-529E613B63D5} => C:\Program Files (x86)\Real\RealPlayer\realplay.exe [2013-11-22] (RealNetworks, Inc.)
Task: {6D3AC18E-4F01-4C88-BB46-1B95D4AFA225} - System32\Tasks\Microsoft_Hardware_Launch_itype_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe [2013-05-13] (Microsoft Corporation)
Task: {6F8E1E1D-61FD-49AC-B1F3-799E5200B4D9} - System32\Tasks\ARO 2012 => C:\Program Files (x86)\ARO 2012\ARO.exe [2012-10-16] (Support.com, Inc.)
Task: {6F98BB16-284D-479B-8246-5B0FB4868925} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2596667638-1028196044-3400182665-1002 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe [2013-10-25] (RealNetworks, Inc.)
Task: {8001DF3A-F232-4147-AADD-88A59A20C157} - System32\Tasks\Microsoft_Hardware_Launch_mousekeyboardcenter_exe => c:\Program Files\Microsoft Mouse and Keyboard Center\mousekeyboardcenter.exe [2013-05-13] (Microsoft)
Task: {97316E6A-5BDD-49F8-9DB4-C184600705C7} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-2596667638-1028196044-3400182665-1002 => C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe [2013-08-14] (RealNetworks, Inc.)
Task: {9D9AFF80-DDBB-432F-B7B4-75558010006C} - System32\Tasks\Installation App Launcher => C:\Program Files (x86)\Lexmark 5600-6600 Series\lxduamon.exe
Task: {9E6BC927-B75D-451B-9F30-C32BD04C5BBF} - System32\Tasks\{B068639F-E01C-497B-983A-A2B049DC55E3} => C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
Task: {CF195B7A-B31C-47F7-A38E-235301303CAF} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2596667638-1028196044-3400182665-1002 => C:\Program Files (x86)\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {FF86E9E7-F8E1-4A07-9548-4900A93A6337} - System32\Tasks\{44F29CCA-4605-49D8-BE23-1B1599B32690} => C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe [2013-12-21] (Adobe Systems Incorporated)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\ARO 2012.job => C:\Program Files (x86)\ARO 2012\ARO.exe
Task: C:\Windows\Tasks\DriverUpdate Startup.job => C:\Program Files (x86)\DriverUpdate\DriverUpdate.exe
Task: C:\Windows\Tasks\ErrorEND.job => C:\Program Files\ErrorEND\ErrorEND.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\ParetoLogic Update Version3 Startup Task.job => C:\Program Files (x86)\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe

==================== Loaded Modules (whitelisted) =============

2012-11-23 09:53 - 2012-11-23 09:53 - 00329592 _____ () C:\Program Files (x86)\GFI\LanGuard 11 Agent\apistrings.dll
2012-11-23 09:56 - 2012-11-23 09:56 - 00159608 _____ () C:\Program Files (x86)\GFI\LanGuard 11 Agent\modlop.dll
2012-11-23 09:54 - 2012-11-23 09:54 - 00100728 _____ () C:\Program Files (x86)\GFI\LanGuard 11 Agent\httpserverattplugin.dll
2012-11-23 09:46 - 2012-11-23 09:46 - 02029600 _____ () C:\Program Files (x86)\GFI\LanGuard 11 Agent\crmimodule.dll
2012-11-23 09:58 - 2012-11-23 09:58 - 00208760 _____ () C:\Program Files (x86)\GFI\LanGuard 11 Agent\patchautodownload.dll
2009-07-13 16:03 - 2009-07-13 20:15 - 00364544 _____ () C:\Windows\SysWOW64\msjetoledb40.dll
2012-12-07 10:02 - 2012-12-07 10:02 - 00183160 _____ () C:\Program Files (x86)\GFI\LanGuard 11 Agent\scanmngsys.dll
2012-11-23 09:58 - 2012-11-23 09:58 - 00049528 _____ () C:\Program Files (x86)\GFI\LanGuard 11 Agent\schedcompactdb.dll
2012-11-23 09:58 - 2012-11-23 09:58 - 00054648 _____ () C:\Program Files (x86)\GFI\LanGuard 11 Agent\schedupdates.dll
2013-11-01 15:11 - 2013-11-01 15:11 - 00090624 _____ () C:\Program Files (x86)\PasswordBox\libwebsocketswin32.dll
2013-08-14 15:19 - 2013-08-14 15:19 - 00039056 _____ () C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
2012-02-20 22:26 - 2012-02-20 22:26 - 00160768 _____ () C:\Program Files (x86)\VIPRE\unrar.dll
2013-06-05 13:22 - 2009-02-27 15:38 - 00139264 ____R () C:\Program Files (x86)\Brother\BrUtilities\BrLogAPI.dll
2014-01-21 14:17 - 2014-01-07 14:53 - 00190752 _____ () C:\Program Files (x86)\VIPRE\Definitions\libBase64.dll
2014-01-21 14:17 - 2014-01-07 14:53 - 00178464 _____ () C:\Program Files (x86)\VIPRE\Definitions\libMachoUniv.dll

==================== Alternate Data Streams (whitelisted) =========

AlternateDataStreams: C:\ProgramData\Temp:430C6D84
AlternateDataStreams: C:\ProgramData\Temp:DFC5A2B2
AlternateDataStreams: C:\Users\Ed\Documents\20120110182803.mpg:TOC.WMV
AlternateDataStreams: C:\Users\Ed\Documents\The Blog of Michael R_ Eades, M_D_.eml:OECustomProperty
AlternateDataStreams: C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_0favicon-2079221766
AlternateDataStreams: C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_1favicon1313128964
AlternateDataStreams: C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_2favicon-2092717923

==================== Safe Mode (whitelisted) ===================

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdAuxService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdCoreService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBAMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SBPIMSvc => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sdAuxService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sdCoreService => ""="Service"

==================== Disabled items from MSCONFIG ==============

==================== Faulty Device Manager Devices =============

Name: AVG network filter service
Description: AVG network filter service
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: Avgfwfd
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (02/11/2014 02:43:00 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/10/2014 07:43:47 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (02/10/2014 07:43:25 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.

Error: (02/08/2014 10:35:03 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Dependent Assembly rpshellextension.1.0,language="*",type="win32",version="1.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (02/08/2014 10:34:03 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"1".Error in manifest or policy file "WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"2" on line WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"3.
Component identity found in manifest does not match the identity of the component requested.
Reference is WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1".
Definition is WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1".
Please use sxstrace.exe for detailed diagnosis.

Error: (02/08/2014 10:03:12 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/07/2014 08:38:59 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/07/2014 08:29:03 PM) (Source: RasClient) (User: )
Description: CoId={A88D6EDA-5216-4E32-98B6-2384D8DC4A16}: The user MININT-O5DENPH\Ed dialed a connection named Broadband Connection which has failed. The error code returned on failure is 638.

Error: (02/07/2014 08:24:14 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/07/2014 07:01:25 PM) (Source: RasClient) (User: )
Description: CoId={ED6216D9-DC29-422E-A280-99560A1A6214}: The user MININT-O5DENPH\Ed dialed a connection named Broadband Connection which has failed. The error code returned on failure is 651.

System errors:
=============
Error: (02/11/2014 02:41:30 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Avgfwfd

Error: (02/11/2014 02:41:28 PM) (Source: Service Control Manager) (User: )
Description: The vToolbarUpdater17.3.0 service failed to start due to the following error:
%%2

Error: (02/11/2014 02:41:18 PM) (Source: Service Control Manager) (User: )
Description: The HitmanPro Scheduler service failed to start due to the following error:
%%2

Error: (02/10/2014 05:46:57 PM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (02/09/2014 02:00:56 PM) (Source: DCOM) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Error: (02/09/2014 01:51:11 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (02/09/2014 01:50:42 PM) (Source: Application Popup) (User: )
Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (02/09/2014 01:50:42 PM) (Source: Application Popup) (User: )
Description: \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.

Error: (02/09/2014 01:49:13 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (02/09/2014 01:44:48 PM) (Source: Service Control Manager) (User: )
Description: The BackupService service terminated unexpectedly.  It has done this 1 time(s).

Microsoft Office Sessions:
=========================
Error: (02/11/2014 02:43:00 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/10/2014 07:43:47 PM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{C8E8D2E3-EF6A-4B1D-A09E-7B27EBE2F3CE}\recordingmanager.exe

Error: (02/10/2014 07:43:25 PM) (Source: SideBySide)(User: )
Description: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1"c:\program files (x86)\windows live\photo gallery\MovieMaker.Exec:\program files (x86)\windows live\photo gallery\WLMFDS.DLL8

Error: (02/08/2014 10:35:03 PM) (Source: SideBySide)(User: )
Description: rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"C:\Windows\Installer\{C8E8D2E3-EF6A-4B1D-A09E-7B27EBE2F3CE}\recordingmanager.exe

Error: (02/08/2014 10:34:03 PM) (Source: SideBySide)(User: )
Description: WLMFDS,processorArchitecture="AMD64",type="win32",version="1.0.0.1"WLMFDS,processorArchitecture="x86",type="win32",version="1.0.0.1"c:\program files (x86)\windows live\photo gallery\MovieMaker.Exec:\program files (x86)\windows live\photo gallery\WLMFDS.DLL8

Error: (02/08/2014 10:03:12 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/07/2014 08:38:59 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/07/2014 08:29:03 PM) (Source: RasClient)(User: )
Description: {A88D6EDA-5216-4E32-98B6-2384D8DC4A16}MININT-O5DENPH\EdBroadband Connection638

Error: (02/07/2014 08:24:14 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (02/07/2014 07:01:25 PM) (Source: RasClient)(User: )
Description: {ED6216D9-DC29-422E-A280-99560A1A6214}MININT-O5DENPH\EdBroadband Connection651

CodeIntegrity Errors:
===================================
  Date: 2014-02-09 13:50:42.686
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-02-09 13:50:42.626
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-02-09 13:50:42.566
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-02-09 13:50:42.506
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-03-17 12:32:36.524
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-03-17 12:32:36.524
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-03-17 12:32:36.514
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-03-16 08:59:12.618
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-03-16 08:59:12.608
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

  Date: 2013-03-16 08:59:12.608
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Common Files\McAfee\VSCore\mfeelamk.sys because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Percentage of memory in use: 30%
Total physical RAM: 5940.52 MB
Available physical RAM: 4099.8 MB
Total Pagefile: 11879.23 MB
Available Pagefile: 10217.2 MB
Total Virtual: 8192 MB
Available Virtual: 8191.81 MB

==================== Drives ================================

Drive c: (OSDisk) (Fixed) (Total:582.5 GB) (Free:207.25 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Recovery) (Fixed) (Total:13.66 GB) (Free:7.48 GB) NTFS
Drive f: () (Removable) (Total:59.61 GB) (Free:59.24 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596 GB) (Disk ID: BC1A5B73)
Partition 1: (Active) - (Size=582 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=14 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 60 GB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=60 GB) - (Type=0C)

==================== End Of Log ============================

# AdwCleaner v3.018 - Report created 11/02/2014 at 14:26:46
# Updated 28/01/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Ed - MININT-O5DENPH
# Running from : F:\Bleeping\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

***** [ Files / Folders ] *****

File Found : C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\7y5fyw9g.default\searchplugins\avg-secure-search.xml
File Found : C:\Windows\Tasks\paretologic registration3.job
File Found : C:\Windows\Tasks\paretologic update version3.job
Folder Found : C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Folder Found C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Found C:\Program Files (x86)\Common Files\ParetoLogic
Folder Found C:\ProgramData\ParetoLogic
Folder Found C:\ProgramData\Systweak
Folder Found C:\Users\Ed\AppData\Local\PackageAware
Folder Found C:\Users\Ed\AppData\Roaming\DriverCure
Folder Found C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ParetoLogic
Folder Found C:\Users\Ed\AppData\Roaming\Systweak

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKCU\Software\IGearSettings
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKCU\Software\ParetoLogic
Key Found : HKCU\Software\YahooPartnerToolbar
Key Found : [x64] HKCU\Software\APN PIP
Key Found : [x64] HKCU\Software\IGearSettings
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : [x64] HKCU\Software\ParetoLogic
Key Found : [x64] HKCU\Software\YahooPartnerToolbar
Key Found : HKLM\Software\AVG Security Toolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Found : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Found : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Found : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Found : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Found : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Found : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Found : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Found : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Found : HKLM\Software\ParetoLogic
Key Found : HKLM\Software\PIP
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Value Found : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [Avg@toolbar]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428

-\\ Mozilla Firefox v

[ File : C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\7y5fyw9g.default\prefs.js ]

Line Found : user_pref("browser.search.defaultenginename", "AVG Secure Search");
Line Found : user_pref("browser.search.selectedEngine", "AVG Secure Search");
Line Found : user_pref("keyword.URL", "hxxp://isearch.avg.com/search?cid=%7B2cca074c-aa1f-4dcd-93c9-8d4299311af1%7D&mid=0a3325f14b0447d1bad2c5b7f37e064a-52341b72a37a7881f2e5e3d571c447f3f46706f6&ds=ft011&v=11.0.0.9[...]

-\\ Google Chrome v32.0.1700.107

[ File : C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [6650 octets] - [11/02/2014 14:26:46]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [6710 octets] ##########

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 10-02-2014 01
Ran by Ed (administrator) on MININT-O5DENPH on 11-02-2014 14:46:10
Running from F:\Bleeping
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Normal

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\system32\WLANExt.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(ArcSoft, Inc.) C:\Users\Ed\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe
(Threat Expert Ltd.) C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
(GFI Software Development Ltd.) C:\Program Files (x86)\GFI\LanGuard 11 Agent\lnssatt.exe
(Microsoft Corporation) C:\Windows\system32\msiexec.exe
(PasswordBox, Inc.) C:\Program Files (x86)\PasswordBox\pbbtnService.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(ThreatTrack Security, Inc.) C:\Program Files (x86)\VIPRE\SBPIMSvc.exe
(PC Tools) C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Acresso Corporation) C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
(Creative Technology Ltd) C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe
(cyberlink) C:\Program Files (x86)\CyberLink\Shared files\brs.exe
(Nikon Corporation) C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe
(Sony Corporation) C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\Browny02\BrYNSvc.exe
(Nuance Communications, Inc.) C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgui.exe
(Microsoft Corporation) c:\Program Files\Microsoft Mouse and Keyboard Center\ipoint.exe
(Microsoft Corporation) c:\Program Files\Microsoft Mouse and Keyboard Center\itype.exe
(ThreatTrack Security, Inc.) C:\Program Files (x86)\VIPRE\SBAMSvc.exe
(Brother Industries, Ltd.) C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
(ThreatTrack Security, Inc.) C:\Program Files (x86)\VIPRE\SBAMTray.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RealPlay.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [IgfxTray] - DOWS\SYSTEM32\IGFXTRAY.EXE
HKLM\...\Run: [HotKeysCmds] - DOWS\SYSTEM32\HKCMD.EXE
HKLM\...\Run: [Persistence] - DOWS\SYSTEM32\IGFXPERS.EXE
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10144288 2010-04-13] (Realtek Semiconductor)
HKLM\...\Run: [MSC] - KEY
HKLM\...\Run: [ifaut] - ",GETMARKER
HKLM\...\Run: [SBRegRebootCleaner] - "c:\users\ed\appdata\local\temp\Downloads\CartSdk\sbrc.exe" <===== ATTENTION
HKLM-x32\...\Run: [Dell Webcam Central] - C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM-x32\...\Run: [RemoteControl9] - C:\Program Files (x86)\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM-x32\...\Run: [PDVD9LanguageShortcut] - C:\Program Files (x86)\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM-x32\...\Run: [BDRegion] - C:\Program Files (x86)\Cyberlink\Shared Files\brs.exe [75048 2010-10-26] (cyberlink)
HKLM-x32\...\Run: [Nikon Transfer Monitor] - C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe [485208 2008-09-30] (Nikon Corporation)
HKLM-x32\...\Run: [ISTray] - C:\Program Files (x86)\PC Tools\PC Tools Security\pctsGui.exe [2717816 2012-11-01] (PC Tools)
HKLM-x32\...\Run: [PMBVolumeWatcher] - C:\Program Files (x86)\Sony\PlayMemories Home\PMBVolumeWatcher.exe [739936 2012-11-27] (Sony Corporation)
HKLM-x32\...\Run: [ControlCenter4] - C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [143360 2012-05-29] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] - C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-04-12] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TkBellExe] - C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe [295512 2013-11-22] (RealNetworks, Inc.)
HKLM-x32\...\Run: [IndexSearch] - C:\Program Files (x86)\Nuance\PaperPort\IndexSearch.exe [46952 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [PaperPort PTD] - C:\Program Files (x86)\Nuance\PaperPort\pptd40nt.exe [30568 2011-08-02] (Nuance Communications, Inc.)
HKLM-x32\...\Run: [SBAMTray] - C:\Program Files (x86)\VIPRE\SBAMTray.exe [3216272 2013-09-05] (ThreatTrack Security, Inc.)
HKLM-x32\...\Run: [AVG_UI] - C:\Program Files (x86)\AVG\AVG2014\avgui.exe [4962320 2014-01-22] (AVG Technologies CZ, s.r.o.)
HKU\S-1-5-21-2596667638-1028196044-3400182665-1002\...\Run: [ISUSPM] - C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe [222496 2009-05-05] (Acresso Corporation)
HKU\S-1-5-21-2596667638-1028196044-3400182665-1002\...\Run: [swg] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-07-02] (Google Inc.)
HKU\S-1-5-21-2596667638-1028196044-3400182665-1002\...\Run: [AmazonMP3DownloaderHelper] - C:\Users\Ed\AppData\Local\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe [400704 2013-05-22] ()

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
URLSearchHook: HKCU - PC Tools Browser Guard - {472734EA-242A-422b-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKCU - {6D02E8F1-340A-429B-82AF-83830A563729} URL = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120627003421.dll No File
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: PC Tools Browser Guard BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO-x32: No Name - {5C255C8A-E604-49b4-9D64-90988571CECB} -  No File
BHO-x32: PasswordBox Helper - {5DB69B97-934B-451D-94DB-32EF802A01CD} - C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120627003421.dll No File
BHO-x32: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO-x32: VIPRE Search Guard Helper - {963C8283-AE7F-4AA6-9B3B-847A8FC62C5E} - C:\Program Files (x86)\VIPRE\VSGN.dll ()
BHO-x32: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\PCTBrowserDefender.dll (Threat Expert Ltd.)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKLM-x32 - VIPRE Search Guard Toolbar - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} - C:\Program Files (x86)\VIPRE\VSGN.dll ()
Toolbar: HKCU - No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -  No File
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
DPF: HKLM-x32 {1842B0EE-B597-11D4-8997-00104BD12D94} http://www.pcpitstop.com/internet/pcpConnCheck.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -  No File
Handler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} -  No File
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
Handler-x32: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} - C:\Program Files (x86)\VIPRE\VSGN.dll ()
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1 216.165.129.158

FireFox:
========
FF ProfilePath: C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\7y5fyw9g.default
FF Homepage: hxxp://mysearch.avg.com?cid={D5181F81-39B4-40A0-99D7-8956775256A7}&mid=0a3325f14b0447d1bad2c5b7f37e064a-52341b72a37a7881f2e5e3d571c447f3f46706f6&lang=en&ds=ts019&coid=avgtbdists&pr=sa&d=2013-11-04 17:32:35&v=17.1.3.2&pid=safeguard&sg=0&sap=hp
FF NetworkProxy: "type", 0
FF Plugin: @java.com/DTPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.51.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @Google.com/GoogleEarthPlugin - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.7.2 - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE - disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=16.0.3.51 - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlchromebrowserrecordext;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlpepperflashvideoshim;version=1.3.3 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=16.0.3.51 - C:\Program Files (x86)\Real\RealPlayer\Netscape6\nprpplugin.dll (RealPlayer)
FF Plugin-x32: @realnetworks.com/npdlplugin;version=1 - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin-x32: @tools.google.com/Google Update;version=3 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 - C:\Program Files (x86)\Google\Update\1.3.22.3\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: amazon.com/AmazonMP3DownloaderPlugin - C:\Users\Ed\AppData\Local\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10181.dll (Amazon.com, Inc.)
FF SearchPlugin: C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\7y5fyw9g.default\searchplugins\safeguard-secure-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\McSiteAdvisor.xml
FF Extension: Printing Helper - C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\7y5fyw9g.default\Extensions\pwdwtymvbd@pwdwtymvbd.org.xpi [1644-09-15]
FF HKLM-x32\...\Firefox\Extensions: [{D19CA586-DD6C-4a0a-96F8-14644F340D60}] - C:\Program Files (x86)\Common Files\McAfee\SystemCore
FF HKLM-x32\...\Firefox\Extensions: [{cb84136f-9c44-433a-9048-c5cd9df1dc16}] - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\Firefox\
FF Extension: Browser Guard Toolbar - C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\Firefox\ []
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2013-11-07]
FF HKLM-x32\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext\ []
FF StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======
CHR HomePage: hxxp://mysearch.avg.com/?cid={D5181F81-39B4-40A0-99D7-8956775256A7}&mid=0a3325f14b0447d1bad2c5b7f37e064a-52341b72a37a7881f2e5e3d571c447f3f46706f6&lang=en&ds=ts019&pr=sa&d=2013-09-21 22:14:45&v=17.1.3.2&pid=safeguard&sg=0&sap=hp
CHR RestoreOnStartup: "sync": {
      "suppress_start"
CHR DefaultSearchKeyword: mysearch.avg.com
CHR DefaultSearchProvider: AVG Secure Search
CHR DefaultSearchURL: http://mysearch.avg.com/search?cid={D5181F81-39B4-40A0-99D7-8956775256A7}&mid=0a3325f14b0447d1bad2c5b7f37e064a-52341b72a37a7881f2e5e3d571c447f3f46706f6&lang=en&ds=ts019&coid=avgtbdists&pr=sa&d=2013-11-04 17:32:35&v=17.1.3.2&pid=safeguard&sg=0&sap=dsp&q={searchTerms}
CHR DefaultNewTabURL:
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.107\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.107\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.107\pdf.dll ()
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll (Amazon.com, Inc.)
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Java™ Platform SE 6 U45) - C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (RealNetworks™ RealDownloader Chrome Background Extension Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks™ RealDownloader HTML5VideoShim Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealNetworks™ RealDownloader PepperFlashVideoShim Plug-In (32-bit) ) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
CHR Plugin: (RealDownloader Plugin) - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
CHR Plugin: (Java Deployment Toolkit 6.0.450.6) - C:\Windows\SysWOW64\npdeployJava1.dll (Oracle Corporation)
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrl.dll No File
CHR Plugin: (RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) ) - c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
CHR Plugin: (RealPlayer Download Plugin) - c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
CHR Extension: (Google Docs) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-09-01]
CHR Extension: (Google Drive) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-09-01]
CHR Extension: (YouTube) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-09-01]
CHR Extension: (Google Search) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-09-01]
CHR Extension: (RealDownloader) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji [2013-09-01]
CHR Extension: (Google Wallet) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-01]
CHR Extension: (Gmail) - C:\Users\Ed\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-09-01]
CHR HKLM-x32\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]

==================== Services (Whitelisted) =================

R2 BackupService; C:\Users\Ed\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe [83512 2010-07-01] (ArcSoft, Inc.)
R2 Browser Defender Update Service; C:\Program Files (x86)\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe [580728 2012-10-23] (Threat Expert Ltd.)
S2 CLKMSVC10_9EC60124; C:\Program Files (x86)\CyberLink\PowerDVD9\NavFilter\kmsvc.exe [236016 2010-10-26] (CyberLink)
R2 gfi_lanss11_attservice; C:\Program Files (x86)\GFI\LanGuard 11 Agent\lnssatt.exe [133496 2012-11-23] (GFI Software Development Ltd.)
R2 PasswordBox; C:\Program Files (x86)\PasswordBox\pbbtnService.exe [67584 2013-11-01] (PasswordBox, Inc.)
R2 PDFProFiltSrvPP; C:\Program Files (x86)\Nuance\PaperPort\PDFProFiltSrvPP.exe [145256 2011-08-02] (Nuance Communications, Inc.)
R2 PMBDeviceInfoProvider; C:\Program Files (x86)\Sony\PlayMemories Home\PMBDeviceInfoProvider.exe [479840 2012-11-27] (Sony Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()
R2 SBAMSvc; C:\Program Files (x86)\VIPRE\SBAMSvc.exe [3937472 2013-09-05] (ThreatTrack Security, Inc.)
R2 SBPIMSvc; C:\Program Files (x86)\VIPRE\SBPIMSvc.exe [176016 2013-09-05] (ThreatTrack Security, Inc.)
R2 sdAuxService; C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe [403416 2012-10-31] (PC Tools)
S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [X]
S2 vToolbarUpdater17.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\17.3.0\ToolbarUpdater.exe [X]

==================== Drivers (Whitelisted) ====================

R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [36096 2013-05-21] (Advanced Micro Devices, Inc.)
S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [57144 2013-09-26] ()
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [294712 2013-10-31] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [46368 2013-11-21] (AVG Technologies)
S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [41032 2013-05-23] (ThreatTrack Security)
S3 gfiutil; C:\Windows\System32\drivers\gfiutil.sys [31264 2013-09-04] (ThreatTrack Security)
S3 hitmanpro36; C:\Windows\system32\drivers\hitmanpro36.sys [30496 2012-11-08] ()
R3 L1C; C:\Windows\System32\DRIVERS\L1C60x64.sys [72744 2009-12-22] (Atheros Communications, Inc.)
S3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [98688 2012-03-20] (Microsoft Corporation)
S3 PCTBD; C:\Windows\System32\Drivers\PCTBD64.sys [77144 2012-10-23] (PC Tools)
R0 PCTCore; C:\Windows\System32\drivers\PCTCore64.sys [413448 2012-10-22] (PC Tools)
R0 pctDS; C:\Windows\System32\drivers\pctDS64.sys [453896 2012-02-28] (PC Tools)
S3 pctplsm; C:\Windows\System32\drivers\pctplsm64.sys [87968 2012-11-01] (PC Tools)
R1 PCTSD; C:\Windows\System32\Drivers\PCTSD64.sys [253256 2012-11-01] (PC Tools)
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
R2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [88928 2013-06-18] (ThreatTrack Security, Inc.)
S3 Serial; C:\Windows\system32\drivers\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [16152 2013-10-04] ()
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0; \??\c:\gencotst\pcdsrvc_x64.pkms [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2099-12-00 01:00 - 21552-30453-00 00:00 - 00000000 _____ () C:\Users\Ed\Documents\lpt1
2014-02-11 14:46 - 2014-02-11 14:46 - 00000000 ____D () C:\FRST
2014-02-11 14:26 - 2014-02-11 14:40 - 00000000 ____D () C:\AdwCleaner
2014-02-10 08:38 - 2014-02-10 18:14 - 00000000 ____D () C:\Users\Ed\Documents\!!AAAA!!!!!!!!!!SAVE NEW 2 10 14
2014-02-09 13:52 - 2014-02-09 13:52 - 00035562 _____ () C:\ComboFix.txt
2014-02-09 06:28 - 2014-02-09 06:28 - 00017721 _____ () C:\Users\Ed\Desktop\Bleeping txt.txt
2014-02-09 06:28 - 2014-02-09 06:28 - 00005550 _____ () C:\Users\Ed\Desktop\Bleeping attach.txt
2014-02-09 06:20 - 2014-02-09 06:20 - 00017721 _____ () C:\Users\Ed\Desktop\dds.txt
2014-02-09 06:20 - 2014-02-09 06:20 - 00005550 _____ () C:\Users\Ed\Desktop\attach.txt
2014-02-07 09:21 - 2014-02-07 09:21 - 00000000 ____D () C:\Users\Ed\AppData\Roaming\AVG2014
2014-02-07 09:20 - 2014-02-07 09:20 - 00279088 _____ () C:\Windows\Minidump\020714-35552-01.dmp
2014-02-07 09:19 - 2014-02-07 09:19 - 657071642 _____ () C:\Windows\MEMORY.DMP
2014-02-07 09:18 - 2014-02-07 09:18 - 00000000 ____D () C:\ProgramData\AVG2014
2014-02-07 09:18 - 2014-02-07 09:18 - 00000000 ____D () C:\$AVG
2014-02-07 09:17 - 2014-02-07 09:17 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-02-07 09:12 - 2014-02-07 09:12 - 00000000 ____D () C:\Users\Ed\AppData\Local\MFAData
2014-02-07 09:12 - 2014-02-07 09:12 - 00000000 ____D () C:\Users\Ed\AppData\Local\Avg2014
2014-02-07 08:55 - 2014-02-07 08:56 - 00003392 _____ () C:\Users\Ed\Desktop\Rkill.txt
2014-02-07 08:54 - 2014-02-07 08:54 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Ed\Downloads\rkill.exe
2014-02-06 06:05 - 2014-02-11 14:41 - 00002146 _____ () C:\Windows\setupact.log
2014-02-06 06:05 - 2014-02-06 06:05 - 00000000 _____ () C:\Windows\setuperr.log
2014-02-06 06:04 - 2014-02-11 14:41 - 00001828 _____ () C:\Windows\PFRO.log
2014-02-05 18:29 - 2014-02-05 18:29 - 00312744 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-02-05 18:29 - 2014-02-05 18:29 - 00189352 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-02-05 18:29 - 2014-02-05 18:29 - 00189352 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-02-05 18:29 - 2014-02-05 18:29 - 00108968 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-02-05 18:29 - 2014-02-05 18:29 - 00000000 ____D () C:\Program Files\Java
2014-02-05 18:27 - 2014-02-05 18:28 - 30796712 _____ (Oracle Corporation) C:\Users\Ed\Downloads\jre-7u51-windows-x64.exe
2014-02-05 18:14 - 2014-02-05 18:14 - 00000139 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log
2014-02-05 18:14 - 2014-02-05 18:14 - 00000000 _____ () C:\Windows\SysWOW64\REN7B13.tmp
2014-02-05 18:14 - 2014-02-05 18:14 - 00000000 _____ () C:\Windows\SysWOW64\REN7B12.tmp
2014-02-05 18:12 - 2014-02-05 18:12 - 00921000 _____ (Oracle Corporation) C:\Users\Ed\Downloads\chromeinstall-7u51.exe
2014-02-05 17:58 - 2014-02-05 17:58 - 00002992 _____ () C:\Windows\System32\Tasks\{44F29CCA-4605-49D8-BE23-1B1599B32690}
2014-02-04 18:39 - 2014-02-04 18:39 - 01863926 _____ () C:\Users\Ed\Documents\Why we fck.mht
2014-02-04 18:35 - 2014-02-04 18:35 - 00897265 _____ () C:\Users\Ed\Documents\The elegant secret to self-discipline.mht
2014-02-02 12:31 - 2014-02-02 12:31 - 00000000 ____D () C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon
2014-02-01 20:38 - 2014-02-01 20:40 - 00000000 ____D () C:\Users\Ed\Documents\The Persians
2014-02-01 20:25 - 2014-02-01 20:28 - 15070576 _____ (Systweak Software ) C:\Users\Ed\Downloads\aso3setup.exe
2014-02-01 19:43 - 2014-02-01 19:43 - 00000000 ____D () C:\Users\Ed\Documents\SIMON
2014-01-27 23:35 - 2014-01-27 23:35 - 00021213 _____ () C:\Users\Ed\Documents\Why creative people tend to be eccentric.htm
2014-01-27 23:35 - 2014-01-27 23:35 - 00000000 ____D () C:\Users\Ed\Documents\Why creative people tend to be eccentric_files
2014-01-22 10:05 - 2014-02-07 10:47 - 00003346 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2596667638-1028196044-3400182665-1002
2014-01-22 08:52 - 2014-01-22 08:52 - 00206080 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\system32\Drivers\ssudmdm.sys
2014-01-22 08:52 - 2014-01-22 08:52 - 00108800 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\system32\Drivers\ssudbus.sys
2014-01-21 14:19 - 2014-01-21 14:19 - 00001904 _____ () C:\Users\Public\Desktop\VIPRE.lnk
2014-01-21 14:19 - 2014-01-21 14:19 - 00000000 ____D () C:\Users\Ed\AppData\Roaming\deb27c1a-00e6-4263-94b2-8b78ea4d32ae
2014-01-21 14:18 - 2013-09-05 21:33 - 00048016 _____ (ThreatTrack Security, Inc.) C:\Windows\system32\sbbd.exe
2014-01-21 14:17 - 2014-01-21 14:19 - 00000000 ____D () C:\Program Files (x86)\VIPRE
2014-01-21 14:17 - 2014-01-21 14:17 - 00000000 ____D () C:\Users\Default\AppData\Roaming\VIPRE
2014-01-21 14:17 - 2014-01-21 14:17 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\VIPRE
2014-01-21 14:17 - 2014-01-21 14:17 - 00000000 ____D () C:\ProgramData\GFI
2014-01-21 14:17 - 2014-01-21 14:17 - 00000000 ____D () C:\Program Files (x86)\GFI
2014-01-21 14:15 - 2014-01-21 14:19 - 00000000 ____D () C:\ProgramData\VIPRE
2014-01-21 14:11 - 2014-01-21 14:17 - 00000000 ____D () C:\Users\Ed\AppData\Roaming\VIPRE
2014-01-21 14:11 - 2014-01-21 14:11 - 00000000 ____D () C:\Users\Ed\AppData\Local\VIPRE
2014-01-14 14:39 - 2013-11-26 20:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-01-14 14:39 - 2013-11-26 20:41 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-01-14 14:39 - 2013-11-26 20:41 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-01-14 14:39 - 2013-11-26 20:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-01-14 14:39 - 2013-11-26 20:41 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-01-14 14:39 - 2013-11-26 20:41 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2014-01-14 14:39 - 2013-11-26 20:41 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-01-14 14:39 - 2013-11-26 06:40 - 00376768 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\netio.sys
2014-01-14 14:39 - 2013-11-26 05:32 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

==================== One Month Modified Files and Folders =======

2099-12-00 00:00 - 21552-30453-00 00:00 - 00000000 _____ () C:\Users\Ed\Documents\lpt1
2014-02-11 14:46 - 2014-02-11 14:46 - 00000000 ____D () C:\FRST
2014-02-11 14:46 - 2013-08-24 20:05 - 01478052 _____ () C:\Windows\WindowsUpdate.log
2014-02-11 14:41 - 2014-02-06 06:05 - 00002146 _____ () C:\Windows\setupact.log
2014-02-11 14:41 - 2014-02-06 06:04 - 00001828 _____ () C:\Windows\PFRO.log
2014-02-11 14:41 - 2011-07-02 18:48 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-11 14:41 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-11 14:40 - 2014-02-11 14:26 - 00000000 ____D () C:\AdwCleaner
2014-02-11 14:28 - 2009-07-14 00:13 - 00804166 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-11 14:27 - 2011-07-02 18:48 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-11 14:25 - 2013-06-07 05:04 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-02-10 18:14 - 2014-02-10 08:38 - 00000000 ____D () C:\Users\Ed\Documents\!!AAAA!!!!!!!!!!SAVE NEW 2 10 14
2014-02-10 18:14 - 2011-10-15 16:43 - 00000000 ____D () C:\Users\Ed\Documents\CERAMICS
2014-02-09 14:41 - 2012-04-17 15:41 - 00000000 ____D () C:\Users\Ed\Documents\TurboTax
2014-02-09 14:27 - 2012-04-17 15:33 - 00000774 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2014-02-09 13:52 - 2014-02-09 13:52 - 00035562 _____ () C:\ComboFix.txt
2014-02-09 13:52 - 2012-08-07 19:03 - 00000000 ____D () C:\Qoobox
2014-02-09 13:51 - 2009-07-13 21:34 - 00000215 _____ () C:\Windows\system.ini
2014-02-09 06:28 - 2014-02-09 06:28 - 00017721 _____ () C:\Users\Ed\Desktop\Bleeping txt.txt
2014-02-09 06:28 - 2014-02-09 06:28 - 00005550 _____ () C:\Users\Ed\Desktop\Bleeping attach.txt
2014-02-09 06:20 - 2014-02-09 06:20 - 00017721 _____ () C:\Users\Ed\Desktop\dds.txt
2014-02-09 06:20 - 2014-02-09 06:20 - 00005550 _____ () C:\Users\Ed\Desktop\attach.txt
2014-02-08 22:09 - 2009-07-13 23:45 - 00028528 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-08 22:09 - 2009-07-13 23:45 - 00028528 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-07 20:32 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-02-07 10:47 - 2014-01-22 10:05 - 00003346 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2596667638-1028196044-3400182665-1002
2014-02-07 10:31 - 2013-06-06 14:58 - 00000000 ____D () C:\Users\Ed\Desktop\install
2014-02-07 10:30 - 2012-02-11 17:07 - 00000000 ____D () C:\ProgramData\MFAData
2014-02-07 10:23 - 2013-12-09 21:52 - 00003368 _____ () C:\Windows\System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2596667638-1028196044-3400182665-1002
2014-02-07 09:21 - 2014-02-07 09:21 - 00000000 ____D () C:\Users\Ed\AppData\Roaming\AVG2014
2014-02-07 09:20 - 2014-02-07 09:20 - 00279088 _____ () C:\Windows\Minidump\020714-35552-01.dmp
2014-02-07 09:20 - 2012-03-03 18:00 - 00000000 ____D () C:\Windows\Minidump
2014-02-07 09:19 - 2014-02-07 09:19 - 657071642 _____ () C:\Windows\MEMORY.DMP
2014-02-07 09:18 - 2014-02-07 09:18 - 00000000 ____D () C:\ProgramData\AVG2014
2014-02-07 09:18 - 2014-02-07 09:18 - 00000000 ____D () C:\$AVG
2014-02-07 09:17 - 2014-02-07 09:17 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-02-07 09:12 - 2014-02-07 09:12 - 00000000 ____D () C:\Users\Ed\AppData\Local\MFAData
2014-02-07 09:12 - 2014-02-07 09:12 - 00000000 ____D () C:\Users\Ed\AppData\Local\Avg2014
2014-02-07 08:56 - 2014-02-07 08:55 - 00003392 _____ () C:\Users\Ed\Desktop\Rkill.txt
2014-02-07 08:54 - 2014-02-07 08:54 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Ed\Downloads\rkill.exe
2014-02-07 04:04 - 2012-02-01 16:47 - 00003938 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{ACC5B4AE-5FA0-4AE6-9DEF-8A7744401445}
2014-02-06 06:05 - 2014-02-06 06:05 - 00000000 _____ () C:\Windows\setuperr.log
2014-02-05 18:29 - 2014-02-05 18:29 - 00312744 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2014-02-05 18:29 - 2014-02-05 18:29 - 00189352 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2014-02-05 18:29 - 2014-02-05 18:29 - 00189352 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2014-02-05 18:29 - 2014-02-05 18:29 - 00108968 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2014-02-05 18:29 - 2014-02-05 18:29 - 00000000 ____D () C:\Program Files\Java
2014-02-05 18:28 - 2014-02-05 18:27 - 30796712 _____ (Oracle Corporation) C:\Users\Ed\Downloads\jre-7u51-windows-x64.exe
2014-02-05 18:15 - 2013-10-31 13:34 - 00000000 ____D () C:\ProgramData\Oracle
2014-02-05 18:14 - 2014-02-05 18:14 - 00000139 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log
2014-02-05 18:14 - 2014-02-05 18:14 - 00000000 _____ () C:\Windows\SysWOW64\REN7B13.tmp
2014-02-05 18:14 - 2014-02-05 18:14 - 00000000 _____ () C:\Windows\SysWOW64\REN7B12.tmp
2014-02-05 18:14 - 2012-04-28 00:44 - 00000000 ____D () C:\Program Files (x86)\Java
2014-02-05 18:12 - 2014-02-05 18:12 - 00921000 _____ (Oracle Corporation) C:\Users\Ed\Downloads\chromeinstall-7u51.exe
2014-02-05 17:58 - 2014-02-05 17:58 - 00002992 _____ () C:\Windows\System32\Tasks\{44F29CCA-4605-49D8-BE23-1B1599B32690}
2014-02-05 07:55 - 2013-09-21 21:14 - 00000000 ____D () C:\Program Files (x86)\AVG SafeGuard toolbar
2014-02-05 01:36 - 2013-06-07 05:04 - 00692616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-02-05 01:36 - 2013-06-07 05:04 - 00071048 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-02-05 01:36 - 2013-06-07 05:04 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-02-04 18:39 - 2014-02-04 18:39 - 01863926 _____ () C:\Users\Ed\Documents\Why we fck.mht
2014-02-04 18:35 - 2014-02-04 18:35 - 00897265 _____ () C:\Users\Ed\Documents\The elegant secret to self-discipline.mht
2014-02-03 15:09 - 2013-09-08 05:31 - 00002189 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-02-02 12:31 - 2014-02-02 12:31 - 00000000 ____D () C:\Users\Ed\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Amazon
2014-02-01 20:40 - 2014-02-01 20:38 - 00000000 ____D () C:\Users\Ed\Documents\The Persians
2014-02-01 20:28 - 2014-02-01 20:25 - 15070576 _____ (Systweak Software ) C:\Users\Ed\Downloads\aso3setup.exe
2014-02-01 19:43 - 2014-02-01 19:43 - 00000000 ____D () C:\Users\Ed\Documents\SIMON
2014-02-01 19:08 - 2013-01-22 18:57 - 00002372 _____ () C:\Windows\system32\LexFiles.ulf
2014-02-01 19:08 - 2013-01-20 18:06 - 00000000 ____D () C:\Program Files (x86)\Lexmark Toolbar
2014-02-01 19:07 - 2013-04-09 05:50 - 00000386 _____ () C:\lxdd.log
2014-02-01 19:07 - 2013-01-22 18:59 - 00000000 ____D () C:\Program Files (x86)\Lexmark Fax Solutions
2014-01-27 23:35 - 2014-01-27 23:35 - 00021213 _____ () C:\Users\Ed\Documents\Why creative people tend to be eccentric.htm
2014-01-27 23:35 - 2014-01-27 23:35 - 00000000 ____D () C:\Users\Ed\Documents\Why creative people tend to be eccentric_files
2014-01-25 08:08 - 2013-01-30 21:04 - 00000000 ____D () C:\Program Files\CCleaner
2014-01-24 14:07 - 2013-11-21 17:48 - 00000000 ____D () C:\Program Files (x86)\PasswordBox
2014-01-22 08:52 - 2014-01-22 08:52 - 00206080 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\system32\Drivers\ssudmdm.sys
2014-01-22 08:52 - 2014-01-22 08:52 - 00108800 _____ (DEVGURU Co., LTD.(www.devguru.co.kr)) C:\Windows\system32\Drivers\ssudbus.sys
2014-01-21 17:58 - 2011-07-03 05:27 - 00000000 ____D () C:\Users\Ed\AppData\Local\Adobe
2014-01-21 14:19 - 2014-01-21 14:19 - 00001904 _____ () C:\Users\Public\Desktop\VIPRE.lnk
2014-01-21 14:19 - 2014-01-21 14:19 - 00000000 ____D () C:\Users\Ed\AppData\Roaming\deb27c1a-00e6-4263-94b2-8b78ea4d32ae
2014-01-21 14:19 - 2014-01-21 14:17 - 00000000 ____D () C:\Program Files (x86)\VIPRE
2014-01-21 14:19 - 2014-01-21 14:15 - 00000000 ____D () C:\ProgramData\VIPRE
2014-01-21 14:17 - 2014-01-21 14:17 - 00000000 ____D () C:\Users\Default\AppData\Roaming\VIPRE
2014-01-21 14:17 - 2014-01-21 14:17 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\VIPRE
2014-01-21 14:17 - 2014-01-21 14:17 - 00000000 ____D () C:\ProgramData\GFI
2014-01-21 14:17 - 2014-01-21 14:17 - 00000000 ____D () C:\Program Files (x86)\GFI
2014-01-21 14:17 - 2014-01-21 14:11 - 00000000 ____D () C:\Users\Ed\AppData\Roaming\VIPRE
2014-01-21 14:17 - 2013-03-17 17:32 - 00000000 ____D () C:\Users\Ed\AppData\Roaming\GFI Software
2014-01-21 14:11 - 2014-01-21 14:11 - 00000000 ____D () C:\Users\Ed\AppData\Local\VIPRE
2014-01-16 17:41 - 2013-03-17 19:29 - 00000000 ____D () C:\Windows\Patches
2014-01-15 17:28 - 2009-07-13 23:45 - 00427480 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-01-15 08:02 - 2013-12-18 21:57 - 00000000 ____D () C:\Windows\system32\MRT
2014-01-15 08:00 - 2011-07-01 09:29 - 86054176 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-01-14 03:51 - 2009-07-14 00:08 - 00032596 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

ZeroAccess:
C:\Users\Ed\AppData\Local\{8345bfca-c9ab-7e87-073d-8b5ac307534d}

Files to move or delete:
====================
C:\ProgramData\PKP_DLdu.DAT

Some content of TEMP:
====================
C:\Users\Ed\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

LastRegBack: 2014-02-08 22:31

==================== End Of Log ============================

Thanks so much for your help!     ED
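For anyone reading along: the FRST log above contains several entries a responder would want to pick out quickly, such as the path listed under "ZeroAccess:", the file named lpt1 (a reserved DOS device name) carrying an impossible timestamp, the Firefox extension dated 1644, services and drivers marked "[X]" (binary missing), handlers and plugins whose file is "No File", and the Run entry FRST itself tagged "<===== ATTENTION". The Python script below is an added example, not part of this thread and not FRST's own code: it applies those heuristics to a handful of lines copied from the log above. The line formats it parses, the 1995 lower bound on plausible dates and the log date of 2014-02-11 are my assumptions.

```python
import re
from datetime import datetime

# Reserved MS-DOS device names. Win32 treats such a file name as the device itself,
# so ordinary tools cannot open or delete the file; malware uses this to persist.
RESERVED_DEVICE_NAMES = (
    {"con", "prn", "aux", "nul"}
    | {f"com{i}" for i in range(1, 10)}
    | {f"lpt{i}" for i in range(1, 10)}
)

# "created - modified - size attrs (vendor) path", as FRST prints file entries (assumed format)
FILE_ENTRY = re.compile(
    r"^(?P<created>\S+ \S+) - (?P<modified>\S+ \S+) - (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<vendor>[^)]*)\) (?P<path>.+)$"
)
# "R2 Name; path [size date] (Vendor)" or "S3 Name; path [X]" service/driver entries
SVC_ENTRY = re.compile(r"^[RSU]\d [^;]+; (?P<path>.+?) (?P<tail>\[.*)$")
# trailing "[YYYY-MM-DD]" on browser extension entries
BRACKET_DATE = re.compile(r"\[(\d{4}-\d{2}-\d{2})\]\s*$")

EARLIEST = datetime(1995, 1, 1)           # assumption: nothing older than this is genuine
LOG_DATE = datetime(2014, 2, 11, 23, 59)  # assumption: the day the log above was taken


def plausible(ts, earliest=EARLIEST, latest=LOG_DATE):
    """True if ts parses as a real calendar date inside [earliest, latest]."""
    for fmt in ("%Y-%m-%d %H:%M", "%Y-%m-%d"):
        try:
            return earliest <= datetime.strptime(ts, fmt) <= latest
        except ValueError:
            continue  # "2099-12-00" and "21552-30453-00" land here
    return False


def triage(lines, log_date=LOG_DATE):
    """Return [(reason, line)] for log entries that deserve a second look."""
    findings = []
    in_zeroaccess = False
    for raw in lines:
        line = raw.rstrip()
        if not line:                      # a blank line closes the ZeroAccess block
            in_zeroaccess = False
            continue
        if line.startswith("ZeroAccess:"):
            in_zeroaccess = True
            continue
        if in_zeroaccess:
            findings.append(("listed under ZeroAccess", line))
            continue
        if "<===== ATTENTION" in line:
            findings.append(("flagged ATTENTION by FRST", line))
        if line.endswith("No File"):
            findings.append(("registered component whose file is missing", line))
        m = SVC_ENTRY.match(line)
        if m:
            if m.group("tail").startswith("[X]"):
                findings.append(("service/driver whose binary is missing", line))
            elif m.group("tail").endswith("()") and m.group("path").lower().endswith(".sys"):
                findings.append(("driver with no vendor string", line))
        m = FILE_ENTRY.match(line)
        if m:
            for ts in (m.group("created"), m.group("modified")):
                if not plausible(ts, EARLIEST, log_date):
                    findings.append((f"implausible timestamp {ts}", line))
                    break
            name = m.group("path").rsplit("\\", 1)[-1].lower()
            if name in RESERVED_DEVICE_NAMES:
                findings.append((f"reserved device name '{name}' used as file name", line))
        m = BRACKET_DATE.search(line)
        if m and not plausible(m.group(1), EARLIEST, log_date):
            findings.append((f"implausible timestamp {m.group(1)}", line))
    return findings


# Lines excerpted verbatim from the FRST log posted above, plus one clean entry (rkill.exe).
SAMPLE_LOG = [
    "Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -  No File",
    r"FF Extension: Printing Helper - C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\7y5fyw9g.default\Extensions\pwdwtymvbd@pwdwtymvbd.org.xpi [1644-09-15]",
    r"S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [57144 2013-09-26] ()",
    r"S2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [X]",
    r"2099-12-00 01:00 - 21552-30453-00 00:00 - 00000000 _____ () C:\Users\Ed\Documents\lpt1",
    r"2014-02-07 08:54 - 2014-02-07 08:54 - 01933048 _____ (Bleeping Computer, LLC) C:\Users\Ed\Downloads\rkill.exe",
    "",
    "ZeroAccess:",
    r"C:\Users\Ed\AppData\Local\{8345bfca-c9ab-7e87-073d-8b5ac307534d}",
    "",
    r'HKLM\...\Run: [SBRegRebootCleaner] - "c:\users\ed\appdata\local\temp\Downloads\CartSdk\sbrc.exe" <===== ATTENTION',
]

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run it as-is to see the eight findings from the sample, or feed it a whole FRST.txt with `triage(open("FRST.txt", encoding="utf-8"))`. The output is a shortlist, not a verdict: "No File" is often just a leftover from an uninstalled program, and a driver without a vendor string is not necessarily unsigned, so each hit still needs a human (or the helper in the thread) to look at it.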



#7 xXToffeeXx (Malware Response Instructor)

Posted 12 February 2014 - 01:28 PM

Hi wrongheaded2,

Please take note of the multiple antivirus warning from my last post:

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti-virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove two of these: AVG 2014, VIPRE Internet Security or PC Tools Spyware Doctor with AntiVirus 9.1

AVG removal tool (make sure to download the 2014 64-bit one) - http://www.avg.com/gb-en/utilities

--------------

Uninstall a program using add/remove programs:

  • Click the Windows logo on the taskbar and then click on the "Control Panel" option.
  • Click on Uninstall a program under the Programs section. 
  • A list of programs installed will be "populated", this may take a bit of time.
  • If they exist, uninstall the following by clicking on the following entries and selecting "remove":

ARO 2012

  • Additional instructions can be found here if needed.

--------------

Double click on AdwCleaner.exe to run the tool again.

  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

--------------

We need to run a fix with FRST:

  • Press ctrl + R and type notepad into the run box which appears. Press enter.
  • Copy and paste the script below in the notepad document:

    Task: {4AA7AC02-C387-4E01-B1CE-A44F81542649} - System32\Tasks\{6FE1B3A3-3E23-4CCB-9DB3-E8DEBC4910A4} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
    Task: C:\Windows\Tasks\ErrorEND.job => C:\Program Files\ErrorEND\ErrorEND.exe
    AlternateDataStreams: C:\ProgramData\Temp:430C6D84
    AlternateDataStreams: C:\ProgramData\Temp:DFC5A2B2
    HKLM\...\Run: [SBRegRebootCleaner] - "c:\users\ed\appdata\local\temp\Downloads\CartSdk\sbrc.exe" <===== ATTENTION
    BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120627003421.dll No File
    C:\ProgramData\PKP_DLdu.DAT

  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

 

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply

 

--------------

 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

 

--------------

 

Please post the log Rkill made into your next reply. It should be located on your desktop, named rkill.txt.

 

--------------

 

To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • New AdwCleaner log
  • Fixlog.txt
  • FSS log
  • Rkill.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#8 wrongheaded2

  • Topic Starter
  • Members
  • 9 posts

Posted 14 February 2014 - 07:53 PM

# AdwCleaner v3.018 - Report created 12/02/2014 at 19:47:06
# Updated 28/01/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Ed - MININT-O5DENPH
# Running from : F:\Bleeping\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\Users\Ed\AppData\Local\Temp\Uninstall.exe

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Secure Search

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v

[ File : C:\Users\Ed\AppData\Roaming\Mozilla\Firefox\Profiles\7y5fyw9g.default\prefs.js ]
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-02-2014 01
Ran by Ed at 2014-02-12 20:11:31 Run:1
Running from F:\Bleeping
Boot Mode: Normal
==============================================

Content of fixlist:
*****************

Task: {4AA7AC02-C387-4E01-B1CE-A44F81542649} - System32\Tasks\{6FE1B3A3-3E23-4CCB-9DB3-E8DEBC4910A4} => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe
Task: C:\Windows\Tasks\ErrorEND.job => C:\Program Files\ErrorEND\ErrorEND.exe
AlternateDataStreams: C:\ProgramData\Temp:430C6D84
AlternateDataStreams: C:\ProgramData\Temp:DFC5A2B2
HKLM\...\Run: [SBRegRebootCleaner] - "c:\users\ed\appdata\local\temp\Downloads\CartSdk\sbrc.exe" <===== ATTENTION
BHO-x32: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120627003421.dll No File
C:\ProgramData\PKP_DLdu.DAT

*****************

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4AA7AC02-C387-4E01-B1CE-A44F81542649} => Error deleting key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4AA7AC02-C387-4E01-B1CE-A44F81542649} => Error deleting key
C:\Windows\System32\Tasks\{6FE1B3A3-3E23-4CCB-9DB3-E8DEBC4910A4} => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{6FE1B3A3-3E23-4CCB-9DB3-E8DEBC4910A4} => Error deleting key
C:\Windows\Tasks\ErrorEND.job => Moved successfully.
C:\ProgramData\Temp => ":430C6D84" ADS removed successfully.
C:\ProgramData\Temp => ":DFC5A2B2" ADS removed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\SBRegRebootCleaner => Value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{7DB2D5A0-7241-4E79-B68D-6309F01C5231} => Key deleted successfully.
C:\ProgramData\PKP_DLdu.DAT => Moved successfully.

==== End of Fixlog ====
Farbar Service Scanner Version: 02-02-2014
Ran by Ed (administrator) on 12-02-2014 at 20:15:10
Running from "G:\Bleeping"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Other errors
Attempt to access Yahoo.com returned error: Other errors


Windows Firewall:
=============

Firewall Disabled Policy: 
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy: 
========================


Action Center:
============

Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.


Windows Update:
============

Windows Autoupdate Disabled Policy: 
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****
Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
  http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 02/12/2014 08:18:09 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = dword:00000000

Checking Windows Service Integrity: 

 * No issues found.

Searching for Missing Digital Signatures: 

 * No issues found.

Checking HOSTS File: 

 * HOSTS file entries found: 

  127.0.0.1       localhost

Program finished at: 02/12/2014 08:18:15 PM
Execution time: 0 hours(s), 0 minute(s), and 6 seconds(s)

Thanks, Toffee!!



#9 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 16 February 2014 - 04:23 PM

Hi wrongheaded2,
 
We need to run a registry script:
  • First, make a system restore point using these instructions
  • Click the Windows Start Orb in the bottom-left
  • In the search box, type notepad, then click on Notepad to open it
  • Copy and paste the following text into the notepad document:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}]
    "AutoStart"=""
  • Click on File, then Save As...
  • Click on your Desktop as the save location, then in the file name box type: fix.reg
  • Click save and close the notepad document
  • Double-click the file fix.reg on your desktop
    note: if prompted by User Account Control, select Yes or Allow so the fix can continue
  • A message will appear about adding information into the registry, click Yes when prompted
  • A prompt should appear that the information was added successfully
    note: if not, please note the error message and post it in your next reply
  • Right-click on fix.reg and click Delete, then click Yes to confirm.

--------------
 
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.

Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
 

--------------
 
Please run FRST from the desktop (like you did before) and press the scan button. It will produce a FRST.txt log located on the desktop, please copy and paste the contents into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:
  • Malwarebytes log
  • New FRST.txt log
xXToffeeXx~


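A read-only follow-up check for the items the FRST fixlist in post #7, the Fixlog/FSS output in post #8 and the fix.reg in post #9 dealt with. This is an added example, not the thread's own instructions and not code from FRST, FSS, Rkill or Malwarebytes; it assumes the same machine and uses only the paths and GUIDs quoted in the thread.

```powershell
# Added example (not the thread's own instructions, nor code from FRST, FSS or Rkill):
# a read-only follow-up check for the items the FRST fixlist, FSS and the fix.reg
# in this thread dealt with. It reports and changes nothing. The paths and GUIDs
# are the ones quoted in the thread; run from an elevated PowerShell prompt.

$findings = New-Object System.Collections.Generic.List[string]

function Test-LeftoverKey([string]$Path, [string]$Label) {
    # Report a registry key that the fix was supposed to remove
    if (Test-Path -LiteralPath $Path) { $findings.Add("still present: $Label ($Path)") }
}

# 1. Autorun value FRST deleted (HKLM Run "SBRegRebootCleaner")
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['SBRegRebootCleaner']) {
    $findings.Add("still present: Run value SBRegRebootCleaner -> $($run.SBRegRebootCleaner)")
}

# 2. 32-bit BHO (scriptproxy, DLL missing) that FRST removed
Test-LeftoverKey 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}' 'BHO scriptproxy'

# 3. TaskCache keys the Fixlog reported "Error deleting key" for
$taskCache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
Test-LeftoverKey "$taskCache\Tasks\{4AA7AC02-C387-4E01-B1CE-A44F81542649}" 'TaskCache task entry'
Test-LeftoverKey "$taskCache\Tree\{6FE1B3A3-3E23-4CCB-9DB3-E8DEBC4910A4}" 'TaskCache tree entry'

# 4. Alternate data streams on C:\ProgramData\Temp (FRST removed :430C6D84 and :DFC5A2B2).
#    Stream enumeration on a directory needs a PowerShell build that supports it;
#    where it does not, the call fails silently and this check reports nothing.
Get-Item -LiteralPath 'C:\ProgramData\Temp' -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { $findings.Add("ADS still present: $($_.FileName):$($_.Stream)") }

# 5. Firewall policy FSS and Rkill both flagged (EnableFirewall = 0 in StandardProfile)
$fwPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
$fw = Get-ItemProperty -Path $fwPath -ErrorAction SilentlyContinue
if ($fw -and $fw.EnableFirewall -eq 0) { $findings.Add('Windows Firewall disabled by policy (EnableFirewall=0)') }

# 6. Action Center notification icon key that fix.reg recreates (FSS: "The key does not exist")
$sso = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}'
if (-not (Test-Path -LiteralPath $sso)) { $findings.Add('Action Center ShellServiceObjects key missing') }

if ($findings.Count -eq 0) { 'No leftovers from the thread items found.' } else { $findings }
```

Anything it lists is a sign that the corresponding FRST, FSS or fix.reg step did not take, which is exactly what the follow-up FRST.txt and Malwarebytes logs requested in the post are meant to confirm.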

#10 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 17 February 2014 - 07:07 AM

Hi,

 

Just to let you know, I'm going to be away for a few days and won't be able to post. Another colleague will continue working with you on getting the problem sorted.

 

Sorry for the inconvenience.

 

xXToffeeXx~




#11 xXToffeeXx

    Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,015 posts
  • Gender:Female
  • Location:The Arctic Circle

Posted 21 February 2014 - 02:39 PM

Hi wrongheaded2,

 

This is a 3 day bump:

 

It has been more than 3 days since my last post.

  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

 

xXToffeeXx~


Edited by xXToffeeXx, 21 February 2014 - 02:39 PM.



#12 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,571 posts
  • Gender:Female
  • Location:Romania

Posted 24 February 2014 - 11:45 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft




