
AVG won't open, blocked by group policy


This topic is locked
9 replies to this topic

#1 P-Methley


Posted 20 September 2014 - 06:17 PM

I think I have a virus or something, as the laptop isn't working as usual and won't allow me to change or open AVG. I get a pop-up of "blocked by group policy, contact administrator".

 

I did the DDS, but it only gave me one txt file, the attach.txt, and so as instructed I have attached it.

 

Would be grateful for any help at all :) Thanks


#2 P-Methley


Posted 21 September 2014 - 09:49 AM

Any help would be really appreciated. I tried looking online for any kind of useful info on how to fix it and am getting nowhere. Thanks again :)



#3 Sirawit

Malware Response Team

Posted 22 September 2014 - 07:56 AM

Hello P-Methley and welcome to BleepingComputer! :)

My name is Sirawit and I'm here to help you.

Please note that I'm currently in training and my fixes need to be checked for approval first. That may delay our fix a bit, but I will normally reply back within 24 hours.

If I don't reply after 2 days, feel free to PM me. :)

==========================================================================

Some points for you to keep in mind:

  • Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

==========================================================================


Farbar Recovery Scan Tool (FRST)

  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop.
  • If you are unsure if you have 32 bit or 64 bit, simply download and try one. If that doesn't run properly, the other one should.
  • Double click the icon.
  • Click Yes to the disclaimer.
  • Make sure the Addition.txt box is checked.
  • Click Scan and allow the program to run.
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen.
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply.

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#4 P-Methley


Posted 22 September 2014 - 08:28 AM

Hi, thank you. I'm at work right now; as soon as I get in (in 1 hour's time) I will do the above. I have a CD which you could put music on; would this be adequate to back up?

 

I don't mind losing things on my computer, as nothing is important as such; it would be the Microsoft (Windows) I can't lose, as I'm not sure where my initial disks are kept.

 

Do I just back everything up onto the disc? Also, won't it all be infected, and as soon as I put it back onto the laptop once virus/trojan free?

 

Also, I tried the Farbar Recovery Scan Tool (FRST), but it only gave me one notepad, the Attach.txt. Could I have done something wrong, or is this normal?

 

Many Thanks 

P-Methley


Edited by P-Methley, 22 September 2014 - 08:33 AM.


#5 Sirawit


Posted 22 September 2014 - 08:32 AM

Yes that will be adequate.

 

You should back up your important documents etc, but not executable files or something like that.

 

FRST will give you 2 log files called FRST.txt and addition.txt, not attach.txt.

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 



#6 P-Methley


Posted 22 September 2014 - 08:37 AM

Great stuff, thanks. I'll back up and then run the FRST again. I meant the only notepad that opened up was addition.txt, sorry.

 

Thank You :)



#7 P-Methley


Posted 22 September 2014 - 10:16 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 21-09-2014 01
Ran by teresa (administrator) on TERESA-PC on 22-09-2014 16:11:02
Running from C:\Users\teresa\Desktop
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgwdsvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
() C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgemcx.exe
() C:\Program Files\AVG SafeGuard toolbar\vprot.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3593744 2014-09-05] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [vProt] => C:\Program Files\AVG SafeGuard toolbar\vprot.exe [2640408 2014-08-26] ()
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM\...\Run: [Fyloraizn] => C:\Users\teresa\AppData\Roaming\Sogyfiyt\beifvu.exe
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM Group Policy restriction on software: C:\Program Files (x86)\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files (x86)\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKU\S-1-5-21-867126240-888176814-2580854711-1000\...\Run: [OzonwEvula] => regsvr32.exe "C:\ProgramData\OzonwEvula\OzonwEvula.dat"
HKU\S-1-5-21-867126240-888176814-2580854711-1000\...\Run: [AxjepMapfu] => regsvr32.exe "C:\ProgramData\AxjepMapfu\AxjepMapfu.dat"
HKU\S-1-5-21-867126240-888176814-2580854711-1000\...\Run: [DAEMON Tools Lite] => C:\Program Files\DAEMON Tools Lite\DTLite.exe [3675352 2013-10-28] (Disc Soft Ltd)
HKU\S-1-5-21-867126240-888176814-2580854711-1000\...\Run: [AVG-Secure-Search-Update_1113a] => C:\Users\teresa\AppData\Roaming\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /mid=91f772c96f6047d0aeeed15775694d49-124e641c40157b766ed085b2a81f82bf81593025 /CMPID=1113a
HKU\S-1-5-21-867126240-888176814-2580854711-1000\...\Run: [AVG-Secure-Search-Update_0214c] => C:\Users\teresa\AppData\Roaming\AVG 0214c Campaign\AVG-Secure-Search-Update-0214c.exe /PROMPT /mid=91f772c96f6047d0aeeed15775694d49-124e641c40157b766ed085b2a81f82bf81593025 /CMPID=0214c
HKU\S-1-5-21-867126240-888176814-2580854711-1000\...\MountPoints2: {ec5e186d-2078-11e3-b05d-001e338da4ba} - F:\setup.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x1004A7EE6ACDCD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.aartemis.com/web/?type=ds&ts=1384716139&from=cor&uid=WDCXWD1600BEVS-26VAT0_WD-WXE908DC5748C5748&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.aartemis.com/web/?type=ds&ts=1384716139&from=cor&uid=WDCXWD1600BEVS-26VAT0_WD-WXE908DC5748C5748&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe http://aartemis.com/?type=sc&ts=1384716139&from=cor&uid=WDCXWD1600BEVS-26VAT0_WD-WXE908DC5748C5748
SearchScopes: HKLM - DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.aartemis.com/web/?type=ds&ts=1384716139&from=cor&uid=WDCXWD1600BEVS-26VAT0_WD-WXE908DC5748C5748&q={searchTerms}
SearchScopes: HKLM - {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.aartemis.com/web/?type=ds&ts=1384716139&from=cor&uid=WDCXWD1600BEVS-26VAT0_WD-WXE908DC5748C5748&q={searchTerms}
SearchScopes: HKLM - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldmsd&cd=2XzuyEtN2Y1L1QzutDtDtBtCyCtA0DyEyE0EtB0EyC0CzztCtN0D0Tzu0CyCtByBtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=1582759947&ir=
SearchScopes: HKCU - DefaultScope {B806252A-B8DA-436E-AEB7-647109F2C876} URL = https://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=282369&p={searchTerms}
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL =
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKCU - {2CB7B96F-CD67-003D-E546-2694E6BD5BA4} URL =
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = https://mysearch.avg.com/search?cid={48280774-EE04-4F9F-93DE-7D56CC6A46BC}&mid=91f772c96f6047d0aeeed15775694d49-124e641c40157b766ed085b2a81f82bf81593025&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-18 19:30:19&v=18.1.9.799&pid=safeguard&sg=&sap=dsp&q={searchTerms}
SearchScopes: HKCU - {B806252A-B8DA-436E-AEB7-647109F2C876} URL = https://uk.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=282369&p={searchTerms}
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} ->  No File
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.9\ViProtocol.dll (AVG Secure Search)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @real.com/nprndlchromebrowserrecordext;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlchromebrowserrecordext.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlhtml5videoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin: @real.com/nprndlpepperflashvideoshim;version=1.3.3 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlpepperflashvideoshim.dll (RealNetworks, Inc.)
FF Plugin: @realnetworks.com/npdlplugin;version=1 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\npdlplugin.dll (RealDownloader)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\safeguard-secure-search.xml
FF HKLM\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-08-05]
FF HKLM\...\Firefox\Extensions: [{DF153AFF-6948-45d7-AC98-4FC4AF8A08E2}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext

Chrome:
=======
CHR HomePage: Default -> hxxp://mysearch.avg.com?cid={48280774-EE04-4F9F-93DE-7D56CC6A46BC}&mid=91f772c96f6047d0aeeed15775694d49-124e641c40157b766ed085b2a81f82bf81593025&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-18 19:30:19&v=18.1.5.512&pid=safeguard&sg=&sap=hp
CHR StartupUrls: Default -> "https://mysearch.avg.com?cid={48280774-EE04-4F9F-93DE-7D56CC6A46BC}&mid=91f772c96f6047d0aeeed15775694d49-124e641c40157b766ed085b2a81f82bf81593025&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-18 19:30:19&v=18.1.9.799&pid=safeguard&sg=&sap=hp"
CHR NewTab: Default -> "chrome-extension://ndibdjnfmopecpmkdieinmbadjfpblof/pages/newtab.html"
CHR DefaultSearchKeyword: Default -> mysearch.avg.com__
CHR DefaultSearchProvider: Default -> AVG Secure Search
CHR DefaultSearchURL: Default -> https://mysearch.avg.com/search?cid={48280774-EE04-4F9F-93DE-7D56CC6A46BC}&mid=91f772c96f6047d0aeeed15775694d49-124e641c40157b766ed085b2a81f82bf81593025&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-04-18 19:30:19&v=18.1.9.799&pid=safeguard&sg=&sap=dsp&q={searchTerms}
CHR DefaultNewTabURL: Default -> https://mysearch.avg.com/chroment?espv=2&cid={48280774-EE04-4F9F-93DE-7D56CC6A46BC}&mid=91f772c96f6047d0aeeed15775694d49-124e641c40157b766ed085b2a81f82bf81593025&lang=en&ds=AVG&pr=fr&d=2014-04-18 19:30:19&v=18.1.9.799&pid=safeguard&sg=
CHR DefaultSuggestURL: Default -> http://toolbar.avg.com/acp?q={searchTerms}&o=1
CHR CustomProfile: C:\Users\teresa\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\teresa\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-06-01]
CHR Extension: (AVG Secure Search) - C:\Users\teresa\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof [2014-05-08]
CHR Extension: (Google Wallet) - C:\Users\teresa\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-18]
CHR Extension: (Iminent Chrome Toolbar) - C:\Users\teresa\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkhojieggfgllhllcegoffdcnmdeojgb [2014-01-31]
CHR Extension: (Extutil) - C:\Users\teresa\AppData\Local\Temp\D7ADFCCA-EE7E-442C-9999-C4D14FEF360B [2014-01-18]
CHR Extension: (Managera) - C:\Users\teresa\AppData\Local\Temp\38fdaae5-8e0e-493c-88ec-e05c3be06e42 [2014-01-08]
CHR HKLM\...\Chrome\Extension: [idhngdhcfkoamngbedgpaokgjbnpdiji] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Chrome\Ext\realdownloader.crx [2013-08-14]
CHR HKLM\...\Chrome\Extension: [pflphaooapbgpeakohlggbpidpppgdff] - C:\Users\teresa\AppData\Local\mysearchdial_speedial_v9.0.2.crx [2013-09-19]
CHR HKLM\...\Chrome\Extension: [pkhojieggfgllhllcegoffdcnmdeojgb] - C:\Program Files\IminentToolbar\1.8.28.3\iminent.crx [2013-11-14]
CHR HKCU\...\Chrome\Extension: [pflphaooapbgpeakohlggbpidpppgdff] - C:\Users\teresa\AppData\Local\mysearchdial_speedial_v9.0.2.crx [2013-09-19]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3364368 2014-09-05] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [293448 2014-09-05] (AVG Technologies CZ, s.r.o.)
R2 MBAMScheduler; C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe [1809720 2014-05-12] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [860472 2014-05-12] (Malwarebytes Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [39056 2013-08-14] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [121624 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [204056 2014-07-24] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [147736 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [21272 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [193304 2014-08-20] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [230680 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [98584 2014-08-06] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27416 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [199448 2014-07-02] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [42784 2014-08-11] (AVG Technologies)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [243128 2014-01-30] (Disc Soft Ltd)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2014-05-12] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-09-22] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2014-05-12] (Malwarebytes Corporation)
S3 iSafeKrnl; \??\C:\Program Files\iSafe\iSafeKrnl.sys [X]
S1 iSafeNetFilter; \??\C:\Program Files\iSafe\iSafeNetFilter.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-22 16:11 - 2014-09-22 16:11 - 00014971 _____ () C:\Users\teresa\Desktop\FRST.txt
2014-09-22 16:09 - 2014-09-22 16:09 - 00151600 _____ () C:\Windows\Minidump\092214-33992-01.dmp
2014-09-22 15:50 - 2014-09-22 15:50 - 01097728 _____ (Farbar) C:\Users\teresa\Desktop\FRST.exe
2014-09-21 21:02 - 2014-09-21 21:02 - 00151600 _____ () C:\Windows\Minidump\092114-37050-01.dmp
2014-09-21 20:08 - 2014-09-21 20:08 - 00151608 _____ () C:\Windows\Minidump\092114-34304-01.dmp
2014-09-21 18:19 - 2014-09-21 18:19 - 00151608 _____ () C:\Windows\Minidump\092114-33821-01.dmp
2014-09-21 17:48 - 2014-09-21 18:20 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
2014-09-21 17:42 - 2014-09-22 16:10 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-21 17:41 - 2014-09-21 17:41 - 00001065 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-21 17:41 - 2014-09-21 17:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-21 17:41 - 2014-09-21 17:41 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-21 17:41 - 2014-09-21 17:41 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-21 17:41 - 2014-05-12 07:26 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-21 17:41 - 2014-05-12 07:25 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-21 17:41 - 2014-05-12 07:25 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-09-21 17:17 - 2014-09-21 17:17 - 00000000 ____D () C:\Users\teresa\AppData\Roaming\AVG2015
2014-09-21 00:58 - 2014-09-21 00:58 - 00000000 ____D () C:\ProgramData\AVG Secure Search
2014-09-20 23:30 - 2014-09-22 16:11 - 00000000 ____D () C:\FRST
2014-09-20 09:30 - 2014-09-20 09:30 - 00000000 ____D () C:\Users\teresa\AppData\Local\AVG Secure Search
2014-09-20 06:03 - 2014-09-20 06:03 - 00000940 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2014-09-20 05:26 - 2014-09-21 17:17 - 00000000 ____D () C:\ProgramData\AVG2015
2014-09-20 04:42 - 2014-09-21 17:17 - 00000000 ____D () C:\Users\teresa\AppData\Local\Avg2015
2014-09-20 04:41 - 2014-09-20 04:41 - 04579256 _____ (AVG Technologies) C:\Users\teresa\Downloads\avg_avct_stb_all_2015_5315_cm10.exe
2014-09-16 20:41 - 2014-09-16 20:41 - 00000000 ____D () C:\Windows\system32\%LocalAppData%
2014-09-16 20:40 - 2014-09-16 20:40 - 00000000 __SHD () C:\Windows\system32\%APPDATA%
2014-09-15 16:31 - 2014-09-21 17:17 - 00000000 ____D () C:\ProgramData\AxjepMapfu
2014-09-15 16:31 - 2014-09-20 23:21 - 00000000 ____D () C:\ProgramData\OzonwEvula
2014-09-14 10:43 - 2014-09-14 10:43 - 00151600 _____ () C:\Windows\Minidump\091414-35022-01.dmp
2014-09-14 05:45 - 2014-09-14 05:45 - 00145424 _____ () C:\Windows\Minidump\091414-37065-01.dmp
2014-09-14 05:24 - 2014-09-14 05:24 - 00151608 _____ () C:\Windows\Minidump\091414-29109-01.dmp
2014-09-13 18:54 - 2014-09-13 18:54 - 00151600 _____ () C:\Windows\Minidump\091314-24694-01.dmp
2014-09-13 12:53 - 2014-09-15 16:39 - 00000000 _____ () C:\Users\teresa\AppData\Local\nbpdhhbl.log
2014-09-13 12:48 - 2014-09-22 16:00 - 00000812 _____ () C:\Windows\Tasks\Security Center Update - 481391813.job
2014-09-13 12:48 - 2014-09-15 16:31 - 00000000 ____D () C:\Users\teresa\AppData\Roaming\Sogyfiyt
2014-09-13 12:46 - 2014-09-15 16:26 - 00388433 _____ () C:\Users\teresa\AppData\Local\ylmrbclm.log
2014-09-13 12:46 - 2014-09-15 16:26 - 00002708 _____ () C:\Users\teresa\AppData\Local\wsvuodhg.log
2014-09-13 12:46 - 2014-09-15 16:26 - 00000217 _____ () C:\Users\teresa\AppData\Local\dafhglik.log
2014-09-13 12:45 - 2014-09-15 16:39 - 01782749 _____ () C:\Users\teresa\AppData\Local\raanmokm.log
2014-09-13 12:44 - 2014-09-15 16:39 - 00000028 _____ () C:\Users\teresa\AppData\Local\pmghvkdy.log
2014-09-13 12:44 - 2014-09-15 16:26 - 00000054 _____ () C:\Users\teresa\AppData\Local\pjpoagmn.log
2014-09-13 12:44 - 2014-09-15 16:26 - 00000000 ____D () C:\Users\teresa\AppData\Local\njgrngnj
2014-09-13 12:44 - 2014-09-13 13:13 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-09-13 12:44 - 2014-09-13 12:44 - 00572608 _____ () C:\Users\teresa\AppData\Local\qdkuohkv.log
2014-09-13 12:44 - 2014-09-13 12:44 - 00000064 _____ () C:\ProgramData\dnlftyha.log
2014-09-13 12:44 - 2014-09-13 12:44 - 00000000 _____ () C:\Users\teresa\AppData\Local\qelxncbu.log
2014-09-13 12:44 - 2014-09-13 12:44 - 00000000 _____ () C:\Users\teresa\AppData\Local\lmgjhhjs.log
2014-08-26 16:27 - 2014-08-26 16:27 - 00000000 ____D () C:\ProgramData\Avg_Update_0814tb
2014-08-26 16:27 - 2014-08-26 16:27 - 00000000 ____D () C:\Program Files\AVG Security Toolbar

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-09-22 16:11 - 2014-09-22 16:11 - 00014971 _____ () C:\Users\teresa\Desktop\FRST.txt
2014-09-22 16:11 - 2014-09-20 23:30 - 00000000 ____D () C:\FRST
2014-09-22 16:10 - 2014-09-21 17:42 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-22 16:09 - 2014-09-22 16:09 - 00151600 _____ () C:\Windows\Minidump\092214-33992-01.dmp
2014-09-22 16:09 - 2013-09-18 17:09 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-09-22 16:09 - 2012-12-07 12:18 - 00000000 ____D () C:\Windows\Minidump
2014-09-22 16:09 - 2009-07-14 05:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-09-22 16:09 - 2009-07-14 05:39 - 00081082 _____ () C:\Windows\setupact.log
2014-09-22 16:07 - 2009-07-14 05:53 - 00032620 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-09-22 16:00 - 2014-09-13 12:48 - 00000812 _____ () C:\Windows\Tasks\Security Center Update - 481391813.job
2014-09-22 15:57 - 2012-11-28 19:59 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-09-22 15:50 - 2014-09-22 15:50 - 01097728 _____ (Farbar) C:\Users\teresa\Desktop\FRST.exe
2014-09-22 15:47 - 2012-11-28 14:41 - 00000000 ____D () C:\ProgramData\MFAData
2014-09-22 15:35 - 2013-09-18 17:09 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-09-22 15:34 - 2013-09-19 09:31 - 00000364 _____ () C:\Windows\Tasks\WpsUpdateTask_teresa.job
2014-09-21 21:09 - 2009-07-14 05:34 - 00021072 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-09-21 21:09 - 2009-07-14 05:34 - 00021072 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-09-21 21:02 - 2014-09-21 21:02 - 00151600 _____ () C:\Windows\Minidump\092114-37050-01.dmp
2014-09-21 20:08 - 2014-09-21 20:08 - 00151608 _____ () C:\Windows\Minidump\092114-34304-01.dmp
2014-09-21 18:20 - 2014-09-21 17:48 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\48230029.sys
2014-09-21 18:19 - 2014-09-21 18:19 - 00151608 _____ () C:\Windows\Minidump\092114-33821-01.dmp
2014-09-21 17:41 - 2014-09-21 17:41 - 00001065 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-09-21 17:41 - 2014-09-21 17:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-21 17:41 - 2014-09-21 17:41 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-21 17:41 - 2014-09-21 17:41 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-09-21 17:17 - 2014-09-21 17:17 - 00000000 ____D () C:\Users\teresa\AppData\Roaming\AVG2015
2014-09-21 17:17 - 2014-09-20 05:26 - 00000000 ____D () C:\ProgramData\AVG2015
2014-09-21 17:17 - 2014-09-20 04:42 - 00000000 ____D () C:\Users\teresa\AppData\Local\Avg2015
2014-09-21 17:17 - 2014-09-15 16:31 - 00000000 ____D () C:\ProgramData\AxjepMapfu
2014-09-21 00:58 - 2014-09-21 00:58 - 00000000 ____D () C:\ProgramData\AVG Secure Search
2014-09-20 23:21 - 2014-09-15 16:31 - 00000000 ____D () C:\ProgramData\OzonwEvula
2014-09-20 09:30 - 2014-09-20 09:30 - 00000000 ____D () C:\Users\teresa\AppData\Local\AVG Secure Search
2014-09-20 09:29 - 2013-09-27 16:05 - 00000000 ____D () C:\ProgramData\AVG2014
2014-09-20 09:29 - 2010-11-20 22:48 - 00045160 _____ () C:\Windows\PFRO.log
2014-09-20 06:14 - 2014-01-29 12:21 - 00000000 ___HD () C:\$AVG
2014-09-20 06:14 - 2013-12-09 09:45 - 00000000 ____D () C:\ProgramData\AVG Security Toolbar
2014-09-20 06:13 - 2014-04-01 08:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-09-20 06:03 - 2014-09-20 06:03 - 00000940 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2014-09-20 05:16 - 2014-01-29 10:29 - 00000000 ____D () C:\Program Files\AVG
2014-09-20 04:41 - 2014-09-20 04:41 - 04579256 _____ (AVG Technologies) C:\Users\teresa\Downloads\avg_avct_stb_all_2015_5315_cm10.exe
2014-09-20 04:33 - 2012-11-28 14:33 - 00000000 ____D () C:\Users\teresa\AppData\Roaming\vlc
2014-09-19 21:10 - 2013-08-23 23:24 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2014-09-19 20:55 - 2013-09-18 17:09 - 00000000 ____D () C:\Users\teresa\AppData\Roaming\Real
2014-09-19 20:47 - 2014-06-08 22:03 - 00000000 ____D () C:\Users\teresa\AppData\Roaming\DVDVideoSoft
2014-09-19 20:40 - 2014-01-15 00:19 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-09-19 20:10 - 2013-09-18 17:10 - 00000000 ____D () C:\Program Files\Real
2014-09-19 20:09 - 2014-08-05 21:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealNetworks
2014-09-19 20:09 - 2013-09-18 17:06 - 00000000 ____D () C:\ProgramData\Real
2014-09-16 20:41 - 2014-09-16 20:41 - 00000000 ____D () C:\Windows\system32\%LocalAppData%
2014-09-16 20:40 - 2014-09-16 20:40 - 00000000 __SHD () C:\Windows\system32\%APPDATA%
2014-09-16 17:48 - 2012-11-28 13:31 - 02004873 _____ () C:\Windows\WindowsUpdate.log
2014-09-15 16:39 - 2014-09-13 12:53 - 00000000 _____ () C:\Users\teresa\AppData\Local\nbpdhhbl.log
2014-09-15 16:39 - 2014-09-13 12:45 - 01782749 _____ () C:\Users\teresa\AppData\Local\raanmokm.log
2014-09-15 16:39 - 2014-09-13 12:44 - 00000028 _____ () C:\Users\teresa\AppData\Local\pmghvkdy.log
2014-09-15 16:31 - 2014-09-13 12:48 - 00000000 ____D () C:\Users\teresa\AppData\Roaming\Sogyfiyt
2014-09-15 16:26 - 2014-09-13 12:46 - 00388433 _____ () C:\Users\teresa\AppData\Local\ylmrbclm.log
2014-09-15 16:26 - 2014-09-13 12:46 - 00002708 _____ () C:\Users\teresa\AppData\Local\wsvuodhg.log
2014-09-15 16:26 - 2014-09-13 12:46 - 00000217 _____ () C:\Users\teresa\AppData\Local\dafhglik.log
2014-09-15 16:26 - 2014-09-13 12:44 - 00000054 _____ () C:\Users\teresa\AppData\Local\pjpoagmn.log
2014-09-15 16:26 - 2014-09-13 12:44 - 00000000 ____D () C:\Users\teresa\AppData\Local\njgrngnj
2014-09-15 08:30 - 2013-09-18 17:04 - 00000000 ____D () C:\Users\teresa\AppData\Roaming\uTorrent
2014-09-14 10:43 - 2014-09-14 10:43 - 00151600 _____ () C:\Windows\Minidump\091414-35022-01.dmp
2014-09-14 05:45 - 2014-09-14 05:45 - 00145424 _____ () C:\Windows\Minidump\091414-37065-01.dmp
2014-09-14 05:24 - 2014-09-14 05:24 - 00151608 _____ () C:\Windows\Minidump\091414-29109-01.dmp
2014-09-13 18:54 - 2014-09-13 18:54 - 00151600 _____ () C:\Windows\Minidump\091314-24694-01.dmp
2014-09-13 13:13 - 2014-09-13 12:44 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-09-13 12:44 - 2014-09-13 12:44 - 00572608 _____ () C:\Users\teresa\AppData\Local\qdkuohkv.log
2014-09-13 12:44 - 2014-09-13 12:44 - 00000064 _____ () C:\ProgramData\dnlftyha.log
2014-09-13 12:44 - 2014-09-13 12:44 - 00000000 _____ () C:\Users\teresa\AppData\Local\qelxncbu.log
2014-09-13 12:44 - 2014-09-13 12:44 - 00000000 _____ () C:\Users\teresa\AppData\Local\lmgjhhjs.log
2014-09-12 19:40 - 2013-09-18 17:09 - 00002134 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-09-10 18:58 - 2012-11-28 19:59 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-09-10 18:58 - 2012-11-28 19:59 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-09-05 22:55 - 2012-11-28 14:17 - 00000000 ____D () C:\Users\teresa
2014-09-05 21:45 - 2014-05-31 09:10 - 00000000 ____D () C:\Users\teresa\Downloads\Disturbed - Asylum.(2010).(pixie09)
2014-08-26 16:50 - 2014-04-18 19:29 - 00000000 ____D () C:\Program Files\AVG SafeGuard toolbar
2014-08-26 16:27 - 2014-08-26 16:27 - 00000000 ____D () C:\ProgramData\Avg_Update_0814tb
2014-08-26 16:27 - 2014-08-26 16:27 - 00000000 ____D () C:\Program Files\AVG Security Toolbar

Some content of TEMP:
====================
C:\Users\teresa\AppData\Local\Temp\56698uninstall.exe
C:\Users\teresa\AppData\Local\Temp\BackupSetup.exe
C:\Users\teresa\AppData\Local\Temp\DTLite4481-0347.exe
C:\Users\teresa\AppData\Local\Temp\kingsoft_office_2013_114.exe
C:\Users\teresa\AppData\Local\Temp\lowproc.exe
C:\Users\teresa\AppData\Local\Temp\nsc417B.exe
C:\Users\teresa\AppData\Local\Temp\nsc834E.exe
C:\Users\teresa\AppData\Local\Temp\nsh463C.exe
C:\Users\teresa\AppData\Local\Temp\nsh87B2.exe
C:\Users\teresa\AppData\Local\Temp\nsr3CA9.exe
C:\Users\teresa\AppData\Local\Temp\nsr7F18.exe
C:\Users\teresa\AppData\Local\Temp\nsx1EE9.exe
C:\Users\teresa\AppData\Local\Temp\RealPlayer_20130122.exe
C:\Users\teresa\AppData\Local\Temp\SearchProtectionSetup.exe
C:\Users\teresa\AppData\Local\Temp\SkypeSetup.exe
C:\Users\teresa\AppData\Local\Temp\SPSetup.exe
C:\Users\teresa\AppData\Local\Temp\Sqlite3.dll
C:\Users\teresa\AppData\Local\Temp\stubhelper.dll
C:\Users\teresa\AppData\Local\Temp\Toparcadehits.exe
C:\Users\teresa\AppData\Local\Temp\toparcadesetup.exe
C:\Users\teresa\AppData\Local\Temp\toparcupd.exe
C:\Users\teresa\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\teresa\AppData\Local\Temp\UpdateFlashPlayer_59711f04.exe
C:\Users\teresa\AppData\Local\Temp\uttA8ED.tmp.exe
C:\Users\teresa\AppData\Local\Temp\vcredist_x86.exe
C:\Users\teresa\AppData\Local\Temp\vlc-2.1.2-win32.exe
C:\Users\teresa\AppData\Local\Temp\VuuPC.exe
C:\Users\teresa\AppData\Local\Temp\yac_new.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-09-20 06:41

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 21-09-2014 01
Ran by teresa at 2014-09-22 16:12:13
Running from C:\Users\teresa\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2014 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2014 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKCU\...\uTorrent) (Version: 3.4.2.32239 - BitTorrent Inc.)
Adobe Digital Editions 3.0 (HKLM\...\Adobe Digital Editions 3.0) (Version: 3.0 - Adobe Systems Incorporated)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.08) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
Apple Mobile Device Support (HKLM\...\{0592EF96-69D8-4E4B-9CC9-88F58EA86F01}) (Version: 7.0.0.117 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5315 - AVG Technologies)
AVG 2015 (Version: 15.0.4158 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5315 - AVG Technologies) Hidden
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 4.48.1.0347 - Disc Soft Ltd)
Google Chrome (HKLM\...\Google Chrome) (Version: 37.0.2062.120 - Google Inc.)
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
iTunes (HKLM\...\{C197BC08-3D82-4651-8886-E68C21578A38}) (Version: 11.1.3.8 - Apple Inc.)
Kingsoft Office 2013 (9.1.0.4256) (HKLM\...\Kingsoft Office) (Version: 9.1.0.4256 - Kingsoft Corp.)
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft .NET Framework 4.5 (Version: 4.5.50709 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mount&Blade Warband (HKLM\...\Mount&Blade Warband) (Version:  - )
RealDownloader (Version: 1.3.3 - RealNetworks, Inc.) Hidden
VBA (2627.01) (Version: 6.03.00.9402 - Microsoft Corporation) Hidden
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player 2.0.2 (HKLM\...\VLC media player) (Version: 2.0.2 - VideoLAN)
WinRAR 5.00 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.00.0 - win.rar GmbH)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{00b7e0ab-817a-44ad-a04b-d1148d524136}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{7c6e29bc-8b8b-4c3d-859e-af6cd158be0f}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{88d969c0-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{88d969c1-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{88d969c2-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{88d969c3-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{88d969c4-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{88d969c5-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{88d969c6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{88d969c8-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{88d969c9-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{88d969ca-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File
CustomCLSID: HKU\S-1-5-21-867126240-888176814-2580854711-1000_Classes\CLSID\{88d969d6-f192-11d4-a65f-0040963251e5}\InprocServer32 -> %SystemDrive%\Users\teresa\AppData\Roaming\Microsoft\MSXML2\msxml4.dll No File

==================== Restore Points  =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 03:04 - 2009-06-10 22:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {027B907A-6D49-4EC3-AF22-24AD8735138D} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-09-18] (Google Inc.)
Task: {049AA67E-4149-4E0B-8F8F-2ECDBF5E2277} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-867126240-888176814-2580854711-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe
Task: {174F876A-F158-43D8-9ED8-CD9FC8855057} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-867126240-888176814-2580854711-1000 => C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {2E5A8B7F-19BA-4187-97C7-342D0AFDAEDD} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-867126240-888176814-2580854711-1000 => C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {7213F21B-EDE2-4960-B6CA-8E18EBDCBE97} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-867126240-888176814-2580854711-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe
Task: {7A92172B-05DF-4DB7-9E83-EA60E6420CF3} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-10] (Adobe Systems Incorporated)
Task: {7CB4F895-0013-4F01-B4EF-4787FCF8E16C} - System32\Tasks\UpdaterEX => C:\Users\teresa\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: {9328AE5A-69EA-4FF8-8E46-632B5AB14FEF} - System32\Tasks\Security Center Update - 481391813 => C:\Users\teresa\AppData\Roaming\Sogyfiyt\beifvu.exe <==== ATTENTION
Task: {9E96642A-321C-41A1-894A-BED991A64A6D} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {A53C1ECB-9868-41ED-B4EE-8F43F4A96FB7} - System32\Tasks\WpsUpdateTask_teresa => C:\Program Files\Kingsoft\Kingsoft Office\wtoolex\wpsupdate.exe [2013-08-11] (Zhuhai Kingsoft Office Software Co.,Ltd)
Task: {B007145F-3553-4482-B25C-3E05C1E79262} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()
Task: {EBA3F817-A477-4BFB-9666-12DE176A4E3D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-09-18] (Google Inc.)
Task: {F8646698-F45B-4D17-B857-F1014C126358} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-867126240-888176814-2580854711-1000 => C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe [2013-08-14] (RealNetworks, Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe
Task: C:\Windows\Tasks\Security Center Update - 481391813.job => C:\Users\teresa\AppData\Roaming\Sogyfiyt\beifvu.exe <==== ATTENTION
Task: C:\Windows\Tasks\UpdaterEX.job => C:\Users\teresa\AppData\Roaming\UPDATE~1\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
Task: C:\Windows\Tasks\WpsUpdateTask_teresa.job => C:\Program Files\Kingsoft\Kingsoft Office\wtoolex\wpsupdate.exe

==================== Loaded Modules (whitelisted) =============

2013-08-14 15:19 - 2013-08-14 15:19 - 00039056 _____ () C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
2014-04-18 19:29 - 2014-08-26 16:49 - 02640408 _____ () C:\Program Files\AVG SafeGuard toolbar\vprot.exe
2014-08-11 17:47 - 2014-08-11 17:47 - 00519704 _____ () C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\log4cplusU.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:661DFA1C

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: vToolbarUpdater18.1.9 => 2

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: iSafeNetFilter
Description: iSafeNetFilter
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: iSafeNetFilter
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (09/22/2014 04:10:52 PM) (Source: MsiInstaller) (EventID: 1024) (User: teresa-PC)
Description: Product: Adobe Reader XI (11.0.08) - Update '{AC76BA86-7AD7-0000-2550-7A8C40011009}' could not be installed. Error code 1625. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Error: (09/22/2014 04:10:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/22/2014 04:09:14 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"1".
Dependent Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (09/22/2014 04:07:03 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\wevtsvc.dll for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.

Program: Host Process for Windows Services
File: C:\Windows\System32\wevtsvc.dll

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
 - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
 - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.

Additional Data
Error value: C0000185
Disk type: 3

Error: (09/22/2014 04:07:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_eventlog, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: wevtsvc.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba2e
Exception code: 0xc0000006
Fault offset: 0x000d6aec
Faulting process id: 0x41c
Faulting application start time: 0xsvchost.exe_eventlog0
Faulting application path: svchost.exe_eventlog1
Faulting module path: svchost.exe_eventlog2
Report Id: svchost.exe_eventlog3

Error: (09/22/2014 04:06:26 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\winsta.dll for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Services because of this error.

Program: Host Process for Windows Services
File: C:\Windows\System32\winsta.dll

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
 - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
 - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.

Additional Data
Error value: C0000185
Disk type: 3

Error: (09/22/2014 04:06:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_Schedule, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: WINSTA.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba4e
Exception code: 0xc0000006
Fault offset: 0x00008690
Faulting process id: 0x458
Faulting application start time: 0xsvchost.exe_Schedule0
Faulting application path: svchost.exe_Schedule1
Faulting module path: svchost.exe_Schedule2
Report Id: svchost.exe_Schedule3

Error: (09/22/2014 04:04:41 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Windows\System32\RacEngn.dll for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Host Process for Windows Tasks because of this error.

Program: Host Process for Windows Tasks
File: C:\Windows\System32\RacEngn.dll

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
 - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
 - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.

Additional Data
Error value: C0000185
Disk type: 3

Error: (09/22/2014 04:04:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: taskhost.exe, version: 6.1.7601.17514, time stamp: 0x4ce78ca9
Faulting module name: RacEngn.dll, version: 6.1.7601.17514, time stamp: 0x4ce7b994
Exception code: 0xc0000006
Fault offset: 0x000db427
Faulting process id: 0x178c
Faulting application start time: 0xtaskhost.exe0
Faulting application path: taskhost.exe1
Faulting module path: taskhost.exe2
Report Id: taskhost.exe3

Error: (09/22/2014 04:02:18 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file C:\Users\teresa\Desktop\FRST.exe for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program Farbar Recovery Scan Tool because of this error.

Program: Farbar Recovery Scan Tool
File: C:\Users\teresa\Desktop\FRST.exe

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
 - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
 - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.

Additional Data
Error value: C0000185
Disk type: 3

System errors:
=============
Error: (09/22/2014 04:10:38 PM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The HomeGroup Listener service terminated with service-specific error %%-2147023143.

Error: (09/22/2014 04:09:30 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
iSafeNetFilter

Error: (09/22/2014 04:09:20 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x0000007a (0xc0444a58, 0xc0000185, 0x42b54860, 0x8894bcfb)C:\Windows\MEMORY.DMP092214-33992-01

Error: (09/22/2014 04:09:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Apple Mobile Device service failed to start due to the following error:
%%14001

Error: (09/22/2014 04:09:07 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 16:07:17 on ‎22/‎09/‎2014 was unexpected.

Error: (09/22/2014 04:06:45 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Error Reporting Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 120000 milliseconds: Restart the service.

Error: (09/22/2014 03:51:24 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.

Error: (09/22/2014 03:51:20 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.

Error: (09/22/2014 03:51:20 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.

Error: (09/22/2014 03:51:20 PM) (Source: atapi) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Ide\IdePort0.

Microsoft Office Sessions:
=========================
Error: (09/22/2014 04:10:52 PM) (Source: MsiInstaller) (EventID: 1024) (User: teresa-PC)
Description: Adobe Reader XI (11.0.08){AC76BA86-7AD7-0000-2550-7A8C40011009}1625(NULL)(NULL)(NULL)

Error: (09/22/2014 04:10:32 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (09/22/2014 04:09:14 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.6195"C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

Error: (09/22/2014 04:07:03 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: C:\Windows\System32\wevtsvc.dllHost Process for Windows ServicesC00001853

Error: (09/22/2014 04:07:03 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe_eventlog6.1.7600.163854a5bc100wevtsvc.dll6.1.7601.175144ce7ba2ec0000006000d6aec41c01cfd5d6f315a24aC:\Windows\System32\svchost.exec:\windows\system32\wevtsvc.dll1baf3c24-426a-11e4-b5de-001e338da4ba

Error: (09/22/2014 04:06:26 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: C:\Windows\System32\winsta.dllHost Process for Windows ServicesC00001853

Error: (09/22/2014 04:06:26 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe_Schedule6.1.7600.163854a5bc100WINSTA.dll6.1.7601.175144ce7ba4ec00000060000869045801cfd5d6f32d700cC:\Windows\system32\svchost.exeC:\Windows\system32\WINSTA.dll05d66a8f-426a-11e4-b5de-001e338da4ba

Error: (09/22/2014 04:04:41 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: C:\Windows\System32\RacEngn.dllHost Process for Windows TasksC00001853

Error: (09/22/2014 04:04:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: taskhost.exe6.1.7601.175144ce78ca9RacEngn.dll6.1.7601.175144ce7b994c0000006000db427178c01cfd676098dd6d9C:\Windows\system32\taskhost.exeC:\Windows\system32\RacEngn.dllc723b18a-4269-11e4-b5de-001e338da4ba

Error: (09/22/2014 04:02:18 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: C:\Users\teresa\Desktop\FRST.exeFarbar Recovery Scan ToolC00001853

CodeIntegrity Errors:
===================================
  Date: 2014-09-22 15:57:03.472
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\sfc_os.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Genuine Intel® CPU T1600 @ 1.66GHz
Percentage of memory in use: 44%
Total physical RAM: 1916 MB
Available physical RAM: 1063.8 MB
Total Pagefile: 3831.99 MB
Available Pagefile: 2709.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1897.3 MB

==================== Drives ================================

Drive c: (Vista) (Fixed) (Total:74.22 GB) (Free:22.32 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Data) (Fixed) (Total:73.36 GB) (Free:68.69 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: 45BD800F)
Partition 1: (Not Active) - (Size=1.5 GB) - (Type=27)
Partition 2: (Active) - (Size=74.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=73.4 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#8 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • Gender:Male
  • Location:Thailand
  • Local time:06:14 PM

Posted 25 September 2014 - 06:00 AM

Hi P-Methley.
 
IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan.

Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for taxes, email, eBay, PayPal and any other online activities. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

 

Please let me know what you want to do.

 

If you want to continue:

 

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link 

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error. 

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#9 Sirawit

Sirawit

    Bleepin' Brony


  • Malware Response Team
  • 4,154 posts
  • Gender:Male
  • Location:Thailand
  • Local time:06:14 PM

Posted 29 September 2014 - 06:42 AM

It has been three days since my last reply. Are you still with me?

 

Thank you.




#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,570 posts
  • Gender:Female
  • Location:Romania
  • Local time:01:14 PM

Posted 01 October 2014 - 03:31 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft




