
Chrome, IE unable to connect to internet after rootkit infection


This topic is locked
38 replies to this topic

#1 dkweller

dkweller

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 30 October 2014 - 07:45 AM

Laptop running Vista got infected.  Was using avast, and it identified a rootkit.  I think it has been disabled.  Browsers unable to connect.  I have tried several of the basic troubleshooting tips found online, including those found at http://www.selectrealsecurity.com/fix-internet-connection

I ran combofix and here is the log.

 

ComboFix 14-10-29.01 - Katherine Weller 10/30/2014   5:07.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3000.1926 [GMT -7:00]
Running from: F:\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Dealio Toolbar
c:\program files\Dealio Toolbar\config.ini
c:\program files\Dealio Toolbar\DealioToolbarIE.dll
c:\program files\Dealio Toolbar\Res\amazon.gif
c:\program files\Dealio Toolbar\Res\apple.gif
c:\program files\Dealio Toolbar\Res\barnes.gif
c:\program files\Dealio Toolbar\Res\bestbuy.gif
c:\program files\Dealio Toolbar\Res\dealio_logo.gif
c:\program files\Dealio Toolbar\Res\dealio_logo_hover.gif
c:\program files\Dealio Toolbar\Res\ebay.gif
c:\program files\Dealio Toolbar\Res\icon_settings.gif
c:\program files\Dealio Toolbar\Res\macys.gif
c:\program files\Dealio Toolbar\Res\newegg.gif
c:\program files\Dealio Toolbar\Res\overstock.gif
c:\program files\Dealio Toolbar\Res\search-button-hover.gif
c:\program files\Dealio Toolbar\Res\search-button.gif
c:\program files\Dealio Toolbar\Res\search-chevron-hover.gif
c:\program files\Dealio Toolbar\Res\search-chevron.gif
c:\program files\Dealio Toolbar\Res\search_amazon.gif
c:\program files\Dealio Toolbar\Res\search_dealio.gif
c:\program files\Dealio Toolbar\Res\search_ebay.gif
c:\program files\Dealio Toolbar\Res\search_yahoo.gif
c:\program files\Dealio Toolbar\Res\separator.gif
c:\program files\Dealio Toolbar\Res\target.gif
c:\program files\Dealio Toolbar\Res\walmart.gif
c:\program files\Dealio Toolbar\Res\widgets.xml
c:\program files\Dealio Toolbar\SearchSettings.dll
c:\program files\Dealio Toolbar\SearchSettingsRes409.dll
c:\program files\Dealio Toolbar\sscfg.ini
c:\program files\Dealio Toolbar\trz20AB.tmp
c:\program files\Dealio Toolbar\WidgiHelper.exe
c:\program files\SearchProtect
c:\program files\SearchProtect\EULA.txt
c:\program files\SearchProtect\Main\rep\SystemRepository.dat
c:\program files\SearchProtect\UI\dialogs\Consent\consent.css
c:\program files\SearchProtect\UI\dialogs\Consent\consent.html
c:\program files\SearchProtect\UI\dialogs\Consent\consent.js
c:\program files\SearchProtect\UI\dialogs\Consent\defaults.js
c:\program files\SearchProtect\UI\dialogs\Images\Apply-default.png
c:\program files\SearchProtect\UI\dialogs\Images\Apply-onclick.png
c:\program files\SearchProtect\UI\dialogs\Images\Apply-Rollover.png
c:\program files\SearchProtect\UI\dialogs\Images\bg-dia.png
c:\program files\SearchProtect\UI\dialogs\Images\bg-uninstall.png
c:\program files\SearchProtect\UI\dialogs\Images\bg-with-logo.png
c:\program files\SearchProtect\UI\dialogs\Images\bg.png
c:\program files\SearchProtect\UI\dialogs\Images\bgNotif.png
c:\program files\SearchProtect\UI\dialogs\Images\bgSettings.png
c:\program files\SearchProtect\UI\dialogs\Images\bgSettingsDS.png
c:\program files\SearchProtect\UI\dialogs\Images\bgUninstall.png
c:\program files\SearchProtect\UI\dialogs\Images\btnBlue.png
c:\program files\SearchProtect\UI\dialogs\Images\btnClose.png
c:\program files\SearchProtect\UI\dialogs\Images\btnSilver.png
c:\program files\SearchProtect\UI\dialogs\Images\button-bg.png
c:\program files\SearchProtect\UI\dialogs\Images\checkbox.png
c:\program files\SearchProtect\UI\dialogs\Images\checkbox_checked.png
c:\program files\SearchProtect\UI\dialogs\Images\checkbox_def.png
c:\program files\SearchProtect\UI\dialogs\Images\close-win-def.png
c:\program files\SearchProtect\UI\dialogs\Images\close-win-over-click.png
c:\program files\SearchProtect\UI\dialogs\Images\gray-bg.png
c:\program files\SearchProtect\UI\dialogs\Images\hez-def-grey.png
c:\program files\SearchProtect\UI\dialogs\Images\hez-def.png
c:\program files\SearchProtect\UI\dialogs\Images\hez-selected.png
c:\program files\SearchProtect\UI\dialogs\Images\hez.png
c:\program files\SearchProtect\UI\dialogs\Images\icon-win.png
c:\program files\SearchProtect\UI\dialogs\Images\info-icon.png
c:\program files\SearchProtect\UI\dialogs\Images\menu-rollover.png
c:\program files\SearchProtect\UI\dialogs\Images\menu-selected.png
c:\program files\SearchProtect\UI\dialogs\Images\radio-button-def.png
c:\program files\SearchProtect\UI\dialogs\Images\radio-button-selected.png
c:\program files\SearchProtect\UI\dialogs\Images\radio-button.png
c:\program files\SearchProtect\UI\dialogs\Images\radio-button2.png
c:\program files\SearchProtect\UI\dialogs\Images\Settings-icon.png
c:\program files\SearchProtect\UI\dialogs\Images\SP_DialogBG.png
c:\program files\SearchProtect\UI\dialogs\Images\text-field.png
c:\program files\SearchProtect\UI\dialogs\Images\v.png
c:\program files\SearchProtect\UI\dialogs\Images\x.png
c:\program files\SearchProtect\UI\dialogs\libs\defaults.js
c:\program files\SearchProtect\UI\dialogs\libs\dialogUtils.js
c:\program files\SearchProtect\UI\dialogs\libs\jquery.1.7.1.min.js
c:\program files\SearchProtect\UI\dialogs\libs\json2.min.js
c:\program files\SearchProtect\UI\dialogs\libs\main.js
c:\program files\SearchProtect\UI\dialogs\libs\SPDialogAPI.js
c:\program files\SearchProtect\UI\dialogs\protection\defaults.js
c:\program files\SearchProtect\UI\dialogs\protection\protection.css
c:\program files\SearchProtect\UI\dialogs\protection\protection.html
c:\program files\SearchProtect\UI\dialogs\protection\protection.js
c:\program files\SearchProtect\UI\dialogs\protectionDS\defaults.js
c:\program files\SearchProtect\UI\dialogs\protectionDS\protectionDS.css
c:\program files\SearchProtect\UI\dialogs\protectionDS\protectionDS.html
c:\program files\SearchProtect\UI\dialogs\protectionDS\protectionDS.js
c:\program files\SearchProtect\UI\dialogs\settings.html
c:\program files\SearchProtect\UI\dialogs\settings\defaults.js
c:\program files\SearchProtect\UI\dialogs\settings\settings.css
c:\program files\SearchProtect\UI\dialogs\settings\settings.html
c:\program files\SearchProtect\UI\dialogs\settings\settings.js
c:\program files\SearchProtect\UI\dialogs\style.css
c:\program files\SearchProtect\UI\dialogs\uninstall\defaults.js
c:\program files\SearchProtect\UI\dialogs\uninstall\uninstall.css
c:\program files\SearchProtect\UI\dialogs\uninstall\uninstall.html
c:\program files\SearchProtect\UI\dialogs\uninstall\uninstall.js
c:\programdata\2308189059
c:\programdata\2308189059\BIT18CD.tmp
c:\users\Katherine Weller\AppData\Local\nsa2566.tmp
c:\users\Katherine Weller\AppData\Local\nso2D68.tmp
c:\users\Katherine Weller\AppData\Local\nsx7651.tmp
c:\users\Katherine Weller\AppData\Roaming\.#
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_ProtectMonitor
.
.
(((((((((((((((((((((((((   Files Created from 2014-09-28 to 2014-10-30  )))))))))))))))))))))))))))))))
.
.
2014-10-30 12:17 . 2014-10-30 12:20 -------- d-----w- c:\users\Katherine Weller\AppData\Local\temp
2014-10-30 12:17 . 2014-10-30 12:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-24 15:29 . 2014-10-24 15:29 -------- d---a-w- C:\G122_VistaDriver
2014-10-21 04:10 . 2014-10-21 04:10 -------- d-----w- c:\program files\CCleaner
2014-10-07 01:14 . 2014-10-07 01:14 -------- d-----w- c:\program files\predm
2014-10-06 23:04 . 2014-10-06 23:04 -------- d-----w- c:\users\Katherine Weller\AppData\Roaming\ap_logs
2014-10-06 23:04 . 2014-10-06 23:04 -------- d-----w- c:\users\Katherine Weller\AppData\Roaming\ap_movie
2014-10-06 22:49 . 2014-10-06 20:01 55824 ----a-w- c:\windows\system32\drivers\{be5bf058-a067-4076-8c2e-22b9345a0260}Gt.sys
2014-10-06 21:47 . 2014-10-07 00:58 -------- d-----w- c:\program files\Klip Pal
2014-10-06 21:45 . 2014-10-07 01:16 -------- d-----w- c:\program files\Optimizer Pro
2014-10-06 21:44 . 2014-09-01 18:29 19840 ----a-w- c:\windows\system32\drivers\pcwatch.sys
2014-10-06 21:38 . 2014-10-06 21:38 18872 ----a-w- c:\windows\system32\drivers\SPPD.sys
2014-10-06 21:38 . 2014-10-06 21:38 -------- d-----w- c:\users\Katherine Weller\AppData\Local\SearchProtect
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-09-24 06:14 . 2012-07-08 16:40 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-09-24 06:14 . 2011-12-15 19:45 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-15 16:06 . 2009-10-03 15:44 231568 ------w- c:\windows\system32\MpSigStub.exe
2014-09-09 06:24 . 2014-09-24 10:02 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 01:24 . 2014-10-15 09:10 8806800 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1A0FA64D-B89E-49B8-A7B6-E085452D7130}\mpengine.dll
2014-09-02 19:55 . 2014-09-02 19:55 34244 ----a-w- C:\monitorsvc.exe
2014-08-23 01:03 . 2014-08-28 10:00 297984 ----a-w- c:\windows\system32\gdi32.dll
2014-08-22 23:26 . 2014-08-28 10:00 2054656 ----a-w- c:\windows\system32\win32k.sys
2014-08-19 01:46 . 2014-09-12 10:11 916992 ----a-w- c:\windows\system32\wininet.dll
2014-08-19 01:40 . 2014-09-12 10:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2014-08-19 01:40 . 2014-09-12 10:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2014-08-19 01:39 . 2014-09-12 10:11 71680 ----a-w- c:\windows\system32\iesetup.dll
2014-08-19 01:39 . 2014-09-12 10:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
2014-08-19 01:38 . 2014-09-12 10:11 18944 ----a-w- c:\windows\system32\corpol.dll
2014-08-19 00:10 . 2014-09-12 10:11 385024 ----a-w- c:\windows\system32\html.iec
2014-08-18 22:33 . 2014-09-12 10:11 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2014-08-18 22:30 . 2014-09-12 10:11 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-05-15 01:05 121392 ----a-w- c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Uploader"="c:\program files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe" [2014-04-30 126056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1049896]
"PlayMovie"="c:\program files\Acer Arcade Deluxe\PlayMovie\PMVService.exe" [2008-04-18 167936]
"RtHDVCpl"="RtHDVCpl.exe" [2008-06-13 6183456]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"eDataSecurity Loader"="c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe" [2008-05-15 526896]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-18 30192]
"Acer Assist Launcher"="c:\program files\Acer\Acer Assist\launcher.exe" [2007-11-19 1261568]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
"DBAgent"="c:\program files\Seagate\Seagate Dashboard 2.0\DBAgent.exe" [2014-04-30 1519176]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\PrintMaster Gold 17\Remind.exe [2006-2-22 344064]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCleaner Monitoring]
2014-09-26 14:04 4811032 ----a-w- c:\program files\CCleaner\CCleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-05-10 09:41 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-09-10 22:02 809480 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ   FontCache
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ   HPSLPSVC
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-09-25 03:19 1096520 ----a-w- c:\program files\Google\Chrome\Application\37.0.2062.124\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-08 06:14]
.
2014-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-09 23:08]
.
2014-10-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-09 23:08]
.
2014-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2465496490-2242960893-1086147276-1000Core.job
- c:\users\Katherine Weller\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-30 19:24]
.
2014-10-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2465496490-2242960893-1086147276-1000UA.job
- c:\users\Katherine Weller\AppData\Local\Google\Update\GoogleUpdate.exe [2012-12-30 19:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.etsy.com/people/katherineweller?ref=si_pr
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1108&m=aspire_5735
LSP: c:\windows\system32\MyOSProtect.dll
TCP: DhcpNameServer = 192.168.254.254
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
SafeBoot-pcwatch.sys
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-10-30 05:22
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\PlayMovie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3508)
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
c:\program files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\acer\Mobility Center\MobilityService.exe
c:\program files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
c:\program files\Seagate\Seagate Dashboard 2.0\MobileService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Spybot - Search & Destroy\SDWinSec.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2014-10-30  05:26:08 - machine was rebooted
ComboFix-quarantined-files.txt  2014-10-30 12:26
.
Pre-Run: 8,453,242,880 bytes free
Post-Run: 7,475,077,120 bytes free
.
- - End Of File - - 775CE91A84366F19AC9E166BF2300B9E
6FC6F9186C07BCA94E140F63BFE6E9B4

Edited by hamluis, 30 October 2014 - 08:04 AM.
Moved from Web Browsing/Email to Malware Removal Logs - Hamluis.




#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,633 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:54 PM

Posted 04 November 2014 - 03:55 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/553986 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,630 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:54 PM

Posted 09 November 2014 - 09:59 AM

Greetings dkweller and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. While I review our situation please run the below for me.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop <<< Important
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows logo key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST results
  • Addition log
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 dkweller

dkweller
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 09 November 2014 - 10:23 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-11-2014 01
Ran by Katherine Weller (administrator) on KATHERINEWEL-PC on 09-11-2014 19:02:26
Running from F:\
Loaded Profile: Katherine Weller (Available profiles: Katherine Weller)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(Agere Systems) C:\Windows\System32\agrsmsvc.exe
() C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
(Egis Incorporated) C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSService.exe
(Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
() C:\Acer\Mobility Center\MobilityService.exe
(Seagate Technology LLC) C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe
(Seagate Technology LLC) C:\Program Files\Seagate\Seagate Dashboard 2.0\MobileService.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Safer Networking Ltd.) C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Acer Corp.) C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(Egis Incorporated) C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
(Google) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Seagate Technology LLC) C:\Program Files\Seagate\Seagate Dashboard 2.0\DBAgent.exe
(Safer Networking Limited) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
(Google) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
(Realtek Semiconductor Corp.) C:\Users\Katherine Weller\AppData\Local\temp\RtkBtMnt.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
(Hewlett-Packard Co.) C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Hewlett-Packard) C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
(Seagate Technology LLC) C:\Program Files\Seagate\Seagate Dashboard 2.0\DeviceAgent.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1049896 2008-04-25] (Synaptics, Inc.)
HKLM\...\Run: [PlayMovie] => C:\Program Files\Acer Arcade Deluxe\PlayMovie\PMVService.exe [167936 2008-04-18] (Acer Corp.)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [6183456 2008-06-13] (Realtek Semiconductor)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2007-11-20] (Realtek Semiconductor Corp.)
HKLM\...\Run: [eDataSecurity Loader] => C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDSloader.exe [526896 2008-05-14] (Egis Incorporated)
HKLM\...\Run: [Google Desktop Search] => C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-06-18] (Google)
HKLM\...\Run: [Acer Assist Launcher] => C:\Program Files\Acer\Acer Assist\launcher.exe [1261568 2007-11-19] ()
HKLM\...\Run: [Acer Product Registration] => C:\Program Files\Acer\Acer Registration\ACE1.exe [3387392 2007-11-26] (Leader Technologies)
HKLM\...\Run: [DBAgent] => C:\Program Files\Seagate\Seagate Dashboard 2.0\DBAgent.exe [1519176 2014-04-30] (Seagate Technology LLC)
HKU\S-1-5-21-2465496490-2242960893-1086147276-1000\...\Run: [SpybotSD TeaTimer] => C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2144088 2009-01-26] (Safer Networking Limited)
HKU\S-1-5-21-2465496490-2242960893-1086147276-1000\...\Run: [Uploader] => C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.Uploader.exe [126056 2014-04-30] (Seagate Technology LLC)
HKU\S-1-5-21-2465496490-2242960893-1086147276-1000\...\Run: [Google Update] => C:\Users\Katherine Weller\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-09-17] (Google Inc.)
AppInit_DLLs: c:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll => c:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll [123392 2010-06-18] (Google)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Event Reminder.lnk
ShortcutTarget: Event Reminder.lnk -> C:\Program Files\PrintMaster Gold 17\Remind.exe (Broderbund Properties LLC)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
ShellIconOverlayIdentifiers: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll (Egis Inc.)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.etsy.com/people/katherineweller?ref=si_pr
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1108&m=aspire_5735
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2465496490-2242960893-1086147276-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM - {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = 
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=Xj_b294UhMPdWQm9SNbuj7kRzck?q={searchTerms}
SearchScopes: HKCU - {BA9A5390-C0EA-4ACB-AA55-A2EED88239F2} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&type=135963&p={searchTerms}
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO: ShowBarObj Class -> {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} -> C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ActiveToolBand.dll (Egis)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: Google Gears Helper -> {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} -> C:\Program Files\Google\Google Gears\Internet Explorer\0.5.36.0\gears.dll (Google Inc.)
BHO: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM - Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\eDStoolbar.dll (Egis Incorporated.)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - c:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Winsock: Catalog9 01 C:\Windows\system32\MyOSProtect.dll File Not found ()
Winsock: Catalog9 02 C:\Windows\system32\MyOSProtect.dll File Not found ()
Winsock: Catalog9 03 C:\Windows\system32\MyOSProtect.dll File Not found ()
Winsock: Catalog9 04 C:\Windows\system32\MyOSProtect.dll File Not found ()
Winsock: Catalog9 16 C:\Windows\system32\MyOSProtect.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 192.168.254.254
 
FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @videolan.org/vlc,version=2.0.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Katherine Weller\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Katherine Weller\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-09]
FF HKLM\...\Firefox\Extensions: [{000a9d1c-beef-4f90-9363-039d445309b8}] - C:\Program Files\Google\Google Gears\Firefox
FF Extension: Google Gears - C:\Program Files\Google\Google Gears\Firefox [2010-03-05]
FF HKLM\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010-11-11]
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=MAD9F84DB-0248-4799-B3A5-0B8B94BED0EB&SearchSource=55&CUI=&UM=6&UP=SPD44C9FA1-55F5-4F2C-BF59-F6B917C11883&SSPV=
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=MAD9F84DB-0248-4799-B3A5-0B8B94BED0EB&SearchSource=55&CUI=&UM=6&UP=SPD44C9FA1-55F5-4F2C-BF59-F6B917C11883&SSPV="
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Katherine Weller\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.2.464\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\37.0.2062.124\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\37.0.2062.124\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\37.0.2062.124\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10171.dll (Amazon.com, Inc.)
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll No File
CHR Plugin: (VLC Web Plugin) - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (Google Update) - C:\Users\Katherine Weller\AppData\Local\Google\Update\1.3.23.9\npGoogleUpdate3.dll No File
CHR Plugin: (Facebook Plugin) - C:\Users\Katherine Weller\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll ( )
CHR Plugin: (Google Talk Plugin) - C:\Users\Katherine Weller\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
CHR Plugin: (Google Talk Plugin Video Renderer) - C:\Users\Katherine Weller\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
CHR Plugin: (Windows Presentation Foundation) - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_12_0_0_70.dll No File
CHR Profile: C:\Users\Katherine Weller\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Katherine Weller\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-25]
CHR Extension: (Pin It Button) - C:\Users\Katherine Weller\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic [2014-05-13]
CHR Extension: (Google Wallet) - C:\Users\Katherine Weller\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-13]
CHR StartMenuInternet: Google Chrome - chrome.exe
 
========================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 CLHNService; C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe [81504 2008-01-16] () [File not signed]
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-06-18] (Google)
R3 hpqcxs08; C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll [253568 2009-11-18] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll [137344 2009-11-18] (Hewlett-Packard Co.) [File not signed]
R2 HPSLPSVC; C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL [700032 2010-01-29] (Hewlett-Packard Co.) [File not signed]
R2 LightScribeService; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [61440 2007-01-17] (Hewlett-Packard Company) [File not signed]
R2 MobilityService; C:\Acer\Mobility Center\MobilityService.exe [110592 2007-12-06] () [File not signed]
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [44032 2010-01-18] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [53760 2010-01-18] (Hewlett-Packard) [File not signed]
R2 SBSDWSCService; C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
R2 Seagate Dashboard Services; C:\Program Files\Seagate\Seagate Dashboard 2.0\Seagate.Dashboard.DASWindowsService.exe [16000 2014-04-30] (Seagate Technology LLC)
R2 Seagate MobileBackup Service; C:\Program Files\Seagate\Seagate Dashboard 2.0\MobileService.exe [157264 2014-04-30] (Seagate Technology LLC)
S4 MyOSProtect; C:\Program Files\Web Protect\MyOSProtect.exe [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 AFS; C:\Windows\system32\Drivers\AFS.sys [79052 2009-03-07] (Oak Technology Inc.) [File not signed]
R2 NTIPPKernel; C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\NTIPPKernel.sys [122368 2008-01-16] (Cyberlink Corp.) [File not signed]
R1 pcwatch; C:\Windows\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
S3 SPPD; C:\Windows\system32\drivers\SPPD.sys [18872 2014-10-06] ()
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; C:\Program Files\Acer Arcade Deluxe\PlayMovie\000.fcl [61424 2008-04-18] (Cyberlink Corp.)
R1 {be5bf058-a067-4076-8c2e-22b9345a0260}Gt; C:\Windows\System32\drivers\{be5bf058-a067-4076-8c2e-22b9345a0260}Gt.sys [55824 2014-10-06] (StdLib)
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-20] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S0 PSDNServ; system32\drivers\PSDNServ.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-09 19:02 - 2014-11-09 19:02 - 00000000 ____D () C:\FRST
2014-10-30 04:26 - 2014-10-30 04:26 - 00017321 _____ () C:\ComboFix.txt
2014-10-30 04:04 - 2014-10-30 04:26 - 00000000 ____D () C:\Qoobox
2014-10-30 04:04 - 2014-10-30 04:24 - 00000000 ____D () C:\Windows\erdnt
2014-10-30 04:04 - 2011-06-25 22:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-10-30 04:04 - 2010-11-07 09:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-10-30 04:04 - 2009-04-19 20:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-10-30 04:04 - 2000-08-30 16:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-10-30 04:04 - 2000-08-30 16:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-10-30 04:04 - 2000-08-30 16:00 - 00098816 _____ () C:\Windows\sed.exe
2014-10-30 04:04 - 2000-08-30 16:00 - 00080412 _____ () C:\Windows\grep.exe
2014-10-30 04:04 - 2000-08-30 16:00 - 00068096 _____ () C:\Windows\zip.exe
2014-10-30 03:47 - 2014-10-30 03:47 - 00000610 _____ () C:\Users\Katherine Weller\Documents\hosts.txt
2014-10-30 03:42 - 2014-10-30 03:45 - 00000761 _____ () C:\Users\Katherine Weller\Desktop\hosts.txt
2014-10-24 07:29 - 2014-10-24 07:29 - 00000000 ____D () C:\G122_VistaDriver
2014-10-20 20:59 - 2014-10-20 20:59 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-20 20:59 - 2014-10-20 20:59 - 00000000 _____ () C:\Windows\setupact.log
2014-10-20 20:32 - 2014-11-09 18:58 - 00035848 _____ () C:\Windows\WindowsUpdate.log
2014-10-20 20:28 - 2014-11-09 18:55 - 00775402 _____ () C:\Windows\PFRO.log
2014-10-20 20:22 - 2014-10-20 20:22 - 00311182 _____ () C:\Users\Katherine Weller\Documents\cc_20141020_212215.reg
2014-10-20 20:10 - 2014-10-20 20:10 - 00000768 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-10-20 20:10 - 2014-10-20 20:10 - 00000000 ____D () C:\Program Files\CCleaner
2014-10-20 19:40 - 2014-10-20 19:42 - 00000000 _____ () C:\Windows\system32\sfcdetails.txt
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2014-11-09 19:02 - 2006-11-02 02:33 - 00794076 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-09 18:56 - 2009-11-09 15:09 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-09 18:56 - 2006-11-02 04:47 - 00003552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-09 18:56 - 2006-11-02 04:47 - 00003552 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-09 18:55 - 2006-11-02 05:01 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-09 18:55 - 2006-11-02 04:47 - 00875152 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-30 04:46 - 2006-11-02 05:01 - 00032648 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-30 04:26 - 2006-11-02 03:18 - 00000000 __RHD () C:\Users\Default
2014-10-30 04:26 - 2006-11-02 03:18 - 00000000 ___RD () C:\Users\Public
2014-10-30 04:20 - 2006-11-02 02:23 - 00000215 _____ () C:\Windows\system.ini
2014-10-30 04:18 - 2006-11-02 02:22 - 51118080 _____ () C:\Windows\system32\config\software.bak
2014-10-30 04:18 - 2006-11-02 02:22 - 49020928 _____ () C:\Windows\system32\config\COMPON~3.bak
2014-10-30 04:18 - 2006-11-02 02:22 - 37486592 _____ () C:\Windows\system32\config\system.bak
2014-10-30 04:18 - 2006-11-02 02:22 - 00524288 _____ () C:\Windows\system32\config\default.bak
2014-10-30 04:18 - 2006-11-02 02:22 - 00262144 _____ () C:\Windows\system32\config\security.bak
2014-10-30 04:18 - 2006-11-02 02:22 - 00262144 _____ () C:\Windows\system32\config\sam.bak
2014-10-30 04:15 - 2012-12-29 16:46 - 00000952 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2465496490-2242960893-1086147276-1000UA.job
2014-10-30 04:14 - 2014-05-02 10:21 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-30 03:19 - 2009-11-09 15:09 - 00000906 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-20 21:37 - 2010-12-11 08:58 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-10-20 21:32 - 2008-12-26 20:33 - 00127488 _____ () C:\Users\Katherine Weller\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2014-10-20 21:29 - 2014-01-26 10:26 - 00000000 ____D () C:\ProgramData\AVAST Software
2014-10-20 20:34 - 2008-12-26 02:38 - 00294144 _____ () C:\Users\Katherine Weller\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-20 20:26 - 2014-06-22 06:09 - 00000000 ____D () C:\Users\Katherine Weller\AppData\Roaming\Dropbox
2014-10-20 20:13 - 2009-09-01 07:15 - 00000000 ____D () C:\Windows\Minidump
2014-10-20 20:13 - 2008-02-05 15:25 - 00000000 ____D () C:\Windows\Panther
2014-10-20 19:09 - 2006-11-02 03:18 - 00000000 ____D () C:\Windows\system32\LogFiles
2014-10-19 20:24 - 2008-12-27 08:48 - 00037818 _____ () C:\Users\Katherine Weller\AppData\Roaming\wklnhst.dat
2014-10-15 14:14 - 2012-12-29 16:46 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2465496490-2242960893-1086147276-1000Core.job
 
Some content of TEMP:
====================
C:\Users\Katherine Weller\AppData\Local\temp\RtkBtMnt.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-11-09 19:03
 
==================== End Of Log ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 09-11-2014 01
Ran by Katherine Weller at 2014-11-09 19:03:32
Running from F:\
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
32 Bit HP CIO Components Installer (Version: 7.1.4 - Hewlett-Packard) Hidden
Acer Assist (HKLM\...\Acer Assist) (Version:  - Acer Incorporated)
Acer eDataSecurity Management (HKLM\...\{A5633652-3795-4829-BB0B-644F0279E279}) (Version: 3.0.3062 - Egis Inc.)
Acer GridVista (HKLM\...\GridVista) (Version: 2.72.317 - )
Acer Mobility Center Plug-In (HKLM\...\{11316260-6666-467B-AC34-183FCB5D4335}) (Version: 3.0.3000 - Acer Inc.)
Acer Registration (HKLM\...\Acer Registration) (Version:  - Acer - Leader Technologies)
Acer ScreenSaver (HKLM\...\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}) (Version: 1.11.0805 - Acer Incorporated)
Acrobat.com (HKLM\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Activation Assistant for the 2007 Microsoft Office suites (HKLM\...\Activation Assistant for the 2007 Microsoft Office suites) (Version:  - Microsoft Corporation)
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0 - Microsoft Corporation) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Reader X (10.1.4) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.4 - Adobe Systems Incorporated)
Agere Systems HDA Modem (HKLM\...\Agere Systems Soft Modem) (Version:  - Agere Systems)
Amazon MP3 Downloader 1.0.17 (HKLM\...\Amazon MP3 Downloader) (Version: 1.0.17 - Amazon Services LLC)
Apple Application Support (HKLM\...\{3FA365DF-2D68-45ED-8F83-8C8A33E65143}) (Version: 1.1.0 - Apple Inc.)
Apple Software Update (HKLM\...\{6956856F-B6B3-4BE0-BA0B-8F495BE32033}) (Version: 2.1.1.116 - Apple Inc.)
Bing Rewards Client Installer (Version: 16.0.345.0 - Microsoft Corporation) Hidden
BufferChm (Version: 140.0.212.000 - Hewlett-Packard) Hidden
Canon Inkjet Printer Driver Add-On Module (HKLM\...\CANONIJINBOXADDON100) (Version:  - )
Canon PhotoRecord (HKLM\...\{D958FAC4-BAE0-4B1D-A42E-DE9BFDE7DDEE}) (Version: 02.02.00013 - Cisra)
Canon PIXMA iP3000 (HKLM\...\CANONBJ_Deinstall_CNMCP61.DLL) (Version:  - )
CCleaner (HKLM\...\CCleaner) (Version: 4.18 - Piriform)
Coupon Printer for Windows (HKLM\...\Coupon Printer for Windows5.0.0.0) (Version: 5.0.0.0 - Coupons.com Incorporated)
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version:  3.0 - CutePDF.com)
D110 (Version: 140.0.283.000 - Hewlett-Packard) Hidden
Dealio Toolbar v4.0.1 (HKLM\...\{94C3BB3A-56A1-43DE-A242-8B41F46E97EF}) (Version: 1.0.1 - Spigot, Inc.) <==== ATTENTION
Destinations (Version: 140.0.77.000 - Hewlett-Packard) Hidden
DeviceDiscovery (Version: 140.0.212.000 - Hewlett-Packard) Hidden
eSobi v2 (HKLM\...\InstallShield_{15D967B5-A4BE-42AE-9E84-64CD062B25AA}) (Version: 2.0.3.000189 - esobi Inc.)
eSobi v2 (Version: 2.0.3.000189 - esobi Inc.) Hidden
FamilySearch Indexing 3.12.1 (HKLM\...\0591-8077-9297-0833) (Version: 3.12.1 - FamilySearch)
GIMP (HKLM\...\{46BBA993-5554-42E7-8042-E760D92A580A}) (Version: 2.6.11 - Spencer Kimball)
Google Chrome (HKLM\...\Google Chrome) (Version: 37.0.2062.124 - Google Inc.)
Google Desktop (HKLM\...\Google Desktop) (Version: 5.9.1005.12335 - Google)
Google Gears (HKLM\...\{2FA41EBB-3F5A-35C3-85D6-51EC72A11FBD}) (Version: 0.5.3600 - Google)
Google Talk Plugin (HKLM\...\{C1E3DFE7-4EAD-3E9E-A826-E06055BA5921}) (Version: 5.4.2.18903 - Google)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden
GPBaseService2 (Version: 140.0.211.000 - Hewlett-Packard) Hidden
HP Customer Participation Program 14.0 (HKLM\...\HPExtendedCapabilities) (Version: 14.0 - HP)
HP Imaging Device Functions 14.0 (HKLM\...\HP Imaging Device Functions) (Version: 14.0 - HP)
HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.2024 - HP Photo Creations Powered by RocketLife)
HP Photosmart D110 All-In-One Driver Software 14.0 Rel. 7 (HKLM\...\{DBC1DE57-B55A-4D57-9769-1DB9BE506AF7}) (Version: 14.0 - HP)
HP Smart Web Printing 4.60 (HKLM\...\HP Smart Web Printing) (Version: 4.60 - HP)
HP Solution Center 14.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 14.0 - HP)
HP Update (HKLM\...\{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}) (Version: 5.003.001.001 - Hewlett-Packard)
HPAppStudio (Version: 140.0.95.000 - Hewlett-Packard) Hidden
HPDiagnosticAlert (Version: 1.00.0000 - Microsoft) Hidden
HPPhotoGadget (Version: 140.0.524.000 - Hewlett-Packard) Hidden
HPProductAssistant (Version: 140.0.212.000 - Hewlett-Packard) Hidden
Intel® Graphics Media Accelerator Driver (HKLM\...\HDMI) (Version:  - Intel Corporation)
Launch Manager (HKLM\...\LManager) (Version:  - )
LG United Mobile Drivers (HKLM\...\{55031CEF-CE75-4A5C-8DEA-60577820529B}) (Version: 3.10.1.0 - LG Electronics)
LightScribe  1.4.142.1 (Version: 1.4.142.1 - http://www.lightscribe.com) Hidden
Macromedia Shockwave Player (HKLM\...\Macromedia Shockwave Player) (Version:  - )
Malwarebytes' Anti-Malware (HKLM\...\Malwarebytes' Anti-Malware_is1) (Version:  - Malwarebytes Corporation)
MarketResearch (Version: 140.0.212.000 - Hewlett-Packard) Hidden
Marvell Miniport Driver (HKLM\...\Marvell Miniport Driver) (Version: 10.55.3.3 - Marvell)
Micrografx Windows Draw 6 LE (HKLM\...\WindowsDraw6) (Version:  - )
Microsoft .NET Framework 1.1 (HKLM\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2698023) (HKLM\...\M2698023) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB2833941) (HKLM\...\M2833941) (Version:  - )
Microsoft .NET Framework 1.1 Security Update (KB979906) (HKLM\...\M979906) (Version:  - )
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office PowerPoint 2003 (HKLM\...\{90180409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Web Publishing Wizard 1.52 (HKLM\...\WebPost) (Version:  - )
Microsoft Works (HKLM\...\{6D52C408-B09A-4520-9B18-475B81D393F1}) (Version: 08.05.0818 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Network (Version: 140.0.215.000 - Hewlett-Packard) Hidden
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
Orion (HKLM\...\{5B63A470-9334-44D1-AF61-6CE2DB565AE9}) (Version: 2.0.1 - Convesoft)
PhotoNow! (HKLM\...\{D36DD326-7280-11D8-97C8-000129760CBE}) (Version: 1.1.4619 - CyberLink Corp.)
PowerDirector (HKLM\...\InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}) (Version: 6.5.2713 - CyberLink Corp.)
PowerDirector (Version: 6.5.2713 - CyberLink Corp.) Hidden
PrintMaster Gold 17 (HKLM\...\{C4DCAD15-B754-4FD9-8035-713FE919B118}) (Version: 17.00.0000 - Broderbund Software)
PS_AIO_07_D110_SW_Min (Version: 140.0.142.000 - Hewlett-Packard) Hidden
QuickTransfer (Version: 140.0.98.000 - Hewlett-Packard) Hidden
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5643 - Realtek Semiconductor Corp.)
Realtek USB 2.0 Card Reader (HKLM\...\{DC24971E-1946-445D-8A82-CE685433FA7D}) (Version: 3.0.1.3 - Realtek Semiconductor Corp.)
Scan (Version: 140.0.80.000 - Hewlett-Packard) Hidden
Seagate Dashboard (HKLM\...\{67445E65-3D93-428F-83A5-446F7D02689A}) (Version: 3.1.3.0 - Seagate)
SmartWebPrinting (Version: 140.0.186.000 - Hewlett-Packard) Hidden
SolutionCenter (Version: 140.0.214.000 - Hewlett-Packard) Hidden
Spelling Dictionaries Support For Adobe Reader 9 (HKLM\...\{AC76BA86-7AD7-5464-3428-900000000004}) (Version: 9.0.0 - Adobe Systems Incorporated)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
Status (Version: 140.0.256.000 - Hewlett-Packard) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 11.1.4.0 - Synaptics)
Toolbox (Version: 140.0.428.000 - Hewlett-Packard) Hidden
TrayApp (Version: 140.0.212.000 - Hewlett-Packard) Hidden
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VLC media player 2.0.4 (HKLM\...\VLC media player) (Version: 2.0.4 - VideoLAN)
WebReg (Version: 140.0.212.017 - Hewlett-Packard) Hidden
Windows Live ID Sign-in Assistant (HKLM\...\{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}) (Version: 6.500.3165.0 - Microsoft Corporation)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\Katherine Weller\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\Katherine Weller\AppData\Local\Google\Update\1.3.24.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\Katherine Weller\AppData\Local\Google\Update\1.3.24.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{32C3FEAE-0877-4767-8C20-62A5829A0945}\InprocServer32 -> C:\Users\Katherine Weller\AppData\Roaming\Facebook\axfbootloader.dll ( )
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{39125640-8D80-11DC-A2FE-C5C455D89593}\InprocServer32 -> C:\Users\Katherine Weller\AppData\Local\Google\Google Talk Plugin\googletalkax.dll (Google)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{3f04dadf-6ea4-44d1-a507-03cad176f443}\InprocServer32 -> C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin10171.dll (Amazon.com, Inc.)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{4052D303-74C5-49EA-BC6B-66099C8D4007}\InprocServer32 -> C:\Program Files\Google\Google Desktop Search\GoogleDesktopAPI2.dll (Google)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\Katherine Weller\AppData\Local\Google\Update\1.3.24.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Katherine Weller\AppData\Local\Google\Update\1.3.24.15\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{AB9F4455-E591-4132-A386-0B91EAEDB96C}\InprocServer32 -> C:\Users\Katherine Weller\AppData\Local\Google\Google Talk Plugin\o1dax.dll (Google)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\Katherine Weller\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\Katherine Weller\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{C98FE784-B96E-41e1-8399-1337AE3E539F}\InprocServer32 -> C:\Users\Katherine Weller\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll ( )
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\Katherine Weller\AppData\Local\Google\Update\1.3.24.15\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2465496490-2242960893-1086147276-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Katherine Weller\AppData\Local\Google\Update\1.3.24.15\psuser.dll (Google Inc.)
 
==================== Restore Points  =========================
 
21-10-2014 04:58:09 avast! antivirus system restore point
21-10-2014 05:18:11 avast! antivirus system restore point
30-10-2014 12:05:14 ComboFix created restore point
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2006-11-02 02:23 - 2014-10-30 04:19 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {18883852-8D82-4F3E-9423-8E87862A53D2} - System32\Tasks\Seagate_Install_Launch => C:\Program Files\Seagate\Seagate Dashboard 2.0\Dashboard.exe [2014-04-30] (Seagate Technology LLC)
Task: {3ACF7993-4641-4AB0-96A1-D4D80905A9E4} - System32\Tasks\APSnotifierPP3 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {4484419F-A6B2-4081-BAF8-667B319CEB2B} - System32\Tasks\Katherine Weller DBAgent 2 0 => C:\Program Files\Seagate\Seagate Dashboard 2.0\DBAgent.exe [2014-04-30] (Seagate Technology LLC)
Task: {5CBE4F12-36D1-448B-9F74-F7C225AFA578} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2009-11-09] (Google Inc.)
Task: {7686E14A-E67F-468B-9C07-4EDF001CE58A} - System32\Tasks\APSnotifierPP2 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {896E2499-6946-4F0F-9A8F-986806EC6185} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe
Task: {95C29989-0F92-4927-A30D-38BE3D8D8BAC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2009-11-09] (Google Inc.)
Task: {A95C5B87-46D0-46E5-AB33-0B0CAD7025E9} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2465496490-2242960893-1086147276-1000UA => C:\Users\Katherine Weller\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-17] (Google Inc.)
Task: {C6AC9B83-0ADF-42E2-A721-01CF31EF5574} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2465496490-2242960893-1086147276-1000Core => C:\Users\Katherine Weller\AppData\Local\Google\Update\GoogleUpdate.exe [2012-09-17] (Google Inc.)
Task: {CA92B807-E783-407D-8AD3-FF55EDA0BCEA} - System32\Tasks\APSnotifierPP1 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {D16D6F0D-123F-405E-9743-70BD7983119A} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30] (Apple Inc.)
Task: {FFE8FA4D-845E-4F96-802C-4FFB0297F93B} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-23] (Adobe Systems Incorporated)
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2465496490-2242960893-1086147276-1000Core.job => C:\Users\Katherine Weller\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2465496490-2242960893-1086147276-1000UA.job => C:\Users\Katherine Weller\AppData\Local\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) =============
 
2008-04-30 01:59 - 2008-01-16 17:35 - 00081504 _____ () C:\Program Files\Acer Arcade Deluxe\HomeMedia\Kernel\DMP\CLHNService.exe
2008-11-10 13:30 - 2007-12-06 16:15 - 00110592 _____ () C:\Acer\Mobility Center\MobilityService.exe
2008-11-10 13:30 - 2007-11-27 15:08 - 00032768 _____ () C:\Acer\Mobility Center\MobilityInterface.dll
2008-05-14 17:05 - 2008-05-14 17:05 - 00227888 _____ () C:\Program Files\Acer\Empowering Technology\eDataSecurity\x86\ShowErrMsg.dll
2008-12-26 02:37 - 2010-06-18 05:11 - 00034816 _____ () C:\Program Files\Google\Google Desktop Search\gzlib.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\ProgramData\TEMP:9E22BBE8
AlternateDataStreams: C:\ProgramData\TEMP:FC420CE6
AlternateDataStreams: C:\ProgramData\TEMP:FEBEC560
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MyOSProtect => ""="service"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
MSCONFIG\startupreg: HP Software Update => C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
MSCONFIG\startupreg: LManager => C:\PROGRA~1\LAUNCH~1\LManager.exe
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-2465496490-2242960893-1086147276-500 - Administrator - Disabled)
ASPNET (S-1-5-21-2465496490-2242960893-1086147276-1003 - Limited - Enabled)
Guest (S-1-5-21-2465496490-2242960893-1086147276-501 - Limited - Enabled)
Katherine Weller (S-1-5-21-2465496490-2242960893-1086147276-1000 - Administrator - Enabled) => C:\Users\Katherine Weller
 
==================== Faulty Device Manager Devices =============
 
Name: isatap.westell.com
Description: Microsoft ISATAP Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
Name: isatap.myhome.westell.com
Description: Microsoft ISATAP Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
Name: Photosmart D110 series
Description: Photosmart D110 series
Class Guid: {4d36e971-e325-11ce-bfc1-08002be10318}
Manufacturer: HP
Service: 
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (11/09/2014 06:59:57 PM) (Source: Microsoft-Windows-SpoolerSpoolss) (EventID: 1031) (User: NT AUTHORITY)
Description: 0x80072af9
 
Error: (11/09/2014 06:58:26 PM) (Source: Microsoft-Windows-SpoolerSpoolss) (EventID: 1031) (User: NT AUTHORITY)
Description: 0x80072af9
 
Error: (11/09/2014 06:56:19 PM) (Source: Microsoft-Windows-SpoolerSpoolss) (EventID: 1031) (User: NT AUTHORITY)
Description: 0x80072af9
 
Error: (11/09/2014 06:56:01 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/30/2014 04:25:39 AM) (Source: Microsoft-Windows-SpoolerSpoolss) (EventID: 1031) (User: NT AUTHORITY)
Description: 0x80072af9
 
Error: (10/30/2014 04:22:39 AM) (Source: Microsoft-Windows-SpoolerSpoolss) (EventID: 1031) (User: NT AUTHORITY)
Description: 0x80072af9
 
Error: (10/30/2014 04:19:33 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (10/30/2014 04:19:28 AM) (Source: Microsoft-Windows-SpoolerSpoolss) (EventID: 1031) (User: NT AUTHORITY)
Description: 0x80072af9
 
Error: (10/30/2014 03:23:07 AM) (Source: Microsoft-Windows-SpoolerSpoolss) (EventID: 1031) (User: NT AUTHORITY)
Description: 0x80072af9
 
Error: (10/30/2014 03:20:06 AM) (Source: Microsoft-Windows-SpoolerSpoolss) (EventID: 1031) (User: NT AUTHORITY)
Description: 0x80072af9
 
 
System errors:
=============
Error: (11/09/2014 06:59:57 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: Print Spooler3
 
Error: (11/09/2014 06:58:46 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: Windows Update%%2147952506
 
Error: (11/09/2014 06:58:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Print Spooler2600001Restart the service
 
Error: (11/09/2014 06:58:08 PM) (Source: Microsoft-Windows-Bits-Client) (EventID: 16392) (User: NT AUTHORITY)
Description: 2147952506
 
Error: (11/09/2014 06:57:38 PM) (Source: Microsoft-Windows-Bits-Client) (EventID: 16392) (User: NT AUTHORITY)
Description: 2147952506
 
Error: (11/09/2014 06:57:38 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {4991D34B-80A1-4291-83B6-3328366B9097}
 
Error: (11/09/2014 06:57:09 PM) (Source: Microsoft-Windows-Bits-Client) (EventID: 16392) (User: NT AUTHORITY)
Description: 2147952506
 
Error: (11/09/2014 06:56:19 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: Print Spooler1600001Restart the service
 
Error: (11/09/2014 06:56:15 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: PSDNServ
 
Error: (11/09/2014 06:56:01 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: IPsec Policy Agent%%10106
 
 
Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2014-10-20 02:57:45.488
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:43.895
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:42.254
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:40.668
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:37.018
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:35.368
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:33.850
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:32.274
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:29.227
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22577_none_b36309477fb64a54\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:27.590
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22577_none_b36309477fb64a54\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® Dual CPU T3400 @ 2.16GHz
Percentage of memory in use: 37%
Total physical RAM: 3000.12 MB
Available physical RAM: 1865.87 MB
Total Pagefile: 6242.49 MB
Available Pagefile: 5133.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 1895.28 MB
 
==================== Drives ================================
 
Drive c: (ACER) (Fixed) (Total:69.65 GB) (Free:6.84 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:69.64 GB) (Free:69.18 GB) NTFS
Drive f: (MATTHEW) (Removable) (Total:0.49 GB) (Free:0.4 GB) FAT
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 149.1 GB) (Disk ID: CE0AE441)
Partition 1: (Not Active) - (Size=9.8 GB) - (Type=27)
Partition 2: (Active) - (Size=69.6 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=69.6 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 504.5 MB) (Disk ID: 6F20736B)
No partition Table on disk 1.
Disk 1 is a removable device.
 
==================== End Of Log ============================
 
Attached File: summary.zip (80.21 KB)

#5 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,630 posts
  • Gender:Male
  • Location:California
  • Local time:01:54 PM

Posted 09 November 2014 - 10:56 PM

Greetings,

Please consider and do this.

===================================================

Spybot S&D No Longer Recommended

--------------------

MVPS.org is no longer recommending Spybot S&D due to poor testing results. (scroll down on the web site and read under Freeware Antispyware Products)

I recommend uninstalling Spybot Search & Destroy at least while we are addressing your issues. The presence of this program can make cleaning your computer more difficult.

If you choose to uninstall please go to Start, Control Panel, Add/Remove Programs (or Programs and Features) and uninstall the program.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2465496490-2242960893-1086147276-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKCU - {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = http://www.trovi.com/Results.aspx?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=MAD9F84DB-0248-4799-B3A5-0B8B94BED0EB&SearchSource=58&CUI=&UM=6&UP=SPD44C9FA1-55F5-4F2C-BF59-F6B917C11883&q={searchTerms}&SSPV=
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=Xj_b294UhMPdWQm9SNbuj7kRzck?q={searchTerms}
SearchScopes: HKCU - {C8179A73-3526-41A4-812A-C86D681DCF98} URL = http://websearch.ask.com/redirect?client=ie&tb=MP3R7&o=15863&src=crm&q={searchTerms}&locale=en_US&apn_ptnrs=RV&apn_dtid=YYYYYYYYUS&apn_uid=ceb8cbcc-0775-4551-b243-0dcac3645bd6&apn_sauid=B512EB6B-A3B0-455A-9DF1-FC0F5B1F6B07
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
S4 MyOSProtect; C:\Program Files\Web Protect\MyOSProtect.exe [X]
R1 pcwatch; C:\Windows\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S0 PSDNServ; system32\drivers\PSDNServ.sys [X]
Task: {3ACF7993-4641-4AB0-96A1-D4D80905A9E4} - System32\Tasks\APSnotifierPP3 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {7686E14A-E67F-468B-9C07-4EDF001CE58A} - System32\Tasks\APSnotifierPP2 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {CA92B807-E783-407D-8AD3-FF55EDA0BCEA} - System32\Tasks\APSnotifierPP1 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:9E22BBE8
AlternateDataStreams: C:\ProgramData\TEMP:FC420CE6
AlternateDataStreams: C:\ProgramData\TEMP:FEBEC560
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MyOSProtect => ""="service"
C:\Windows\system32\Drivers\pcwatch.sys
C:\Program Files\AnyProtectEx
cmd: netsh winsock reset
Reboot:
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • Your computer will automatically reboot
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Check your internet access
===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed click on Clean
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can also find the logfile at C:\AdwCleaner\AdwCleaner.txt
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • AdwCleaner log
  • Junkware log
  • Do you have internet access?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
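The FRST fix above ends with "copy and paste the contents of Fixlog.txt", and the log is long enough that a result line such as "Unable to stop service" or an "Access is denied." inside a cmd: block is easy to miss. The following is an added example, not part of the original post or of FRST itself: a small triage that reads a Fixlog.txt and sorts each result into completed, already absent, pending reboot, or failed. It assumes only the line shapes FRST prints (`item => outcome`, the `=========  <cmd> =========` ... `End of CMD` block, and the `*****` rules around the echoed fixlist); the sample log is constructed in that format from the kinds of entries this thread discusses, not copied from any post.

```python
"""Triage an FRST Fixlog.txt: which fixlist entries completed and which did not.

Added example for this thread; not part of FRST or of any post here.  It
assumes only the line shapes FRST prints ('item => outcome', the
'=========  <cmd> =========' / 'End of CMD' block, and the '*****' rules
around the echoed fixlist).  SAMPLE_FIXLOG is constructed in that format
from the kinds of entries this thread discusses, not copied from a post.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_FIXLOG = """\
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86)
Content of fixlist:
*****************
HKLM\\SOFTWARE\\Policies\\Google: Policy restriction <======= ATTENTION
R1 pcwatch; C:\\Windows\\system32\\Drivers\\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
C:\\Windows\\system32\\Drivers\\pcwatch.sys
cmd: netsh winsock reset
Reboot:
*****************

"HKLM\\SOFTWARE\\Policies\\Google" => Key deleted successfully.
"HKCR\\CLSID\\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key not found.
pcwatch => Unable to stop service
pcwatch => Error deleting Service
C:\\ProgramData\\TEMP => ":9E22BBE8" ADS removed successfully.
Could not move "C:\\Windows\\system32\\Drivers\\pcwatch.sys" => Scheduled to move on reboot.

=========  netsh winsock reset =========

Access is denied.

========= End of CMD: =========

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-11-09 21:18:16)<=

"C:\\Windows\\system32\\Drivers\\pcwatch.sys" => File could not move.

==== End of Fixlog ====
"""


@dataclass
class Finding:
    item: str
    outcome: str
    status: str  # "ok", "absent", "pending" or "failed"


ARROW = " => "
CMD_HEADER = re.compile(r"^=+\s+(.*?)\s+=+$")


def _classify(outcome: str) -> str:
    text = outcome.lower()
    if "scheduled to move on reboot" in text:
        return "pending"   # not a result yet; the post-reboot block decides it
    if "successfully" in text:
        return "ok"
    if "not found" in text:
        return "absent"    # already gone, or the entry never resolved to anything
    return "failed"        # 'Unable to stop service', 'File could not move', ...


def _item_name(lhs: str) -> str:
    lhs = lhs.strip()
    if lhs.startswith("Could not move "):
        lhs = lhs[len("Could not move "):]
    return lhs.strip('"')


def parse_fixlog(text: str) -> List[Finding]:
    lines = text.splitlines()
    rules = [i for i, l in enumerate(lines) if l.strip().startswith("*****")]
    i = rules[1] + 1 if len(rules) >= 2 else 0   # skip the echoed fixlist
    findings: List[Finding] = []
    while i < len(lines):
        line = lines[i].strip()
        header = CMD_HEADER.match(line)
        if header and "End of" not in line:
            # Output of a 'cmd:' directive runs until the 'End of CMD' marker.
            name, output = header.group(1), []
            i += 1
            while i < len(lines) and "End of CMD" not in lines[i]:
                if lines[i].strip():
                    output.append(lines[i].strip())
                i += 1
            failed = any(re.search(r"access is denied|error|fail", o, re.I) for o in output)
            findings.append(Finding(name, " ".join(output) or "(no output)",
                                    "failed" if failed else "ok"))
        elif ARROW in line and not line.startswith("=>"):
            lhs, outcome = line.split(ARROW, 1)
            findings.append(Finding(_item_name(lhs), outcome.strip(), _classify(outcome)))
        i += 1
    return findings


def failed_items(text: str) -> List[str]:
    """Distinct items whose fix did not complete, in log order."""
    out: List[str] = []
    for f in parse_fixlog(text):
        if f.status == "failed" and f.item not in out:
            out.append(f.item)
    return out


def summarize(text: str) -> Dict[str, int]:
    counts = {"ok": 0, "absent": 0, "pending": 0, "failed": 0}
    for f in parse_fixlog(text):
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    for f in parse_fixlog(SAMPLE_FIXLOG):
        print(f"{f.status:7}  {f.item}  <- {f.outcome}")
    print("needs follow-up:", failed_items(SAMPLE_FIXLOG))
```

To use it on a real log, read the text of Fixlog.txt and pass it to `failed_items`. "Scheduled to move on reboot" is kept as its own state on purpose: it is a promise, not a result, and the block after "Result of Scheduled Files to move" is what says whether a driver that was still loaded actually went away.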

#6 dkweller

  • Topic Starter
  • Members
  • 19 posts
  • Local time:12:54 PM

Posted 10 November 2014 - 12:49 AM

No internet access yet, tried Chrome and IE.  By the way, your help thus far is so appreciated!

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-11-2014 01
Ran by Katherine Weller at 2014-11-09 21:15:55 Run:1
Running from C:\Users\Katherine Weller\Desktop
Loaded Profile: Katherine Weller (Available profiles: Katherine Weller)
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2465496490-2242960893-1086147276-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKCU - {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = http://www.trovi.com/Results.aspx?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&IS ID=MAD9F84DB-0248-4799-B3A5-0B8B94BED0EB&SearchSource=58&CUI=&UM=6&UP=SPD4 4C9FA1-55F5-4F2C-BF59-F6B917C11883&q={searchTerms}&SSPV=
SearchScopes: HKCU -
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
S4 MyOSProtect; C:\Program Files\Web Protect\MyOSProtect.exe [X]
R1 pcwatch; C:\Windows\system32\Drivers\pcwatch.sys [19840 2014-09-01] () [File not signed] <==== ATTENTION
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S0 PSDNServ; system32\drivers\PSDNServ.sys [X]
Task: {3ACF7993-4641-4AB0-96A1-D4D80905A9E4} -
System32\Tasks\APSnotifierPP3 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {7686E14A-E67F-468B-9C07-4EDF001CE58A} - System32\Tasks\APSnotifierPP2 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {CA92B807-E783-407D-8AD3-FF55EDA0BCEA} - System32\Tasks\APSnotifierPP1 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:9E22BBE8
AlternateDataStreams: C:\ProgramData\TEMP:FC420CE6
AlternateDataStreams: C:\ProgramData\TEMP:FEBEC560
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MyOSProtect => ""="service"
C:\Windows\system32\Drivers\pcwatch.sys
C:\Program Files\AnyProtectEx
cmd: netsh winsock reset
Reboot:
*****************
 
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-2465496490-2242960893-1086147276-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}" => Key deleted successfully.
"HKCR\CLSID\{2E00D31D-D171-423D-836D-1A4D7EA7F1A9}" => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\SearchScopes: HKCU - => Value not found.
{70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=Xj_b294UhMPdWQm9SNbuj7kRzck?q={searchTerms} => Error: No automatic fix found for this entry.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C8179A73-3526-41A4-812A-C86D681DCF98}" => Key deleted successfully.
"HKCR\CLSID\{C8179A73-3526-41A4-812A-C86D681DCF98}" => Key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key deleted successfully.
"HKCR\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => Key not found.
MyOSProtect => Error deleting Service
pcwatch => Unable to stop service
pcwatch => Error deleting Service
catchme => Service deleted successfully.
IpInIp => Service deleted successfully.
NwlnkFlt => Service deleted successfully.
NwlnkFwd => Service deleted successfully.
PSDNServ => Service deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\Task: {3ACF7993-4641-4AB0-96A1-D4D80905A9E4} -" => Key not found.
System32\Tasks\APSnotifierPP3 => C:\Program Files\AnyProtectEx\AnyProtect.exe <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7686E14A-E67F-468B-9C07-4EDF001CE58A}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7686E14A-E67F-468B-9C07-4EDF001CE58A}" => Key deleted successfully.
C:\Windows\System32\Tasks\APSnotifierPP2 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\APSnotifierPP2" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CA92B807-E783-407D-8AD3-FF55EDA0BCEA}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA92B807-E783-407D-8AD3-FF55EDA0BCEA}" => Key deleted successfully.
C:\Windows\System32\Tasks\APSnotifierPP1 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\APSnotifierPP1" => Key deleted successfully.
C:\ProgramData\TEMP => ":9E22BBE8" ADS removed successfully.
C:\ProgramData\TEMP => ":FC420CE6" ADS removed successfully.
C:\ProgramData\TEMP => ":FEBEC560" ADS removed successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\MyOSProtect" => Key deleted successfully.
Could not move "C:\Windows\system32\Drivers\pcwatch.sys" => Scheduled to move on reboot.
"C:\Program Files\AnyProtectEx" => File/Directory not found.
 
=========  netsh winsock reset =========
 
Access is denied.
 
 
 
========= End of CMD: =========
 
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-11-09 21:18:16)<=
 
"C:\Windows\system32\Drivers\pcwatch.sys" => File could not move.
 
==== End of Fixlog ====
 
 
# AdwCleaner v4.101 - Report created 09/11/2014 at 21:33:42
# Updated 09/11/2014 by Xplode
# Database : 2014-11-07.1 [Local]
# Operating System : Windows Vista ™ Home Premium Service Pack 2 (32 bits)
# Username : Katherine Weller - KATHERINEWEL-PC
# Running from : C:\Users\Katherine Weller\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
[#] Service Deleted : MyOSProtect
[#] Service Deleted : pcwatch
[#] Service Deleted : SPPD
[#] Service Deleted : {be5bf058-a067-4076-8c2e-22b9345a0260}Gt
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Program Files\Convesoft
Folder Deleted : C:\Program Files\Optimizer Pro
Folder Deleted : C:\Program Files\predm
Folder Deleted : C:\Users\Katherine Weller\AppData\Local\SearchProtect
Folder Deleted : C:\Users\Katherine Weller\AppData\LocalLow\Dealio
Folder Deleted : C:\Users\Katherine Weller\AppData\LocalLow\HPAppData
Folder Deleted : C:\Users\Katherine Weller\AppData\LocalLow\Search Settings
Folder Deleted : C:\Users\Katherine Weller\AppData\Roaming\ap_logs
Folder Deleted : C:\Users\Katherine Weller\Documents\Optimizer Pro
File Deleted : C:\monitorsvc.exe
File Deleted : C:\Windows\system32\drivers\pcwatch.sys
File Deleted : C:\Windows\system32\MyOSProtect.ini
File Deleted : C:\Windows\system32\MyOSProtectOff.ini
File Deleted : C:\Windows\system32\\drivers\{be5bf058-a067-4076-8c2e-22b9345a0260}Gt.sys
File Deleted : C:\Users\Katherine Weller\Desktop\Continue Live Installation.lnk
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\Google\Chrome\Extensions\pfkfdlcdbajamklbneflfbcmfgddmpae
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\pfkfdlcdbajamklbneflfbcmfgddmpae
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FE9271F2-6EFD-44B0-A826-84C829536E93}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKCU\Software\AnyProtect
Key Deleted : HKCU\Software\APN PIP
Key Deleted : HKCU\Software\Convesoft
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Optimizer Pro
Key Deleted : HKCU\Software\Search Settings
Key Deleted : HKCU\Software\TutoTag
Key Deleted : HKCU\Software\WebProtect
Key Deleted : HKCU\Software\WEDLMNGR
Key Deleted : HKCU\Software\StormWatch
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Dealio
Key Deleted : HKLM\SOFTWARE\Dealio
Key Deleted : HKLM\SOFTWARE\Freeze.com
Key Deleted : HKLM\SOFTWARE\PIP
Key Deleted : HKLM\SOFTWARE\Search Settings
Key Deleted : HKLM\SOFTWARE\Tutorials
Key Deleted : HKLM\SOFTWARE\WebProtect
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{94C3BB3A-56A1-43DE-A242-8B41F46E97EF}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.0.0
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{94C3BB3A-56A1-43DE-A242-8B41F46E97EF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AnyProtect
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\MyPC Backup
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\PCSU-SL_is1
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\SearchProtect
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Printer for Windows5.0.0.0
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\00E944CB89111313EAF35A0553F547F9
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\53F55AF3F4049ED3FA6EA6F88E414E24
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\68E4BF4B11615E03C97732FD581AB607
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CE3DDAB2D152683FBCEB4866BCD2B0F
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AF6CE16AFEA5C9A39B766468A8B35C21
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB1E44269B58F433A8C8E671E37CFDCF
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\074A36B543391D44FA16C62EBD65A59E
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\074A36B543391D44FA16C62EBD65A59E
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\074A36B543391D44FA16C62EBD65A59E
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v8.0.6001.19561
 
 
-\\ Google Chrome v37.0.2062.124
 
[C:\Users\Katherine Weller\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Katherine Weller\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Katherine Weller\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=MAD9F84DB-0248-4799-B3A5-0B8B94BED0EB&SearchSource=58&CUI=&UM=6&UP=SPD44C9FA1-55F5-4F2C-BF59-F6B917C11883&q={searchTerms}&SSPV=
[C:\Users\Katherine Weller\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.trovi.com/Results.aspx?gd=&ctid=CT3330390&octid=EB_ORIGINAL_CTID&ISID=MAD9F84DB-0248-4799-B3A5-0B8B94BED0EB&SearchSource=58&CUI=&UM=6&UP=SPD44C9FA1-55F5-4F2C-BF59-F6B917C11883&q={searchTerms}&SSPV=
[C:\Users\Katherine Weller\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://astromenda.com/results.php?f=4&q={searchTerms}&a=cmi&cd=2XzuyEtN2Y1L1QzutDtDtBtAyE0EyEtAyE0ByBtAzyzy0DtCtN0D0Tzu0StCtDtCtDtN1L2XzutAtFtBtFtCtFyDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2SyB0FtCzzyDtD0D0DtGtDtDyEtDtG0CyBzy0EtGyCtCtD0DtGtC0B0D0E0EtAzzyEyBtCzy0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyEyCyEtCyByEtB0FtG0FtDtAyBtGyEtAtA0BtGzyyCyB0EtGtBtByC0EtByBzyzy0D0BtBtC2Q&cr=943633407&ir=
[C:\Users\Katherine Weller\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://movies.netflix.com/WiSearch?raw_query=&ac_category_type=none&ac_rel_posn=-1&ac_abs_posn=-1&v1={searchTerms}&search_submit=
 
*************************
 
AdwCleaner[R0].txt - [8869 octets] - [09/11/2014 21:27:51]
AdwCleaner[S0].txt - [8955 octets] - [09/11/2014 21:33:42]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9015 octets] ##########
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.7 (11.08.2014:1)
OS: Windows Vista ™ Home Premium x86
Ran by Katherine Weller on Sun 11/09/2014 at 21:39:09.86
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
Successfully deleted: [File] C:\Windows\System32\Tasks\APSnotifierPP3
Successfully deleted: [File] "C:\Windows\couponprinter.ocx"
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Program Files\coupons"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 11/09/2014 at 21:42:11.38
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 



#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,630 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:54 PM

Posted 10 November 2014 - 09:35 AM

Thank you,

Please do these things.

===================================================

Elevated Command

--------------------
  • Click Start and type cmd in the Search box.
  • You will see cmd in the upper part.
  • Right-click cmd above and select "Run As Administrator".
  • Type the following after the command prompt then hit Enter

netsh winsock reset

  • Reboot your computer
  • Attempt to access the internet
===================================================

Farbar's Service Scanner

--------------------
  • Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services

  • Press Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
===================================================

Farbar's MiniToolBox

--------------------
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure only the following options are checked:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Did the command run successfully or did you get an error?
  • Do you have internet?
  • FSS.txt
  • Result.txt

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 dkweller

dkweller
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 10 November 2014 - 08:04 PM

Got "access is denied" after typing your instructions in the command prompt.

 

Farbar Service Scanner Version: 21-07-2014
Ran by Katherine Weller (administrator) on 10-11-2014 at 16:55:05
Running from "C:\Users\Katherine Weller\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.
 
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Checking LEGACY_BITS: ATTENTION!=====> Unable to open LEGACY_BITS\0000 registry key. The key does not exist.
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcsvc.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
 
 
**** End of log ****
 
 
MiniToolBox by Farbar  Version: 21-07-2014
Ran by Katherine Weller (administrator) on 10-11-2014 at 16:58:33
Running from "C:\Users\Katherine Weller\Desktop"
Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
 
127.0.0.1       localhost
 
========================= IP Configuration: ================================
 
Atheros AR5B91 Wireless Network Adapter = Wireless Network Connection (Connected)
Generic Marvell Yukon 88E8071 based Ethernet Controller = Local Area Connection (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : KatherineWel-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : netgear.com
 
Wireless LAN adapter Wireless Network Connection:
 
   Connection-specific DNS Suffix  . : netgear.com
   Description . . . . . . . . . . . : Atheros AR5B91 Wireless Network Adapter
   Physical Address. . . . . . . . . : 00-23-4E-43-4B-73
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e13b:402:8260:d183%14(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.254.18(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, November 10, 2014 4:01:34 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 11, 2014 4:01:33 PM
   Default Gateway . . . . . . . . . : 192.168.254.254
   DHCP Server . . . . . . . . . . . : 192.168.254.254
   DHCPv6 IAID . . . . . . . . . . . : 301998926
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-10-AA-5C-F5-00-1D-72-DB-BE-7C
   DNS Servers . . . . . . . . . . . : 192.168.254.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : netgear.com
   Description . . . . . . . . . . . : Generic Marvell Yukon 88E8071 based Ethernet Controller
   Physical Address. . . . . . . . . : 00-1D-72-DB-BE-7C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection* 11:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  192.168.254.254
 
Ping request could not find host google.com. Please check the name and try again.
 
Server:  UnKnown
Address:  192.168.254.254
 
Ping request could not find host yahoo.com. Please check the name and try again.
 
 
 
Pinging  with 32 bytes of data:
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
 
 
Ping statistics for :
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
===========================================================================
Interface List
 14 ...00 23 4e 43 4b 73 ...... Atheros AR5B91 Wireless Network Adapter
 13 ...00 1d 72 db be 7c ...... Generic Marvell Yukon 88E8071 based Ethernet Controller
  1 ........................... Software Loopback Interface 1
 10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.254.254   192.168.254.18     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.254.0    255.255.255.0         On-link    192.168.254.18    281
   192.168.254.18  255.255.255.255         On-link    192.168.254.18    281
  192.168.254.255  255.255.255.255         On-link    192.168.254.18    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.254.18    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.254.18    281
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 14    281 fe80::/64                On-link
 14    281 fe80::e13b:402:8260:d183/128
                                    On-link
  1    306 ff00::/8                 On-link
 14    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 02 C:\Windows\system32\napinsp.dll [50176] (Microsoft Corporation)
Catalog5 03 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 04 C:\Windows\system32\pnrpnsp.dll [62464] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog5 06 C:\Windows\system32\winrnr.dll [19968] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\MyOSProtect.dll [File not found] ()
Catalog9 02 C:\Windows\system32\MyOSProtect.dll [File not found] ()
Catalog9 03 C:\Windows\system32\MyOSProtect.dll [File not found] ()
Catalog9 04 C:\Windows\system32\MyOSProtect.dll [File not found] ()
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\MyOSProtect.dll [File not found] ()
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 20 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 21 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 22 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 23 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 24 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 25 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 26 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (11/10/2014 04:54:00 PM) (Source: Application Hang) (User: )
Description: The program Explorer.EXE version 6.0.6002.18005 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel.
Process ID: ce4
Start Time: 01cffd42b6a81e05
Termination Time: 0
 
Error: (11/10/2014 04:06:17 PM) (Source: Microsoft-Windows-SpoolerSpoolss) (User: NT AUTHORITY)
Description: 0x80072af9
 
Error: (11/10/2014 04:03:16 PM) (Source: Microsoft-Windows-SpoolerSpoolss) (User: NT AUTHORITY)
Description: 0x80072af9
 
Error: (11/10/2014 04:01:39 PM) (Source: Microsoft-Windows-SpoolerSpoolss) (User: NT AUTHORITY)
Description: 0x80072af9
 
Error: (11/10/2014 04:01:38 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (11/10/2014 04:55:10 PM) (Source: Microsoft-Windows-Bits-Client) (User: NT AUTHORITY)
Description: 2147952506
 
Error: (11/10/2014 04:06:17 PM) (Source: Service Control Manager) (User: )
Description: Print Spooler3
 
Error: (11/10/2014 04:04:01 PM) (Source: Service Control Manager) (User: )
Description: Windows Update%%2147952506
 
Error: (11/10/2014 04:03:17 PM) (Source: Service Control Manager) (User: )
Description: Print Spooler2600001Restart the service
 
Error: (11/10/2014 04:01:40 PM) (Source: Service Control Manager) (User: )
Description: Print Spooler1600001Restart the service
 
Error: (11/10/2014 04:01:39 PM) (Source: Service Control Manager) (User: )
Description: IPsec Policy Agent%%10106
 
Error: (11/10/2014 04:01:39 PM) (Source: Service Control Manager) (User: )
Description: Parallel port driver%%1058
 
 
Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2014-10-20 02:57:45.488
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:43.895
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:42.254
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:40.668
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22713_none_b39feb737f8937a0\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:37.018
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:35.368
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:33.850
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:32.274
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22636_none_b38d4a937f96be60\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:29.227
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22577_none_b36309477fb64a54\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2014-10-20 02:57:27.590
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6001.22577_none_b36309477fb64a54\tcpip.sys because the set of per-page image hashes could not be found on the system.
 
 
**** End of log ****
 
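The Winsock entries and Hosts content sections of the MiniToolBox log above are where this kind of post-adware connectivity failure shows itself: the Catalog9 protocol chain still points at MyOSProtect.dll, which no longer exists, which fits browsers failing while FSS reports the adapter leased and the LAN connected. As an added example (not code from the forum or from Farbar's tools), here is a Python triage that parses those two sections and flags the entries a responder would review; SAMPLE_LOG is constructed from the excerpts above with one extra hosts line added to exercise the hosts check.

```python
"""Triage of the MiniToolBox 'Hosts content' and 'Winsock entries' sections.
Added example, not code from the forum or Farbar's tools; SAMPLE_LOG is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Section banner such as "===== Hosts content: =====" (Winsock banner has no colon).
SECTION_RE = re.compile(r"^=+\s*(?P<name>[^=]+?):?\s*=+\s*$")
# "Catalog9 01 C:\Windows\system32\MyOSProtect.dll [File not found] ()"
WINSOCK_RE = re.compile(
    r"^(?P<catalog>Catalog[59])\s+(?P<idx>\d+)\s+(?P<path>.+?)\s+"
    r"\[(?P<note>[^\]]*)\]\s+\((?P<vendor>[^)]*)\)\s*$"
)
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}  # stock lines


@dataclass
class WinsockEntry:
    catalog: str  # Catalog5 = name-space providers, Catalog9 = protocol chain (LSPs)
    index: int
    path: str
    note: str     # file size in bytes, or "File not found"
    vendor: str   # publisher from version info, empty when unknown

    def reason(self) -> str | None:
        """Why a responder should look at this entry; None if it looks stock."""
        if self.note.strip().lower() == "file not found":
            # Typical leftover when an adware LSP DLL was deleted but the
            # catalog was not repaired: sockets through that chain fail.
            return "provider DLL missing"
        if self.vendor.strip().lower() != "microsoft corporation":
            return "third-party provider (verify it is expected)"
        return None


def split_sections(log_text: str) -> dict[str, str]:
    """Map each banner name to the text that follows it."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m["name"].strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {name: "\n".join(body) for name, body in sections.items()}


def parse_winsock_entries(section_text: str) -> list[WinsockEntry]:
    entries = []
    for line in section_text.splitlines():
        m = WINSOCK_RE.match(line.strip())
        if m:
            entries.append(WinsockEntry(m["catalog"], int(m["idx"]), m["path"],
                                        m["note"], m["vendor"]))
    return entries


def nondefault_hosts(section_text: str) -> list[tuple[str, str]]:
    """(address, name) pairs beyond the stock loopback lines; any hit deserves a look."""
    found = []
    for raw in section_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            address, *names = line.split()
            found += [(address, n) for n in names if (address, n) not in DEFAULT_HOSTS]
    return found


def triage(log_text: str) -> dict:
    sections = split_sections(log_text)
    entries = parse_winsock_entries(sections.get("Winsock entries", ""))
    return {
        "winsock_total": len(entries),
        "winsock_flagged": [(e.catalog, e.index, e.path, e.reason())
                            for e in entries if e.reason()],
        "hosts_nondefault": nondefault_hosts(sections.get("Hosts content", "")),
    }


# Constructed sample: cut-down log with Catalog9 lines from the post above plus
# one extra hosts line (not from the post) to exercise the hosts check.
SAMPLE_LOG = r"""========================= Hosts content: =================================
127.0.0.1       localhost
127.0.0.1       update.example-av.test   # constructed line
========================= Winsock entries =====================================
Catalog5 01 C:\Windows\system32\NLAapi.dll [48128] (Microsoft Corporation)
Catalog5 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\MyOSProtect.dll [File not found] ()
Catalog9 02 C:\Windows\system32\MyOSProtect.dll [File not found] ()
Catalog9 05 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\MyOSProtect.dll [File not found] ()
Catalog9 17 C:\Windows\system32\mswsock.dll [223232] (Microsoft Corporation)
========================= Event log errors: ===============================
"""
```

Call triage() on a full MiniToolBox Result.txt; a non-empty winsock_flagged list is the cue to reset the catalog (netsh winsock reset) and, if that fails with access denied, to check permissions on the WinSock2 registry keys before anything else.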

 



#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,630 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:54 PM

Posted 10 November 2014 - 09:36 PM

Thank you,

Please do this.

===================================================

Manually Importing an Attached Registry Key (.reg) File

-------------------
  • Download and save it to your desktop
  • Right click on the file and select Merge
  • Once you receive confirmation the information was successfully merged reboot your computer
  • Reboot your computer
===================================================

Complete Internet Repair

--------------------
  • Please download comintrep.zip and save it to your desktop
  • Double click the icon and select Run
  • Click Extract
  • Double click the Complete Internet Repair folder on your desktop
  • Double click the CIntRep.exe icon
  • Place a checkmark next to the following entries:

Reset Internet Protocol (TCP/IP)
Repair Winsock (Reset Catalog)
Renew Internet Connections
Flush DNS Resolver Cache

  • Click Go!
  • Ignore any error messages for now
  • Click OK to reboot your computer
  • Check your internet access
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Was the registry merge successful?
  • Complete Internet repair log
  • Do you have internet?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#10 dkweller

dkweller
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:12:54 PM

Posted 11 November 2014 - 12:41 AM

No internet.  When attempting to merge legacy_bits, got error message, "cannot import...: Error accessing the registry"

Below is the ComInt log.

 

 
 
                                            ./
                                          (o o)
--------------------------------------oOOo-(_)-oOOo--------------------------------------
[10/11/2014 21:32:26] Resetting all TCP/IP Interfaces, Please wait.....
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:27] TCP/IP interfaces reset successful.
[10/11/2014 21:32:27] TCP/IP v6 interfaces reset successful.
[10/11/2014 21:32:27] You may need to restart your computer for the settings to take effect.
[10/11/2014 21:32:27] Finished resetting the Internet Protocol (TCP/IP).
 
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:27] Attempting to reset Winsock catalog, Please wait.....
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:28] Could not reset the Winsock Catalog.
[10/11/2014 21:32:28] Finished repairing Winsock
 
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:28] Releasing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:28] Successfully released TCP/IP connections.
 
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:28] Renewing TCP/IP connections, Please wait.....
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:31] Successfully renewed TCP/IP adapters.
 
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:31] Configuring the Windows Event Log Service, Please wait.....
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:32] Windows Event Log Service Configured.
[10/11/2014 21:32:32] Starting the Windows Event Log Service.....
[10/11/2014 21:32:33] Windows Event Log Service Started Successfully.
 
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:33] Flushing DNS Resolver Cache, Please wait.....
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:33] Successfully flushed DNS Resolver Cache.
[10/11/2014 21:32:33] Refreshing all DHCP leases and re-registering DNS names, Please wait.....
[10/11/2014 21:32:36] Registration of the DNS resource records has been initiated.
[10/11/2014 21:32:36] Note: Any errors will be reported in the 'Event Viewer' in about 15 minutes.
[10/11/2014 21:32:36] Note: Click on 'File' and then 'Event Viewer...' to open the Event Viewer.
 
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:36] You will need to reboot your computer before the settings will take effect.
-----------------------------------------------------------------------------------------
[10/11/2014 21:32:42] Your computer is restarting now.....
 
-----------------------------------------------------------------------------------------
 


#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 36,630 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:01:54 PM

Posted 11 November 2014 - 02:15 PM

Thank you for the information. We are hitting some roadblocks.

Please do this.

===================================================

Farbar's MiniRegTool

--------------------
  • Please download MiniRegTool.zip (for 32 bit systems) or MiniRegTool64.zip (for 64 bit systems) and save it to your desktop
  • Unzip the folder and double click the icon
  • When you run the tool this is what you will see

[image: MiniReg.gif]

  • Copy and paste the following into the white box:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS

  • Check the Unlock Keys radio button.
  • Press the Go button and post the result.
===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:filefind
winsock.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • MiniRegTool report
  • SystemLook report

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 dkweller

  • Topic Starter
  • Members
  • 19 posts

Posted 11 November 2014 - 02:34 PM

MiniReg Tool result: "Unlock operation completed". I didn't see any other log generated, just that message.

 

SystemLook 30.07.11 by jpshortstuff
Log created at 11:28 on 11/11/2014 by Katherine Weller
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "winsock.dll"
C:\Windows\System32\WINSOCK.DLL --a---- 2864 bytes [07:10 02/11/2006] [07:10 02/11/2006] 68485C5EF0E2EFCEBF21BBB1042B823B
C:\Windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6001.18000_none_fe0d791a728dd79c\WINSOCK.DLL --a---- 2864 bytes [07:10 02/11/2006] [07:10 02/11/2006] 68485C5EF0E2EFCEBF21BBB1042B823B
C:\Windows\winsxs\x86_microsoft-windows-ntvdm-system32_31bf3856ad364e35_6.0.6002.18005_none_fff8f2266fafa2e8\WINSOCK.DLL --a---- 2864 bytes [07:10 02/11/2006] [07:10 02/11/2006] 68485C5EF0E2EFCEBF21BBB1042B823B
 
-= EOF =-

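The SystemLook run above found three copies of winsock.dll (the live System32 file and two WinSxS versions) with the same size and MD5. The following is an added example, written for this page and not code from the thread or from SystemLook's author, that performs the same comparison in PowerShell and generalizes it to any file in the component store: it hashes the System32 copy and every WinSxS copy and warns when the live file matches none of the staged versions. It assumes PowerShell 4.0 or later (for Get-FileHash) in an elevated session; the -FileName and -SystemRoot defaults are illustrative.

```powershell
# Added example (editor's, not from the thread or from SystemLook): compare the live
# System32 copy of a system file against every copy staged in the WinSxS component
# store and flag a hash mismatch. Assumes PowerShell 4.0+ (Get-FileHash), run elevated.
# $FileName and $SystemRoot are illustrative defaults; e.g. pass -FileName ws2_32.dll.
param(
    [string]$FileName   = 'winsock.dll',
    [string]$SystemRoot = $env:SystemRoot
)

function Get-ComponentCopies {
    param([string]$Name, [string]$Root)
    # The System32 copy first, then each copy under winsxs\<component>\
    $paths  = @(Join-Path $Root "System32\$Name")
    $paths += @(Get-ChildItem -LiteralPath (Join-Path $Root 'winsxs') -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName)
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p
        [pscustomobject]@{
            Path     = $p
            Size     = $item.Length
            Modified = $item.LastWriteTimeUtc
            MD5      = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash     # same column SystemLook prints
            SHA256   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        }
    }
}

$copies = @(Get-ComponentCopies -Name $FileName -Root $SystemRoot)
if ($copies.Count -eq 0) { Write-Warning "No copies of $FileName under $SystemRoot"; return }
$copies | Format-Table Path, Size, Modified, MD5 -AutoSize

$live   = @($copies | Where-Object { $_.Path -like '*\System32\*' })
$staged = @($copies | Where-Object { $_.Path -like '*\winsxs\*' })
if ($live.Count -eq 0)   { Write-Warning "No System32 copy of $FileName"; return }
if ($staged.Count -eq 0) { Write-Warning "No component-store copy of $FileName to compare against"; return }

# Servicing installs the live file by projecting one staged version, so System32 should
# equal at least one WinSxS copy. A live file that matches none of them was modified
# outside of servicing and deserves a closer look.
$matching = @($staged | Where-Object { $_.SHA256 -eq $live[0].SHA256 })
if ($matching.Count -eq 0) {
    Write-Warning "System32\$FileName matches none of the $($staged.Count) component-store copies; inspect it"
} else {
    Write-Output "System32\$FileName matches $($matching.Count) of $($staged.Count) component-store copies"
}
```

In the log above all three copies share one hash, which is consistent with an unmodified file. Two caveats a practitioner would add: winsock.dll in System32 is the 16-bit NTVDM compatibility stub (the WinSxS component names read ntvdm-system32), while the 32-bit socket stack is ws2_32.dll and the providers and LSPs layered into it are listed by `netsh winsock show catalog`, which is where a broken or hijacked Winsock chain usually shows up; and a hash match across copies proves consistency with the local store, not authenticity, so an Authenticode or known-good comparison is still needed if tampering is suspected.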

#13 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,630 posts
  • Gender:Male
  • Location:California

Posted 11 November 2014 - 02:49 PM

Thank you,

Please try the registry import steps in Post #9 again and see if we get different results.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#14 dkweller

  • Topic Starter
  • Members
  • 19 posts

Posted 11 November 2014 - 03:00 PM

I still get the same message when I try to merge: "Cannot import....: Error accessing the registry"



#15 Oh My!

    Adware and Spyware and Malware.....

  • Malware Response Instructor
  • 36,630 posts
  • Gender:Male
  • Location:California

Posted 11 November 2014 - 03:25 PM

OK, this please.

===================================================

Stopping a Service

--------------------
  • Go to Start and type cmd.exe in the Search box.
  • Right-click on cmd.exe and select Run As Administrator
  • Type the following then press Enter

sc stop bits

  • If you are notified the service was successfully stopped attempt the registry key import again.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Any success?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."



