rpcss.dll not signed black screen with cursor


This topic is locked
43 replies to this topic

#1 cle2jel


Posted 01 November 2014 - 09:51 AM

Had a virus. AVG could not remove. rpcss.dll was infected. I replaced it according to a fix I found online and it ended up in the black screen with a cursor. I switched the files back and the virus was still there. Using information that I found on BleepingComputer I tried a few fixes. After running Farbar, a fix, and then RogueKiller in safe mode, I am back to the black screen with cursor and can't get back to Windows.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 26-10-2014
Ran by SYSTEM on MININT-TT31N5B on 01-11-2014 10:41:23
Running from C:\Users\John\Desktop\FIX
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ISW] => C:\Program Files\CheckPoint\ZAForceField\ForceField.exe [1125504 2011-11-03] (Check Point Software Technologies)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-16] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ZoneAlarm] => C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe [73360 2011-11-09] (Check Point Software Technologies LTD)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3649040 2014-10-16] (AVG Technologies CZ, s.r.o.)
HKU\John\...\Run: [UIOptional] => C:\Windows\system32\rundll32.exe "C:\Users\John\AppData\Local\UIOptional\UIOptional.dll",DllRegisterServer <===== ATTENTION
HKU\John\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6501656 2014-10-23] (Piriform Ltd)
HKU\John\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe [851632 2014-08-02] (Adobe Systems Incorporated)
HKU\John\...\Policies\Explorer: [HideSCAHealth] 1

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [457200 2009-06-02] ()
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3487248 2014-10-16] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [298080 2014-10-16] (AVG Technologies CZ, s.r.o.)
S2 BOT4Service; C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe [39408 2010-09-13] ()
S2 IswSvc; C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe [827520 2011-11-03] (Check Point Software Technologies)
S3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [58944 2010-11-29] (NOS Microsystems Ltd.)
S3 RoxMediaDB13; C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [1099248 2010-07-16] (Sonic Solutions)
S2 vsmon; C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [2420616 2011-11-09] (Check Point Software Technologies LTD)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [262424 2014-10-07] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-18] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-10-10] (AVG Technologies CZ, s.r.o.)
S3 epmntdrv; C:\Windows\system32\epmntdrv.sys [16776 2011-07-29] ()
S3 epmntdrv; C:\Windows\SysWOW64\epmntdrv.sys [14216 2011-07-29] ()
S3 EuGdiDrv; C:\Windows\system32\EuGdiDrv.sys [9096 2011-07-29] ()
S3 EuGdiDrv; C:\Windows\SysWOW64\EuGdiDrv.sys [8456 2011-07-29] ()
S2 ISWKL; C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [33672 2011-11-03] (Check Point Software Technologies)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-10-26] (Malwarebytes Corporation)
S3 prwntdrv; C:\Windows\system32\prwntdrv.sys [16776 2010-08-25] ()
S3 prwntdrv; C:\Windows\SysWOW64\prwntdrv.sys [13704 2010-08-25] ()
S3 pwdrvio; C:\Windows\system32\pwdrvio.sys [17136 2011-09-05] ()
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
S3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [34808 2014-10-26] ()
S1 Vsdatant; C:\Windows\System32\DRIVERS\vsdatant.sys [454232 2011-05-07] (Check Point Software Technologies LTD)
S3 pwdspio; \??\C:\Windows\system32\pwdspio.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-26 15:52 - 2014-10-26 15:59 - 00034808 _____ () C:\Windows\System32\Drivers\TrueSight.sys
2014-10-26 15:52 - 2014-10-26 15:52 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-26 15:45 - 2014-10-26 15:45 - 00000574 _____ () C:\Users\John\Documents\cc_20141026_194513.reg
2014-10-26 05:16 - 2014-10-26 05:16 - 00000000 _____ () C:\prefs.js
2014-10-25 13:49 - 2014-11-01 10:41 - 00000000 ____D () C:\FRST
2014-10-25 13:48 - 2014-11-01 10:41 - 00000000 ____D () C:\Users\John\Desktop\FIX
2014-10-24 17:03 - 2014-10-24 17:03 - 00198798 _____ () C:\Users\John\Desktop\rpcss.zip
2014-10-24 07:24 - 2014-10-25 13:45 - 00009876 _____ () C:\Windows\setupact.log
2014-10-24 07:24 - 2014-10-24 07:24 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-24 07:23 - 2014-10-24 07:24 - 00030720 _____ () C:\Windows\PFRO.log
2014-10-24 07:21 - 2014-10-24 07:21 - 00008902 _____ () C:\Users\John\Documents\cc_20141024_112147.reg
2014-10-24 07:15 - 2014-10-24 07:15 - 00000000 ____D () C:\Users\John\AppData\Roaming\AVG2015
2014-10-24 07:12 - 2014-10-24 07:12 - 00000965 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2014-10-24 07:11 - 2014-10-24 07:14 - 00000000 ____D () C:\ProgramData\AVG2015
2014-10-24 07:09 - 2014-10-26 04:58 - 00000000 ____D () C:\Users\John\AppData\Local\Avg2015
2014-10-22 14:00 - 2014-10-22 14:00 - 00000000 __SHD () C:\found.003
2014-10-19 08:50 - 2014-10-19 10:42 - 00000000 ____D () C:\Users\John\Downloads\r2d2
2014-10-19 08:40 - 2014-10-19 08:45 - 00000000 ____D () C:\Users\John\Downloads\New folder
2014-10-19 08:36 - 2014-10-19 08:39 - 00000000 ____D () C:\Users\John\Downloads\NES Super Mario Sounds
2014-10-18 11:45 - 2014-10-18 11:45 - 00001494 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-10-18 11:44 - 2014-10-18 11:45 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2014-10-18 11:44 - 2014-10-18 11:45 - 00000000 ____D () C:\Program Files\iTunes
2014-10-18 11:44 - 2014-10-18 11:44 - 00000000 ____D () C:\Program Files\iPod
2014-10-18 11:30 - 2014-10-18 11:30 - 00002652 _____ () C:\Users\John\Documents\cc_20141018_153005.reg
2014-10-10 11:14 - 2014-10-10 11:14 - 00274200 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
2014-10-07 17:43 - 2014-10-07 17:43 - 00262424 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgidsdrivera.sys
2014-10-05 17:41 - 2014-10-05 17:41 - 00124184 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgmfx64.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-26 17:38 - 2013-06-24 03:13 - 00001638 _____ () C:\Users\John\Desktop\avgrep.txt
2014-10-26 17:06 - 2014-08-02 12:41 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2014-10-26 16:10 - 2014-08-02 12:41 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-26 16:10 - 2011-10-13 17:40 - 00000000 ____D () C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
2014-10-26 15:50 - 2011-11-26 19:03 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-26 15:50 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-26 15:49 - 2014-08-02 07:58 - 01220935 _____ () C:\Windows\WindowsUpdate.log
2014-10-26 15:49 - 2009-07-13 21:08 - 00032568 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-26 14:48 - 2011-11-26 19:03 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-26 08:28 - 2011-03-26 15:48 - 00000000 ____D () C:\ProgramData\iRinger
2014-10-26 06:43 - 2010-12-19 17:55 - 00000000 ____D () C:\Users\John\AppData\Local\VirtualStore
2014-10-26 05:38 - 2010-12-19 18:08 - 00000000 ____D () C:\ProgramData\MFAData
2014-10-25 23:00 - 2011-02-18 14:45 - 00000000 ____D () C:\ProgramData\TEMP
2014-10-25 13:54 - 2009-07-13 20:45 - 00021520 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-25 13:54 - 2009-07-13 20:45 - 00021520 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-25 13:50 - 2009-07-13 21:13 - 00782510 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-10-24 17:06 - 2010-12-22 17:22 - 00000000 ____D () C:\Windows\pss
2014-10-24 16:43 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\NDF
2014-10-24 07:23 - 2014-08-02 06:00 - 00000000 ____D () C:\ProgramData\AVG2014
2014-10-24 07:19 - 2010-12-28 19:04 - 00000000 ____D () C:\Users\John\AppData\Roaming\uTorrent
2014-10-24 07:18 - 2010-12-19 18:36 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-10-24 07:18 - 2010-12-19 18:36 - 00000000 ____D () C:\Program Files\CCleaner
2014-10-24 07:15 - 2010-12-19 18:24 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-10-24 07:14 - 2013-01-17 06:47 - 00000000 ___HD () C:\$AVG
2014-10-19 02:43 - 2011-11-26 19:03 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-19 02:43 - 2011-11-26 19:03 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-18 11:45 - 2010-12-21 14:34 - 00000000 ____D () C:\Itunes
2014-10-18 11:44 - 2014-09-20 04:13 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-10-18 11:44 - 2010-12-20 16:03 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-10-18 11:27 - 2013-01-12 07:05 - 00000000 ____D () C:\Users\John\AppData\Roaming\TeamViewer
2014-10-18 11:26 - 2014-06-15 17:16 - 00000000 ____D () C:\Windows\Minidump

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-2818826639-2832681556-2377604591-1001\$68ed5391a7ad2b063a4e17b007e9c7a3

ZeroAccess:
C:\Users\John\AppData\Local\{68ed5391-a7ad-2b06-3a4e-17b007e9c7a3}
C:\Users\John\AppData\Local\{68ed5391-a7ad-2b06-3a4e-17b007e9c7a3}\@

Files to move or delete:
====================
C:\ProgramData\eh7ir.bat
C:\ProgramData\eh7ir.reg
C:\Users\John\mbam-setup-1.50.1.1100.exe

Some content of TEMP:
====================
C:\Users\John\AppData\Local\Temp\dllnt_dump.dll

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 19:24] - [2014-05-19 04:50] - 0376832 ____A (Microsoft Corporation) 7660F01D3B38ACA1747E397D21D790AF

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 8189.55 MB
Available physical RAM: 7322.83 MB
Total Pagefile: 8187.75 MB
Available Pagefile: 7325.66 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.41 GB) (Free:97.88 GB) NTFS
Drive d: (New Volume) (Fixed) (Total:1863.01 GB) (Free:363.27 GB) NTFS
Drive f: (UDF Volume) (CDROM) (Total:3.12 GB) (Free:0 GB) UDF
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 1463074E)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 6A46794D)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 14.8 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

LastRegBack: 2014-10-25 20:44

==================== End Of Log ============================


Edited by hamluis, 01 November 2014 - 10:09 AM.
Moved from Win 7 to Malware Removal Logs - Hamluis.



 


#2 xXToffeeXx


    Bleepin' Polar Bear


  • Malware Response Instructor

Posted 01 November 2014 - 10:29 AM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold, make sure to take note of these.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now!

==========================
 
Hi cle2jel,

I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, steal critical system information, and download and execute files.
 
I highly suggest you disconnect this PC from the Internet immediately, and if possible use a clean computer and a flash drive to transfer the programs I request you to run. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. It would be wise to contact those same financial institutions to notify them of your situation.
 
Due to the nature of this trojan, your computer is very likely to be compromised. There is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
 
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 
We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. If you decide to continue cleaning this machine, follow on with the rest of the steps posted below. If you do not want to clean this machine, please let me know.
 
--------------

On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive (if you already have FRST.exe saved on the USB then skip this step).
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html



To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========


Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • In the search box, type svchost.exe;rpcss.dll
  • Press Search File(s) button.
  • It will make a log (Search.txt) on the flash drive. Please copy and paste it to your reply.

--------------

To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • Search.txt log

xXToffeeXx~


Edited by xXToffeeXx, 01 November 2014 - 10:29 AM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 cle2jel

  • Topic Starter

Posted 01 November 2014 - 12:15 PM

Thank you for the quick response Toffee.

The PC that is infected is no longer connected to the internet, and is not used for any banking. It is mainly used for iTunes and some video and picture editing/storage. Here is the log you requested.



#4 cle2jel

  • Topic Starter

Posted 01 November 2014 - 12:23 PM

My 1 year old was playing with the keyboard and sent that last message before I had the log. The scan is still going; will post ASAP.



#5 cle2jel

  • Topic Starter

Posted 01 November 2014 - 01:52 PM

Farbar Recovery Scan Tool (x64) Version: 26-10-2014
Ran by SYSTEM at 2014-11-01 11:35:25
Running from C:\Users\John\Desktop\FIX
Boot Mode: Recovery

================== Search Files: "svchost.exe;rpcss.dll" =============

C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
[2009-07-13 15:19][2009-07-13 17:14] 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866

C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
[2009-07-13 15:31][2009-07-13 17:39] 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2010-11-20 19:24][2010-11-20 19:24] 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\SysWOW64\svchost.exe
[2009-07-13 15:19][2009-07-13 17:14] 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866

C:\Windows\System32\rpcss.dll
[2010-11-20 19:24][2014-05-19 04:50] 0376832 ____A (Microsoft Corporation) 7660F01D3B38ACA1747E397D21D790AF

C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE\Chameleon\Windows\svchost.exe
[2014-08-02 12:41][2014-10-01 07:09] 0761656 ____A (MalwareBytes) C0AFB3C7E6C7CA3F6E42FF242BBBCB1F

X:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7601.17514_none_13e15f101bed4826\svchost.exe
[2010-11-20 01:37][2009-07-13 17:39] 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D

X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2010-11-20 02:36][2010-11-20 05:27] 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

X:\Windows\System32\rpcss.dll
[2010-11-20 02:36][2010-11-20 05:27] 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

X:\Windows\System32\svchost.exe
[2010-11-20 01:37][2009-07-13 17:39] 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D

====== End Of Search ======

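Both the Bamital check in the first FRST.txt ("Google the MD5, if the MD5 is unique the file is infected") and the Search.txt above rest on one idea: the live C:\Windows\System32 copy of a system binary should hash like its untouched siblings in the WinSxS component store and on the recovery drive (X:). The script below is an added example, not FRST's code and not from anyone in this thread; it parses a constructed cut of the search output above (paths, sizes and hashes as they appear on this page) and surfaces the two findings the fix acted on: rpcss.dll with a unique MD5 and a missing 64-bit svchost.exe.

```python
"""Triage an FRST "Search Files" result for a patched or missing system binary.

Added example for this thread; not part of FRST and not code from the thread's
participants. WinSxS and the recovery drive hold reference copies of the same
binary, so a live C:\\Windows\\System32 copy whose MD5 matches none of them
(or that is absent altogether) is the one to treat as patched or missing.
"""
import re

# Constructed sample: a cut-down copy of the Search.txt posted in the thread.
SAMPLE_SEARCH_LOG = r"""
C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe
[2009-07-13 15:31][2009-07-13 17:39] 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D

C:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll
[2010-11-20 19:24][2010-11-20 19:24] 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

C:\Windows\SysWOW64\svchost.exe
[2009-07-13 15:19][2009-07-13 17:14] 0020992 ____A (Microsoft Corporation) 54A47F6B5E09A77E61649109C6A08866

C:\Windows\System32\rpcss.dll
[2010-11-20 19:24][2014-05-19 04:50] 0376832 ____A (Microsoft Corporation) 7660F01D3B38ACA1747E397D21D790AF

C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE\Chameleon\Windows\svchost.exe
[2014-08-02 12:41][2014-10-01 07:09] 0761656 ____A (MalwareBytes) C0AFB3C7E6C7CA3F6E42FF242BBBCB1F

X:\Windows\System32\rpcss.dll
[2010-11-20 02:36][2010-11-20 05:27] 0512000 ____A (Microsoft Corporation) 5C627D1B1138676C0A7AB2C2C190D123

X:\Windows\System32\svchost.exe
[2010-11-20 01:37][2009-07-13 17:39] 0027136 ____A (Microsoft Corporation) C78655BC80301D76ED4FEF1C1EA40A7D
"""

# FRST prints one detail line under each path: [created][modified] size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]*)\]\[(?P<modified>[^\]]*)\]\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+"
    r"\((?P<company>[^)]*)\)\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_search_log(text):
    """Return a list of {path, size, company, md5} dicts from FRST search output."""
    entries, pending_path = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            entries.append({"path": pending_path, "size": int(m.group("size")),
                            "company": m.group("company"), "md5": m.group("md5").upper()})
            pending_path = None
        elif not m:
            pending_path = line  # a path line; its detail line follows
    return entries


def live_path(name):
    """The copy the running 64-bit system actually loads."""
    return r"C:\Windows\System32\{}".format(name)


def is_reference_copy(entry, name):
    """Reference copies are 64-bit Microsoft copies other than the live file.

    WinSxS components whose directory starts with x86_ and anything under
    SysWOW64 are 32-bit builds of the same binary, so they are skipped rather
    than reported as mismatches; third-party files that merely reuse the name
    (here Malwarebytes' Chameleon svchost.exe) are skipped by company.
    """
    p = entry["path"].lower()
    if p == live_path(name).lower():
        return False
    if "\\syswow64\\" in p or "\\winsxs\\x86_" in p:
        return False
    return entry["company"].lower().startswith("microsoft")


def triage(entries, name):
    """Classify the live copy of `name`: OK, OUTLIER (unique MD5) or MISSING."""
    name = name.lower()
    same = [e for e in entries if e["path"].lower().rsplit("\\", 1)[-1] == name]
    refs = [e for e in same if is_reference_copy(e, name)]
    live = [e for e in same if e["path"].lower() == live_path(name).lower()]
    report = {
        "reference_copies": len(refs),
        "reference_sizes": sorted({e["size"] for e in refs}),
        "reference_md5s": sorted({e["md5"] for e in refs}),
    }
    if not live:
        report["status"] = "MISSING"  # like the 'svchost.exe IS MISSING' line in FRST.txt
        return report
    cur = live[0]
    report.update(live_md5=cur["md5"], live_size=cur["size"])
    # FRST's own hint: a live MD5 that appears nowhere else marks a patched file.
    report["status"] = "OK" if cur["md5"] in report["reference_md5s"] else "OUTLIER"
    return report


if __name__ == "__main__":
    parsed = parse_search_log(SAMPLE_SEARCH_LOG)
    for target in ("svchost.exe", "rpcss.dll"):
        print(target, triage(parsed, target))
```

A mismatch against an older WinSxS copy is a lead, not proof, since a legitimately updated file also differs from stale store copies; confirm with the file's Authenticode signature (sigcheck, or Get-AuthenticodeSignature in PowerShell) or sfc /scannow before replacing anything.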


#6 xXToffeeXx

  • Malware Response Instructor

Posted 01 November 2014 - 03:42 PM

Hi cle2jel,
 
Running a fix using Farbar's Recovery Scan Tool in the Recovery Environment:

  • From your clean computer, press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flash drive as fixlist.txt
HKLM-x32\...\Run: [] => [X]
HKU\John\...\Run: [UIOptional] => C:\Windows\system32\rundll32.exe "C:\Users\John\AppData\Local\UIOptional\UIOptional.dll",DllRegisterServer <===== ATTENTION
C:\Users\John\AppData\Local\UIOptional
C:\$Recycle.Bin\S-1-5-21-2818826639-2832681556-2377604591-1001\$68ed5391a7ad2b063a4e17b007e9c7a3
C:\Users\John\AppData\Local\{68ed5391-a7ad-2b06-3a4e-17b007e9c7a3}
C:\Users\John\AppData\Local\{68ed5391-a7ad-2b06-3a4e-17b007e9c7a3}\@
Replace: C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe C:\Windows\System32\svchost.exe
Replace: X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
  • Insert the USB device into your infected computer
  • Follow the process below to enter the System Recovery Options using one of the three options listed, then run Farbar's Recovery Scan Tool.

On a clean machine, please download Farbar Recovery Scan Tool and save it to the USB (feel free to use the frst download from my last instructions, if you still have it on the USB).
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system, that will be the right version.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

==========

On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Select Command Prompt

==========

Once in the Command Prompt:

  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • It will make a log (Fixlog.txt) on the flash drive. Please copy and paste it to your reply.

Please try and boot into normal mode. Let me know if you are able to or not.
 
xXToffeeXx~




#7 cle2jel

  • Topic Starter

Posted 01 November 2014 - 07:51 PM

Fix applied and the reboot was a success!

Awaiting the next phase of instructions.



#8 cle2jel

  • Topic Starter

Posted 01 November 2014 - 07:55 PM

Moments later a display driver quit then recovered. Then the blue screen. Rebooted to safe mode for now. Seems stable.



#9 cle2jel

  • Topic Starter

Posted 01 November 2014 - 08:43 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 26-10-2014
Ran by SYSTEM at 2014-11-01 20:47:03 Run:2
Running from C:\Users\John\Desktop\FIX
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKLM-x32\...\Run: [] => [X]
HKU\John\...\Run: [UIOptional] => C:\Windows\system32\rundll32.exe "C:\Users\John\AppData\Local\UIOptional\UIOptional.dll",DllRegisterServer <===== ATTENTION
C:\Users\John\AppData\Local\UIOptional
C:\$Recycle.Bin\S-1-5-21-2818826639-2832681556-2377604591-1001\$68ed5391a7ad2b063a4e17b007e9c7a3
C:\Users\John\AppData\Local\{68ed5391-a7ad-2b06-3a4e-17b007e9c7a3}
C:\Users\John\AppData\Local\{68ed5391-a7ad-2b06-3a4e-17b007e9c7a3}\@
Replace: C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe C:\Windows\System32\svchost.exe
Replace: X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll C:\Windows\System32\rpcss.dll
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\John\Software\Microsoft\Windows\CurrentVersion\Run\\UIOptional => value deleted successfully.
C:\Users\John\AppData\Local\UIOptional => Moved successfully.
C:\$Recycle.Bin\S-1-5-21-2818826639-2832681556-2377604591-1001\$68ed5391a7ad2b063a4e17b007e9c7a3 => Moved successfully.
C:\Users\John\AppData\Local\{68ed5391-a7ad-2b06-3a4e-17b007e9c7a3} => Moved successfully.
"C:\Users\John\AppData\Local\{68ed5391-a7ad-2b06-3a4e-17b007e9c7a3}\@" => File/Directory not found.
Could not find C:\Windows\System32\svchost.exe.
C:\Windows\winsxs\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_11b04b481efec48c\svchost.exe copied successfully to C:\Windows\System32\svchost.exe
C:\Windows\System32\rpcss.dll => Moved successfully.
X:\Windows\winsxs\amd64_microsoft-windows-com-base-qfe-rpcss_31bf3856ad364e35_6.1.7601.17514_none_c7f0e16b547f887d\rpcss.dll copied successfully to C:\Windows\System32\rpcss.dll

==== End of Fixlog ====
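The Fixlog above shows FRST restoring svchost.exe and rpcss.dll from their WinSxS component-store copies. The same idea makes a quick standalone check for the files that the thread is about: confirm the Authenticode status of the core System32 binaries and see whether each one is byte-identical to a copy in the component store. The script below is an added example written for this thread; it is not code from the thread, from Farbar, or from FRST. It assumes 64-bit Windows, an elevated PowerShell 4.0 or later session (Get-FileHash and the -Directory switch), and that the WinSxS store is intact.

```powershell
# Added example, not from the thread or from FRST. Checks the Authenticode status
# of the core System32 files and compares each one's SHA256 with the copies kept
# in the WinSxS component store (the source FRST used in its "Replace:" lines).
# Assumes 64-bit Windows and PowerShell 4.0+ run from an elevated prompt.

$CoreFiles = @(
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\explorer.exe"
)

function Find-WinSxSMatch {
    # Returns the path of the first 64-bit WinSxS copy of $Name whose SHA256
    # equals $Hash, or $null when no component-store copy matches.
    param([string]$Name, [string]$Hash)
    $sxsRoot = Join-Path $env:SystemRoot 'winsxs'
    foreach ($dir in Get-ChildItem -Path $sxsRoot -Directory -Filter 'amd64_*' -ErrorAction SilentlyContinue) {
        $candidate = Join-Path $dir.FullName $Name
        if (Test-Path -LiteralPath $candidate) {
            $h = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            if ($h -eq $Hash) { return $candidate }
        }
    }
    return $null
}

function Test-CoreFile {
    # Builds one result row: signature status, signer subject, and matching WinSxS copy.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Signature = 'MISSING'; Signer = $null; WinSxSMatch = $null }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $name   = Split-Path -Path $Path -Leaf
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path        = $Path
        Signature   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer      = $signer
        WinSxSMatch = Find-WinSxSMatch -Name $name -Hash $hash
    }
}

$results = $CoreFiles | ForEach-Object { Test-CoreFile -Path $_ }
$results | Format-Table -AutoSize Path, Signature, WinSxSMatch

# Files that are neither validly signed nor identical to a component-store copy
# are the ones worth a closer look (or a restore from WinSxS, as FRST did above).
$results | Where-Object { $_.Signature -ne 'Valid' -and -not $_.WinSxSMatch }
```

Two caveats when reading the output. On a healthy Windows 7 system the System32 files are hard links to their WinSxS copies, so a match is the normal state and a file with no matching copy is the anomaly, which is exactly the situation a replaced rpcss.dll produces. Second, Windows PowerShell on Windows 7 does not evaluate catalog signatures, and most OS binaries are catalog-signed rather than embedded-signed, so a status of NotSigned alone is not proof of tampering there; treat the WinSxS hash match as the primary signal on that platform, and use a catalog-aware tool such as Sysinternals sigcheck when you need a definitive signature verdict.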



#10 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,087 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:10:14 AM

Posted 02 November 2014 - 07:51 AM

Hi cle2jel,

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click Run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt, into your next reply.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#11 cle2jel

cle2jel
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:my house
  • Local time:05:14 AM

Posted 02 November 2014 - 12:15 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-11-2014
Ran by John (administrator) on CHUCKNORRIS on 02-11-2014 12:06:09
Running from C:\Users\John\Desktop\FIX\New folder
Loaded Profile: John (Available profiles: John)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgscana.exe
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner64.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [ISW] => C:\Program Files\CheckPoint\ZAForceField\ForceField.exe [1125504 2011-11-03] (Check Point Software Technologies)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-16] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [ZoneAlarm] => C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe [73360 2011-11-09] (Check Point Software Technologies LTD)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3649040 2014-10-16] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [54072 2014-10-01] (Malwarebytes Corporation)
HKU\S-1-5-21-2818826639-2832681556-2377604591-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [6501656 2014-10-23] (Piriform Ltd)
HKU\S-1-5-21-2818826639-2832681556-2377604591-1001\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-2818826639-2832681556-2377604591-1001\...\MountPoints2: F - F:\AUTORUN.EXE
HKU\S-1-5-21-2818826639-2832681556-2377604591-1001\...\MountPoints2: {d3d47295-a6ac-11e0-82f4-1c6f6540c110} - H:\LaunchU3.exe -a
HKU\S-1-5-21-2818826639-2832681556-2377604591-1001\...409d6c4515e9\InprocServer32: [Default-shell32]  <==== ATTENTION!
HKU\S-1-5-21-2818826639-2832681556-2377604591-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_14_0_0_145_ActiveX.exe [851632 2014-08-02] (Adobe Systems Incorporated)
HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xCD677B75E99FCB01
URLSearchHook: HKLM-x32 - ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files (x86)\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
URLSearchHook: HKCU - ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files (x86)\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
SearchScopes: HKLM - DefaultScope {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} URL =
SearchScopes: HKLM-x32 - DefaultScope {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} URL =
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: ZoneAlarm Security Engine Registrar -> {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} -> C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: ContributeBHO Class -> {074C1DC5-9320-4A9A-947D-C042949C6216} -> C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
BHO-x32: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: ZoneAlarm Security Engine Registrar -> {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} -> C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
BHO-x32: ZoneAlarm Security Toolbar -> {91da5e8a-3318-4f8c-b67e-5964de3ab546} -> C:\Program Files (x86)\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
Toolbar: HKLM - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
Toolbar: HKLM-x32 - ZoneAlarm Security Toolbar - {91da5e8a-3318-4f8c-b67e-5964de3ab546} - C:\Program Files (x86)\ZoneAlarm_Security\prxtbZone.dll (Conduit Ltd.)
Toolbar: HKLM-x32 - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
Toolbar: HKLM-x32 - Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\IEPlugin\contributeieplugin.dll (Adobe Systems, Inc.)
Toolbar: HKCU - ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
Toolbar: HKCU - No Name - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} -  No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -  No File
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_3_300_271.dll ()
FF Plugin: @java.com/DTPlugin,version=10.9.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.9.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_271.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Itunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @checkpoint.com/FFApi -> C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker\bin\npFFApi.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\4.0.51204.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nosltd.com/getPlus+®,version=1.6.2.97 -> C:\Program Files (x86)\NOS\bin\np_gp.dll (NOS Microsystems Ltd.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 -> C:\Users\John\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 -> C:\Users\John\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\John\AppData\Roaming\CATALI~2\NPBCSK~1.DLL (Catalina Marketing Corporation)
FF HKLM\...\Firefox\Extensions: [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}] - C:\Program Files\CheckPoint\ZAForceField\TrustChecker
FF Extension: No Name - C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2011-11-13]
FF HKLM-x32\...\Firefox\Extensions: [{FFB96CC1-7EB3-449D-B827-DB661701C6BB}] - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker
FF Extension: ZoneAlarm Security Engine - C:\Program Files\CheckPoint\ZAForceField\WOW64\TrustChecker [2011-11-13]
FF HKLM-x32\...\Firefox\Extensions: [{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}] - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9}
FF Extension: Adobe Contribute Toolbar - C:\Program Files (x86)\Adobe\Adobe Contribute CS5\Plugins\FirefoxPlugin\{01A8CA0A-4C96-465b-A49B-65C46FAD54F9} [2011-11-15]

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269; C:\Program Files (x86)\Roxio\BackOnTrack\App\SaibSVC.exe [457200 2009-06-02] ()
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3487248 2014-10-16] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [298080 2014-10-16] (AVG Technologies CZ, s.r.o.)
S2 BOT4Service; C:\Program Files (x86)\Roxio\BackOnTrack\App\BService.exe [39408 2010-09-13] ()
S2 IswSvc; C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe [827520 2011-11-03] (Check Point Software Technologies)
S3 nosGetPlusHelper; C:\Program Files (x86)\NOS\bin\getPlus_Helper_3004.dll [58944 2010-11-29] (NOS Microsystems Ltd.)
S3 RoxMediaDB13; C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxMediaDB13.exe [1099248 2010-07-16] (Sonic Solutions)
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S2 vsmon; C:\Program Files (x86)\CheckPoint\ZoneAlarm\vsmon.exe [2420616 2011-11-09] (Check Point Software Technologies LTD)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [262424 2014-10-07] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-18] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-10-10] (AVG Technologies CZ, s.r.o.)
S3 epmntdrv; C:\Windows\system32\epmntdrv.sys [16776 2011-07-29] () [File not signed]
S3 epmntdrv; C:\Windows\SysWOW64\epmntdrv.sys [14216 2011-07-29] () [File not signed]
S3 EuGdiDrv; C:\Windows\system32\EuGdiDrv.sys [9096 2011-07-29] () [File not signed]
S3 EuGdiDrv; C:\Windows\SysWOW64\EuGdiDrv.sys [8456 2011-07-29] () [File not signed]
U0 fqoandkp; C:\Windows\System32\drivers\mxsv.sys [79064 2014-11-01] (Malwarebytes Corporation)
S2 ISWKL; C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys [33672 2011-11-03] (Check Point Software Technologies)
S3 Netaapl; C:\Windows\System32\DRIVERS\netaapl64.sys [22528 2011-05-10] (Apple Inc.) [File not signed]
S3 prwntdrv; C:\Windows\system32\prwntdrv.sys [16776 2010-08-25] () [File not signed]
S3 prwntdrv; C:\Windows\SysWOW64\prwntdrv.sys [13704 2010-08-25] () [File not signed]
S3 pwdrvio; C:\Windows\system32\pwdrvio.sys [17136 2011-09-05] () [File not signed]
S3 RimUsb; C:\Windows\System32\Drivers\RimUsb_AMD64.sys [27520 2007-05-14] (Research In Motion Limited)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [34808 2014-10-26] ()
S1 Vsdatant; C:\Windows\System32\DRIVERS\vsdatant.sys [454232 2011-05-07] (Check Point Software Technologies LTD)
S3 pwdspio; \??\C:\Windows\system32\pwdspio.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-01 23:47 - 2009-07-13 20:39 - 00027136 _____ (Microsoft Corporation) C:\Windows\system32\svchost.exe
2014-11-01 20:45 - 2014-11-01 20:45 - 00079064 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mxsv.sys
2014-10-26 18:52 - 2014-10-26 18:59 - 00034808 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-10-26 18:52 - 2014-10-26 18:52 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-26 18:45 - 2014-10-26 18:45 - 00000574 _____ () C:\Users\John\Documents\cc_20141026_194513.reg
2014-10-26 08:16 - 2014-10-26 08:16 - 00000000 _____ () C:\prefs.js
2014-10-25 16:49 - 2014-11-02 12:06 - 00000000 ____D () C:\FRST
2014-10-25 16:48 - 2014-11-02 12:05 - 00000000 ____D () C:\Users\John\Desktop\FIX
2014-10-24 20:03 - 2014-10-24 20:03 - 00198798 _____ () C:\Users\John\Desktop\rpcss.zip
2014-10-24 10:21 - 2014-10-24 10:21 - 00008902 _____ () C:\Users\John\Documents\cc_20141024_112147.reg
2014-10-24 10:15 - 2014-10-24 10:15 - 00000000 ____D () C:\Users\John\AppData\Roaming\AVG2015
2014-10-24 10:12 - 2014-10-24 10:12 - 00000965 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2014-10-24 10:11 - 2014-10-24 10:14 - 00000000 ____D () C:\ProgramData\AVG2015
2014-10-24 10:09 - 2014-10-26 07:58 - 00000000 ____D () C:\Users\John\AppData\Local\Avg2015
2014-10-22 17:00 - 2014-10-22 17:00 - 00000000 __SHD () C:\found.003
2014-10-19 11:50 - 2014-10-19 13:42 - 00000000 ____D () C:\Users\John\Downloads\r2d2
2014-10-19 11:40 - 2014-10-19 11:45 - 00000000 ____D () C:\Users\John\Downloads\New folder
2014-10-19 11:36 - 2014-10-19 11:39 - 00000000 ____D () C:\Users\John\Downloads\NES Super Mario Sounds
2014-10-18 14:45 - 2014-10-18 14:45 - 00001494 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-10-18 14:45 - 2014-10-18 14:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-10-18 14:44 - 2014-10-18 14:45 - 00000000 ____D () C:\ProgramData\E1864A66-75E3-486a-BD95-D1B7D99A84A7
2014-10-18 14:44 - 2014-10-18 14:45 - 00000000 ____D () C:\Program Files\iTunes
2014-10-18 14:44 - 2014-10-18 14:44 - 00000000 ____D () C:\Program Files\iPod
2014-10-18 14:30 - 2014-10-18 14:30 - 00002652 _____ () C:\Users\John\Documents\cc_20141018_153005.reg
2014-10-10 14:14 - 2014-10-10 14:14 - 00274200 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgtdia.sys
2014-10-07 20:43 - 2014-10-07 20:43 - 00262424 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgidsdrivera.sys
2014-10-05 20:41 - 2014-10-05 20:41 - 00124184 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgmfx64.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-02 12:09 - 2009-07-14 00:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-01 20:46 - 2013-06-24 06:13 - 00136964 _____ () C:\Users\John\Desktop\avgrep.txt
2014-11-01 20:45 - 2009-07-14 00:32 - 00000000 ____D () C:\Windows\Performance
2014-11-01 20:34 - 2014-08-02 15:41 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-01 20:32 - 2014-06-15 20:16 - 00000000 ____D () C:\Windows\Minidump
2014-11-01 19:51 - 2011-11-26 22:03 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-01 19:50 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-26 19:10 - 2014-08-02 15:41 - 00001106 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-26 19:10 - 2014-08-02 15:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-26 19:10 - 2011-10-13 20:40 - 00000000 ____D () C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
2014-10-26 18:49 - 2009-07-14 00:08 - 00032568 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-26 17:48 - 2011-11-26 22:03 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-26 11:28 - 2011-03-26 18:48 - 00000000 ____D () C:\ProgramData\iRinger
2014-10-26 09:43 - 2010-12-19 20:55 - 00000000 ____D () C:\Users\John\AppData\Local\VirtualStore
2014-10-26 08:38 - 2010-12-19 21:08 - 00000000 ____D () C:\ProgramData\MFAData
2014-10-26 02:00 - 2011-02-18 17:45 - 00000000 ____D () C:\ProgramData\TEMP
2014-10-25 16:54 - 2009-07-13 23:45 - 00021520 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-25 16:54 - 2009-07-13 23:45 - 00021520 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-24 20:06 - 2010-12-22 20:22 - 00000000 ____D () C:\Windows\pss
2014-10-24 19:43 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-10-24 10:23 - 2014-08-02 09:00 - 00000000 ____D () C:\ProgramData\AVG2014
2014-10-24 10:19 - 2010-12-28 22:04 - 00000000 ____D () C:\Users\John\AppData\Roaming\uTorrent
2014-10-24 10:18 - 2010-12-19 21:36 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2014-10-24 10:18 - 2010-12-19 21:36 - 00000000 ____D () C:\Program Files\CCleaner
2014-10-24 10:15 - 2010-12-19 21:24 - 00000000 ____D () C:\Program Files (x86)\AVG
2014-10-24 10:14 - 2014-05-29 08:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-10-24 10:14 - 2013-01-17 09:47 - 00000000 ___HD () C:\$AVG
2014-10-19 05:43 - 2011-11-26 22:03 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-19 05:43 - 2011-11-26 22:03 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-18 14:45 - 2010-12-21 17:34 - 00000000 ____D () C:\Itunes
2014-10-18 14:44 - 2014-09-20 07:13 - 00000000 ____D () C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
2014-10-18 14:44 - 2010-12-20 19:03 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-10-18 14:27 - 2013-01-12 10:05 - 00000000 ____D () C:\Users\John\AppData\Roaming\TeamViewer

Files to move or delete:
====================
C:\ProgramData\eh7ir.bat
C:\ProgramData\eh7ir.reg
C:\Users\John\mbam-setup-1.50.1.1100.exe

Some content of TEMP:
====================
C:\Users\John\AppData\Local\Temp\GLB1A2B.EXE

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-10-25 23:44

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 02-11-2014
Ran by John at 2014-11-02 12:11:14
Running from C:\Users\John\Desktop\FIX\New folder
Boot Mode: Safe Mode (minimal)
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: ZoneAlarm Free Firewall (Enabled) {E6380B7E-D4B2-19F1-083E-56486607704B}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKCU\...\uTorrent) (Version: 3.4.1.30740 - BitTorrent Inc.)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.5.1.17730 - Adobe Systems Inc.)
Adobe Community Help (HKLM-x32\...\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 3.0.0.400 - Adobe Systems Incorporated)
Adobe Creative Suite 5 Master Collection (HKLM-x32\...\{288DB08D-0708-4A94-B055-55B99E39EB62}) (Version: 5.0 - Adobe Systems Incorporated)
Adobe Download Manager (HKLM-x32\...\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}) (Version: 1.6.2.97 - NOS Microsystems Ltd.)
Adobe Flash Player 11 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 11.3.300.271 - Adobe Systems Incorporated)
Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Media Player (HKLM-x32\...\com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.8 - Adobe Systems Incorporated)
Adobe PageMaker 7.0 (HKLM-x32\...\Adobe PageMaker 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Reader X (10.1.8) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.8 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{C6579A65-9CAE-4B31-8B6B-3306E0630A66}) (Version: 2.1.3.127 - Apple Inc.)
Arrivalguides To Go (HKLM-x32\...\Main.none) (Version: v1.1 - Fastcheck AB)
Arrivalguides To Go (x32 Version: 1.1 - Fastcheck AB) Hidden
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5557 - AVG Technologies)
AVG 2015 (Version: 15.0.4189 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5557 - AVG Technologies) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bonjour Print Services (HKLM\...\{0DA20600-6130-443B-9D4B-F30520315FA6}) (Version: 2.0.2.0 - Apple Inc.)
Boxee (HKLM-x32\...\BOXEE) (Version:  - Boxee)
Boxee Media Manager (HKLM-x32\...\DDF24890-577B-4273-8CB8-5EF7B3CA9E89) (Version: 1.0.71 - Boxee)
calibre (HKLM-x32\...\{E4A8DDAF-4A26-4B5E-A657-E547B17292AE}) (Version: 0.9.3 - Kovid Goyal)
Catalina Savings Printer (HKLM-x32\...\{37331C16-3E97-4A20-80D8-BFB43AB0E2FB}) (Version: 1.0.0 - Catalina Marketing Corp) <==== ATTENTION
CCleaner (HKLM\...\CCleaner) (Version: 4.19 - Piriform)
ChromecastApp (HKCU\...\{079ede36-133d-44b0-8053-c7c1fa8d2e0d}_is1) (Version: 1.5.316.0 - Google Inc.)
Conduit Engine (x32 Version:  - Conduit Ltd.) Hidden <==== ATTENTION
doPDF 7.3 printer (HKLM\...\doPDF 7 printer_is1) (Version:  - Softland)
Dragon NaturallySpeaking 11 (HKLM-x32\...\{EFFA53BC-8C04-2E21-3D90-A13B1697B0CA}) (Version: 11.50.100 - Nuance Communications Inc.)
EASEUS Deleted File Recovery 3.0.1 (HKLM-x32\...\EASEUS Deleted File Recovery 3.0.1_is1) (Version:  - EASEUS)
EASEUS Partition Master 9.1.0 Home Edition (HKLM-x32\...\EASEUS Partition Master Home Edition_is1) (Version:  - EASEUS)
EASEUS Partition Recovery 5.0.1 (HKLM-x32\...\EASEUS Partition Recovery_is1) (Version:  - EASEUS)
Exif Tag Remover 4.1 (HKLM-x32\...\Exif Tag Remover_is1) (Version:  - RL Vision)
FastStone Image Viewer 4.6 (HKLM-x32\...\FastStone Image Viewer) (Version: 4.6 - FastStone Soft)
Free DWG Viewer 7.1 (HKLM-x32\...\{B8B4D43C-EAA0-4EEC-B93E-D4D012316286}) (Version: 7.1 - IGC)
Free YouTube Downloader 3.5.128 (HKLM-x32\...\{A7E19604-93AF-4611-8C9F-CE509C2B286F}_is1) (Version:  - HOW Inc.)
Google Earth Plug-in (HKLM-x32\...\{4AB54F11-2F8C-11E3-B09F-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (x32 Version: 1.3.25.5 - Google Inc.) Hidden
iCloud (HKLM\...\{CE97E4D3-9F91-4D72-8A29-ED9EA90E5A15}) (Version: 2.1.3.25 - Apple Inc.)
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
Java 7 Update 9 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417009FF}) (Version: 7.0.90 - Oracle)
Java™ 6 Update 24 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83216022FF}) (Version: 6.0.240 - Oracle)
LEGO Digital Designer (HKLM-x32\...\New LEGO Digital Designer) (Version:  - LEGO A/S)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Camera Codec Pack (HKLM\...\{D5D8CB90-785A-458E-A5D1-3D084A1B4EE9}) (Version: 16.4.1620.0719 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{91140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUSR_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version:  - Microsoft)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM-x32\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 4.0.51204.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411 (HKLM-x32\...\{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}) (Version: 9.0.30411 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mobipocket Converter (HKLM-x32\...\DigitalEditions) (Version:  - http://www.ebook-converter.com)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Pazera Free MP4 to AVI Converter 1.6 (HKLM-x32\...\{42442BC6-5A92-4BC2-9E0C-3D359D548A21}_is1) (Version: 1.6 - Jacek Pazera)
PCSX2 - Playstation 2 Emulator (HKLM-x32\...\pcsx2-r5350) (Version:  - )
PDF Settings CS5 (x32 Version: 10.0 - Adobe Systems Incorporated) Hidden
PeerBlock 1.2 (r693) (HKLM\...\{015C5B35-B678-451C-9AEE-821E8D69621C}_is1) (Version: 1.2.0.693 - PeerBlock, LLC)
Plex Media Server (HKLM-x32\...\{e9921c42-812d-4b39-9c02-612724349e82}) (Version: 0.9.907 - Plex, Inc.)
Plex Media Server (x32 Version: 0.9.907 - Plex, Inc.) Hidden
PowerISO (HKLM-x32\...\PowerISO) (Version: 4.6 - PowerISO Computing, Inc.)
PxMergeModule (x32 Version: 1.00.0000 - Your Company Name) Hidden
QuickTime (HKLM-x32\...\{0E64B098-8018-4256-BA23-C316A43AD9B0}) (Version: 7.72.80.56 - Apple Inc.)
RBVirtualFolder64Inst (Version: 1.00.0000 - Roxio, Inc.) Hidden
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.30.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.30.0 - Renesas Electronics Corporation) Hidden
Roboreader (HKLM-x32\...\Roboreader) (Version:  - )
Roxio CinePlayer (HKLM-x32\...\{C03F3D5B-0D83-4F81-A324-32F4E7F1BF6A}) (Version: 5.6 - Roxio)
Roxio Creator 2011 Pro (HKLM-x32\...\{4433FF9E-AF21-4E41-B296-4E13BF4D52F5}) (Version: 13.0 - Roxio)
Roxio PhotoShow (HKLM-x32\...\Roxio PhotoShow) (Version: 6.0 - Sonic Solutions)
RSA SecurID Software Token (HKLM-x32\...\{1E7941DC-32F1-467D-8351-8955A038A76E}) (Version: 4.1.1 - RSA, The Security Division of EMC)
SmartSound Common Data (HKLM-x32\...\InstallShield_{B8A2869E-30CA-40C5-9CF8-BD7354E57EF8}) (Version: 1.1.0 - SmartSound Software Inc.)
SmartSound Common Data (x32 Version: 1.1.0 - SmartSound Software Inc.) Hidden
SmartSound Quicktracks 5 (HKLM-x32\...\InstallShield_{2F8BA3FD-1FA9-4279-B696-712ABB12F09F}) (Version: 5.1.7 - SmartSound Software Inc.)
SmartSound Quicktracks 5 (x32 Version: 5.1.7 - SmartSound Software Inc.) Hidden
Stepok's RAW Importer (HKLM-x32\...\Stepok's RAW Importer) (Version:  - )
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
ThreeDify Designer 5.3.3 (HKLM-x32\...\{38AC0DF3-3DF4-4D15-9870-A43060F6FF42}}_is1) (Version:  - ThreeDify)
UltraMon (HKLM\...\{537056B7-32A4-4408-9B54-0341963C7C9C}) (Version: 3.1.0 - Realtime Soft Ltd)
VC 9.0 Runtime (x32 Version: 1.0.0 - Check Point Software Technologies Ltd) Hidden
VD64Inst (Version: 1.00.0000 - Roxio, Inc.) Hidden
Visual C++ 9.0 Runtime for Dragon NaturallySpeaking 64bit (x64) (HKLM\...\{4A5A427F-BA39-4BF0-7777-9A47FBE60C9F}) (Version: 11.0.200 - Nuance Communications Inc.)
Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies)
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player 2.0.5 (HKLM-x32\...\VLC media player) (Version: 2.0.5 - VideoLAN)
WBFS Manager 3.0 (HKLM-x32\...\WBFS Manager 3.0) (Version: 3.0 - AlexDP)
WinRAR archiver (HKLM\...\WinRAR archiver) (Version:  - )
Yahoo! Detect (HKLM-x32\...\YTdetect) (Version:  - )
ZoneAlarm Firewall (x32 Version: 10.1.065.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Free (HKLM-x32\...\ZoneAlarm Free) (Version: 10.1.065.000 - Check Point)
ZoneAlarm Security (x32 Version: 10.1.065.000 - Check Point Software Technologies Ltd.) Hidden
ZoneAlarm Security Toolbar (HKLM-x32\...\ZoneAlarm_Security Toolbar) (Version: 6.7.0.6 - ZoneAlarm Security)
ZoneAlarm Toolbar (Version:  - Check Point Software Technologies) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2818826639-2832681556-2377604591-1001_Classes\CLSID\{4D766FD3-B880-49D3-B7BD-6CF925221E04}\InprocServer32 -> C:\Program Files\Roxio 2011\Virtual Drive 10\DC_ShellExt64.dll (Sonic Solutions)
CustomCLSID: HKU\S-1-5-21-2818826639-2832681556-2377604591-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\John\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2818826639-2832681556-2377604591-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-2818826639-2832681556-2377604591-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\John\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll (Google Inc.)

==================== Restore Points  =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2011-11-15 20:41 - 00002000 ____A C:\Windows\system32\Drivers\etc\hosts
0.0.0.0       localhost
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com
127.0.0.1 activate-sjc0.adobe.com
0.0.0.0       localhost
127.0.0.1 activate.adobe.com
127.0.0.1 practivate.adobe.com
127.0.0.1 ereg.adobe.com
127.0.0.1 activate.wip3.adobe.com
127.0.0.1 wip3.adobe.com
127.0.0.1 3dns-3.adobe.com
127.0.0.1 3dns-2.adobe.com
127.0.0.1 adobe-dns.adobe.com
127.0.0.1 adobe-dns-2.adobe.com
127.0.0.1 adobe-dns-3.adobe.com
127.0.0.1 ereg.wip3.adobe.com
127.0.0.1 activate-sea.adobe.com
127.0.0.1 wwis-dubc1-vip60.adobe.com

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {1296D8AE-C987-4504-AC1E-B3E6AC3DA7AD} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {38A03BD8-0E39-4DE6-ACE7-9D55B68BB35A} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2818826639-2832681556-2377604591-1001UA => C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2014-03-08] (Google Inc.)
Task: {49DB2CD5-2256-497B-B882-C1745FDB2A0E} - System32\Tasks\{2648023D-9859-4DFE-B1DE-EE61F4A0A472} => C:\Program Files (x86)\WorldOfGoo\WorldOfGoo.exe
Task: {51600096-CB63-4CC8-8A0A-45B62B64B665} - System32\Tasks\4580 => Wscript.exe C:\Users\John\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {5DCB13C3-B51E-4AA6-AAEB-B22331944518} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()
Task: {6CB47C0C-2313-426C-8C48-22043CCF71E3} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-10-23] (Piriform Ltd)
Task: {7DECF7FC-CB65-4FC4-A620-F209E08E61FA} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2818826639-2832681556-2377604591-1001Core => C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe [2014-03-08] (Google Inc.)
Task: {8A85BEC7-60E5-489C-8D53-842E96BC1FF2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)
Task: {9FE3E5F8-1A85-462F-B6C1-3052D56FAA8A} - System32\Tasks\Adobe online update program => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2013-04-04] (Adobe Systems Incorporated)
Task: {A8D3AD84-FCE3-4614-AD53-AF31722AAF7A} - System32\Tasks\{6683DC46-AD17-4575-B4DA-BCA86DEF0E7E} => C:\Program Files (x86)\WorldOfGoo\WorldOfGoo.exe
Task: {B559F35E-6459-4433-BB69-C62E4F8D168C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-08-02] (Adobe Systems Incorporated)
Task: {D84F9DAB-CA80-469F-AB7A-CE8DF3DDAA95} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {DB052495-745C-4363-82EA-8E4EBF39C126} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)
Task: {F1C2B9FC-EA69-4BBF-88EF-F8F6F4C7B992} - System32\Tasks\AdobeAAMUpdater-1.0-ChuckNorris-John => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2010-03-06] (Adobe Systems Incorporated)
Task: {FC243ED1-84C1-41EF-9F43-8AAE4294B22A} - System32\Tasks\{452060ED-AEBD-4BFB-9AE9-CE6BC4A3FC5A} => C:\Program Files (x86)\WorldOfGoo\WorldOfGoo.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2818826639-2832681556-2377604591-1001Core.job => C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2818826639-2832681556-2377604591-1001UA.job => C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe

==================== Loaded Modules (whitelisted) =============

2011-03-17 00:07 - 2011-03-17 00:07 - 04297568 _____ () C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2013-10-31 13:47 - 2013-10-31 13:47 - 00954696 _____ () C:\Program Files\Common Files\Apple\Internet Services\ShellStreams64.dll
2011-01-29 09:05 - 2010-03-15 11:28 - 00166400 _____ () C:\Program Files\WinRAR\rarext.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:0FF263E8
AlternateDataStreams: C:\Users\John\AppData\Local\GbwDIZmDIM2Hs:Uo1IR8iqFKl7rXYBKeGIxuzu

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vsmon => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Tenda Wireless Utility.lnk => C:\Windows\pss\Tenda Wireless Utility.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^John^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft SharePoint Workspace.lnk => C:\Windows\pss\Microsoft SharePoint Workspace.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: Adobe Reader Speed Launcher => "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: AdobeCS5ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: BCSSync => "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: Google Update => "C:\Users\John\AppData\Local\Google\Update\GoogleUpdate.exe" /c
MSCONFIG\startupreg: ISW => C:\Program Files\CheckPoint\ZAForceField\ForceField.exe /icon="hidden"
MSCONFIG\startupreg: iTunesHelper => "C:\Itunes\iTunesHelper.exe"
MSCONFIG\startupreg: Malwarebytes Anti-Malware => C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
MSCONFIG\startupreg: pbooxnz => regsvr32.exe /s "C:\Users\John\AppData\Local\Microsoft\pbooxnz.dll"
MSCONFIG\startupreg: Plex Media Server => "C:\Program Files (x86)\Plex\Plex Media Server\Plex Media Server.exe"
MSCONFIG\startupreg: RoxWatchTray => "C:\Program Files (x86)\Common Files\Roxio Shared\13.0\SharedCOM\RoxWatchTray13.exe"
MSCONFIG\startupreg: Sidebar => C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: SwitchBoard => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

========================= Accounts: ==========================

Administrator (S-1-5-21-2818826639-2832681556-2377604591-500 - Administrator - Disabled)
Guest (S-1-5-21-2818826639-2832681556-2377604591-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2818826639-2832681556-2377604591-1009 - Limited - Enabled)
John (S-1-5-21-2818826639-2832681556-2377604591-1001 - Administrator - Enabled) => C:\Users\John

==================== Faulty Device Manager Devices =============

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (11/01/2014 07:55:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/01/2014 07:51:35 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/26/2014 07:03:08 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/26/2014 06:58:58 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/26/2014 06:55:14 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_WerSvc, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Exception code: 0xc0000005
Fault offset: 0x00000000000011f0
Faulting process id: 0x23dc
Faulting application start time: 0xsvchost.exe_WerSvc0
Faulting application path: svchost.exe_WerSvc1
Faulting module path: svchost.exe_WerSvc2
Report Id: svchost.exe_WerSvc3

Error: (10/26/2014 06:53:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
Exception code: 0xc0000005
Fault offset: 0x0000000000018e5d
Faulting process id: 0xd18
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (10/26/2014 06:53:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Exception code: 0xc0000005
Fault offset: 0x0000000000001344
Faulting process id: 0xd18
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (10/26/2014 06:51:47 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_fdPHost, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Exception code: 0xc0000005
Fault offset: 0x0000000000001750
Faulting process id: 0x1c2c
Faulting application start time: 0xsvchost.exe_fdPHost0
Faulting application path: svchost.exe_fdPHost1
Faulting module path: svchost.exe_fdPHost2
Report Id: svchost.exe_fdPHost3

Error: (10/26/2014 06:50:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/26/2014 06:49:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_Winmgmt, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Exception code: 0xc0000005
Fault offset: 0x0000000000001750
Faulting process id: 0x2528
Faulting application start time: 0xsvchost.exe_Winmgmt0
Faulting application path: svchost.exe_Winmgmt1
Faulting module path: svchost.exe_Winmgmt2
Report Id: svchost.exe_Winmgmt3

System errors:
=============
Error: (11/02/2014 00:05:34 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/02/2014 08:11:35 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/01/2014 08:45:36 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/01/2014 08:42:08 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/01/2014 08:41:47 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/01/2014 08:41:47 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{D3DCB472-7261-43CE-924B-0704BD730D5F}

Error: (11/01/2014 08:41:47 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1068fdPHost{145B4335-FE2A-4927-A040-7C35AD3180EF}

Error: (11/01/2014 08:27:28 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Error: (11/01/2014 07:55:47 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (11/01/2014 07:54:32 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error:
%%1068

Microsoft Office Sessions:
=========================
Error: (11/01/2014 07:55:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (11/01/2014 07:51:35 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/26/2014 07:03:08 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/26/2014 06:58:58 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/26/2014 06:55:14 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe_WerSvc6.1.7600.163854a5bc3c1svchost.exe6.1.7600.163854a5bc3c1c000000500000000000011f023dc01cff1773fc7ed16C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe86f5352d-5d6b-11e4-a00b-1c6f6540c110

Error: (10/26/2014 06:53:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe6.1.7600.163854a5bc3c1ntdll.dll6.1.7601.18247521eaf24c00000050000000000018e5dd1801cff09d0f0f0c13C:\Windows\system32\svchost.exeC:\Windows\SYSTEM32\ntdll.dll39bfac43-5d6b-11e4-a00b-1c6f6540c110

Error: (10/26/2014 06:53:04 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe6.1.7600.163854a5bc3c1svchost.exe6.1.7600.163854a5bc3c1c00000050000000000001344d1801cff09d0f0f0c13C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe398ed78c-5d6b-11e4-a00b-1c6f6540c110

Error: (10/26/2014 06:51:47 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe_fdPHost6.1.7600.163854a5bc3c1svchost.exe6.1.7600.163854a5bc3c1c000000500000000000017501c2c01cff1774d94b0c0C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe0b4b3541-5d6b-11e4-a00b-1c6f6540c110

Error: (10/26/2014 06:50:10 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/26/2014 06:49:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe_Winmgmt6.1.7600.163854a5bc3c1svchost.exe6.1.7600.163854a5bc3c1c00000050000000000001750252801cff177477e5fafC:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exec52e7d11-5d6a-11e4-a00b-1c6f6540c110

CodeIntegrity Errors:
===================================
  Date: 2014-10-26 06:42:55.301
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-26 06:06:35.721
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-26 05:51:30.558
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-26 04:36:46.765
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-26 03:44:46.124
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-26 02:41:45.437
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-26 02:08:06.561
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-26 00:02:25.864
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-25 21:46:32.962
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll because the set of per-page image hashes could not be found on the system.

  Date: 2014-10-25 21:39:08.857
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: AMD Phenom™ II X6 1090T Processor
Percentage of memory in use: 55%
Total physical RAM: 8189.55 MB
Available physical RAM: 3675.31 MB
Total Pagefile: 16377.29 MB
Available Pagefile: 13847.8 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.41 GB) (Free:99.48 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:1863.01 GB) (Free:363.27 GB) NTFS
Drive g: (TOSHIBA EXT) (Fixed) (Total:931.51 GB) (Free:509.18 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 1463074E)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 6A46794D)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 14.8 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

========================================================
Disk: 3 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: B6F0CFD2)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)

==================== End Of Log ============================



#12 xXToffeeXx (Malware Response Instructor)

Posted 02 November 2014 - 03:01 PM

Hi cle2jel,
 
Going over your logs I noticed that you have µTorrent installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall µTorrent; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

--------------
 
We need to run a fix with FRST:

  • Press the Windows logo key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below into the notepad document:
HKU\S-1-5-21-2818826639-2832681556-2377604591-1001\...409d6c4515e9\InprocServer32: [Default-shell32]  <==== ATTENTION!
HKU\S-1-5-21-2818826639-2832681556-2377604591-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
SearchScopes: HKLM - DefaultScope {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} URL =
SearchScopes: HKLM-x32 - DefaultScope {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} URL =
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO-x32: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
Toolbar: HKCU - No Name - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} -  No File
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location, or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~
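The fixlist above targets two persistence points that FRST already flagged in the log: the CLSID whose localserver32 value is a rundll32/mshtml script loader (the Poweliks pattern) and the scheduled tasks that run a bare Iexplore.exe or a VBS file out of Temp. The following Python script is an added example for this thread, not FRST's code and not written by the poster; it triages FRST-style log lines for exactly those patterns and decodes the eval() argument, which the visible string shows is the real script with every character stored one code point higher ("epdvnfou/xsjuf" shifts back to "document.write"). The regexes, function names and the five sample lines (copied from the log posted above, with the rest omitted so it runs offline) are the editor's own choices, and the heuristics are assumptions about what a legitimate entry looks like, not a substitute for the full log review done in the thread.

```python
"""Triage FRST log lines for Poweliks-style persistence and decode the eval() payload.
Added example for this thread; not FRST's code. Regexes, names and sample are assumptions."""
import re

# Constructed sample: five entries copied from the FRST log above, nothing else.
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-2818826639-2832681556-2377604591-1001_Classes\CLSID\{4D766FD3-B880-49D3-B7BD-6CF925221E04}\InprocServer32 -> C:\Program Files\Roxio 2011\Virtual Drive 10\DC_ShellExt64.dll (Sonic Solutions)
CustomCLSID: HKU\S-1-5-21-2818826639-2832681556-2377604591-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {1296D8AE-C987-4504-AC1E-B3E6AC3DA7AD} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {51600096-CB63-4CC8-8A0A-45B62B64B665} - System32\Tasks\4580 => Wscript.exe C:\Users\John\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {8A85BEC7-60E5-489C-8D53-842E96BC1FF2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-19] (Google Inc.)
"""

# FRST line shapes for COM server registrations and scheduled tasks.
CLSID_RE = re.compile(
    r'^CustomCLSID: (?P<key>.+?\\(?P<server>InprocServer32|LocalServer32)) -> (?P<value>.*)$',
    re.IGNORECASE)
TASK_RE = re.compile(
    r'^Task: \{[0-9A-F-]+\} - System32\\Tasks\\(?P<name>.+?) => (?P<action>.*)$',
    re.IGNORECASE)
# FRST's own "<==== ATTENTION" / "<==== Poweliks?" annotation at the end of a line.
ANNOTATION_RE = re.compile(r'\s*<====.*$')
# Poweliks loader: the "COM server" is rundll32 executing script through mshtml.
SCRIPT_LOADER_RE = re.compile(
    r'rundll32(\.exe)?\s+(javascript|vbscript):|mshtml,RunHTMLApplication|\beval\(',
    re.IGNORECASE)
# A script host launching a file from a temp or user-profile directory.
TEMP_SCRIPT_RE = re.compile(
    r'\b[wc]script(\.exe)?\b.*\\(Temp|AppData)\\.*\.(vbs|vbe|js|jse|wsf|hta)\b',
    re.IGNORECASE)
# A bare executable name with no path: resolved via PATH at run time.
BARE_EXE_RE = re.compile(r'^[A-Za-z0-9_]+\.exe$', re.IGNORECASE)
# The (possibly truncated) string literal handed to eval(); stops at whitespace.
EVAL_RE = re.compile(r'eval\("([^"\s]*)')


def decode_shifted(payload: str, shift: int = 1) -> str:
    """Undo the obfuscation seen in the log: each character of the real script is
    stored one code point higher ('e'->'d', '/'->'.', '!'->' ', ')'->'(')."""
    return "".join(chr(ord(c) - shift) for c in payload)


def extract_eval_payload(value: str):
    """Return the string passed to eval() in a COM server value, or None."""
    m = EVAL_RE.search(value)
    return m.group(1) if m else None


def triage(log_text: str) -> list:
    """Return one finding dict per suspicious CustomCLSID or Task line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CLSID_RE.match(line)
        if m:
            value = ANNOTATION_RE.sub("", m.group("value"))
            if SCRIPT_LOADER_RE.search(value):
                payload = extract_eval_payload(value)
                findings.append({
                    "kind": "com-hijack",
                    "key": m.group("key"),
                    "reason": "COM server value is a rundll32/mshtml script loader (Poweliks pattern)",
                    "decoded_prefix": decode_shifted(payload) if payload else None,
                })
            continue
        m = TASK_RE.match(line)
        if m:
            action = ANNOTATION_RE.sub("", m.group("action")).strip()
            if TEMP_SCRIPT_RE.search(action):
                findings.append({"kind": "task", "name": m.group("name"),
                                 "reason": "script host runs a file from a temp/profile directory"})
            elif BARE_EXE_RE.match(action):
                findings.append({"kind": "task", "name": m.group("name"),
                                 "reason": "action is a bare executable name with no path"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the Roxio shell extension and the Google updater task produce nothing, while the {AB8902B4-...} localserver32 entry, task "0" and task "4580" are each reported once; the decoded prefix of the eval() argument reads `document.write('<script language=jscr`, which is why the entry is the loader rather than a normal COM server. The same line shapes appear in every FRST.txt, so the script can be re-run on the Fixlog or a fresh scan to confirm the entries are gone after the fix.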


#13 cle2jel (Topic Starter)

Posted 02 November 2014 - 04:51 PM

HKU\S-1-5-21-2818826639-2832681556-2377604591-1001\...409d6c4515e9\InprocServer32: [Default-shell32]  <==== ATTENTION!
HKU\S-1-5-21-2818826639-2832681556-2377604591-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-18\...A8F59079A8D5}\localserver32:  <==== ATTENTION!
SearchScopes: HKLM - DefaultScope {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} URL =
SearchScopes: HKLM-x32 - DefaultScope {B7971660-A1CE-4FDD-B9E0-2C37D77AFB0B} URL =
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
BHO-x32: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} ->  No File
Toolbar: HKCU - No Name - {91DA5E8A-3318-4F8C-B67E-5964DE3AB546} -  No File



#14 cle2jel (Topic Starter)

Posted 02 November 2014 - 04:57 PM

utorrent is also gone



#15 xXToffeeXx (Malware Response Instructor)

Posted 03 November 2014 - 11:50 AM

Hi cle2jel,

Does booting into normal mode still cause a blue screen?

xXToffeeXx~






