
dllhost.exe COM Surrogate surge+


  • This topic is locked
37 replies to this topic

#1 hertelbd

hertelbd

  • Members
  • 21 posts

Posted 06 November 2014 - 03:20 PM

I have seen this topic posted elsewhere, but was told to post specifically because each computer is infected differently.
Anyway, it appears to be the same issue as others. dllhost.exe multiplies and draws CPU power, also crashing PowerShell every once in a while.

It is also affecting web surfing: erasing browsing history, piling up Temporary Internet Files, and it appears to be accessing the internet on its own, as I have found evidence of sites I never visit.

 

I am on an HP, Windows 7, 32-bit, running an AMD Athlon II X2 255.

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17344
Run by Pastor at 11:23:30 on 2014-11-06
#Option MBR scan  is disabled.
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.1791.869 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Xobni\XobniService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE
C:\Program Files\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
C:\Program Files\EmbarqVALite\EMBARQHelpHelper.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\Keystatus.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Pastor\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Windows\System32\WUDFHost.exe
C:\Program Files\AVG\AVG2012\avgcfgex.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\dllhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://centurylink.net/
uSearch Bar = Preserve
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - c:\program files\hewlett-packard\hp support framework\resources\hpnetworkcheck\HPNetworkCheckPlugin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ROC_ROC_APR2013_AV] c:\users\pastor\appdata\roaming\avg april 2013 campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 2879cf00495747d1a9d73120d3e3aa97-ebd6a1e697d6c6abeab7a19c05fbd81b6f48493a --CMPID ROC_APR2013_AV --CMPIDEXTRA 2012
uRun: [Spotify Web Helper] "c:\users\pastor\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [GoogleChromeAutoLaunch_2C8F01A3E5E6A707EBE084C7FAB0E45B] "c:\program files\google\chrome\application\chrome.exe" --no-startup-window
mRun: [hpsysdrv] c:\program files\hewlett-packard\hp odometer\hpsysdrv.exe
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [HP KEYBOARDx] "c:\program files\hewlett-packard\hp desktop keyboard\HPKEYBOARDx.EXE"
mRun: [HP Remote Solution] c:\program files\hewlett-packard\hp remote solution\HP_Remote_Solution.exe
mRun: [BATINDICATOR] c:\program files\hewlett-packard\hp mainstream keyboard\BATINDICATOR.exe
mRun: [LaunchHPOSIAPP] c:\program files\hewlett-packard\hp mainstream keyboard\LaunchApp.exe
mRun: [EmbarqVALite_McciTrayApp] "c:\program files\embarqvalite\EMBARQHelpHelper.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [SMessaging] c:\users\pastor\appdata\local\strongvault online backup\SMessaging.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [NCPluginUpdater] "c:\program files\hewlett-packard\hp health check\activecheck\product_line\NCPluginUpdater.exe" Update
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - c:\program files\hewlett-packard\hp support framework\resources\hpnetworkcheck\NCLauncherFromIE.exe
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
TCP: NameServer = 10.0.0.1
TCP: Interfaces\{E3713459-85F3-452F-9BF0-B0440E988562} : DHCPNameServer = 10.0.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\38.0.2125.111\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-11-8 250080]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-4-11 302368]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2013-10-16 5175856]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2013-11-4 92160]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-7-18 47640]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2010-11-16 13880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-12-10 142176]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-10-15 108032]
S3 OxPPort;OxPPort;c:\windows\system32\drivers\OxPPort.sys [2011-2-8 82048]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-19 52224]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
.
=============== Created Last 30 ================
.
2014-11-06 16:22:34 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-06 16:22:11 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-06 16:22:11 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-06 16:22:11 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-06 16:22:11 -------- d-----w- c:\programdata\Malwarebytes
2014-11-06 16:22:11 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-11-06 16:20:36 -------- d-----w- c:\users\pastor\appdata\local\Programs
2014-11-05 14:51:24 -------- d-----w- c:\windows\pss
2014-11-01 01:39:32 62576 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{a993cfd2-1923-4bf9-b193-1f45b67e2d4a}\offreg.dll
2014-11-01 01:24:34 8901368 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{a993cfd2-1923-4bf9-b193-1f45b67e2d4a}\mpengine.dll
2014-10-30 19:59:44 -------- d-----w- c:\users\pastor\appdata\local\Okhics
2014-10-30 19:59:40 -------- d-----w- c:\users\pastor\appdata\local\YgPack
2014-10-23 13:34:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2014-10-23 13:34:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2014-10-23 13:34:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2014-10-23 13:34:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2014-10-23 13:34:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2014-10-23 13:29:11 -------- d-----w- c:\program files\iPod
2014-10-23 13:29:07 -------- d-----w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-10-23 13:29:07 -------- d-----w- c:\program files\iTunes
2014-10-21 16:01:54 -------- d--h--w- c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2014-10-15 20:05:33 81560 ----a-w- c:\windows\system32\mscories.dll
2014-10-15 20:04:58 67072 ----a-w- c:\windows\system32\packager.dll
.
==================== Find3M  ====================
.
2014-10-28 11:35:00 229000 ------w- c:\windows\system32\MpSigStub.exe
2014-10-10 01:44:58 230912 ----a-w- c:\windows\system32\generaltel.dll
2014-10-10 01:44:35 396288 ----a-w- c:\windows\system32\aepdu.dll
2014-10-10 01:39:38 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-10-02 19:23:20 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2014-10-02 19:23:20 69632 ----a-w- c:\windows\system32\QuickTime.qts
2014-09-29 00:41:36 2379264 ----a-w- c:\windows\system32\win32k.sys
2014-09-25 22:32:04 2017280 ----a-w- c:\windows\system32\inetcpl.cpl
2014-09-25 01:40:50 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-09-24 18:09:38 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-09-24 18:09:38 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-09-19 01:25:12 4201472 ----a-w- c:\windows\system32\jscript9.dll
2014-09-19 01:14:57 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-09-19 01:14:44 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-09-19 01:02:07 454656 ----a-w- c:\windows\system32\vbscript.dll
2014-09-19 01:01:47 61952 ----a-w- c:\windows\system32\iesetup.dll
2014-09-19 01:01:03 51200 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-09-19 00:59:40 61952 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-09-19 00:50:16 112128 ----a-w- c:\windows\system32\ieUnatt.exe
2014-09-19 00:50:15 108032 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-09-19 00:49:31 597504 ----a-w- c:\windows\system32\jscript9diag.dll
2014-09-19 00:44:23 646144 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-09-19 00:36:23 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-09-19 00:18:55 1068032 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-09-18 23:59:11 1810944 ----a-w- c:\windows\system32\wininet.dll
2014-09-18 01:32:52 2363904 ----a-w- c:\windows\system32\msi.dll
2014-09-09 21:47:10 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-04 05:04:15 372736 ----a-w- c:\windows\system32\rastls.dll
2014-08-23 01:46:55 305152 ----a-w- c:\windows\system32\gdi32.dll
.
============= FINISH: 11:24:54.75 ===============


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,621 posts

Posted 12 November 2014 - 12:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/555041 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 hertelbd

hertelbd
  • Topic Starter

  • Members
  • 21 posts

Posted 12 November 2014 - 12:47 PM

I believe I have solved the problem by running ESETPoweliksCleaner, which I saw in other threads with the same issue. The cleaner found Poweliks and removed it. So far, everything seems back to normal, but a double-check would not hurt.

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.17420
Run by Pastor at 11:38:28 on 2014-11-12
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.1791.271 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\PDF Complete\pdfsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE
C:\Program Files\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\Keystatus.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Pastor\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\MsSpellCheckingFacility.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Windows\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://centurylink.net/
uSearch Bar = Preserve
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: AVG Do Not Track: {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: HP Network Check Helper: {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} - c:\program files\hewlett-packard\hp support framework\resources\hpnetworkcheck\HPNetworkCheckPlugin.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ROC_ROC_APR2013_AV] c:\users\pastor\appdata\roaming\avg april 2013 campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 2879cf00495747d1a9d73120d3e3aa97-ebd6a1e697d6c6abeab7a19c05fbd81b6f48493a --CMPID ROC_APR2013_AV --CMPIDEXTRA 2012
uRun: [Spotify Web Helper] "c:\users\pastor\appdata\roaming\spotify\data\SpotifyWebHelper.exe"
uRun: [GoogleChromeAutoLaunch_2C8F01A3E5E6A707EBE084C7FAB0E45B] "c:\program files\google\chrome\application\chrome.exe" --no-startup-window
mRun: [hpsysdrv] c:\program files\hewlett-packard\hp odometer\hpsysdrv.exe
mRun: [PDF Complete] c:\program files\pdf complete\pdfsty.exe
mRun: [HP KEYBOARDx] "c:\program files\hewlett-packard\hp desktop keyboard\HPKEYBOARDx.EXE"
mRun: [HP Remote Solution] c:\program files\hewlett-packard\hp remote solution\HP_Remote_Solution.exe
mRun: [BATINDICATOR] c:\program files\hewlett-packard\hp mainstream keyboard\BATINDICATOR.exe
mRun: [LaunchHPOSIAPP] c:\program files\hewlett-packard\hp mainstream keyboard\LaunchApp.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [SMessaging] c:\users\pastor\appdata\local\strongvault online backup\SMessaging.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRunOnce: [NCPluginUpdater] "c:\program files\hewlett-packard\hp health check\activecheck\product_line\NCPluginUpdater.exe" Update
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {25510184-5A38-4A99-B273-DCA8EEF6CD08} - c:\program files\hewlett-packard\hp support framework\resources\hpnetworkcheck\NCLauncherFromIE.exe
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
TCP: NameServer = 10.0.0.1
TCP: Interfaces\{E3713459-85F3-452F-9BF0-B0440E988562} : DHCPNameServer = 10.0.0.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\38.0.2125.111\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-11-8 250080]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-4-11 302368]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2013-10-16 5175856]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\hewlett-packard\hp support framework\HPSA_Service.exe [2013-11-4 92160]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2011-7-18 47640]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2010-11-16 13880]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2012-12-10 142176]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\ieetwcollector.exe [2014-11-11 102912]
S3 OxPPort;OxPPort;c:\windows\system32\drivers\OxPPort.sys [2011-2-8 82048]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-19 52224]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
.
=============== Created Last 30 ================
.
2014-11-12 14:26:39 -------- d-sh--w- c:\users\pastor\appdata\local\EmieBrowserModeList
2014-11-09 00:52:27 8901368 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{845f62fe-8586-4b19-a324-9b08f395f411}\mpengine.dll
2014-11-06 16:22:34 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-06 16:22:11 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-06 16:22:11 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-06 16:22:11 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-06 16:22:11 -------- d-----w- c:\programdata\Malwarebytes
2014-11-06 16:22:11 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-11-06 16:20:36 -------- d-----w- c:\users\pastor\appdata\local\Programs
2014-11-05 14:51:24 -------- d-----w- c:\windows\pss
2014-10-30 19:59:44 -------- d-----w- c:\users\pastor\appdata\local\Okhics
2014-10-30 19:59:40 -------- d-----w- c:\users\pastor\appdata\local\YgPack
2014-10-23 13:34:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2014-10-23 13:34:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2014-10-23 13:34:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2014-10-23 13:34:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2014-10-23 13:34:47 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2014-10-23 13:29:11 -------- d-----w- c:\program files\iPod
2014-10-23 13:29:07 -------- d-----w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-10-23 13:29:07 -------- d-----w- c:\program files\iTunes
2014-10-21 16:01:54 -------- d--h--w- c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2014-10-15 20:07:41 372736 ----a-w- c:\windows\system32\rastls.dll
.
==================== Find3M  ====================
.
2014-11-11 20:26:48 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-11-11 20:26:48 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-11-06 03:28:20 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-11-06 03:28:06 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-11-06 03:13:43 501248 ----a-w- c:\windows\system32\vbscript.dll
2014-11-06 03:13:36 62464 ----a-w- c:\windows\system32\iesetup.dll
2014-11-06 03:12:44 47616 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-11-06 03:10:58 64000 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-11-06 02:59:36 115712 ----a-w- c:\windows\system32\ieUnatt.exe
2014-11-06 02:59:34 102912 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-11-06 02:58:38 620032 ----a-w- c:\windows\system32\jscript9diag.dll
2014-11-06 02:51:33 667648 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-06 02:42:36 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-06 02:21:49 4298240 ----a-w- c:\windows\system32\jscript9.dll
2014-11-06 02:21:25 2051072 ----a-w- c:\windows\system32\inetcpl.cpl
2014-11-06 02:20:37 1155072 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-11-06 01:52:35 1892864 ----a-w- c:\windows\system32\wininet.dll
2014-11-05 17:50:47 254464 ----a-w- c:\windows\system32\generaltel.dll
2014-11-05 17:50:28 203776 ----a-w- c:\windows\system32\aepdu.dll
2014-11-05 17:47:40 302592 ----a-w- c:\windows\system32\aeinv.dll
2014-10-28 11:35:00 229000 ------w- c:\windows\system32\MpSigStub.exe
2014-10-25 01:32:37 67584 ----a-w- c:\windows\system32\packager.dll
2014-10-18 01:33:18 571904 ----a-w- c:\windows\system32\oleaut32.dll
2014-10-14 01:56:19 136632 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2014-10-14 01:50:50 523776 ----a-w- c:\windows\system32\termsrv.dll
2014-10-14 01:50:41 2363904 ----a-w- c:\windows\system32\msi.dll
2014-10-14 01:50:39 1059840 ----a-w- c:\windows\system32\lsasrv.dll
2014-10-14 01:47:30 146432 ----a-w- c:\windows\system32\msaudite.dll
2014-10-14 01:46:02 681984 ----a-w- c:\windows\system32\adtschema.dll
2014-10-10 00:45:54 2379264 ----a-w- c:\windows\system32\win32k.sys
2014-10-03 01:44:42 442880 ----a-w- c:\windows\system32\AUDIOKSE.dll
2014-10-03 01:44:31 275968 ----a-w- c:\windows\system32\EncDump.dll
2014-10-03 01:44:26 475136 ----a-w- c:\windows\system32\audiosrv.dll
2014-10-03 01:44:26 374784 ----a-w- c:\windows\system32\AudioEng.dll
2014-10-03 01:44:26 195584 ----a-w- c:\windows\system32\AudioSes.dll
2014-10-02 19:23:20 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2014-10-02 19:23:20 69632 ----a-w- c:\windows\system32\QuickTime.qts
2014-09-25 01:40:50 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-09-19 09:23:55 172032 ----a-w- c:\windows\system32\wdigest.dll
2014-09-19 09:23:52 65536 ----a-w- c:\windows\system32\TSpkg.dll
2014-09-19 09:23:49 248832 ----a-w- c:\windows\system32\schannel.dll
2014-09-19 09:23:46 221184 ----a-w- c:\windows\system32\ncrypt.dll
2014-09-19 09:23:45 259584 ----a-w- c:\windows\system32\msv1_0.dll
2014-09-19 09:23:42 550912 ----a-w- c:\windows\system32\kerberos.dll
2014-09-19 09:23:36 17408 ----a-w- c:\windows\system32\credssp.dll
2014-09-09 21:47:10 2048 ----a-w- c:\windows\system32\tzres.dll
2014-08-23 01:46:55 305152 ----a-w- c:\windows\system32\gdi32.dll
2014-08-21 06:26:21 1237504 ----a-w- c:\windows\system32\msxml3.dll
2014-08-21 06:23:10 2048 ----a-w- c:\windows\system32\msxml3r.dll
.
============= FINISH: 11:40:31.95 ===============

#4 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:24 AM

Posted 12 November 2014 - 03:43 PM




My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat :)

Before we start please note the following:

  • Analysis and research take some time, and sometimes real life gets in the way; please be patient.
  • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Paste the logs in your posts; attachments make my work harder and more complicated.
  • Stay with me to the end; the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.

  • I can't foresee everything, so if anything unexpected happens, please stop and inform me!
  • There are no silly questions. Never be afraid to ask if in doubt!

Let's start and enjoy the fight! :)



Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.
There will be two versions to download: 32-bit and 64-bit. Please download the one that is designed for your system. If you don't know which one it should be, download both of them and try each one out. Only one will run - this is the right one. Please leave it and delete the other.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • When the tool opens click Yes to disclaimer.
  • Make sure that the Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.

Radek Naathim Pawelczyk

Malware Removal Specialist



#5 hertelbd

hertelbd
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 12 November 2014 - 03:55 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-11-2014
Ran by Pastor (administrator) on PASTOR-HP on 12-11-2014 14:52:35
Running from C:\Users\Pastor\Desktop
Loaded Profile: Pastor (Available profiles: Pastor)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgcsrvx.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(InterVideo) C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
(Alcatel-Lucent) C:\Program Files\Common Files\Motive\McciCMService.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
(PDF Complete Inc) C:\Program Files\PDF Complete\pdfsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
() C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
() C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
(Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgnsx.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2012\avgtray.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
() C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\Keystatus.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Spotify Ltd) C:\Users\Pastor\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\CNYHKEY.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\program files\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [PDF Complete] => C:\Program Files\PDF Complete\pdfsty.exe [664600 2010-09-28] (PDF Complete Inc)
HKLM\...\Run: [HP KEYBOARDx] => C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE [710656 2010-02-11] (Hewlett-Packard)
HKLM\...\Run: [HP Remote Solution] => C:\Program Files\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe [656896 2009-08-24] (Hewlett-Packard)
HKLM\...\Run: [BATINDICATOR] => C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe [2068992 2009-05-08] (Hewlett-Packard)
HKLM\...\Run: [LaunchHPOSIAPP] => C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe [385024 2009-04-03] (Hewlett-Packard)
HKLM\...\Run: [LogMeIn GUI] => "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM\...\Run: [AVG_TRAY] => C:\Program Files\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [SMessaging] => C:\Users\Pastor\AppData\Local\Strongvault Online Backup\SMessaging.exe
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-10-21] (Hewlett-Packard)
HKU\S-1-5-21-2525090079-2822706772-1044160896-1001\...\Run: [DW6] => "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
HKU\S-1-5-21-2525090079-2822706772-1044160896-1001\...\Run: [ROC_ROC_APR2013_AV] => C:\Users\Pastor\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 2879cf00495747d1a9d73120d3e3aa97-ebd6a1e697d6c6abeab7a19c05fbd81b6f48493a --CMPID ROC_APR2013_AV --CM (the data entry has 13 more characters).
HKU\S-1-5-21-2525090079-2822706772-1044160896-1001\...\Run: [Spotify Web Helper] => C:\Users\Pastor\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1168896 2013-12-02] (Spotify Ltd)
HKU\S-1-5-21-2525090079-2822706772-1044160896-1001\...\Run: [GoogleChromeAutoLaunch_2C8F01A3E5E6A707EBE084C7FAB0E45B] => C:\Program Files\Google\Chrome\Application\chrome.exe [854344 2014-10-21] (Google Inc.)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xF0FDC8CD74F8CF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurylink.net/
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=CMDTDF
SearchScopes: HKLM - {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=CMDTDF
SearchScopes: HKCU - {ec29edf6-ad3c-4e1c-a087-d6cb81400c43} URL =
BHO: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  No File
BHO: AVG Do Not Track -> {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -> C:\Program Files\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1

FireFox:
========
FF Plugin: @Apple.com/iTunes,version=1.0 -> C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files\AVG\AVG2012\Firefox4
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG2012\Firefox4 [2012-02-14]
FF HKLM\...\Firefox\Extensions: [{F53C93F1-07D5-430c-86D4-C9531B27DFAF}] - C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack
FF Extension: AVG Do Not Track - C:\Program Files\AVG\AVG2012\Firefox\DoNotTrack [2012-05-07]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.centurylink.net/"
CHR Profile: C:\Users\Pastor\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Pastor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-10-06]
CHR Extension: (Google Docs) - C:\Users\Pastor\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-10-06]
CHR Extension: (Google Drive) - C:\Users\Pastor\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-10-06]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Pastor\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-10-06]
CHR Extension: (YouTube) - C:\Users\Pastor\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-10-06]
CHR Extension: (Google Search) - C:\Users\Pastor\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-10-06]
CHR Extension: (Google Sheets) - C:\Users\Pastor\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-10-06]
CHR Extension: (Hangouts) - C:\Users\Pastor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nckgahadagoaajjgafhacjanaoiihapd [2014-10-06]
CHR Extension: (Google Wallet) - C:\Users\Pastor\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-10-06]
CHR Extension: (Gmail) - C:\Users\Pastor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-10-06]
CHR HKLM\...\Chrome\Extension: [jmfkcklnlgedgbglfkkgedjfmejoahla] - C:\Program Files\AVG\AVG2012\Chrome\safesearch.crx [2012-07-26]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe [5175856 2013-10-16] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
R2 ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [370792 2010-03-04] ()
S3 GameConsoleService; C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe [246520 2010-06-18] (WildTangent, Inc.)
R2 HP Support Assistant Service; C:\Program Files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company) [File not signed]
R2 McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [319488 2010-01-28] (Alcatel-Lucent) [File not signed]
R2 nSvcIp; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [167528 2010-03-04] ()
R2 pdfcDispatcher; C:\Program Files\PDF Complete\pdfsvc.exe [1119768 2010-09-28] (PDF Complete Inc)
S2 PSI_SVC_2; "C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe" [X]
S2 XobniService; "C:\Program Files\Xobni\XobniService.exe" [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [142176 2012-12-10] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfilterx.sys [24144 2011-12-23] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [24896 2012-04-19] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [17232 2011-12-23] (AVG Technologies CZ, s.r.o. )
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [250080 2012-11-08] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [41040 2011-12-23] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [31952 2012-01-31] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [302368 2013-04-11] (AVG Technologies CZ, s.r.o.)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2010-01-28] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2010-01-28] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 OxPPort; C:\Windows\system32\DRIVERS\OxPPort.sys [82048 2008-07-31] (OEM)
S4 RsFx0102; C:\Windows\System32\DRIVERS\RsFx0102.sys [242712 2008-07-10] (Microsoft Corporation)
S3 s616bus; C:\Windows\System32\DRIVERS\s616bus.sys [83208 2007-04-03] (MCCI Corporation)
S3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [45056 2012-12-13] (Apple, Inc.) [File not signed]
R3 vpcbus; C:\Windows\System32\DRIVERS\vpchbus.sys [172416 2010-11-20] (Microsoft Corporation)
R1 vpcnfltr; C:\Windows\System32\DRIVERS\vpcnfltr.sys [48128 2010-11-20] (Microsoft Corporation)
R3 vpcusb; C:\Windows\System32\DRIVERS\vpcusb.sys [78336 2010-11-20] (Microsoft Corporation)
R1 vpcvmm; C:\Windows\System32\drivers\vpcvmm.sys [296064 2010-11-20] (Microsoft Corporation)
S2 LMIInfo; \??\C:\Program Files\LogMeIn\x86\RaInfo.sys [X]
S4 LMIRfsClientNP; No ImagePath
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
U3 mbr; \??\C:\Users\Pastor\AppData\Local\Temp\mbr.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-12 14:52 - 2014-11-12 14:53 - 00015856 _____ () C:\Users\Pastor\Desktop\FRST.txt
2014-11-12 14:52 - 2014-11-12 14:52 - 00000000 ____D () C:\FRST
2014-11-12 14:50 - 2014-11-12 14:51 - 01107968 _____ (Farbar) C:\Users\Pastor\Desktop\FRST.exe
2014-11-12 11:41 - 2014-11-12 11:41 - 00004664 _____ () C:\Users\Pastor\Desktop\attach.txt
2014-11-12 11:41 - 2014-11-12 11:40 - 00015368 _____ () C:\Users\Pastor\Desktop\dds.txt
2014-11-12 08:26 - 2014-11-12 08:26 - 00000000 __SHD () C:\Users\Pastor\AppData\Local\EmieBrowserModeList
2014-11-12 08:17 - 2014-11-12 08:17 - 00000056 _____ () C:\Windows\setupact.log
2014-11-12 08:17 - 2014-11-12 08:17 - 00000000 _____ () C:\Windows\setuperr.log
2014-11-11 17:48 - 2014-11-05 21:12 - 00047616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-11-11 17:48 - 2014-11-05 20:59 - 00102912 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-11-11 17:48 - 2014-11-05 20:42 - 00060416 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-11-11 17:48 - 2014-11-05 11:50 - 00254464 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-11 17:48 - 2014-11-05 11:50 - 00203776 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-11 17:48 - 2014-11-05 11:47 - 00302592 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-11 17:48 - 2014-10-24 19:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-11 17:48 - 2014-10-17 19:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-11 17:48 - 2014-10-13 19:56 - 00136632 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-11 17:48 - 2014-10-13 19:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-11 17:48 - 2014-10-13 19:50 - 01059840 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-11 17:48 - 2014-10-13 19:50 - 00523776 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-11 17:48 - 2014-10-13 19:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-11 17:48 - 2014-10-13 19:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-11 17:48 - 2014-10-09 18:45 - 02379264 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-11 17:48 - 2014-10-02 19:44 - 00475136 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-11 17:48 - 2014-10-02 19:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-11 17:48 - 2014-10-02 19:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-11 17:48 - 2014-10-02 19:44 - 00275968 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-11 17:48 - 2014-10-02 19:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-11 17:48 - 2014-09-19 03:23 - 00550912 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-11 17:48 - 2014-09-19 03:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-11 17:48 - 2014-09-19 03:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-11 17:48 - 2014-09-19 03:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-11 17:48 - 2014-09-19 03:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-11 17:48 - 2014-09-19 03:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-11 17:48 - 2014-09-19 03:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-11 17:48 - 2014-08-21 00:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-11 17:48 - 2014-08-21 00:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-11 17:48 - 2014-08-11 19:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-11 17:47 - 2014-11-07 13:23 - 00341168 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-11 17:47 - 2014-11-05 21:28 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-11 17:47 - 2014-11-05 21:28 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-11-11 17:47 - 2014-11-05 21:13 - 00501248 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-11 17:47 - 2014-11-05 21:13 - 00062464 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-11 17:47 - 2014-11-05 21:10 - 19781632 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-11 17:47 - 2014-11-05 21:10 - 00064000 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-11-11 17:47 - 2014-11-05 21:05 - 02277376 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-11 17:47 - 2014-11-05 21:04 - 00047104 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-11 17:47 - 2014-11-05 21:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-11 17:47 - 2014-11-05 21:00 - 00478208 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-11 17:47 - 2014-11-05 20:59 - 00115712 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-11-11 17:47 - 2014-11-05 20:58 - 00620032 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-11-11 17:47 - 2014-11-05 20:51 - 00667648 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-11-11 17:47 - 2014-11-05 20:48 - 00418304 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-11 17:47 - 2014-11-05 20:37 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-11 17:47 - 2014-11-05 20:36 - 00076288 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-11 17:47 - 2014-11-05 20:34 - 00285696 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-11 17:47 - 2014-11-05 20:22 - 00688640 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-11 17:47 - 2014-11-05 20:22 - 00683008 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-11 17:47 - 2014-11-05 20:21 - 04298240 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-11 17:47 - 2014-11-05 20:21 - 02051072 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-11 17:47 - 2014-11-05 20:20 - 01155072 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-11-11 17:47 - 2014-11-05 20:03 - 12819456 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-11 17:47 - 2014-11-05 19:52 - 01892864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-11 17:47 - 2014-11-05 19:48 - 01310208 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-11 17:47 - 2014-11-05 19:47 - 00708096 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-11-10 11:29 - 2014-11-10 11:29 - 00000395 _____ () C:\INSTALL.LOG
2014-11-10 08:52 - 2014-11-10 08:52 - 00016392 _____ () C:\Users\Pastor\Desktop\ESETPoweliksCleaner.exe_20141110.085213.2964.log
2014-11-10 08:48 - 2014-11-10 08:48 - 00186568 _____ (ESET) C:\Users\Pastor\Desktop\ESETPoweliksCleaner.exe
2014-11-06 11:16 - 2014-11-06 11:16 - 00688992 ____R (Swearware) C:\Users\Pastor\Desktop\dds.com
2014-11-06 10:22 - 2014-11-09 16:18 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-06 10:22 - 2014-11-06 10:22 - 00001066 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-11-06 10:22 - 2014-11-06 10:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-06 10:22 - 2014-11-06 10:22 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-06 10:22 - 2014-11-06 10:22 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-11-06 10:22 - 2014-10-01 11:11 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-06 10:22 - 2014-10-01 11:11 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-06 10:22 - 2014-10-01 11:11 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-11-05 08:51 - 2014-11-05 11:24 - 00000000 ____D () C:\Windows\pss
2014-10-30 13:59 - 2014-10-31 10:48 - 00000000 ____D () C:\Users\Pastor\AppData\Local\YgPack
2014-10-30 13:59 - 2014-10-31 10:48 - 00000000 ____D () C:\Users\Pastor\AppData\Local\Okhics
2014-10-23 07:34 - 2014-10-23 07:34 - 00001817 _____ () C:\Users\Public\Desktop\QuickTime Player.lnk
2014-10-23 07:34 - 2014-10-23 07:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2014-10-23 07:34 - 2014-10-23 07:34 - 00000000 ____D () C:\Program Files\QuickTime
2014-10-23 07:30 - 2014-10-23 07:30 - 00001755 _____ () C:\Users\Public\Desktop\iTunes.lnk
2014-10-23 07:30 - 2014-10-23 07:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2014-10-23 07:29 - 2014-10-23 07:29 - 00000000 ____D () C:\ProgramData\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-10-23 07:29 - 2014-10-23 07:29 - 00000000 ____D () C:\Program Files\iTunes
2014-10-23 07:29 - 2014-10-23 07:29 - 00000000 ____D () C:\Program Files\iPod
2014-10-21 10:01 - 2014-10-21 10:41 - 00000000 ___HD () C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2014-10-15 14:07 - 2014-09-03 23:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2014-10-15 14:05 - 2014-07-16 19:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2014-10-15 14:05 - 2014-07-16 19:39 - 03221504 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-10-15 14:05 - 2014-07-16 19:39 - 01051136 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2014-10-15 14:05 - 2014-07-16 19:39 - 00304128 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-10-15 14:05 - 2014-07-16 19:39 - 00131584 _____ (Microsoft Corporation) C:\Windows\system32\aaclient.dll
2014-10-15 14:05 - 2014-07-16 19:39 - 00130048 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2014-10-15 14:05 - 2014-07-16 19:03 - 00184320 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2014-10-15 14:05 - 2014-07-16 19:02 - 00031232 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2014-10-15 14:05 - 2014-07-08 19:29 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDYAK.DLL
2014-10-15 14:05 - 2014-07-08 19:29 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDTAT.DLL
2014-10-15 14:05 - 2014-07-08 19:29 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU1.DLL
2014-10-15 14:05 - 2014-07-08 19:29 - 00006144 _____ (Microsoft Corporation) C:\Windows\system32\KBDBASH.DLL
2014-10-15 14:05 - 2014-07-08 19:29 - 00005632 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU.DLL
2014-10-15 14:05 - 2014-07-08 16:30 - 00419992 _____ () C:\Windows\system32\locale.nls
2014-10-15 14:05 - 2014-06-18 16:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-10-15 14:05 - 2014-06-18 16:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-10-15 14:05 - 2014-06-18 16:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-12 14:39 - 2014-07-08 10:30 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-12 14:25 - 2011-02-08 23:14 - 02071688 _____ () C:\Windows\WindowsUpdate.log
2014-11-12 14:18 - 2012-04-12 09:56 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-11-12 12:22 - 2009-07-13 20:37 - 00000000 ____D () C:\Windows\rescache
2014-11-12 12:21 - 2009-07-13 22:34 - 00021680 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-12 12:21 - 2009-07-13 22:34 - 00021680 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-12 10:06 - 2014-09-18 14:07 - 00065536 _____ () C:\Users\Pastor\Desktop\CoinSERIES.xls
2014-11-12 10:03 - 2012-07-30 19:01 - 00000000 ____D () C:\Users\Pastor\PreSchool
2014-11-12 09:46 - 2009-07-13 20:37 - 00000000 ____D () C:\Windows\Microsoft.NET
2014-11-12 09:17 - 2011-02-08 23:29 - 00000000 ____D () C:\ProgramData\PDFC
2014-11-12 08:33 - 2012-02-14 14:46 - 00000000 ____D () C:\Windows\system32\Drivers\AVG
2014-11-12 08:23 - 2009-07-25 06:54 - 00875450 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-12 08:18 - 2014-07-08 10:30 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-12 08:17 - 2009-07-13 22:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-12 08:16 - 2009-07-13 22:33 - 00426208 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-12 08:15 - 2014-05-12 07:26 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-11 17:59 - 2011-04-12 07:22 - 00000052 _____ () C:\Windows\system32\DOErrors.log
2014-11-11 17:58 - 2011-11-22 12:00 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-11-11 17:56 - 2013-10-04 11:13 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-11 17:50 - 2011-04-12 09:14 - 100445232 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-11-11 14:26 - 2012-04-12 09:56 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-11-11 14:26 - 2011-06-19 06:40 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-11-10 14:28 - 2011-07-18 09:31 - 00000000 ____D () C:\Users\Pastor\Hymnody
2014-11-10 08:09 - 2014-06-10 16:36 - 00000324 _____ () C:\Windows\Tasks\HPCeeScheduleForPastor.job
2014-11-05 16:24 - 2013-10-01 10:14 - 00000000 ____D () C:\Users\Pastor\SERMONS
2014-11-05 15:51 - 2009-07-13 20:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-11-05 11:25 - 2014-07-08 10:30 - 00000000 ____D () C:\Program Files\Common Files\WebM Project
2014-11-05 08:22 - 2011-11-09 11:29 - 00000000 ____D () C:\Users\Pastor\Bible Study
2014-10-31 11:12 - 2009-07-13 22:52 - 00000000 ____D () C:\Windows\system32\restore
2014-10-31 10:48 - 2012-02-14 14:46 - 00000000 ____D () C:\ProgramData\AVG2012
2014-10-31 07:22 - 2009-07-13 22:53 - 00032598 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-10-30 07:08 - 2011-08-17 19:08 - 00000332 _____ () C:\Windows\Tasks\HPCeeScheduleForPASTOR-HP$.job
2014-10-28 05:35 - 2011-05-14 12:19 - 00229000 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-10-27 12:45 - 2014-10-06 14:08 - 00002131 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-23 07:29 - 2011-08-02 08:52 - 00000000 ____D () C:\Program Files\Common Files\Apple
2014-10-23 07:28 - 2014-09-25 07:28 - 00000000 ____D () C:\ProgramData\188F1432-103A-4ffb-80F1-36B633C5C9E1

Some content of TEMP:
====================
C:\Users\Pastor\AppData\Local\Temp\VALiteRemove_Cleanup.exe
C:\Users\Pastor\AppData\Local\Temp\VALiteRemove_Kill.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-11-05 17:13

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 10-11-2014
Ran by Pastor at 2014-11-12 14:53:20
Running from C:\Users\Pastor\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG Anti-Virus Free Edition 2012 (Enabled - Up to date) {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AS: AVG Anti-Virus Free Edition 2012 (Enabled - Up to date) {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7-zip (HKLM\...\7-zip) (Version:  - )
Adobe AIR (HKLM\...\Adobe AIR) (Version: 3.2.0.2070 - Adobe Systems Incorporated)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
Agatha Christie - Peril at End House (Version: 2.2.0.95 - WildTangent) Hidden
Amazon MP3 Downloader 1.0.17 (HKLM\...\Amazon MP3 Downloader) (Version: 1.0.17 - Amazon Services LLC)
Amazon MP3 Uploader (HKLM\...\com.amazon.music.uploader) (Version: 1.0.8 - Amazon Services LLC)
Amazon MP3 Uploader (Version: 1.0.8 - Amazon Services LLC) Hidden
Apple Application Support (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
AVG 2012 (HKLM\...\AVG) (Version: 2012.1.2247 - AVG Technologies)
AVG 2012 (Version: 12.0.4189 - AVG Technologies) Hidden
AVG 2012 (Version: 12.1.2247 - AVG Technologies) Hidden
Bejeweled 2 Deluxe (Version: 2.2.0.95 - WildTangent) Hidden
Blackhawk Striker 2 (Version: 2.2.0.95 - WildTangent) Hidden
Blasterball 3 (Version: 2.2.0.95 - WildTangent) Hidden
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
Bounce Symphony (Version: 2.2.0.95 - WildTangent) Hidden
Build-a-lot 2 (Version: 2.2.0.95 - WildTangent) Hidden
Cake Mania (Version: 2.2.0.95 - WildTangent) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 3.22 - Piriform)
Chuzzle Deluxe (Version: 2.2.0.95 - WildTangent) Hidden
Compatibility Pack for the 2007 Office system (HKLM\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
CPH Software Updater (HKLM\...\{30DE8A35-B579-46CD-AF13-B9C58EBFF481}) (Version: 1.1.0001 - Concordia Publishing House)
Dell Laser Printer 1110 Software Uninstall (HKLM\...\Dell Laser Printer 1110) (Version:  - )
Diner Dash 2 Restaurant Rescue (Version: 2.2.0.95 - WildTangent) Hidden
Dora's World Adventure (Version: 2.2.0.95 - WildTangent) Hidden
Escape Rosecliff Island (Version: 2.2.0.95 - WildTangent) Hidden
Farm Frenzy (Version: 2.2.0.95 - WildTangent) Hidden
FATE (Version: 2.2.0.95 - WildTangent) Hidden
Final Drive Nitro (Version: 2.2.0.95 - WildTangent) Hidden
Google Chrome (HKLM\...\Google Chrome) (Version: 38.0.2125.111 - Google Inc.)
Google Update Helper (Version: 1.3.25.5 - Google Inc.) Hidden
Heroes of Hellas 2 - Olympia (Version: 2.2.0.95 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP Connect Solutions (HKLM\...\{BE1C9464-DEBB-4DA6-B19A-8EC634F22D73}) (Version: 1.0.0.4 - Hewlett-Packard)
HP Desktop Keyboard (HKLM\...\HP Keyboard_is1) (Version: 1.0.0.13 - Hewlett-Packard)
HP Games (HKLM\...\WildTangent hp Master Uninstall) (Version: 1.0.1.5 - WildTangent)
HP MAINSTREAM KEYBOARD (HKLM\...\{B40D7926-AE5F-41EA-8AC6-56C0E2F00E9D}) (Version: 1.4.3.0 - Hewlett-Packard)
HP Odometer (HKLM\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Remote Solution (HKLM\...\HP Remote Solution) (Version: 1.1.14.0 - Hewlett-Packard)
HP Setup (HKLM\...\{60F641EA-DFFB-4419-A1A7-4FF575BA87BE}) (Version: 1.2.4093.3340 - Hewlett-Packard)
HP Support Assistant (HKLM\...\{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE}) (Version: 7.4.45.4 - Hewlett-Packard Company)
HP Support Information (HKLM\...\{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}) (Version: 10.1.1000 - Hewlett-Packard)
HP Vision Hardware Diagnostics (HKLM\...\{D79A02E9-6713-4335-9668-AAC7474C0C0E}) (Version: 2.1.6.0 - Hewlett-Packard)
InterVideo WinDVD 8 (HKLM\...\InstallShield_{5FEBF468-5AC2-4C66-AD80-DF85C085AA73}) (Version: 8.5.10.84 - InterVideo Inc.)
InterVideo WinDVD 8 (Version: 8.5.10.84 - InterVideo Inc.) Hidden
ISA 2 basic (HKLM\...\ISA 2 basic) (Version: 2.1.5.0 - Scripture4all Foundation)
iTunes (HKLM\...\{5D928931-D1D2-4A93-A82D-BF60D0E7CFA5}) (Version: 12.0.1.26 - Apple Inc.)
Jewel Quest Solitaire 2 (Version: 2.2.0.95 - WildTangent) Hidden
Kyocera Product Library (HKLM\...\Kyocera Product Library) (Version: 4.2.1909 - KYOCERA Document Solutions Inc.)
Lutheran Service Builder 2 (HKLM\...\{9262A59D-230C-4589-B96E-2CBA6E58544F}) (Version: 2.3.0001 - Concordia Publishing House)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Standard Edition 2003 (HKLM\...\{91120409-6000-11D3-8CFE-0150048383C9}) (Version: 11.0.8173.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2008 (HKLM\...\Microsoft SQL Server 10 Release) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2008 Browser (HKLM\...\{C688457E-03FD-4941-923B-A27F4D42A7DD}) (Version: 10.0.1600.22 - Microsoft Corporation)
Microsoft SQL Server 2008 Native Client (HKLM\...\{D9D937B0-E842-4130-9588-B948E876904A}) (Version: 10.0.1600.22 - Microsoft Corporation)
Microsoft SQL Server 2008 Setup Support Files (English) (HKLM\...\{9D6D76A6-4328-49E8-97A7-531A74841DA5}) (Version: 10.0.1600.22 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{B857D868-F8B0-43EE-BC2B-D9E5ED21F237}) (Version: 10.0.1600.22 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (HKLM\...\{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft_VC90_CRT_x86 (HKLM\...\{DF2035BE-5820-4965-BD97-7FAF8D4A7879}) (Version: 1.0.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery P.I. - The London Caper (Version: 2.2.0.95 - WildTangent) Hidden
NVIDIA Display Control Panel (HKLM\...\NVIDIA Display Control Panel) (Version: 6.14.11.9739 - NVIDIA Corporation)
NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10.61.39 - NVIDIA Corporation)
NVIDIA ForceWare Network Access Manager (HKLM\...\{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}) (Version: 1.00.7330.0 - NVIDIA Corporation)
Open PLS in Windows Media Player 2.3.0 (HKLM\...\{F868C16D-75F8-4EE8-BCBF-422D0833415D}_is1) (Version: 2.3 - Jon Galloway)
PDF Complete Special Edition (HKLM\...\PDF Complete) (Version: 4.0.9 - PDF Complete, Inc)
Penguins! (Version: 2.2.0.95 - WildTangent) Hidden
Plants vs. Zombies (Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime x86 (HKLM\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Poker Superstars III (Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (Version: 2.2.0.95 - WildTangent) Hidden
Polar Golfer (Version: 2.2.0.95 - WildTangent) Hidden
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6196 - Realtek Semiconductor Corp.)
Recovery Manager (Version: 5.5.2926 - CyberLink Corp.) Hidden
Rosetta Stone 2.1.4.2Asms (HKLM\...\Rosetta Stone 2.1.4.2Asms) (Version: 2.1.4.2 - Fairfield Language Technologies)
Sql Server Customer Experience Improvement Program (Version: 10.0.1600.22 - Microsoft Corporation) Hidden
Strongvault Online Backup (Version: 5.0.2.34 - Strongvault Online Backup) Hidden <==== ATTENTION
Virtual Families (Version: 2.2.0.95 - WildTangent) Hidden
Virtual Villagers 4 - The Tree of Life (Version: 2.2.0.95 - WildTangent) Hidden
Wheel of Fortune 2 (Version: 2.2.0.95 - WildTangent) Hidden
Windows Live ID Sign-in Assistant (HKLM\...\{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}) (Version: 6.500.3165.0 - Microsoft Corporation)
Xobni Core (Version: 1.0.0 - Xobni, Inc.) Hidden
Zuma Deluxe (Version: 2.2.0.95 - WildTangent) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2525090079-2822706772-1044160896-1001_Classes\CLSID\{3f04dadf-6ea4-44d1-a507-03cad176f443}\InprocServer32 -> C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll (Amazon.com, Inc.)
CustomCLSID: HKU\S-1-5-21-2525090079-2822706772-1044160896-1001_Classes\CLSID\{56CBD3CF-BF99-4DF5-851F-F5B9B57496A1}\InprocServer32 -> C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}\actxprxy.dll No File

==================== Restore Points  =========================

31-10-2014 17:12:42 Scheduled Checkpoint
01-11-2014 01:23:56 Windows Update
07-11-2014 14:03:02 Windows Update
11-11-2014 23:48:57 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 20:04 - 2009-06-10 15:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {186BFFCE-F93D-4C2E-A33A-8D8E22C141E9} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {3F53F143-9BDB-47FB-9513-DF6C1112A8CE} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()
Task: {5914D329-02EE-4DA0-B725-9B2F8B1F268A} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)
Task: {5E1B324B-3020-4922-A177-3A54AAA8E22F} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2012-08-22] (Piriform Ltd)
Task: {5E9B5969-7AAF-4783-B223-DEB9B6B38817} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2014-05-12] (Hewlett-Packard Company)
Task: {6E9692D7-05E4-4837-A293-48A12E3AEC16} - System32\Tasks\HPCeeScheduleForPASTOR-HP$ => C:\Program Files\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard)
Task: {A72FADDC-3146-4EA0-A881-BDEFA0FA464A} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)
Task: {BF3A059E-AC3E-40BD-BC26-6E198357D6B2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-07-08] (Google Inc.)
Task: {D5573E50-86EE-4DA2-BD88-36BDA5E17618} - System32\Tasks\HPCeeScheduleForPastor => C:\Program Files\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard)
Task: {DF27795B-455C-4694-B86D-C3FF32B1EAD5} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-07-08] (Google Inc.)
Task: {EBCC1AE0-7A08-494C-90DC-3CC6B10FA91C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-11] (Adobe Systems Incorporated)
Task: {EDE3790D-C188-40D1-BF2C-4CF3D7ABB966} - System32\Tasks\HPOSIAPP32 => C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe [2009-02-27] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPCeeScheduleForPASTOR-HP$.job => C:\Program Files\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\Windows\Tasks\HPCeeScheduleForPastor.job => C:\Program Files\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe

==================== Loaded Modules (whitelisted) =============

2009-09-04 04:38 - 2009-09-04 04:38 - 00020594 _____ () C:\Windows\System32\DELS3L3.DLL
2014-01-20 13:17 - 2014-01-20 13:17 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 12:05 - 2014-10-11 12:05 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2011-02-08 23:24 - 2010-03-04 19:23 - 00370792 _____ () C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
2011-02-08 23:24 - 2010-03-04 19:22 - 00062568 _____ () C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nv_common.dll
2011-02-08 23:24 - 2010-03-04 19:23 - 00565864 _____ () C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\SpecialCase.dll
2011-02-08 23:24 - 2010-03-04 19:23 - 00167528 _____ () C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
2011-02-08 23:30 - 2009-02-27 21:13 - 00053248 _____ () C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
2011-02-08 23:30 - 2009-07-02 16:58 - 00406016 _____ () C:\Program Files\Hewlett-Packard\HP Desktop Keyboard\Keystatus.exe
2011-02-08 23:30 - 2009-02-19 19:22 - 00028672 _____ () C:\Program Files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\WMINPUT.DLL

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-2525090079-2822706772-1044160896-500 - Administrator - Disabled)
Guest (S-1-5-21-2525090079-2822706772-1044160896-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2525090079-2822706772-1044160896-1007 - Limited - Enabled)
Pastor (S-1-5-21-2525090079-2822706772-1044160896-1001 - Administrator - Enabled) => C:\Users\Pastor

==================== Faulty Device Manager Devices =============

Name: LogMeIn Kernel Information Provider
Description: LogMeIn Kernel Information Provider
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: LMIInfo
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (11/12/2014 00:55:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4368

Error: (11/12/2014 00:55:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4368

Error: (11/12/2014 00:55:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/12/2014 00:55:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 3354

Error: (11/12/2014 00:55:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 3354

Error: (11/12/2014 00:55:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/12/2014 00:55:41 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1014

Error: (11/12/2014 00:55:41 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1014

Error: (11/12/2014 00:55:41 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/12/2014 08:17:50 AM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

System errors:
=============
Error: (11/12/2014 00:09:24 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer DBC90Y81
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{E3713459-85F3-452F-9BF0-B0440E988.
The master browser is stopping or an election is being forced.

Error: (11/12/2014 11:45:22 AM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer DBC90Y81
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{E3713459-85F3-452F-9BF0-B0440E988.
The master browser is stopping or an election is being forced.

Error: (11/12/2014 10:05:48 AM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer DBC90Y81
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{E3713459-85F3-452F-9BF0-B0440E988.
The master browser is stopping or an election is being forced.

Error: (11/12/2014 09:29:49 AM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer DBC90Y81
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{E3713459-85F3-452F-9BF0-B0440E988.
The master browser is stopping or an election is being forced.

Error: (11/12/2014 08:17:50 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (11/12/2014 08:17:50 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with service-specific error %%-1073473535.

Error: (11/12/2014 08:17:19 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The XobniService service failed to start due to the following error:
%%2

Error: (11/12/2014 08:17:18 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Protexis Licensing V2 service failed to start due to the following error:
%%2

Error: (11/12/2014 08:17:14 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The LogMeIn Kernel Information Provider service failed to start due to the following error:
%%3

Error: (11/11/2014 06:53:42 PM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer DBC90Y81
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{E3713459-85F3-452F-9BF0-B0440E988.
The master browser is stopping or an election is being forced.

Microsoft Office Sessions:
=========================
Error: (11/12/2014 00:55:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4368

Error: (11/12/2014 00:55:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4368

Error: (11/12/2014 00:55:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/12/2014 00:55:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 3354

Error: (11/12/2014 00:55:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 3354

Error: (11/12/2014 00:55:42 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/12/2014 00:55:41 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 1014

Error: (11/12/2014 00:55:41 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 1014

Error: (11/12/2014 00:55:41 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (11/12/2014 08:17:50 AM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description:
Details:
 The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

==================== Memory info ===========================

Processor: AMD Athlon™ II X2 255 Processor
Percentage of memory in use: 64%
Total physical RAM: 1791.3 MB
Available physical RAM: 628.25 MB
Total Pagefile: 3645.61 MB
Available Pagefile: 1925.14 MB
Total Virtual: 2047.88 MB
Available Virtual: 1897.31 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:221.74 GB) (Free:173.91 GB) NTFS
Drive d: (HP_RECOVERY) (Fixed) (Total:11.04 GB) (Free:1.34 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 232.9 GB) (Disk ID: 1AA3ACDF)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=221.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11 GB) - (Type=07 NTFS)

==================== End Of Log ============================
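The "Custom CLSID" section of the log above shows the pattern this thread is about: a per-user COM class registration (HKU\<SID>_Classes\CLSID\{...}\InprocServer32) whose server lives in a GUID-named folder under C:\ProgramData and, by the time of the scan, points at a file that no longer exists. A per-user registration shadows the machine-wide one for that user's non-elevated processes, which is how a hijacked class ends up loaded by dllhost.exe (COM Surrogate). The following PowerShell is an added example from the editor, not from the poster, FRST or ESET; it enumerates the loaded user hives and flags the same indicators a triage would look for. It assumes Windows PowerShell 3.0 or later from an elevated prompt, and the list of user-writable directories is the editor's assumption, not something the log states.

```powershell
# Added triage example (editor's code, not from the thread, FRST or ESET).
# Walks every loaded per-user Classes hive under HKEY_USERS and reports COM
# server registrations that match the indicators seen in the FRST log:
#   - the server file does not exist ("No File")
#   - the server lives in a user-writable location such as ProgramData/AppData
#   - the server sits in a GUID-named directory
#   - the per-user key overrides a class that HKLM also registers (hijack pattern)
# Assumes an elevated Windows PowerShell 3.0+ session. $userWritable is an assumption
# about typical dropper locations; extend it for your environment.

$userWritable = @(
    "$env:ProgramData\", "$env:SystemDrive\Users\Public\",
    "$env:SystemRoot\Temp\", '\AppData\Local\', '\AppData\Roaming\'
)
$guidDirPattern = '\\\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\\'

function Get-ServerPath {
    # Reduce a (Default) server value such as  "C:\dir\x.dll" /arg  to the file path.
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    if ($expanded.StartsWith('"')) {
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
    }
    # Unquoted: the whole string is the path if it exists, otherwise the first token.
    if (Test-Path -LiteralPath $expanded -PathType Leaf) { return $expanded }
    return ($expanded -split '\s+')[0]
}

function Get-ComServerFindings {
    $findings = @()
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*_Classes' }

    foreach ($hive in $hives) {
        $sid = $hive.PSChildName -replace '_Classes$', ''
        $clsidRoot = Join-Path $hive.PSPath 'CLSID'
        if (-not (Test-Path -LiteralPath $clsidRoot)) { continue }

        foreach ($clsidKey in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
            $clsid = $clsidKey.PSChildName
            foreach ($serverType in 'InprocServer32', 'LocalServer32') {
                $serverKey = Join-Path $clsidKey.PSPath $serverType
                if (-not (Test-Path -LiteralPath $serverKey)) { continue }

                $raw  = (Get-ItemProperty -LiteralPath $serverKey -ErrorAction SilentlyContinue).'(default)'
                $path = Get-ServerPath $raw
                $reasons = @()

                if (-not $path) {
                    $reasons += 'empty server value'
                } else {
                    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { $reasons += 'target file missing' }
                    foreach ($dir in $userWritable) {
                        if ($path -like "*$dir*") { $reasons += "target under user-writable path ($dir)"; break }
                    }
                    if ($path -match $guidDirPattern) { $reasons += 'target in GUID-named directory' }
                }
                # A per-user key shadows the machine-wide registration of the same class
                # for that user's non-elevated processes, including COM Surrogate hosts.
                if (Test-Path -LiteralPath "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\$clsid") {
                    $reasons += 'overrides an HKLM-registered class'
                }

                if ($reasons.Count -gt 0) {
                    $findings += [pscustomobject]@{
                        UserSid = $sid; Clsid = $clsid; Server = $serverType
                        Target  = $raw; Reasons = ($reasons -join '; ')
                    }
                }
            }
        }
    }
    return $findings
}

Get-ComServerFindings | Format-Table -AutoSize -Wrap
```

Treat the output as leads, not verdicts: legitimate per-user registrations (the Amazon MP3 Downloader plugin in the log above is one) will also be listed, so compare the target path and its signature before removing anything. The script only sees hives that are currently loaded; the Classes hive of a user who is not logged on lives in that profile's UsrClass.dat and would have to be loaded with reg.exe first.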



#6 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:04:24 AM

Posted 12 November 2014 - 03:59 PM

Did somebody else help you lately on a forum?

Radek Naathim Pawelczyk

Malware Removal Specialist

 



#7 hertelbd

hertelbd
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:09:24 PM

Posted 12 November 2014 - 04:11 PM

No, this is the only forum I have visited, but, as I replied to the Bot, I did read other threads with similar issues to mine.
Previously, I had run AVG, Malwarebytes, and CCleaner, but it did not resolve the issue. I read on here that ESETPoweliksCleaner was recommended and ran that. The program said it found poweliks and removed it.
Things have been ok, but double-checking never hurt.



#8 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:04:24 AM

Posted 12 November 2014 - 04:13 PM

Sure. Please find and post the ESET Poweliks Cleaner logfile.

Radek Naathim Pawelczyk

Malware Removal Specialist

 



#9 hertelbd

hertelbd
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:09:24 PM

Posted 12 November 2014 - 04:15 PM

[2014.11.10 08:52:13.709] - Begin
[2014.11.10 08:52:13.723] -
[2014.11.10 08:52:13.742] -     ....................................
[2014.11.10 08:52:13.745] -   ..::::::::::::::::::....................
[2014.11.10 08:52:13.750] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Poweliks
[2014.11.10 08:52:13.756] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 1.0.0.1
[2014.11.10 08:52:13.760] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: Oct 15 2014
[2014.11.10 08:52:13.763] -  .::EE:::::::::::::SS:.EE..........TT......
[2014.11.10 08:52:13.767] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2014.11.10 08:52:13.769] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2014.11.10 08:52:13.771] -     ....................................
[2014.11.10 08:52:13.771] -
[2014.11.10 08:52:13.772] - --------------------------------------------------------------------------------
[2014.11.10 08:52:13.772] -
[2014.11.10 08:52:13.773] - INFO: OS: 6.1.7601 SP1
[2014.11.10 08:52:13.774] - INFO: Product Type: Workstation
[2014.11.10 08:52:13.775] - INFO: WoW64: False
[2014.11.10 08:52:13.776] - INFO: Machine guid: 10B0875A-3896-464A-84E5-C7126FA947FA
[2014.11.10 08:52:13.777] -
[2014.11.10 08:52:15.618] - INFO: Scanning for system infection...
[2014.11.10 08:52:15.618] - --------------------------------------------------------------------------------
[2014.11.10 08:52:15.618] -
[2014.11.10 08:52:15.618] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.10 08:52:15.696] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.10 08:52:15.769] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.10 08:52:15.770] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.10 08:52:15.770] - INFO: Processing classes...
[2014.11.10 08:52:15.842] - INFO: Processing clsid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{3f04dadf-6ea4-44d1-a507-03cad176f443}]
[2014.11.10 08:52:15.842] - INFO: Processing clsid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{56CBD3CF-BF99-4DF5-851F-F5B9B57496A1}]
[2014.11.10 08:52:15.842] - INFO: Processing clsid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.10 08:52:15.842] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.10 08:52:15.843] - INFO: Processing clsid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{3f04dadf-6ea4-44d1-a507-03cad176f443}]
[2014.11.10 08:52:15.843] - INFO: Processing clsid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{56CBD3CF-BF99-4DF5-851F-F5B9B57496A1}]
[2014.11.10 08:52:15.843] - INFO: Processing clsid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.10 08:52:15.843] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.10 08:52:15.843] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.10 08:52:15.877] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:15.877] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:15.877] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.10 08:52:15.877] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:15.878] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:15.878] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:15.878] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:15.879] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.10 08:52:15.879] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.11.10 08:52:15.913] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.10 08:52:15.914] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.10 08:52:15.914] - INFO: Win32/Poweliks found
[2014.11.10 08:52:30.052] - INFO: process: dllhost.exe, pid 7600, parent 4368
[2014.11.10 08:52:30.056] - INFO: Terminated process pid = 7600
[2014.11.10 08:52:30.057] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.10 08:52:30.058] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]...
[2014.11.10 08:52:30.059] - INFO: Processing [HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.10 08:52:30.059] - INFO: Processing [HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce]...
[2014.11.10 08:52:30.059] - INFO: Processing classes...
[2014.11.10 08:52:30.059] - INFO: Processing clsid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{3f04dadf-6ea4-44d1-a507-03cad176f443}]
[2014.11.10 08:52:30.059] - INFO: Processing clsid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{56CBD3CF-BF99-4DF5-851F-F5B9B57496A1}]
[2014.11.10 08:52:30.060] - INFO: Processing clsid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.10 08:52:30.060] - INFO: Deleted classid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.10 08:52:30.083] - INFO: Processing clsid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{3f04dadf-6ea4-44d1-a507-03cad176f443}]
[2014.11.10 08:52:30.083] - INFO: Processing clsid [\Registry\User\S-1-5-21-2525090079-2822706772-1044160896-1001\SOFTWARE\Classes\CLSID\{56CBD3CF-BF99-4DF5-851F-F5B9B57496A1}]
[2014.11.10 08:52:30.083] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.10 08:52:30.083] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:30.083] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:30.083] - INFO: Processing invalid values in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.10 08:52:30.083] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:30.083] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:30.084] - INFO: Processing value [] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:30.084] - INFO: Processing value [ServerExecutable] = [%systemroot%\system32\wbem\wmiprvse.exe]
[2014.11.10 08:52:30.084] - INFO: Processing invalid subkeys in [HKLM\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32]...
[2014.11.10 08:52:30.084] - INFO: Processing [HKLM\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]...
[2014.11.10 08:52:30.084] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.10 08:52:30.084] - INFO: Processing subkey [\Registry\Machine\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32]
[2014.11.10 08:52:30.084] - INFO: Cleaning status: 0
[2014.11.10 08:52:38.234] - End
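A small triage helper for logs in the format posted above, added here as an example; it is not ESET's code and not part of the thread. It parses the `[timestamp] - LEVEL: message` lines, collects the CLSIDs the cleaner flagged and deleted, the dllhost.exe instances it terminated and the final `Cleaning status`, and decides whether the run actually finished the job. The sample log is constructed (SID shortened) but keeps the CLSID the thread's log reports.

```python
"""Triage helper for an ESET Poweliks Cleaner log (added example, not ESET's code).

It walks the '[timestamp] - LEVEL: message' lines, collects the CLSIDs the
cleaner flagged and deleted, the dllhost.exe instances it terminated, and the
final 'Cleaning status', then decides whether the run actually finished the job.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] - ?(?:(?P<level>INFO|WARNING|ERROR): )?(?P<msg>.*)$")
# The tool itself spells it "suspicous"; accept either spelling.
SUSPICIOUS_RE = re.compile(r"Found suspic\w+ classid \[(?P<key>[^\]]+)\]")
DELETED_RE = re.compile(r"Deleted classid \[(?P<key>[^\]]+)\]")
PROCESS_RE = re.compile(r"process: (?P<name>\S+), pid (?P<pid>\d+), parent (?P<ppid>\d+)")
TERMINATED_RE = re.compile(r"Terminated process pid = (?P<pid>\d+)")
STATUS_RE = re.compile(r"Cleaning status: (?P<code>-?\d+)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Triage:
    suspicious: Set[str] = field(default_factory=set)   # CLSIDs flagged by the scan
    deleted: Set[str] = field(default_factory=set)      # CLSIDs the cleaner removed
    processes: List[Tuple[str, int, int]] = field(default_factory=list)  # (name, pid, ppid)
    terminated: Set[int] = field(default_factory=set)
    detected: bool = False                              # "Win32/Poweliks found" seen
    status: Optional[int] = None                        # final "Cleaning status" code

    @property
    def remaining(self) -> Set[str]:
        """Flagged CLSIDs that never got a matching 'Deleted classid' line."""
        return self.suspicious - self.deleted

    def cleaned(self) -> bool:
        """True only if the infection was found, every flagged key was deleted,
        every hosting process was killed, and the tool reported status 0."""
        return (self.detected and self.status == 0 and not self.remaining
                and all(pid in self.terminated for _, pid, _ in self.processes))


def clsid_of(key: str) -> str:
    """Extract the GUID from a registry path; upper-case it because the log
    mixes cases ('4bb6' next to 'B78D') inside the same key."""
    m = CLSID_RE.search(key)
    return m.group(0).upper() if m else key.upper()


def triage_log(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # banner art, separators, blank lines
        level, msg = m.group("level"), m.group("msg")
        if level == "WARNING":
            s = SUSPICIOUS_RE.search(msg)
            if s:
                t.suspicious.add(clsid_of(s.group("key")))
            continue
        d = DELETED_RE.search(msg)
        if d:
            t.deleted.add(clsid_of(d.group("key")))
            continue
        p = PROCESS_RE.search(msg)
        if p:
            t.processes.append((p.group("name"), int(p.group("pid")), int(p.group("ppid"))))
            continue
        k = TERMINATED_RE.search(msg)
        if k:
            t.terminated.add(int(k.group("pid")))
            continue
        if "Win32/Poweliks found" in msg:
            t.detected = True
            continue
        c = STATUS_RE.search(msg)
        if c:
            t.status = int(c.group("code"))
    return t


# Constructed sample in the layout of the log above (SID shortened; the
# flagged CLSID is the one the thread's log reports, flagged twice as there).
SAMPLE_LOG = r"""
[2014.11.10 08:52:13.709] - Begin
[2014.11.10 08:52:13.723] -
[2014.11.10 08:52:15.618] - INFO: Scanning for system infection...
[2014.11.10 08:52:15.842] - INFO: Processing clsid [\Registry\User\S-1-5-21-EXAMPLE-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.10 08:52:15.842] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-EXAMPLE-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.10 08:52:15.843] - WARNING: Found suspicous classid [\Registry\User\S-1-5-21-EXAMPLE-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.10 08:52:15.914] - INFO: Win32/Poweliks found
[2014.11.10 08:52:30.052] - INFO: process: dllhost.exe, pid 7600, parent 4368
[2014.11.10 08:52:30.056] - INFO: Terminated process pid = 7600
[2014.11.10 08:52:30.060] - INFO: Deleted classid [\Registry\User\S-1-5-21-EXAMPLE-1001\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}]
[2014.11.10 08:52:30.084] - INFO: Cleaning status: 0
[2014.11.10 08:52:38.234] - End
"""

if __name__ == "__main__":
    t = triage_log(SAMPLE_LOG)
    print("detected:", t.detected, "status:", t.status)
    print("flagged:", sorted(t.suspicious), "remaining:", sorted(t.remaining))
    print("processes:", t.processes, "terminated:", sorted(t.terminated))
    print("cleaned:", t.cleaned())
```

A log that flags a CLSID but never reports it deleted, or that ends with a non-zero status, comes back as not cleaned, which is the case worth re-checking with a second scan.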
 



#10 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:24 AM

Posted 12 November 2014 - 04:18 PM

That is fine.



Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Analyst.
Do not run ComboFix on your own!


Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
If you are a user of CD emulation software (like Daemon Tools or Alcohol), also disable it for the cleaning process - instructions here.
  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install the Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).
Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
Don't forget to re-enable your previously switched-off protection software!

Radek Naathim Pawelczyk

Malware Removal Specialist

 



#11 hertelbd

hertelbd
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 13 November 2014 - 12:29 PM

ComboFix 14-11-12.01 - Pastor 11/13/2014  11:12:21.1.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.1791.1115 [GMT -6:00]
Running from: c:\users\Pastor\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Thumbs.db
.
.
(((((((((((((((((((((((((   Files Created from 2014-10-13 to 2014-11-13  )))))))))))))))))))))))))))))))
.
.
2014-11-13 17:21 . 2014-11-13 17:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-11-12 20:52 . 2014-11-12 20:53 -------- d-----w- C:\FRST
2014-11-12 14:26 . 2014-11-12 14:26 -------- d-sh--w- c:\users\Pastor\AppData\Local\EmieBrowserModeList
2014-11-11 23:48 . 2014-10-18 01:33 571904 ----a-w- c:\windows\system32\oleaut32.dll
2014-11-09 00:52 . 2014-10-20 08:37 8901368 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{845F62FE-8586-4B19-A324-9B08F395F411}\mpengine.dll
2014-11-06 16:22 . 2014-11-09 22:18 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-06 16:22 . 2014-11-06 16:22 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-11-06 16:22 . 2014-11-06 16:22 -------- d-----w- c:\programdata\Malwarebytes
2014-11-06 16:22 . 2014-10-01 17:11 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-06 16:22 . 2014-10-01 17:11 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-06 16:22 . 2014-10-01 17:11 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-06 16:20 . 2014-11-06 16:20 -------- d-----w- c:\users\Pastor\AppData\Local\Programs
2014-10-30 19:59 . 2014-10-31 16:48 -------- d-----w- c:\users\Pastor\AppData\Local\Okhics
2014-10-30 19:59 . 2014-10-31 16:48 -------- d-----w- c:\users\Pastor\AppData\Local\YgPack
2014-10-23 13:34 . 2014-10-23 13:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2014-10-23 13:34 . 2014-10-23 13:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2014-10-23 13:34 . 2014-10-23 13:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2014-10-23 13:34 . 2014-10-23 13:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2014-10-23 13:34 . 2014-10-23 13:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2014-10-23 13:34 . 2014-10-23 13:34 -------- d-----w- c:\program files\QuickTime
2014-10-23 13:29 . 2014-10-23 13:29 -------- d-----w- c:\program files\iPod
2014-10-23 13:29 . 2014-10-23 13:29 -------- d-----w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-10-23 13:29 . 2014-10-23 13:29 -------- d-----w- c:\program files\iTunes
2014-10-21 16:01 . 2014-10-21 16:41 -------- d--h--w- c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2014-10-15 20:07 . 2014-09-04 05:04 372736 ----a-w- c:\windows\system32\rastls.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-11 20:26 . 2012-04-12 15:56 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-11-11 20:26 . 2011-06-19 12:40 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-28 11:35 . 2011-05-14 18:19 229000 ------w- c:\windows\system32\MpSigStub.exe
2014-10-02 19:23 . 2014-10-02 19:23 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2014-10-02 19:23 . 2014-10-02 19:23 69632 ----a-w- c:\windows\system32\QuickTime.qts
2014-09-25 01:40 . 2014-10-01 14:39 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-09-09 21:47 . 2014-09-23 18:02 2048 ----a-w- c:\windows\system32\tzres.dll
2014-08-23 01:46 . 2014-08-28 14:36 305152 ----a-w- c:\windows\system32\gdi32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Spotify Web Helper"="c:\users\Pastor\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-12-02 1168896]
"GoogleChromeAutoLaunch_2C8F01A3E5E6A707EBE084C7FAB0E45B"="c:\program files\Google\Chrome\Application\chrome.exe" [2014-10-22 854344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2010-09-28 664600]
"HP KEYBOARDx"="c:\program files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE" [2010-02-11 710656]
"HP Remote Solution"="c:\program files\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896]
"BATINDICATOR"="c:\program files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe" [2009-05-09 2068992]
"LaunchHPOSIAPP"="c:\program files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe" [2009-04-04 385024]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-10-11 60712]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-11-19 2598520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-10-15 157480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-10-02 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCPluginUpdater"="c:\program files\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" [2014-10-22 21720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-11-06 102912]
R3 OxPPort;OxPPort;c:\windows\system32\DRIVERS\OxPPort.sys [2008-07-31 82048]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-06 1343400]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2012-04-19 24896]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2012-01-31 31952]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2012-11-08 250080]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2013-04-11 302368]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2013-10-16 5175856]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2013-11-05 92160]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2010-09-28 1119768]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2010-11-17 13880]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2012-12-10 142176]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [2011-12-23 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2011-12-23 17232]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-10-27 18:40 1089352 ----a-w- c:\program files\Google\Chrome\Application\38.0.2125.111\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 20:26]
.
2014-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-07-08 16:30]
.
2014-11-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-07-08 16:30]
.
2014-10-30 c:\windows\Tasks\HPCeeScheduleForPASTOR-HP$.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 10:43]
.
2014-11-10 c:\windows\Tasks\HPCeeScheduleForPastor.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 10:43]
.
2013-01-27 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-21 21:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://centurylink.net/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: //about.htm/
Trusted Zone: //Exclude.htm/
Trusted Zone: //FWEvent.htm/
Trusted Zone: //LanguageSelection.htm/
Trusted Zone: //Message.htm/
Trusted Zone: //MyAgttryCmd.htm/
Trusted Zone: //MyAgttryNag.htm/
Trusted Zone: //MyNotification.htm/
Trusted Zone: //NOCLessUpdate.htm/
Trusted Zone: //quarantine.htm/
Trusted Zone: //ScanNow.htm/
Trusted Zone: //strings.vbs/
Trusted Zone: //Template.htm/
Trusted Zone: //Update.htm/
Trusted Zone: //VirFound.htm/
Trusted Zone: mcafee.com\*
Trusted Zone: mcafeeasap.com\betavscan
Trusted Zone: mcafeeasap.com\vs
Trusted Zone: mcafeeasap.com\www
TCP: DhcpNameServer = 10.0.0.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-ROC_ROC_APR2013_AV - c:\users\Pastor\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe
HKLM-Run-LogMeIn GUI - c:\program files\LogMeIn\x86\LogMeInSystray.exe
HKLM-Run-SMessaging - c:\users\Pastor\AppData\Local\Strongvault Online Backup\SMessaging.exe
AddRemove-{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE} - c:\program files\InstallShield Installation Information\{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE}\setup.exe
AddRemove-{F868C16D-75F8-4EE8-BCBF-422D0833415D}_is1 - c:\program files\OpenPlsInWMP\unins000.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-11-13  11:26:53
ComboFix-quarantined-files.txt  2014-11-13 17:26
.
Pre-Run: 184,368,459,776 bytes free
Post-Run: 184,334,995,456 bytes free
.
- - End Of File - - 838AD3615FF002E482D5D265B8CD2F6C
E61EFF7C9C0065A570E667F6CA896A90
 



#12 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:24 AM

Posted 14 November 2014 - 02:36 AM

Are you sure that AVG2012 will protect you from modern threats?


Fix with ComboFix

Let's prepare a script for ComboFix to mark some things for deletion.
  • Press the Windows key + R on your keyboard at the same time.
  • A Run window should appear in the lower left corner. Type in notepad.exe and press Enter.
  • In the shown window paste in the following script:
    Folder::
    c:\users\Pastor\AppData\Local\Okhics
    c:\users\Pastor\AppData\Local\YgPack
    
    DirLook::
    c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
    c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
    
    DDS::
    uInternet Settings,ProxyOverride = *.local
    
    Domains::
    
  • Go to File menu and select Save as.
  • Make sure that the Save as type option is set to Text files (*.txt) and the place to save will be your desktop.
  • Name the file CFScript and select Save.
Your CFScript.txt file should appear on your desktop.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Now drag your CFScript file and drop it onto the ComboFix icon.
  • This will start ComboFix. Let it run uninterrupted!
  • A reboot may be needed during this run. Allow it.
  • When finished, it shall produce a log for you at C:\ComboFix.txt and display it.
Please include that log in your next reply.

If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
Do not forget to turn on your previously switched-off protection software!

Radek Naathim Pawelczyk

Malware Removal Specialist

 



#13 hertelbd

hertelbd
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 14 November 2014 - 09:16 AM

Well, obviously, I'm not sure anymore since I was infected! :)
I hope to be able to run some checks every now and then and that will take care of things, in the future.



#14 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:04:24 AM

Posted 14 November 2014 - 09:23 AM

I will have some more recommendations later, when we finish the cleaning :)

Do the ComboFix action please.

Radek Naathim Pawelczyk

Malware Removal Specialist

 



#15 hertelbd

hertelbd
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:09:24 PM

Posted 14 November 2014 - 11:04 AM

ComboFix 14-11-12.01 - Pastor 11/14/2014   8:50.2.2 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.1791.1034 [GMT -6:00]
Running from: c:\users\Pastor\Desktop\ComboFix.exe
Command switches used :: c:\users\Pastor\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Pastor\AppData\Local\Okhics
c:\users\Pastor\AppData\Local\Okhics\AXSLE.1
c:\users\Pastor\AppData\Local\YgPack
c:\users\Pastor\AppData\Local\YgPack\DWANative.1
.
.
(((((((((((((((((((((((((   Files Created from 2014-10-14 to 2014-11-14  )))))))))))))))))))))))))))))))
.
.
2014-11-14 14:58 . 2014-11-14 14:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-11-12 20:52 . 2014-11-12 20:53 -------- d-----w- C:\FRST
2014-11-12 14:26 . 2014-11-12 14:26 -------- d-sh--w- c:\users\Pastor\AppData\Local\EmieBrowserModeList
2014-11-11 23:48 . 2014-10-18 01:33 571904 ----a-w- c:\windows\system32\oleaut32.dll
2014-11-09 00:52 . 2014-10-20 08:37 8901368 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{845F62FE-8586-4B19-A324-9B08F395F411}\mpengine.dll
2014-11-06 16:22 . 2014-11-09 22:18 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-06 16:22 . 2014-11-06 16:22 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-11-06 16:22 . 2014-11-06 16:22 -------- d-----w- c:\programdata\Malwarebytes
2014-11-06 16:22 . 2014-10-01 17:11 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-06 16:22 . 2014-10-01 17:11 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-06 16:22 . 2014-10-01 17:11 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-06 16:20 . 2014-11-06 16:20 -------- d-----w- c:\users\Pastor\AppData\Local\Programs
2014-10-23 13:34 . 2014-10-23 13:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2014-10-23 13:34 . 2014-10-23 13:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2014-10-23 13:34 . 2014-10-23 13:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2014-10-23 13:34 . 2014-10-23 13:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2014-10-23 13:34 . 2014-10-23 13:34 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2014-10-23 13:34 . 2014-10-23 13:34 -------- d-----w- c:\program files\QuickTime
2014-10-23 13:29 . 2014-10-23 13:29 -------- d-----w- c:\program files\iPod
2014-10-23 13:29 . 2014-10-23 13:29 -------- d-----w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB
2014-10-23 13:29 . 2014-10-23 13:29 -------- d-----w- c:\program files\iTunes
2014-10-21 16:01 . 2014-10-21 16:41 -------- d--h--w- c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2014-10-15 20:07 . 2014-09-04 05:04 372736 ----a-w- c:\windows\system32\rastls.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-11 20:26 . 2012-04-12 15:56 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-11-11 20:26 . 2011-06-19 12:40 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-28 11:35 . 2011-05-14 18:19 229000 ------w- c:\windows\system32\MpSigStub.exe
2014-10-02 19:23 . 2014-10-02 19:23 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2014-10-02 19:23 . 2014-10-02 19:23 69632 ----a-w- c:\windows\system32\QuickTime.qts
2014-09-25 01:40 . 2014-10-01 14:39 519680 ----a-w- c:\windows\system32\qdvd.dll
2014-09-09 21:47 . 2014-09-23 18:02 2048 ----a-w- c:\windows\system32\tzres.dll
2014-08-23 01:46 . 2014-08-28 14:36 305152 ----a-w- c:\windows\system32\gdi32.dll
.
.
((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4} ----
.
2014-10-21 16:01 . 2014-10-21 16:03 226120 ---ha-w- c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}\333c1a3f07c8a
.
---- Directory of c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB ----
.
2014-10-23 13:30 . 2014-10-23 13:30 3982 ----a-w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB\x86\DIFxInstallLog.txt
2012-10-08 21:19 . 2012-10-08 21:19 115672 ----a-w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB\x86\DifXInst32.exe
2012-10-08 21:19 . 2012-10-08 21:19 1977816 ----a-w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB\GEARDIFx.exe
2012-10-03 21:14 . 2012-10-03 21:14 323464 ----a-w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB\x86\DIFxAPI.dll
2012-10-03 21:14 . 2012-10-03 21:14 106928 ----a-w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB\x86\GEARAspi.dll
2012-10-03 21:14 . 2012-10-03 21:14 2704 ----a-w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB\x86\GEARAspiWDM.inf
2012-10-03 21:14 . 2012-10-03 21:14 7587 ----a-w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB\x86\gearaspiwdmx86.cat
2012-10-03 21:14 . 2012-10-03 21:14 26840 ----a-w- c:\programdata\B0FFCDD9-5261-4e59-B29A-17A4FABDEBAB\x86\x86\GEARAspiWDM.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"Spotify Web Helper"="c:\users\Pastor\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2013-12-02 1168896]
"GoogleChromeAutoLaunch_2C8F01A3E5E6A707EBE084C7FAB0E45B"="c:\program files\Google\Chrome\Application\chrome.exe" [2014-10-22 854344]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2010-09-28 664600]
"HP KEYBOARDx"="c:\program files\Hewlett-Packard\HP Desktop Keyboard\HPKEYBOARDx.EXE" [2010-02-11 710656]
"HP Remote Solution"="c:\program files\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe" [2009-08-25 656896]
"BATINDICATOR"="c:\program files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\BATINDICATOR.exe" [2009-05-09 2068992]
"LaunchHPOSIAPP"="c:\program files\Hewlett-Packard\HP MAINSTREAM KEYBOARD\LaunchApp.exe" [2009-04-04 385024]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2014-10-11 60712]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-11-19 2598520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2014-10-15 157480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2014-10-02 421888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NCPluginUpdater"="c:\program files\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe" [2014-10-22 21720]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [2013-10-16 5175856]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [x]
R2 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-11-06 102912]
R3 OxPPort;OxPPort;c:\windows\system32\DRIVERS\OxPPort.sys [2008-07-31 82048]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-06 1343400]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2008-07-11 47128]
R4 RsFx0102;RsFx0102 Driver;c:\windows\system32\DRIVERS\RsFx0102.sys [2008-07-10 242712]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2008-07-11 369688]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2012-04-19 24896]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2012-01-31 31952]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2012-11-08 250080]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2013-04-11 302368]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [2012-02-14 193288]
S2 HP Support Assistant Service;HP Support Assistant Service;c:\program files\Hewlett-Packard\HP Support Framework\hpsa_service.exe [2013-11-05 92160]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [2010-09-28 1119768]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2010-11-17 13880]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2012-12-10 142176]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\avgidsfilterx.sys [2011-12-23 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2011-12-23 17232]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-10-27 18:40 1089352 ----a-w- c:\program files\Google\Chrome\Application\38.0.2125.111\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 20:26]
.
2014-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-07-08 16:30]
.
2014-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2014-07-08 16:30]
.
2014-10-30 c:\windows\Tasks\HPCeeScheduleForPASTOR-HP$.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 10:43]
.
2014-11-14 c:\windows\Tasks\HPCeeScheduleForPastor.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15 10:43]
.
2013-01-27 c:\windows\Tasks\ROC_REG_JAN_DELETE.job
- c:\programdata\AVG January 2013 Campaign\ROC.exe [2013-01-21 21:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://centurylink.net/
TCP: DhcpNameServer = 10.0.0.1
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-11-14  08:59:21
ComboFix-quarantined-files.txt  2014-11-14 14:59
ComboFix2.txt  2014-11-13 17:27
.
Pre-Run: 184,377,049,088 bytes free
Post-Run: 184,329,629,696 bytes free
.
- - End Of File - - FE467EE609F7A600B788CE5D2A527B5F
E61EFF7C9C0065A570E667F6CA896A90
 





