Can't Remove Virus Win64/Patched.C with infected rpcss.dll file


  • This topic is locked
13 replies to this topic

#1 prestonjjrtr

  • Members
  • 17 posts

Posted 30 November 2014 - 10:30 PM

For a while now, AVG has identified a virus that it is unable to remove. The exact message is "Virus identified Win64/Patched.C" with "c:\Windows\System32\rpcss.dll". AVG found the following registry keys with reference to the infected file C:\Windows\system32\rpcss.dll:

HKLM\SYSTEM\ControlSet001\services\DcomLaunch
HKLM\SYSTEM\ControlSet001\services\RpcSs
HKLM\SYSTEM\ControlSet002\services\DcomLaunch
HKLM\SYSTEM\ControlSet002\services\RpcSs

AVG has been unable to remove the threat. I tried running Malwarebytes and it was unable to remove it either.

In addition, I tried searching for rpcss.dll with the FRST tool and it would hang and never complete.

I have a Windows 7 64-bit computer with IE 9.

Thanks for your help, time and efforts in helping me resolve this problem.

Joellen

Here are the logs:

FRST.txt info

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-11-2014 01
Ran by Joellen (administrator) on JOELLEN-HP on 30-11-2014 20:49:54
Running from C:\Users\Joellen\Desktop
Loaded Profile: Joellen (Available profiles: Joellen)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2012\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2012\avgfws.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(PDF Complete Inc) C:\Program Files (x86)\PDF Complete\pdfsvc.exe
(Roxio) C:\Program Files (x86)\Roxio\RoxioNow Player\RNowSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Apricorn) C:\Program Files (x86)\Apricorn\SMART-ER\SMART-ER Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\WINDOWS LIVE\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\WINDOWS LIVE\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
() C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\ModLEDKey.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2012\avgemca.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(Apricorn) C:\Program Files (x86)\Apricorn\SMART-ER\SMART-ER.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\CNYHKEY.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_15_0_0_152_ActiveX.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-01-14] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [BATINDICATOR] => C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\BATINDICATOR.exe
HKLM-x32\...\Run: [LaunchHPOSIAPP] => C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\LaunchApp.exe [385024 2009-04-03] (Hewlett-Packard)
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [656920 2011-02-01] (PDF Complete Inc)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [AVG_TRAY] => C:\Program Files (x86)\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-11-11] (Hewlett-Packard)
HKU\S-1-5-21-772605068-1663628801-3090605291-1000\...\MountPoints2: {da0afe8d-b1dd-11e0-b87e-e069958d31c5} - J:\unlock.exe autoplay=true
HKU\S-1-5-18\...\RunOnce: [FlashPlayerUpdate] => C:\Windows\system32\Macromed\Flash\FlashUtil64_15_0_0_152_ActiveX.exe [540336 2014-09-15] (Adobe Systems Incorporated)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SMART-ER.lnk
ShortcutTarget: SMART-ER.lnk -> C:\Program Files (x86)\Apricorn\SMART-ER\SMART-ER.exe (Apricorn)
BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart
==================== Internet (Whitelisted) ====================
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
HKU\S-1-5-21-772605068-1663628801-3090605291-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/sch/ebayadvsearch/?rt=nc
HKU\S-1-5-21-772605068-1663628801-3090605291-1000\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPDSK/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPDSK/1
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPDSK/1
URLSearchHook: HKU\S-1-5-21-772605068-1663628801-3090605291-1000 - (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {26528B36-1695-4908-84F2-6E570AAAAB86} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {26528B36-1695-4908-84F2-6E570AAAAB86} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-772605068-1663628801-3090605291-1000 -> DefaultScope {EC2F27A6-B3A7-44D4-843C-9815A218BEF9} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
SearchScopes: HKU\S-1-5-21-772605068-1663628801-3090605291-1000 -> {26528B36-1695-4908-84F2-6E570AAAAB86} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-772605068-1663628801-3090605291-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.com/web?q={searchterms}&l=dis&o=HPDTDF
SearchScopes: HKU\S-1-5-21-772605068-1663628801-3090605291-1000 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-772605068-1663628801-3090605291-1000 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-772605068-1663628801-3090605291-1000 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=http://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-772605068-1663628801-3090605291-1000 -> {EC2F27A6-B3A7-44D4-843C-9815A218BEF9} URL = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
BHO: AVG Do Not Track -> {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -> C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll (AVG Technologies CZ, s.r.o.)
BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files (x86)\AVG\AVG2012\avgssiea.dll (AVG Technologies CZ, s.r.o.)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO-x32: AVG Do Not Track -> {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -> C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll (AVG Technologies CZ, s.r.o.)
BHO-x32: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files (x86)\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
BHO-x32: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Bing Bar BHO -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
Toolbar: HKLM-x32 - No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKU\S-1-5-21-772605068-1663628801-3090605291-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-772605068-1663628801-3090605291-1000 -> No Name - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Toolbar: HKU\S-1-5-21-772605068-1663628801-3090605291-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
DPF: HKLM-x32 {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect114a.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgppa.dll (AVG Technologies CZ, s.r.o.)
Handler-x32: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.40.2 -> C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.40.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.5.1 -> C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.5.1 -> C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpWinExt,version=5.0 -> C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\npwinext.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\1\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-772605068-1663628801-3090605291-1000: @hulu.com/Hulu Desktop -> C:\Windows\..\Users\Default\AppData\Local\HuluDesktop\instances\0.9.13.1\npHDPlg.dll (Hulu LLC)
FF HKLM-x32\...\Firefox\Extensions: [msntoolbar@msn.com] - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\Firefox
FF Extension: Bing Bar - C:\Program Files (x86)\MSN Toolbar\Platform\6.0.2282.0\Firefox [2011-04-20]
FF HKLM-x32\...\Firefox\Extensions: [{27182e60-b5f3-411c-b545-b44205977502}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension
FF Extension: Search Helper Extension - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension [2011-04-20]
FF HKLM-x32\...\Firefox\Extensions: [{3252b9ae-c69a-4eaf-9502-dc9c1f6c009e}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension
FF Extension: Default Manager - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DMExtension [2011-04-20]
FF HKLM-x32\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files (x86)\AVG\AVG2012\Firefox4
FF Extension: AVG Safe Search - C:\Program Files (x86)\AVG\AVG2012\Firefox4 [2012-05-17]
FF HKLM-x32\...\Firefox\Extensions: [{F53C93F1-07D5-430c-86D4-C9531B27DFAF}] - C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack
FF Extension: AVG Do Not Track - C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack [2012-05-17]
Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [jmfkcklnlgedgbglfkkgedjfmejoahla] - C:\Program Files (x86)\AVG\AVG2012\Chrome\safesearch.crx [2012-07-26]
CHR HKLM-x32\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\Program Files (x86)\AVG\AVG2012\Chrome\donottrack.crx [2012-04-20]
==================== Services (Whitelisted) =================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
S3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
R2 avgfws; C:\Program Files (x86)\AVG\AVG2012\avgfws.exe [2322000 2014-11-04] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [5175856 2013-10-16] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
S2 CLKMSVC10_38F51D56; c:\Program Files (x86)\Cyberlink\PowerDVD10\NavFilter\kmsvc.exe [241648 2011-01-25] (CyberLink)
R2 DcomLaunch; C:\Windows\system32\rpcss.dll [528384 2010-11-20] (Microsoft Corporation) [File not signed]
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company) [File not signed]
R2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1127448 2011-02-01] (PDF Complete Inc)
R2 RpcSs; C:\Windows\system32\rpcss.dll [528384 2010-11-20] (Microsoft Corporation) [File not signed]
R2 SMART-ERService; C:\Program Files (x86)\Apricorn\SMART-ER\SMART-ER Service.exe [69632 2007-06-04] (Apricorn) [File not signed]
==================== Drivers (Whitelisted) ====================
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [48992 2011-05-23] (AVG Technologies CZ, s.r.o.)
R3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [127328 2012-12-10] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384800 2014-11-04] (AVG Technologies CZ, s.r.o.)
S3 WDC_SAM; C:\Windows\System32\DRIVERS\wdcsam64.sys [14464 2009-02-13] (Western Digital Technologies) [File not signed]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
==================== NetSvcs (Whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-11-30 20:49 - 2014-11-30 20:50 - 00021146 _____ () C:\Users\Joellen\Desktop\FRST.txt
2014-11-30 20:47 - 2014-11-30 20:48 - 02117120 _____ (Farbar) C:\Users\Joellen\Desktop\FRST64.exe
2014-11-30 16:50 - 2014-11-30 16:50 - 19828376 _____ (Malwarebytes Corporation ) C:\Users\Joellen\Desktop\mbam-setup-2.0.3.1025.exe
2014-11-30 16:10 - 2014-11-30 16:10 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{FD72F17D-9865-47D9-AA67-D83DF995C0F4}
2014-11-29 20:29 - 2014-11-29 20:29 - 00000000 _____ () C:\autoexec.bat
2014-11-29 19:51 - 2014-11-29 19:51 - 02998656 _____ (Enigma Software Group USA, LLC.) C:\Users\Joellen\Desktop\SpyHunter-Installer.exe
2014-11-29 13:25 - 2014-11-29 13:25 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{EF8A8775-7499-4909-BC96-8E308EA62BA3}
2014-11-28 12:20 - 2014-11-28 12:20 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{F7D2BEC1-9012-49F0-915A-7BAD4906A445}
2014-11-27 14:48 - 2014-11-27 14:48 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{540B1070-2CDA-4B71-8D91-80ADAA2917D9}
2014-11-27 00:44 - 2014-11-27 00:44 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{E838A7D7-C140-421C-A46F-CAE3E978E1D5}
2014-11-26 23:31 - 2014-11-26 23:31 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{0D11B453-A782-4CB7-A3F1-4E1082730564}
2014-11-26 23:22 - 2014-11-26 23:23 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{637E214B-804C-424E-B440-0AABEDFC45C7}
2014-11-26 09:47 - 2014-11-26 09:47 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{FAEE8DE9-627A-41E1-9F3E-8D25D63BE3DA}
2014-11-25 16:21 - 2014-11-25 16:21 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{CB9BC817-9FD5-411A-ACCC-36E4829191FE}
2014-11-25 13:14 - 2014-11-25 13:14 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{5DC9BA22-3320-474C-A1EB-41EC9F911A61}
2014-11-25 13:10 - 2014-11-25 13:10 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{106F6D97-3DB0-4EC6-81D8-9FBF0794FF0C}
2014-11-25 01:05 - 2014-11-25 01:05 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{6D2CB7B8-7E5E-4C07-90EF-D49F6C151AA3}
2014-11-24 10:10 - 2014-11-24 10:10 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{F953C331-480C-4920-93A7-1A578BAAFB15}
2014-11-23 12:51 - 2014-11-23 12:52 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{8CE9D550-8BA6-4C3C-8C75-FA91AD0A771E}
2014-11-23 00:15 - 2014-11-23 00:15 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{9CBEDF2E-1016-437B-B2A8-398EDCD2C003}
2014-11-22 23:47 - 2014-11-22 23:47 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{CD724A3C-DE7D-461B-9365-9F2EBF94FC9B}
2014-11-22 17:20 - 2014-11-22 17:20 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{3914E2E4-D3CF-4148-BA56-979F08EA9287}
2014-11-22 16:56 - 2014-11-22 16:56 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{706AD2B6-7C70-4354-B237-07257152A073}
2014-11-22 12:58 - 2014-11-22 12:58 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{5E9B9DAD-800C-4345-984D-3DB1E9A8614A}
2014-11-21 09:30 - 2014-11-21 09:31 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{C8E14328-74A8-436C-B536-35CFB88FB211}
2014-11-20 17:12 - 2014-11-20 17:12 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{A8C80AD1-7A60-450C-BCDD-1B3177E6BF4A}
2014-11-20 09:44 - 2014-11-20 09:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-11-19 23:19 - 2014-11-19 23:20 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{5AA39B51-43E7-4CD6-83C8-B506F870C956}
2014-11-19 16:51 - 2014-11-19 16:51 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{D5FF15E1-F65E-42F7-B31F-6C2B422A4E19}
2014-11-19 12:31 - 2014-11-19 12:31 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{22993F26-FC0E-414E-87A4-9EF9CC08084D}
2014-11-18 23:26 - 2014-11-18 23:27 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{438DD4B3-050C-407F-B189-1BF78E6B531F}
2014-11-18 10:02 - 2014-11-18 10:02 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{77F8136E-7245-4436-ADB7-1696B8FA227B}
2014-11-17 21:52 - 2014-11-17 21:52 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{7B4E3599-6C71-4AF9-91CC-0A4A664CB612}
2014-11-17 09:50 - 2014-11-17 09:51 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{FDEB1C38-2861-456B-98A0-20E7F4B6869B}
2014-11-16 14:02 - 2014-11-16 14:02 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{D2CF354B-60C1-4AC9-9734-E33F8CC45396}
2014-11-16 13:27 - 2014-11-16 13:28 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{60362CFE-A547-4F44-AE50-C8DD13BF6249}
2014-11-15 17:36 - 2014-11-15 17:36 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{899D614F-CD67-4BDB-9EFB-4CB833ACEA39}
2014-11-14 22:57 - 2014-11-14 22:57 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{9B63553A-0250-47E0-9BAF-CA253B04C8FF}
2014-11-14 10:09 - 2014-11-14 10:10 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{733B3790-1C55-4F47-BE63-7852993BC49D}
2014-11-13 09:01 - 2014-11-13 09:01 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{51E89CE3-93B3-45F6-B002-E4FDCD6393ED}
2014-11-12 13:33 - 2014-11-12 13:33 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{BC589F50-3342-4388-9356-7370A79E9952}
2014-11-11 22:58 - 2014-11-11 22:58 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{4C2C3163-46FD-49B4-9B21-B2C53B71EC8C}
2014-11-11 09:40 - 2014-11-11 09:40 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{7F6E0195-7D71-4CB0-8815-9F99ABCE0729}
2014-11-11 08:57 - 2014-11-11 08:57 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{FAB12BFD-D575-455A-85AD-BC256FC03C39}
2014-11-10 20:42 - 2014-11-10 20:42 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{87B84611-02FA-4335-95AB-B55152F2FBE0}
2014-11-10 08:31 - 2014-11-10 08:31 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{4BBE8E27-F21B-4A5F-B833-AB393FDC21F6}
2014-11-09 12:19 - 2014-11-09 12:19 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{1D462FB8-C5C9-4D71-AE5F-580C17368EFC}
2014-11-08 11:33 - 2014-11-08 11:33 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{F9C12D14-BDF3-4272-A500-45745C97F776}
2014-11-07 23:32 - 2014-11-07 23:32 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{4D75E2AE-21EB-4815-8FF2-5D35431CA086}
2014-11-07 09:23 - 2014-11-07 09:23 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{29784FFC-42C7-4286-8FA4-CD94B6FB48E0}
2014-11-06 18:08 - 2014-11-06 18:08 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{F549E9EB-7693-4BD1-995A-C668970F3F82}
2014-11-06 17:28 - 2014-11-06 17:29 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{3CA06EB3-A6F5-417F-ABEE-CF2B4CBB171B}
2014-11-05 23:35 - 2014-11-05 23:36 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{2CAB1ADC-BAA4-43FB-AB66-FE7C4FB7BBD4}
2014-11-05 11:11 - 2014-11-05 11:11 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{A51B2A59-78B7-4222-ABCC-671697ACB81E}
2014-11-04 23:29 - 2014-11-04 23:29 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{06218C1F-C27D-4D43-B359-3D88ECF3969C}
2014-11-04 09:56 - 2014-11-04 09:56 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{CCD283E0-59A7-4513-84EC-B2B7F94E0C70}
2014-11-04 00:33 - 2014-11-04 00:33 - 00384800 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\Drivers\avgtdia.sys
2014-11-03 21:25 - 2014-11-03 21:25 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{135C5BE6-BCEF-4435-98DD-3D2800B4D6B2}
2014-11-03 08:58 - 2014-11-03 08:58 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{E46B3FE4-C4E1-42E6-A828-1674AFA48146}
2014-11-02 23:51 - 2014-11-02 23:52 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{470074CD-BFE7-423B-891B-A844798EA055}
2014-11-02 11:13 - 2014-11-02 11:13 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{C9F2D3DC-BB35-4A86-8891-54BFE3209F92}
2014-11-01 22:52 - 2014-11-01 22:52 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{3A9A566A-3C0A-4710-A9AF-109863B7A975}
2014-11-01 10:50 - 2014-11-01 10:50 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{7ED160F3-7D9B-4FC5-A9CB-1EDE1E98701B}
2014-10-31 21:43 - 2014-10-31 21:43 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{6FE0A6BB-4E33-4328-94B7-2E61DA6BC9BF}
2014-10-31 08:29 - 2014-10-31 08:30 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{D00DE9BC-17A9-45FA-B672-946154CE42DA}
==================== One Month Modified Files and Folders =======
(If an entry is included in the fixlist, the file\folder will be moved.)
2014-11-30 20:49 - 2014-09-26 18:02 - 00000000 ____D () C:\FRST
2014-11-30 20:28 - 2009-07-13 22:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-30 20:28 - 2009-07-13 22:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-30 20:25 - 2011-07-14 22:06 - 02096848 _____ () C:\Windows\WindowsUpdate.log
2014-11-30 20:21 - 2014-09-28 19:23 - 00000000 ___SD () C:\32788R22FWJFW
2014-11-30 20:21 - 2013-06-02 22:01 - 00000350 _____ () C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2014-11-30 20:21 - 2013-01-22 01:52 - 00000354 _____ () C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job
2014-11-30 20:21 - 2011-04-20 03:20 - 00000000 ____D () C:\ProgramData\PDFC
2014-11-30 20:20 - 2009-07-13 23:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-30 20:20 - 2009-07-13 22:51 - 00063471 _____ () C:\Windows\setupact.log
2014-11-30 20:05 - 2010-11-20 21:47 - 00086798 _____ () C:\Windows\PFRO.log
2014-11-30 20:04 - 2011-07-19 00:17 - 00000000 ____D () C:\Users\Joellen\AppData\Roaming\SoftGrid Client
2014-11-30 17:57 - 2009-07-13 23:13 - 00780156 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-30 17:34 - 2014-09-29 10:35 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-11-30 16:56 - 2013-04-13 04:15 - 00000000 ____D () C:\Users\Joellen\AppData\Roaming\Malwarebytes
2014-11-30 16:56 - 2013-04-13 04:15 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-30 03:26 - 2011-07-14 22:07 - 00000000 ____D () C:\Windows\system32\Drivers\AVG
2014-11-28 13:04 - 2014-05-30 01:06 - 00000340 _____ () C:\Windows\Tasks\HPCeeScheduleForJoellen.job
2014-11-28 02:10 - 2014-05-30 01:06 - 00003198 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForJoellen
2014-11-28 02:09 - 2011-10-28 19:04 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-11-28 02:09 - 2011-07-15 12:00 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-11-27 23:31 - 2011-07-17 22:32 - 00000000 ____D () C:\Users\Joellen\AppData\Local\CrashDumps
2014-11-20 09:44 - 2012-05-17 11:55 - 00000967 _____ () C:\Users\Public\Desktop\AVG 2012.lnk
2014-11-20 09:44 - 2011-07-14 21:53 - 00000000 ____D () C:\ProgramData\MFAData
2014-11-19 22:26 - 2012-01-29 21:22 - 00000000 ____D () C:\Windows\Minidump
2014-11-19 22:26 - 2011-04-20 03:33 - 00338262 ____N () C:\Windows\Minidump\111914-49062-01.dmp
2014-11-07 09:36 - 2011-07-19 00:37 - 00000000 ____D () C:\Users\Joellen\Documents\Joey
2014-11-05 23:42 - 2011-07-19 00:35 - 00000000 ____D () C:\Users\Joellen\Documents\Tommy
Some content of TEMP:
====================
C:\Users\Joellen\AppData\Local\Temp\avguidx.dll
C:\Users\Joellen\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Joellen\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Joellen\AppData\Local\Temp\iGearedHelper.dll
C:\Users\Joellen\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Joellen\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\Joellen\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe
C:\Users\Joellen\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Joellen\AppData\Local\Temp\Resource.exe
C:\Users\Joellen\AppData\Local\Temp\sp53904.exe
C:\Users\Joellen\AppData\Local\Temp\sp54931.exe
C:\Users\Joellen\AppData\Local\Temp\sp58915.exe
C:\Users\Joellen\AppData\Local\Temp\sp64126.exe
C:\Users\Joellen\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\Joellen\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Joellen\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Joellen\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Joellen\AppData\Local\Temp\~Unta13.exe

==================== Bamital & volsnap Check =================
(There is no automatic fix for files that do not pass verification.)
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll
[2010-11-20 21:24] - [2010-11-20 21:24] - 0528384 ____A (Microsoft Corporation) 897248AC2316B2C22589E01549B821F6
ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-11-25 01:55
==================== End Of Log ============================

FRST Addition.txt

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 30-11-2014 01
Ran by Joellen at 2014-11-30 20:51:25
Running from C:\Users\Joellen\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================
(If an entry is included in the fixlist, it will be removed.)
AV: AVG Internet Security 2012 (Enabled - Up to date) {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AS: AVG Internet Security 2012 (Enabled - Up to date) {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Internet Security 2012 (Enabled) {621CC794-9486-F902-D092-0484E8EA828B}
==================== Installed Programs ======================
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.3.9130 - Adobe Systems Inc.)
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Reader X (10.1.12) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.12 - Adobe Systems Incorporated)
Agatha Christie - Peril at End House (x32 Version: 2.2.0.95 - WildTangent) Hidden
ATI Catalyst Install Manager (HKLM\...\{9A6AD916-D45D-1D1C-E2C0-A0402F511999}) (Version: 3.0.808.0 - ATI Technologies, Inc.)
ATI Stream SDK v2 Developer (HKLM\...\{80C27FE9-C6C4-F5C8-EAD3-09E7E0102E78}) (Version: 2.2.0.0 - ATI Technologies Inc.)
AVG 2012 (HKLM\...\AVG) (Version: 2012.1.2249 - AVG Technologies)
AVG 2012 (Version: 12.0.4189 - AVG Technologies) Hidden
AVG 2012 (Version: 12.1.2249 - AVG Technologies) Hidden
Bejeweled 2 Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Bejeweled 3 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Bing Bar (HKLM-x32\...\{08234a0d-cf39-4dca-99f0-0c5cb496da81}) (Version: 6.0.2282.0 - Microsoft Corporation)
Bing Bar Platform (x32 Version: 6.0.2282.0 - Microsoft Corporation) Hidden
Bing Rewards Client Installer (x32 Version: 16.0.345.0 - Microsoft Corporation) Hidden
Blackhawk Striker 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blasterball 3 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Blio (HKLM-x32\...\{9368DDD5-CE7F-4BD7-A83A-F00FABE338EC}) (Version: 2.2.6699 - K-NFB Reading Technology, Inc.)
Bounce Symphony (x32 Version: 2.2.0.95 - WildTangent) Hidden
Build-a-lot 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
Cake Mania (x32 Version: 2.2.0.95 - WildTangent) Hidden
ccc-core-static (x32 Version: 2011.0113.2337.42366 - ATI) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
CyberLink PowerDVD 10 (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.1.2615 - CyberLink Corp.)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Diner Dash 2 Restaurant Rescue (x32 Version: 2.2.0.95 - WildTangent) Hidden
Dora's World Adventure (x32 Version: 2.2.0.95 - WildTangent) Hidden
Farm Frenzy (x32 Version: 2.2.0.95 - WildTangent) Hidden
FATE - The Traitor Soul (x32 Version: 2.2.0.95 - WildTangent) Hidden
H&R Block Standard 2011 (HKLM-x32\...\{5C52EC19-3B77-4B03-BBE8-E7F58ED92D73}) (Version: 11.01.6901 - HRB Technology, LLC.)
Hewlett-Packard ACLM.NET v1.2.2.3 (x32 Version: 1.00.0000 - Hewlett-Packard Company) Hidden
HP Games (HKLM-x32\...\WildTangent hp Master Uninstall) (Version: 1.0.2.4 - WildTangent)
HP Keyboard (HKLM-x32\...\{B40D7926-AE5F-41EA-8AC6-56C0E2F00E9D}) (Version: 1.5.0.4 - Hewlett-Packard)
HP LinkUp (HKLM-x32\...\{C1AD9241-3ADD-483F-914D-071F3E50855A}) (Version: 2.01.026 - Hewlett-Packard)
HP MediaSmart/TouchSmart Netflix (HKLM-x32\...\{BB760C1D-98F4-4E38-8CC4-3B67329AA981}) (Version: 1.0.6.0 - Hewlett-Packard)
HP MovieStore (HKLM-x32\...\{9008D736-35CA-40DB-A2BE-5F32D954E5AA}) (Version: 2.0 - Hewlett-Packard)
HP Odometer (HKLM-x32\...\{B8AC1A89-FFD1-4F97-8051-E505A160F562}) (Version: 2.10.0000 - Hewlett-Packard)
HP Officejet Pro 8500 A910 Basic Device Software (HKLM\...\{EE7C94CC-BECB-4000-B5E3-D895307B9D5E}) (Version: 22.50.231.0 - Hewlett-Packard Co.)
HP Officejet Pro 8500 A910 Help (HKLM-x32\...\{871B2A9D-0F12-44B3-88C1-E0CB10A232E4}) (Version: 140.0.2.2 - Hewlett Packard)
HP Officejet Pro 8500 A910 Product Improvement Study (HKLM\...\{0308919C-E317-4293-8D3C-97EF307BCDBC}) (Version: 22.50.231.0 - Hewlett-Packard Co.)
HP Product Detection (HKLM-x32\...\{F13FBD0E-5CE1-4A3F-A4F0-C8633CB7B4DD}) (Version: 11.10.1000 - HP)
HP Setup (HKLM-x32\...\{210A03F5-B2ED-4947-B27E-516F50CBB292}) (Version: 8.6.4530.3651 - Hewlett-Packard Company)
HP Setup Manager (HKLM-x32\...\{AE856388-AFAD-4753-81DF-D96B19D0A17C}) (Version: 1.1.13253.3682 - Hewlett-Packard Company)
HP Support Assistant (HKLM-x32\...\{E35A3B13-78CD-4967-8AC8-AA9FDA693EDE}) (Version: 7.4.45.4 - Hewlett-Packard Company)
HP Support Information (HKLM-x32\...\{7F2A11F4-EAE8-4325-83EC-E3E99F85169E}) (Version: 10.1.1000 - Hewlett-Packard)
HP Update (HKLM-x32\...\{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}) (Version: 5.002.006.003 - Hewlett-Packard)
HP Vision Hardware Diagnostics (HKLM\...\{D79A02E9-6713-4335-9668-AAC7474C0C0E}) (Version: 2.5.0.0 - Hewlett-Packard)
Hulu Desktop (HKU\S-1-5-21-772605068-1663628801-3090605291-1000\...\HuluDesktop) (Version: 0.9.13 - Hulu LLC)
HydraVision (x32 Version: 4.2.184.0 - ATI Technologies Inc.) Hidden
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Java 7 Update 40 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417040FF}) (Version: 7.0.400 - Oracle)
Java™ 7 Update 5 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217005FF}) (Version: 7.0.50 - Oracle)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Kobo (HKLM-x32\...\Kobo) (Version: 1.6 - Kobo Inc.)
LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.3609 - CyberLink Corp.)
LabelPrint (x32 Version: 2.5.3609 - CyberLink Corp.) Hidden
Mah Jong Medley (x32 Version: 2.2.0.95 - WildTangent) Hidden
Marketsplash Shortcuts (HKLM-x32\...\{16FCDD97-AE09-476B-88CD-261D852BD34C}) (Version: 1.0.1.7 - Hewlett-Packard)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20125.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Mystery P.I. - Stolen in San Francisco (x32 Version: 2.2.0.95 - WildTangent) Hidden
Namco All-Stars PAC-MAN (x32 Version: 2.2.0.95 - WildTangent) Hidden
PDF Complete Special Edition (HKLM-x32\...\PDF Complete) (Version: 4.0.35 - PDF Complete, Inc)
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
PlayReady PC Runtime x86 (HKLM-x32\...\{CCA5EAAD-92F4-4B7A-B5EE-14294C66AB61}) (Version: 1.3.0 - Microsoft Corporation)
Poker Superstars III (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Bowler (x32 Version: 2.2.0.95 - WildTangent) Hidden
Polar Golfer (x32 Version: 2.2.0.95 - WildTangent) Hidden
Power2Go (HKLM-x32\...\InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}) (Version: 6.1.4817 - CyberLink Corp.)
Power2Go (x32 Version: 6.1.4817 - CyberLink Corp.) Hidden
PressReader (HKLM-x32\...\{912CED74-88D3-4C5B-ACB0-132318649765}) (Version: 5.10.1217.0 - NewspaperDirect Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6387 - Realtek Semiconductor Corp.)
Recovery Manager (x32 Version: 5.5.3621 - CyberLink Corp.) Hidden
Remote Graphics Receiver (HKLM-x32\...\{16FC3056-90C0-4757-8A68-64D8DA846ADA}) (Version: 5.4.5 - Hewlett-Packard)
RoxioNow Player (HKLM-x32\...\{0EDEB615-1A60-425E-8306-0E10519C7B55}) (Version: 1.9.5.103 - RoxioNow)
Slingo Supreme (x32 Version: 2.2.0.95 - WildTangent) Hidden
SMART-ER (HKLM-x32\...\{AA3A6E2F-2A2D-43FC-9EBC-AB0FBA4B1DA7}) (Version: 2.0.0.4 - Apricorn)
Update Installer for WildTangent Games App (x32 Version: - WildTangent) Hidden
Virtual Villagers 4 - The Tree of Life (x32 Version: 2.2.0.95 - WildTangent) Hidden
Visual Studio 2008 x64 Redistributables (HKLM-x32\...\{FCDBEA60-79F0-4FAE-BBA8-55A26C609A49}) (Version: 10.0.0.2 - AVG Technologies)
Wheel of Fortune 2 (x32 Version: 2.2.0.95 - WildTangent) Hidden
WildTangent Games App (HP Games) (x32 Version: 4.0.5.21 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Zinio Reader 4 (HKLM-x32\...\ZinioReader4.9310D8F796442B71068C511E15D70529A702D19D.1) (Version: 4.0.3184 - Zinio LLC)
Zinio Reader 4 (x32 Version: 4.0.3184 - Zinio LLC) Hidden
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
==================== Custom CLSID (selected items): ==========================
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
CustomCLSID: HKU\S-1-5-21-772605068-1663628801-3090605291-1000_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\mpr.dll No File
CustomCLSID: HKU\S-1-5-21-772605068-1663628801-3090605291-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 -> C:\Windows\system32\shell32.dll (Microsoft Corporation)
==================== Restore Points =========================
11-07-2014 06:22:48 Scheduled Checkpoint
18-07-2014 07:06:28 Scheduled Checkpoint
26-07-2014 07:41:59 Scheduled Checkpoint
02-08-2014 12:53:27 Windows Update
10-08-2014 05:52:35 Scheduled Checkpoint
17-08-2014 08:02:49 Scheduled Checkpoint
25-08-2014 05:38:57 Scheduled Checkpoint
01-09-2014 07:42:19 Scheduled Checkpoint
09-09-2014 10:36:06 Scheduled Checkpoint
17-09-2014 07:38:27 Scheduled Checkpoint
24-09-2014 07:50:47 Scheduled Checkpoint
29-09-2014 03:20:15 ComboFix created restore point
06-10-2014 06:16:32 Scheduled Checkpoint
22-10-2014 01:57:04 Scheduled Checkpoint
29-10-2014 06:05:14 Scheduled Checkpoint
05-11-2014 07:03:03 Scheduled Checkpoint
12-11-2014 07:25:54 Scheduled Checkpoint
20-11-2014 06:27:24 Scheduled Checkpoint
27-11-2014 07:49:49 Scheduled Checkpoint
==================== Hosts content: ==========================
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
2009-07-13 20:34 - 2009-06-10 15:00 - 00000824 ____N C:\Windows\system32\Drivers\etc\hosts
==================== Scheduled Tasks (whitelisted) =============
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
Task: {09050E82-910C-4ECB-BA76-E9BB0B58A81A} - System32\Tasks\HPOSIAPP64 => C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\ModLEDKey.exe [2009-02-27] ()
Task: {18E22D66-7131-4A01-BDD7-EE8403E5DFE2} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv => C:\Windows\TEMP\{89ADA0F2-0C46-4DC7-9244-1058ADC3DA00}.exe
Task: {19DDD9B1-A1DC-42D3-9AD8-1D3CB6749946} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Warranty Opt-In(No) => c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\Detection_PostWarrantyAlert.exe [2014-01-14] (Hewlett-Packard)
Task: {2E1C3233-04FF-4A4D-BF1B-BA6667DBB2CB} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {2F09C407-EE2E-4D62-B0F5-88CADACC268A} - System32\Tasks\ROC_JAN2013_TB_rmv => C:\Program Files (x86)\AVG Secure Search\PostInstall\ROC.exe
Task: {3BE86E4C-F291-46E8-BBC7-F97CDA75437E} - System32\Tasks\Hewlett-Packard\HP Support Assistant\PC Health Analysis => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)
Task: {98133CAC-D151-4CD9-9043-658CED114553} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker_DeviceScan => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2014-10-21] (Hewlett-Packard)
Task: {AEDD60B2-583A-467C-8B63-E030795CBBCB} - System32\Tasks\HPCustParticipation HP Officejet Pro 8500 A910 => C:\Program Files\HP\HP Officejet Pro 8500 A910\Bin\HPCustPartic.exe [2010-11-16] (Hewlett-Packard Co.)
Task: {BAEB38EA-08BE-49D8-B03D-75C0E972B868} - System32\Tasks\HPCeeScheduleForJoellen => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2011-07-15] (Hewlett-Packard)
Task: {BBB23748-2A86-4834-A050-F6C8E49237D0} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Update Check => C:\ProgramData\Hewlett-Packard\HP Support Framework\Resources\Updater7\HPSFUpdater.exe [2014-05-12] (Hewlett-Packard Company)
Task: {DF79A679-984E-4916-96D4-B3D58655B019} - System32\Tasks\Hewlett-Packard\HP Support Assistant\WarrantyChecker => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPWarrantyCheck\HPWarrantyChecker.exe [2014-10-21] (Hewlett-Packard)
Task: {E2CF1F4A-6FD3-4196-BBA6-E11E7594462D} - System32\Tasks\Hewlett-Packard\HP Support Assistant\Warranty Opt-In(Yes) => c:\program files (x86)\hewlett-packard\hp health check\activecheck\product_line\Detection_PostWarrantyAlert.exe [2014-01-14] (Hewlett-Packard)
Task: {EFB7AA85-32A2-4E3F-9383-708FF4E1B8AF} - System32\Tasks\Hewlett-Packard\HP Support Assistant\HP Support Assistant Quick Start => C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSF.exe [2013-11-04] (Hewlett-Packard Company)
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{89ADA0F2-0C46-4DC7-9244-1058ADC3DA00}.exe
Task: C:\Windows\Tasks\HPCeeScheduleForJoellen.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job => C:\Program Files (x86)\AVG Secure Search\PostInstall\ROC.exe
==================== Loaded Modules (whitelisted) =============
2011-04-20 03:13 - 2009-02-27 20:13 - 00053248 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\ModLEDKey.exe
2011-01-14 00:36 - 2011-01-14 00:36 - 00243712 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2010-04-12 16:59 - 2010-04-12 16:59 - 00098304 ____R () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\Branding.dll
2010-12-22 10:54 - 2010-12-22 10:54 - 00028672 _____ () C:\Program Files (x86)\ATI Technologies\ATI.ACE\Branding\BrandingResources.dll
2011-04-20 03:13 - 2009-02-19 18:22 - 00028672 _____ () C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\WMINPUT.DLL
==================== Alternate Data Streams (whitelisted) =========
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PEVSystemStart => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\procexp90.Sys => ""="Driver"
==================== EXE Association (whitelisted) =============
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========
(Currently there is no automatic fix for this section.)
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WDDMStatus.lnk => C:\Windows\pss\WDDMStatus.lnk.CommonStartup
MSCONFIG\startupreg: Norton Online Backup => C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
MSCONFIG\startupreg: vProt => "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
========================= Accounts: ==========================
Administrator (S-1-5-21-772605068-1663628801-3090605291-500 - Administrator - Disabled)
Guest (S-1-5-21-772605068-1663628801-3090605291-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-772605068-1663628801-3090605291-1002 - Limited - Enabled)
Joellen (S-1-5-21-772605068-1663628801-3090605291-1000 - Administrator - Enabled) => C:\Users\Joellen
==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================
Application errors:
==================
Error: (11/30/2014 08:22:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/30/2014 08:07:26 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/30/2014 05:35:08 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/30/2014 04:06:48 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/30/2014 03:54:14 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/29/2014 07:47:00 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/29/2014 02:32:45 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/29/2014 09:06:38 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 9.0.8112.16483 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: 388
Start Time: 01d00be5a0babefc
Termination Time: 13
Application Path: C:\Program Files\Internet Explorer\iexplore.exe
Report Id:
Error: (11/29/2014 01:48:39 AM) (Source: SideBySide) (EventID: 63) (User: )
Description: Activation context generation failed for "assemblyIdentity1".Error in manifest or policy file "assemblyIdentity2" on line assemblyIdentity3.
The value "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute "version" in element "assemblyIdentity" is invalid.
Error: (11/29/2014 00:17:25 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

System errors:
=============
Error: (11/30/2014 05:07:00 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume C:.
Error: (11/30/2014 05:07:00 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.
Error: (11/30/2014 05:07:00 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume C:.
Error: (11/30/2014 05:07:00 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.
Error: (11/30/2014 05:07:00 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume C:.
Error: (11/30/2014 05:07:00 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.
Error: (11/30/2014 05:07:00 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume C:.
Error: (11/30/2014 05:07:00 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.
Error: (11/30/2014 05:07:00 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume C:.
Error: (11/30/2014 05:07:00 PM) (Source: Ntfs) (EventID: 55) (User: )
Description: The file system structure on the disk is corrupt and unusable.
Please run the chkdsk utility on the volume OS.

Microsoft Office Sessions:
=========================
Error: (11/30/2014 08:22:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/30/2014 08:07:26 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/30/2014 05:35:08 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/30/2014 04:06:48 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/30/2014 03:54:14 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/29/2014 07:47:00 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/29/2014 02:32:45 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
Error: (11/29/2014 09:06:38 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: iexplore.exe9.0.8112.1648338801d00be5a0babefc13C:\Program Files\Internet Explorer\iexplore.exe
Error: (11/29/2014 01:48:39 AM) (Source: SideBySide) (EventID: 63) (User: )
Description: assemblyIdentityversionMAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINORC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dllC:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll3
Error: (11/29/2014 00:17:25 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

==================== Memory info ===========================
Processor: Intel® Core™ i7-2600S CPU @ 2.80GHz
Percentage of memory in use: 48%
Total physical RAM: 8174.54 MB
Available physical RAM: 4240.54 MB
Total Pagefile: 16347.25 MB
Available Pagefile: 12037.56 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB
==================== Drives ================================
Drive c: (OS) (Fixed) (Total:1385.69 GB) (Free:918.41 GB) NTFS
Drive d: (HP_RECOVERY) (Fixed) (Total:11.48 GB) (Free:1.4 GB) NTFS ==>[System with boot components (obtained from reading drive)]
==================== MBR & Partition Table ==================
==================== End Of Log ============================

#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 01 December 2014 - 12:20 PM

Hello prestonjjrtr,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

 

 

 

1.

We need to find a replacement file on your system

Please do the following:
 

  • Open FRST
  • Type the following in the edit box after "Search:"

        rpcss.dll

    Click Search button and post the log it makes to your reply.


Edited by fireman4it, 01 December 2014 - 12:21 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 prestonjjrtr

prestonjjrtr
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 01 December 2014 - 08:08 PM

I have tried to search for the rpcss.dll using the FRST program but the FRST just runs and runs and runs. I let it run for an hour, but it doesn't have any results. Should it take this long? I'm running FRST as Administrator.


I do have a copy of the rpcss.dll file that I found on the internet for Windows 7 64 bit that I have downloaded to my desktop.  Both rpcss.dll files have the same File and Product Version number which is 6.1.7601.17514 for Windows 7 64 bit.  However, the infected rpcss.dll file size is 516KB and the good rpcss.dll file is 500KB.


Edited by prestonjjrtr, 01 December 2014 - 08:17 PM.


#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:48 AM

Posted 01 December 2014 - 08:18 PM

Do you have a usb flash drive you can use?



#5 prestonjjrtr

prestonjjrtr
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 01 December 2014 - 08:20 PM

Yes, I have the FRST on a usb flash drive.  I copied the FRST to the desktop and ran the FRST.  Should I try running FRST from the flash drive ?

 

Yes I have a USB flash drive I can use


Edited by prestonjjrtr, 01 December 2014 - 08:21 PM.


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:48 AM

Posted 01 December 2014 - 09:28 PM

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64)  and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

 

2.

We need to find a replacement file on your system

Please do the following:

  • Boot into System Recovery Options and run FRST64.
  • Type the following in the edit box after "Search:"

          rpcss.dll

    Click Search button and post the log it makes to your reply.



#7 prestonjjrtr

prestonjjrtr
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 02 December 2014 - 12:43 AM

I was able to run the FRST scan from the safe boot mode and the results are below.

 

However, when I tried to search for rpcss.dll, I let it run for 90 minutes with no results. I've also attached a pic of the search log, which is basically blank.

 

FRST scan log from safe boot mode

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 01-12-2014
Ran by SYSTEM on MININT-LNM1Q1L on 01-12-2014 21:59:01
Running from K:\
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-01-13] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [BATINDICATOR] => C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\BATINDICATOR.exe
HKLM-x32\...\Run: [LaunchHPOSIAPP] => C:\Program Files (x86)\Hewlett-Packard\HP Keyboard\LaunchApp.exe [385024 2009-04-03] (Hewlett-Packard)
HKLM-x32\...\Run: [PDF Complete] => C:\Program Files (x86)\PDF Complete\pdfsty.exe [656920 2011-02-01] (PDF Complete Inc)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [439568 2010-05-10] (Microsoft Corporation)
HKLM-x32\...\Run: [AVG_TRAY] => C:\Program Files (x86)\AVG\AVG2012\avgtray.exe [2598520 2012-11-19] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-11-11] (Hewlett-Packard)
BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AVG Security Toolbar Service; C:\Program Files (x86)\AVG\AVG10\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
S2 avgfws; C:\Program Files (x86)\AVG\AVG2012\avgfws.exe [2322000 2014-11-03] (AVG Technologies CZ, s.r.o.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2012\avgidsagent.exe [5175856 2013-10-15] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
S2 CLKMSVC10_38F51D56; c:\Program Files (x86)\Cyberlink\PowerDVD10\NavFilter\kmsvc.exe [241648 2011-01-25] (CyberLink)
S2 pdfcDispatcher; C:\Program Files (x86)\PDF Complete\pdfsvc.exe [1127448 2011-02-01] (PDF Complete Inc)
S2 SMART-ERService; C:\Program Files (x86)\Apricorn\SMART-ER\SMART-ER Service.exe [69632 2007-06-04] (Apricorn)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
S1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6a.sys [48992 2011-05-22] (AVG Technologies CZ, s.r.o.)
S3 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [127328 2012-12-10] (AVG Technologies CZ, s.r.o. )
S3 AVGIDSFilter; C:\Windows\System32\DRIVERS\avgidsfiltera.sys [29776 2011-12-23] (AVG Technologies CZ, s.r.o. )
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)
S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [384800 2014-11-03] (AVG Technologies CZ, s.r.o.)
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-01 15:48 - 2014-12-01 15:48 - 00000000 ____D () C:\Users\Joellen\Desktop\FRST-OlderVersion
2014-12-01 15:47 - 2014-12-01 15:48 - 02117120 _____ (Farbar) C:\Users\Joellen\Desktop\FRST64.exe
2014-12-01 15:46 - 2014-12-01 15:47 - 00000000 ____D () C:\Users\Joellen\Desktop\FRST64 OLD
2014-12-01 14:01 - 2014-12-01 14:01 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{2A475D6F-9EAC-494D-9DAD-0E31255E1881}
2014-12-01 14:00 - 2014-12-01 14:00 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{D5A86845-F789-4C01-9FDC-919A676E3A72}
2014-11-30 20:37 - 2014-11-30 20:38 - 00260390 _____ () C:\Users\Joellen\Desktop\rpcss-Win7x64.zip
2014-11-30 18:54 - 2014-12-01 16:34 - 00000214 _____ () C:\Users\Joellen\Desktop\Search.txt
2014-11-30 18:51 - 2014-11-30 18:52 - 00028005 _____ () C:\Users\Joellen\Desktop\Addition.txt
2014-11-30 18:49 - 2014-11-30 18:52 - 00034627 _____ () C:\Users\Joellen\Desktop\FRST.txt
2014-11-30 14:50 - 2014-11-30 14:50 - 19828376 _____ (Malwarebytes Corporation ) C:\Users\Joellen\Desktop\mbam-setup-2.0.3.1025.exe
2014-11-30 14:10 - 2014-11-30 14:10 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{FD72F17D-9865-47D9-AA67-D83DF995C0F4}
2014-11-29 18:29 - 2014-11-29 18:29 - 00000000 _____ () C:\autoexec.bat
2014-11-29 17:51 - 2014-11-29 17:51 - 02998656 _____ (Enigma Software Group USA, LLC.) C:\Users\Joellen\Desktop\SpyHunter-Installer.exe
2014-11-29 11:25 - 2014-11-29 11:25 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{EF8A8775-7499-4909-BC96-8E308EA62BA3}
2014-11-28 10:20 - 2014-11-28 10:20 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{F7D2BEC1-9012-49F0-915A-7BAD4906A445}
2014-11-27 12:48 - 2014-11-27 12:48 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{540B1070-2CDA-4B71-8D91-80ADAA2917D9}
2014-11-26 22:44 - 2014-11-26 22:44 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{E838A7D7-C140-421C-A46F-CAE3E978E1D5}
2014-11-26 21:31 - 2014-11-26 21:31 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{0D11B453-A782-4CB7-A3F1-4E1082730564}
2014-11-26 21:22 - 2014-11-26 21:23 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{637E214B-804C-424E-B440-0AABEDFC45C7}
2014-11-26 07:47 - 2014-11-26 07:47 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{FAEE8DE9-627A-41E1-9F3E-8D25D63BE3DA}
2014-11-25 14:21 - 2014-11-25 14:21 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{CB9BC817-9FD5-411A-ACCC-36E4829191FE}
2014-11-25 11:14 - 2014-11-25 11:14 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{5DC9BA22-3320-474C-A1EB-41EC9F911A61}
2014-11-25 11:10 - 2014-11-25 11:10 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{106F6D97-3DB0-4EC6-81D8-9FBF0794FF0C}
2014-11-24 23:05 - 2014-11-24 23:05 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{6D2CB7B8-7E5E-4C07-90EF-D49F6C151AA3}
2014-11-24 08:10 - 2014-11-24 08:10 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{F953C331-480C-4920-93A7-1A578BAAFB15}
2014-11-23 10:51 - 2014-11-23 10:52 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{8CE9D550-8BA6-4C3C-8C75-FA91AD0A771E}
2014-11-22 22:15 - 2014-11-22 22:15 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{9CBEDF2E-1016-437B-B2A8-398EDCD2C003}
2014-11-22 21:47 - 2014-11-22 21:47 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{CD724A3C-DE7D-461B-9365-9F2EBF94FC9B}
2014-11-22 15:20 - 2014-11-22 15:20 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{3914E2E4-D3CF-4148-BA56-979F08EA9287}
2014-11-22 14:56 - 2014-11-22 14:56 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{706AD2B6-7C70-4354-B237-07257152A073}
2014-11-22 10:58 - 2014-11-22 10:58 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{5E9B9DAD-800C-4345-984D-3DB1E9A8614A}
2014-11-21 07:30 - 2014-11-21 07:31 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{C8E14328-74A8-436C-B536-35CFB88FB211}
2014-11-20 15:12 - 2014-11-20 15:12 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{A8C80AD1-7A60-450C-BCDD-1B3177E6BF4A}
2014-11-19 21:19 - 2014-11-19 21:20 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{5AA39B51-43E7-4CD6-83C8-B506F870C956}
2014-11-19 14:51 - 2014-11-19 14:51 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{D5FF15E1-F65E-42F7-B31F-6C2B422A4E19}
2014-11-19 10:31 - 2014-11-19 10:31 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{22993F26-FC0E-414E-87A4-9EF9CC08084D}
2014-11-18 21:26 - 2014-11-18 21:27 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{438DD4B3-050C-407F-B189-1BF78E6B531F}
2014-11-18 08:02 - 2014-11-18 08:02 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{77F8136E-7245-4436-ADB7-1696B8FA227B}
2014-11-17 19:52 - 2014-11-17 19:52 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{7B4E3599-6C71-4AF9-91CC-0A4A664CB612}
2014-11-17 07:50 - 2014-11-17 07:51 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{FDEB1C38-2861-456B-98A0-20E7F4B6869B}
2014-11-16 12:02 - 2014-11-16 12:02 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{D2CF354B-60C1-4AC9-9734-E33F8CC45396}
2014-11-16 11:27 - 2014-11-16 11:28 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{60362CFE-A547-4F44-AE50-C8DD13BF6249}
2014-11-15 15:36 - 2014-11-15 15:36 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{899D614F-CD67-4BDB-9EFB-4CB833ACEA39}
2014-11-14 20:57 - 2014-11-14 20:57 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{9B63553A-0250-47E0-9BAF-CA253B04C8FF}
2014-11-14 08:09 - 2014-11-14 08:10 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{733B3790-1C55-4F47-BE63-7852993BC49D}
2014-11-13 07:01 - 2014-11-13 07:01 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{51E89CE3-93B3-45F6-B002-E4FDCD6393ED}
2014-11-12 11:33 - 2014-11-12 11:33 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{BC589F50-3342-4388-9356-7370A79E9952}
2014-11-11 20:58 - 2014-11-11 20:58 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{4C2C3163-46FD-49B4-9B21-B2C53B71EC8C}
2014-11-11 07:40 - 2014-11-11 07:40 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{7F6E0195-7D71-4CB0-8815-9F99ABCE0729}
2014-11-11 06:57 - 2014-11-11 06:57 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{FAB12BFD-D575-455A-85AD-BC256FC03C39}
2014-11-10 18:42 - 2014-11-10 18:42 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{87B84611-02FA-4335-95AB-B55152F2FBE0}
2014-11-10 06:31 - 2014-11-10 06:31 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{4BBE8E27-F21B-4A5F-B833-AB393FDC21F6}
2014-11-09 10:19 - 2014-11-09 10:19 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{1D462FB8-C5C9-4D71-AE5F-580C17368EFC}
2014-11-08 09:33 - 2014-11-08 09:33 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{F9C12D14-BDF3-4272-A500-45745C97F776}
2014-11-07 21:32 - 2014-11-07 21:32 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{4D75E2AE-21EB-4815-8FF2-5D35431CA086}
2014-11-07 07:23 - 2014-11-07 07:23 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{29784FFC-42C7-4286-8FA4-CD94B6FB48E0}
2014-11-06 16:08 - 2014-11-06 16:08 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{F549E9EB-7693-4BD1-995A-C668970F3F82}
2014-11-06 15:28 - 2014-11-06 15:29 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{3CA06EB3-A6F5-417F-ABEE-CF2B4CBB171B}
2014-11-05 21:35 - 2014-11-05 21:36 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{2CAB1ADC-BAA4-43FB-AB66-FE7C4FB7BBD4}
2014-11-05 09:11 - 2014-11-05 09:11 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{A51B2A59-78B7-4222-ABCC-671697ACB81E}
2014-11-04 21:29 - 2014-11-04 21:29 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{06218C1F-C27D-4D43-B359-3D88ECF3969C}
2014-11-04 07:56 - 2014-11-04 07:56 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{CCD283E0-59A7-4513-84EC-B2B7F94E0C70}
2014-11-03 22:33 - 2014-11-03 22:33 - 00384800 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\System32\Drivers\avgtdia.sys
2014-11-03 19:25 - 2014-11-03 19:25 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{135C5BE6-BCEF-4435-98DD-3D2800B4D6B2}
2014-11-03 06:58 - 2014-11-03 06:58 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{E46B3FE4-C4E1-42E6-A828-1674AFA48146}
2014-11-02 21:51 - 2014-11-02 21:52 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{470074CD-BFE7-423B-891B-A844798EA055}
2014-11-02 09:13 - 2014-11-02 09:13 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{C9F2D3DC-BB35-4A86-8891-54BFE3209F92}
2014-11-01 20:52 - 2014-11-01 20:52 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{3A9A566A-3C0A-4710-A9AF-109863B7A975}
2014-11-01 08:50 - 2014-11-01 08:50 - 00000000 ____D () C:\Users\Joellen\AppData\Local\{7ED160F3-7D9B-4FC5-A9CB-1EDE1E98701B}

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-12-01 21:59 - 2014-09-26 16:02 - 00000000 ____D () C:\FRST
2014-12-01 21:37 - 2011-07-28 19:12 - 00000000 ____D () C:\ProgramData\Recovery
2014-12-01 19:56 - 2011-07-14 20:06 - 01109323 _____ () C:\Windows\WindowsUpdate.log
2014-12-01 19:56 - 2009-07-13 20:45 - 00024608 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-12-01 19:56 - 2009-07-13 20:45 - 00024608 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-12-01 19:50 - 2014-09-28 17:23 - 00000000 ___SD () C:\32788R22FWJFW
2014-12-01 19:50 - 2013-06-02 20:01 - 00000350 _____ () C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2014-12-01 19:50 - 2013-01-21 23:52 - 00000354 _____ () C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job
2014-12-01 19:50 - 2011-04-20 01:20 - 00000000 ____D () C:\ProgramData\PDFC
2014-12-01 19:49 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-12-01 19:49 - 2009-07-13 20:51 - 00065485 _____ () C:\Windows\setupact.log
2014-12-01 18:49 - 2011-07-18 22:17 - 00000000 ____D () C:\Users\Joellen\AppData\Roaming\SoftGrid Client
2014-12-01 18:40 - 2009-07-13 21:13 - 00780156 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-11-30 21:25 - 2011-07-14 20:07 - 00000000 ____D () C:\Windows\System32\Drivers\AVG
2014-11-30 20:55 - 2011-07-18 22:37 - 00000000 ____D () C:\Users\Joellen\Documents\Joey
2014-11-30 18:05 - 2010-11-20 19:47 - 00086798 _____ () C:\Windows\PFRO.log
2014-11-30 15:34 - 2014-09-29 08:35 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-11-30 14:56 - 2013-04-13 02:15 - 00000000 ____D () C:\Users\Joellen\AppData\Roaming\Malwarebytes
2014-11-30 14:56 - 2013-04-13 02:15 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-28 11:04 - 2014-05-29 23:06 - 00000340 _____ () C:\Windows\Tasks\HPCeeScheduleForJoellen.job
2014-11-28 00:10 - 2014-05-29 23:06 - 00003198 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForJoellen
2014-11-28 00:09 - 2011-10-28 17:04 - 00000000 _____ () C:\Windows\System32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-11-28 00:09 - 2011-07-15 10:00 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2014-11-27 21:31 - 2011-07-17 20:32 - 00000000 ____D () C:\Users\Joellen\AppData\Local\CrashDumps
2014-11-20 07:44 - 2012-05-17 09:55 - 00000967 _____ () C:\Users\Public\Desktop\AVG 2012.lnk
2014-11-20 07:44 - 2011-07-14 19:53 - 00000000 ____D () C:\ProgramData\MFAData
2014-11-19 20:26 - 2012-01-29 19:22 - 00000000 ____D () C:\Windows\Minidump
2014-11-19 20:26 - 2011-04-20 01:33 - 00338262 ____N () C:\Windows\Minidump\111914-49062-01.dmp
2014-11-05 21:42 - 2011-07-18 22:35 - 00000000 ____D () C:\Users\Joellen\Documents\Tommy

Some content of TEMP:
====================
C:\Users\Joellen\AppData\Local\Temp\avguidx.dll
C:\Users\Joellen\AppData\Local\Temp\CommonInstaller.exe
C:\Users\Joellen\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Joellen\AppData\Local\Temp\iGearedHelper.dll
C:\Users\Joellen\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Joellen\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\Joellen\AppData\Local\Temp\jre-7u5-windows-i586-iftw.exe
C:\Users\Joellen\AppData\Local\Temp\MachineIdCreator.exe
C:\Users\Joellen\AppData\Local\Temp\Resource.exe
C:\Users\Joellen\AppData\Local\Temp\sp53904.exe
C:\Users\Joellen\AppData\Local\Temp\sp54931.exe
C:\Users\Joellen\AppData\Local\Temp\sp58915.exe
C:\Users\Joellen\AppData\Local\Temp\sp64126.exe
C:\Users\Joellen\AppData\Local\Temp\ToolbarInstaller.exe
C:\Users\Joellen\AppData\Local\Temp\UNINSTALL.EXE
C:\Users\Joellen\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Joellen\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Joellen\AppData\Local\Temp\~Unta13.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0528384 ____A (Microsoft Corporation) 897248AC2316B2C22589E01549B821F6

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

Restore point made on: 2014-07-10 22:23:11
Restore point made on: 2014-07-17 23:06:56
Restore point made on: 2014-07-25 23:42:32
Restore point made on: 2014-08-02 04:54:01
Restore point made on: 2014-08-09 21:53:19
Restore point made on: 2014-08-17 00:03:38
Restore point made on: 2014-08-24 21:39:28
Restore point made on: 2014-08-31 23:42:58
Restore point made on: 2014-09-09 02:36:56
Restore point made on: 2014-09-16 23:39:08
Restore point made on: 2014-09-23 23:51:43
Restore point made on: 2014-09-28 19:20:59
Restore point made on: 2014-10-05 22:17:29
Restore point made on: 2014-10-21 17:57:33
Restore point made on: 2014-10-28 22:05:46
Restore point made on: 2014-11-04 23:03:30
Restore point made on: 2014-11-11 23:26:19
Restore point made on: 2014-11-19 22:27:54
Restore point made on: 2014-11-26 23:50:23

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 8174.54 MB
Available physical RAM: 6981.78 MB
Total Pagefile: 8172.73 MB
Available Pagefile: 6961.24 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:1385.69 GB) (Free:916.73 GB) NTFS
Drive e: (HP_RECOVERY) (Fixed) (Total:11.48 GB) (Free:1.4 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive k: (Lexar) (Removable) (Total:7.46 GB) (Free:7.46 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 1397.3 GB) (Disk ID: A4697449)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=1385.7 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=11.5 GB) - (Type=07 NTFS)

========================================================
Disk: 5 (Size: 7.5 GB) (Disk ID: ACB8AD8C)
Partition 1: (Not Active) - (Size=7.5 GB) - (Type=0B)

LastRegBack: 2014-11-24 23:55

==================== End Of Log ============================

 

 

 

Search rpcss.dll from safe boot mode never completed

 

 

Farbar Recovery Scan Tool (x64) Version: 01-12-2014
Ran by SYSTEM at 2014-12-01 22:00:45
Running from K:\
Boot Mode: Recovery

================== Search Files: "rpcss.dll" =============

 

 

Let me know how to proceed. 

 

Thanks so much for your help, time and efforts it is really appreciated.

 

Joellen
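As an added example (not from the thread, and not part of Farbar's tool), here is a small Python triage helper for the "Bamital & volsnap Check" block in the log above: it parses that section, lists the files FRST could not verify together with their size and MD5, and compares each size against a known-good size. The only reference size it ships with is the 500 KB the poster reports for a clean rpcss.dll 6.1.7601.17514, which is an assumption taken from the thread and should be replaced with a value from a trusted install of the same build.

```python
"""Triage helper for the "Bamital & volsnap Check" section of an FRST log.

FRST prints each checked system file in one of two forms:
    <path> => MD5 is legit
or, when the file does not match FRST's whitelist,
    <path>
    [created] - [modified] - <size> <attrs> (<company>) <MD5>
This script parses that section, lists the files that failed
verification, and compares each reported size with a known-good size
supplied by the analyst, which is the check the thread does by hand.
"""
import re

# Constructed sample: the relevant lines from the thread's log (one flagged
# file, three that passed), reproduced in FRST's own layout.
SAMPLE_LOG = r"""
==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2010-11-20 19:24] - [2010-11-20 19:24] - 0528384 ____A (Microsoft Corporation) 897248AC2316B2C22589E01549B821F6

 ATTENTION ======> If the system is having audio adware rpcss.dll is patched. Google the MD5, if the MD5 is unique the file is infected.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================
"""

SECTION_NAME = "Bamital & volsnap Check"
LEGIT_SUFFIX = "=> MD5 is legit"
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)

# Known-good sizes in bytes, keyed by lower-case file name.  The only value
# here is derived from the thread itself (the poster's clean copy of
# rpcss.dll 6.1.7601.17514 is 500 KB); it is an assumption, not an
# authoritative reference, and an analyst should fill this table from a
# trusted install of the same Windows build.
KNOWN_GOOD_SIZES = {"rpcss.dll": 500 * 1024}


def extract_section(log_text):
    """Return the stripped lines between the section header and the next one."""
    lines, inside = [], False
    for line in log_text.splitlines():
        if line.startswith("=====") and SECTION_NAME in line:
            inside = True
            continue
        if inside and line.startswith("====="):
            break
        if inside:
            lines.append(line.strip())
    return lines


def parse_bamital_check(log_text):
    """Split the section into (legit_paths, flagged_entries)."""
    legit, flagged = [], []
    section = extract_section(log_text)
    i = 0
    while i < len(section):
        line = section[i]
        if line.endswith(LEGIT_SUFFIX):
            legit.append(line[: -len(LEGIT_SUFFIX)].strip())
        elif line and not line.startswith(("(", "[", "ATTENTION")):
            # A bare path means verification failed; FRST puts the file's
            # timestamps, size, company string and MD5 on the following line.
            entry = {"path": line, "size": None, "md5": None, "company": None}
            if i + 1 < len(section):
                m = DETAIL_RE.match(section[i + 1])
                if m:
                    entry.update(size=int(m["size"]), md5=m["md5"].upper(),
                                 company=m["company"])
                    i += 1
            flagged.append(entry)
        i += 1
    return legit, flagged


def size_check(flagged, known_good=KNOWN_GOOD_SIZES):
    """Compare each flagged file's size with the analyst's known-good size."""
    verdicts = {}
    for entry in flagged:
        name = entry["path"].rsplit("\\", 1)[-1].lower()
        expected = known_good.get(name)
        if expected is None or entry["size"] is None:
            verdicts[entry["path"]] = "no reference size"
        elif entry["size"] == expected:
            verdicts[entry["path"]] = "size matches known-good copy"
        else:
            delta = entry["size"] - expected
            verdicts[entry["path"]] = f"size differs by {delta:+d} bytes"
    return verdicts


if __name__ == "__main__":
    legit, flagged = parse_bamital_check(SAMPLE_LOG)
    print(f"{len(legit)} file(s) passed FRST's whitelist check")
    for entry in flagged:
        print(f"FLAGGED {entry['path']}  size={entry['size']}  md5={entry['md5']}")
    for path, verdict in size_check(flagged).items():
        print(f"  {path}: {verdict}")
```

On the sample the flagged rpcss.dll is 528384 bytes, 16384 bytes larger than the 500 KB reference, which matches the 516 KB versus 500 KB difference the poster observed; the extracted MD5 is what you would then compare against a hash taken from a trusted copy.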



#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:48 AM

Posted 02 December 2014 - 08:04 PM

You are not to run it from safe mode. It's supposed to be run from the System Recovery Options. Please read my directions again for running FRST in the System Recovery Options.

 

If this doesn't work please follow these directions:

Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop

Link 1
Link 2

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • RcAuto1.gif
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    whatnext.png
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.
 


Edited by fireman4it, 02 December 2014 - 08:07 PM.


#9 prestonjjrtr

prestonjjrtr
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 03 December 2014 - 08:33 PM

For some reason even when I disable the Windows Firewall and AVG 2012, the Combofix will stall and not run.   I also tried to rerun the FRST tool and let it run for 2 hours and didn't get any results.  Not sure what to try next.



#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 03 December 2014 - 09:21 PM

Try running ComboFix in Safe Mode.

 

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.
Please see here for additional details.




#11 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 05 December 2014 - 11:38 AM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it




#12 prestonjjrtr

  • Topic Starter

  • Members
  • 17 posts

Posted 05 December 2014 - 07:57 PM

Hi again, sorry for the delay. I will try running ComboFix in Safe Mode on Saturday and I'll let you know the results. Thanks again and talk soon!



#13 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 07 December 2014 - 06:39 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it




#14 fireman4it


    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 09 December 2014 - 09:57 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





