Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hit with powerliks virus and now Windows 7 PC won't boot


  • This topic is locked This topic is locked
25 replies to this topic

#1 bd43stew

bd43stew

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 27 December 2014 - 02:37 PM

I've been fighting off the powerliks virus the past few weeks and like other people just when you think it's gone it comes back. It looks like I was hit with some type of randsomware as well which seems to have been successfully removed but I now have corrupt jpg and MP3 files. Thankfully I think I have most of them backed up. My PC currently doesn't boot and comes up with the following problem signatures:
1. 6.1.7600.16385
2. 6.1.7600.16385
3. Unknown
4. 21200847
5. Autofailure
6. 2
7. 0x7e

Please help!

BC AdBot (Login to Remove)

 


m

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:53 PM

Posted 01 January 2015 - 02:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/561163 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your destop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 03 January 2015 - 03:43 PM

I'm running Windows 7 Home Premium on a 64 bit system and I don't believe I have the original windows CD available.

 

Listed below are the logs you requested.  Thanks very much for your help!

 

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 MINIMAL
Internet Explorer: 10.0.9200.17148
Run by Brian at 15:14:21 on 2015-01-03
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8151.7097 [GMT -5:00]
.
AV: Panda Free Antivirus *Enabled/Updated* {3456760B-FDAA-FFFD-06C2-7BB528D2066C}
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Panda Free Antivirus *Enabled/Updated* {8F3797EF-DB90-F073-3C72-40C753554CD1}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Panda Firewall *Disabled* {0C6DF72E-B7C5-FEA5-2D9D-D280D6014117}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe
C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\helppane.exe
C:\Windows\syswow64\dllhost.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
mWinlogon: Userinit = C:\Windows\SysWOW64\userinit.exe,
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
uRun: [EPLTarget\P0000000000000000] C:\Windows\System32\spool\DRIVERS\x64\3\E_YATIHVA.EXE /EPT "EPLTarget\P0000000000000000" /M "WorkForce 645"
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
uRun: [iCloudServices] C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
uRun: [ApplePhotoStreams] C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [EPLTarget\P0000000000000001] C:\Windows\System32\spool\DRIVERS\x64\3\E_YATIHVA.EXE /EPT "EPLTarget\P0000000000000001" /M "WorkForce 645"
uRun: [AnyDVD] "C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVD.exe"
uRun: [Hobbyist Software VLC Streamer] "C:\Program Files (x86)\Hobbyist Software\VLC Streamer\VLC Streamer Configuration.exe" /startup
uRun: [Spotify Web Helper] "C:\Users\Brian\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe"
uRunOnce: [iCloud] "C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloud.exe"
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [BackupManagerTray] "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [EEventManager] "C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe"
mRun: [My Movies Tray] "C:\Program Files (x86)\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe"
mRun: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
mRun: [Codec Settings UAC Manager] "C:\Windows\System32\C2MP\CodecUACManager.exe"
mRun: [PSUAMain] "C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe" /LaunchSysTray
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] "C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe" "C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware"
StartupFolder: C:\Users\Brian\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Brian\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\CODECP~1.LNK - C:\Windows\SysWOW64\C2MP\UpdateChecker.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PHOTOF~1.LNK - C:\Program Files (x86)\Northstar\Photo Frame\Photo Frame.exe
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{42667D3A-8E39-4118-B9D1-2E470A90EFBB} : DHCPNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.71\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mWinlogon: Userinit = C:\Windows\SysWOW64\userinit.exe,
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R0 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-11-7 129752]
R2 NanoServiceMain;Panda Protection Service;C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [2014-10-13 142072]
R2 PSUAService;Panda Product Service;C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [2014-10-16 38136]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-11-30 56344]
S1 aswSnx;aswSnx;C:\Windows\System32\drivers\aswSnx.sys [2011-7-17 1031392]
S1 aswSP;aswSP;C:\Windows\System32\drivers\aswSP.sys [2010-8-2 304472]
S1 NNSALPC;NNSALPC;C:\Windows\System32\drivers\NNSAlpc.sys [2014-6-4 96800]
S1 NNSHTTP;NNSHTTP;C:\Windows\System32\drivers\NNSHttp.sys [2014-6-18 162336]
S1 NNSHTTPS;NNSHTTPS;C:\Windows\System32\drivers\NNSHttps.sys [2014-6-4 112160]
S1 NNSIDS;NNSIDS;C:\Windows\System32\drivers\NNSIds.sys [2014-6-4 115232]
S1 NNSNAHSL;Network Activity Hook Server LightWeight Filter Driver;C:\Windows\System32\drivers\NNSNAHSL.sys [2014-1-16 46336]
S1 NNSPICC;NNSPICC;C:\Windows\System32\drivers\NNSpicc.sys [2014-6-4 95776]
S1 NNSPIHSW;NNSPIHSW;C:\Windows\System32\drivers\NNSPihsw.sys [2014-6-4 70176]
S1 NNSPOP3;NNSPOP3;C:\Windows\System32\drivers\NNSPop3.sys [2014-6-4 125984]
S1 NNSPROT;NNSPROT;C:\Windows\System32\drivers\NNSProt.sys [2014-6-4 306720]
S1 NNSPRV;NNSPRV;C:\Windows\System32\drivers\NNSPrv.sys [2014-6-4 169504]
S1 NNSSMTP;NNSSMTP;C:\Windows\System32\drivers\NNSSmtp.sys [2014-6-4 115744]
S1 NNSSTRM;NNSSTRM;C:\Windows\System32\drivers\NNSStrm.sys [2014-6-4 261152]
S1 NNSTLSC;NNSTLSC;C:\Windows\System32\drivers\NNStlsc.sys [2014-6-4 109088]
S1 PSINKNC;PSINKNC;C:\Windows\System32\drivers\PSINKNC.sys [2014-7-24 195616]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [2009-5-14 759048]
S2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2009-12-3 203776]
S2 aswFsBlk;aswFsBlk;C:\Windows\System32\drivers\aswFsBlk.sys [2010-8-2 24408]
S2 aswMonFlt;aswMonFlt;C:\Windows\System32\drivers\aswMonFlt.sys [2010-8-2 66904]
S2 avast! Antivirus;avast! Antivirus;C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-12-24 44768]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 EPSON_PM_RPCV4_05;EPSON V3 Service4(05);C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE [2012-1-19 136576]
S2 EpsonCustomerParticipation;EpsonCustomerParticipation;C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe [2011-6-9 555392]
S2 Greg_Service;GRegService;C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe [2009-8-28 1150496]
S2 MSSQL$MYMOVIES;SQL Server (MYMOVIES);C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
S2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe [2009-8-12 62208]
S2 PandaAgent;Panda Devices Agent;C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [2014-10-9 66808]
S2 PSINAflt;PSINAflt;C:\Windows\System32\drivers\PSINAflt.sys [2014-10-13 163088]
S2 PSINFile;PSINFile;C:\Windows\System32\drivers\PSINFile.sys [2014-10-13 121616]
S2 PSINProc;PSINProc;C:\Windows\System32\drivers\PSINProc.sys [2014-7-24 122400]
S2 PSINProt;PSINProt;C:\Windows\System32\drivers\PSINProt.sys [2014-7-24 132128]
S2 PSINReg;PSINReg;C:\Windows\System32\drivers\PSINReg.sys [2014-10-13 107792]
S2 Updater Service;Updater Service;C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe [2009-11-30 240160]
S2 USBS3S4Detection;USBS3S4Detection;C:\OEM\USBDECTION\USBS3S4Detection.exe [2009-12-13 76320]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2010-6-16 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2010-6-16 79360]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2009-11-30 283824]
S3 MBfilt;MBfilt;C:\Windows\System32\drivers\MBfilt64.sys [2010-6-16 25600]
S3 PSKMAD;PSKMAD;C:\Windows\System32\drivers\PSKMAD.sys [2014-11-22 60400]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2011-7-1 59392]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2014-7-28 54784]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-6-18 1255736]
.
=============== Created Last 30 ================
.
2014-12-04 20:17:15 -------- d-----w- C:\Program Files (x86)\Stellar Phoenix JPEG Repair
.
==================== Find3M  ====================
.
2014-12-05 13:33:02 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-12-05 12:47:46 96472 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-12-01 10:50:02 1031392 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2014-11-26 04:42:10 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-11-26 04:42:10 701104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-11-21 11:14:22 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-11-21 11:14:08 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-11-15 15:54:49 37624 ----a-w- C:\Windows\System32\drivers\TrueSight.sys
2014-11-11 03:08:52 241152 ----a-w- C:\Windows\System32\pku2u.dll
2014-11-11 03:08:48 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-11-11 02:44:32 186880 ----a-w- C:\Windows\SysWow64\pku2u.dll
2014-11-11 02:44:25 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2014-11-05 17:56:54 304640 ----a-w- C:\Windows\System32\generaltel.dll
2014-11-05 17:56:36 228864 ----a-w- C:\Windows\System32\aepdu.dll
2014-11-05 17:52:22 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-11-04 19:30:58 275080 ----a-w- C:\Windows\System32\MpSigStub.exe
2014-10-29 00:54:07 87200 ----a-w- C:\ProgramData\wrnhoah.tmp
2014-10-29 00:53:17 0 ----a-w- C:\Users\Brian\AppData\Roaming\ubgxjz.dll
2014-10-26 01:56:17 2237952 ----a-w- C:\Windows\System32\wininet.dll
2014-10-26 01:56:06 600064 ----a-w- C:\Windows\System32\vbscript.dll
2014-10-26 01:54:43 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2014-10-26 01:54:36 67072 ----a-w- C:\Windows\System32\iesetup.dll
2014-10-26 01:54:36 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2014-10-26 01:53:54 1509376 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-10-26 00:36:01 1762816 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-10-26 00:35:53 523776 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-10-26 00:34:48 2861568 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-10-26 00:34:43 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-10-26 00:34:43 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2014-10-26 00:34:16 1441280 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-10-26 00:19:11 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2014-10-26 00:13:06 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-10-25 23:22:53 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2014-10-25 23:17:32 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2014-10-25 01:57:59 77824 ----a-w- C:\Windows\System32\packager.dll
2014-10-25 01:32:37 67584 ----a-w- C:\Windows\SysWow64\packager.dll
2014-10-18 02:05:23 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2014-10-18 01:33:18 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2014-10-14 02:16:37 155064 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2014-10-14 02:13:06 683520 ----a-w- C:\Windows\System32\termsrv.dll
2014-10-14 02:13:00 3241984 ----a-w- C:\Windows\System32\msi.dll
2014-10-14 02:12:57 1460736 ----a-w- C:\Windows\System32\lsasrv.dll
2014-10-14 02:09:31 146432 ----a-w- C:\Windows\System32\msaudite.dll
2014-10-14 02:07:31 681984 ----a-w- C:\Windows\System32\adtschema.dll
2014-10-14 01:50:47 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2014-10-14 01:50:41 2363904 ----a-w- C:\Windows\SysWow64\msi.dll
2014-10-14 01:49:38 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2014-10-14 01:47:30 146432 ----a-w- C:\Windows\SysWow64\msaudite.dll
2014-10-14 01:46:02 681984 ----a-w- C:\Windows\SysWow64\adtschema.dll
2014-10-13 20:04:37 107792 ----a-w- C:\Windows\System32\drivers\PSINReg.sys
2014-10-13 20:04:36 163088 ----a-w- C:\Windows\System32\drivers\PSINAflt.sys
2014-10-13 20:04:36 121616 ----a-w- C:\Windows\System32\drivers\PSINFile.sys
2014-10-10 00:57:42 3198976 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 15:17:46.23 ===============
 

Attached Files



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,538 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:53 PM

Posted 03 January 2015 - 10:26 PM

Greetings bd43stew and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. While I review our situation please run the below for me after booting into Safe Mode as is necessary.

===================================================

Uninstalling a Program using Add/Remove Program

--------------------

I recommend the uninstalling of the below listed program(s).
  • Press windows key Windows_Logo_key.gif + r on your keyboard at the same time
  • Type appwiz.cpl and press Enter
  • A list of installed programs will be displayed
  • Uninstall the following by clicking on the program(s) below (and any other similar names) and selecting Remove or Uninstall

Avast

  • Attempt to reboot your computer into Normal Mode
===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recover Scan Tool for either 32 bit or 64 bit systems and save it to your desktop <<< Important
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

System Summary Information

--------------------
  • Press the windows key Windows_Logo_key.gif + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Did Avast uninstall?
  • FRST results
  • Addition log
  • System Summary Information
  • Are you able to boot into Normal Mode?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,538 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:53 PM

Posted 06 January 2015 - 09:57 AM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 06 January 2015 - 10:39 PM

Thanks very much Gary for your help!  I was able to uninstall Avast and that allowed me to boot in normal mode so it looks like we have progress already!  I have also attached the system summary file you requested.

 

Note I am still having trouble with the FARBAR request.  I tried downloading it to a different PC and copying it over but that didn't work.  I hesitate to plug the Ethernet cable back into the infected PC and download it there but it looks like that might be my only choice at this point.  I'd appreciate your recommendation on this when you have a moment.

 

Thank you again for all of your help!

Brian

Attached Files



#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,538 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:53 PM

Posted 06 January 2015 - 10:44 PM

Hi Brian,

I am glad we made some progress. What happens when you try to transfer FRST to the infected desktop, or is it that you can transfer it but it won't run?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 06 January 2015 - 11:29 PM

I actually can't download it to the other PC due to virus protection and don't want to change settings on that one (not mine). Would it be OK to download directly to infected pc or is that not a good idea?

#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,538 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:53 PM

Posted 07 January 2015 - 11:33 AM

Yes, please connect the infected PC to the internet, install a fresh copy of Avast then continue with the FRST steps.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#10 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 07 January 2015 - 08:18 PM

Thanks for your guidance.  Below are the FRST results.

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 07-01-2015
Ran by Brian at 2015-01-07 19:59:28
Running from C:\Users\Brian\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Panda Free Antivirus (Enabled - Up to date) {3456760B-FDAA-FFFD-06C2-7BB528D2066C}
AV: avast! Antivirus (Enabled - Up to date) {17AD7D40-BA12-9C46-7131-94903A54AD8B}
AS: Panda Free Antivirus (Enabled - Up to date) {8F3797EF-DB90-F073-3C72-40C753554CD1}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: avast! Antivirus (Enabled - Up to date) {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: Panda Firewall (Disabled) {0C6DF72E-B7C5-FEA5-2D9D-D280D6014117}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ABBYY FineReader 9.0 Sprint (HKLM-x32\...\ABBYY FineReader 9.0 Sprint) (Version: 9.01.513.58212 - ABBYY)
ABBYY FineReader 9.0 Sprint (x32 Version: 9.01.513.58212 - ABBYY) Hidden
Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.0.2.12610 - Adobe Systems Inc.)
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.239 - Adobe Systems Incorporated)
Adobe Reader 9.2 MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-A91000000001}) (Version: 9.2.0 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.6 (HKLM-x32\...\Adobe Shockwave Player) (Version: 11.6.0.626 - Adobe Systems, Inc.)
Advertising Center (x32 Version: 0.0.0.2 - Nero AG) Hidden
Amazon MP3 Downloader 1.0.17 (HKLM-x32\...\Amazon MP3 Downloader) (Version: 1.0.17 - Amazon Services LLC)
AnyDVD (HKLM-x32\...\AnyDVD) (Version: 7.4.4.0 - SlySoft)
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ATI AVIVO64 Codecs (Version: 10.12.0.41118 - ATI Technologies Inc.) Hidden
ATI Catalyst Install Manager (HKLM\...\{6B559E62-24D2-D29C-2C02-26B671BDA8A1}) (Version: 3.0.754.0 - ATI Technologies, Inc.)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 10.0.2208 - AVAST Software)
Backup Manager Advance (x32 Version: 2.0.2.19 - NewTech Infosystems) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Cakewalk XL Pack (HKLM-x32\...\Cakewalk XL Pack_is1) (Version: 1.2 - Cakewalk Music Software)
ccc-core-static (x32 Version: 2009.1118.1260.23275 - ATI) Hidden
Company of Heroes - FAKEMSI (x32 Version: 2.0.0.0 - THQ Inc.) Hidden
Company of Heroes (HKLM-x32\...\Company of Heroes) (Version: 2.602.0 - THQ Inc.)
Company of Heroes 2 (HKLM-x32\...\Steam App 231430) (Version:  - Relic Entertainment)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Dropbox (HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\Dropbox) (Version: 2.10.30 - Dropbox, Inc.)
Epson Connect (HKLM-x32\...\{64BA551C-9AF6-495C-93F3-D1270E0045FC}) (Version:  - )
Epson Customer Participation (HKLM\...\{814FA673-A085-403C-9545-747FC1495069}) (Version: 1.0.0.0 - SEIKO EPSON CORPORATION)
Epson Download Navigator (HKLM-x32\...\{10F63395-157F-4B93-AB4D-702A2FF11942}) (Version: 1.0.1 - SEIKO EPSON CORPORATION)
Epson Event Manager (HKLM-x32\...\{FA9D303D-0FB2-49C7-9397-8E6B11EA892D}) (Version: 2.50.0001 - SEIKO EPSON CORPORATION)
Epson FAX Utility (HKLM-x32\...\{0CBE6C93-CB2E-4378-91EE-12BE6D4E2E4A}) (Version: 1.20.00 - SEIKO EPSON CORPORATION)
Epson PC-FAX Driver (HKLM-x32\...\EPSON PC-FAX Driver 2) (Version:  - )
EPSON Scan (HKLM-x32\...\EPSON Scanner) (Version:  - Seiko Epson Corporation)
EPSON WorkForce 645 Series Printer Uninstall (HKLM\...\EPSON WorkForce 645 Series) (Version:  - SEIKO EPSON Corporation)
EpsonNet Print (HKLM-x32\...\{3E31400D-274E-4647-916C-2CACC3741799}) (Version: 2.4j - SEIKO EPSON CORPORATION)
Free Realms (HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\SOE-Free Realms) (Version:  - Sony Online Entertainment)
GameSpy Arcade (HKLM-x32\...\GameSpy Arcade) (Version:  - )
Gateway Games (HKLM-x32\...\WildTangent gateway Master Uninstall) (Version: 1.0.0.71 - WildTangent)
Gateway InfoCentre (HKLM-x32\...\Gateway InfoCentre) (Version: 3.02.3000 - Gateway Incorporated)
Gateway MyBackup (HKLM-x32\...\InstallShield_{30075A70-B5D2-440B-AFA3-FB2021740121}) (Version: 2.0.2.19 - NewTech Infosystems)
Gateway Recovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 4.05.3005 - Gateway Incorporated)
Gateway Registration (HKLM-x32\...\Gateway Registration) (Version: 1.02.3006 - Gateway Incorporated)
Gateway ScreenSaver (HKLM-x32\...\Gateway Screensaver) (Version: 1.1.0812 - Gateway Incorporated)
Gateway Updater (HKLM-x32\...\{EE171732-BEB4-4576-887D-CB62727F01CA}) (Version: 1.01.3017 - Gateway Incorporated)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.71 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
HandBrake 0.9.9 (HKLM-x32\...\HandBrake) (Version: 0.9.9 - )
iCloud (HKLM\...\{2AAF09D5-4B3F-4975-B6A9-ECE2631FC942}) (Version: 4.0.5.20 - Apple Inc.)
Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3002 - Gateway Incorporated)
iGadget 6.2 (HKLM-x32\...\iGadget_is1) (Version: 6.2 - Purple Ghost Software, Inc.)
ImagXpress (x32 Version: 7.0.74.0 - Nero AG) Hidden
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 6.0.0.1179 - Intel Corporation)
Intel® Matrix Storage Manager (HKLM\...\{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}) (Version:  - Intel Corporation)
iTunes (HKLM\...\{2ABBBD91-91E5-4AD7-929A-FE15D1DC0576}) (Version: 12.0.1.26 - Apple Inc.)
JMicron JMB36X Driver (HKLM-x32\...\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}) (Version: 1.00.0000 - JMicron Technology Corp.)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
MarkelSoft Dupe Eliminator for iTunes 9.22 (HKLM-x32\...\4092-2816-3317-2888) (Version: 9.22 - MarkelSoft, Inc.)
Maxtor OneTouch (HKLM-x32\...\InstallShield_{231F68F4-70E4-41A6-BEDA-7E7934169B54}) (Version: 2.00.0029 - Maxtor)
Maxtor OneTouch (x32 Version: 2.00.0029 - Maxtor) Hidden
Media Player Codec Pack 4.3.4 (HKLM-x32\...\Media Player - Codec Pack) (Version: 4.3.4 - Media Player Codec Pack)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office PowerPoint Viewer 2007 (English) (HKLM-x32\...\{95120000-00AF-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Suite Activation Assistant (HKLM-x32\...\{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}) (Version: 2.9 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 (HKLM-x32\...\Microsoft SQL Server 2005) (Version:  - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft SQL Server Native Client (HKLM\...\{9ACF3FDB-C8E6-444C-8C64-13A221F7BFFD}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server Setup Support Files (English) (HKLM-x32\...\{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft SQL Server VSS Writer (HKLM\...\{B636C9B9-A3F2-4DCE-ADCC-72E095018385}) (Version: 9.00.5000.00 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (HKLM\...\{B6E3757B-5E77-3915-866A-CCFC4B8D194C}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175 (HKLM\...\{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}) (Version: 8.0.51011 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM-x32\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Works (HKLM-x32\...\{67E03279-F703-408F-B4BF-46B5FC8D70CD}) (Version: 9.7.0621 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML4 Parser (HKLM-x32\...\{01501EBA-EC35-4F9F-8889-3BE346E5DA13}) (Version: 1.0.0 - Microsoft Game Studios)
My Movies for Windows Media Center (HKLM-x32\...\{00B165C5-5846-4107-A5CA-4A7FDB4E49E8}) (Version: 4.0.6.102 - Binnerup Consult)
Napoleon: Total War (HKLM-x32\...\Steam App 34030) (Version:  - The Creative Assembly)
Nero 9 Essentials (HKLM-x32\...\{3fcfa6ab-bd54-4615-b200-bf48fa80e93b}) (Version:  - Nero AG)
Norton Security Scan (HKLM-x32\...\NSS) (Version: 4.1.0.28 - Symantec Corporation)
Panda Cloud Cleaner (HKLM-x32\...\{92B2B132-C7F0-43DC-921A-4493C04F78A4}_is1) (Version: 1.0.104 - Panda Security)
Panda Devices Agent (HKLM-x32\...\Panda Devices Agent) (Version: 1.03.04 - Panda Security)
Panda Devices Agent (x32 Version: 1.05.00 - Panda Security) Hidden
Panda Free Antivirus (HKLM-x32\...\Panda Universal Agent Endpoint) (Version: 15.00.04.0000 - Panda Security)
Panda Free Antivirus (Version: 7.23.00.0000 - Panda Security) Hidden
Photo Frame (HKLM-x32\...\{733C5FC0-F0C4-405B-A983-61C24CC60E39}_is1) (Version: 5.0.0.3 - Northstar Systems Corp.)
QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5969 - Realtek Semiconductor Corp.)
Rise of Nations (HKLM-x32\...\RiseOfNationsExpansion 1.0) (Version: 1.0 - Microsoft)
SONAR Home Studio 6 (HKLM-x32\...\SONARHome_is1) (Version: 15.0 - Cakewalk Music Software)
Spotify (HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve)
Stellar Phoenix JPEG Repair (HKLM-x32\...\Stellar Phoenix JPEG Repair_is1) (Version: 2.0.0.0 - Stellar Information Systems Ltd)
THX TruStudio PC (HKLM-x32\...\{F1F5C7EE-23BB-47A3-943E-9F290DD267F0}) (Version: 1.0 - Creative Technology Limited)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VirtualCloneDrive (HKLM-x32\...\VirtualCloneDrive) (Version: 5.4.7.0 - Elaborate Bytes)
VLC Streamer 4.70 (HKLM-x32\...\VLC Streamer_is1) (Version:  - )
Welcome Center (HKLM-x32\...\Gateway Welcome Center) (Version: 1.00.3008 - Gateway Incorporated)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3502.0922 - Microsoft Corporation)
Windows Live Sync (HKLM-x32\...\{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}) (Version: 14.0.8089.726 - Microsoft Corporation)
WinRAR archiver (HKLM-x32\...\WinRAR archiver) (Version:  - )
Wizard101 (HKLM-x32\...\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}) (Version: 1.0.0 - KingsIsle Entertainment, Inc.)
World in Conflict - DEMO (HKLM-x32\...\{D24CD157-E4C4-4184-9465-B5C025E736AD}) (Version: 1.0.0.0 - Massive Entertainment AB)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Brian\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Brian\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Brian\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\Brian\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll (Dropbox, Inc.)

==================== Restore Points  =========================

02-12-2014 03:39:09 Windows Update
06-01-2015 23:10:24 Scheduled Checkpoint
07-01-2015 18:55:15 avast! antivirus system restore point
07-01-2015 19:04:46 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0080D3E6-8382-42B0-A9DA-8E669DFEB3A1} - System32\Tasks\{919421E9-41E7-4970-9339-0E89116B17E1} => pcalua.exe -a "D:\dvdxcopy1.5.2\20.04 DVDXCopy.exe" -d D:\dvdxcopy1.5.2
Task: {1811977C-DE31-473D-9D92-750372854154} - System32\Tasks\Norton Security Scan for Brian => C:\Program Files (x86)\Norton Security Scan\Engine\4.1.0.28\Nss.exe [2014-11-03] (Symantec Corporation)
Task: {1DB19CDD-6F99-4ECC-9CEC-1247D49B2038} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {1DCB1F9B-CADB-450A-8F38-C837300E7337} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-20] (Google Inc.)
Task: {5A3FC3F6-A0E6-440B-83FA-86C2CB1AC453} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-25] (Adobe Systems Incorporated)
Task: {8A28305D-3F42-48C4-B3D3-287E89C6BB89} - System32\Tasks\Microsoft\Windows\Media Center\Extender\Update media permissions for Mcx1-GATEWAY => C:\Windows\ehome\McxTask.exe [2009-07-13] (Microsoft Corporation)
Task: {C4BDE0E9-FF36-4617-805E-0F28C642B3D6} - System32\Tasks\{45BCBB25-A729-42CD-BC7B-F572E2E47AF2} => pcalua.exe -a "C:\Users\Brian\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7GPSWHO5\Express_HD_EN_1_1_127[1].exe" -d C:\Users\Brian\Desktop
Task: {C6D92330-BCAC-4B1F-8872-A1B86E89A1B8} - System32\Tasks\{1036CF4D-70B5-4E7C-94DC-682F03A451CA} => pcalua.exe -a D:\Setup.exe -d D:\
Task: {C85A750D-E847-46B0-97E0-4EEE791997F2} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-20] (Google Inc.)
Task: {F890E57B-9002-4E15-AA4C-312BD98FF34D} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2015-01-07] (AVAST Software)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\Norton Security Scan for Brian.job => C:\PROGRA~2\NORTON~2\Engine\410~1.28\Nss.exe

==================== Loaded Modules (whitelisted) =============

2009-12-13 21:19 - 2009-12-09 04:24 - 00076320 _____ () C:\OEM\USBDECTION\USBS3S4Detection.exe
2010-08-12 17:41 - 2010-03-15 10:28 - 00052224 _____ () C:\Program Files (x86)\WinRAR\rarext64.dll
2013-08-04 07:00 - 2013-08-04 07:00 - 00075864 _____ () C:\Program Files (x86)\SlySoft\AnyDVD\ADvdDiscHlp64.exe
2014-02-12 20:58 - 2014-02-12 20:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2013-04-12 12:23 - 2013-04-12 12:23 - 00612664 _____ () C:\Program Files (x86)\Panda Security\Panda Security Protection\SQLite3.dll
2009-02-02 20:33 - 2009-02-02 20:33 - 00460199 _____ () C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\sqlite3.dll
2008-09-28 20:55 - 2008-09-28 20:55 - 01076224 _____ () C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\ACE.dll
2015-01-07 18:52 - 2015-01-07 18:52 - 00043008 _____ () c:\users\brian\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmph9deby.dll
2013-08-23 14:01 - 2013-08-23 14:01 - 25100288 _____ () C:\Users\Brian\AppData\Roaming\Dropbox\bin\libcef.dll
2015-01-07 18:58 - 2015-01-07 18:58 - 02909696 _____ () C:\Program Files\AVAST Software\Avast\defs\15010701\algo.dll
2015-01-07 18:58 - 2015-01-07 18:58 - 38562088 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2014-11-26 09:32 - 2014-11-25 01:39 - 01077064 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.71\libglesv2.dll
2014-11-26 09:32 - 2014-11-25 01:39 - 00211272 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.71\libegl.dll
2014-11-26 09:32 - 2014-11-25 01:39 - 09009480 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.71\pdf.dll
2014-11-26 09:32 - 2014-11-25 01:39 - 01677128 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.71\ffmpegsumo.dll
2015-01-07 19:59 - 2014-12-09 12:25 - 01097808 _____ () C:\Program Files (x86)\Google\Update\Install\{5B321458-6291-4DDC-8E9C-465623DE01C8}\39.0.2171.95_39.0.2171.71_chrome_updater.exe

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NanoServiceMain => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\plsapp => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PSUAService => ""="Service"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-2642928640-133285897-1896044851-500 - Administrator - Disabled)
Brian (S-1-5-21-2642928640-133285897-1896044851-1001 - Administrator - Enabled) => C:\Users\Brian
Guest (S-1-5-21-2642928640-133285897-1896044851-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2642928640-133285897-1896044851-1002 - Limited - Enabled)
Mcx1-GATEWAY (S-1-5-21-2642928640-133285897-1896044851-1003 - Limited - Enabled) => C:\Users\Mcx1-GATEWAY

==================== Faulty Device Manager Devices =============

Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (01/07/2015 07:56:02 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 600: ERROR: read_msg errno 0 (The operation completed successfully.)

Error: (01/07/2015 07:56:02 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: ERROR: mDNSPlatformReadTCP - recv: 10053

Error: (01/07/2015 07:06:58 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 480: ERROR: read_msg errno 0 (The operation completed successfully.)

Error: (01/07/2015 07:06:58 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: ERROR: mDNSPlatformReadTCP - recv: 10053

Error: (01/06/2015 10:04:32 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Program Files\Alwil Software\Avast5\setup\avast.setup Files\Alwil Software\Avast5\setup\avast.setup"  /uninstwiz ; Description = avast! Free Antivirus Setup; Error = 0x8007043c).

Error: (12/05/2014 08:31:48 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Brian\Desktop\mbar\mbar.exe ; Description = Malwarebytes Anti-Rootkit Restore Point; Error = 0x8007043c).

Error: (12/05/2014 08:31:48 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Brian\Desktop\mbar\mbar.exe ; Description = Malwarebytes Anti-Rootkit Restore Point; Error = 0x8007043c).

Error: (12/03/2014 10:42:46 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Brian\Desktop\mbar\mbar.exe ; Description = Malwarebytes Anti-Rootkit Restore Point; Error = 0x8007043c).

Error: (12/03/2014 10:42:46 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Brian\Desktop\mbar\mbar.exe ; Description = Malwarebytes Anti-Rootkit Restore Point; Error = 0x8007043c).

Error: (11/28/2014 07:47:19 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: ERROR: handle_resolve_request bad interfaceIndex 24

System errors:
=============
Error: (01/07/2015 06:52:42 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/07/2015 06:50:46 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
awpomqgi

Error: (01/07/2015 06:50:25 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (01/06/2015 11:31:44 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (01/06/2015 10:30:15 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/06/2015 10:28:26 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
awpomqgi

Error: (01/06/2015 10:28:21 PM) (Source: Service Control Manager) (EventID: 7006) (User: )
Description: The ScRegSetValueExW call failed for FailureActions with the following error:
%%5

Error: (01/06/2015 10:14:44 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Error: (01/06/2015 10:11:08 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/06/2015 10:10:21 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {10465E40-E8EC-4C58-B725-594524948D5A}

Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor: Intel® Core™ i7 CPU 860 @ 2.80GHz
Percentage of memory in use: 34%
Total physical RAM: 8151.09 MB
Available physical RAM: 5310.13 MB
Total Pagefile: 16300.37 MB
Available Pagefile: 13293.5 MB
Total Virtual: 8192 MB
Available Virtual: 8191.82 MB

==================== Drives ================================

Drive c: (Gateway) (Fixed) (Total:1381.17 GB) (Free:2.62 GB) NTFS
Drive d: (WDO_Media64) (CDROM) (Total:0.28 GB) (Free:0 GB) UDF
Drive e: (Media) (Fixed) (Total:1863.01 GB) (Free:7.09 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1397.3 GB) (Disk ID: 40F2CD64)
Partition 1: (Not Active) - (Size=16 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=1381.2 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 39020B5F)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

==================== End Of Log ============================

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 07-01-2015
Ran by Brian (administrator) on GATEWAY on 07-01-2015 19:57:47
Running from C:\Users\Brian\Desktop
Loaded Profile: Brian (Available profiles: Brian & Mcx1-GATEWAY)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(ABBYY) C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SEIKO EPSON CORPORATION) C:\Program Files\EPSON\EpsonCustomerParticipation\EPCP.exe
(SEIKO EPSON CORPORATION) C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_WT50RP.EXE
(Acer Incorporated) C:\Program Files (x86)\Gateway\Registration\GregHSRW.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(Acer) C:\Program Files\Gateway\Gateway Updater\UpdaterService.exe
() C:\OEM\USBDECTION\USBS3S4Detection.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATIHVA.EXE
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(SEIKO EPSON CORPORATION) C:\Windows\System32\spool\drivers\x64\3\E_YATIHVA.EXE
(SlySoft, Inc.) C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVDtray.exe
(Hobbyist Software) C:\Program Files (x86)\Hobbyist Software\VLC Streamer\VLC Streamer Configuration.exe
(Spotify Ltd) C:\Users\Brian\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe
(NewTech Infosystems, Inc.) C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe
(North Star com.) C:\Program Files (x86)\Northstar\Photo Frame\Photo Frame.exe
(Dropbox, Inc.) C:\Users\Brian\AppData\Roaming\Dropbox\bin\Dropbox.exe
(SEIKO EPSON CORPORATION) C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
(Binnerup Consult) C:\Program Files (x86)\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
() C:\Program Files (x86)\SlySoft\AnyDVD\ADvdDiscHlp64.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [8312352 2009-10-28] (Realtek Semiconductor)
HKLM-x32\...\Run: [JMB36X IDE Setup] => C:\Windows\RaidTool\xInsIDE.exe [36864 2007-03-20] ()
HKLM-x32\...\Run: [BackupManagerTray] => C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe [244480 2009-08-12] (NewTech Infosystems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-10-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [UpdReg] => C:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [935288 2009-09-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60712 2014-10-11] (Apple Inc.)
HKLM-x32\...\Run: [EEventManager] => C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe [979328 2010-10-12] (SEIKO EPSON CORPORATION)
HKLM-x32\...\Run: [My Movies Tray] => C:\Program Files (x86)\Binnerup Consult\My Movies for Windows Media Center\My Movies Tray.exe [501280 2014-01-19] (Binnerup Consult)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-10] (Elaborate Bytes AG)
HKLM-x32\...\Run: [Codec Settings UAC Manager] => C:\Windows\SysWOW64\C2MP\CodecUACManager.exe [58648 2014-09-27] ()
HKLM-x32\...\Run: [PSUAMain] => C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe [37624 2014-10-16] (Panda Security, S.L.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-10-02] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5225064 2015-01-07] (AVAST Software)
HKLM\...\Winlogon: [Userinit] C:\Windows\SysWOW64\userinit.exe,
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\Run: [EPLTarget\P0000000000000000] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIHVA.EXE [239488 2011-04-24] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\Run: [MobileDocuments] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\Steam.exe [1940160 2014-11-11] (Valve Corporation)
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\Run: [EPLTarget\P0000000000000001] => C:\Windows\system32\spool\DRIVERS\x64\3\E_YATIHVA.EXE [239488 2011-04-24] (SEIKO EPSON CORPORATION)
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\Run: [AnyDVD] => C:\Program Files (x86)\SlySoft\AnyDVD\AnyDVD.exe [93096 2014-03-02] (SlySoft, Inc.)
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\Run: [Hobbyist Software VLC Streamer] => C:\Program Files (x86)\Hobbyist Software\VLC Streamer\VLC Streamer Configuration.exe [1190728 2014-06-07] (Hobbyist Software)
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...\Run: [Spotify Web Helper] => C:\Users\Brian\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe [1514040 2014-11-28] (Spotify Ltd)
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackUpdateChecker.lnk
ShortcutTarget: CodecPackUpdateChecker.lnk -> C:\Windows\SysWOW64\C2MP\UpdateChecker.exe ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Photo Frame.lnk
ShortcutTarget: Photo Frame.lnk -> C:\Program Files (x86)\Northstar\Photo Frame\Photo Frame.exe (North Star com.)
Startup: C:\Users\Brian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Brian\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
BootExecute: autocheck autochk * PCloudBroom64.exe \systemroot\system32\BroomData.bitPCloudBroom64.exe \systemroot\system32\BroomData.bit

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2642928640-133285897-1896044851-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACGW
SearchScopes: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> URL http://search.conduit.com/Results.aspx?ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=5&UP=SP0DF6EC83-76C3-42AC-B584-5EF6A56F5077&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> SuggestionsURL_JSON http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
SearchScopes: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
Toolbar: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {6A060448-60F9-11D5-A6CD-0002B31F7455}
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-2642928640-133285897-1896044851-1001: @soe.sony.com/installer,version=1.0.3 -> C:\Users\Brian\AppData\Local\Microsoft\Internet Explorer\Downloaded Program Files\npsoe.dll ()
FF Plugin HKU\S-1-5-21-2642928640-133285897-1896044851-1001: amazon.com/AmazonMP3DownloaderPlugin -> C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101799.dll (Amazon.com, Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-01-07]

Chrome:
=======
CHR Profile: C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-11-01]
CHR Extension: (Google Docs) - C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-11-01]
CHR Extension: (Google Drive) - C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-11-01]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-11-01]
CHR Extension: (YouTube) - C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-11-01]
CHR Extension: (Google Search) - C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-11-01]
CHR Extension: (Google Sheets) - C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-11-01]
CHR Extension: (Avast Online Security) - C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-01-07]
CHR Extension: (Google Wallet) - C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-11-01]
CHR Extension: (Gmail) - C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-11-01]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-01-07]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2015-01-07] (AVAST Software)
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2010-06-16] (Creative Labs) [File not signed]
S3 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2010-06-16] (Creative Labs) [File not signed]
R2 MSSQL$MYMOVIES; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
R2 NanoServiceMain; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSANHost.exe [142072 2014-10-13] (Panda Security, S.L.)
R2 PandaAgent; C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [66808 2014-10-09] (Panda Security, S.L.)
R2 PSUAService; C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAService.exe [38136 2014-10-16] (Panda Security, S.L.)
R2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 AnyDVD; C:\Windows\System32\Drivers\AnyDVD.sys [138664 2014-02-15] (SlySoft, Inc.)
R3 AnyDVD; C:\Windows\SysWOW64\Drivers\AnyDVD.sys [138664 2014-02-15] (SlySoft, Inc.)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2015-01-07] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [87912 2015-01-07] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2015-01-07] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2015-01-07] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2015-01-07] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2015-01-07] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2015-01-07] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2015-01-07] ()
R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [487216 2014-09-13] (Symantec Corporation)
R1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [96800 2014-06-04] (Panda Security, S.L.)
R1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [162336 2014-06-18] (Panda Security, S.L.)
R1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [112160 2014-06-04] (Panda Security, S.L.)
R1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [115232 2014-06-04] (Panda Security, S.L.)
R1 NNSNAHSL; C:\Windows\System32\DRIVERS\NNSNAHSL.sys [46336 2014-01-16] (Panda Security, S.L.)
R1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [95776 2014-06-04] (Panda Security, S.L.)
R1 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [70176 2014-06-04] (Panda Security, S.L.)
R1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [125984 2014-06-04] (Panda Security, S.L.)
R1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [306720 2014-06-04] (Panda Security, S.L.)
R1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [169504 2014-06-04] (Panda Security, S.L.)
R1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [115744 2014-06-04] (Panda Security, S.L.)
R1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [261152 2014-06-04] (Panda Security, S.L.)
R1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [109088 2014-06-04] (Panda Security, S.L.)
R2 PSINAflt; C:\Windows\System32\DRIVERS\PSINAflt.sys [163088 2014-10-13] (Panda Security, S.L.)
R2 PSINFile; C:\Windows\System32\DRIVERS\PSINFile.sys [121616 2014-10-13] (Panda Security, S.L.)
R1 PSINKNC; C:\Windows\System32\DRIVERS\psinknc.sys [195616 2014-07-24] (Panda Security, S.L.)
R2 PSINProc; C:\Windows\System32\DRIVERS\PSINProc.sys [122400 2014-07-24] (Panda Security, S.L.)
R2 PSINProt; C:\Windows\System32\DRIVERS\PSINProt.sys [132128 2014-07-24] (Panda Security, S.L.)
R2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107792 2014-10-13] (Panda Security, S.L.)
R3 PSKMAD; C:\Windows\System32\DRIVERS\PSKMAD.sys [60400 2014-03-25] (Panda Security, S.L.)
S0 awpomqgi; System32\drivers\dghwxur.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-07 19:57 - 2015-01-07 19:57 - 00020993 _____ () C:\Users\Brian\Desktop\FRST.txt
2015-01-07 19:57 - 2015-01-07 19:57 - 00000000 ____D () C:\FRST
2015-01-07 19:56 - 2015-01-07 19:56 - 02124288 _____ (Farbar) C:\Users\Brian\Desktop\FRST64.exe
2015-01-07 19:00 - 2015-01-07 19:00 - 00000000 ____D () C:\Users\Brian\AppData\Roaming\AVAST Software
2015-01-07 18:59 - 2015-01-07 18:59 - 00001971 _____ () C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2015-01-07 18:59 - 2015-01-07 18:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2015-01-07 18:58 - 2015-01-07 18:59 - 01050432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2015-01-07 18:58 - 2015-01-07 18:59 - 00087912 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys
2015-01-07 18:58 - 2015-01-07 18:58 - 00436624 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2015-01-07 18:58 - 2015-01-07 18:58 - 00364512 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-01-07 18:58 - 2015-01-07 18:58 - 00267632 _____ () C:\Windows\system32\Drivers\aswVmm.sys
2015-01-07 18:58 - 2015-01-07 18:58 - 00116728 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2015-01-07 18:58 - 2015-01-07 18:58 - 00093568 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2015-01-07 18:58 - 2015-01-07 18:58 - 00083280 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys.1420675174766
2015-01-07 18:58 - 2015-01-07 18:58 - 00065776 _____ () C:\Windows\system32\Drivers\aswRvrt.sys
2015-01-07 18:58 - 2015-01-07 18:58 - 00043152 _____ (AVAST Software) C:\Windows\avastSS.scr
2015-01-07 18:58 - 2015-01-07 18:58 - 00029208 _____ () C:\Windows\system32\Drivers\aswHwid.sys
2015-01-07 18:58 - 2015-01-07 18:57 - 01050432 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys.1420675173939
2015-01-07 18:55 - 2015-01-07 18:55 - 00000000 ____D () C:\Program Files\AVAST Software
2015-01-07 18:52 - 2015-01-07 18:55 - 00000000 ____D () C:\ProgramData\AVAST Software
2015-01-03 15:17 - 2015-01-03 15:17 - 00016808 _____ () C:\Users\Brian\Desktop\attach.txt
2015-01-03 15:17 - 2015-01-03 15:17 - 00015876 _____ () C:\Users\Brian\Desktop\dds.txt
2015-01-03 15:06 - 2015-01-03 15:06 - 00688992 ____R (Swearware) C:\Users\Brian\Desktop\dds.com
2015-01-03 15:05 - 2015-01-03 15:05 - 00688992 _____ (Swearware) C:\Users\Brian\Downloads\dds.com
2015-01-03 15:03 - 2015-01-03 15:03 - 00798080 _____ ( ) C:\Users\Brian\Downloads\FileOpenerSetup.exe
2015-01-03 15:03 - 2015-01-03 15:03 - 00798080 _____ ( ) C:\Users\Brian\Downloads\FileOpenerSetup (1).exe
2014-12-27 13:49 - 2014-12-27 13:49 - 00268744 _____ () C:\Windows\Minidump\122714-233502-01.dmp

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-07 19:58 - 2010-06-17 00:23 - 01303776 _____ () C:\Windows\WindowsUpdate.log
2015-01-07 19:56 - 2010-06-18 06:34 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-07 19:42 - 2012-07-07 17:06 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-07 19:31 - 2010-06-18 06:34 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-07 19:00 - 2014-09-08 19:48 - 00004182 _____ () C:\Windows\System32\Tasks\avast! Emergency Update
2015-01-07 19:00 - 2009-07-13 23:45 - 00018736 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-07 19:00 - 2009-07-13 23:45 - 00018736 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-07 18:54 - 2011-02-28 19:41 - 00003922 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{C56969D9-E45A-40FE-B401-F7EF6324816F}
2015-01-07 18:54 - 2009-07-14 00:13 - 00849462 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-07 18:51 - 2013-04-06 10:56 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-01-07 18:51 - 2012-02-14 21:52 - 00002520 _____ () C:\Windows\wininit.ini
2015-01-07 18:50 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-07 18:50 - 2009-07-13 23:51 - 00075253 _____ () C:\Windows\setupact.log
2015-01-06 22:26 - 2009-11-30 03:44 - 00672036 _____ () C:\Windows\PFRO.log
2014-12-27 13:49 - 2014-04-04 21:53 - 00000000 ____D () C:\Windows\Minidump

Some content of TEMP:
====================
C:\Users\Brian\AppData\Local\Temp\bdca-vy6.dll
C:\Users\Brian\AppData\Local\Temp\Company_of_Heroes_DownloadManager_EN.exe
C:\Users\Brian\AppData\Local\Temp\comver.dll
C:\Users\Brian\AppData\Local\Temp\Couponscom.exe
C:\Users\Brian\AppData\Local\Temp\dateinj01.dll
C:\Users\Brian\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Brian\AppData\Local\Temp\drm_dyndata_7330014.dll
C:\Users\Brian\AppData\Local\Temp\drm_dyndata_7380012.dll
C:\Users\Brian\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmph9deby.dll
C:\Users\Brian\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Brian\AppData\Local\Temp\ISSetup.dll
C:\Users\Brian\AppData\Local\Temp\ose00001.exe
C:\Users\Brian\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Brian\AppData\Local\Temp\SpOrder.dll
C:\Users\Brian\AppData\Local\Temp\wget.exe
C:\Users\Brian\AppData\Local\Temp\_setup.dll
C:\Users\Brian\AppData\Local\Temp\{4FD0A8A5-B26D-48BB-89DA-274AEB69571B}.exe
C:\Users\Mcx1-GATEWAY\AppData\Local\Temp\nqjgryvb.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-01-06 23:02

==================== End Of Log ============================



#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,538 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:53 PM

Posted 07 January 2015 - 09:41 PM

Thank you for the information Brian. A lot to tackle in this Post but I must first advise you of the following.

===================================================

BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Please let me know if you have already noticed evidences of financial institution irregularities. Those accounts should be monitored from this point forward.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 

Here are some thoughts I have put together for people who ask what they should do in light of the infection. Ultimately each user must decide for themselves what to do and the below are things you might want to consider.

It is necessary for us to at least make you aware of the worse case scenario. This is because of the potential Backdoor Trojans bring with them, but it is not a determination on our part that your situation currently falls within this worse case scenario.

Ultimately it is a personal decision whether to reformat or not. What decision should you make to let you sleep well at night? It is different for different people. I will say whether rightly or wrongly most people decide to clean and not reformat, at least initially.

The only insight I can offer is how I evaluate the issue personally even though I have never had a Backdoor Trojan on my computer. One of the primary purposes for malicious software is to somehow separate you from your money. It seems reasonable to assume that a thief trying to take your money via a Backdoor Trojan will hit you hard, and quickly. Once your computer starts to act up and you become suspicious you have the opportunity to eliminate access to your computer and change the information taken, namely account and password information. The key to this, in my opinion, is whether or not you have noticed any irregularities in your banking or other financial institutions, or things like email and social network accounts (i.e. Facebook). If you have not seen any evidence of that then you may question whether your information has truly been stolen. If it seems it hasn't, and your critical information has been changed, it is reasonable to be more confident you are safe but you must stop short of claiming an absolute guarantee.

If, after careful consideration you decide not to reformat your computer it would be wise to continue monitoring your sensitive data and don't wait to address future symptoms on your computer which seem to be malware related.

The bottom line, the only way to be absolutely sure to be rid of a Backdoor Trojan is to reformat. The decision is yours.

Oh My!


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

===================================================

Multiple Antivirus Programs

-------------------

This was my fault for having you reinstall Avast when you had another Antivirus program installed....

I do not recommend that you have more than one anti virus product installed on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please remove all but one of the Antivirus programs currently on your computer, even if only one is running. You can do this via Add/Remove Programs, or Programs and Features in the Control Panel.
 

Panda Free Antivirus
avast! Antivirus


===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed youi will see Pending. Please check elements you don't want to remove above the progress bar
  • Click on Clean
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can also find the logfile at C:\AdwCleaner\AdwCleaner.txt
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key Windows_Logo_key.gif + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
SearchScopes: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> URL http://search.conduit.com/Results.aspx?ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=5&UP=SP0DF6EC83-76C3-42AC-B584-5EF6A56F5077&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> SuggestionsURL_JSON http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
SearchScopes: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll No File
S0 awpomqgi; System32\drivers\dghwxur.sys [X]
C:\Users\Brian\AppData\Local\Temp\bdca-vy6.dll
C:\Users\Brian\AppData\Local\Temp\Company_of_Heroes_DownloadManager_EN.exe
C:\Users\Brian\AppData\Local\Temp\comver.dll
C:\Users\Brian\AppData\Local\Temp\Couponscom.exe
C:\Users\Brian\AppData\Local\Temp\dateinj01.dll
C:\Users\Brian\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Brian\AppData\Local\Temp\drm_dyndata_7330014.dll
C:\Users\Brian\AppData\Local\Temp\drm_dyndata_7380012.dll
C:\Users\Brian\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmph9deby.dll
C:\Users\Brian\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Brian\AppData\Local\Temp\ISSetup.dll
C:\Users\Brian\AppData\Local\Temp\ose00001.exe
C:\Users\Brian\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Brian\AppData\Local\Temp\SpOrder.dll
C:\Users\Brian\AppData\Local\Temp\wget.exe
C:\Users\Brian\AppData\Local\Temp\_setup.dll
C:\Users\Brian\AppData\Local\Temp\{4FD0A8A5-B26D-48BB-89DA-274AEB69571B}.exe
C:\Users\Mcx1-GATEWAY\AppData\Local\Temp\nqjgryvb.dll
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Brian\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Brian\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\plsapp => ""="service"
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

SystemLook by jpshortstuff

--------------------
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2
Download Mirror #3 For 64-bit users

  • Double-click SystemLook.exe to run it.
  • Vista\Windows 7 users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:service
*awpomqgi*
:process
*awpomqgi*
:filefind
*awpomqgi*
:regfind
*awpomqgi*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply or, if necessary zip and attach the file.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Were you able to successfully remove an Antivirus program?
  • AdwCleaner log
  • Junkware log
  • Fixlog
  • SystemLook log
  • Update on computer behavior

Edited by Oh My!, 07 January 2015 - 09:43 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,538 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:53 PM

Posted 12 January 2015 - 09:14 PM

Greetings,

===================================================

3 Day Bump

It has been more than 3 days since my last post.
  • Do you still need help with this?
  • If after 48hrs you have not replied to this thread then it will have to be closed.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#13 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,538 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:53 PM

Posted 15 January 2015 - 10:24 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,538 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:53 PM

Posted 15 January 2015 - 04:59 PM

This topic has been re-opened at the request of the person who originally posted.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 bd43stew

bd43stew
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:02:53 AM

Posted 18 January 2015 - 07:38 PM

Thank you for your patience!  I was able to uninstall the Panda antivirus program and have also attached the logs you required.
 
Brian

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-01-2015
Ran by Brian at 2015-01-18 17:24:10 Run:1
Running from C:\Users\Brian\Desktop
Loaded Profile: Brian (Available profiles: Brian & Mcx1-GATEWAY)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
SearchScopes: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> URL http://search.conduit.com/Results.aspx?ctid=CT3324790&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=5&UP=SP0DF6EC83-76C3-42AC-B584-5EF6A56F5077&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> SuggestionsURL_JSON http://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
SearchScopes: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-2642928640-133285897-1896044851-1001 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll No File
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll No File
S0 awpomqgi; System32\drivers\dghwxur.sys [X]
C:\Users\Brian\AppData\Local\Temp\bdca-vy6.dll
C:\Users\Brian\AppData\Local\Temp\Company_of_Heroes_DownloadManager_EN.exe
C:\Users\Brian\AppData\Local\Temp\comver.dll
C:\Users\Brian\AppData\Local\Temp\Couponscom.exe
C:\Users\Brian\AppData\Local\Temp\dateinj01.dll
C:\Users\Brian\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Brian\AppData\Local\Temp\drm_dyndata_7330014.dll
C:\Users\Brian\AppData\Local\Temp\drm_dyndata_7380012.dll
C:\Users\Brian\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmph9deby.dll
C:\Users\Brian\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\Brian\AppData\Local\Temp\ISSetup.dll
C:\Users\Brian\AppData\Local\Temp\ose00001.exe
C:\Users\Brian\AppData\Local\Temp\SearchWithGoogleUpdate.exe
C:\Users\Brian\AppData\Local\Temp\SpOrder.dll
C:\Users\Brian\AppData\Local\Temp\wget.exe
C:\Users\Brian\AppData\Local\Temp\_setup.dll
C:\Users\Brian\AppData\Local\Temp\{4FD0A8A5-B26D-48BB-89DA-274AEB69571B}.exe
C:\Users\Mcx1-GATEWAY\AppData\Local\Temp\nqjgryvb.dll
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Brian\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Brian\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\plsapp => ""="service"

*****************

"HKU\S-1-5-21-2642928640-133285897-1896044851-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-2642928640-133285897-1896044851-1001\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\URL => value deleted successfully.
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\SuggestionsURL_JSON => value deleted successfully.
"HKU\S-1-5-21-2642928640-133285897-1896044851-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => Key not found.
HKU\S-1-5-21-2642928640-133285897-1896044851-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
"HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/ShockwavePlayer" => Key deleted successfully.
awpomqgi => Service deleted successfully.
C:\Users\Brian\AppData\Local\Temp\bdca-vy6.dll => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\Company_of_Heroes_DownloadManager_EN.exe => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\comver.dll => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\Couponscom.exe => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\dateinj01.dll => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\dllnt_dump.dll => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\drm_dyndata_7330014.dll => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\drm_dyndata_7380012.dll => Moved successfully.
"C:\Users\Brian\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmph9deby.dll" => File/Directory not found.
C:\Users\Brian\AppData\Local\Temp\FlashPlayerUpdate.exe => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\ISSetup.dll => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\ose00001.exe => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\SearchWithGoogleUpdate.exe => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\SpOrder.dll => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\wget.exe => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\_setup.dll => Moved successfully.
C:\Users\Brian\AppData\Local\Temp\{4FD0A8A5-B26D-48BB-89DA-274AEB69571B}.exe => Moved successfully.
C:\Users\Mcx1-GATEWAY\AppData\Local\Temp\nqjgryvb.dll => Moved successfully.
"HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => Key deleted successfully.
HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
"HKU\S-1-5-21-2642928640-133285897-1896044851-1001_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}" => Key deleted successfully.
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\plsapp" => Key deleted successfully.

==== End of Fixlog 17:24:11 ====
# AdwCleaner v4.108 - Report created 18/01/2015 at 17:19:00
# Updated 17/01/2015 by Xplode
# Database : 2015-01-13.2 [Local]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Brian - GATEWAY
# Running from : C:\Users\Brian\Desktop\adwcleaner_4.108.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Aimersoft Video Converter Ultimate
Folder Deleted : C:\ProgramData\Partner
Folder Deleted : C:\Users\Brian\AppData\Local\Slick Savings
Folder Deleted : C:\Users\Brian\Documents\Aimersoft Video Converter Ultimate

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Key Deleted : HKLM\SOFTWARE\Classes\AppID\SelectionLinks.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbCommonUtils.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\TbHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler
Key Deleted : HKLM\SOFTWARE\Classes\ComObject.DeskbarEnabler.1
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils
Key Deleted : HKLM\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbDownloadManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbPropertyManager.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbRequest
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbRequest.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.TbTask.1
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper
Key Deleted : HKLM\SOFTWARE\Classes\TbHelper.ToolbarHelper.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar3.SearchProviderManager.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4CE516A7-F7AC-4628-B411-8F886DC5733E}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9F34B17E-FF0D-4FAB-97C4-9713FEE79052}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B87F8B63-7274-43FD-87FA-09D3B7496148}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{300BEC06-B743-4D19-86B9-11DC711D7FFB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{BF921DD3-732A-4A11-933B-A5EA49F2FD2C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D83B296A-2FA6-425B-8AE8-A1F33D99FBD6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE171732-BEB4-4576-887D-CB62727F01CA}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.17183


-\\ Google Chrome v39.0.2171.95

[C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [6119 octets] - [18/01/2015 17:17:06]
AdwCleaner[S0].txt - [5736 octets] - [18/01/2015 17:19:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5796 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Home Premium x64
Ran by Brian on Sun 01/18/2015 at 17:54:49.06
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-2642928640-133285897-1896044851-1001\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{11111111-1111-1111-1111-110211181104}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110211181104}



~~~ Files

Successfully deleted: [File] "C:\Windows\wininit.ini"



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Brian\AppData\Roaming\getrighttogo"
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{1F287247-4429-4485-8825-67B07ACE11C9}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{27C61264-F105-4155-9B20-C4E2A8706278}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{2F9BC0B9-4666-44A9-9231-B0655AFAC6B9}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{3ECBACBA-0309-45D5-9CE8-E475D2264124}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{53692A25-AAF2-497A-BAB7-BC44D8B1D4D8}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{6A8A6723-8B5B-43EB-AB43-DC2B45F0F11A}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{774A583C-7F84-4121-AD59-CA1771BD70F5}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{82731137-5366-43BD-8F78-1EE37665DB55}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{8CD3E805-BCCD-4F06-92C9-4190907F79DF}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{95CA2DF2-82E2-4527-A3A7-AB7DEF1071BC}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{9C19504E-6F9D-437D-939F-C9515E6021A7}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{9E198317-461B-4380-84C6-AB741205160D}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{A59DB467-7BE0-4690-9976-7972E8C8B000}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{BBF6911B-1DE8-44CA-8B96-290E8B31F869}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{C262308B-0B62-45C1-9D1B-9B2FA6FCB66F}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{C5E2CDEE-BE0A-4B4E-9E37-77C5844953C5}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{D093B940-90EE-4C8F-A9A0-83619645992E}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{E4192E7E-C608-45CD-AE15-A73917143A42}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{EC7CE930-F217-42A2-8D6F-8B7DAF346B00}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{F0708F6C-C5A1-44A5-AD68-F75F44315697}
Successfully deleted: [Empty Folder] C:\Users\Brian\appdata\local\{FEDA171D-9A08-4244-9F5E-548B8F04EF12}



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 01/18/2015 at 18:02:05.87
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SystemLook 30.07.11 by jpshortstuff
Log created at 17:26 on 18/01/2015 by Brian
Administrator - Elevation successful

========== service ==========

*awpomqgi* - Unable to open Service Handle.

========== process ==========

*awpomqgi* - Unable to open process handle.

========== filefind ==========

Searching for "*awpomqgi*"
No files found.

========== regfind ==========

Searching for "*awpomqgi*"
No data found.

-= EOF =-

Attached Files


Edited by Oh My!, 19 January 2015 - 10:40 AM.
Posted logs





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users