
Infected, screen goes black, unable to fix issue. HELP please!!


This topic is locked
8 replies to this topic

#1 assaadw

assaadw

  • Members
  • 5 posts

Posted 08 February 2015 - 05:01 PM

Hello,

I have tried using Malwarebytes, which usually does the job; even the ESET online virus scanner doesn't help here.

My screen goes black and I'm forced to reboot, as nothing else works. I used Malwarebytes, ESET, Junkremoval and AdwCleaner, and they removed infected files, but the same issue keeps reappearing.

Help please! I will follow your procedures step by step.

Thanks

Sam


Edited by assaadw, 08 February 2015 - 05:08 PM.



#2 assaadw

assaadw
  • Topic Starter

  • Members
  • 5 posts

Posted 10 February 2015 - 08:48 PM

Anyone? The issue seems to happen over and over and it's exam time :(



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 February 2015 - 10:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Delete".
  • Wait until the Status box shows "Deleting Finished".
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop.
  • Exit/Close RogueKiller.
=======

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file, select "More Reply Options" and follow the instructions.

Wait for further instructions.

#4 assaadw

assaadw
  • Topic Starter

  • Members
  • 5 posts

Posted 13 February 2015 - 07:52 PM

Hi nasdaq,

Thanks so much. I haven't been able to use it because of exams... here it is:

 

RogueKiller V10.2.0.0 (x64) [Jan 19 2015] by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Abbas [Administrator]
Mode : Delete -- Date : 02/13/2015  19:40:00
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 14 ¤¤¤
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer :   -> Not selected
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer :   -> Not selected
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer :   -> Not selected
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer :   -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_5  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_5  -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_5  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_5  -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2971341904-2727500288-3529390253-1001\Software\Microsoft\Internet Explorer\Main | Start Page :http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_5  -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2971341904-2727500288-3529390253-1001\Software\Microsoft\Internet Explorer\Main | Start Page :http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_5  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Data +++++
--- User ---
[MBR] 9699ee3a42f586a3fb171464eac64f22
[BSP] 45ef0935b630baf7b6784240cc3bbf8a : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 101767 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 208828935 | Size: 374968 MB
User = LL1 ... OK
Error reading LL2 MBR! ([57] The parameter is incorrect. )
 
+++++ PhysicalDrive1: FFS +++++
--- User ---
[MBR] 3454eeeab0e9ed6742ba4b3be31c88cb
[BSP] 39d893dde9b74690865d92694c67e46d : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] OS/2-HIBER (0x84) [HIDDEN!] Offset (sectors): 2048 | Size: 4094 MB
User = LL1 ... OK
Error reading LL2 MBR! ([57] The parameter is incorrect. )
 
 
============================================
RKreport_SCN_02132015_193913.log
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 12-02-2015
Ran by Abbas (administrator) on ABBAS-HP on 13-02-2015 19:46:52
Running from C:\Users\Abbas\Desktop\Farb
Loaded Profiles: Abbas (Available profiles: Abbas)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe
(HP) C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\EvtEng.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgemca.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Windows\SysWOW64\irstrtsv.exe
() C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Pharos Systems International) C:\Program Files (x86)\PharosSystems\Core\CTskMstr.exe
(Intel® Corporation) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
(SecureW2 B.V.) C:\Program Files (x86)\SecureW2\sw2_service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Intel® Corporation) C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\obexsrv.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(AuthenTec Inc.) C:\Program Files (x86)\HP SimplePass\TouchControl.exe
() C:\Program Files (x86)\HP SimplePass\IEWebSiteLogon.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Google Inc.) C:\Users\Abbas\AppData\Local\Google\Update\GoogleUpdate.exe
(Google Inc.) C:\Users\Abbas\AppData\Local\Google\Chrome\Application\chrome.exe
() C:\Users\Abbas\AppData\Roaming\Avg_Update_1014av\AVG-Secure-Search-Update_1014av.exe
(Dropbox, Inc.) C:\Users\Abbas\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(PowerISO Computing, Inc.) C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe
(SecureW2 B.V.) C:\Program Files (x86)\SecureW2\sw2_tray.exe
(Google Inc.) C:\Users\Abbas\AppData\Local\Google\Chrome\Application\chrome.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2015\avgui.exe
(Google Inc.) C:\Users\Abbas\AppData\Local\Google\Chrome\Application\chrome.exe
() C:\ProgramData\Avg_Update_1014av\AVG-Secure-Search-Update_1014av.exe
(Google Inc.) C:\Users\Abbas\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Abbas\AppData\Local\Google\Chrome\Application\chrome.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Bluetooth\btplayerctrl.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(CyberLink) C:\Program Files (x86)\CyberLink\YouCam\YCMMirage.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
(Intel® Corporation) C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Microsoft Corporation) C:\Windows\System32\msra.exe
(Microsoft Corporation) C:\Windows\System32\sdchange.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [1425408 2012-03-03] (IDT, Inc.)
HKLM\...\Run: [BLEServicesCtrl] => C:\Program Files (x86)\Intel\Bluetooth\BleServicesCtrl.exe [178960 2012-03-15] (Intel Corporation)
HKLM\...\Run: [BTMTrayAgent] => rundll32.exe "C:\Program Files (x86)\Intel\Bluetooth\btmshell.dll",TrayApp
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291608 2012-01-27] (Intel Corporation)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [180224 2009-07-26] (PowerISO Computing, Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [43816 2014-07-31] (Apple Inc.)
HKLM-x32\...\Run: [SecureW2 Tray] => C:\Program Files (x86)\SecureW2\sw2_tray.exe [218024 2012-12-10] (SecureW2 B.V.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [HP CoolSense] => C:\Program Files (x86)\Hewlett-Packard\HP CoolSense\CoolSense.exe [1343904 2012-11-05] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2014-01-17] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-09-01] (Apple Inc.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2015\avgui.exe [3674576 2015-01-06] (AVG Technologies CZ, s.r.o.)
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2015-02-03] (Hewlett-Packard)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2971341904-2727500288-3529390253-1001\...\Run: [Google Update] => C:\Users\Abbas\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-08-26] (Google Inc.)
HKU\S-1-5-21-2971341904-2727500288-3529390253-1001\...\Run: [GoogleChromeAutoLaunch_EB2B0ECF8EE689AAA8DBC06BD4E27450] => C:\Users\Abbas\AppData\Local\Google\Chrome\Application\chrome.exe [843592 2015-02-04] (Google Inc.)
HKU\S-1-5-21-2971341904-2727500288-3529390253-1001\...\Run: [AVG-Secure-Search-Update_1014av] => C:\Users\Abbas\AppData\Roaming\Avg_Update_1014av\AVG-Secure-Search-Update_1014av.exe [2774040 2014-09-23] ()
HKU\S-1-5-21-2971341904-2727500288-3529390253-1001\...\MountPoints2: H - H:\LaunchU3.exe -a
HKU\S-1-5-21-2971341904-2727500288-3529390253-1001\...\MountPoints2: {4c603eea-6f2c-11e2-88c4-685d43c81dbe} - H:\LaunchU3.exe -a
Startup: C:\Users\Abbas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Abbas\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Abbas\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Abbas\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Abbas\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Abbas\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Abbas\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Abbas\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Abbas\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_5
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_5
HKU\S-1-5-21-2971341904-2727500288-3529390253-1001\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.symantec.com/enterprise/security_response/index.jsp?inid=biz_SR_sep_V12_1_MR_5
HKU\S-1-5-21-2971341904-2727500288-3529390253-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/HPNOT/1
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://www.ebay.com/sch/i.html?_nkw={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2971341904-2727500288-3529390253-1001 -> {02E69AF2-5633-45A5-B2D0-D147E029A353} URL = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2971341904-2727500288-3529390253-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://www.ebay.com/sch/i.html?_nkw={searchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
Toolbar: HKU\S-1-5-21-2971341904-2727500288-3529390253-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {6A060448-60F9-11D5-A6CD-0002B31F7455} 
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
 
FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @authentec.com/ffwloplugin -> C:\Program Files (x86)\HP SimplePass\npffwloplugin.dll ( HP)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.0.59 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @mcgrawhill.com/ChemDrawMGH,version=12.0 -> C:\Program Files (x86)\CambridgeSoft\ChemOffice2010\ChemDrawMGH\NPCDPMGH32.dll (CambridgeSoft Corp.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\2\NP_wtapp.dll ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2971341904-2727500288-3529390253-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Abbas\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-2971341904-2727500288-3529390253-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Abbas\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Abbas\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Abbas\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
CHR Extension: (YouTube) - C:\Users\Abbas\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-08-27]
CHR Extension: (Adblock Plus) - C:\Users\Abbas\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2013-07-15]
CHR Extension: (Google Search) - C:\Users\Abbas\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-08-27]
CHR Extension: (AdBlock) - C:\Users\Abbas\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2013-07-15]
CHR Extension: (Google Wallet) - C:\Users\Abbas\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-08]
CHR Extension: (Gmail) - C:\Users\Abbas\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-08-27]
CHR HKLM-x32\...\Chrome\Extension: [hmbkhknacohfhbmmpnmbkgdffdbildof] - C:\Program Files (x86)\HP SimplePass\tschrome.crx [2012-12-12]
StartMenuInternet: Google Chrome.TWKHCYSFK6IDHX4ADQQLXDZBTI - C:\Users\Abbas\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe [3440080 2015-01-06] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe [309232 2015-01-06] (AVG Technologies CZ, s.r.o.)
R2 FPLService; C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe [1641768 2013-02-07] (HP)
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company) [File not signed]
R2 irstrtsv; C:\Windows\SysWOW64\irstrtsv.exe [193536 2012-02-06] (Intel Corporation)
R2 ISCTAgent; C:\Program Files\Intel\Intel® Smart Connect Technology Agent\iSCTAgent.exe [133632 2012-02-09] ()
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [161560 2012-02-08] (Intel Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 Pharos Systems ComTaskMaster; C:\Program Files (x86)\PharosSystems\Core\CTskMstr.exe [345600 2010-01-14] (Pharos Systems International) [File not signed]
R2 SW2SVC; C:\Program Files (x86)\SecureW2\sw2_service.exe [107432 2012-12-10] (SecureW2 B.V.)
S3 TrueService; C:\Program Files\Common Files\AuthenTec\TrueService.exe [401856 2013-01-07] (AuthenTec, Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 ZeroConfigService; C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe [2669840 2012-02-26] (Intel® Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [153368 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [260888 2014-12-08] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [203544 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [243480 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [313624 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [124184 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [274200 2014-10-10] (AVG Technologies CZ, s.r.o.)
R3 hswpan; C:\Windows\system32\drivers\hswpan.sys [109056 2012-01-27] (Ozmo Inc)
R3 ikbevent; C:\Windows\System32\DRIVERS\ikbevent.sys [25536 2012-02-09] ()
R3 imsevent; C:\Windows\System32\DRIVERS\imsevent.sys [25536 2012-02-09] ()
R3 irstrtdv; C:\Windows\system32\drivers\irstrtdv.sys [26504 2012-02-07] (Intel Corporation)
R3 ISCT; C:\Windows\system32\drivers\ISCTD64.sys [44992 2012-02-09] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-02-13] (Malwarebytes Corporation)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [63704 2014-11-21] (Malwarebytes Corporation)
S3 pwdspio; C:\Windows\system32\pwdspio.sys [13280 2010-04-09] ()
R3 SmbDrv; C:\Windows\system32\drivers\Smb_driver.sys [21264 2012-03-01] (Synaptics Incorporated)
R3 WPRO_41_2001; C:\Windows\System32\drivers\WPRO_41_2001.sys [34752 2015-02-13] ()
S3 pwdrvio; \??\C:\Windows\system32\pwdrvio.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-13 19:46 - 2015-02-13 19:46 - 00000000 ____D () C:\FRST
2015-02-13 19:45 - 2015-02-13 19:46 - 00000000 ____D () C:\Users\Abbas\Desktop\Farb
2015-02-13 19:41 - 2015-02-13 19:41 - 00001794 _____ () C:\Users\Abbas\Desktop\Invitation13.msrcIncident
2015-02-13 19:21 - 2015-02-13 19:35 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-02-13 19:21 - 2015-02-13 19:21 - 18570328 _____ () C:\Users\Abbas\Desktop\RogueKillerX64.exe
2015-02-13 19:21 - 2015-02-13 19:21 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-02-13 19:12 - 2015-02-13 19:14 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2015-02-08 15:39 - 2015-02-08 15:39 - 02347384 _____ (ESET) C:\Users\Abbas\Desktop\esetsmartinstaller_enu.exe
2015-02-08 14:00 - 2015-02-08 17:10 - 00000000 ____D () C:\AdwCleaner
2015-02-08 13:42 - 2015-02-13 19:14 - 00000520 _____ () C:\Windows\Tasks\AVG_SYS_TASK_1014av.job
2015-02-08 13:42 - 2015-02-13 19:14 - 00000388 _____ () C:\Windows\Tasks\AVG_SYS_TASK_1014av_DELETE.job
2015-02-08 13:42 - 2015-02-08 13:42 - 00002890 _____ () C:\Windows\System32\Tasks\AVG_SYS_TASK_1014av_DELETE
2015-02-08 13:42 - 2015-02-08 13:42 - 00002814 _____ () C:\Windows\System32\Tasks\AVG_SYS_TASK_1014av
2015-02-08 13:42 - 2015-02-08 13:42 - 00000000 ____D () C:\Users\Abbas\AppData\Roaming\Avg_Update_1014av
2015-02-08 13:42 - 2015-02-08 13:42 - 00000000 ____D () C:\ProgramData\Avg_Update_1014av
2015-02-08 13:40 - 2015-02-08 13:40 - 00000000 ____D () C:\Users\Abbas\AppData\Roaming\AVG2015
2015-02-08 13:39 - 2015-02-08 13:39 - 00000967 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2015-02-08 13:39 - 2015-02-08 13:39 - 00000000 ___HD () C:\$AVG
2015-02-08 13:39 - 2015-02-08 13:39 - 00000000 ____D () C:\Users\Abbas\AppData\Roaming\TuneUp Software
2015-02-08 13:39 - 2015-02-08 13:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-02-08 13:39 - 2015-02-08 13:39 - 00000000 ____D () C:\ProgramData\AVG2015
2015-02-08 13:38 - 2015-02-08 13:38 - 00000000 ____D () C:\Program Files (x86)\AVG
2015-02-08 13:37 - 2015-02-13 19:19 - 00000000 ____D () C:\ProgramData\MFAData
2015-02-08 13:37 - 2015-02-08 14:59 - 00000000 ____D () C:\Users\Abbas\AppData\Local\Avg2015
2015-02-08 13:37 - 2015-02-08 13:37 - 00000000 ____D () C:\Users\Abbas\AppData\Local\MFAData
2015-02-08 13:36 - 2015-02-08 13:37 - 04637504 _____ (AVG Technologies) C:\Users\Abbas\Desktop\avg_free_stb_all_2015_5557_cnet.exe
2015-02-07 11:16 - 2015-02-13 19:14 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-02-07 11:16 - 2015-02-07 11:16 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-02-07 11:16 - 2015-02-07 11:16 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-02-07 11:16 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-02-07 11:16 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-02-07 10:49 - 2015-02-07 10:49 - 00000000 ____D () C:\Users\Abbas\AppData\Roaming\TeamViewer
2015-01-15 19:14 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 21:22 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 21:22 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 21:22 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 21:22 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 21:22 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 21:22 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 21:22 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 21:22 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-14 21:22 - 2014-12-11 12:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-14 21:22 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 21:22 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-14 21:22 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-02-13 19:45 - 2012-03-24 21:56 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-02-13 19:45 - 2012-03-24 21:56 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-02-13 19:32 - 2012-08-27 03:48 - 02032933 _____ () C:\Windows\WindowsUpdate.log
2015-02-13 19:26 - 2009-07-13 23:45 - 00031472 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-02-13 19:26 - 2009-07-13 23:45 - 00031472 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-02-13 19:25 - 2014-05-04 20:17 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-13 19:18 - 2009-07-14 00:13 - 00782470 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-02-13 19:14 - 2014-05-04 20:17 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-13 19:14 - 2013-07-15 15:56 - 00000200 _____ () C:\Windows\Tasks\AutoKMS.job
2015-02-13 19:14 - 2013-06-03 18:04 - 00000000 ___RD () C:\Users\Abbas\Dropbox
2015-02-13 19:14 - 2013-06-03 18:01 - 00000000 ____D () C:\Users\Abbas\AppData\Roaming\Dropbox
2015-02-13 19:14 - 2012-07-22 01:06 - 00034752 _____ () C:\Windows\system32\Drivers\WPRO_41_2001.sys
2015-02-13 19:14 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-02-13 19:14 - 2009-07-13 23:51 - 00089754 _____ () C:\Windows\setupact.log
2015-02-13 19:06 - 2010-11-20 22:47 - 04672378 _____ () C:\Windows\PFRO.log
2015-02-13 19:04 - 2014-02-26 22:31 - 00003186 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForAbbas
2015-02-13 19:04 - 2014-02-26 22:31 - 00000332 _____ () C:\Windows\Tasks\HPCeeScheduleForAbbas.job
2015-02-13 19:04 - 2012-08-26 13:45 - 00000856 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2971341904-2727500288-3529390253-1001Core.job
2015-02-13 19:03 - 2013-07-15 15:56 - 00000200 _____ () C:\Windows\Tasks\AutoKMSDaily.job
2015-02-12 15:32 - 2012-08-26 12:01 - 00003926 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{FA8592A1-4469-4539-AB68-BC1BABA81D2F}
2015-02-12 15:14 - 2013-06-03 18:04 - 00001021 _____ () C:\Users\Abbas\Desktop\Dropbox.lnk
2015-02-12 15:14 - 2013-06-03 18:01 - 00000000 ____D () C:\Users\Abbas\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2015-02-08 15:36 - 2014-11-16 16:34 - 00000000 ____D () C:\Users\Abbas\AppData\Local\Popcorn-Time
2015-02-08 14:16 - 2013-06-22 17:23 - 00000000 ____D () C:\Users\Abbas\AppData\Roaming\Real
2015-02-08 13:27 - 2013-06-22 17:23 - 00000000 ____D () C:\Program Files (x86)\Real
2015-02-08 13:27 - 2013-06-22 16:58 - 00000000 ____D () C:\ProgramData\Real
2015-02-08 13:25 - 2013-06-03 09:31 - 00000000 ____D () C:\Windows\system32\Drivers\SEP
2015-02-08 13:23 - 2012-08-28 03:08 - 00000000 ____D () C:\Users\Abbas\AppData\Local\CrashDumps
2015-02-07 12:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\Help
2015-02-07 11:16 - 2013-06-03 10:21 - 00001108 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-02-07 11:16 - 2013-06-03 10:21 - 00000000 ____D () C:\Users\Abbas\AppData\Roaming\Malwarebytes
2015-02-07 11:16 - 2013-06-03 10:21 - 00000000 ____D () C:\ProgramData\Malwarebytes
2015-02-07 11:16 - 2013-06-03 10:21 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes' Anti-Malware
2015-02-06 20:20 - 2014-05-04 20:17 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-02-06 20:20 - 2014-05-04 20:17 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-02-04 20:13 - 2013-06-22 17:24 - 00003340 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2971341904-2727500288-3529390253-1001
2015-02-04 20:13 - 2013-06-22 17:24 - 00003206 _____ () C:\Windows\System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2971341904-2727500288-3529390253-1001
2015-02-04 17:02 - 2012-08-26 13:45 - 00003878 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2971341904-2727500288-3529390253-1001UA
2015-02-04 17:02 - 2012-08-26 13:45 - 00003482 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2971341904-2727500288-3529390253-1001Core
2015-02-04 17:02 - 2012-08-26 13:45 - 00000908 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2971341904-2727500288-3529390253-1001UA.job
2015-02-02 21:16 - 2013-11-19 16:43 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2015-02-02 21:16 - 2013-11-19 16:42 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2015-01-28 15:50 - 2014-05-04 20:19 - 00002044 _____ () C:\Users\Public\Desktop\Google Slides.lnk
2015-01-28 15:50 - 2014-05-04 20:19 - 00002042 _____ () C:\Users\Public\Desktop\Google Sheets.lnk
2015-01-28 15:50 - 2014-05-04 20:19 - 00002032 _____ () C:\Users\Public\Desktop\Google Docs.lnk
2015-01-28 15:50 - 2014-05-04 20:19 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2015-01-25 14:12 - 2012-08-26 11:52 - 00000000 ____D () C:\Users\Abbas
2015-01-22 10:41 - 2014-04-16 16:47 - 00254241 _____ () C:\notify_debug.txt
2015-01-17 18:45 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2015-01-17 14:02 - 2012-08-26 13:29 - 00000000 ____D () C:\Users\Abbas\Documents\Symantec
2015-01-15 16:10 - 2013-08-17 09:34 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-15 16:03 - 2013-05-05 11:07 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
 
==================== Files in the root of some directories =======
 
2013-07-15 16:01 - 2013-07-15 16:01 - 0000000 _____ () C:\Users\Abbas\AppData\Roaming\AbsoluteReminder.xml
2012-09-01 22:28 - 2012-09-01 22:28 - 0000017 _____ () C:\Users\Abbas\AppData\Local\resmon.resmoncfg
 
Some content of TEMP:
====================
C:\Users\Abbas\AppData\Local\Temp\CrInstHelper.dll
C:\Users\Abbas\AppData\Local\Temp\del.EXE
C:\Users\Abbas\AppData\Local\Temp\Delta.exe
C:\Users\Abbas\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Abbas\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpcirfoj.dll
C:\Users\Abbas\AppData\Local\Temp\Extract.exe
C:\Users\Abbas\AppData\Local\Temp\FastFreeConverterUpdt_v4.0.exe
C:\Users\Abbas\AppData\Local\Temp\FastFreeConverterUpdt_v4.1.exe
C:\Users\Abbas\AppData\Local\Temp\FD42.exe
C:\Users\Abbas\AppData\Local\Temp\FRG.exe
C:\Users\Abbas\AppData\Local\Temp\helper.exe
C:\Users\Abbas\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Abbas\AppData\Local\Temp\installhelper.dll
C:\Users\Abbas\AppData\Local\Temp\lowproc.exe
C:\Users\Abbas\AppData\Local\Temp\msvcp100.dll
C:\Users\Abbas\AppData\Local\Temp\msvcr100.dll
C:\Users\Abbas\AppData\Local\Temp\PreferencesJson.exe
C:\Users\Abbas\AppData\Local\Temp\propsys.dll
C:\Users\Abbas\AppData\Local\Temp\Resource.exe
C:\Users\Abbas\AppData\Local\Temp\Runner.exe
C:\Users\Abbas\AppData\Local\Temp\smplayer-0.6.9-win32.exe
C:\Users\Abbas\AppData\Local\Temp\SP57090.exe
C:\Users\Abbas\AppData\Local\Temp\SP58693.exe
C:\Users\Abbas\AppData\Local\Temp\sp58915.exe
C:\Users\Abbas\AppData\Local\Temp\SP59202.exe
C:\Users\Abbas\AppData\Local\Temp\SP60051.exe
C:\Users\Abbas\AppData\Local\Temp\SP61037.exe
C:\Users\Abbas\AppData\Local\Temp\SP61399.exe
C:\Users\Abbas\AppData\Local\Temp\sp62291.exe
C:\Users\Abbas\AppData\Local\Temp\sp64126.exe
C:\Users\Abbas\AppData\Local\Temp\sqlite3.exe
C:\Users\Abbas\AppData\Local\Temp\SRAssetsHelper.dll
C:\Users\Abbas\AppData\Local\Temp\stubhelper.dll
C:\Users\Abbas\AppData\Local\Temp\The_Weather_Channel_Application.exe
C:\Users\Abbas\AppData\Local\Temp\uninst1.exe
C:\Users\Abbas\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Abbas\AppData\Local\Temp\WSSetup.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-02-03 21:33
 
==================== End Of Log ============================
#5 nasdaq
  • Malware Response Team

Posted 14 February 2015 - 09:26 AM

Run this tool to clean your Temporary files/Folders.

Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program.
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted, it should not take long to finish.
  • Once it's finished, click OK to reboot.
  • If it does not reboot, reboot your system manually.
===

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

() C:\Users\Abbas\AppData\Roaming\Avg_Update_1014av\AVG-Secure-Search-Update_1014av.exe
() C:\ProgramData\Avg_Update_1014av\AVG-Secure-Search-Update_1014av.exe
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2971341904-2727500288-3529390253-1001\...\Run: [AVG-Secure-Search-Update_1014av] => C:\Users\Abbas\AppData\Roaming\Avg_Update_1014av\AVG-Secure-Search-Update_1014av.exe [2774040 2014-09-23] ()
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://dts.search.ask.com/sr?src=ieb&gct=ds&appid=420&systemid=406&v=a15402-156&apn_uid=7003269045584875&apn_dtid=BND406&o=APN10645&apn_ptnrs=AG6&q={searchTerms}
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKU\S-1-5-21-2971341904-2727500288-3529390253-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 pwdrvio; \??\C:\Windows\system32\pwdrvio.sys [X]
AlternateDataStreams: C:\ProgramData\Temp:58DD92AC

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===
 

ATTENTION: System Restore is disabled.


Follow the instructions on this page to enable System Restore.
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7

How is the computer running now?
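
The fix above targets the publisher-less "()" AVG-Secure-Search-Update entries that the FRST log lists. As an added example (not FRST's or the helper's own code), the following Python pass parses lines in the shape of the "One Month Created" section and flags the two patterns a responder looks for first: executables with no publisher string, and task files created shortly before the log was taken. The sample lines, including the AVG-Secure-Search-Update path line, are constructed here rather than copied from the posted log.

```python
"""Triage helper for FRST 'One Month Created' lines (added example).
Shape: <created> - <modified> - <size> <attrs> (<publisher>) <path>
Empty publisher alone proves nothing (task files rarely carry one), so only
executables without one and task files created just before the log are flagged."""
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample lines in the FRST shape (paths shortened); not a verbatim
# copy of the log posted above.
SAMPLE_LOG = r"""
2015-02-08 13:42 - 2015-02-08 13:42 - 00002814 _____ () C:\Windows\System32\Tasks\AVG_SYS_TASK_1014av
2015-02-08 13:42 - 2015-02-08 13:42 - 00000000 ____D () C:\ProgramData\Avg_Update_1014av
2015-02-08 13:36 - 2015-02-08 13:37 - 04637504 _____ (AVG Technologies) C:\Users\Abbas\Desktop\avg_free_stb.exe
2015-02-07 11:16 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-02-13 19:12 - 2015-02-13 19:14 - 00094656 _____ (CACE Technologies) C:\Windows\system32\WPRO_41_2001woem.tmp
2015-02-10 09:00 - 2015-02-10 09:00 - 00123456 _____ () C:\Users\Abbas\AppData\Roaming\Avg_Update_1014av\AVG-Secure-Search-Update_1014av.exe
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) \((?P<publisher>[^)]*)\) (?P<path>.+)$")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr")
Entry = namedtuple("Entry", "created modified size attrs publisher path")


def parse_frst(text):
    """Parse file/folder lines; anything not in the entry shape is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(
                datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
                datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
                int(m["size"]), m["attrs"], m["publisher"].strip(), m["path"]))
    return entries


def triage(entries, recent_days=7):
    """Return (path, reason) pairs that deserve a human look."""
    newest = max(e.created for e in entries)  # stands in for the log time
    findings = []
    for e in entries:
        if "D" in e.attrs:  # directory: nothing to verify
            continue
        low = e.path.lower()
        if low.endswith(EXEC_EXT) and not e.publisher:
            findings.append((e.path, "executable with no publisher string"))
        elif "\\tasks\\" in low and (newest - e.created).days <= recent_days:
            findings.append((e.path, f"task file created within {recent_days} days of the log"))
    return findings
```

Anything flagged still needs the usual checks (signature, hash lookup, what the task actually launches) before it goes into a fixlist; the pass only narrows a long log down to the lines worth reading.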

#6 assaadw
  • Topic Starter

Posted 14 February 2015 - 10:21 PM

Sorry Nasdaq, I haven't been able to do anything today because whenever I plug my charger in, I see a blue screen (not the dump, just the display turns navy blue and stays that way). I have to remove the plug and reboot for it to reboot, and as soon as I plug it back in, I get either a black screen or a navy blue screen and there's nothing I can do. Tried to change the power settings but to no avail.

Any thoughts? It's an HP Envy 4-1015dx ultrabook with Windows 7 64-bit.



#7 nasdaq
  • Malware Response Team

Posted 15 February 2015 - 10:08 AM

Looking at this Google search, it seems to me that you have some hardware problems.
https://www.google.ca/search?q=my+charger+in%2C+I+see+a+blue+screen&oq=my+charger+in%2C+I+see+a+blue+screen&aqs=chrome..69i57&sourceid=chrome&es_sm=122&ie=UTF-8

Since this is not malware and not my forte, I suggest you start a new topic in the Hardware forum.
Someone with that expertise may be able to help you.
http://www.bleepingcomputer.com/forums/f/138/external-hardware/

When this is repaired please follow my instructions on this topic.

I will keep it open until you return.

#8 assaadw
  • Topic Starter

Posted 15 February 2015 - 01:45 PM

Thanks very much Nasdaq. I was actually helping a relative who is in NJ with your advice. Finally, he's going to get it checked out, as it definitely looks like a hardware/motherboard issue.

Thanks so much for your time.



#9 nasdaq
  • Malware Response Team

Posted 15 February 2015 - 02:29 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
