AVG/Malwarebytes disabled by unknown Trojan


This topic is locked
71 replies to this topic

#1 scotiabahn

  • Members
  • 42 posts
  • Gender:Male
Posted 10 July 2015 - 05:55 AM

So... I was browsing with IE on my Toshiba laptop (Vista Home Premium) and the screen flickers a few times, and then I get admin password requests (which I cancel), AVG detects a Trojan and I select 'protect' and then the system reboots...

 

When it comes back up, AVG won't run, nor will MalwareBytes (which I installed recently to assist my son with an unrelated problem (different PC, different network, different city!))

 

Can't get into safe mode initially, but work around that using MSCONFIG settings and lots of reboots...

 

Now in safe mode as default, but can't get AVG or MalwareBytes to run...

 

Downloaded HijackThis on a separate machine for starters - log hereafter, but would appreciate some guidance on what to do next...

 

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 11:36:32, on 10/07/2015
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16644)

Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Users\office\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [Toshiba Registration] C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [LWS] C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Zune Launcher] "E:\zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: eBay.co.uk - Buy It Sell It Love It - {76577871-04EC-495E-A12B-91F7C3600AFA} - http://rover.ebay.com/rover/1/710-44557-9400-3/4 (file missing)
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Amazon.co.uk - {8A918C1D-E123-4E36-B562-5C1519E434CE} - http://www.amazon.co.uk/exec/obidos/redirect-home?tag=Toshibaukbholink-21&site=home (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://global.nas.gov.uk/dana-cached/sc/JuniperSetupClient.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2015\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2015\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Google Update Service (gupdate1c9b378a3fd2872) (gupdate1c9b378a3fd2872) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: UMVPFSrv - Logitech Inc. - C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe

--
End of file - 7482 bytes





#2 thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
Posted 10 July 2015 - 06:21 AM

Hi,
 
Welcome to the forums.
 
Let me see if I can help.
 
Don't do anything other than what I suggest for now please.
 
Can you boot into normal mode?  If you can then do this in normal mode.  Otherwise safe mode is fine.
 
Please download Rkill by Grinler and save it to your desktop.

  • Link 1
  • Link 2
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista/Windows7, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.

<<<<<<<<<<

Next...

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Minimize use of that computer in the meantime

 

<<<<<<<<<<

which I installed recently to assist my son with an unrelated problem (different PC, different network, different city!))


And please tell me more about this

 

Thanks


Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
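
The FRST.txt log requested above is read by eye for a handful of markers FRST prints itself. As an added example (not code from FRST, BleepingComputer or anyone in this thread), the Python below does that first triage pass over a constructed sample in FRST's format: it flags entries FRST marks with "<======= ATTENTION", autostarts that resolve to no file or run from a user-writable folder, services and drivers whose image is missing ("[X]" or "No ImagePath"), orphaned browser/shell hooks ("No File"), and unsigned service binaries. The severity levels and the sample lines are assumptions made for the example.

```python
"""Triage pass over the whitelisted sections of an FRST.txt log.

Added example; not FRST's own code nor anything posted in the thread.
Every pattern keys on a marker that FRST prints in its own output.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (assumed scale for this example)
    reason: str
    line: str


SECTION = re.compile(r"^=+ (.+?) \(Whitelisted\) =+$")
ATTENTION = re.compile(r"<=+ ATTENTION")  # FRST's own warning flag
RUN_KEY = re.compile(r"^(?:HKLM|HKU\\[^\\]+)\\\.\.\.\\Run: \[[^\]]+\] => (.+)$")
ENTRY_META = re.compile(r"\[\d+ \d{4}-\d{2}-\d{2}\] \([^)]*\)")  # "[size date] (vendor)"
START_TYPE = re.compile(r"^[RSU](\d) ([^;]+); (.*)$")  # "S1 name; image [size date] (vendor)"
MISSING_IMAGE = re.compile(r"\[X\]$")  # FRST: image file not found on disk
NO_IMAGEPATH = re.compile(r"; No ImagePath$")
NO_FILE = re.compile(r"-\s+No File")  # CLSID registered, file gone
UNSIGNED = re.compile(r"\[File not signed\]")
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads)\\|\\Temp\\", re.I)


def triage(log_text: str) -> list[Finding]:
    """Return the notable entries of an FRST log in the order they appear."""
    findings: list[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.rstrip()
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        if not line or line.startswith("("):  # blank lines and FRST's section notes
            continue
        if ATTENTION.search(line):
            findings.append(Finding("high", "entry flagged by FRST itself", line))
            continue
        run = RUN_KEY.match(line)
        if run:
            target = run.group(1)
            if not ENTRY_META.search(target):
                findings.append(Finding("medium", "autostart FRST could not resolve to a file", line))
            elif USER_WRITABLE.search(target):
                findings.append(Finding("high", "autostart runs from a user-writable folder", line))
            continue
        svc = START_TYPE.match(line)
        if svc:
            start, name, image = svc.groups()
            if MISSING_IMAGE.search(image) or NO_IMAGEPATH.search(line):
                # boot/system-start entries (0/1) deserve more attention than demand-start (3)
                sev = "medium" if start in ("0", "1") else "low"
                findings.append(Finding(sev, f"{section} entry {name} has no image on disk", line))
            elif USER_WRITABLE.search(image):
                findings.append(Finding("high", f"{section} entry {name} loads from a user-writable folder", line))
            elif UNSIGNED.search(image):
                findings.append(Finding("low", f"{section} entry {name} is not signed", line))
            continue
        if NO_FILE.search(line):
            findings.append(Finding("low", "browser/shell hook points at no file", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample in FRST's format; several lines mirror the log posted in this thread,
# the [Updater] line is invented to show a user-writable autostart.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
HKLM\...\Run: [SynTPStart] => C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-08-15] (Synaptics, Inc.)
HKLM\...\Run: [NDSTray.exe] => NDSTray.exe
HKU\S-1-5-21-1\...\Run: [Updater] => C:\Users\office\AppData\Local\Temp\updater.exe [45056 2015-07-09] ()
==================== Internet (Whitelisted) ====================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No File
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
========================== Services (Whitelisted) =================
S2 CFSvcs; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2006-11-14] (TOSHIBA CORPORATION) [File not signed]
==================== Drivers (Whitelisted) ====================
S1 A2DDA; \??\C:\Users\office\Downloads\EmsisoftEmergencyKit\Run\a2ddax86.sys [X]
S3 catchme; \??\C:\Users\office\AppData\Local\Temp\catchme.sys [X]
S3 Tosrfcom; No ImagePath
"""
```

Run `triage(open("FRST.txt", encoding="utf-8", errors="replace").read())` on a real log; the output is a reading aid for the helper, not a fixlist.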

#3 scotiabahn
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male
Posted 10 July 2015 - 07:16 AM

Thank you for the guidance!

 

I'm not using the affected machine at all, except for fixing it...

 

I need to transfer these tools to the affected machine and then run them - I'll do that and reply in a while...

 

As for my son's problem, well, he managed to compromise his bank account logon by going to a spoofed website. The bank saved his money... Once he'd upgraded AVG to the most recent it detected something nasty and dealt with it. I got him to run Malwarebytes/CCleaner as well... It's been on my laptop for ages, but I updated it so that I could guide him to use it... No further threats were found...

 

I'll go run RKill and FRST...

 

Thanks again



#4 scotiabahn
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male
Posted 10 July 2015 - 07:44 AM

Transferred Rkill from link 1 - no Administrator option, and double-click did nothing...

 

Transferred Rkill from link 2 - Administrator option so tried running it, no effect...

 

Went back to the first one, still nothing, but it worked when I 'Open'ed it, or at least I got a flash of a DOS command box very briefly, so presumed it had run...

 

Then I ran FRST... logs hereafter

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-07-2015
Ran by office (administrator) on OFFICE-PC on 10-07-2015 13:30:36
Running from C:\Users\office\Desktop
Loaded Profiles: office (Available Profiles: office)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Safe Mode (minimal)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

 

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPStart] => C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-08-15] (Synaptics, Inc.)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4702208 2007-08-09] (Realtek Semiconductor)
HKLM\...\Run: [NDSTray.exe] => NDSTray.exe
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [411192 2007-03-29] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [509496 2007-04-03] (TOSHIBA Corporation)
HKLM\...\Run: [Toshiba Registration] => C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe [571024 2007-05-04] (Toshiba)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [ArcSoft Connection Service] => C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [98616 2008-04-17] (ArcSoft Inc.)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2007-08-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [LWS] => C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe [205336 2011-08-12] (Logitech Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [IntelliPoint] => C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [Zune Launcher] => E:\zune\ZuneLauncher.exe [159456 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3727824 2015-06-16] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2015-06-17] (Apple Inc.)
HKU\S-1-5-21-453005111-129219787-228039054-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-453005111-129219787-228039054-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-453005111-129219787-228039054-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5489944 2014-12-12] (Piriform Ltd)
BootExecute:

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-453005111-129219787-228039054-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-453005111-129219787-228039054-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-453005111-129219787-228039054-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
SearchScopes: HKLM -> {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> DefaultScope {6BDCF34F-45CC-4F8F-863D-D6CEEB67F4F5} URL = http://www.bing.com/search?q={searchTerms}&form=OSDSRC
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> {6BDCF34F-45CC-4F8F-863D-D6CEEB67F4F5} URL = http://www.bing.com/search?q={searchTerms}&form=OSDSRC
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-04-17] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-04-17] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> No Name - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} -  No File
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://global.nas.gov.uk/dana-cached/sc/JuniperSetupClient.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{0F21DAD6-A0CC-4076-A194-39D40E4AB817}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{1C49565E-3196-4D54-AC4C-0DFFDAD678FA}: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [2010-01-12] (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-17] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-17] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @Motive.com/NpMotive,version=1.0 -> C:\Program Files\Common Files\Motive\npMotive.dll [2011-05-26] (Motive, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-04-29] (Adobe Systems Inc.)
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files\Yahoo!\Common\npyaxmpb.dll [2006-11-03] (Yahoo! Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-02-03]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [102712 2008-04-17] (ArcSoft Inc.) [File not signed]
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3461072 2015-06-16] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [312816 2015-06-16] (AVG Technologies CZ, s.r.o.)
S2 CFSvcs; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2006-11-14] (TOSHIBA CORPORATION) [File not signed]
S2 gupdate1c9b378a3fd2872; C:\Program Files\Google\Update\GoogleUpdate.exe [107912 2014-10-22] (Google Inc.)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
S2 McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [319488 2011-03-23] (Alcatel-Lucent) [File not signed]
S2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
S2 TNaviSrv; C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe [77824 2007-08-01] (TOSHIBA Corporation) [File not signed]
S2 TODDSrv; C:\Windows\system32\TODDSrv.exe [114688 2006-05-25] (TOSHIBA Corporation) [File not signed]
S2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.) [File not signed]
S2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)
S3 WMZuneComm; E:\zune\WMZuneComm.exe [268512 2011-08-05] (Microsoft Corporation)
S3 ZuneNetworkSvc; E:\zune\ZuneNss.exe [6363872 2011-08-05] (Microsoft Corporation)
S3 ZuneWlanCfgSvc; E:\zune\ZuneWlanCfgSvc.exe [444640 2011-08-05] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 Afc; C:\Windows\System32\drivers\Afc.sys [11776 2005-02-23] (Arcsoft, Inc.) [File not signed]
S3 ampa; C:\Windows\system32\ampa.sys [12728 2011-12-26] () [File not signed]
S1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [132576 2015-03-11] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [227808 2015-05-19] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [190944 2015-05-12] (AVG Technologies CZ, s.r.o.)
S1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [29664 2015-05-14] (AVG Technologies CZ, s.r.o.)
S1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [206816 2015-04-15] (AVG Technologies CZ, s.r.o.)
S0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [290272 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [169440 2015-05-12] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [35808 2015-03-20] (AVG Technologies CZ, s.r.o.)
S1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [213984 2015-05-12] (AVG Technologies CZ, s.r.o.)
S3 LVPr2Mon; C:\Windows\System32\Drivers\LVPr2Mon.sys [25824 2010-05-07] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2011-05-26] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2011-05-26] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S1 NEOFLTR_700_18809; C:\Windows\system32\Drivers\NEOFLTR_700_18809.SYS [86600 2011-07-08] (Juniper Networks)
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [21784 2011-08-01] (Microsoft Corporation)
S3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [347648 2009-06-10] (Realtek Semiconductor Corporation                           )
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12872 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67656 2010-05-10] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 A2DDA; \??\C:\Users\office\Downloads\EmsisoftEmergencyKit\Run\a2ddax86.sys [X]
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-19] (Microsoft Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Users\office\AppData\Local\Temp\catchme.sys [X]
S3 ewsercd; system32\DRIVERS\ewsercd.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [X]
S3 hwusbfake; system32\DRIVERS\ewusbfake.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 LVUSBSta; system32\DRIVERS\LVUSBSta.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PID_PEPI; system32\DRIVERS\LV302V32.SYS [X]
S3 Tosrfcom; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-10 13:30 - 2015-07-10 13:31 - 00015220 _____ C:\Users\office\Desktop\FRST.txt
2015-07-10 13:30 - 2015-07-10 13:30 - 00000000 ____D C:\FRST
2015-07-10 13:29 - 2015-07-10 13:09 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\office\Desktop\rkill.com
2015-07-10 13:20 - 2015-07-10 13:10 - 01636352 _____ (Farbar) C:\Users\office\Desktop\FRST.exe
2015-07-10 11:36 - 2015-07-10 11:36 - 00007483 _____ C:\Users\office\Desktop\hijackthis.log
2015-07-09 21:14 - 2015-07-09 21:14 - 00028044 _____ C:\Windows\system32\cc_20150709_211441.reg
2015-07-09 21:07 - 2015-07-09 21:08 - 00295424 _____ C:\Windows\system32\FNTCACHE.DAT
2015-07-09 21:07 - 2015-07-09 21:07 - 00000772 _____ C:\Windows\PFRO.log
2015-07-09 20:57 - 2015-07-09 20:57 - 00000000 ____D C:\Users\office\Desktop\backups
2015-07-09 20:53 - 2015-07-09 20:36 - 00050688 _____ (Atribune.org) C:\Users\office\Desktop\ATF-Cleaner.exe
2015-07-09 20:52 - 2015-07-09 20:48 - 00388608 _____ (Trend Micro Inc.) C:\Users\office\Desktop\HijackThis.exe
2015-07-09 20:29 - 2015-07-09 20:29 - 00074752 _____ C:\Users\office\AppData\Local\GDIPFONTCACHEV1.DAT
2015-07-09 20:25 - 2015-07-09 20:25 - 00013066 _____ C:\ComboFix.txt
2015-07-09 20:11 - 2015-07-09 18:50 - 05632279 ____R (Swearware) C:\Users\office\Desktop\ComboFix.exe
2015-07-09 20:11 - 2011-06-26 07:45 - 00256000 _____ C:\Windows\PEV.exe
2015-07-09 20:11 - 2010-11-07 18:20 - 00208896 _____ C:\Windows\MBR.exe
2015-07-09 20:11 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-07-09 20:11 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-07-09 20:11 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-07-09 20:11 - 2000-08-31 01:00 - 00098816 _____ C:\Windows\sed.exe
2015-07-09 20:11 - 2000-08-31 01:00 - 00080412 _____ C:\Windows\grep.exe
2015-07-09 20:11 - 2000-08-31 01:00 - 00068096 _____ C:\Windows\zip.exe
2015-07-09 20:10 - 2015-07-09 20:25 - 00000000 ____D C:\Qoobox
2015-07-08 20:06 - 2015-07-09 18:07 - 00000000 ____D C:\Windows\amlog
2015-07-05 10:57 - 2015-07-05 11:04 - 00409384 _____ C:\Users\office\Desktop\Agile basics.pptx
2015-07-01 15:17 - 2015-07-09 03:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-01 15:17 - 2015-07-09 03:44 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-07-01 15:17 - 2015-07-01 15:21 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-07-01 15:17 - 2015-06-18 08:41 - 00094936 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-07-01 15:17 - 2015-06-18 08:41 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-07-01 11:58 - 2015-07-01 11:59 - 00000000 ____D C:\Program Files\QuickTime
2015-07-01 11:58 - 2015-07-01 11:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2015-07-01 11:58 - 2015-07-01 11:58 - 00000000 ____D C:\ProgramData\Apple Computer
2015-06-30 19:51 - 2015-06-03 11:46 - 00516387 _____ C:\Users\office\Desktop\Agile for NRS Solutions Team_Session 1 v2.00.pptx
2015-06-17 00:23 - 2015-06-17 00:23 - 00094208 _____ (Apple Inc.) C:\Windows\system32\QuickTimeVR.qtx
2015-06-17 00:23 - 2015-06-17 00:23 - 00069632 _____ (Apple Inc.) C:\Windows\system32\QuickTime.qts

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-09 21:17 - 2010-03-23 12:48 - 00007944 _____ C:\Users\office\AppData\Local\d3d9caps.dat
2015-07-09 20:57 - 2008-06-02 18:27 - 00000000 ____D C:\Users\office\AppData\Temp
2015-07-09 20:23 - 2009-08-28 16:29 - 00000000 ____D C:\Windows\ERDNT
2015-07-09 20:22 - 2006-11-02 11:23 - 00000215 _____ C:\Windows\system.ini
2015-07-09 20:21 - 2008-03-24 16:25 - 00000000 ____D C:\Users\office
2015-07-09 20:10 - 2006-11-02 11:33 - 00759582 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-09 18:39 - 2008-04-02 18:49 - 00000000 ____D C:\ProgramData\TEMP
2015-07-09 03:44 - 2010-10-20 16:30 - 00000000 ____D C:\ProgramData\MFAData
2015-07-09 03:44 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\system32\spool
2015-07-09 03:44 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\system32\Msdtc
2015-07-09 03:44 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\registration
2015-07-09 03:44 - 2006-11-02 11:22 - 58982400 _____ C:\Windows\system32\config\software_previous
2015-07-09 03:44 - 2006-11-02 11:22 - 30932992 _____ C:\Windows\system32\config\system_previous
2015-07-09 03:41 - 2006-11-02 11:22 - 47448064 _____ C:\Windows\system32\config\components_previous
2015-07-09 03:41 - 2006-11-02 11:22 - 00262144 _____ C:\Windows\system32\config\security_previous
2015-07-09 03:41 - 2006-11-02 11:22 - 00057344 _____ C:\Windows\system32\config\sam_previous
2015-07-08 18:12 - 2012-12-21 12:11 - 00000000 ____D C:\Windows\pss
2015-07-08 18:12 - 2006-11-02 11:22 - 00262144 _____ C:\Windows\system32\config\default_previous
2015-07-08 18:11 - 2010-01-30 17:53 - 00000000 ____D C:\Users\office\AppData\Roaming\Skype
2015-07-08 07:39 - 2012-04-03 07:56 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-08 07:24 - 2009-06-30 17:30 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-08 07:24 - 2006-11-02 13:47 - 00003696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-08 07:24 - 2006-11-02 13:47 - 00003696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-08 07:23 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-07 22:01 - 2006-11-02 14:01 - 00032646 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-07 21:20 - 2009-06-30 17:30 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-01 15:19 - 2012-12-21 19:11 - 00000940 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-01 15:17 - 2010-04-27 18:08 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2015-07-01 15:17 - 2009-08-27 08:17 - 00000000 ____D C:\Users\office\AppData\Roaming\Malwarebytes
2015-07-01 15:17 - 2009-08-27 08:17 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-29 17:58 - 2008-04-05 10:50 - 00000000 ____D C:\Users\office\Documents\bt bills online
2015-06-27 16:24 - 2014-10-23 08:39 - 00000883 _____ C:\Users\Public\Desktop\AVG 2015.lnk
2015-06-27 16:24 - 2014-03-31 15:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-06-23 17:39 - 2012-04-03 07:56 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-06-23 17:39 - 2011-06-05 11:19 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-06-21 10:12 - 2010-01-30 17:52 - 00000000 ____D C:\ProgramData\Skype
2015-06-18 08:41 - 2012-12-21 19:11 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

==================== Files in the root of some directories =======

2010-03-23 12:48 - 2015-07-09 21:17 - 0007944 _____ () C:\Users\office\AppData\Local\d3d9caps.dat
2008-05-06 21:02 - 2013-09-18 18:46 - 0016384 _____ () C:\Users\office\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2010-01-30 17:55 - 2010-01-30 17:55 - 0000056 ____H () C:\ProgramData\ezsidmv.dat

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

safeboot: {c68829b9-61be-11dc-a82b-00a0d17fd2ee} => The system is configured to boot to Safe Mode <===== ATTENTION!

LastRegBack: 2015-07-10 11:50

==================== End of log ============================


and Addition...


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 09-07-2015
Ran by office at 2015-07-10 13:32:06
Running from C:\Users\office\Desktop
Boot Mode: Safe Mode (minimal)
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-453005111-129219787-228039054-500 - Administrator - Disabled)
Guest (S-1-5-21-453005111-129219787-228039054-501 - Limited - Enabled)
office (S-1-5-21-453005111-129219787-228039054-1000 - Administrator - Enabled) => C:\Users\office

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM\...\{6D8D64BE-F500-55B6-705D-DFD08AFE0624}) (Version: 1.7.186 - Adobe Systems Incorporated)
Adobe Flash Player 18 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 18.0.0.194 - Adobe Systems Incorporated)
Adobe Reader X (10.1.14) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.14 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM\...\Adobe Shockwave Player) (Version: 11.5.6.606 - Adobe Systems, Inc.)
AOMEI Partition Assistant Standard Edition 5.2 (HKLM\...\{02F850ED-FD0E-4ED1-BE0B-54981f5BD3D4}_is1) (Version:  - Aomei Technology Co., Ltd.)
Apple Application Support (HKLM\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ArcSoft Software Suite (HKLM\...\{497A1721-088F-41EF-8876-B43C9DA5528B}) (Version:  - ArcSoft)
ATI Catalyst Install Manager (HKLM\...\{4160DC5B-4C56-D0C3-C5FD-F5BDAD3C882B}) (Version: 3.0.641.0 - ATI Technologies, Inc.)
Avanquest update (HKLM\...\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}) (Version: 1.29 - Avanquest Software)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.6037 - AVG Technologies)
AVG 2015 (Version: 15.0.4365 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.6037 - AVG Technologies) Hidden
Bejeweled 2 Deluxe (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110265407}) (Version:  - Oberon Media)
Bluetooth Stack for Windows by Toshiba (HKLM\...\{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}) (Version: v5.10.14(T) - )
BT Broadband Desktop Help (HKLM\...\BT Broadband Desktop Help) (Version:  - )
CameraHelperMsi (Version: 13.30.1395.0 - Logitech) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.01 - Piriform)
CD/DVD Drive Acoustic Silencer (HKLM\...\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}) (Version: 2.01.03 - TOSHIBA)
Cradle of Rome (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11219217}) (Version:  - Oberon Media)
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Defraggler (HKLM\...\Defraggler) (Version: 2.15 - Piriform)
DVD MovieFactory for TOSHIBA (HKLM\...\{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}) (Version: 5.3 - Ulead Systems, Inc.)
erLT (Version: 1.20.138.34 - Logitech, Inc.) Hidden
Free CD to MP3 Converter (HKLM\...\Free CD to MP3 Converter) (Version:  - )
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.27.5 - Google Inc.) Hidden
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Juniper Networks Secure Application Manager (HKLM\...\Neoteris_Secure_Application_Manager) (Version: 7.0.0.18809 - Juniper Networks)
Juniper Networks Setup Client (HKU\S-1-5-21-453005111-129219787-228039054-1000\...\Juniper_Setup_Client) (Version: 2.2.5.10685 - Juniper Networks)
Logitech Vid (HKLM\...\{4FBCEA31-5D18-4212-9231-DE7CF1BE7DBB}) (Version: 1.70.1044 - Logitech Inc.)
Logitech Webcam Software (HKLM\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.0 - Logitech Inc.)
Logitech Webcam Software Driver Package (HKLM\...\lvdrivers_12.0) (Version: 12.0.1278 - Logitech Inc.)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft IntelliPoint 8.2 (HKLM\...\Microsoft IntelliPoint 8.2) (Version: 8.20.468.0 - Microsoft Corporation)
Microsoft Money (HKLM\...\{1D643CD0-4DD6-11D7-A4E0-000874180BB3}) (Version: 12.0.120 - Microsoft)
Microsoft Money System Pack (HKLM\...\{8C64E149-54BA-11D6-91B1-00500462BE80}) (Version: 12.0.120 - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-0015-0000-0000-0000000FF1CE}_AccessR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Access 2007 (HKLM\...\AccessR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (HKLM\...\{90120000-00B2-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB941833) (HKLM\...\{C523D256-313D-4866-B36A-F3DE528246EF}) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
myphotobook 3.1 (HKLM\...\myphotobook) (Version: 3.1 - myphotobook)
NetMeeting 3.01 (HKLM\...\NetMeeting) (Version:  - )
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
OU Flashcards (HKLM\...\OU Flashcards) (Version:  - )
PHOTOfunSTUDIO -viewer- (HKLM\...\{9A9DBEBC-C800-4776-A970-D76D6AA405B1}) (Version: 2.00.000 - Panasonic)
QuickTime 7 (HKLM\...\{627FFC10-CE0A-497F-BA2B-208CAC638010}) (Version: 7.77.80.95 - Apple Inc.)
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0000 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5464 - Realtek Semiconductor Corp.)
REALTEK RTL8187B Wireless LAN Driver (HKLM\...\{7095FD27-37F0-4750-9DE8-D37DC0043706}) (Version: Package:1.00.0008 Driver:6.1089.601.2007 - REALTEK Semiconductor Corp.)
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01 (HKLM\...\{59F6A514-9813-47A3-948C-8A155460CC2A}) (Version: 3.51.01 - )
Search Settings 1.2 (HKLM\...\{D0C73318-7B4A-4D16-A0C4-3B83F075EA88}) (Version:  - ) <==== ATTENTION
Segoe UI (Version: 15.4.2271.0615 - Microsoft Corp) Hidden
Skype Click to Call (HKLM\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.13.13771 - Skype Technologies S.A.)
Skype™ 7.5 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.5.102 - Skype Technologies S.A.)
SpywareBlaster 5.0 (HKLM\...\SpywareBlaster_is1) (Version: 5.0.0 - BrightFort LLC)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 4.44.1000 - SUPERAntiSpyware.com)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 11.2.4.0 - Synaptics)
ThinkVantage Secure Data Disposal v1.3 (HKLM\...\{1219A9F1-B57E-48C0-AC15-09F423F02F95}) (Version: 1.3 - Lenovo)
TOSHIBA Assist (HKLM\...\{12B3A009-A080-4619-9A2A-C6DB151D8D67}) (Version: 2.01.04 - TOSHIBA)
TOSHIBA ConfigFree (HKLM\...\{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}) (Version: 7.00.32 - TOSHIBA)
TOSHIBA Disc Creator (HKLM\...\{5DA0E02F-970B-424B-BF41-513A5018E4C0}) (Version: 2.0.0.8 - TOSHIBA Corporation)
TOSHIBA DVD PLAYER (HKLM\...\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}) (Version: 1.10.08 - TOSHIBA Corporation)
TOSHIBA Extended Tiles for Windows Mobility Center (HKLM\...\InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}) (Version: 1.01.00 - TOSHIBA Corporation)
TOSHIBA Hardware Setup (HKLM\...\{BFC85CDC-BD7C-4FDD-9507-8D74B5A79404}) (Version: 2.00.06 - )
TOSHIBA Manuals (HKLM\...\{0F4F4815-76AD-4B26-8763-72F3344041C2}) (Version: 7.30 - TOSHIBA)
Toshiba Online Product Information (HKLM\...\{2290A680-4083-410A-ADCC-7092C67FC052}) (Version: 1.00.0012 - TOSHIBA)
TOSHIBA SD Memory Utilities (HKLM\...\{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}) (Version: 1.8.1.1 - TOSHIBA)
TOSHIBA Software Modem (HKLM\...\TOSHIBA Software Modem) (Version: 2.1.77 (SM2177ALD04) - Agere Systems)
TOSHIBA Supervisor Password (HKLM\...\{2BDF38E0-1A7F-4220-B4B7-118DD45E5E13}) (Version: 2.00.02 - )
TOSHIBA Value Added Package (HKLM\...\InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}) (Version: 1.0.30 - TOSHIBA Corporation)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-0015-0000-0000-0000000FF1CE}_AccessR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows 7 Upgrade Advisor (HKLM\...\{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}) (Version: 2.0.5000.0 - Microsoft Corporation)
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Media Encoder 9 Series (HKLM\...\Windows Media Encoder 9) (Version:  - )
Zune (HKLM\...\Zune) (Version: 04.08.2345.00 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-453005111-129219787-228039054-1000_Classes\CLSID\{25815CC0-43F4-3C75-8C3A-A139D9ADE740}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)

==================== Restore Points =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 11:23 - 2015-07-09 20:22 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {2E2C6FF7-73D3-41A3-83C9-2E9FE9C9B5E6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-22] (Google Inc.)
Task: {40D254A3-F78A-4070-AFD1-4B656975A6D2} - System32\Tasks\{43584AA4-C690-4F52-99C9-A43DB451CFAF} => C:\Program Files\Skype\Phone\Skype.exe
Task: {44E34C81-9562-4717-9AD2-8F1A8409C4A5} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-12-12] (Piriform Ltd)
Task: {6A11E32B-3A30-4886-A18E-989189496BA9} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {7A58ED22-96F3-4960-B088-23DF002984AA} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => C:\Program Files\Microsoft IntelliPoint\IPoint.exe [2011-08-01] (Microsoft Corporation)
Task: {7FE815D8-A57A-4391-97F0-9AFB249BF44A} - System32\Tasks\{8D0FA9D8-92DD-4B08-A860-FA7D0C525F35} => C:\Program Files\Skype\Phone\Skype.exe
Task: {A0280392-EDA8-461E-A123-C17E1A4BCACF} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-06-23] (Adobe Systems Incorporated)
Task: {B6FE97F8-6B98-4FCC-8093-F46373E5169B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-22] (Google Inc.)
Task: {BEB8754D-D21B-4055-9CCC-CE5A57CD953E} - System32\Tasks\Microsoft\Windows\WindowsCalendar\Reminders - office => C:\Program Files\Windows Calendar\WinCal.exe [2009-04-11] (Microsoft Corporation)
Task: {D9380357-FEF4-442E-A725-5E06EF1F7D7F} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:BB24555F
AlternateDataStreams: C:\ProgramData\TEMP:C46995DA

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


There are 6092 more restricted sites.

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-453005111-129219787-228039054-1000\Control Panel\Desktop\\Wallpaper -> E:\assorted pictures moved from C\quokka.jpg
DNS Servers: Media is not connected to internet.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Users^office^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^runctf.lnk => C:\Windows\pss\runctf.lnk.Startup
MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: Logitech Vid => "C:\Program Files\Logitech\Vid\Vid.exe" -bootmode
MSCONFIG\startupreg: Logitech Vid HD => "C:\Program Files\Logitech\Vid\vid.exe" -bootmode
MSCONFIG\startupreg: LWS => C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: SUPERAntiSpyware => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [TCP Query User{ECF40191-B96B-41F9-B091-E367671DC260}C:\program files\internet explorer\iexplore.exe] => (Allow) C:\program files\internet explorer\iexplore.exe
FirewallRules: [UDP Query User{721FCD4A-004B-4046-9ABA-887B12381F71}C:\program files\internet explorer\iexplore.exe] => (Allow) C:\program files\internet explorer\iexplore.exe
FirewallRules: [{4CC097C8-7F44-4BE0-AE85-884DCE462AB3}] => (Allow) svchost.exe
FirewallRules: [TCP Query User{44E4D253-7815-478E-BA08-63519CB58D1F}C:\program files\netmeeting\conf.exe] => (Allow) C:\program files\netmeeting\conf.exe
FirewallRules: [UDP Query User{752A45A0-D5D8-4793-95AF-564CCB99A93E}C:\program files\netmeeting\conf.exe] => (Allow) C:\program files\netmeeting\conf.exe
FirewallRules: [{6EBA339E-23DE-41CD-BDD8-A4578B3C6E49}] => (Allow) C:\Program Files\Logitech\Vid\Vid.exe
FirewallRules: [{7EBA2756-FE46-4FDC-B517-5F2CA5AADAC5}] => (Allow) C:\Program Files\Logitech\Vid\Vid.exe
FirewallRules: [{F3DFEFED-CF42-4B74-A6BF-FC1D21B0DCB1}] => (Allow) C:\Program Files\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{E649FEF5-6C3F-48B3-9A27-670126ABEA74}] => (Allow) LPort=2869
FirewallRules: [{03FED3A5-FFFD-49BC-8E64-B14D0040F17B}] => (Allow) LPort=1900
FirewallRules: [{B4C6767E-7E8A-4787-AC83-778C0A44AB36}] => (Allow) LPort=80
FirewallRules: [{AF73453A-8096-49F2-A66B-D4490016FA96}] => (Allow) LPort=80
FirewallRules: [{2113B5D1-27CF-4EDE-B2EB-95BCFEA1FC8C}] => (Allow) LPort=80
FirewallRules: [{904AED14-7B9C-4E3E-95EF-D37DD1159BD1}] => (Allow) C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [TCP Query User{D49AD9A0-4A35-49A3-98BA-282284A904AA}C:\program files\logitech\vid\vid.exe] => (Allow) C:\program files\logitech\vid\vid.exe
FirewallRules: [UDP Query User{049E72C7-DBE2-498F-B0DB-585DFB97FF19}C:\program files\logitech\vid\vid.exe] => (Allow) C:\program files\logitech\vid\vid.exe
FirewallRules: [TCP Query User{20DBC9DC-8D42-4827-8D17-DA4DFAB236EF}C:\program files\java\jre7\bin\javaw.exe] => (Block) C:\program files\java\jre7\bin\javaw.exe
FirewallRules: [UDP Query User{E962E0F0-3219-4901-9368-D6F67A807F85}C:\program files\java\jre7\bin\javaw.exe] => (Block) C:\program files\java\jre7\bin\javaw.exe
FirewallRules: [TCP Query User{492D7D67-2475-462B-BFEE-80A81D8557BA}C:\windows\explorer.exe] => (Allow) C:\windows\explorer.exe
FirewallRules: [UDP Query User{5505B6B0-9254-46E8-AB8F-6FC4C21E26AC}C:\windows\explorer.exe] => (Allow) C:\windows\explorer.exe
FirewallRules: [{07C2B795-8C06-46FC-967C-2694D3C2D12B}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [TCP Query User{17CACFC1-2F9A-4391-8C7B-426C7F9073D5}C:\program files\java\jre7\bin\jp2launcher.exe] => (Block) C:\program files\java\jre7\bin\jp2launcher.exe
FirewallRules: [UDP Query User{DDA6B168-1F29-4F23-A6E3-A3414FFF855A}C:\program files\java\jre7\bin\jp2launcher.exe] => (Block) C:\program files\java\jre7\bin\jp2launcher.exe
FirewallRules: [{CD5CC703-192B-47BB-A5D8-45D80EB550AA}] => (Allow) C:\Program Files\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{1FE1008E-A416-47BD-AB82-7F2BDDEB50ED}] => (Allow) C:\Program Files\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{E83B5D95-B93E-44B4-A7E0-6E5F85606CD1}] => (Allow) C:\Program Files\AVG\AVG2015\avgnsx.exe
FirewallRules: [{CA7F94F2-447F-49B7-BE3A-AEB6C55BB538}] => (Allow) C:\Program Files\AVG\AVG2015\avgnsx.exe
FirewallRules: [{B0B07681-70AF-4E36-91D9-7C3992AABC26}] => (Allow) C:\Program Files\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{FBAB0498-D28B-4DAA-B91F-79D751DF21E3}] => (Allow) C:\Program Files\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{78176D7B-3E73-4C56-A3FA-E47937605E1A}] => (Allow) C:\Program Files\AVG\AVG2015\avgemcx.exe
FirewallRules: [{C9DB5C60-63AC-4F17-8E8D-4ABF500994CA}] => (Allow) C:\Program Files\AVG\AVG2015\avgemcx.exe

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (07/10/2015 11:33:07 AM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/09/2015 09:08:19 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/09/2015 08:25:27 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/09/2015 08:24:18 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/09/2015 08:21:57 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/09/2015 08:12:42 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point on volume (Process = C:\Windows\system32\wbem\wmiprvse.exe; Descripton = ComboFix created restore point; Hr = 0x8007043c).

System errors:
=============
Error: (07/10/2015 11:34:05 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (07/10/2015 11:34:05 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (07/10/2015 11:34:05 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (07/10/2015 11:34:05 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (07/10/2015 11:34:05 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: AFD
Avgdiskx
AVGIDSDriver
AVGIDSShim
Avgldx86
Avglogx
Avgtdix
DfsC
NEOFLTR_700_18809
NetBIOS
netbt
nsiproxy
PSched
RasAcd
rdbss
SASDIFSV
SASKUTIL
Smb
spldr
tdx
Wanarpv6
ws2ifsl

Error: (07/10/2015 11:34:05 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Network List ServiceNetwork Location Awareness%%1068

Error: (07/10/2015 11:34:05 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Network Location AwarenessNetwork Store Interface Service%%1068

Error: (07/10/2015 11:34:05 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: Network ConnectionsNetwork Store Interface Service%%1068

Error: (07/10/2015 11:34:05 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: IP HelperNetwork Store Interface Service%%1068

Error: (07/10/2015 11:34:05 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: AVGIDSAgentAVGIDSDriver%%31

Microsoft Office:
=========================

CodeIntegrity Errors:
===================================
  Date: 2015-07-10 13:31:53.915
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 13:31:52.620
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 13:31:51.356
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 13:31:50.108
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 13:31:48.455
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 13:31:47.176
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 13:31:45.912
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 13:31:44.648
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 13:31:07.707
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 13:31:06.428
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: AMD Athlon™ 64 X2 Dual-Core Processor TK-57
Percentage of memory in use: 28%
Total physical RAM: 1917.32 MB
Available physical RAM: 1364.57 MB
Total Virtual: 4075.89 MB
Available Virtual: 3729.75 MB

==================== Drives ================================

Drive c: (Vista) (Fixed) (Total:50.34 GB) (Free:9.47 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (FLASH DRIVE) (Removable) (Total:7.2 GB) (Free:7.17 GB) FAT32
Drive e: (Data) (Fixed) (Total:22.72 GB) (Free:5.39 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 74.5 GB) (Disk ID: D525A86A)
Partition 1: (Not Active) - (Size=1.5 GB) - (Type=27)
Partition 2: (Active) - (Size=50.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=22.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7.2 GB) (Disk ID: DCB5308D)
Partition 1: (Active) - (Size=7.2 GB) - (Type=0B)

==================== End of log ============================



#5 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:03:33 AM

Posted 10 July 2015 - 08:41 AM

Well done. I will need some time to carefully review these logs and plan your next step. Please clarify for me what happens when you try to boot into normal mode and tell me if you purposely configured your computer to boot into safe mode.

Thanks
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#6 scotiabahn

scotiabahn
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male
  • Local time:09:33 AM

Posted 10 July 2015 - 09:13 AM

I haven't tried to get into Normal as that was all the Trojan was allowing at one point - I couldn't get into any 'Safe' mode. I ran MSCONFIG from Run, went to the Boot tab and set Safe Boot/Minimal so that's all that comes up at the moment... Last time I was in Normal it was much the same as Safe - no AVG or Malwarebytes or anything useful.

 

I thought it was safer to stick with Safe for the time being, just in case this Trojan or whatever wants network access... At least that's prevented, but if you think it would be better if I went into Normal at any time, I can (I think!) by resetting MSCONFIG...

 

Many thanks



#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • Gender:Male
  • Local time:03:33 AM

Posted 10 July 2015 - 09:55 AM

I would like the logs in normal mode please. 

 

Do this to fix the safe mode configuration. 
 
Boot into safe mode then download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.

Let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt).

 

<<<<<<<<<<
 
Re-boot. You should now be in normal mode.

 

<<<<<<<<<<

Repeat the steps in post #2...

http://www.bleepingcomputer.com/forums/t/582402/avgmalwarebytes-disabled-by-unknown-trojan/#entry3757059
 
Please be sure to place a check in the additions.txt box in FRST.

 

<<<<<<<<<<
 
So I will need...
 
Fixlist.txt, FRST.txt and Addition.txt in normal mode.

Thanks


#8 scotiabahn

scotiabahn
  • Topic Starter

  • Members
  • 42 posts
  • Gender:Male
  • Local time:09:33 AM

Posted 10 July 2015 - 12:22 PM

That kept me busy...  :)

 

First bit worked perfectly...  here's the log from the fix...

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 09-07-2015
Ran by office at 2015-07-10 17:43:48 Run:1
Running from C:\Users\office\Desktop
Loaded Profiles: office (Available Profiles: office)
Boot Mode: Safe Mode (minimal)

==============================================

fixlist content:
*****************
safeboot: {c68829b9-61be-11dc-a82b-00a0d17fd2ee} => The system is configured to boot to Safe Mode <===== ATTENTION!
*****************

The operation completed successfully.

==== End of Fixlog 17:43:48 ====

 

The system rebooted into 'Normal' mode, although it was very slow at times, less responsive than 'Safe' - things kept hanging, like Explorer... But I then moved on to the rest of the guidance. If I'm honest, because of the way the system was hanging and then zooming to catch up, I'm not 100% sure that RKill ran... There was certainly a flash on the screen amongst several that could have been a DOS box flashing up briefly... I have run FRST as requested though and logs hereafter...

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-07-2015
Ran by office (administrator) on OFFICE-PC on 10-07-2015 18:02:49
Running from C:\Users\office\Desktop
Loaded Profiles: office (Available Profiles: office)
Platform: Microsoft® Windows Vista™ Home Premium  Service Pack 2 (X86) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Logitech Inc.) C:\Program Files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
(Microsoft Corporation) C:\Windows\System32\SLsvc.exe
(ATI Technologies Inc.) C:\Windows\System32\Ati2evxx.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPStart.exe
(Realtek Semiconductor) C:\Windows\RtHDVCpl.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
(Logitech Inc.) C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
(Microsoft Corporation) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
(Microsoft Corporation) E:\zune\ZuneLauncher.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Microsoft Corporation) C:\Windows\ehome\ehtray.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmpnscfg.exe
(ArcSoft Inc.) C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
(Agere Systems) C:\Windows\System32\agrsmsvc.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
(Alcatel-Lucent) C:\Program Files\Common Files\Motive\McciCMService.exe
(Microsoft Corporation) C:\Windows\ehome\ehmsas.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynToshiba.exe
(TOSHIBA Corporation) C:\Windows\System32\TODDSrv.exe
(TOSHIBA Corporation) C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
(Ulead Systems, Inc.) C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Piriform Ltd) C:\Program Files\CCleaner\CCleaner.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(TOSHIBA CORPORATION) C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\mobsync.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
(Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
(Microsoft Corporation) C:\Windows\System32\sdclt.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPStart] => C:\Program Files\Synaptics\SynTP\SynTPStart.exe [102400 2007-08-15] (Synaptics, Inc.)
HKLM\...\Run: [RtHDVCpl] => C:\Windows\RtHDVCpl.exe [4702208 2007-08-09] (Realtek Semiconductor)
HKLM\...\Run: [NDSTray.exe] => NDSTray.exe
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [411192 2007-03-29] (TOSHIBA Corporation)
HKLM\...\Run: [SmoothView] => C:\Program Files\Toshiba\SmoothView\SmoothView.exe [509496 2007-04-03] (TOSHIBA Corporation)
HKLM\...\Run: [Toshiba Registration] => C:\Program Files\Toshiba\Registration\ToshibaRegistration.exe [571024 2007-05-04] (Toshiba)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [ArcSoft Connection Service] => C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [98616 2008-04-17] (ArcSoft Inc.)
HKLM\...\Run: [Skytel] => C:\Windows\Skytel.exe [1826816 2007-08-03] (Realtek Semiconductor Corp.)
HKLM\...\Run: [LWS] => C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe [205336 2011-08-12] (Logitech Inc.)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [IntelliPoint] => C:\Program Files\Microsoft IntelliPoint\ipoint.exe [1821576 2011-08-01] (Microsoft Corporation)
HKLM\...\Run: [Zune Launcher] => E:\zune\ZuneLauncher.exe [159456 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3727824 2015-06-16] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [335232 2015-04-10] (Oracle Corporation)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM\...\Run: [QuickTime Task] => C:\Program Files\QuickTime\QTTask.exe [421888 2015-06-17] (Apple Inc.)
HKU\S-1-5-21-453005111-129219787-228039054-1000\...\Run: [ehTray.exe] => C:\Windows\ehome\ehTray.exe [125952 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-453005111-129219787-228039054-1000\...\Run: [WMPNSCFG] => C:\Program Files\Windows Media Player\WMPNSCFG.exe [202240 2008-01-19] (Microsoft Corporation)
HKU\S-1-5-21-453005111-129219787-228039054-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5489944 2014-12-12] (Piriform Ltd)
BootExecute:

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-453005111-129219787-228039054-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-453005111-129219787-228039054-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-453005111-129219787-228039054-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
SearchScopes: HKLM -> {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> DefaultScope {6BDCF34F-45CC-4F8F-863D-D6CEEB67F4F5} URL = http://www.bing.com/search?q={searchTerms}&form=OSDSRC
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> {6BDCF34F-45CC-4F8F-863D-D6CEEB67F4F5} URL = http://www.bing.com/search?q={searchTerms}&form=OSDSRC
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-04-17] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-04-17] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> No Name - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} -  No File
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://global.nas.gov.uk/dana-cached/sc/JuniperSetupClient.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2013-10-09] (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{0F21DAD6-A0CC-4076-A194-39D40E4AB817}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{1C49565E-3196-4D54-AC4C-0DFFDAD678FA}: [DhcpNameServer] 192.168.1.254

FireFox:
========
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [2010-01-12] (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-04-17] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-04-17] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40416.0\npctrl.dll [2015-04-15] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeLive,version=1.5 -> C:\Program Files\Microsoft\Office Live\npOLW.dll [2010-04-26] (Microsoft Corp.)
FF Plugin: @microsoft.com/WPF,version=3.5 -> c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll [2008-07-30] (Microsoft Corporation)
FF Plugin: @Motive.com/NpMotive,version=1.0 -> C:\Program Files\Common Files\Motive\npMotive.dll [2011-05-26] (Motive, Inc.)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2015-04-29] (Adobe Systems Inc.)
FF Plugin: yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1 -> C:\Program Files\Yahoo!\Common\npyaxmpb.dll [2006-11-03] (Yahoo! Inc.)
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-02-03]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 ACDaemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [102712 2008-04-17] (ArcSoft Inc.) [File not signed]
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3461072 2015-06-16] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [312816 2015-06-16] (AVG Technologies CZ, s.r.o.)
R2 CFSvcs; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2006-11-14] (TOSHIBA CORPORATION) [File not signed]
S2 gupdate1c9b378a3fd2872; C:\Program Files\Google\Update\GoogleUpdate.exe [107912 2014-10-22] (Google Inc.)
S2 MBAMService; C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe [1133880 2015-06-18] (Malwarebytes Corporation)
R2 McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe [319488 2011-03-23] (Alcatel-Lucent) [File not signed]
R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3275136 2013-10-09] (Skype Technologies S.A.)
R2 TNaviSrv; C:\Program Files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe [77824 2007-08-01] (TOSHIBA Corporation) [File not signed]
R2 TODDSrv; C:\Windows\system32\TODDSrv.exe [114688 2006-05-25] (TOSHIBA Corporation) [File not signed]
R2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.) [File not signed]
R2 UMVPFSrv; C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [450848 2012-01-18] (Logitech Inc.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [272952 2008-01-19] (Microsoft Corporation)
S3 WMZuneComm; E:\zune\WMZuneComm.exe [268512 2011-08-05] (Microsoft Corporation)
S3 ZuneNetworkSvc; E:\zune\ZuneNss.exe [6363872 2011-08-05] (Microsoft Corporation)
S3 ZuneWlanCfgSvc; E:\zune\ZuneWlanCfgSvc.exe [444640 2011-08-05] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 Afc; C:\Windows\System32\drivers\Afc.sys [11776 2005-02-23] (Arcsoft, Inc.) [File not signed]
S3 ampa; C:\Windows\system32\ampa.sys [12728 2011-12-26] () [File not signed]
R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [132576 2015-03-11] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [227808 2015-05-19] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [190944 2015-05-12] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [29664 2015-05-14] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [206816 2015-04-15] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [290272 2015-05-07] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [169440 2015-05-12] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [35808 2015-03-20] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [213984 2015-05-12] (AVG Technologies CZ, s.r.o.)
S3 LVPr2Mon; C:\Windows\System32\Drivers\LVPr2Mon.sys [25824 2010-05-07] ()
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [23256 2015-06-18] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [51928 2015-06-18] (Malwarebytes Corporation)
S3 MREMP50; C:\Program Files\Common Files\Motive\MREMP50.sys [21248 2011-05-26] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
S3 MRESP50; C:\Program Files\Common Files\Motive\MRESP50.sys [20096 2011-05-26] (Printing Communications Assoc., Inc. (PCAUSA)) [File not signed]
R1 NEOFLTR_700_18809; C:\Windows\system32\Drivers\NEOFLTR_700_18809.SYS [86600 2011-07-08] (Juniper Networks)
S3 NuidFltr; C:\Windows\System32\DRIVERS\NuidFltr.sys [21784 2011-08-01] (Microsoft Corporation)
R3 RTL8187B; C:\Windows\System32\DRIVERS\RTL8187B.sys [347648 2009-06-10] (Realtek Semiconductor Corporation                           )
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [12872 2010-02-17] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [67656 2010-05-10] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 A2DDA; \??\C:\Users\office\Downloads\EmsisoftEmergencyKit\Run\a2ddax86.sys [X]
U5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-19] (Microsoft Corporation)
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Users\office\AppData\Local\Temp\catchme.sys [X]
S3 ewsercd; system32\DRIVERS\ewsercd.sys [X]
S3 hwdatacard; system32\DRIVERS\ewusbmdm.sys [X]
S3 hwusbdev; system32\DRIVERS\ewusbdev.sys [X]
S3 hwusbfake; system32\DRIVERS\ewusbfake.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 LVUSBSta; system32\DRIVERS\LVUSBSta.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
S3 PID_PEPI; system32\DRIVERS\LV302V32.SYS [X]
S3 Tosrfcom; No ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-10 18:03 - 2015-07-10 18:03 - 00000000 ____D C:\Users\office\AppData\Local\Apple
2015-07-10 18:02 - 2015-07-10 18:03 - 00018041 _____ C:\Users\office\Desktop\FRST.txt
2015-07-10 17:57 - 2015-07-10 13:23 - 01943800 _____ (Bleeping Computer, LLC) C:\Users\office\Desktop\rkill.exe
2015-07-10 17:52 - 2015-07-10 17:52 - 00000000 _____ C:\Windows\setuperr.log
2015-07-10 17:52 - 2015-07-10 17:52 - 00000000 _____ C:\Windows\setupact.log
2015-07-10 17:49 - 2015-07-10 18:03 - 00002309 _____ C:\Windows\WindowsUpdate.log
2015-07-10 17:49 - 2015-07-10 17:49 - 00023788 _____ C:\Windows\system32\CFG1893723034
2015-07-10 17:46 - 2015-07-10 17:46 - 00000000 ____D C:\Users\office\AppData\Local\Adobe
2015-07-10 13:30 - 2015-07-10 18:02 - 00000000 ____D C:\FRST
2015-07-10 13:20 - 2015-07-10 13:10 - 01636352 _____ (Farbar) C:\Users\office\Desktop\FRST.exe
2015-07-10 11:36 - 2015-07-10 11:36 - 00007483 _____ C:\Users\office\Desktop\hijackthis.log
2015-07-09 21:14 - 2015-07-09 21:14 - 00028044 _____ C:\Windows\system32\cc_20150709_211441.reg
2015-07-09 21:07 - 2015-07-09 21:08 - 00295424 _____ C:\Windows\system32\FNTCACHE.DAT
2015-07-09 21:07 - 2015-07-09 21:07 - 00000772 _____ C:\Windows\PFRO.log
2015-07-09 20:57 - 2015-07-09 20:57 - 00000000 ____D C:\Users\office\Desktop\backups
2015-07-09 20:53 - 2015-07-09 20:36 - 00050688 _____ (Atribune.org) C:\Users\office\Desktop\ATF-Cleaner.exe
2015-07-09 20:52 - 2015-07-09 20:48 - 00388608 _____ (Trend Micro Inc.) C:\Users\office\Desktop\HijackThis.exe
2015-07-09 20:29 - 2015-07-09 20:29 - 00074752 _____ C:\Users\office\AppData\Local\GDIPFONTCACHEV1.DAT
2015-07-09 20:25 - 2015-07-09 20:25 - 00013066 _____ C:\ComboFix.txt
2015-07-09 20:11 - 2015-07-09 18:50 - 05632279 ____R (Swearware) C:\Users\office\Desktop\ComboFix.exe
2015-07-09 20:11 - 2011-06-26 07:45 - 00256000 _____ C:\Windows\PEV.exe
2015-07-09 20:11 - 2010-11-07 18:20 - 00208896 _____ C:\Windows\MBR.exe
2015-07-09 20:11 - 2009-04-20 05:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-07-09 20:11 - 2000-08-31 01:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-07-09 20:11 - 2000-08-31 01:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-07-09 20:11 - 2000-08-31 01:00 - 00098816 _____ C:\Windows\sed.exe
2015-07-09 20:11 - 2000-08-31 01:00 - 00080412 _____ C:\Windows\grep.exe
2015-07-09 20:11 - 2000-08-31 01:00 - 00068096 _____ C:\Windows\zip.exe
2015-07-09 20:10 - 2015-07-09 20:25 - 00000000 ____D C:\Qoobox
2015-07-08 20:06 - 2015-07-09 18:07 - 00000000 ____D C:\Windows\amlog
2015-07-05 10:57 - 2015-07-05 11:04 - 00409384 _____ C:\Users\office\Desktop\Agile basics.pptx
2015-07-01 15:17 - 2015-07-09 03:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-07-01 15:17 - 2015-07-09 03:44 - 00000000 ____D C:\Program Files\Malwarebytes Anti-Malware
2015-07-01 15:17 - 2015-07-01 15:21 - 00098520 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-07-01 15:17 - 2015-06-18 08:41 - 00094936 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-07-01 15:17 - 2015-06-18 08:41 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-07-01 11:58 - 2015-07-01 11:59 - 00000000 ____D C:\Program Files\QuickTime
2015-07-01 11:58 - 2015-07-01 11:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QuickTime
2015-07-01 11:58 - 2015-07-01 11:58 - 00000000 ____D C:\ProgramData\Apple Computer
2015-06-30 19:51 - 2015-06-03 11:46 - 00516387 _____ C:\Users\office\Desktop\Agile for NRS Solutions Team_Session 1 v2.00.pptx
2015-06-17 00:23 - 2015-06-17 00:23 - 00094208 _____ (Apple Inc.) C:\Windows\system32\QuickTimeVR.qtx
2015-06-17 00:23 - 2015-06-17 00:23 - 00069632 _____ (Apple Inc.) C:\Windows\system32\QuickTime.qts

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-07-10 17:53 - 2008-06-02 18:27 - 00000000 ____D C:\Users\office\AppData\Temp
2015-07-10 17:52 - 2009-06-30 17:30 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-07-10 17:52 - 2006-11-02 14:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-07-10 17:52 - 2006-11-02 13:47 - 00003696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2015-07-10 17:52 - 2006-11-02 13:47 - 00003696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2015-07-09 21:17 - 2010-03-23 12:48 - 00007944 _____ C:\Users\office\AppData\Local\d3d9caps.dat
2015-07-09 20:23 - 2009-08-28 16:29 - 00000000 ____D C:\Windows\ERDNT
2015-07-09 20:22 - 2006-11-02 11:23 - 00000215 _____ C:\Windows\system.ini
2015-07-09 20:21 - 2008-03-24 16:25 - 00000000 ____D C:\Users\office
2015-07-09 20:10 - 2006-11-02 11:33 - 00759582 _____ C:\Windows\system32\PerfStringBackup.INI
2015-07-09 18:39 - 2008-04-02 18:49 - 00000000 ____D C:\ProgramData\TEMP
2015-07-09 03:44 - 2010-10-20 16:30 - 00000000 ____D C:\ProgramData\MFAData
2015-07-09 03:44 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\system32\spool
2015-07-09 03:44 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\system32\Msdtc
2015-07-09 03:44 - 2006-11-02 12:18 - 00000000 ____D C:\Windows\registration
2015-07-09 03:44 - 2006-11-02 11:22 - 58982400 _____ C:\Windows\system32\config\software_previous
2015-07-09 03:44 - 2006-11-02 11:22 - 30932992 _____ C:\Windows\system32\config\system_previous
2015-07-09 03:41 - 2006-11-02 11:22 - 47448064 _____ C:\Windows\system32\config\components_previous
2015-07-09 03:41 - 2006-11-02 11:22 - 00262144 _____ C:\Windows\system32\config\security_previous
2015-07-09 03:41 - 2006-11-02 11:22 - 00057344 _____ C:\Windows\system32\config\sam_previous
2015-07-08 18:12 - 2012-12-21 12:11 - 00000000 ____D C:\Windows\pss
2015-07-08 18:12 - 2006-11-02 11:22 - 00262144 _____ C:\Windows\system32\config\default_previous
2015-07-08 18:11 - 2010-01-30 17:53 - 00000000 ____D C:\Users\office\AppData\Roaming\Skype
2015-07-08 07:39 - 2012-04-03 07:56 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-07-07 22:01 - 2006-11-02 14:01 - 00032646 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-07-07 21:20 - 2009-06-30 17:30 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-07-01 15:19 - 2012-12-21 19:11 - 00000940 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-07-01 15:17 - 2010-04-27 18:08 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2015-07-01 15:17 - 2009-08-27 08:17 - 00000000 ____D C:\Users\office\AppData\Roaming\Malwarebytes
2015-07-01 15:17 - 2009-08-27 08:17 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-29 17:58 - 2008-04-05 10:50 - 00000000 ____D C:\Users\office\Documents\bt bills online
2015-06-27 16:24 - 2014-10-23 08:39 - 00000883 _____ C:\Users\Public\Desktop\AVG 2015.lnk
2015-06-27 16:24 - 2014-03-31 15:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-06-23 17:39 - 2012-04-03 07:56 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-06-23 17:39 - 2011-06-05 11:19 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-06-21 10:12 - 2010-01-30 17:52 - 00000000 ____D C:\ProgramData\Skype
2015-06-18 08:41 - 2012-12-21 19:11 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys

==================== Files in the root of some directories =======

2010-03-23 12:48 - 2015-07-09 21:17 - 0007944 _____ () C:\Users\office\AppData\Local\d3d9caps.dat
2008-05-06 21:02 - 2013-09-18 18:46 - 0016384 _____ () C:\Users\office\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2010-01-30 17:55 - 2010-01-30 17:55 - 0000056 ____H () C:\ProgramData\ezsidmv.dat

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-07-10 18:03

==================== End of log ============================

and the Additions...

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 09-07-2015
Ran by office at 2015-07-10 18:04:57
Running from C:\Users\office\Desktop
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-453005111-129219787-228039054-500 - Administrator - Disabled)
Guest (S-1-5-21-453005111-129219787-228039054-501 - Limited - Enabled)
office (S-1-5-21-453005111-129219787-228039054-1000 - Administrator - Enabled) => C:\Users\office

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Disabled - Up to date) {4D41356F-32AD-7C42-C820-63775EE4F413}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2015 (Disabled - Up to date) {F620D48B-1497-73CC-F290-58052563BEAE}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM\...\{6D8D64BE-F500-55B6-705D-DFD08AFE0624}) (Version: 1.7.186 - Adobe Systems Incorporated)
Adobe Flash Player 18 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 18.0.0.194 - Adobe Systems Incorporated)
Adobe Reader X (10.1.14) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.14 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM\...\Adobe Shockwave Player) (Version: 11.5.6.606 - Adobe Systems, Inc.)
AOMEI Partition Assistant Standard Edition 5.2 (HKLM\...\{02F850ED-FD0E-4ED1-BE0B-54981f5BD3D4}_is1) (Version:  - Aomei Technology Co., Ltd.)
Apple Application Support (HKLM\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ArcSoft Software Suite (HKLM\...\{497A1721-088F-41EF-8876-B43C9DA5528B}) (Version:  - ArcSoft)
ATI Catalyst Install Manager (HKLM\...\{4160DC5B-4C56-D0C3-C5FD-F5BDAD3C882B}) (Version: 3.0.641.0 - ATI Technologies, Inc.)
Avanquest update (HKLM\...\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}) (Version: 1.29 - Avanquest Software)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.6037 - AVG Technologies)
AVG 2015 (Version: 15.0.4365 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.6037 - AVG Technologies) Hidden
Bejeweled 2 Deluxe (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110265407}) (Version:  - Oberon Media)
Bluetooth Stack for Windows by Toshiba (HKLM\...\{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}) (Version: v5.10.14(T) - )
BT Broadband Desktop Help (HKLM\...\BT Broadband Desktop Help) (Version:  - )
CameraHelperMsi (Version: 13.30.1395.0 - Logitech) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.01 - Piriform)
CD/DVD Drive Acoustic Silencer (HKLM\...\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}) (Version: 2.01.03 - TOSHIBA)
Cradle of Rome (HKLM\...\{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11219217}) (Version:  - Oberon Media)
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Defraggler (HKLM\...\Defraggler) (Version: 2.15 - Piriform)
DVD MovieFactory for TOSHIBA (HKLM\...\{F214EAA4-A069-4BAF-9DA4-4DB8BEEDE485}) (Version: 5.3 - Ulead Systems, Inc.)
erLT (Version: 1.20.138.34 - Logitech, Inc.) Hidden
Free CD to MP3 Converter (HKLM\...\Free CD to MP3 Converter) (Version:  - )
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.27.5 - Google Inc.) Hidden
Java 7 Update 67 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Juniper Networks Secure Application Manager (HKLM\...\Neoteris_Secure_Application_Manager) (Version: 7.0.0.18809 - Juniper Networks)
Juniper Networks Setup Client (HKU\S-1-5-21-453005111-129219787-228039054-1000\...\Juniper_Setup_Client) (Version: 2.2.5.10685 - Juniper Networks)
Logitech Vid (HKLM\...\{4FBCEA31-5D18-4212-9231-DE7CF1BE7DBB}) (Version: 1.70.1044 - Logitech Inc.)
Logitech Webcam Software (HKLM\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.0 - Logitech Inc.)
Logitech Webcam Software Driver Package (HKLM\...\lvdrivers_12.0) (Version: 12.0.1278 - Logitech Inc.)
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft IntelliPoint 8.2 (HKLM\...\Microsoft IntelliPoint 8.2) (Version: 8.20.468.0 - Microsoft Corporation)
Microsoft Money (HKLM\...\{1D643CD0-4DD6-11D7-A4E0-000874180BB3}) (Version: 12.0.120 - Microsoft)
Microsoft Money System Pack (HKLM\...\{8C64E149-54BA-11D6-91B1-00500462BE80}) (Version: 12.0.120 - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-0015-0000-0000-0000000FF1CE}_AccessR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Access 2007 (HKLM\...\AccessR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (HKLM\...\{90120000-00B2-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSXML 4.0 SP2 (KB927978) (HKLM\...\{37477865-A3F1-4772-AD43-AAFC6BCFF99F}) (Version: 4.20.9841.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB936181) (HKLM\...\{C04E32E0-0416-434D-AFB9-6969D703A9EF}) (Version: 4.20.9848.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB941833) (HKLM\...\{C523D256-313D-4866-B36A-F3DE528246EF}) (Version: 4.20.9849.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
myphotobook 3.1 (HKLM\...\myphotobook) (Version: 3.1 - myphotobook)
NetMeeting 3.01 (HKLM\...\NetMeeting) (Version:  - )
OGA Notifier 2.0.0048.0 (Version: 2.0.0048.0 - Microsoft Corporation) Hidden
OU Flashcards (HKLM\...\OU Flashcards) (Version:  - )
PHOTOfunSTUDIO -viewer- (HKLM\...\{9A9DBEBC-C800-4776-A970-D76D6AA405B1}) (Version: 2.00.000 - Panasonic)
QuickTime 7 (HKLM\...\{627FFC10-CE0A-497F-BA2B-208CAC638010}) (Version: 7.77.80.95 - Apple Inc.)
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista (HKLM\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 1.00.0000 - Realtek)
Realtek High Definition Audio Driver (HKLM\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5464 - Realtek Semiconductor Corp.)
REALTEK RTL8187B Wireless LAN Driver (HKLM\...\{7095FD27-37F0-4750-9DE8-D37DC0043706}) (Version: Package:1.00.0008 Driver:6.1089.601.2007 - REALTEK Semiconductor Corp.)
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01 (HKLM\...\{59F6A514-9813-47A3-948C-8A155460CC2A}) (Version: 3.51.01 - )
Search Settings 1.2 (HKLM\...\{D0C73318-7B4A-4D16-A0C4-3B83F075EA88}) (Version:  - ) <==== ATTENTION
Segoe UI (Version: 15.4.2271.0615 - Microsoft Corp) Hidden
Skype Click to Call (HKLM\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 6.13.13771 - Skype Technologies S.A.)
Skype™ 7.5 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.5.102 - Skype Technologies S.A.)
SpywareBlaster 5.0 (HKLM\...\SpywareBlaster_is1) (Version: 5.0.0 - BrightFort LLC)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 4.44.1000 - SUPERAntiSpyware.com)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 11.2.4.0 - Synaptics)
ThinkVantage Secure Data Disposal v1.3 (HKLM\...\{1219A9F1-B57E-48C0-AC15-09F423F02F95}) (Version: 1.3 - Lenovo)
TOSHIBA Assist (HKLM\...\{12B3A009-A080-4619-9A2A-C6DB151D8D67}) (Version: 2.01.04 - TOSHIBA)
TOSHIBA ConfigFree (HKLM\...\{78C6A78A-8B03-48C8-A47C-78BA1FCA2307}) (Version: 7.00.32 - TOSHIBA)
TOSHIBA Disc Creator (HKLM\...\{5DA0E02F-970B-424B-BF41-513A5018E4C0}) (Version: 2.0.0.8 - TOSHIBA Corporation)
TOSHIBA DVD PLAYER (HKLM\...\{6C5F3BDC-0A1B-4436-A696-5939629D5C31}) (Version: 1.10.08 - TOSHIBA Corporation)
TOSHIBA Extended Tiles for Windows Mobility Center (HKLM\...\InstallShield_{617C36FD-0CBE-4600-84B2-441CEB12FADF}) (Version: 1.01.00 - TOSHIBA Corporation)
TOSHIBA Hardware Setup (HKLM\...\{BFC85CDC-BD7C-4FDD-9507-8D74B5A79404}) (Version: 2.00.06 - )
TOSHIBA Manuals (HKLM\...\{0F4F4815-76AD-4B26-8763-72F3344041C2}) (Version: 7.30 - TOSHIBA)
Toshiba Online Product Information (HKLM\...\{2290A680-4083-410A-ADCC-7092C67FC052}) (Version: 1.00.0012 - TOSHIBA)
TOSHIBA SD Memory Utilities (HKLM\...\{EBFF48F5-3CFA-436F-8FD5-94FB01D3A0A7}) (Version: 1.8.1.1 - TOSHIBA)
TOSHIBA Software Modem (HKLM\...\TOSHIBA Software Modem) (Version: 2.1.77 (SM2177ALD04) - Agere Systems)
TOSHIBA Supervisor Password (HKLM\...\{2BDF38E0-1A7F-4220-B4B7-118DD45E5E13}) (Version: 2.00.02 - )
TOSHIBA Value Added Package (HKLM\...\InstallShield_{FEDD27A0-B306-45EF-BF58-B527406B42C8}) (Version: 1.0.30 - TOSHIBA Corporation)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-0015-0000-0000-0000000FF1CE}_AccessR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows 7 Upgrade Advisor (HKLM\...\{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}) (Version: 2.0.5000.0 - Microsoft Corporation)
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Media Encoder 9 Series (HKLM\...\Windows Media Encoder 9) (Version:  - )
Zune (HKLM\...\Zune) (Version: 04.08.2345.00 - Microsoft Corporation)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-453005111-129219787-228039054-1000_Classes\CLSID\{25815CC0-43F4-3C75-8C3A-A139D9ADE740}\InprocServer32 -> C:\Windows\system32\mscoree.dll (Microsoft Corporation)

==================== Restore Points =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 11:23 - 2015-07-09 20:22 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {2E2C6FF7-73D3-41A3-83C9-2E9FE9C9B5E6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-22] (Google Inc.)
Task: {40D254A3-F78A-4070-AFD1-4B656975A6D2} - System32\Tasks\{43584AA4-C690-4F52-99C9-A43DB451CFAF} => C:\Program Files\Skype\Phone\Skype.exe
Task: {44E34C81-9562-4717-9AD2-8F1A8409C4A5} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-12-12] (Piriform Ltd)
Task: {5642C28D-F6CA-40D3-9A3C-6E2D7948AC2E} - System32\Tasks\Microsoft\Windows\WindowsCalendar\Reminders - office => C:\Program Files\Windows Calendar\WinCal.exe [2009-04-11] (Microsoft Corporation)
Task: {6A11E32B-3A30-4886-A18E-989189496BA9} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {7A58ED22-96F3-4960-B088-23DF002984AA} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => C:\Program Files\Microsoft IntelliPoint\IPoint.exe [2011-08-01] (Microsoft Corporation)
Task: {7FE815D8-A57A-4391-97F0-9AFB249BF44A} - System32\Tasks\{8D0FA9D8-92DD-4B08-A860-FA7D0C525F35} => C:\Program Files\Skype\Phone\Skype.exe
Task: {A0280392-EDA8-461E-A123-C17E1A4BCACF} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-06-23] (Adobe Systems Incorporated)
Task: {B6FE97F8-6B98-4FCC-8093-F46373E5169B} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-22] (Google Inc.)
Task: {D9380357-FEF4-442E-A725-5E06EF1F7D7F} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2007-09-13 16:16 - 2007-07-27 22:26 - 00159744 _____ () C:\Windows\system32\atitmmxx.dll
2010-05-07 18:35 - 2010-05-07 18:35 - 02143576 _____ () C:\Program Files\Logitech\LWS\Webcam Software\QtCore4.dll
2010-05-07 18:35 - 2010-05-07 18:35 - 07954776 _____ () C:\Program Files\Logitech\LWS\Webcam Software\QtGui4.dll
2010-05-07 18:36 - 2010-05-07 18:36 - 00340824 _____ () C:\Program Files\Logitech\LWS\Webcam Software\QtXml4.dll
2010-05-07 18:37 - 2010-05-07 18:37 - 00027480 _____ () C:\Program Files\Logitech\LWS\Webcam Software\imageformats\QGif4.dll
2010-05-07 18:37 - 2010-05-07 18:37 - 00126808 _____ () C:\Program Files\Logitech\LWS\Webcam Software\imageformats\QJpeg4.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:BB24555F
AlternateDataStreams: C:\ProgramData\TEMP:C46995DA

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


There are 6092 more restricted sites.

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-453005111-129219787-228039054-1000\Control Panel\Desktop\\Wallpaper -> E:\assorted pictures moved from C\quokka.jpg
DNS Servers: 192.168.1.254

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^Users^office^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^runctf.lnk => C:\Windows\pss\runctf.lnk.Startup
MSCONFIG\startupreg: APSDaemon => "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: Logitech Vid => "C:\Program Files\Logitech\Vid\Vid.exe" -bootmode
MSCONFIG\startupreg: Logitech Vid HD => "C:\Program Files\Logitech\Vid\vid.exe" -bootmode
MSCONFIG\startupreg: LWS => C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe -hide
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: SUPERAntiSpyware => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [WinCollab-DFSR-In-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-DFSR-Out-TCP] => (Allow) %SystemRoot%\system32\dfsr.exe
FirewallRules: [WinCollab-In-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-TCP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-In-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [WinCollab-Out-UDP] => (Allow) %ProgramFiles%\Windows Collaboration\WinCollab.exe
FirewallRules: [TCP Query User{ECF40191-B96B-41F9-B091-E367671DC260}C:\program files\internet explorer\iexplore.exe] => (Allow) C:\program files\internet explorer\iexplore.exe
FirewallRules: [UDP Query User{721FCD4A-004B-4046-9ABA-887B12381F71}C:\program files\internet explorer\iexplore.exe] => (Allow) C:\program files\internet explorer\iexplore.exe
FirewallRules: [{4CC097C8-7F44-4BE0-AE85-884DCE462AB3}] => (Allow) svchost.exe
FirewallRules: [TCP Query User{44E4D253-7815-478E-BA08-63519CB58D1F}C:\program files\netmeeting\conf.exe] => (Allow) C:\program files\netmeeting\conf.exe
FirewallRules: [UDP Query User{752A45A0-D5D8-4793-95AF-564CCB99A93E}C:\program files\netmeeting\conf.exe] => (Allow) C:\program files\netmeeting\conf.exe
FirewallRules: [{6EBA339E-23DE-41CD-BDD8-A4578B3C6E49}] => (Allow) C:\Program Files\Logitech\Vid\Vid.exe
FirewallRules: [{7EBA2756-FE46-4FDC-B517-5F2CA5AADAC5}] => (Allow) C:\Program Files\Logitech\Vid\Vid.exe
FirewallRules: [{F3DFEFED-CF42-4B74-A6BF-FC1D21B0DCB1}] => (Allow) C:\Program Files\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{E649FEF5-6C3F-48B3-9A27-670126ABEA74}] => (Allow) LPort=2869
FirewallRules: [{03FED3A5-FFFD-49BC-8E64-B14D0040F17B}] => (Allow) LPort=1900
FirewallRules: [{B4C6767E-7E8A-4787-AC83-778C0A44AB36}] => (Allow) LPort=80
FirewallRules: [{AF73453A-8096-49F2-A66B-D4490016FA96}] => (Allow) LPort=80
FirewallRules: [{2113B5D1-27CF-4EDE-B2EB-95BCFEA1FC8C}] => (Allow) LPort=80
FirewallRules: [{904AED14-7B9C-4E3E-95EF-D37DD1159BD1}] => (Allow) C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [TCP Query User{D49AD9A0-4A35-49A3-98BA-282284A904AA}C:\program files\logitech\vid\vid.exe] => (Allow) C:\program files\logitech\vid\vid.exe
FirewallRules: [UDP Query User{049E72C7-DBE2-498F-B0DB-585DFB97FF19}C:\program files\logitech\vid\vid.exe] => (Allow) C:\program files\logitech\vid\vid.exe
FirewallRules: [TCP Query User{20DBC9DC-8D42-4827-8D17-DA4DFAB236EF}C:\program files\java\jre7\bin\javaw.exe] => (Block) C:\program files\java\jre7\bin\javaw.exe
FirewallRules: [UDP Query User{E962E0F0-3219-4901-9368-D6F67A807F85}C:\program files\java\jre7\bin\javaw.exe] => (Block) C:\program files\java\jre7\bin\javaw.exe
FirewallRules: [TCP Query User{492D7D67-2475-462B-BFEE-80A81D8557BA}C:\windows\explorer.exe] => (Allow) C:\windows\explorer.exe
FirewallRules: [UDP Query User{5505B6B0-9254-46E8-AB8F-6FC4C21E26AC}C:\windows\explorer.exe] => (Allow) C:\windows\explorer.exe
FirewallRules: [{07C2B795-8C06-46FC-967C-2694D3C2D12B}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [TCP Query User{17CACFC1-2F9A-4391-8C7B-426C7F9073D5}C:\program files\java\jre7\bin\jp2launcher.exe] => (Block) C:\program files\java\jre7\bin\jp2launcher.exe
FirewallRules: [UDP Query User{DDA6B168-1F29-4F23-A6E3-A3414FFF855A}C:\program files\java\jre7\bin\jp2launcher.exe] => (Block) C:\program files\java\jre7\bin\jp2launcher.exe
FirewallRules: [{CD5CC703-192B-47BB-A5D8-45D80EB550AA}] => (Allow) C:\Program Files\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{1FE1008E-A416-47BD-AB82-7F2BDDEB50ED}] => (Allow) C:\Program Files\AVG\AVG2015\avgmfapx.exe
FirewallRules: [{E83B5D95-B93E-44B4-A7E0-6E5F85606CD1}] => (Allow) C:\Program Files\AVG\AVG2015\avgnsx.exe
FirewallRules: [{CA7F94F2-447F-49B7-BE3A-AEB6C55BB538}] => (Allow) C:\Program Files\AVG\AVG2015\avgnsx.exe
FirewallRules: [{B0B07681-70AF-4E36-91D9-7C3992AABC26}] => (Allow) C:\Program Files\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{FBAB0498-D28B-4DAA-B91F-79D751DF21E3}] => (Allow) C:\Program Files\AVG\AVG2015\avgdiagex.exe
FirewallRules: [{78176D7B-3E73-4C56-A3FA-E47937605E1A}] => (Allow) C:\Program Files\AVG\AVG2015\avgemcx.exe
FirewallRules: [{C9DB5C60-63AC-4F17-8E8D-4ABF500994CA}] => (Allow) C:\Program Files\AVG\AVG2015\avgemcx.exe

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (07/10/2015 06:02:42 PM) (Source: Windows Backup) (EventID: 4103) (User: )
Description: File backup failed due to an error writing to the backup location H:\. The error is: The backup location cannot be found or is not valid. Review your backup settings and check your hardware configuration. (0x81000006).

Error: (07/10/2015 05:44:09 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 512) (User: )
Description:
Details:
Could not query the status of the EventSystem service.

System Error:
A system shutdown is in progress.

Error: (07/10/2015 05:41:44 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/10/2015 05:37:00 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/10/2015 11:33:07 AM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/09/2015 09:08:19 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/09/2015 08:25:27 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/09/2015 08:24:18 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/09/2015 08:21:57 PM) (Source: EventSystem) (EventID: 4609) (User: )
Description: d:\longhorn\com\complus\src\events\tier1\eventsystemobj.cpp458007043c

Error: (07/09/2015 08:12:42 PM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point on volume (Process = C:\Windows\system32\wbem\wmiprvse.exe; Descripton = ComboFix created restore point; Hr = 0x8007043c).

System errors:
=============
Error: (07/10/2015 06:01:32 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: 30000Eventlog

Error: (07/10/2015 06:01:32 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: 30000ShellHWDetection

Error: (07/10/2015 06:01:32 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: 30000ShellHWDetection

Error: (07/10/2015 06:01:32 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: Windows Update

Error: (07/10/2015 05:59:50 PM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: 30000ShellHWDetection

Error: (07/10/2015 05:58:51 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (07/10/2015 05:53:40 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: MBAMService%%1053

Error: (07/10/2015 05:53:40 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000MBAMService

Error: (07/10/2015 05:53:40 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: AVG WatchDog%%1053

Error: (07/10/2015 05:53:40 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: 30000AVG WatchDog

Microsoft Office:
=========================

CodeIntegrity Errors:
===================================
  Date: 2015-07-10 18:04:33.850
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 18:04:32.035
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 18:04:30.282
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 18:04:28.471
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 18:04:26.074
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 18:04:24.298
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 18:04:22.566
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 18:04:20.865
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mbamchameleon.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 18:03:30.189
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

  Date: 2015-07-10 18:03:28.323
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\drivers\mwac.sys because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: AMD Athlon™ 64 X2 Dual-Core Processor TK-57
Percentage of memory in use: 88%
Total physical RAM: 1917.32 MB
Available physical RAM: 215.77 MB
Total Virtual: 4079.89 MB
Available Virtual: 2055.45 MB

==================== Drives ================================

Drive c: (Vista) (Fixed) (Total:50.34 GB) (Free:9.42 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (FLASH DRIVE) (Removable) (Total:7.2 GB) (Free:7.17 GB) FAT32
Drive e: (Data) (Fixed) (Total:22.72 GB) (Free:5.39 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 74.5 GB) (Disk ID: D525A86A)
Partition 1: (Not Active) - (Size=1.5 GB) - (Type=27)
Partition 2: (Active) - (Size=50.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=22.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 7.2 GB) (Disk ID: DCB5308D)
Partition 1: (Active) - (Size=7.2 GB) - (Type=0B)

==================== End of log ============================

 

As it was behaving so strangely, I've shut down the infected laptop for the time being but will reboot as and when needed...



#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:33 AM

Posted 10 July 2015 - 02:41 PM

Ok. Thanks. Nice work.  You might want to print this out.  Please take your time.  Much to do.  If you run into troubles simply STOP and ask me.

<<<<<<<<<

I wouldn't ever run Combofix again without expert help. It can damage your computer beyond repair! I will need a look at that log. I will gather it up with my fix below. The output from the fix below might be too long to copy and paste into one post. You can try. If it doesn't fit then you have 2 options to get the fixlog.txt to me for my review.

1) Break it up over several posts
2) Attach it

<<<<<<<<<<

Do this next...


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

 

start

CreateRestorePoint:
CloseProcesses:
CMD:type C:\ComboFix.txt
Hosts:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-453005111-129219787-228039054-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-453005111-129219787-228039054-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
SearchScopes: HKLM -> {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> DefaultScope {6BDCF34F-45CC-4F8F-863D-D6CEEB67F4F5} URL = http://www.bing.com/search?q={searchTerms}&form=OSDSRC
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> {6BDCF34F-45CC-4F8F-863D-D6CEEB67F4F5} URL = http://www.bing.com/search?q={searchTerms}&form=OSDSRC
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
Toolbar: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> No Name - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://global.nas.gov.uk/dana-cached/sc/JuniperSetupClient.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - No File
ShellExecuteHooks: - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No File [ ]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:BB24555F
AlternateDataStreams: C:\ProgramData\TEMP:C46995DA
EmptyTemp:

End

Save the file as fixlist.txt in the same folder that FRST.exe is running from.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

<<<<<<<<<<

Download: DelDomains.inf
Locate DelDomains.inf right-click and select: Install
Note: you will not see any on-screen action ...
This will remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones.
 
<<<<<<<<<<

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait a bit.
  • Click on I agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

<<<<<<<<<<
 
Shut down your protection software (if it's not still disabled) now to avoid potential conflicts.
 
Temporarily disable your AV program so it does not interfere with the next 2 scans.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.
 
<<<<<<<<<<
 
Please download Junkware Removal Tool to your desktop.

  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

<<<<<<<<<<

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:

autoclean;
ipconfig /flushdns;b

Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

<<<<<<<<<<

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2
    • Close all programs and disconnect any USB or external drives before running the tool.
    • Double-click RogueKiller.exe to run the tool (Vista or 7 users: Right-click and select Run As Administrator).
    • Once the Prescan has finished, click Scan.
    • Once the Status box shows "Scan Finished", click the Delete button.
    • When the Status box shows "Deleting Finished", click the "Report" button to show the log.
    • Copy and paste the report that opens into your next reply.
      • The log can also be found in the following location: C:\ProgramData\RogueKiller\Logs\RKreport_DEL_mmddyyyy_hhmmss.log
      • >>For XP users, you must first show hidden files/folders, then the log location is here: C:\Documents and Settings\All Users\Application data\RogueKiller\Logs\RKreport_DEL_mmddyyyy_hhmmss.log

<<<<<<<<<<
 
Please re-enable your AV software if possible now.
 
<<<<<<<<<<
 
Lastly run FRST.exe again and place a check in the Additions.txt box
 
Please provide:

  • Fixlist.txt
  • AdwCleaner.txt
  • JRT.txt
  • Zoek-results.log
  • RKreport.log
  • FRST.txt
  • Addition.txt
  • What problems remain?

Thanks


Edited by thcbytes, 10 July 2015 - 06:57 PM.

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#10 scotiabahn

scotiabahn
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:33 AM

Posted 10 July 2015 - 03:02 PM

A question before I start... The fixlist references a Sibelius entry and one for global.nas.gov.uk... they are valid items on this laptop - we own a copy of sibelius (music software) and NAS relates to my wife's work... Do they definitely need to be fixed?

 

Ignore this... my wife's stuff is out of date, she tells me :) ... and we can always reinstall Sibelius! 


Edited by scotiabahn, 10 July 2015 - 03:16 PM.


#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:33 AM

Posted 10 July 2015 - 04:04 PM

Those do not need to be removed. Simply remove them from the script if you like. Was doing some housekeeping. They are ActiveX objects. Worst case scenario they can be easily restored by a 'restore' script.


Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#12 scotiabahn

scotiabahn
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:33 AM

Posted 10 July 2015 - 04:37 PM

Some progress but hit a snag with JRT not running, details at the bottom.

 

 

Started with FRST and I left the script as suggested and ran it...

 

 

Fixlog:-

 

Fix result of Farbar Recovery Scan Tool (x86) Version: 09-07-2015
Ran by office at 2015-07-10 21:30:41 Run:2
Running from C:\Users\office\Desktop
Loaded Profiles: office (Available Profiles: office)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
CloseProcesses:
CMD:type C:\ComboFix.txt
Hosts:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-453005111-129219787-228039054-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-453005111-129219787-228039054-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
SearchScopes: HKLM -> {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> DefaultScope {6BDCF34F-45CC-4F8F-863D-D6CEEB67F4F5} URL = http://www.bing.com/search?q={searchTerms}&form=OSDSRC
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> {6BDCF34F-45CC-4F8F-863D-D6CEEB67F4F5} URL = http://www.bing.com/search?q={searchTerms}&form=OSDSRC
SearchScopes: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> {8617C7CA-993C-4730-A8F9-79E802AA9F89} URL = http://www.google.co.uk/search?q={searchTerms}&rls=com.microsoft:*:IE-SearchBox&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7;
Toolbar: HKU\S-1-5-21-453005111-129219787-228039054-1000 -> No Name - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://global.nas.gov.uk/dana-cached/sc/JuniperSetupClient.cab
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - No File
ShellExecuteHooks: - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No File [ ]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:BB24555F
AlternateDataStreams: C:\ProgramData\TEMP:C46995DA
EmptyTemp:

End
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.

========= type C:\ComboFix.txt =========

ComboFix 15-07-08.01 - office 09/07/2015  20:14:26.2.2 - x86 MINIMAL
Microsoft® Windows Vista® Home Premium   6.0.6002.2.1252.44.1033.18.1917.1294 [GMT 1:00]
Running from: c:\users\office\Desktop\ComboFix.exe
AV: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {4D41356F-32AD-7C42-C820-63775EE4F413}
SP: AVG AntiVirus Free Edition 2015 *Enabled/Updated* {F620D48B-1497-73CC-F290-58052563BEAE}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Skype\Phone\Skype.exe
c:\programdata\pcdfdata
c:\users\office\AppData\Roaming\skype.ini
c:\users\office\Documents\wpe52E5.TMP
c:\users\office\GoToAssistDownloadHelper.exe
c:\windows\msdownld.tmp
c:\windows\system32\pt
c:\windows\system32\pt\toscdspd.cpl.mui
.
.
(((((((((((((((((((((((((   Files Created from 2015-06-09 to 2015-07-09  )))))))))))))))))))))))))))))))
.
.
2015-07-09 19:22 . 2015-07-09 19:22 -------- d-----w- c:\users\office\AppData\Local\temp
2015-07-09 19:22 . 2015-07-09 19:22 -------- d-----w- c:\users\Public\AppData\Local\temp
2015-07-09 19:22 . 2015-07-09 19:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-07-08 19:06 . 2015-07-09 17:07 -------- d-----w- c:\windows\amlog
2015-07-08 15:51 . 2015-07-08 15:51 -------- d-----w- c:\program files\Common Files\Microsoft
2015-07-01 14:17 . 2015-07-01 14:21 98520 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-07-01 14:17 . 2015-06-18 07:41 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-07-01 14:17 . 2015-06-18 07:41 94936 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-07-01 14:17 . 2015-07-09 02:44 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2015-07-01 10:59 . 2015-07-01 10:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2015-07-01 10:59 . 2015-07-01 10:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2015-07-01 10:59 . 2015-07-01 10:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2015-07-01 10:59 . 2015-07-01 10:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2015-07-01 10:59 . 2015-07-01 10:59 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2015-07-01 10:58 . 2015-07-01 10:59 -------- d-----w- c:\program files\QuickTime
2015-07-01 10:58 . 2015-07-01 10:58 -------- d-----w- c:\programdata\Apple Computer
2015-06-16 23:23 . 2015-06-16 23:23 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2015-06-16 23:23 . 2015-06-16 23:23 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-06-23 16:39 . 2012-04-03 06:56 778416 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2015-06-23 16:39 . 2011-06-05 10:19 142512 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-06-18 07:41 . 2012-12-21 18:11 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-05-19 08:57 . 2015-05-19 08:57 227808 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2015-05-14 12:49 . 2015-05-14 12:49 29664 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys
2015-05-12 13:46 . 2015-05-12 13:46 213984 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2015-05-12 13:45 . 2015-05-12 13:45 190944 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2015-05-12 13:45 . 2015-05-12 13:45 169440 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2015-05-07 12:52 . 2015-05-07 12:52 290272 ----a-w- c:\windows\system32\drivers\avglogx.sys
2015-04-30 16:03 . 2015-06-01 20:40 279040 ----a-w- c:\windows\system32\schannel.dll
2015-04-30 13:14 . 2015-06-01 20:33 102608 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2015-04-19 21:24 . 2015-06-01 20:35 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2015-04-19 21:24 . 2015-06-01 20:35 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2015-04-19 21:24 . 2015-06-01 20:35 189952 ----a-w- c:\windows\system32\d3d10core.dll
2015-04-19 21:24 . 2015-06-01 20:35 1029120 ----a-w- c:\windows\system32\d3d10.dll
2015-04-19 20:19 . 2015-06-01 20:35 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2015-04-19 20:18 . 2015-06-01 20:35 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2015-04-19 20:13 . 2015-06-01 20:35 682496 ----a-w- c:\windows\system32\d2d1.dll
2015-04-19 20:12 . 2015-06-01 20:35 1072640 ----a-w- c:\windows\system32\DWrite.dll
2015-04-19 20:12 . 2015-06-01 20:35 801792 ----a-w- c:\windows\system32\FntCache.dll
2015-04-19 04:59 . 2015-06-01 20:35 2065408 ----a-w- c:\windows\system32\win32k.sys
2015-04-17 10:23 . 2015-04-17 10:24 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2015-04-15 12:05 . 2015-04-15 12:05 206816 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2015-04-14 01:35 . 2015-04-14 01:35 875720 ----a-w- c:\windows\system32\msvcr120_clr0400.dll
2015-04-14 01:35 . 2015-04-14 01:35 536776 ----a-w- c:\windows\system32\msvcp120_clr0400.dll
2015-04-10 23:22 . 2015-06-01 20:19 279552 ----a-w- c:\windows\system32\services.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner.exe" [2014-12-12 5489944]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"RtHDVCpl"="RtHDVCpl.exe" [2007-08-09 4702208]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-04-03 509496]
"Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2007-05-04 571024]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"Skytel"="Skytel.exe" [2007-08-03 1826816]
"LWS"="c:\program files\Logitech\LWS\Webcam Software\LWS.exe" [2011-08-12 205336]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
"Zune Launcher"="e:\zune\ZuneLauncher.exe" [2011-08-05 159456]
"AVG_UI"="c:\program files\AVG\AVG2015\avgui.exe" [2015-06-16 3727824]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2015-04-10 335232]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-12-19 1022152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2015-06-16 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Users^office^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^runctf.lnk]
path=c:\users\office\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk
backup=c:\windows\pss\runctf.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-09-13 19:51 59720 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid]
2010-05-11 15:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Vid HD]
2010-05-11 15:43 6061400 ----a-w- c:\program files\Logitech\Vid\Vid.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LWS]
2011-08-12 11:18 205336 ----a-w- c:\program files\Logitech\LWS\Webcam Software\LWS.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2015-06-16 23:23 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-09-28 14:04 2424560 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\users\office\Downloads\EmsisoftEmergencyKit\Run\a2ddax86.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ECACHE
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ    FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2015-07-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 16:39]
.
2015-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 06:57]
.
2015-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-02 06:57]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2015-07-09 20:22
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_18_0_0_194_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_18_0_0_194_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2015-07-09  20:25:19
ComboFix-quarantined-files.txt  2015-07-09 19:25
.
Pre-Run: 10,280,677,376 bytes free
Post-Run: 10,200,821,760 bytes free
.
- - End Of File - - 5407BCAEE177388A038D8B51C6D73151
5C616939100B85E558DA92B899A0FC36

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully.
Hosts restored successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
"HKU\S-1-5-21-453005111-129219787-228039054-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully.
HKU\S-1-5-21-453005111-129219787-228039054-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8617C7CA-993C-4730-A8F9-79E802AA9F89}" => key removed successfully.
HKCR\CLSID\{8617C7CA-993C-4730-A8F9-79E802AA9F89} => key not found.
HKU\S-1-5-21-453005111-129219787-228039054-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"HKU\S-1-5-21-453005111-129219787-228039054-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6BDCF34F-45CC-4F8F-863D-D6CEEB67F4F5}" => key removed successfully.
HKCR\CLSID\{6BDCF34F-45CC-4F8F-863D-D6CEEB67F4F5} => key not found.
"HKU\S-1-5-21-453005111-129219787-228039054-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{8617C7CA-993C-4730-A8F9-79E802AA9F89}" => key removed successfully.
HKCR\CLSID\{8617C7CA-993C-4730-A8F9-79E802AA9F89} => key not found.
HKU\S-1-5-21-453005111-129219787-228039054-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} => value removed successfully.
HKCR\CLSID\{E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}" => key removed successfully.
HKCR\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{80AEEC0E-A2BE-4B8D-985F-350FE869DC40}" => key removed successfully.
HKCR\CLSID\{80AEEC0E-A2BE-4B8D-985F-350FE869DC40} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}" => key removed successfully.
HKCR\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{A8F2B9BD-A6A0-486A-9744-18920D898429}" => key removed successfully.
HKCR\CLSID\{A8F2B9BD-A6A0-486A-9744-18920D898429} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}" => key removed successfully.
HKCR\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7} => key not found.
"HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{F27237D7-93C8-44C2-AC6E-D6057B9A918F}" => key removed successfully.
"HKCR\CLSID\{F27237D7-93C8-44C2-AC6E-D6057B9A918F}" => key removed successfully.
"HKCR\PROTOCOLS\Handler\livecall" => key removed successfully.
HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => key not found.
"HKCR\PROTOCOLS\Handler\msnim" => key removed successfully.
HKCR\CLSID\{828030A1-22C1-4009-854F-8E305202313F} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => value removed successfully.
HKCR\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => key not found.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully..
C:\ProgramData\TEMP => ":BB24555F" ADS removed successfully..
C:\ProgramData\TEMP => ":C46995DA" ADS removed successfully..
EmptyTemp: => 31 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 21:36:19 ====

 

After the Reboot, I installed DelDomains... And then moved on AdwCleaner - here's the logfile from that...

 

# AdwCleaner v4.208 - Logfile created 10/07/2015 at 21:51:59
# Updated 09/07/2015 by Xplode
# Database : 2015-07-10.1 [Server]
# Operating system : Windows Vista ™ Home Premium Service Pack 2 (x86)
# Username : office - OFFICE-PC
# Running from : C:\Users\office\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

File Deleted : C:\Windows\Installer\8c1fd.msi

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\Search Settings
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\AVG SafeGuard toolbar
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\Avg Secure Update
Key Deleted : HKLM\SOFTWARE\AVG SafeGuard toolbar
Key Deleted : HKLM\SOFTWARE\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Search Settings
Key Deleted : HKU\.DEFAULT\Software\Avg Secure Update
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D0C73318-7B4A-4D16-A0C4-3B83F075EA88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00B2-0409-0000-0000000FF1CE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{D0C73318-7B4A-4D16-A0C4-3B83F075EA88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{90120000-00B2-0409-0000-0000000FF1CE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\81337C0DA4B761D40A4CB3380F57AE88
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\81337C0DA4B761D40A4CB3380F57AE88
Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\81337C0DA4B761D40A4CB3380F57AE88
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\CC94835868BCA58489B0D79DE655BCB1

***** [ Web browsers ] *****

-\\ Internet Explorer v9.0.8112.16644

*************************

AdwCleaner[R0].txt - [2502 bytes] - [10/07/2015 21:49:36]
AdwCleaner[S0].txt - [2471 bytes] - [10/07/2015 21:51:59]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2530  bytes] ##########

 

I then tried to get JRT to run but nothing seemed to happen. According to the download page I should see at least a DOS screen and I got nothing, no sign of the job running in Task Manager either. I double-checked the instructions but I had followed things correctly - no AV programs running. (After this failed I did check whether I could get AVG or MalwareBytes to start, but no joy...)

 

I've written in BOLD to differentiate from the logs... I didn't run anything else after JRT failed...



#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:33 AM

Posted 10 July 2015 - 07:19 PM

Ok.  Hang in there.  We will get it.
 
This next...
 
We need to search for a few things with SystemLook:

  • Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop
  • Double-click the program to run it, paste the entire text into the main text box:
    :filefind
    *runctf* 
    :folderfind
    *pss*
    :regfind
    runctf
    
  • Click the Look button to start the scan
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

<<<<<<<<<<
 
Run RKill then try to run JRT.  Please remember to always right click and run as admin.  If RKill/JRT fails then move on to RKill/Zoek then RKill/RK as outlined in the previous post.
 
Let me know if you run into troubles.

 

Thanks


Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
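For readers who want to reproduce the three SystemLook searches requested above without the tool, here is an added PowerShell equivalent. It is not part of the thread and is not SystemLook's or the helper's code. Assumptions: it is run from an elevated (Run as administrator) PowerShell prompt on PowerShell 2.0 or later (Vista supports 2.0 via the Windows Management Framework), the patterns `*runctf*`, `*pss*` and `runctf` are the ones from the post, and the output file name on the desktop is an arbitrary choice. The script is architecture-independent, so it behaves the same on the 32-bit Vista machine in this thread as on a 64-bit system, where the HKLM walk simply also covers Wow6432Node.

```powershell
# Added example: PowerShell equivalent of a SystemLook script with
# :filefind *runctf*, :folderfind *pss* and :regfind runctf.
# Not SystemLook's own code. Run as Administrator; PowerShell 2.0+.
param(
    [string[]]$Roots        = @($env:SystemDrive + '\'),  # drives to walk
    [string]  $FilePattern  = '*runctf*',                 # :filefind
    [string]  $FolderPattern = '*pss*',                   # :folderfind
    [string]  $RegPattern   = 'runctf'                    # :regfind
)

$report = @()

# :filefind  -- match file names only; -Force includes hidden/system entries
# (malware droppers commonly set those attributes).
$report += ':filefind ' + $FilePattern
foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -Filter $FilePattern -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $report += ('{0}  size={1}  modified={2:u}' -f $_.FullName, $_.Length, $_.LastWriteTime)
        }
}

# :folderfind -- same walk, directories only (PSIsContainer works on PS 2.0,
# which has no -Directory switch).
$report += ':folderfind ' + $FolderPattern
foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -Force -Filter $FolderPattern -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { $report += $_.FullName }
}

# :regfind -- walk HKLM and HKCU; report key names, value names and value
# data that contain the pattern (SystemLook matches all three).
$report += ':regfind ' + $RegPattern
foreach ($hive in 'HKLM:\', 'HKCU:\') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -like "*$RegPattern*") {
            $report += ('[key]   ' + $key.Name)
        }
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            if ($name -like "*$RegPattern*" -or ("$data" -like "*$RegPattern*")) {
                $report += ('[value] {0}\{1} = {2}' -f $key.Name, $name, $data)
            }
        }
    }
}

# Write the report next to where SystemLook would have put its log.
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'SystemLook-equivalent.txt'
$report | Out-File -FilePath $out -Encoding UTF8
Write-Host "Results written to $out ($($report.Count) lines)"
```

Two caveats a practitioner should keep in mind: a file-name search will not find a component that has been renamed or lives only in memory, so an empty result is not proof of absence, and the registry walk reads every value as a string, so binary data is matched only if its textual rendering happens to contain the pattern.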

#14 scotiabahn

scotiabahn
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:33 AM

Posted 11 July 2015 - 03:28 AM

Please confirm that a 64-bit version of SystemLook is right - my laptop is definitely 32-bit...

 

Will carry on with RKill/JRT guidance as in the latest reply...



#15 scotiabahn

scotiabahn
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:33 AM

Posted 11 July 2015 - 04:12 AM

RKill/JRT had no effect...

 

Moved on to Zoek with script... This started and got to a step it calls 'create environment variables' about half an hour ago, but it's unclear to me whether it's still actually doing anything... Task Manager shows it as running, but I'm not seeing much activity from the related processes...

 

Will keep an eye on it for now - I know some things can take a while, particularly on an older machine...

 

[update - Zoek still not apparently doing anything after an hour plus... Wife is taking me to a garden centre(!) - back later to see what's happening...]


Edited by scotiabahn, 11 July 2015 - 04:48 AM.




