TechSpot

Help with MoneyPak virus

Solved
By andy2082
Oct 27, 2013
  1. Hi, my computer keeps popping up with the MoneyPak virus. I can remove it temporarily by accessing the computer through another user and running Malwarebytes, but it recurs within a day or so. Below are my logs, any help appreciated. Andrew

    Malwarebytes Anti-Malware 1.75.0.1300
    www.malwarebytes.org
    Database version: v2013.10.27.05
    Windows 7 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Andrew :: ANDREW-PC [administrator]
    27/10/2013 15:48:35
    mbam-log-2013-10-27 (15-48-35).txt
    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 229231
    Time elapsed: 10 minute(s), 35 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|shell (Trojan.Agent.RNS) -> Data: explorer.exe,C:\Users\Andrew\AppData\Roaming\skype.dat -> Quarantined and deleted successfully.
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    (end)
    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16421
    Run by Andrew at 16:07:21 on 2013-10-27
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3004.1542 [GMT -4:00]
    .
    AV: COMODO Antivirus *Disabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: COMODO Antivirus *Disabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275}
    FW: COMODO Firewall *Disabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
    .
    ============== Running Processes ================
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Program Files\Common Files\COMODO\launcher_service.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
    C:\Windows\system32\nvvsvc.exe
    C:\Program Files\Acer Bio Protection\CompPtcVUI.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe
    C:\Program Files\Acer Bio Protection\BASVC.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Google\Update\1.3.21.165\GoogleCrashHandler.exe
    C:\Windows\system32\Dwm.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskhost.exe
    C:\Program Files\Launch Manager\LManager.exe
    C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Comodo\COMODO Internet Security\cistray.exe
    C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
    C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe
    C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Comodo\GeekBuddy\unit_manager.exe
    C:\Program Files\Comodo\GeekBuddy\unit.exe
    C:\Program Files\Comodo\COMODO Internet Security\cis.exe
    C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Users\Andrew\AppData\Local\Temp\nsvD625.tmp\ns8355.tmp
    C:\Windows\system32\conhost.exe
    C:\Users\Andrew\AppData\Local\Temp\nsvD625.tmp\PEV.DAT
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\conhost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k RPCSS
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    uURLSearchHooks: {472734EA-242A-422b-ADF8-83D1E48CC825} - <orphaned>
    BHO: AutorunsDisabled - <orphaned>
    BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
    BHO: ChromeFrame BHO: {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - c:\program files\google\chrome frame\application\30.0.1599.101\npchrome_frame.dll
    uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
    uRun: [Google Update] "c:\users\andrew\appdata\local\google\update\GoogleUpdate.exe" /c
    mRun: [LManager] c:\program files\launch manager\LManager.exe
    mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
    mRun: [COMODO Internet Security] c:\program files\comodo\comodo internet security\cistray.exe
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [Cisco AnyConnect Secure Mobility Agent for Windows] "c:\program files\cisco\cisco anyconnect secure mobility client\vpnui.exe" -minimized
    mRun: [tvncontrol] "c:\program files\common files\comodo\GeekBuddyRSP.exe" -controlservice -slave
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\startg~1.lnk - c:\program files\comodo\geekbuddy\launcher.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:147
    uPolicies-Explorer: NoDrives = dword:0
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:147
    mPolicies-Explorer: NoDrives = dword:0
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
    IE: {10954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\acer bio protection\PwdBank.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
    DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20110926150838
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://soem.webex.com/client/T27LC/webex/ieatgpc1.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 192.168.1.1
    TCP: Interfaces\{E78E00BB-66CB-4C40-B91C-51BEFE20CDE2} : DHCPNameServer = 192.168.1.1
    TCP: Interfaces\{E78E00BB-66CB-4C40-B91C-51BEFE20CDE2}\14C6D28416D6262716 : DHCPNameServer = 192.168.1.1 192.168.1.1
    TCP: Interfaces\{E78E00BB-66CB-4C40-B91C-51BEFE20CDE2}\64F445A5D275946494 : DHCPNameServer = 192.168.100.4
    TCP: Interfaces\{E78E00BB-66CB-4C40-B91C-51BEFE20CDE2}\84F6D656 : DHCPNameServer = 192.168.2.1
    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
    Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\30.0.1599.101\npchrome_frame.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
    LSA: Notification Packages = c:\program files\acer bio protection\PwdFilter
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2013-9-10 97008]
    R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [2013-5-7 35064]
    R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2013-6-18 20072]
    R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2013-6-18 582936]
    R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2013-6-18 44752]
    R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-1-9 218176]
    R1 HMD;COMODO livePCsupport Hardware Monitor Driver;c:\windows\system32\drivers\hmd.sys [2013-10-4 15400]
    R1 RapportCerberus_56758;RapportCerberus_56758;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\baseline\RapportCerberus32_56758.sys [2013-8-26 330960]
    R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2013-9-10 148688]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2013-9-10 222416]
    R2 CLPSLauncher;COMODO LPS Launcher;c:\program files\common files\comodo\launcher_service.exe [2013-10-11 70352]
    R2 FPSensor;EgisTec-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\drivers\FPSensor.sys [2011-1-3 29744]
    R2 GeekBuddyRSP;GeekBuddyRSP Server;c:\program files\common files\comodo\GeekBuddyRSP.exe [2013-10-11 2327248]
    R2 IGBASVC;EgisTec Service;c:\program files\acer bio protection\BASVC.exe [2009-9-5 3450368]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-10-25 418376]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-10-25 701512]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2013-9-10 1435928]
    R2 vpnagent;Cisco AnyConnect Secure Mobility Agent;c:\program files\cisco\cisco anyconnect secure mobility client\vpnagent.exe [2012-12-10 479224]
    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2009-5-20 59904]
    R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2011-1-3 116136]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-10-25 22856]
    R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
    S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-11-9 160944]
    S3 acsock;acsock;c:\windows\system32\drivers\acsock.sys [2012-6-7 92112]
    S3 cmdvirth;COMODO Virtual Service Manager;c:\program files\comodo\comodo internet security\cmdvirth.exe [2013-6-18 131288]
    S4 SwitchBoard;SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
    .
    =============== Created Last 30 ================
    .
    2013-10-26 13:55:40 -------- d--h--w- C:\VTRoot
    2013-10-26 13:55:38 2144 ----a-w- c:\windows\system32\drivers\fvstore.dat
    2013-10-26 03:04:12 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-10-26 03:04:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-10-20 23:12:35 -------- d-----w- c:\users\andrew\appdata\local\calibre-cache
    2013-10-13 23:42:33 -------- d-----w- c:\program files\common files\COMODO
    2013-10-04 08:15:04 15400 ----a-w- c:\windows\system32\drivers\hmd.sys
    2013-09-30 16:01:09 737280 ----a-w- c:\windows\iun6002.exe
    2013-09-30 15:57:29 -------- d-----w- c:\program files\AAZV Collected Proceedings 1968-2013
    .
    ==================== Find3M ====================
    .
    2013-10-04 08:15:04 15400 ----a-w- c:\windows\inf\hmd\hmd.sys
    2013-09-24 10:54:08 582936 ----a-w- c:\windows\system32\drivers\cmdguard.sys
    2013-09-24 10:54:08 44752 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
    2013-09-24 10:54:07 20072 ----a-w- c:\windows\system32\drivers\cmderd.sys
    2013-09-24 10:53:51 36000 ----a-w- c:\windows\system32\cmdcsr.dll
    2013-09-24 10:53:51 354240 ----a-w- c:\windows\system32\guard32.dll
    2013-09-24 10:53:35 280792 ----a-w- c:\windows\system32\cmdvrt32.dll
    2013-09-24 10:53:34 40664 ----a-w- c:\windows\system32\cmdkbd32.dll
    2013-09-11 03:18:28 97008 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2013-09-05 09:35:06 55504 ----a-w- c:\windows\system32\offreg.dll
    2013-08-03 01:21:57 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2013-08-03 01:21:57 1060864 ----a-w- c:\windows\system32\mfc71.dll
    .
    ============= FINISH: 16:07:51.40 ===============
     
  2. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2012-11-20.01)
    .
    Microsoft Windows 7 Home Premium
    Boot Device: \Device\HarddiskVolume2
    Install Date: 03/01/2011 11:13:53
    System Uptime: 27/10/2013 15:18:27 (1 hours ago)
    .
    Motherboard: Acer | | Aspire 5935
    Processor: Intel(R) Core(TM)2 Duo CPU P8700 @ 2.53GHz | uPGA-478 | 1596/266mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 450 GiB total, 232.431 GiB free.
    D: is CDROM ()
    F: is CDROM ()
    G: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
    Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
    Device ID: ROOT\NET\0000
    Manufacturer: Cisco Systems
    Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
    PNP Device ID: ROOT\NET\0000
    Service: vpnva
    .
    ==== System Restore Points ===================
    .
    RP207: 30/06/2013 22:04:11 - Scheduled Checkpoint
    RP208: 02/07/2013 19:34:30 - Installed Microsoft Office Professional Plus 2010
    RP209: 13/07/2013 14:10:28 - Scheduled Checkpoint
    RP210: 26/07/2013 22:35:33 - Scheduled Checkpoint
    RP211: 02/08/2013 20:55:21 - Removed AVG 2012
    RP212: 02/08/2013 20:57:27 - Removed AVG 2012
    RP213: 02/08/2013 21:07:37 - Device Driver Package Install: COMODO Network Service
    RP214: 10/08/2013 15:57:49 - Scheduled Checkpoint
    RP215: 17/08/2013 20:41:43 - Removed AVG PC TuneUp
    RP216: 17/08/2013 20:43:02 - Removed AVG PC TuneUp Language Pack (en-US)
    RP217: 18/08/2013 09:15:09 - Removed Avery Wizard 4.0.
    RP219: 26/08/2013 20:08:15 - Installed Rapport
    RP220: 03/09/2013 20:50:00 - Scheduled Checkpoint
    RP222: 12/09/2013 18:26:36 - Installed Rapport
    RP224: 18/09/2013 18:37:40 - Installed Rapport
    RP225: 21/09/2013 18:44:06 - Installed Cisco AnyConnect Secure Mobility Client
    RP226: 05/10/2013 20:34:15 - Scheduled Checkpoint
    RP227: 13/10/2013 20:29:24 - Scheduled Checkpoint
    RP228: 20/10/2013 18:29:43 - Installed calibre
    .
    ==== Installed Programs ======================
    .
    AAZV Collected Proceedings 1968-2013
    Acer Bio Protection
    Adobe AIR
    Adobe Community Help
    Adobe Flash Player 11 ActiveX
    Adobe Photoshop CS5
    Adobe Reader X
    ALPS Touch Pad Driver
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ASUS Android USB Drivers
    ASUS WebStorage Sync Agent
    µTorrent
    Avery Wizard 4.0
    Avidemux 2.6 (32-bit)
    BBC iPlayer Desktop
    Bonjour
    calibre
    CCleaner
    Cisco AnyConnect Secure Mobility Client
    Cisco AnyConnect Secure Mobility Client
    COMODO Internet Security Premium
    DAEMON Tools Lite
    Desktop Support Tools
    DjVuLibre+DjView
    doPDF 7.2 printer
    EA Shared Game Component: Activation
    ENE CIR Receiver Driver
    Fingerprint Solution
    Free FLAC to MP3 Converter 1.0
    GeekBuddy
    Google Chrome
    Google Chrome Frame
    Google Update Helper
    HD Tune Pro 4.60
    IBM SPSS Statistics 19
    ImgBurn
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 32
    JMicron Flash Media Controller Driver
    Launch Manager
    Malwarebytes Anti-Malware version 1.75.0.1300
    Microsoft .NET Framework 4.5
    Microsoft Application Error Reporting
    Microsoft Office Access MUI (English) 2010
    Microsoft Office Access Setup Metadata MUI (English) 2010
    Microsoft Office Excel MUI (English) 2010
    Microsoft Office Groove MUI (English) 2010
    Microsoft Office InfoPath MUI (English) 2010
    Microsoft Office OneNote MUI (English) 2010
    Microsoft Office Outlook MUI (English) 2010
    Microsoft Office PowerPoint MUI (English) 2010
    Microsoft Office Professional Plus 2010
    Microsoft Office Proof (English) 2010
    Microsoft Office Proof (French) 2010
    Microsoft Office Proof (Spanish) 2010
    Microsoft Office Proofing (English) 2010
    Microsoft Office Publisher MUI (English) 2010
    Microsoft Office Shared MUI (English) 2010
    Microsoft Office Shared Setup Metadata MUI (English) 2010
    Microsoft Office Word MUI (English) 2010
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft_VC80_ATL_x86
    Microsoft_VC80_CRT_x86
    Microsoft_VC80_MFC_x86
    Microsoft_VC80_MFCLOC_x86
    Microsoft_VC90_ATL_x86
    Microsoft_VC90_CRT_x86
    Microsoft_VC90_MFC_x86
    MSXML 4.0 SP3 Parser
    NirSoft VideoCacheView
    NVIDIA Drivers
    NVIDIA PhysX
    PDF Settings CS5
    PS3 Media Server
    Python 2.7.3
    QuickTime
    Rapport
    Realtek High Definition Audio Driver
    Skype Click to Call
    Skype™ 6.0
    SopCast 3.4.8
    Spybot - Search & Destroy
    StreamTorrent 1.0
    Synaptics Pointing Device Driver
    Torrent Stream 2.0.8.2
    Trusteer Endpoint Protection
    Upgrade Kit
    VirtualCloneDrive
    VitalSource Bookshelf
    VLC media player 2.0.7
    WebEx
    WinRAR 4.00 beta 4 (32-bit)
    XBMC
    .
    ==== Event Viewer Messages From Past Week ========
    .
    27/10/2013 15:21:09, Error: Microsoft-Windows-WMPNSS-Service [14338] - A new media server was not initialized because CoCreateInstance(CLSID_UPnPRegistrar) encountered error '0x80070422'. Verify that the UPnPHost service is running and that the UPnPHost component of Windows is installed properly.
    27/10/2013 15:17:28, Error: ACPI [13] - : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.
    26/10/2013 16:26:11, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR2.
    26/10/2013 16:22:57, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
    25/10/2013 22:26:13, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD CFRMD cmdGuard cmdHlp DfsC discache ElbyCDIO HMD inspect NetBIOS NetBT nsiproxy Psched RapportKELL rdbss spldr tdx Wanarpv6 WfpLwf ws2ifsl
    25/10/2013 22:26:13, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    25/10/2013 22:26:13, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    25/10/2013 22:26:13, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    25/10/2013 22:26:13, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    25/10/2013 22:26:13, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    25/10/2013 22:26:12, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    25/10/2013 22:26:12, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
    25/10/2013 22:26:12, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    25/10/2013 22:26:12, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    25/10/2013 22:13:14, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    25/10/2013 22:13:14, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    25/10/2013 22:13:14, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    25/10/2013 22:13:12, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    25/10/2013 22:13:04, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    .
    ==== End Of File ===========================
     
  3. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =================================

    Please download Farbar Recovery Scan Tool and save it to your Desktop.

    Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please copy and paste it to your reply.
     
  4. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    Thanks Broni, below are the logs.
    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 28-10-2013
    Ran by Andrew (administrator) on ANDREW-PC on 28-10-2013 09:31:37
    Running from C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FBC2KIE
    Microsoft Windows 7 Home Premium (X86) OS Language: English(US)
    Internet Explorer Version 9
    Boot Mode: Normal
    ==================== Processes (Whitelisted) ===================
    (Comodo Security Solutions, Inc.) C:\Program Files\Common Files\COMODO\launcher_service.exe
    (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
    (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    (Trusteer Ltd.) C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    (Cisco Systems, Inc.) C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
    (NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
    (Egis Technology Inc.) C:\Program Files\Acer Bio Protection\CompPtcVUI.exe
    (Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    (Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
    (Comodo Security Solutions, Inc.) C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe
    (Egis Technology Inc.) C:\Program Files\Acer Bio Protection\BASVC.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    (Google Inc.) C:\Program Files\Google\Update\1.3.21.165\GoogleCrashHandler.exe
    (Malwarebytes Corporation) C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    (Dritek System Inc.) C:\Program Files\Launch Manager\LManager.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    (COMODO) C:\Program Files\Comodo\COMODO Internet Security\cistray.exe
    (Cisco Systems, Inc.) C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
    (Comodo Security Solutions, Inc.) C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    (Trusteer Ltd.) C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    (Comodo Security Solutions, Inc.) C:\Program Files\Comodo\GeekBuddy\unit_manager.exe
    (Comodo Security Solutions, Inc.) C:\Program Files\Comodo\GeekBuddy\unit.exe
    (COMODO) C:\Program Files\Comodo\COMODO Internet Security\cis.exe
    (COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
    (Google Inc.) C:\Program Files\Google\Chrome Frame\Application\chrome.exe
    (Sun Microsystems, Inc.) C:\Program Files\Java\jre6\bin\javaw.exe
    () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\tsengine.exe
    () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\tsupdate.exe
    (Adobe Systems, Inc.) C:\Windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe
    (Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    ==================== Registry (Whitelisted) ==================
    HKLM\...\Run: [LManager] - C:\Program Files\Launch Manager\LManager.exe [1157128 2009-08-18] (Dritek System Inc.)
    HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [7731744 2009-09-04] (Realtek Semiconductor)
    HKLM\...\Run: [Apoint] - C:\Program Files\Apoint2K\Apoint.exe [212992 2009-07-08] (Alps Electric Co., Ltd.)
    HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1537320 2009-06-18] (Synaptics Incorporated)
    HKLM\...\Run: [BCSSync] - C:\Program Files\Microsoft Office\Office14\BCSSync.exe [91520 2010-01-21] (Microsoft Corporation)
    HKLM\...\Run: [COMODO Internet Security] - C:\Program Files\Comodo\COMODO Internet Security\cistray.exe [1576152 2013-10-19] (COMODO)
    HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
    HKLM\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] - C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [527864 2012-12-10] (Cisco Systems, Inc.)
    HKLM\...\Run: [tvncontrol] - C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2013-10-11] (Comodo Security Solutions, Inc.)
    HKCU\...\Run: [OfficeSyncProcess] - C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE [717696 2010-01-16] (Microsoft Corporation)
    HKCU\...\Run: [Google Update] - C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [136176 2011-10-19] (Google Inc.)
    Lsa: [Notification Packages] C:\Program Files\Acer Bio Protection\PwdFilter
    ==================== Internet (Whitelisted) ====================
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
    URLSearchHook: HKCU - (No Name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - No File
    BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
    BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO: ChromeFrame BHO - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\30.0.1599.101\npchrome_frame.dll (Google Inc.)
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
    DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} http://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20110926150838
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://soem.webex.com/client/T27LC/webex/ieatgpc1.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\30.0.1599.101\npchrome_frame.dll (Google Inc.)
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    Winsock: Catalog5 08 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
    Tcpip\Parameters: [DhcpNameServer] 132.236.249.19 132.236.249.18 132.236.56.250
    Chrome:
    =======
    CHR HomePage: hxxp://www.google.com/
    CHR RestoreOnStartup: "hxxp://www.google.com/"
    CHR DefaultSearchURL: (Google) - http://www.google.com/search?q={sea...ource}&ie={inputEncoding?}&oe={outputEncoding?}
    CHR DefaultSuggestURL: (Google) - "suggest_url": "",
    CHR Plugin: (Shockwave Flash) - C:\Users\Andrew\AppData\Local\Google\Chrome\Application\30.0.1599.101\PepperFlash\pepflashplayer.dll ()
    CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
    CHR Plugin: (Native Client) - C:\Users\Andrew\AppData\Local\Google\Chrome\Application\30.0.1599.101\ppGoogleNaClPluginChrome.dll ()
    CHR Plugin: (Chrome PDF Viewer) - C:\Users\Andrew\AppData\Local\Google\Chrome\Application\30.0.1599.101\pdf.dll ()
    CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
    CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll (Apple Inc.)
    CHR Plugin: (QuickTime Plug-in 7.6.9) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll (Apple Inc.)
    CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
    CHR Plugin: (Java(TM) Platform SE 6 U32) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    CHR Plugin: (Torrent Stream P2P Multimedia Plug-in 2) - C:\Users\Andrew\AppData\Roaming\TorrentStream\player\npts_plugin.dll (Innovative Digital Technologies)
    CHR Plugin: (Java Deployment Toolkit 6.0.320.5) - C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
    CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll No File
    CHR Extension: (YouTube) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
    CHR Extension: (Google Search) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
    CHR Extension: (Chrome In-App Payments service) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
    CHR Extension: (TS Magic Player) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\ochbjojkpcmlfeagbaahkofepalngihg\1.1.29_0
    CHR Extension: (Gmail) - C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
    CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx
    CHR StartMenuInternet: Google Chrome - C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
    ========================== Services (Whitelisted) =================
    R2 CLPSLauncher; C:\Program Files\Common Files\COMODO\launcher_service.exe [70352 2013-10-11] (Comodo Security Solutions, Inc.)
    R2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [4832192 2013-10-19] (COMODO)
    S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [131288 2013-09-24] (COMODO)
    R2 GeekBuddyRSP; C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe [2327248 2013-10-11] (Comodo Security Solutions, Inc.)
    R2 IGBASVC; C:\Program Files\Acer Bio Protection\BASVC.exe [3450368 2009-09-05] (Egis Technology Inc.)
    R2 MBAMScheduler; C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
    R2 MBAMService; C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
    S2 SupportSoft RemoteAssist; C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe [386424 2012-09-04] (SupportSoft, Inc.)
    R2 vpnagent; C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe [479224 2012-12-10] (Cisco Systems, Inc.)
    ==================== Drivers (Whitelisted) ====================
    S3 acsock; C:\Windows\System32\DRIVERS\acsock.sys [92112 2012-12-10] (Cisco Systems, Inc.)
    S3 BVRPMPR5; C:\Windows\system32\drivers\BVRPMPR5.SYS [49904 2010-06-22] (Avanquest Software)
    R1 CFRMD; C:\Windows\System32\DRIVERS\CFRMD.sys [35064 2013-05-07] (Windows (R) Win 7 DDK provider)
    R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [20072 2013-09-24] (COMODO)
    R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [582936 2013-09-24] (COMODO)
    R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [44752 2013-09-24] (COMODO)
    R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [218176 2011-01-09] (DT Soft Ltd)
    R1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [26024 2009-12-17] (Elaborate Bytes AG)
    R2 FPSensor; C:\Windows\System32\Drivers\FPSensor.sys [29744 2011-01-03] (EgisTec)
    R1 HMD; C:\Windows\System32\DRIVERS\hmd.sys [15400 2013-10-04] ()
    R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [85464 2013-09-24] (COMODO)
    R2 int15; C:\Windows\system32\drivers\int15.sys [69632 2008-03-12] ()
    R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [22856 2013-04-04] (Malwarebytes Corporation)
    R1 RapportCerberus_56758; C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_56758.sys [330960 2013-08-26] ()
    R1 RapportEI; C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys [148688 2013-09-10] (Trusteer Ltd.)
    R1 RapportPG; C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [222416 2013-09-10] (Trusteer Ltd.)
    U5 AppMgmt; C:\Windows\system32\svchost.exe [20992 2009-07-13] (Microsoft Corporation)
    S3 catchme; \??\C:\Users\Andrew\AppData\Local\Temp\catchme.sys [x]
    U5 VWiFiFlt; C:\Windows\System32\Drivers\VWiFiFlt.sys [48128 2009-07-13] (Microsoft Corporation)
    S3 WinDriver6; system32\drivers\windrvr6.sys [x]
    U3 mbr; \??\C:\Users\Andrew\AppData\Local\Temp\mbr.sys [x]
    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========
    2013-10-28 09:31 - 2013-10-28 09:31 - 00000000 ____D C:\FRST
    2013-10-28 09:30 - 2013-10-28 09:30 - 01089183 _____ (Farbar) C:\Users\Andrew\Desktop\FRST.exe
    2013-10-27 16:08 - 2013-10-27 16:08 - 00009722 _____ C:\Users\Andrew\Desktop\attach.txt
    2013-10-27 16:08 - 2013-10-27 16:07 - 00013110 _____ C:\Users\Andrew\Desktop\dds.txt
    2013-10-27 15:49 - 2013-10-27 15:49 - 00688992 ____R (Swearware) C:\Users\Andrew\Desktop\dds.com
    2013-10-27 11:39 - 2013-10-27 11:40 - 00000004 _____ C:\Users\Andrew\AppData\Roaming\skype.ini
    2013-10-26 16:46 - 2013-10-26 16:47 - 12321834 _____ C:\Users\Andrew\Desktop\Ophthalmology_of_Exotic_Pets_epub.epub
    2013-10-26 09:55 - 2013-10-26 10:17 - 00002144 _____ C:\Windows\system32\Drivers\fvstore.dat
    2013-10-26 09:55 - 2013-10-26 09:55 - 00000000 ___HD C:\VTRoot
    2013-10-25 23:04 - 2013-10-25 23:04 - 00001071 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-10-25 23:04 - 2013-10-25 23:04 - 00000000 ____D C:\Users\fixer\AppData\Roaming\Malwarebytes
    2013-10-25 23:04 - 2013-10-25 23:04 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2013-10-25 23:04 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
    2013-10-25 23:03 - 2013-10-25 23:03 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\fixer\Desktop\mbam-setup-1.75.0.1300.exe
    2013-10-25 23:03 - 2013-10-25 23:03 - 00000000 ____D C:\Users\fixer\AppData\Roaming\Adobe
    2013-10-25 23:01 - 2013-10-25 23:01 - 00109992 _____ C:\Users\fixer\AppData\Local\GDIPFONTCACHEV1.DAT
    2013-10-25 23:01 - 2013-10-25 23:01 - 00000000 ____D C:\Users\fixer\AppData\Roaming\Apple Computer
    2013-10-25 23:00 - 2013-10-25 23:00 - 00001417 _____ C:\Users\fixer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    2013-10-25 23:00 - 2013-10-25 23:00 - 00000000 ____D C:\Users\fixer\AppData\Local\VirtualStore
    2013-10-25 22:59 - 2013-10-25 23:00 - 00000000 ____D C:\Users\fixer
    2013-10-25 22:59 - 2013-10-25 22:59 - 00000020 ___SH C:\Users\fixer\ntuser.ini
    2013-10-25 22:59 - 2013-01-31 20:22 - 00000000 ____D C:\Users\fixer\AppData\Roaming\TuneUp Software
    2013-10-25 22:59 - 2011-09-27 13:04 - 00000000 ____D C:\Users\fixer\AppData\Local\Trusteer
    2013-10-25 22:59 - 2011-04-29 04:28 - 00000000 ____D C:\Users\fixer\AppData\Roaming\Trusteer
    2013-10-25 22:59 - 2011-01-03 13:08 - 00000000 ____D C:\Users\fixer\AppData\Roaming\Macromedia
    2013-10-25 22:59 - 2009-07-14 00:42 - 00000000 ___RD C:\Users\fixer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories
    2013-10-25 22:59 - 2009-07-14 00:37 - 00000000 ___RD C:\Users\fixer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance
    2013-10-20 19:12 - 2013-10-20 19:12 - 00000000 ____D C:\Users\Andrew\AppData\Local\calibre-cache
    2013-10-20 18:05 - 2013-10-20 18:05 - 00000000 ____D C:\Users\Andrew\Downloads\A Song of Ice And Fire
    2013-10-19 18:59 - 2013-10-19 19:21 - 00000000 ____D C:\Users\Andrew\Downloads\Elysium 2013 HDRip x264 AC3-JYK
    2013-10-19 18:58 - 2013-10-19 19:52 - 00000000 ____D C:\Users\Andrew\Downloads\Pacific Rim (2013) [1080p]
    2013-10-19 18:58 - 2013-10-19 19:36 - 00000000 ____D C:\Users\Andrew\Downloads\Man of Steel (2013) [1080p]
    2013-10-15 12:48 - 2013-10-15 12:54 - 00000000 ____D C:\Users\Andrew\Downloads\An.*****.Abroad.3.BDRip.H264-BONE
    2013-10-13 19:42 - 2013-10-13 19:42 - 00000000 ____D C:\Program Files\Common Files\COMODO
    2013-10-12 08:46 - 2013-10-12 08:46 - 15886511 _____ C:\Users\Andrew\Desktop\finally_connected.zip
    2013-10-12 08:46 - 2013-10-12 08:46 - 00000000 ____D C:\Users\Andrew\Desktop\finally_connected
    2013-10-08 19:25 - 2013-10-28 06:53 - 00000000 ____D C:\Users\Andrew\Downloads\Dexter.S07.Season.7.COMPLETE.HDTV.x264-ASAP.EVOLVE
    2013-10-08 19:25 - 2013-10-08 19:27 - 00000000 ____D C:\Users\Andrew\Downloads\Dexter S07E06 HDTV x264-ASAP[ettv]
    2013-10-06 13:28 - 2013-10-06 13:37 - 00000000 ____D C:\Users\Andrew\Desktop\AAZV Collected
    2013-10-06 12:25 - 2013-10-27 15:18 - 00001306 _____ C:\Windows\PFRO.log
    2013-10-04 04:15 - 2013-10-04 04:15 - 00015400 _____ C:\Windows\system32\Drivers\hmd.sys
    2013-09-30 12:01 - 2013-09-30 11:57 - 00737280 _____ (Indigo Rose Corporation) C:\Windows\iun6002.exe
    2013-09-30 11:57 - 2013-09-30 12:01 - 00000000 ____D C:\Program Files\AAZV Collected Proceedings 1968-2013
    2013-09-30 11:57 - 2013-09-30 11:57 - 00001854 _____ C:\Users\Andrew\Desktop\AAZV Collected Proceedings 1968-2013.lnk
    2013-09-29 17:03 - 2013-09-29 17:31 - 00000000 ____D C:\Users\Andrew\Desktop\JZWM 2013 3
    2013-09-29 16:15 - 2013-09-29 16:15 - 02139531 _____ C:\Users\Andrew\Downloads\Martin_George_R_R_-A_Clash_of_Kings.epub
    ==================== One Month Modified Files and Folders =======
    2013-10-28 09:31 - 2013-10-28 09:31 - 00000000 ____D C:\FRST
    2013-10-28 09:31 - 2011-10-13 11:21 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2013-10-28 09:30 - 2013-10-28 09:30 - 01089183 _____ (Farbar) C:\Users\Andrew\Desktop\FRST.exe
    2013-10-28 09:28 - 2013-08-02 21:08 - 01474832 _____ C:\Windows\system32\Drivers\sfi.dat
    2013-10-28 09:28 - 2011-11-06 20:18 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-284424345-2181464997-1662967063-1001UA.job
    2013-10-28 09:28 - 2011-01-03 20:05 - 01136888 _____ C:\Windows\WindowsUpdate.log
    2013-10-28 06:53 - 2013-10-08 19:25 - 00000000 ____D C:\Users\Andrew\Downloads\Dexter.S07.Season.7.COMPLETE.HDTV.x264-ASAP.EVOLVE
    2013-10-27 18:31 - 2011-10-13 11:21 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2013-10-27 16:08 - 2013-10-27 16:08 - 00009722 _____ C:\Users\Andrew\Desktop\attach.txt
    2013-10-27 16:07 - 2013-10-27 16:08 - 00013110 _____ C:\Users\Andrew\Desktop\dds.txt
    2013-10-27 15:49 - 2013-10-27 15:49 - 00688992 ____R (Swearware) C:\Users\Andrew\Desktop\dds.com
    2013-10-27 15:26 - 2009-07-14 00:34 - 00014608 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2013-10-27 15:26 - 2009-07-14 00:34 - 00014608 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2013-10-27 15:18 - 2013-10-06 12:25 - 00001306 _____ C:\Windows\PFRO.log
    2013-10-27 15:18 - 2013-08-18 09:31 - 00006872 _____ C:\Windows\setupact.log
    2013-10-27 15:18 - 2011-08-14 17:28 - 00065536 _____ C:\Windows\system32\Ikeext.etl
    2013-10-27 15:18 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
    2013-10-27 11:40 - 2013-10-27 11:39 - 00000004 _____ C:\Users\Andrew\AppData\Roaming\skype.ini
    2013-10-27 11:28 - 2011-01-03 12:59 - 00000000 ____D C:\Users\Andrew\Calibre Library
    2013-10-27 10:50 - 2011-11-06 20:18 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-284424345-2181464997-1662967063-1001Core.job
    2013-10-27 10:45 - 2011-01-03 12:18 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
    2013-10-26 16:47 - 2013-10-26 16:46 - 12321834 _____ C:\Users\Andrew\Desktop\Ophthalmology_of_Exotic_Pets_epub.epub
    2013-10-26 16:20 - 2011-01-13 19:06 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\uTorrent
    2013-10-26 16:15 - 2009-07-13 22:37 - 00000000 ____D C:\Windows\tracing
    2013-10-26 10:17 - 2013-10-26 09:55 - 00002144 _____ C:\Windows\system32\Drivers\fvstore.dat
    2013-10-26 09:55 - 2013-10-26 09:55 - 00000000 ___HD C:\VTRoot
    2013-10-26 09:16 - 2009-07-14 00:52 - 00000000 ____D C:\Windows\addins
    2013-10-25 23:04 - 2013-10-25 23:04 - 00001071 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    2013-10-25 23:04 - 2013-10-25 23:04 - 00000000 ____D C:\Users\fixer\AppData\Roaming\Malwarebytes
    2013-10-25 23:04 - 2013-10-25 23:04 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
    2013-10-25 23:03 - 2013-10-25 23:03 - 10285040 _____ (Malwarebytes Corporation ) C:\Users\fixer\Desktop\mbam-setup-1.75.0.1300.exe
    2013-10-25 23:03 - 2013-10-25 23:03 - 00000000 ____D C:\Users\fixer\AppData\Roaming\Adobe
    2013-10-25 23:01 - 2013-10-25 23:01 - 00109992 _____ C:\Users\fixer\AppData\Local\GDIPFONTCACHEV1.DAT
    2013-10-25 23:01 - 2013-10-25 23:01 - 00000000 ____D C:\Users\fixer\AppData\Roaming\Apple Computer
    2013-10-25 23:00 - 2013-10-25 23:00 - 00001417 _____ C:\Users\fixer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
    2013-10-25 23:00 - 2013-10-25 23:00 - 00000000 ____D C:\Users\fixer\AppData\Local\VirtualStore
    2013-10-25 23:00 - 2013-10-25 22:59 - 00000000 ____D C:\Users\fixer
    2013-10-25 22:59 - 2013-10-25 22:59 - 00000020 ___SH C:\Users\fixer\ntuser.ini
    2013-10-22 19:08 - 2012-07-21 18:40 - 00000000 ____D C:\Users\Andrew\Documents\Presentations
    2013-10-20 19:12 - 2013-10-20 19:12 - 00000000 ____D C:\Users\Andrew\AppData\Local\calibre-cache
    2013-10-20 18:35 - 2011-01-03 12:58 - 00000934 _____ C:\Users\Public\Desktop\calibre - E-book management.lnk
    2013-10-20 18:35 - 2011-01-03 12:58 - 00000000 ____D C:\Program Files\Calibre2
    2013-10-20 18:05 - 2013-10-20 18:05 - 00000000 ____D C:\Users\Andrew\Downloads\A Song of Ice And Fire
    2013-10-19 19:52 - 2013-10-19 18:58 - 00000000 ____D C:\Users\Andrew\Downloads\Pacific Rim (2013) [1080p]
    2013-10-19 19:36 - 2013-10-19 18:58 - 00000000 ____D C:\Users\Andrew\Downloads\Man of Steel (2013) [1080p]
    2013-10-19 19:21 - 2013-10-19 18:59 - 00000000 ____D C:\Users\Andrew\Downloads\Elysium 2013 HDRip x264 AC3-JYK
    2013-10-18 11:06 - 2011-09-14 11:41 - 00002046 ____H C:\Users\Andrew\Documents\Default.rdp
    2013-10-18 08:15 - 2012-06-30 15:18 - 00000000 ____D C:\Users\Andrew\Documents\ACZM stuff to sort
    2013-10-18 08:14 - 2013-07-12 17:00 - 00000000 ____D C:\Users\Andrew\Desktop\Fwd__UF_primate_week
    2013-10-15 19:31 - 2012-11-03 13:39 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\.Torrent Stream
    2013-10-15 12:54 - 2013-10-15 12:48 - 00000000 ____D C:\Users\Andrew\Downloads\An.*****.Abroad.3.BDRip.H264-BONE
    2013-10-14 13:05 - 2013-09-16 21:30 - 00000000 ____D C:\Users\Andrew\Desktop\RE__
    2013-10-13 19:42 - 2013-10-13 19:42 - 00000000 ____D C:\Program Files\Common Files\COMODO
    2013-10-12 11:09 - 2011-05-21 13:16 - 00000000 ____D C:\Users\Andrew\AppData\Roaming\vlc
    2013-10-12 08:46 - 2013-10-12 08:46 - 15886511 _____ C:\Users\Andrew\Desktop\finally_connected.zip
    2013-10-12 08:46 - 2013-10-12 08:46 - 00000000 ____D C:\Users\Andrew\Desktop\finally_connected
    2013-10-08 19:27 - 2013-10-08 19:25 - 00000000 ____D C:\Users\Andrew\Downloads\Dexter S07E06 HDTV x264-ASAP[ettv]
    2013-10-06 13:37 - 2013-10-06 13:28 - 00000000 ____D C:\Users\Andrew\Desktop\AAZV Collected
    2013-10-04 04:15 - 2013-10-04 04:15 - 00015400 _____ C:\Windows\system32\Drivers\hmd.sys
    2013-09-30 12:01 - 2013-09-30 11:57 - 00000000 ____D C:\Program Files\AAZV Collected Proceedings 1968-2013
    2013-09-30 11:57 - 2013-09-30 12:01 - 00737280 _____ (Indigo Rose Corporation) C:\Windows\iun6002.exe
    2013-09-30 11:57 - 2013-09-30 11:57 - 00001854 _____ C:\Users\Andrew\Desktop\AAZV Collected Proceedings 1968-2013.lnk
    2013-09-29 17:31 - 2013-09-29 17:03 - 00000000 ____D C:\Users\Andrew\Desktop\JZWM 2013 3
    2013-09-29 16:15 - 2013-09-29 16:15 - 02139531 _____ C:\Users\Andrew\Downloads\Martin_George_R_R_-A_Clash_of_Kings.epub
    2013-09-29 12:52 - 2013-09-03 20:01 - 09917240 _____ C:\Users\Andrew\Desktop\TipsTrixCR.CUSHINGAndrew.LaserTherapy.pptx
    Files to move or delete:
    ====================
    C:\Users\Andrew\AppData\Roaming\skype.ini

    Some content of TEMP:
    ====================
    C:\Users\Andrew\AppData\Local\temp\jna1406651252787008340.dll
    C:\Users\Andrew\AppData\Local\temp\jna1631082396357456345.dll
    C:\Users\Andrew\AppData\Local\temp\jna2100906310486895729.dll
    C:\Users\Andrew\AppData\Local\temp\jna3062282274108672811.dll
    C:\Users\Andrew\AppData\Local\temp\jna3259756508778595380.dll
    C:\Users\Andrew\AppData\Local\temp\jna4663349691795808440.dll
    C:\Users\Andrew\AppData\Local\temp\jna6534607864291599732.dll
    C:\Users\Andrew\AppData\Local\temp\jna6635607039097959893.dll
    C:\Users\Andrew\AppData\Local\temp\jna6982923008890699174.dll
    C:\Users\Andrew\AppData\Local\temp\uttA255.tmp.exe

    ==================== Bamital & volsnap Check =================
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\wininit.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

    LastRegBack: 2013-10-22 12:46
    ==================== End Of Log ============================
     
  5. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 28-10-2013
    Ran by Andrew at 2013-10-28 09:32:48
    Running from C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1FBC2KIE
    Boot Mode: Normal
    ==========================================================


    ==================== Security Center ========================

    AV: COMODO Antivirus (Enabled - Up to date) {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}
    AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    AS: COMODO Antivirus (Enabled - Up to date) {0C2D2636-923D-EE52-2A83-E643204A8275}
    FW: COMODO Firewall (Enabled) {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}

    ==================== Installed Programs ======================

    µTorrent (HKCU Version: 3.3.2.30180)
    AAZV Collected Proceedings 1968-2013
    Acer Bio Protection (Version: 6.2.56)
    Adobe AIR (Version: 3.7.0.2090)
    Adobe Community Help (Version: 3.0.0)
    Adobe Community Help (Version: 3.0.0.400)
    Adobe Flash Player 11 ActiveX (Version: 11.1.102.63)
    Adobe Photoshop CS5 (Version: 12.0)
    Adobe Reader X (Version: 10.0.0)
    ALPS Touch Pad Driver (Version: 7.5.2002.1404)
    Apple Application Support (Version: 2.3.4)
    Apple Mobile Device Support (Version: 6.1.0.13)
    Apple Software Update (Version: 2.1.3.127)
    ASUS Android USB Drivers (Version: 1.0.6292)
    ASUS WebStorage Sync Agent (Version: 1.1.13.147)
    Avery Wizard 4.0 (Version: 4.0.103)
    Avidemux 2.6 (32-bit) (Version: 2.6.1.8321)
    BBC iPlayer Desktop (Version: 3.2.15)
    Bonjour (Version: 3.0.0.10)
    calibre (Version: 1.7.0)
    CCleaner (Version: 4.04)
    Cisco AnyConnect Secure Mobility Client (Version: 3.0.11042)
    Cisco AnyConnect Secure Mobility Client (Version: 3.0.11042)
    COMODO Internet Security Premium (Version: 6.2.20728.2847)
    DAEMON Tools Lite (Version: 4.40.1.0127)
    Desktop Support Tools
    DjVuLibre+DjView (Version: 3.5.24+4.7c)
    doPDF 7.2 printer
    EA Shared Game Component: Activation (Version: 2.2.0)
    ENE CIR Receiver Driver (Version: 2.7.3.519)
    Fingerprint Solution (Version: 6.1.56.0)
    Free FLAC to MP3 Converter 1.0
    GeekBuddy (Version: 4.9.73)
    Google Chrome (HKCU Version: 30.0.1599.101)
    Google Chrome Frame (Version: 30.0.1599.101)
    Google Update Helper (Version: 1.3.21.165)
    HD Tune Pro 4.60
    IBM SPSS Statistics 19 (Version: 19.0.0)
    ImgBurn (Version: 2.5.0.0)
    iTunes (Version: 11.0.4.4)
    Java Auto Updater (Version: 2.0.7.1)
    Java(TM) 6 Update 32 (Version: 6.0.320)
    JMicron Flash Media Controller Driver (Version: 1.0.32.1)
    Launch Manager (Version: 3.0.03)
    Malwarebytes Anti-Malware version 1.75.0.1300 (Version: 1.75.0.1300)
    Microsoft .NET Framework 4.5 (Version: 4.5.50709)
    Microsoft Application Error Reporting (Version: 12.0.6012.5000)
    Microsoft Office Access MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Excel MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Groove MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office InfoPath MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Professional Plus 2010 (Version: 14.0.4734.1000)
    Microsoft Office Proof (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Proof (French) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Proof (Spanish) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Proofing (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Shared MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Office Word MUI (English) 2010 (Version: 14.0.4734.1000)
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs (Version: 12.0.4518.1014)
    Microsoft Silverlight (Version: 5.1.20125.0)
    Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (Version: 9.0.21022)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
    Microsoft_VC80_ATL_x86 (Version: 8.0.50727.4053)
    Microsoft_VC80_CRT_x86 (Version: 8.0.50727.4053)
    Microsoft_VC80_MFC_x86 (Version: 8.0.50727.4053)
    Microsoft_VC80_MFCLOC_x86 (Version: 8.0.50727.4053)
    Microsoft_VC90_ATL_x86 (Version: 1.00.0000)
    Microsoft_VC90_CRT_x86 (Version: 1.00.0000)
    Microsoft_VC90_MFC_x86 (Version: 1.00.0000)
    MSXML 4.0 SP3 Parser (Version: 4.30.2100.0)
    NirSoft VideoCacheView
    NVIDIA Drivers (Version: 1.3)
    NVIDIA PhysX (Version: 9.09.0814)
    PDF Settings CS5 (Version: 10.0)
    PS3 Media Server (Version: 1.72.0)
    Python 2.7.3 (Version: 2.7.3150)
    QuickTime (Version: 7.69.80.9)
    Rapport (Version: 3.5.1302.61)
    Realtek High Definition Audio Driver (Version: 6.0.1.5932)
    Skype Click to Call (Version: 5.10.9560)
    Skype™ 6.0 (Version: 6.0.126)
    SopCast 3.4.8 (Version: 3.4.8)
    Spybot - Search & Destroy (Version: 1.6.2)
    StreamTorrent 1.0
    Synaptics Pointing Device Driver (Version: 13.2.2.0)
    Torrent Stream 2.0.8.2 (HKCU Version: 2.0.8.2)
    Trusteer Endpoint Protection (Version: 3.5.1302.61)
    Upgrade Kit (Version: 1.00.3002)
    VirtualCloneDrive
    VitalSource Bookshelf (Version: 5.04.0010)
    VLC media player 2.0.7 (Version: 2.0.7)
    WebEx
    WinRAR 4.00 beta 4 (32-bit) (Version: 4.00.4)
    XBMC

    ==================== Restore Points =========================

    01-07-2013 02:04:11 Scheduled Checkpoint
    02-07-2013 23:34:30 Installed Microsoft Office Professional Plus 2010
    13-07-2013 18:10:28 Scheduled Checkpoint
    27-07-2013 02:35:33 Scheduled Checkpoint
    03-08-2013 00:55:21 Removed AVG 2012
    03-08-2013 00:57:27 Removed AVG 2012
    03-08-2013 01:07:37 Device Driver Package Install: COMODO Network Service
    10-08-2013 19:57:49 Scheduled Checkpoint
    18-08-2013 00:41:43 Removed AVG PC TuneUp
    18-08-2013 00:43:02 Removed AVG PC TuneUp Language Pack (en-US)
    18-08-2013 13:15:09 Removed Avery Wizard 4.0.
    27-08-2013 00:08:15 Installed Rapport
    04-09-2013 00:50:00 Scheduled Checkpoint
    12-09-2013 22:26:36 Installed Rapport
    18-09-2013 22:37:40 Installed Rapport
    21-09-2013 22:44:06 Installed Cisco AnyConnect Secure Mobility Client
    06-10-2013 00:34:15 Scheduled Checkpoint
    14-10-2013 00:29:24 Scheduled Checkpoint
    20-10-2013 22:29:43 Installed calibre

    ==================== Hosts content: ==========================

    2009-07-13 22:04 - 2012-09-02 20:49 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
    127.0.0.1 localhost

    ==================== Scheduled Tasks (whitelisted) =============

    Task: {11C588EB-0A80-437D-9F62-8FCD98401ABB} - System32\Tasks\COMODO\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9} => C:\Program Files\Comodo\COMODO Internet Security\cfpconfg.exe [2013-09-24] (COMODO)
    Task: {129C737A-6C5E-472F-AA38-583A190F7CE0} - System32\Tasks\{449849B4-299F-42A1-878F-B3B22968204B} => C:\Program Files\Skype\\Phone\Skype.exe [2012-11-09] (Skype Technologies S.A.)
    Task: {14C2F5E6-7BB2-495A-9DF0-88461577CECA} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-10-13] (Google Inc.)
    Task: {1B84B231-6516-45B9-96A3-0627F31FC392} - System32\Tasks\COMODO\COMODO Welcome {CEB54B45-2B5E-4FF5-9223-6735CD80FE69} => C:\Program Files\Comodo\COMODO Internet Security\cis.exe [2013-10-19] (COMODO)
    Task: {37E7992F-11FF-4509-8000-0870737BC7B5} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2011-10-13] (Google Inc.)
    Task: {4355C3B7-EF14-4A98-8A50-42C2673700FC} - System32\Tasks\Google Updater and Installer => C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-19] (Google Inc.)
    Task: {5FABEC1D-BF11-4319-A4BD-B1FBF1E3822C} - System32\Tasks\COMODO\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22} => C:\Program Files\Comodo\COMODO Internet Security\cfpconfg.exe [2013-09-24] (COMODO)
    Task: {6EC54964-10E1-42AE-A3AC-6980AE428F67} - System32\Tasks\Launch ASUS Sync Loader => C:\Program Files\ASUS\ASUS Sync\asusUPCTLoader.exe
    Task: {7C05FD66-A2F1-4F71-8AFD-F3BE2DE46397} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2013-07-22] (Piriform Ltd)
    Task: {8019A0FB-2F25-4EDA-A59E-FD7CD07A7ABF} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-284424345-2181464997-1662967063-1001UA => C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-19] (Google Inc.)
    Task: {8A91D91E-8859-47E6-A646-A77BB9899B7B} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-284424345-2181464997-1662967063-1001Core => C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-19] (Google Inc.)
    Task: {9B59180A-8542-483F-82A1-D442B65F551F} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-17] ()
    Task: {D28C2F7E-8128-40CE-9126-6D25D82A9684} - System32\Tasks\COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} => C:\Program Files\Comodo\COMODO Internet Security\cfpconfg.exe [2013-09-24] (COMODO)
    Task: {DB774116-0D5C-4CFC-8853-74A7DDB12CFB} - System32\Tasks\COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} => C:\Program Files\Comodo\COMODO Internet Security\cfpconfg.exe [2013-09-24] (COMODO)
    Task: {E305F2BF-8C32-4BD0-861F-AA179DE0C58A} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
    Task: {E7AAFBB1-CA9C-4C77-90BE-3BC00F0A2B92} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-284424345-2181464997-1662967063-1001Core.job => C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-284424345-2181464997-1662967063-1001UA.job => C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe
    Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe

    ==================== Loaded Modules (whitelisted) =============

    2010-01-09 20:18 - 2010-01-09 20:18 - 04254560 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
    2010-01-21 01:34 - 2010-01-21 01:34 - 08793952 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
    2012-06-27 15:09 - 2012-06-27 15:09 - 00557056 _____ () C:\Program Files\Trusteer\Rapport\bin\js32.dll
    2012-03-11 13:50 - 2013-08-26 20:12 - 00991984 _____ () C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportMS.dll
    2013-09-25 21:32 - 2013-09-27 14:37 - 00121344 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\acestreamengine.Core.pyd
    2011-06-12 09:09 - 2011-06-12 09:09 - 00038400 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\_socket.pyd
    2011-06-12 09:09 - 2011-06-12 09:09 - 00720896 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\_ssl.pyd
    2013-09-25 21:32 - 2013-09-18 13:37 - 00018944 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\acestreamengine.pycompat.pyd
    2013-09-25 21:32 - 2013-09-27 14:37 - 02418688 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\acestreamengine.CoreApp.pyd
    2011-06-12 09:06 - 2011-06-12 09:06 - 00287232 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\_hashlib.pyd
    2011-06-12 09:06 - 2011-06-12 09:06 - 00106496 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\_ctypes.pyd
    2011-06-12 09:06 - 2011-06-12 09:06 - 00011776 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\select.pyd
    2011-01-18 17:56 - 2011-01-18 17:56 - 00334336 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\M2Crypto.__m2crypto.pyd
    2011-06-12 09:06 - 2011-06-12 09:06 - 00152576 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\pyexpat.pyd
    2012-02-07 12:37 - 2012-02-07 12:37 - 00098816 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\win32api.pyd
    2012-02-07 12:35 - 2012-02-07 12:35 - 00110080 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\pywintypes27.dll
    2012-02-07 12:38 - 2012-02-07 12:38 - 00358912 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\pythoncom27.dll
    2012-02-07 12:36 - 2012-02-07 12:36 - 00111616 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\win32file.pyd
    2012-02-07 12:36 - 2012-02-07 12:36 - 00024064 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\win32pdh.pyd
    2010-10-10 18:23 - 2010-10-10 18:23 - 00723968 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\apsw.pyd
    2013-01-29 12:20 - 2013-01-29 12:20 - 00082944 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\cpyamf.util.pyd
    2011-02-13 11:02 - 2011-02-13 11:02 - 00031232 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\Crypto.Cipher.AES.pyd
    2011-07-15 15:37 - 2011-07-15 15:37 - 00981504 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\wx._core_.pyd
    2011-07-15 15:38 - 2011-07-15 15:38 - 00746496 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\wx._gdi_.pyd
    2011-07-15 15:38 - 2011-07-15 15:38 - 00670720 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\wx._windows_.pyd
    2011-07-15 15:38 - 2011-07-15 15:38 - 00966144 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\wx._controls_.pyd
    2011-07-15 15:38 - 2011-07-15 15:38 - 00674816 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\wx._misc_.pyd
    2011-06-12 09:06 - 2011-06-12 09:06 - 00688128 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\unicodedata.pyd
    2013-01-29 12:20 - 2013-01-29 12:20 - 00066048 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\engine\lib\cpyamf.amf0.pyd
    2011-06-12 09:09 - 2011-06-12 09:09 - 00038400 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\_socket.pyd
    2011-06-12 09:09 - 2011-06-12 09:09 - 00720896 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\_ssl.pyd
    2011-07-15 15:37 - 2011-07-15 15:37 - 00981504 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\wx._core_.pyd
    2011-07-15 15:38 - 2011-07-15 15:38 - 00746496 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\wx._gdi_.pyd
    2011-07-15 15:38 - 2011-07-15 15:38 - 00670720 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\wx._windows_.pyd
    2011-07-15 15:38 - 2011-07-15 15:38 - 00966144 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\wx._controls_.pyd
    2011-07-15 15:38 - 2011-07-15 15:38 - 00674816 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\wx._misc_.pyd
    2011-06-12 09:06 - 2011-06-12 09:06 - 00287232 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\_hashlib.pyd
    2011-01-18 17:56 - 2011-01-18 17:56 - 00334336 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\M2Crypto.__m2crypto.pyd
    2011-06-12 09:06 - 2011-06-12 09:06 - 00011776 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\select.pyd
    2011-06-12 09:06 - 2011-06-12 09:06 - 00152576 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\pyexpat.pyd
    2012-02-07 12:37 - 2012-02-07 12:37 - 00098816 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\win32api.pyd
    2012-02-07 12:35 - 2012-02-07 12:35 - 00110080 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\pywintypes27.dll
    2012-02-07 12:38 - 2012-02-07 12:38 - 00358912 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\pythoncom27.dll
    2012-02-07 12:36 - 2012-02-07 12:36 - 00111616 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\win32file.pyd
    2012-02-07 12:36 - 2012-02-07 12:36 - 00024064 _____ () C:\Users\Andrew\AppData\Roaming\TorrentStream\updater\lib\win32pdh.pyd

    ==================== Alternate Data Streams (whitelisted) =========

    AlternateDataStreams: C:\ProgramData\TEMP:0B4227B4
    AlternateDataStreams: C:\ProgramData\TEMP:DFC5A2B2

    ==================== Safe Mode (whitelisted) ===================

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SprtListen => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SprtListenPush => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SupportSoft RemoteAssist => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

    ==================== Faulty Device Manager Devices =============

    Name: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
    Description: Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows
    Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
    Manufacturer: Cisco Systems
    Service: vpnva
    Problem: : This device is disabled. (Code 22)
    Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (10/28/2013 06:51:49 AM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 36983516

    Error: (10/28/2013 06:51:49 AM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 36983516

    Error: (10/28/2013 06:51:49 AM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (10/27/2013 04:13:16 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 2948

    Error: (10/27/2013 04:13:16 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 2948

    Error: (10/27/2013 04:13:16 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (10/27/2013 04:13:15 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 1825

    Error: (10/27/2013 04:13:15 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 1825

    Error: (10/27/2013 04:13:15 PM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (10/27/2013 10:42:53 AM) (Source: Bonjour Service) (User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 55240765


    System errors:
    =============
    Error: (10/27/2013 06:24:16 PM) (Source: ACPI) (User: )
    Description: : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.

    Error: (10/27/2013 03:21:09 PM) (Source: WMPNetworkSvc) (User: )
    Description: 0x80070422

    Error: (10/27/2013 03:21:09 PM) (Source: WMPNetworkSvc) (User: )
    Description: 0x80070422

    Error: (10/27/2013 03:21:08 PM) (Source: WMPNetworkSvc) (User: )
    Description: 0x80070422

    Error: (10/27/2013 03:21:08 PM) (Source: WMPNetworkSvc) (User: )
    Description: 0x80070422

    Error: (10/27/2013 03:17:28 PM) (Source: ACPI) (User: )
    Description: : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly.

    Error: (10/27/2013 11:42:37 AM) (Source: WMPNetworkSvc) (User: )
    Description: 0x80070422

    Error: (10/27/2013 11:42:37 AM) (Source: WMPNetworkSvc) (User: )
    Description: 0x80070422

    Error: (10/27/2013 11:42:37 AM) (Source: WMPNetworkSvc) (User: )
    Description: 0x80070422

    Error: (10/27/2013 11:42:37 AM) (Source: WMPNetworkSvc) (User: )
    Description: 0x80070422


    Microsoft Office Sessions:
    =========================
    Error: (10/28/2013 06:51:49 AM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 36983516

    Error: (10/28/2013 06:51:49 AM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 36983516

    Error: (10/28/2013 06:51:49 AM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (10/27/2013 04:13:16 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 2948

    Error: (10/27/2013 04:13:16 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 2948

    Error: (10/27/2013 04:13:16 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (10/27/2013 04:13:15 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 1825

    Error: (10/27/2013 04:13:15 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledEvent 1825

    Error: (10/27/2013 04:13:15 PM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: Continuously busy for more than a second

    Error: (10/27/2013 10:42:53 AM) (Source: Bonjour Service)(User: )
    Description: Task Scheduling Error: m->NextScheduledSPRetry 55240765


    CodeIntegrity Errors:
    ===================================
    Date: 2013-09-13 20:57:10.387
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\nvd3dum.dll because the set of per-page image hashes could not be found on the system.

    Date: 2013-09-13 20:57:10.377
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\nvd3dum.dll because the set of per-page image hashes could not be found on the system.

    Date: 2013-09-13 20:44:07.178
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\nvd3dum.dll because the set of per-page image hashes could not be found on the system.

    Date: 2013-09-13 20:44:07.168
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\nvd3dum.dll because the set of per-page image hashes could not be found on the system.

    Date: 2013-09-13 20:43:54.176
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\nvd3dum.dll because the set of per-page image hashes could not be found on the system.

    Date: 2013-09-13 20:43:54.166
    Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\nvd3dum.dll because the set of per-page image hashes could not be found on the system.


    ==================== Memory info ===========================

    Percentage of memory in use: 53%
    Total physical RAM: 3003.91 MB
    Available physical RAM: 1384.78 MB
    Total Pagefile: 6006.1 MB
    Available Pagefile: 4133.79 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1879.96 MB

    ==================== Drives ================================

    Drive c: (ACER) (Fixed) (Total:450.3 GB) (Free:232.33 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 466 GB) (Disk ID: 4FA5E263)
    Partition 1: (Not Active) - (Size=12 GB) - (Type=27)
    Partition 2: (Active) - (Size=450 GB) - (Type=07 NTFS)
    Partition 3: (Not Active) - (Size=3 GB) - (Type=12)

    ==================== End Of Log ============================
     
  6. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Download attached fixlist.txt file and save it to the Desktop.
    NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Run FRST/FRST64 and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

    See if you can login to affected user account.
     

    Attached Files:

  7. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-10-2013
    Ran by Andrew at 2013-10-28 19:21:12 Run:1
    Running from C:\Users\Andrew\Desktop
    Boot Mode: Normal
    ==============================================
    Content of fixlist:
    *****************
    URLSearchHook: HKCU - (No Name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - No File
    CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
    CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll No File
    U3 mbr; \??\C:\Users\Andrew\AppData\Local\Temp\mbr.sys [x]
    C:\Users\Andrew\AppData\Local\Temp\mbr.sys
    2013-10-27 11:39 - 2013-10-27 11:40 - 00000004 _____ C:\Users\Andrew\AppData\Roaming\skype.ini
    *****************
    HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} => Value deleted successfully.
    C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll not found.
    c:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll not found.
    mbr => Service deleted successfully.
    "C:\Users\Andrew\AppData\Local\Temp\mbr.sys" => File/Directory not found.
    C:\Users\Andrew\AppData\Roaming\skype.ini => Moved successfully.
    ==== End of Fixlog ====
     
  8. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    Thanks again. I can log in to the affected account, but have been able to - its just recurs every 2-3 days. So far, not since we started this process.
     
  9. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Very well.
    Stay in that account....

    [​IMG] Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop.
    • Close all the running programs
    • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    [​IMG] Create new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download Malwarebytes Anti-Rootkit (MBAR) from HERE
    • Unzip downloaded file.
    • Open the folder where the contents were unzipped and run mbar.exe
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • When done, please post the two logs produced they will be in the MBAR folder..... mbar-log-xxxxx.txt and system-log.txt
     
  10. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    RogueKiller V8.7.6 [Oct 28 2013] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://tigzyrk.blogspot.com/
    Operating System : Windows 7 (6.1.7600 ) 32 bits version
    Started in : Normal mode
    User : Andrew [Admin rights]
    Mode : Remove -- Date : 10/28/2013 21:32:17
    | ARK || FAK || MBR |
    ¤¤¤ Bad processes : 0 ¤¤¤
    ¤¤¤ Registry Entries : 3 ¤¤¤
    [HJ POL][PUM] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
    ¤¤¤ Scheduled tasks : 2 ¤¤¤
    [V1][SUSP PATH] ROC_REG_JAN_DELETE.job : C:\ProgramData\AVG January 2013 Campaign\ROC.exe - /DELETE_FROM_SYSTEM=1 [7] -> DELETED
    [V2][SUSP PATH] ROC_REG_JAN_DELETE : C:\ProgramData\AVG January 2013 Campaign\ROC.exe - /DELETE_FROM_SYSTEM=1 [7] -> DELETED
    ¤¤¤ Startup Entries : 0 ¤¤¤
    ¤¤¤ Web browsers : 0 ¤¤¤
    ¤¤¤ Particular Files / Folders: ¤¤¤
    ¤¤¤ Driver : [LOADED] ¤¤¤
    [Inline] EAT @iexplore.exe (NtMapViewOfSection) : ntdll.dll -> HOOKED (Unknown @ 0x719F0022)
    [Inline] EAT @iexplore.exe (ZwMapViewOfSection) : ntdll.dll -> HOOKED (Unknown @ 0x719F0022)
    [Inline] EAT @iexplore.exe (CoCreateInstanceEx) : ole32.dll -> HOOKED (Unknown @ 0x71470022)
    [Inline] EAT @iexplore.exe (?_rooksdol_extension_instance@rooksdol_extension@rooksdol@@0PAV12@A) : rooksdol.dll -> HOOKED (Unknown @ 0xC89EB922)
    [Inline] EAT @iexplore.exe (GetAddrInfoExW) : WS2_32.dll -> HOOKED (Unknown @ 0x70DC0022)
    [Inline] EAT @iexplore.exe (connect) : WS2_32.dll -> HOOKED (Unknown @ 0x70D70022)
    [Inline] EAT @iexplore.exe (getaddrinfo) : WS2_32.dll -> HOOKED (Unknown @ 0x70D20022)
    [Inline] EAT @iexplore.exe (NtMapViewOfSection) : ntdll.dll -> HOOKED (Unknown @ 0x719F0022)
    [Inline] EAT @iexplore.exe (ZwMapViewOfSection) : ntdll.dll -> HOOKED (Unknown @ 0x719F0022)
    [Inline] EAT @iexplore.exe (CoCreateInstanceEx) : ole32.dll -> HOOKED (Unknown @ 0x71470022)
    [Inline] EAT @iexplore.exe (?_rooksdol_extension_instance@rooksdol_extension@rooksdol@@0PAV12@A) : rooksdol.dll -> HOOKED (Unknown @ 0xC89EB222)
    [Inline] EAT @iexplore.exe (GetAddrInfoExW) : WS2_32.dll -> HOOKED (Unknown @ 0x70DC0022)
    [Inline] EAT @iexplore.exe (connect) : WS2_32.dll -> HOOKED (Unknown @ 0x70D70022)
    [Inline] EAT @iexplore.exe (getaddrinfo) : WS2_32.dll -> HOOKED (Unknown @ 0x70D20022)
    ¤¤¤ External Hives: ¤¤¤
    ¤¤¤ Infection : ¤¤¤
    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts

    127.0.0.1 localhost

    ¤¤¤ MBR Check: ¤¤¤
    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) Hitachi HTS545050B9A300 +++++
    --- User ---
    [MBR] fd8a2f34c3d014d55c97de571036860b
    [BSP] 150299c26fbf149abfa2f2d269ded352 : Acer MBR Code
    Partition table:
    0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 63 | Size: 12291 Mo
    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 25174016 | Size: 461107 Mo
    2 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 969521152 | Size: 3540 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    Finished : << RKreport[0]_D_10282013_213217.txt >>
    RKreport[0]_S_10282013_213043.txt
     
  11. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    Malwarebytes Anti-Rootkit BETA 1.07.0.1007
    www.malwarebytes.org
    Database version: v2013.10.28.11
    Windows 7 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Andrew :: ANDREW-PC [administrator]
    28/10/2013 21:51:23
    mbar-log-2013-10-28 (21-51-23).txt
    Scan type: Quick scan
    Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
    Scan options disabled:
    Objects scanned: 234531
    Time elapsed: 25 minute(s), 26 second(s)
    Memory Processes Detected: 0
    (No malicious items detected)
    Memory Modules Detected: 0
    (No malicious items detected)
    Registry Keys Detected: 0
    (No malicious items detected)
    Registry Values Detected: 0
    (No malicious items detected)
    Registry Data Items Detected: 0
    (No malicious items detected)
    Folders Detected: 0
    (No malicious items detected)
    Files Detected: 0
    (No malicious items detected)
    Physical Sectors Detected: 0
    (No malicious items detected)
    (end)
     
     
  12. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    ---------------------------------------
    Malwarebytes Anti-Rootkit BETA 1.07.0.1007

    (c) Malwarebytes Corporation 2011-2012

    OS version: 6.1.7600 Windows 7 x86

    Account is Administrative

    Internet Explorer version: 9.0.8112.16421

    Java version: 1.6.0_32

    File system is: NTFS
    Disk drives: C:\ DRIVE_FIXED
    CPU speed: 2.527000 GHz
    Memory total: 3149828096, free: 1709785088

    Downloaded database version: v2013.10.28.11
    Downloaded database version: v2013.10.11.02
    =======================================
    Initializing...
    ------------ Kernel report ------------
    10/28/2013 21:51:17
    ------------ Loaded modules -----------
    \SystemRoot\system32\ntkrnlpa.exe
    \SystemRoot\system32\halmacpi.dll
    \SystemRoot\system32\kdcom.dll
    \SystemRoot\system32\mcupdate_GenuineIntel.dll
    \SystemRoot\system32\PSHED.dll
    \SystemRoot\system32\BOOTVID.dll
    \SystemRoot\system32\CLFS.SYS
    \SystemRoot\system32\CI.dll
    \SystemRoot\System32\drivers\fnrtgxd.sys
    \SystemRoot\system32\drivers\Wdf01000.sys
    \SystemRoot\system32\drivers\WDFLDR.SYS
    \SystemRoot\system32\DRIVERS\ACPI.sys
    \SystemRoot\system32\DRIVERS\WMILIB.SYS
    \SystemRoot\system32\DRIVERS\msisadrv.sys
    \SystemRoot\system32\DRIVERS\pci.sys
    \SystemRoot\system32\DRIVERS\vdrvroot.sys
    \SystemRoot\System32\drivers\partmgr.sys
    \SystemRoot\system32\DRIVERS\compbatt.sys
    \SystemRoot\system32\DRIVERS\BATTC.SYS
    \SystemRoot\system32\DRIVERS\volmgr.sys
    \SystemRoot\System32\drivers\volmgrx.sys
    \SystemRoot\System32\drivers\mountmgr.sys
    \SystemRoot\system32\DRIVERS\iaStor.sys
    \SystemRoot\system32\DRIVERS\amdxata.sys
    \SystemRoot\system32\drivers\fltmgr.sys
    \SystemRoot\system32\drivers\fileinfo.sys
    \SystemRoot\System32\Drivers\Ntfs.sys
    \SystemRoot\System32\Drivers\msrpc.sys
    \SystemRoot\System32\Drivers\ksecdd.sys
    \SystemRoot\System32\Drivers\cng.sys
    \SystemRoot\System32\drivers\pcw.sys
    \SystemRoot\System32\Drivers\Fs_Rec.sys
    \SystemRoot\system32\drivers\ndis.sys
    \SystemRoot\system32\drivers\NETIO.SYS
    \SystemRoot\System32\Drivers\ksecpkg.sys
    \SystemRoot\System32\drivers\tcpip.sys
    \SystemRoot\System32\drivers\fwpkclnt.sys
    \SystemRoot\system32\DRIVERS\volsnap.sys
    \SystemRoot\System32\Drivers\spldr.sys
    \SystemRoot\System32\drivers\rdyboost.sys
    \SystemRoot\System32\Drivers\RapportKELL.sys
    \SystemRoot\System32\Drivers\mup.sys
    \SystemRoot\System32\drivers\hwpolicy.sys
    \SystemRoot\System32\DRIVERS\fvevol.sys
    \SystemRoot\system32\DRIVERS\disk.sys
    \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
    \SystemRoot\System32\DRIVERS\cmderd.sys
    \SystemRoot\system32\DRIVERS\cdrom.sys
    \SystemRoot\system32\DRIVERS\cmdguard.sys
    \SystemRoot\system32\DRIVERS\CFRMD.sys
    \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_56758.sys
    \SystemRoot\System32\Drivers\Null.SYS
    \SystemRoot\System32\Drivers\Beep.SYS
    \SystemRoot\System32\drivers\vga.sys
    \SystemRoot\System32\drivers\VIDEOPRT.SYS
    \SystemRoot\System32\drivers\watchdog.sys
    \SystemRoot\System32\DRIVERS\RDPCDD.sys
    \SystemRoot\system32\drivers\rdpencdd.sys
    \SystemRoot\system32\drivers\rdprefmp.sys
    \SystemRoot\System32\Drivers\Msfs.SYS
    \SystemRoot\System32\Drivers\Npfs.SYS
    \SystemRoot\system32\DRIVERS\tdx.sys
    \SystemRoot\system32\DRIVERS\TDI.SYS
    \SystemRoot\System32\DRIVERS\cmdhlp.sys
    \SystemRoot\System32\DRIVERS\netbt.sys
    \SystemRoot\system32\drivers\afd.sys
    \SystemRoot\system32\drivers\ws2ifsl.sys
    \SystemRoot\system32\DRIVERS\wfplwf.sys
    \SystemRoot\system32\DRIVERS\pacer.sys
    \SystemRoot\system32\DRIVERS\inspect.sys
    \SystemRoot\system32\DRIVERS\netbios.sys
    \SystemRoot\system32\DRIVERS\dtsoftbus01.sys
    \SystemRoot\system32\DRIVERS\wanarp.sys
    \SystemRoot\system32\DRIVERS\termdd.sys
    \SystemRoot\system32\DRIVERS\rdbss.sys
    \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
    \??\C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys
    \SystemRoot\system32\drivers\nsiproxy.sys
    \SystemRoot\system32\DRIVERS\mssmbios.sys
    \SystemRoot\system32\DRIVERS\hmd.sys
    \SystemRoot\System32\Drivers\ElbyCDIO.sys
    \SystemRoot\System32\drivers\discache.sys
    \SystemRoot\System32\Drivers\dfsc.sys
    \SystemRoot\system32\DRIVERS\blbdrive.sys
    \SystemRoot\system32\DRIVERS\tunnel.sys
    \SystemRoot\system32\DRIVERS\intelppm.sys
    \SystemRoot\system32\DRIVERS\nvBridge.kmd
    \SystemRoot\system32\DRIVERS\igdkmd32.sys
    \SystemRoot\System32\drivers\dxgkrnl.sys
    \SystemRoot\System32\drivers\dxgmms1.sys
    \SystemRoot\system32\DRIVERS\nvlddmkm.sys
    \SystemRoot\system32\DRIVERS\usbuhci.sys
    \SystemRoot\system32\DRIVERS\USBPORT.SYS
    \SystemRoot\system32\DRIVERS\usbehci.sys
    \SystemRoot\system32\DRIVERS\HDAudBus.sys
    \SystemRoot\system32\DRIVERS\netw5v32.sys
    \SystemRoot\system32\DRIVERS\b57nd60x.sys
    \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
    \SystemRoot\system32\DRIVERS\CmBatt.sys
    \SystemRoot\system32\DRIVERS\i8042prt.sys
    \SystemRoot\system32\DRIVERS\DKbFltr.sys
    \SystemRoot\system32\DRIVERS\kbdclass.sys
    \SystemRoot\system32\DRIVERS\SynTP.sys
    \SystemRoot\system32\DRIVERS\USBD.SYS
    \SystemRoot\system32\DRIVERS\mouclass.sys
    \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    \SystemRoot\system32\DRIVERS\wmiacpi.sys
    \SystemRoot\system32\DRIVERS\enecir.sys
    \SystemRoot\system32\DRIVERS\CompositeBus.sys
    \SystemRoot\system32\DRIVERS\AgileVpn.sys
    \SystemRoot\system32\DRIVERS\rasl2tp.sys
    \SystemRoot\system32\DRIVERS\ndistapi.sys
    \SystemRoot\system32\DRIVERS\ndiswan.sys
    \SystemRoot\system32\DRIVERS\raspppoe.sys
    \SystemRoot\system32\DRIVERS\raspptp.sys
    \SystemRoot\system32\DRIVERS\rassstp.sys
    \SystemRoot\system32\DRIVERS\VClone.sys
    \SystemRoot\system32\DRIVERS\swenum.sys
    \SystemRoot\system32\DRIVERS\ks.sys
    \SystemRoot\system32\DRIVERS\circlass.sys
    \SystemRoot\system32\DRIVERS\umbus.sys
    \SystemRoot\system32\DRIVERS\usbhub.sys
    \SystemRoot\System32\Drivers\NDProxy.SYS
    \SystemRoot\system32\drivers\RTKVHDA.sys
    \SystemRoot\system32\drivers\portcls.sys
    \SystemRoot\system32\drivers\drmk.sys
    \SystemRoot\system32\DRIVERS\hidir.sys
    \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    \SystemRoot\system32\DRIVERS\kbdhid.sys
    \SystemRoot\system32\DRIVERS\mouhid.sys
    \SystemRoot\System32\win32k.sys
    \SystemRoot\System32\drivers\Dxapi.sys
    \SystemRoot\System32\Drivers\crashdmp.sys
    \SystemRoot\System32\Drivers\dump_iaStor.sys
    \SystemRoot\System32\Drivers\dump_dumpfve.sys
    \SystemRoot\System32\TSDDD.dll
    \SystemRoot\System32\Drivers\FPSensor.sys
    \SystemRoot\System32\ATMFD.DLL
    \SystemRoot\system32\DRIVERS\usbccgp.sys
    \SystemRoot\system32\drivers\luafv.sys
    \??\C:\Windows\system32\drivers\mbam.sys
    \SystemRoot\system32\drivers\WudfPf.sys
    \SystemRoot\System32\Drivers\usbvideo.sys
    \SystemRoot\system32\DRIVERS\lltdio.sys
    \SystemRoot\system32\DRIVERS\nwifi.sys
    \SystemRoot\system32\DRIVERS\ndisuio.sys
    \SystemRoot\system32\DRIVERS\rspndr.sys
    \SystemRoot\system32\drivers\HTTP.sys
    \SystemRoot\system32\DRIVERS\bowser.sys
    \SystemRoot\System32\drivers\mpsdrv.sys
    \SystemRoot\system32\DRIVERS\mrxsmb.sys
    \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    \SystemRoot\System32\cdd.dll
    \??\C:\Windows\system32\drivers\int15.sys
    \SystemRoot\system32\drivers\peauth.sys
    \SystemRoot\System32\Drivers\secdrv.SYS
    \SystemRoot\System32\DRIVERS\srvnet.sys
    \SystemRoot\System32\drivers\tcpipreg.sys
    \SystemRoot\System32\DRIVERS\srv2.sys
    \SystemRoot\System32\DRIVERS\srv.sys
    \SystemRoot\system32\DRIVERS\asyncmac.sys
    \??\C:\Users\Andrew\AppData\Local\Temp\mbr.sys
    \SystemRoot\system32\DRIVERS\monitor.sys
    \SystemRoot\system32\DRIVERS\hidusb.sys
    \SystemRoot\System32\Drivers\fastfat.SYS
    \SystemRoot\system32\drivers\spsys.sys
    \??\C:\Windows\system32\drivers\mbamchameleon.sys
    \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys
    \Windows\System32\ntdll.dll
    \Windows\System32\smss.exe
    \Windows\System32\apisetschema.dll
    \Windows\System32\autochk.exe
    \Windows\System32\lpk.dll
    \Windows\System32\rpcrt4.dll
    \Windows\System32\usp10.dll
    \Windows\System32\msvcrt.dll
    \Windows\System32\wininet.dll
    \Windows\System32\advapi32.dll
    \Windows\System32\oleaut32.dll
    \Windows\System32\gdi32.dll
    \Windows\System32\psapi.dll
    \Windows\System32\msctf.dll
    \Windows\System32\clbcatq.dll
    \Windows\System32\difxapi.dll
    \Windows\System32\shlwapi.dll
    \Windows\System32\normaliz.dll
    \Windows\System32\shell32.dll
    \Windows\System32\setupapi.dll
    \Windows\System32\Wldap32.dll
    \Windows\System32\sechost.dll
    \Windows\System32\iertutil.dll
    \Windows\System32\comdlg32.dll
    \Windows\System32\ole32.dll
    \Windows\System32\user32.dll
    \Windows\System32\kernel32.dll
    \Windows\System32\imagehlp.dll
    \Windows\System32\urlmon.dll
    \Windows\System32\imm32.dll
    \Windows\System32\ws2_32.dll
    \Windows\System32\nsi.dll
    \Windows\System32\KernelBase.dll
    \Windows\System32\cfgmgr32.dll
    \Windows\System32\crypt32.dll
    \Windows\System32\devobj.dll
    \Windows\System32\comctl32.dll
    \Windows\System32\wintrust.dll
    \Windows\System32\msasn1.dll
    ----------- End -----------
    Done!
    <<<1>>>
    Upper Device Name: \Device\Harddisk0\DR0
    Upper Device Object: 0xffffffff876f77d0
    Upper Device Driver Name: \Driver\Disk\
    Lower Device Name: \Device\Ide\IAAStorageDevice-1\
    Lower Device Object: 0xffffffff86caa028
    Lower Device Driver Name: \Driver\iaStor\
    <<<2>>>
    Physical Sector Size: 512
    Drive: 0, DevicePointer: 0xffffffff876f77d0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    --------- Disk Stack ------
    DevicePointer: 0xffffffff876f7410, DeviceName: Unknown, DriverName: \Driver\partmgr\
    DevicePointer: 0xffffffff876f77d0, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    DevicePointer: 0xffffffff86caa028, DeviceName: \Device\Ide\IAAStorageDevice-1\, DriverName: \Driver\iaStor\
    ------------ End ----------
    Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
    Upper DeviceData: 0x0, 0x0, 0x0
    Lower DeviceData: 0x0, 0x0, 0x0
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Scanning drivers directory: C:\WINDOWS\SYSTEM32\drivers...
    <<<2>>>
    <<<3>>>
    Volume: C:
    File system type: NTFS
    SectorSize = 512, ClusterSize = 4096, MFTRecordSize = 1024, MFTIndexSize = 4096 bytes
    Done!
    Drive 0
    Scanning MBR on drive 0...
    Inspecting partition table:
    MBR Signature: 55AA
    Disk Signature: 4FA5E263

    Partition information:

    Partition 0 type is Other (0x27)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 63 Numsec = 25173792

    Partition 1 type is Primary (0x7)
    Partition is ACTIVE.
    Partition starts at LBA: 25174016 Numsec = 944347136
    Partition is not bootable

    Partition 2 type is Other (0x12)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 969521152 Numsec = 7249920

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0 Numsec = 0

    Disk Size: 500107862016 bytes
    Sector size: 512 bytes

    Scanning physical sectors of unpartitioned space on drive 0 (1-62-976753168-976773168)...
    Done!
    Scan finished
    =======================================


    Removal queue found; removal started
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\Bootstrap_0_1_25174016_i.mbam...
    Removing C:\ProgramData\Malwarebytes' Anti-Malware (portable)\MBR_0_r.mbam...
    Removal finished
     
  13. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    [​IMG] Create new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    [​IMG] Please download ComboFix from Here, Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      If the connection is not there use restore point you created prior to running Combofix.
    • Double click on combofix.exe & follow the prompts.

    • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error Illegal operation attempted on a registery key that has been marked for deletion, restart computer to fix the issue.
    **Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try the following...

    Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.
    Download Rkill (courtesy of BleepingComputer.com) to your desktop.
    There are 2 different versions. If one of them won't run then download and try to run the other one.
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

    Restart computer in safe mode

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    When the scan is done Notepad will open with rKill.txt log.
    NOTE. rKill.txt log will also be present on your desktop.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.
     
  14. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    ComboFix 13-10-28.01 - Andrew 29/10/2013 9:14.2.2 - x86
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.44.1033.18.3004.1848 [GMT -4:00]
    Running from: c:\users\Andrew\Desktop\ComboFix.exe
    AV: COMODO Antivirus *Disabled/Updated* {B74CC7D2-B407-E1DC-1033-DD315BCDC8C8}
    FW: COMODO Firewall *Disabled* {8F7746F7-FE68-E084-3B6C-7404A51E8FB3}
    SP: COMODO Antivirus *Disabled/Updated* {0C2D2636-923D-EE52-2A83-E643204A8275}
    SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Microsoft\Windows\DRM\5320.tmp
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_vpnagent
    .
    .
    ((((((((((((((((((((((((( Files Created from 2013-09-28 to 2013-10-29 )))))))))))))))))))))))))))))))
    .
    .
    2013-10-29 13:44 . 2013-10-29 13:44--------d-----w-c:\users\Public\AppData\Local\temp
    2013-10-29 13:44 . 2013-10-29 13:44--------d-----w-c:\users\Default\AppData\Local\temp
    2013-10-29 01:51 . 2013-10-29 02:25--------d-----w-c:\programdata\Malwarebytes' Anti-Malware (portable)
    2013-10-29 01:51 . 2013-10-29 01:51105176----a-w-c:\windows\system32\drivers\MBAMSwissArmy.sys
    2013-10-29 01:50 . 2013-10-29 01:5075992----a-w-c:\windows\system32\drivers\mbamchameleon.sys
    2013-10-28 13:31 . 2013-10-28 13:31--------d-----w-C:\FRST
    2013-10-26 13:55 . 2013-10-26 13:55--------d-----w-C:\VTRoot
    2013-10-26 13:55 . 2013-10-26 14:172144----a-w-c:\windows\system32\drivers\fvstore.dat
    2013-10-26 03:04 . 2013-10-26 03:04--------d-----w-c:\program files\Malwarebytes' Anti-Malware
    2013-10-26 03:04 . 2013-04-04 18:5022856----a-w-c:\windows\system32\drivers\mbam.sys
    2013-10-26 02:59 . 2013-10-26 03:00--------d-----w-c:\users\fixer
    2013-10-20 23:12 . 2013-10-20 23:12--------d-----w-c:\users\Andrew\AppData\Local\calibre-cache
    2013-10-13 23:42 . 2013-10-13 23:42--------d-----w-c:\program files\Common Files\COMODO
    2013-10-04 08:15 . 2013-10-04 08:1515400----a-w-c:\windows\system32\drivers\hmd.sys
    2013-09-30 16:01 . 2013-09-30 15:57737280----a-w-c:\windows\iun6002.exe
    2013-09-30 15:57 . 2013-09-30 16:01--------d-----w-c:\program files\AAZV Collected Proceedings 1968-2013
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-10-04 08:15 . 2013-10-04 08:1515400----a-w-c:\windows\inf\HMD\hmd.sys
    2013-09-24 10:54 . 2013-06-18 20:1685464----a-w-c:\windows\system32\drivers\inspect.sys
    2013-09-24 10:54 . 2013-06-18 20:16582936----a-w-c:\windows\system32\drivers\cmdguard.sys
    2013-09-24 10:54 . 2013-06-18 20:1644752----a-w-c:\windows\system32\drivers\cmdhlp.sys
    2013-09-24 10:54 . 2013-06-18 20:1620072----a-w-c:\windows\system32\drivers\cmderd.sys
    2013-09-24 10:53 . 2013-06-18 20:1536000----a-w-c:\windows\system32\cmdcsr.dll
    2013-09-24 10:53 . 2013-06-18 20:15354240----a-w-c:\windows\system32\guard32.dll
    2013-09-24 10:53 . 2013-06-18 20:15280792----a-w-c:\windows\system32\cmdvrt32.dll
    2013-09-24 10:53 . 2013-06-18 20:1540664----a-w-c:\windows\system32\cmdkbd32.dll
    2013-09-11 03:18 . 2013-09-11 03:1897008----a-w-c:\windows\system32\drivers\RapportKELL.sys
    2013-09-05 09:35 . 2013-09-05 09:3555504----a-w-c:\windows\system32\offreg.dll
    2013-08-03 01:21 . 2013-08-03 01:21348160----a-w-c:\windows\system32\msvcr71.dll
    2013-08-03 01:21 . 2013-08-03 01:211060864----a-w-c:\windows\system32\mfc71.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!AsusWSShellExt_B]
    @="{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}"
    [HKEY_CLASSES_ROOT\CLSID\{CC5FC992-B0AA-47CD-9DC2-83445083CBB8}]
    2012-09-27 07:341461248----a-w-c:\program files\ASUS\WebStorage Sync Agent\1.1.13.147\AsusWSShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!AsusWSShellExt_O]
    @="{618A47A2-528B-4D9A-AFC8-97D3233511E2}"
    [HKEY_CLASSES_ROOT\CLSID\{618A47A2-528B-4D9A-AFC8-97D3233511E2}]
    2012-09-27 07:341461248----a-w-c:\program files\ASUS\WebStorage Sync Agent\1.1.13.147\AsusWSShellExt.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\!AsusWSShellExt_U]
    @="{1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4D}"
    [HKEY_CLASSES_ROOT\CLSID\{1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4D}]
    2012-09-27 07:341461248----a-w-c:\program files\ASUS\WebStorage Sync Agent\1.1.13.147\AsusWSShellExt.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-01-16 717696]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LManager"="c:\program files\Launch Manager\LManager.exe" [2009-08-18 1157128]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-04 7731744]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2009-07-08 212992]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-06-18 1537320]
    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
    "COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cistray.exe" [2013-10-20 1576152]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
    "Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" [2012-12-10 527864]
    "tvncontrol"="c:\program files\Common Files\COMODO\GeekBuddyRSP.exe" [2013-10-11 2327248]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Start GeekBuddy.lnk - c:\program files\Comodo\GeekBuddy\launcher.exe "unit_manager.exe" [2013-10-11 49360]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 5 (0x5)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification PackagesREG_MULTI_SZ c:\program files\Acer Bio Protection\PwdFilter
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
    2010-03-06 03:44500208------w-c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUSWebStorage]
    2012-10-25 04:123574656----a-w-c:\program files\ASUS\WebStorage Sync Agent\1.1.13.147\AsusWSPanel.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2011-10-20 00:31136176----atw-c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2013-05-31 15:56152392----a-w-c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2009-06-08 22:5213789728----a-w-c:\windows\System32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2009-03-05 20:072260480--sha-r-c:\program files\Spybot - Search & Destroy\TeaTimer.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard]
    2010-02-19 13:37517096----a-w-c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Google Update"="c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    "TorrentStream"=c:\users\Andrew\AppData\Roaming\TorrentStream\engine\tsengine.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Cisco AnyConnect Secure Mobility Agent for Windows"="c:\program files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
    .
    R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-11-09 160944]
    R3 acsock;acsock;c:\windows\system32\DRIVERS\acsock.sys [2012-12-10 92112]
    R3 cmdvirth;COMODO Virtual Service Manager;c:\program files\COMODO\COMODO Internet Security\cmdvirth.exe [2013-09-24 131288]
    R4 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
    S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2013-09-11 97008]
    S1 CFRMD;CFRMD;c:\windows\system32\DRIVERS\CFRMD.sys [2013-05-07 35064]
    S1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys [2013-09-24 20072]
    S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2013-09-24 582936]
    S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2013-09-24 44752]
    S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-01-09 218176]
    S1 HMD;COMODO livePCsupport Hardware Monitor Driver;c:\windows\system32\DRIVERS\hmd.sys [2013-10-04 15400]
    S1 RapportCerberus_56758;RapportCerberus_56758;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_56758.sys [2013-08-27 330960]
    S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [2013-09-11 148688]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2013-09-11 222416]
    S2 CLPSLauncher;COMODO LPS Launcher;c:\program files\Common Files\COMODO\launcher_service.exe [2013-10-11 70352]
    S2 FPSensor;EgisTec-Corp Fingerprint Reader Driver (FPSensor.sys);c:\windows\system32\Drivers\FPSensor.sys [2011-01-03 29744]
    S2 GeekBuddyRSP;GeekBuddyRSP Server;c:\program files\Common Files\COMODO\GeekBuddyRSP.exe [2013-10-11 2327248]
    S2 IGBASVC;EgisTec Service;c:\program files\Acer Bio Protection\BASVC.exe [2009-09-05 3450368]
    S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2013-04-04 418376]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2013-09-11 1435928]
    S3 enecir;ENE CIR Receiver;c:\windows\system32\DRIVERS\enecir.sys [2009-05-20 59904]
    S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-07-20 116136]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    .
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-10-13 15:21]
    .
    2013-10-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-10-13 15:21]
    .
    2013-10-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-284424345-2181464997-1662967063-1001Core.job
    - c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-07 00:31]
    .
    2013-10-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-284424345-2181464997-1662967063-1001UA.job
    - c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-07 00:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
    IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
    TCP: DhcpNameServer = 132.236.249.19 132.236.249.18 132.236.56.250
    DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} - hxxp://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20110926150838
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-XBMC - c:\program files\XBMC\uninstall.exe
    .
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-284424345-2181464997-1662967063-1001\Software\G*e*n*I*e*"!\FM Genie Scout 11]
    "GameDir"="c:\\Users\\Andrew\\Documents\\Sports Interactive\\Football Manager 2011\\games"
    "ShortlistDir"=""
    "FMPath"=""
    "ScreenshotsDir"="c:\\Users\\Andrew\\Documents\\Sports Interactive\\Football Manager 2011"
    "SaveDir"="c:\\Users\\Andrew\\Documents\\Sports Interactive\\Football Manager 2011\\"
    "HistoryDir"="c:\\FM Genie Scout 11\\History Points"
    "LangDB"="c:\\FM Genie Scout 11\\lang_db.dat"
    "LastSaveGame"="c:\\Users\\Andrew\\Documents\\Sports Interactive\\Football Manager 2011\\games\\Untitled Game.fm"
    "Language"="English"
    "LoadLangDB"=dword:00000001
    "CompressHistoryPoints"=dword:00000000
    "HighlightedAttributes"=dword:00000000
    "MinCondition"=dword:00000050
    "GraphStep"=dword:00000000
    "SkinName"="PSV Eindhoven"
    "LastUpdateCheck"=dword:00009eba
    "HighQualityGUI"=dword:00000001
    "AutomaticallyUpdateCheck"=dword:00000001
    "AdvancedGeneration"=dword:00000000
    "TranslateStaffSkills"=dword:00000001
    "TranslatePlayerSkills"=dword:00000001
    "TranslatePositions"=dword:00000001
    "ShowHistory"=dword:00000001
    "Version"=dword:00000080
    "UniqueID"="55-E480-E35F"
    "UseProxy"=dword:00000000
    "ProxyHost"=""
    "ProxyPort"=""
    "UseAuthentication"=dword:00000000
    "UserName"=""
    "UserPassword"=""
    "PlayerSearchFeatureNum"=dword:00000001
    "StaffSearchFeatureNum"=dword:00000000
    "ClubSearchFeatureNum"=dword:00000000
    "FilterByClubFeatureNum"=dword:00000000
    "CompareFeatureNum"=dword:00000000
    "ShortlistFeatureNum"=dword:00000001
    "ExportFeatureNum"=dword:00000000
    "HistoryFeatureNum"=dword:00000000
    "LanguageDBFeatureNum"=dword:00000002
    "HintsFeatureNum"=dword:00000000
    "GenieReportFeatureNum"=dword:00000000
    "TopFormationFeatureNum"=dword:00000000
    "ScreenshotFeatureNum"=dword:00000000
    "Currency"=dword:00000056
    .
    [HKEY_USERS\S-1-5-21-284424345-2181464997-1662967063-1001\Software\G*e*n*I*e*"!\FM Genie Scout 11g]
    "PicturesNumber"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'lsass.exe'(708)
    c:\windows\system32\guard32.dll
    c:\program files\Acer Bio Protection\PwdFilter.DLL
    .
    - - - - - - - > 'Explorer.exe'(2668)
    c:\windows\system32\guard32.dll
    c:\windows\system32\dhcpcsvc.DLL
    c:\windows\system32\dhcpcsvc6.DLL
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\nvvsvc.exe
    c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
    c:\windows\system32\nvvsvc.exe
    c:\program files\Acer Bio Protection\CompPtcVUI.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\COMODO\COMODO Internet Security\cavwp.exe
    c:\program files\Google\Update\1.3.21.165\GoogleCrashHandler.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\windows\system32\taskhost.exe
    c:\windows\system32\conhost.exe
    .
    **************************************************************************
    .
    Completion time: 2013-10-29 10:23:41 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-10-29 14:23
    ComboFix2.txt 2012-09-03 00:50
    .
    Pre-Run: 245,025,996,800 bytes free
    Post-Run: 245,291,446,272 bytes free
    .
    - - End Of File - - CD0EDC903320BEAE339E6743F90551B1
    5586EABCC0D095DB340D873E2B236896
     
  15. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Looks good.

    How is computer doing?

    [​IMG] Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Scan button.
    • When the scan has finished click on Clean button.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the contents of that logfile with your next reply.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.

    [​IMG] Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    [​IMG] Download OTL to your Desktop.
    Alternate download: http://www.itxassociates.com/OT-Tools/OTL.exe
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Click the Scan All Users checkbox.
    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  16. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    Hi Broni. Computer so far seems ok - I get an error message regarding my VPN set up, but I can reinstall this after we are done. Below are the logs.

    # AdwCleaner v3.010 - Report created 30/10/2013 at 09:00:14
    # Updated 20/10/2013 by Xplode
    # Operating System : Windows 7 Home Premium (32 bits)
    # Username : Andrew - ANDREW-PC
    # Running from : C:\Users\Andrew\Desktop\adwcleaner.exe
    # Option : Clean

    ***** [ Services ] *****


    ***** [ Files / Folders ] *****

    Folder Deleted : C:\ProgramData\Trymedia
    Folder Deleted : C:\Users\Andrew\AppData\Local\Ilivid Player

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}
    Key Deleted : HKLM\Software\AVG Secure Search

    ***** [ Browsers ] *****

    -\\ Internet Explorer v9.0.8112.16421


    -\\ Google Chrome v

    [ File : C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\preferences ]


    *************************

    AdwCleaner[R0].txt - [2128 octets] - [30/10/2013 08:58:13]
    AdwCleaner[S0].txt - [2087 octets] - [30/10/2013 09:00:14]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2147 octets] ##########
     
  17. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.0.7 (10.15.2013:2)
    OS: Windows 7 Home Premium x86
    Ran by Andrew on 30/10/2013 at 9:06:46.71
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys



    ~~~ Files



    ~~~ Folders

    Successfully deleted: [Empty Folder] C:\Users\Andrew\appdata\local\{F253A5DF-9E66-4593-A47D-1307016A43DE}



    ~~~ Chrome

    Successfully deleted: [Folder] C:\Users\Andrew\appdata\local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on 30/10/2013 at 9:14:33.93
    Computer was rebooted
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    OTL logfile created on: 10/30/2013 9:16:13 AM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Andrew\Desktop
    Home Premium Edition (Version = 6.1.7600) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    2.93 Gb Total Physical Memory | 2.02 Gb Available Physical Memory | 69.03% Memory free
    5.87 Gb Paging File | 4.75 Gb Available in Paging File | 81.05% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 450.30 Gb Total Space | 228.51 Gb Free Space | 50.75% Space Free | Partition Type: NTFS

    Computer Name: ANDREW-PC | User Name: Andrew | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/10/30 08:57:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    PRC - [2013/10/19 21:23:22 | 004,832,192 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe
    PRC - [2013/10/19 21:22:56 | 007,025,880 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO Internet Security\cis.exe
    PRC - [2013/10/19 21:22:56 | 001,576,152 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO Internet Security\cistray.exe
    PRC - [2013/10/11 18:25:47 | 000,237,960 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\1.3.21.165\GoogleCrashHandler.exe
    PRC - [2013/10/11 12:23:06 | 000,228,560 | ---- | M] (Comodo Security Solutions, Inc.) -- C:\Program Files\Comodo\GeekBuddy\unit_manager.exe
    PRC - [2013/10/11 12:23:04 | 000,217,808 | ---- | M] (Comodo Security Solutions, Inc.) -- C:\Program Files\Comodo\GeekBuddy\unit.exe
    PRC - [2013/10/11 12:23:04 | 000,070,352 | ---- | M] (Comodo Security Solutions, Inc.) -- C:\Program Files\Common Files\COMODO\launcher_service.exe
    PRC - [2013/10/11 10:35:22 | 002,327,248 | ---- | M] (Comodo Security Solutions, Inc.) -- C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe
    PRC - [2013/09/24 06:53:25 | 001,857,752 | ---- | M] (COMODO) -- C:\Program Files\Comodo\COMODO Internet Security\cavwp.exe
    PRC - [2013/09/10 23:18:16 | 002,476,312 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    PRC - [2013/09/10 23:18:16 | 001,435,928 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    PRC - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    PRC - [2010/01/16 09:54:08 | 000,717,696 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
    PRC - [2009/09/05 04:17:56 | 003,450,368 | ---- | M] (Egis Technology Inc.) -- C:\Program Files\Acer Bio Protection\BASVC.exe
    PRC - [2009/09/05 04:17:40 | 003,358,720 | ---- | M] (Egis Technology Inc.) -- C:\Program Files\Acer Bio Protection\CompPtcVUI.exe
    PRC - [2009/08/18 05:42:08 | 001,157,128 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe
    PRC - [2009/07/13 21:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2009/07/13 21:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


    ========== Modules (No Company Name) ==========

    MOD - [2013/08/26 20:12:03 | 000,991,984 | ---- | M] () -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportMS.dll
    MOD - [2012/06/27 15:09:06 | 000,557,056 | ---- | M] () -- C:\Program Files\Trusteer\Rapport\bin\js32.dll
    MOD - [2010/01/21 01:34:10 | 008,793,952 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
    MOD - [2010/01/09 20:18:18 | 004,254,560 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF


    ========== Services (SafeList) ==========

    SRV - [2013/10/19 21:23:22 | 004,832,192 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\Comodo\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
    SRV - [2013/10/11 12:23:04 | 000,070,352 | ---- | M] (Comodo Security Solutions, Inc.) [Auto | Running] -- C:\Program Files\Common Files\COMODO\launcher_service.exe -- (CLPSLauncher)
    SRV - [2013/10/11 10:35:22 | 002,327,248 | ---- | M] (Comodo Security Solutions, Inc.) [Auto | Running] -- C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe -- (GeekBuddyRSP)
    SRV - [2013/09/24 06:53:27 | 000,131,288 | ---- | M] (COMODO) [On_Demand | Stopped] -- C:\Program Files\Comodo\COMODO Internet Security\cmdvirth.exe -- (cmdvirth)
    SRV - [2013/09/10 23:18:16 | 001,435,928 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
    SRV - [2013/04/04 14:50:32 | 000,418,376 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
    SRV - [2012/11/09 07:21:24 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
    SRV - [2012/09/04 19:08:56 | 000,386,424 | ---- | M] (SupportSoft, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe -- (SupportSoft RemoteAssist)
    SRV - [2010/02/19 09:37:14 | 000,517,096 | ---- | M] (Adobe Systems Incorporated) [Disabled | Stopped] -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe -- (SwitchBoard)
    SRV - [2010/01/21 17:51:12 | 030,963,576 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
    SRV - [2009/09/05 04:17:56 | 003,450,368 | ---- | M] (Egis Technology Inc.) [Auto | Running] -- C:\Program Files\Acer Bio Protection\BASVC.exe -- (IGBASVC)
    SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\windrvr6.sys -- (WinDriver6)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Andrew\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - [2013/10/04 04:15:04 | 000,015,400 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\hmd.sys -- (HMD)
    DRV - [2013/09/24 06:54:09 | 000,085,464 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\Windows\System32\drivers\inspect.sys -- (inspect)
    DRV - [2013/09/24 06:54:08 | 000,582,936 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\System32\drivers\cmdguard.sys -- (cmdGuard)
    DRV - [2013/09/24 06:54:08 | 000,044,752 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\Windows\System32\drivers\cmdhlp.sys -- (cmdHlp)
    DRV - [2013/09/24 06:54:07 | 000,020,072 | ---- | M] (COMODO) [File_System | System | Running] -- C:\Windows\System32\drivers\cmderd.sys -- (cmderd)
    DRV - [2013/09/10 23:18:28 | 000,222,416 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
    DRV - [2013/09/10 23:18:28 | 000,148,688 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportEI.sys -- (RapportEI)
    DRV - [2013/09/10 23:18:28 | 000,097,008 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\RapportKELL.sys -- (RapportKELL)
    DRV - [2013/08/26 20:12:02 | 000,330,960 | ---- | M] () [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_56758.sys -- (RapportCerberus_56758)
    DRV - [2013/05/07 03:00:16 | 000,035,064 | ---- | M] (Windows (R) Win 7 DDK provider) [File_System | System | Running] -- C:\Windows\System32\drivers\CFRMD.sys -- (CFRMD)
    DRV - [2012/12/10 09:00:50 | 000,092,112 | R--- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\acsock.sys -- (acsock)
    DRV - [2012/06/07 11:25:20 | 000,023,976 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vpnva.sys -- (vpnva)
    DRV - [2011/01/09 10:50:39 | 000,218,176 | ---- | M] (DT Soft Ltd) [Kernel | System | Running] -- C:\Windows\System32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
    DRV - [2011/01/03 12:20:46 | 000,029,744 | ---- | M] (EgisTec) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\FPSensor.sys -- (FPSensor)
    DRV - [2010/06/22 01:14:28 | 000,049,904 | R--- | M] (Avanquest Software) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\BVRPMPR5.SYS -- (BVRPMPR5)
    DRV - [2009/07/20 07:39:20 | 000,116,136 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\jmcr.sys -- (JMCR)
    DRV - [2009/07/13 20:18:07 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSDPrint.sys -- (WSDPrintDevice)
    DRV - [2009/07/13 19:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
    DRV - [2009/07/13 18:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32)
    DRV - [2009/07/13 12:40:42 | 000,212,528 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2009/06/08 21:25:00 | 009,760,096 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
    DRV - [2009/05/20 02:08:40 | 000,059,904 | ---- | M] (ENE TECHNOLOGY INC.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\enecir.sys -- (enecir)
    DRV - [2008/03/12 07:52:34 | 000,069,632 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\int15.sys -- (int15)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\..\SearchScopes,DefaultScope =
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


    IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope =
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope =
    IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope =

    IE - HKU\S-1-5-21-284424345-2181464997-1662967063-1001\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
    IE - HKU\S-1-5-21-284424345-2181464997-1662967063-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\S-1-5-21-284424345-2181464997-1662967063-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
    IE - HKU\S-1-5-21-284424345-2181464997-1662967063-1001\..\SearchScopes,DefaultScope =
    IE - HKU\S-1-5-21-284424345-2181464997-1662967063-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKU\S-1-5-21-284424345-2181464997-1662967063-1001\..\SearchScopes\{AA806B93-CAC2-4B04-847F-F18BEA841A10}: "URL" = http://www.google.com/search?q={sea...rce}&ie={inputEncoding?}&oe={outputEncoding?}
    IE - HKU\S-1-5-21-284424345-2181464997-1662967063-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\S-1-5-21-284424345-2181464997-1662967063-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


    ========== FireFox ==========

    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=1.6.0_32: C:\Windows\system32\npdeployJava1.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.7: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Andrew\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Andrew\AppData\Local\Google\Update\1.3.21.165\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@torrentstream.net/tsplugin,version=2.0.8.2: C:\Users\Andrew\AppData\Roaming\TorrentStream\player\npts_plugin.dll (Innovative Digital Technologies)

    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\magicplayer@torrentstream.org: C:\Users\Andrew\AppData\Roaming\TorrentStream\extensions\firefox\magicplayer@torrentstream.org [2013/09/25 20:31:57 | 000,000,000 | ---D | M]

    [2011/03/01 07:43:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Extensions
    [2011/03/01 07:43:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Extensions\home2@tomtom.com

    ========== Chrome ==========

    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = http://www.google.com/search?q={sea...rce}&ie={inputEncoding?}&oe={outputEncoding?}
    CHR - default_search_provider: suggest_url = ,
    CHR - homepage: http://www.google.com/
    CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Andrew\AppData\Local\Google\Chrome\Application\30.0.1599.101\PepperFlash\pepflashplayer.dll
    CHR - plugin: Chrome Remote Desktop Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Users\Andrew\AppData\Local\Google\Chrome\Application\30.0.1599.101\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Andrew\AppData\Local\Google\Chrome\Application\30.0.1599.101\pdf.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.6.9 (Enabled) = C:\Program Files\QuickTime\plugins\npqtplugin7.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll
    CHR - plugin: Java(TM) Platform SE 6 U32 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
    CHR - plugin: iTunes Application Detector (Enabled) = C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    CHR - plugin: Torrent Stream P2P Multimedia Plug-in 2 (Enabled) = C:\Users\Andrew\AppData\Roaming\TorrentStream\player\npts_plugin.dll
    CHR - plugin: Java Deployment Toolkit 6.0.320.5 (Enabled) = C:\Windows\system32\npdeployJava1.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60129.0\npctrl.dll
    CHR - Extension: YouTube = C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0\
    CHR - Extension: Google Search = C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0\
    CHR - Extension: TS Magic Player = C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\ochbjojkpcmlfeagbaahkofepalngihg\1.1.29_0\
    CHR - Extension: Gmail = C:\Users\Andrew\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

    O1 HOSTS File: ([2013/10/29 10:18:46 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    O2 - BHO: (ChromeFrame BHO) - {ECB3C477-1A0A-44BD-BB57-78F9EFE34FA7} - C:\Program Files\Google\Chrome Frame\Application\30.0.1599.101\npchrome_frame.dll (Google Inc.)
    O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
    O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
    O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
    O4 - HKLM..\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe (Cisco Systems, Inc.)
    O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\Comodo\COMODO Internet Security\cistray.exe (COMODO)
    O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.)
    O4 - HKLM..\Run: [tvncontrol] C:\Program Files\Common Files\COMODO\GeekBuddyRSP.exe (Comodo Security Solutions, Inc.)
    O4 - HKU\S-1-5-21-284424345-2181464997-1662967063-1001..\Run: [OfficeSyncProcess] C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE (Microsoft Corporation)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 147
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-284424345-2181464997-1662967063-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-284424345-2181464997-1662967063-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 147
    O7 - HKU\S-1-5-21-284424345-2181464997-1662967063-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
    O8 - Extra context menu item: Se&nd to OneNote - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: Quick-Launch Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer Bio Protection\PwdBank.exe (Egis Technology Inc.)
    O9 - Extra 'Tools' menuitem : Quick-Launch Area - {10954C80-4F0F-11d3-B17C-00C0DFE39736} - C:\Program Files\Acer Bio Protection\PwdBank.exe (Egis Technology Inc.)
    O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll (Microsoft Corporation)
    O9 - Extra Button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll (Microsoft Corporation)
    O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab (Microsoft Office Template and Media Control)
    O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} http://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20110926150838 (Reg Error: Key error.)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://soem.webex.com/client/T27LC/webex/ieatgpc1.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 132.236.249.19 132.236.249.18 132.236.56.250
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{E78E00BB-66CB-4C40-B91C-51BEFE20CDE2}: DhcpNameServer = 132.236.249.19 132.236.249.18 132.236.56.250
    O18 - Protocol\Handler\gcf {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - C:\Program Files\Google\Chrome Frame\Application\30.0.1599.101\npchrome_frame.dll (Google Inc.)
    O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
    O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/10/30 09:04:26 | 000,000,000 | ---D | C] -- C:\Windows\ERUNT
    [2013/10/30 08:58:08 | 000,000,000 | ---D | C] -- C:\AdwCleaner
    [2013/10/30 08:57:35 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    [2013/10/30 08:57:23 | 001,033,335 | ---- | C] (Thisisu) -- C:\Users\Andrew\Desktop\JRT.exe
    [2013/10/29 10:23:45 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2013/10/29 10:22:06 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2013/10/29 09:09:47 | 005,137,071 | R--- | C] (Swearware) -- C:\Users\Andrew\Desktop\ComboFix.exe
    [2013/10/28 21:51:17 | 000,105,176 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\MBAMSwissArmy.sys
    [2013/10/28 21:51:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes' Anti-Malware (portable)
    [2013/10/28 21:50:49 | 000,075,992 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamchameleon.sys
    [2013/10/28 21:50:43 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\mbar
    [2013/10/28 21:26:50 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\RK_Quarantine
    [2013/10/28 09:31:20 | 000,000,000 | ---D | C] -- C:\FRST
    [2013/10/28 09:30:57 | 001,089,183 | ---- | C] (Farbar) -- C:\Users\Andrew\Desktop\FRST.exe
    [2013/10/27 15:49:05 | 000,688,992 | R--- | C] (Swearware) -- C:\Users\Andrew\Desktop\dds.com
    [2013/10/26 09:55:40 | 000,000,000 | ---D | C] -- C:\VTRoot
    [2013/10/25 23:04:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2013/10/25 23:04:12 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2013/10/25 23:04:12 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2013/10/20 19:12:35 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Local\calibre-cache
    [2013/10/13 19:42:33 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\COMODO
    [2013/10/12 08:46:39 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\finally_connected
    [2013/10/06 13:28:28 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\AAZV Collected
    [2013/09/30 12:01:09 | 000,737,280 | ---- | C] (Indigo Rose Corporation) -- C:\Windows\iun6002.exe
    [2013/09/30 11:57:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AAZV Collected Proceedings 1968-2013
    [2013/09/30 11:57:29 | 000,000,000 | ---D | C] -- C:\Program Files\AAZV Collected Proceedings 1968-2013
    [9 C:\Users\Andrew\Desktop\*.tmp files -> C:\Users\Andrew\Desktop\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2013/10/30 09:13:28 | 000,014,608 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2013/10/30 09:13:28 | 000,014,608 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2013/10/30 09:10:50 | 000,666,176 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2013/10/30 09:10:50 | 000,125,820 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2013/10/30 09:06:31 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2013/10/30 09:06:17 | 000,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
    [2013/10/30 09:06:09 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2013/10/30 09:06:03 | 2362,368,000 | -HS- | M] () -- C:\hiberfil.sys
    [2013/10/30 08:57:35 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Desktop\OTL.exe
    [2013/10/30 08:57:24 | 001,033,335 | ---- | M] (Thisisu) -- C:\Users\Andrew\Desktop\JRT.exe
    [2013/10/30 08:56:52 | 001,060,070 | ---- | M] () -- C:\Users\Andrew\Desktop\adwcleaner.exe
    [2013/10/30 08:50:00 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-284424345-2181464997-1662967063-1001UA.job
    [2013/10/29 15:31:04 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2013/10/29 10:53:46 | 001,474,832 | ---- | M] () -- C:\Windows\System32\drivers\sfi.dat
    [2013/10/29 10:50:00 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-284424345-2181464997-1662967063-1001Core.job
    [2013/10/29 10:18:46 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2013/10/29 09:09:47 | 005,137,071 | R--- | M] (Swearware) -- C:\Users\Andrew\Desktop\ComboFix.exe
    [2013/10/28 21:51:17 | 000,105,176 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\MBAMSwissArmy.sys
    [2013/10/28 21:50:49 | 000,075,992 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamchameleon.sys
    [2013/10/28 21:20:28 | 000,067,187 | ---- | M] () -- C:\Users\Andrew\Desktop\Untitled-2.jpg
    [2013/10/28 19:43:14 | 000,025,754 | ---- | M] () -- C:\Users\Andrew\Desktop\Untitled-3.jpg
    [2013/10/28 19:35:38 | 003,538,944 | ---- | M] () -- C:\Users\Andrew\Desktop\RogueKiller.exe
    [2013/10/28 15:12:32 | 007,738,381 | ---- | M] () -- C:\Users\Andrew\Desktop\Haematology of Australian Mammals.pdf
    [2013/10/28 15:10:38 | 020,471,362 | ---- | M] () -- C:\Users\Andrew\Desktop\Medicine of Australian Mammals .pdf
    [2013/10/28 09:30:57 | 001,089,183 | ---- | M] (Farbar) -- C:\Users\Andrew\Desktop\FRST.exe
    [2013/10/27 15:49:06 | 000,688,992 | R--- | M] (Swearware) -- C:\Users\Andrew\Desktop\dds.com
    [2013/10/26 16:47:27 | 012,321,834 | ---- | M] () -- C:\Users\Andrew\Desktop\Ophthalmology_of_Exotic_Pets_epub.epub
    [2013/10/26 16:28:31 | 000,513,252 | ---- | M] () -- C:\Users\Andrew\Desktop\Johann River Otter tongue vesicl.JPG
    [2013/10/26 10:17:40 | 000,002,144 | ---- | M] () -- C:\Windows\System32\drivers\fvstore.dat
    [2013/10/25 23:04:14 | 000,001,071 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2013/10/20 18:35:42 | 000,000,934 | ---- | M] () -- C:\Users\Public\Desktop\calibre - E-book management.lnk
    [2013/10/20 10:37:52 | 000,938,637 | ---- | M] () -- C:\Users\Andrew\Desktop\10 Eval of diag Tests.pdf
    [2013/10/18 11:06:55 | 000,002,046 | -H-- | M] () -- C:\Users\Andrew\Documents\Default.rdp
    [2013/10/13 19:42:35 | 000,002,017 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Start GeekBuddy.lnk
    [2013/10/13 10:15:27 | 010,567,031 | ---- | M] () -- C:\Users\Andrew\Desktop\Avian Medicine - Samour.pdf
    [2013/10/12 08:46:29 | 015,886,511 | ---- | M] () -- C:\Users\Andrew\Desktop\finally_connected.zip
    [2013/10/10 20:42:30 | 000,715,863 | ---- | M] () -- C:\Users\Andrew\Desktop\PC JWD 2013 3 Papilloma hyaenas.pdf
    [2013/10/07 21:10:24 | 000,187,162 | ---- | M] () -- C:\Users\Andrew\Desktop\ACZM credentials.pdf
    [2013/10/06 12:46:57 | 000,081,558 | ---- | M] () -- C:\Users\Andrew\Desktop\www.amazon.co.uk_gp_orc_returns_labels_load.pdf
    [2013/10/06 12:45:54 | 000,081,726 | ---- | M] () -- C:\Users\Andrew\Desktop\www.amazon.co.uk_gp_orc_returns_labels_load_ie=UTF8&printerFriendly=label&rmaID=DLxq8BqKRRMA.pdf
    [2013/10/04 04:15:04 | 000,015,400 | ---- | M] () -- C:\Windows\System32\drivers\hmd.sys
    [2013/09/30 11:57:29 | 000,001,854 | ---- | M] () -- C:\Users\Andrew\Desktop\AAZV Collected Proceedings 1968-2013.lnk
    [2013/09/30 11:57:18 | 000,737,280 | ---- | M] (Indigo Rose Corporation) -- C:\Windows\iun6002.exe
    [9 C:\Users\Andrew\Desktop\*.tmp files -> C:\Users\Andrew\Desktop\*.tmp -> ]
    [1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2013/10/30 08:56:51 | 001,060,070 | ---- | C] () -- C:\Users\Andrew\Desktop\adwcleaner.exe
    [2013/10/28 19:43:24 | 000,067,187 | ---- | C] () -- C:\Users\Andrew\Desktop\Untitled-2.jpg
    [2013/10/28 19:43:11 | 000,025,754 | ---- | C] () -- C:\Users\Andrew\Desktop\Untitled-3.jpg
    [2013/10/28 19:35:38 | 003,538,944 | ---- | C] () -- C:\Users\Andrew\Desktop\RogueKiller.exe
    [2013/10/28 15:59:30 | 020,471,362 | ---- | C] () -- C:\Users\Andrew\Desktop\Medicine of Australian Mammals .pdf
    [2013/10/28 15:59:29 | 007,738,381 | ---- | C] () -- C:\Users\Andrew\Desktop\Haematology of Australian Mammals.pdf
    [2013/10/26 16:46:18 | 012,321,834 | ---- | C] () -- C:\Users\Andrew\Desktop\Ophthalmology_of_Exotic_Pets_epub.epub
    [2013/10/26 16:28:30 | 000,513,252 | ---- | C] () -- C:\Users\Andrew\Desktop\Johann River Otter tongue vesicl.JPG
    [2013/10/26 09:55:38 | 000,002,144 | ---- | C] () -- C:\Windows\System32\drivers\fvstore.dat
    [2013/10/25 23:04:14 | 000,001,071 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2013/10/20 10:37:45 | 000,938,637 | ---- | C] () -- C:\Users\Andrew\Desktop\10 Eval of diag Tests.pdf
    [2013/10/13 10:15:13 | 010,567,031 | ---- | C] () -- C:\Users\Andrew\Desktop\Avian Medicine - Samour.pdf
    [2013/10/12 08:46:17 | 015,886,511 | ---- | C] () -- C:\Users\Andrew\Desktop\finally_connected.zip
    [2013/10/10 20:42:30 | 000,715,863 | ---- | C] () -- C:\Users\Andrew\Desktop\PC JWD 2013 3 Papilloma hyaenas.pdf
    [2013/10/07 21:07:38 | 000,187,162 | ---- | C] () -- C:\Users\Andrew\Desktop\ACZM credentials.pdf
    [2013/10/06 12:46:57 | 000,081,558 | ---- | C] () -- C:\Users\Andrew\Desktop\www.amazon.co.uk_gp_orc_returns_labels_load.pdf
    [2013/10/06 12:45:54 | 000,081,726 | ---- | C] () -- C:\Users\Andrew\Desktop\www.amazon.co.uk_gp_orc_returns_labels_load_ie=UTF8&printerFriendly=label&rmaID=DLxq8BqKRRMA.pdf
    [2013/10/04 04:15:04 | 000,015,400 | ---- | C] () -- C:\Windows\System32\drivers\hmd.sys
    [2013/09/30 11:57:29 | 000,001,854 | ---- | C] () -- C:\Users\Andrew\Desktop\AAZV Collected Proceedings 1968-2013.lnk
    [2013/08/02 21:08:11 | 001,474,832 | ---- | C] () -- C:\Windows\System32\drivers\sfi.dat
    [2012/09/02 20:40:38 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
    [2012/09/02 20:40:38 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
    [2012/09/02 20:40:38 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2012/09/02 20:40:38 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2012/09/02 20:40:38 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2012/05/04 22:05:35 | 000,000,298 | -H-- | C] () -- C:\Users\Andrew\.JavaPowUpload.properties
    [2011/09/20 12:16:19 | 000,014,336 | -H-- | C] () -- C:\Users\Andrew\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2011/04/02 14:42:22 | 000,000,565 | ---- | C] () -- C:\Users\Andrew\AppData\Roaming\myMPQ.ini
    [2011/03/22 10:59:20 | 000,000,132 | ---- | C] () -- C:\Users\Andrew\AppData\Roaming\Adobe PNG Format CS5 Prefs
    [2011/03/14 11:39:24 | 000,000,132 | ---- | C] () -- C:\Users\Andrew\AppData\Roaming\Adobe GIF Format CS5 Prefs
    [2011/01/21 18:55:58 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
    [2011/01/12 15:59:59 | 000,064,317 | -H-- | C] () -- C:\Users\Andrew\Endocrine Big 5.pdf
    [2011/01/12 15:58:32 | 000,101,150 | -H-- | C] () -- C:\Users\Andrew\Toxicology Top 20.pdf
    [2011/01/12 15:58:16 | 000,092,240 | -H-- | C] () -- C:\Users\Andrew\Chronic Wasting Disease (CWD).pdf
    [2011/01/12 15:58:04 | 000,061,666 | -H-- | C] () -- C:\Users\Andrew\Ethylene Glycol (antifreeze) Poisoning.pdf
    [2011/01/12 15:57:51 | 000,059,734 | -H-- | C] () -- C:\Users\Andrew\Anticoagulant Rodenticide Toxicity.pdf
    [2011/01/12 15:57:40 | 000,053,296 | -H-- | C] () -- C:\Users\Andrew\Tetanus.pdf

    ========== ZeroAccess Check ==========

    [2009/07/14 00:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2009/07/13 21:16:14 | 012,866,560 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2009/07/13 21:15:20 | 000,605,696 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 21:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== LOP Check ==========

    [2013/10/15 19:31:43 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\.Torrent Stream
    [2013/02/22 21:39:28 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\7 Sticky Notes
    [2012/10/18 14:00:16 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\ASUS
    [2013/02/26 21:34:12 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\ASUS WebStorage
    [2012/06/17 14:17:14 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Avery
    [2012/09/07 19:01:59 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\AVG
    [2013/01/17 12:22:12 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\avidemux
    [2013/07/01 15:04:19 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
    [2012/12/04 05:29:44 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\calibre
    [2012/01/17 13:30:03 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2011/10/13 11:52:36 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\DAEMON Tools Lite
    [2011/07/05 10:18:07 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Eclipse
    [2011/11/27 21:10:17 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\funkitron
    [2011/10/13 11:47:25 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\HD Tune Pro
    [2011/01/08 16:06:44 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\ImgBurn
    [2013/04/20 12:41:27 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\KillProcess
    [2011/11/13 21:32:19 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Leadertech
    [2012/10/18 13:56:59 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Outlook
    [2011/01/11 17:11:03 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Softland
    [2011/04/01 05:51:51 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Sports Interactive
    [2013/02/10 19:55:41 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
    [2012/10/10 14:12:31 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\StreamTorrent
    [2011/03/01 07:43:12 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\TomTom
    [2011/01/25 10:59:19 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Trusteer
    [2013/04/02 20:40:13 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\TuneUp Software
    [2013/10/26 16:20:41 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\uTorrent
    [2011/02/22 10:43:14 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\webex
    [2011/07/04 18:32:45 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Windows Live Writer
    [2011/04/29 04:28:30 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\Trusteer
    [2013/01/31 20:22:31 | 000,000,000 | ---D | M] -- C:\Users\Default\AppData\Roaming\TuneUp Software
    [2011/04/29 04:28:30 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\Trusteer
    [2013/01/31 20:22:31 | 000,000,000 | ---D | M] -- C:\Users\Default User\AppData\Roaming\TuneUp Software
    [2011/04/29 04:28:30 | 000,000,000 | ---D | M] -- C:\Users\fixer\AppData\Roaming\Trusteer
    [2013/01/31 20:22:31 | 000,000,000 | ---D | M] -- C:\Users\fixer\AppData\Roaming\TuneUp Software

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 180 bytes -> C:\ProgramData\TEMP:0B4227B4
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2

    < End of report >
     
  18. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    [​IMG] Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Code:
    :OTL
    DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\windrvr6.sys -- (WinDriver6)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Andrew\AppData\Local\Temp\catchme.sys -- (catchme)
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    O2 - BHO: (no name) - AutorunsDisabled - No CLSID value found.
    O16 - DPF: {0972B098-DEE9-4279-AC7E-4BAAA029102D} http://assets.photobox.com/assets/aurigma/ImageUploader5.cab?20110926150838 (Reg Error: Key error.)
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://soem.webex.com/client/T27LC/webex/ieatgpc1.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    @Alternate Data Stream - 180 bytes -> C:\ProgramData\TEMP:0B4227B4
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    
    :Services
    
    :Reg
    
    :Files
    C:\FRST
    
    :Commands
    [purity]
    [emptytemp]
    [emptyjava]
    [emptyflash]
    [Reboot]
    
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

    Last scans...

    [​IMG] Download Security Check from here or here and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
    NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me.


    [​IMG] Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
      • Windows Defender
      • Other Services
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.

    [​IMG] Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.

    [​IMG] Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
     
  19. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    Ran all those scans. Please note I did NOT click on delete quarantine files for ESET - did not see to do that. Many thanks.

    All processes killed
    ========== OTL ==========
    Service WinDriver6 stopped successfully!
    Service WinDriver6 deleted successfully!
    File system32\drivers\windrvr6.sys not found.
    Service catchme stopped successfully!
    Service catchme deleted successfully!
    File C:\Users\Andrew\AppData\Local\Temp\catchme.sys not found.
    Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\AutorunsDisabled\ deleted successfully.
    Starting removal of ActiveX control {0972B098-DEE9-4279-AC7E-4BAAA029102D}
    C:\Windows\Downloaded Program Files\ImageUploader5.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0972B098-DEE9-4279-AC7E-4BAAA029102D}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0972B098-DEE9-4279-AC7E-4BAAA029102D}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0972B098-DEE9-4279-AC7E-4BAAA029102D}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0972B098-DEE9-4279-AC7E-4BAAA029102D}\ not found.
    Starting removal of ActiveX control {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
    C:\Windows\Downloaded Program Files\ieatgpc.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    ADS C:\ProgramData\TEMP:0B4227B4 deleted successfully.
    ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\FRST\Quarantine folder moved successfully.
    C:\FRST\Logs folder moved successfully.
    C:\FRST\Hives\Users\00000002 folder moved successfully.
    C:\FRST\Hives\Users\00000001 folder moved successfully.
    C:\FRST\Hives\Users folder moved successfully.
    C:\FRST\Hives folder moved successfully.
    C:\FRST folder moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Andrew
    ->Temp folder emptied: 13597851 bytes
    ->Temporary Internet Files folder emptied: 151540086 bytes
    ->Java cache emptied: 506807 bytes
    ->Google Chrome cache emptied: 353691585 bytes
    ->Flash cache emptied: 57978 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 57472 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes
     
  20. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    Farbar Service Scanner Version: 24-10-2013
    Ran by Andrew (administrator) on 31-10-2013 at 16:10:16
    Running from "C:\Users\Andrew\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DRZXWPPF"
    Microsoft Windows 7 Home Premium (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=DWORD:0


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\system32\nsisvc.dll => MD5 is legit
    C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
    C:\Windows\system32\dhcpcore.dll => MD5 is legit
    C:\Windows\system32\Drivers\afd.sys => MD5 is legit
    C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
    C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
    C:\Windows\system32\dnsrslvr.dll => MD5 is legit
    C:\Windows\system32\mpssvc.dll => MD5 is legit
    C:\Windows\system32\bfe.dll => MD5 is legit
    C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
    C:\Windows\system32\SDRSVC.dll => MD5 is legit
    C:\Windows\system32\vssvc.exe => MD5 is legit
    C:\Windows\system32\wscsvc.dll => MD5 is legit
    C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\Windows\system32\wuaueng.dll => MD5 is legit
    C:\Windows\system32\qmgr.dll => MD5 is legit
    C:\Windows\system32\es.dll => MD5 is legit
    C:\Windows\system32\cryptsvc.dll => MD5 is legit
    C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
    C:\Windows\system32\ipnathlp.dll => MD5 is legit
    C:\Windows\system32\iphlpsvc.dll => MD5 is legit
    C:\Windows\system32\svchost.exe => MD5 is legit
    C:\Windows\system32\rpcss.dll => MD5 is legit


    **** End of log ****

    ESET SCAN:

    C:\Users\Andrew\AppData\Roaming\AVG\Rescue\PC Tuneup 2011\130403102221074.rscmultiple threatsdeleted - quarantined
     
  21. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    I still need Security Check log.
     
  22. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    Sorry, missed this one.
    Results of screen317's Security Check version 0.99.76
    Windows 7 x86 (UAC is enabled)
    Out of date service pack!!
    Internet Explorer 10
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Disabled!
    COMODO Antivirus
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Spybot - Search & Destroy
    Malwarebytes Anti-Malware version 1.75.0.1300
    CCleaner
    Java(TM) 6 Update 32
    Java version out of Date!
    Google Chrome 30.0.1599.101
    Google Chrome 30.0.1599.69
    ````````Process Check: objlist.exe by Laurent````````
    Comodo Firewall cmdagent.exe
    Malwarebytes' Anti-Malware mbamscheduler.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 0%
    ````````````````````End of Log``````````````````````
     
  23. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    1. Update your Java version here: http://www.java.com/en/download/manual.jsp
    Alternate download: http://www.filehippo.com/search?q=java

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: If you're running 64-bit system make sure you install BOTH, 32-bit and 64-bit Java.

    Note 3: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it.
    • Run JavaRa.exe (Vista and 7 users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    =================================

    Your computer is clean [​IMG]

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point, using following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now, we'll remove all tools, we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    5. Check if your browser plugins are up to date.
    Firefox - https://www.mozilla.org/en-US/plugincheck/
    other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    8. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly.

    9. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    11. (Windows XP only) Run defrag at your convenience.

    12. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

    13. Read:
    How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
    Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

    14. Please, let me know, how your computer is doing.
     
  24. andy2082

    andy2082 TS Rookie Topic Starter Posts: 30

    Thanks Broni, followed those steps. So far no recurrence, computer doing well. Many thanks again, much appreciated. If I was to buy/download a virus checker / firewall package programme which would you recommend? I have Comodo currently but unsure how good it is.
     
  25. Broni

    Broni Malware Annihilator Posts: 47,975   +271

    Comodo is perfectly fine.

    Good luck and stay safe :)
     


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.