
Remnants from Ransom Removal



I was infected with the Ransom Trojan. I had Malwarebytes Pro running at the time but I still got infected. I ran Malwarebytes in safe mode with the latest update and it didn't detect it. I then ran Kaspersky rescue disk and that removed it, but when booting the computer (win7/pro) I get an error which I believe originates from the run.bat or start.bat? calling on a dll that no longer exists because it was part of the Ransom Trojan. The dll is called by SupportApp.bat. Is there a log I can view that tells me what is happening during boot-up? Can the boot instructions be edited?


Thank you, Jim


Hello jimthom and welcome! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter

    Note: Replace letter e with the drive letter of your flash drive.

  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Hi Maniac;

This is the txt file saved by FRST:

Thanks, Jim


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-07-2013
Ran by SYSTEM on 06-07-2013 14:27:07
Running from G:\
Windows 7 Professional (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [390720 2011-02-01] (Acronis)
HKLM-x32\...\Winlogon: [shell] C:\PROGRA~3\irinz6q.bat [x ] ()
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-04-27] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [ASUS Easy Update] C:\Program Files (x86)\ASUS\ASUS Easy Update\ALU.exe [195200 2009-12-30] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2013-03-15] (Google)
HKLM-x32\...\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [5550984 2011-09-22] (Acronis)
HKLM-x32\...\Run: [sAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe [2536760 2011-09-21] (Acronis)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [2236080 2013-06-26] ()
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe /S [740736 2012-08-03] (ASUS Cloud Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
AppInit_DLLs-x32: c:\progra~3\browse~1\25976~1.107\{c16c1~1\mngr.dll c:\progra~2\google\google~1\go36f4~1.dll [123392 2013-03-15] (Google)
Startup: C:\ProgramData\Start Menu\Programs\Startup\LaunchMate.lnk
ShortcutTarget: LaunchMate.lnk -> C:\Program Files (x86)\LaunchMate\LnchMate.exe (TDRWare)
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)

==================== Services (Whitelisted) =================

S3 ASOVPNHelper; C:\Program Files (x86)\Astrill\ASOvpnSvc.exe [434928 2012-05-25] (Astrill)
S3 ASProxy; C:\Program Files (x86)\Astrill\ASProxy.exe [1918888 2013-02-18] (Astrill)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-17] (AVG Technologies CZ, s.r.o.)
S3 GoogleDesktopManager-051210-111108; C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [30192 2013-03-15] (Google)
S2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [346976 2011-03-14] ()
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-03] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-03] (Malwarebytes Corporation)
S2 SCM_Service; C:\Windows\SysWOW64\WinService.exe [180224 2007-07-16] ()
S2 vToolbarUpdater15.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [1598128 2013-06-26] (AVG Secure Search)

==================== Drivers (Whitelisted) ====================

S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-04] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-04] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-06] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-06] ()
S3 asvpndrv; C:\Windows\System32\DRIVERS\asvpndrv.sys [31744 2012-02-29] (Astrill)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-28] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-07] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-07] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-20] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-06-26] (AVG Technologies)
S3 EST_BusEnum; C:\Windows\System32\DRIVERS\GenBus.sys [29696 2009-10-05] ( )
S3 EST_Server; C:\Windows\System32\DRIVERS\GenHC.sys [199168 2009-10-05] ( )
S3 IT9135BDA; C:\Windows\System32\Drivers\IT9135BDA.sys [164736 2012-09-30] (ITE                      )
S3 ITECIRfilter; C:\Windows\System32\DRIVERS\ITECIRfilter.sys [28264 2011-03-21] (ITE Tech. Inc. )
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [33096 2012-05-08] ()
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [33096 2012-05-08] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-03] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-03] (Malwarebytes Corporation)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-21] ()
S3 NUS_Bus; C:\Windows\System32\DRIVERS\NUS_Bus.sys [30208 2010-01-27] (Elite Silicon Technology Inc.)
S3 RTL8187; C:\Windows\System32\DRIVERS\wg111v2.sys [340992 2007-12-25] (NETGEAR Inc.)
S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-06 14:26 - 2013-07-06 14:26 - 00000000 ____D C:\FRST
2013-07-05 18:10 - 2013-07-05 18:10 - 00002549 ____A C:\Users\Jim\Desktop\Remnants from Ransom Removal - Malware Removal Help - Malwarebytes Forum.url
2013-07-04 20:09 - 2013-07-04 20:10 - 00006866 ____A C:\Users\Jim\Documents\cc_20130705_140944.reg
2013-07-04 19:57 - 2013-07-04 19:57 - 00001274 ____A C:\Windows\PFRO.log
2013-07-04 19:49 - 2013-07-04 19:49 - 00000000 ____D C:\Users\Jim\AppData\Roaming\OpenCandy
2013-07-04 19:33 - 2013-07-04 19:35 - 03469871 ____A (LIGHTNING UK!) C:\Users\Jim\Downloads\SetupImgBurn_2.5.8.0.exe
2013-07-04 19:23 - 2013-07-04 19:23 - 00043456 ____A C:\Users\Jim\Downloads\base_file_2.5.8.0.zip
2013-06-30 21:16 - 2013-06-30 21:15 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-06-28 17:09 - 2013-06-28 17:09 - 00064768 ____A C:\Users\Jim\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-28 17:08 - 2013-07-05 20:12 - 00001456 ____A C:\Windows\setupact.log
2013-06-28 17:08 - 2013-06-28 17:08 - 00297656 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-28 17:08 - 2013-06-28 17:08 - 00000000 ____A C:\Windows\setuperr.log
2013-06-27 04:19 - 2013-06-28 12:35 - 00000014 ____A C:\ProgramData\irinz6q.bat
2013-06-27 04:19 - 2013-06-27 16:15 - 95023320 ___AT C:\ProgramData\irinz6q.pad
2013-06-27 04:19 - 2013-06-27 16:15 - 00000000 ____A C:\ProgramData\kjhy64.txt
2013-06-27 04:19 - 2013-06-27 04:19 - 00000153 ____A C:\ProgramData\irinz6q.reg
2013-06-25 18:18 - 2013-06-25 19:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-06-25 04:55 - 2013-06-25 04:55 - 00000000 ____D C:\Program Files (x86)\Auslogics
2013-06-24 21:38 - 2013-07-05 14:58 - 00018471 ____A C:\Users\Jim\Documents\Blood Pressure.ods
2013-06-19 01:56 - 2013-07-05 15:08 - 00013969 ____A C:\Users\Jim\Documents\Forecast Data 3 days.ods
2013-06-17 21:42 - 2013-06-17 21:42 - 00000308 ____A C:\Users\Jim\Desktop\Home Oasis Kitchen & Bath Checkout.url
2013-06-16 04:57 - 2013-06-16 04:57 - 00051646 ____A C:\Users\Jim\Documents\cc_20130616_225704.reg
2013-06-11 19:19 - 2013-06-11 20:28 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-06-11 15:01 - 2013-05-16 20:05 - 17824768 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-11 15:01 - 2013-05-16 19:27 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-11 15:01 - 2013-05-16 19:09 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-11 15:01 - 2013-05-16 19:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-11 15:01 - 2013-05-16 19:02 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-11 15:01 - 2013-05-16 19:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-11 15:01 - 2013-05-16 19:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-11 15:01 - 2013-05-16 18:58 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-11 15:01 - 2013-05-16 18:56 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-11 15:01 - 2013-05-16 18:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-11 15:01 - 2013-05-16 18:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-11 15:01 - 2013-05-16 18:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-11 15:01 - 2013-05-16 18:53 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-11 15:01 - 2013-05-16 18:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-11 15:01 - 2013-05-16 18:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-11 15:01 - 2013-05-16 18:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-11 15:01 - 2013-05-16 15:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-11 15:01 - 2013-05-16 14:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-11 15:01 - 2013-05-16 14:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-11 15:01 - 2013-05-16 14:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-11 15:01 - 2013-05-16 14:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-11 15:01 - 2013-05-16 14:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-06-11 15:01 - 2013-05-16 14:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-06-11 15:01 - 2013-05-16 14:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-11 15:01 - 2013-05-16 14:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-11 15:01 - 2013-05-16 14:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-06-11 15:01 - 2013-05-16 14:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-06-11 15:01 - 2013-05-16 14:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-11 15:01 - 2013-05-16 14:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-11 15:01 - 2013-05-16 14:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-06-11 15:01 - 2013-05-16 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-11 15:01 - 2013-05-16 14:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-11 14:45 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 14:45 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 14:45 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 14:45 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 14:45 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-11 14:45 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-11 14:45 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-11 14:45 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 14:45 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-11 14:45 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-11 14:44 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 14:44 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-11 14:44 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 14:44 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 14:44 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-11 14:44 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-11 14:44 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-11 14:44 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-11 14:44 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-08 03:18 - 2013-07-05 20:12 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job

==================== One Month Modified Files and Folders =======

2013-07-06 14:26 - 2013-07-06 14:26 - 00000000 ____D C:\FRST
2013-07-05 20:15 - 2011-05-17 16:23 - 02056482 ____A C:\Windows\WindowsUpdate.log
2013-07-05 20:15 - 2009-07-13 20:45 - 00015408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-05 20:15 - 2009-07-13 20:45 - 00015408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-05 20:12 - 2013-06-28 17:08 - 00001456 ____A C:\Windows\setupact.log
2013-07-05 20:12 - 2013-06-08 03:18 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job
2013-07-05 20:12 - 2013-06-03 00:06 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-07-05 20:12 - 2011-12-10 18:10 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-05 20:12 - 2011-05-20 16:20 - 00000437 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2013-07-05 20:12 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-05 19:17 - 2012-06-11 07:29 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-05 19:10 - 2011-12-10 18:10 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-05 18:30 - 2009-07-13 21:13 - 00738832 ____A C:\Windows\System32\PerfStringBackup.INI
2013-07-05 18:10 - 2013-07-05 18:10 - 00002549 ____A C:\Users\Jim\Desktop\Remnants from Ransom Removal - Malware Removal Help - Malwarebytes Forum.url
2013-07-05 15:18 - 2011-07-03 00:58 - 00000000 ____D C:\ProgramData\opencpn
2013-07-05 15:08 - 2013-06-19 01:56 - 00013969 ____A C:\Users\Jim\Documents\Forecast Data 3 days.ods
2013-07-05 14:58 - 2013-06-24 21:38 - 00018471 ____A C:\Users\Jim\Documents\Blood Pressure.ods
2013-07-05 14:34 - 2011-05-18 02:24 - 00000000 ____D C:\ProgramData\MFAData
2013-07-05 04:39 - 2011-06-07 23:02 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Skype
2013-07-04 20:10 - 2013-07-04 20:09 - 00006866 ____A C:\Users\Jim\Documents\cc_20130705_140944.reg
2013-07-04 19:57 - 2013-07-04 19:57 - 00001274 ____A C:\Windows\PFRO.log
2013-07-04 19:49 - 2013-07-04 19:49 - 00000000 ____D C:\Users\Jim\AppData\Roaming\OpenCandy
2013-07-04 19:35 - 2013-07-04 19:33 - 03469871 ____A (LIGHTNING UK!) C:\Users\Jim\Downloads\SetupImgBurn_2.5.8.0.exe
2013-07-04 19:23 - 2013-07-04 19:23 - 00043456 ____A C:\Users\Jim\Downloads\base_file_2.5.8.0.zip
2013-07-03 21:11 - 2012-02-18 13:08 - 00000000 ____D C:\Windows\pss
2013-07-03 19:57 - 2013-01-06 19:33 - 00000000 ____D C:\Program Files (x86)\SupportAppCB
2013-07-03 14:02 - 2011-05-19 05:21 - 00000272 ____A C:\Users\Jim\Documents\spider.sav
2013-06-30 22:11 - 2012-09-05 22:45 - 00000000 ____D C:\Users\Jim\AppData\Local\Avg2013
2013-06-30 21:23 - 2012-09-05 23:10 - 00000000 ____D C:\Program Files (x86)\Java
2013-06-30 21:15 - 2013-06-30 21:16 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-06-30 21:15 - 2012-09-05 23:11 - 00867240 ____A (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll
2013-06-30 21:15 - 2011-05-20 20:43 - 00789416 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-06-28 17:09 - 2013-06-28 17:09 - 00064768 ____A C:\Users\Jim\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-28 17:08 - 2013-06-28 17:08 - 00297656 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-28 17:08 - 2013-06-28 17:08 - 00000000 ____A C:\Windows\setuperr.log
2013-06-28 15:56 - 2011-07-15 17:10 - 00000000 ____D C:\Users\Jim\AppData\Roaming\uTorrent
2013-06-28 12:35 - 2013-06-27 04:19 - 00000014 ____A C:\ProgramData\irinz6q.bat
2013-06-27 20:50 - 2012-09-05 22:55 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-06-27 16:15 - 2013-06-27 04:19 - 95023320 ___AT C:\ProgramData\irinz6q.pad
2013-06-27 16:15 - 2013-06-27 04:19 - 00000000 ____A C:\ProgramData\kjhy64.txt
2013-06-27 04:19 - 2013-06-27 04:19 - 00000153 ____A C:\ProgramData\irinz6q.reg
2013-06-26 23:27 - 2012-09-05 22:54 - 00045856 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-06-26 23:27 - 2012-09-05 22:54 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2013-06-25 19:17 - 2013-06-25 18:18 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-06-25 15:18 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-06-25 04:55 - 2013-06-25 04:55 - 00000000 ____D C:\Program Files (x86)\Auslogics
2013-06-21 04:29 - 2011-08-01 01:31 - 00000000 ____D C:\Users\Jim\AppData\Local\Mirillis
2013-06-20 01:21 - 2011-07-15 17:12 - 00000000 ____D C:\Program Files (x86)\uTorrent
2013-06-18 02:38 - 2013-06-01 15:05 - 00013451 ____A C:\Users\Jim\Documents\Forecast Data.ods
2013-06-17 21:42 - 2013-06-17 21:42 - 00000308 ____A C:\Users\Jim\Desktop\Home Oasis Kitchen & Bath Checkout.url
2013-06-16 04:57 - 2013-06-16 04:57 - 00051646 ____A C:\Users\Jim\Documents\cc_20130616_225704.reg
2013-06-15 05:20 - 2011-05-20 19:50 - 00000000 ____D C:\Program Files\CCleaner
2013-06-14 14:28 - 2009-07-13 21:08 - 00032562 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-13 14:24 - 2011-06-07 23:01 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-06-13 14:24 - 2011-06-07 23:01 - 00000000 ____D C:\ProgramData\Skype
2013-06-11 20:29 - 2012-04-02 04:21 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-11 20:29 - 2011-05-27 18:10 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-11 20:28 - 2013-06-11 19:19 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-06-11 14:56 - 2011-05-17 03:58 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

Files to move or delete:
====================
C:\Users\Jim\AppData\Roaming\skype.ini
C:\ProgramData\irinz6q.bat
C:\ProgramData\irinz6q.pad
C:\ProgramData\irinz6q.reg

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

Restore point made on: 2013-07-04 19:53:07

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4095.24 MB
Available physical RAM: 3448.89 MB
Total Pagefile: 4093.39 MB
Available Pagefile: 3442.36 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB

==================== Drives ================================

Drive c: (WIN7) (Fixed) (Total:80 GB) (Free:30.91 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:203.05 GB) (Free:188.26 GB) NTFS (Disk=0 Partition=3)
Drive g: () (Removable) (Total:0.1 GB) (Free:0.1 GB) FAT (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 05DA1A21)
Partition 1: (Not Active) - (Size=15 GB) - (Type=1B)
Partition 2: (Active) - (Size=80 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=203 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=39 MB) - (Type=EF)

========================================================
Disk: 2 (Size: 100 MB) (Disk ID: CD37E914)
Partition 1: (Active) - (Size=100 MB) - (Type=06)

LastRegBack: 2013-05-03 22:36

==================== End Of Log ============================


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open Notepad and select Paste). Save it on the flashdrive as fixlist.txt

HKLM-x32\...\Winlogon: [shell] C:\PROGRA~3\irinz6q.bat [x ] ()
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)
2013-06-27 04:19 - 2013-06-28 12:35 - 00000014 ____A C:\ProgramData\irinz6q.bat
2013-06-27 04:19 - 2013-06-27 16:15 - 95023320 ___AT C:\ProgramData\irinz6q.pad
2013-06-27 04:19 - 2013-06-27 16:15 - 00000000 ____A C:\ProgramData\kjhy64.txt
2013-06-27 04:19 - 2013-06-27 04:19 - 00000153 ____A C:\ProgramData\irinz6q.reg
C:\Users\Jim\AppData\Roaming\skype.ini

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.

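The triage Maniac does by eye in the two posts above (pull the Winlogon Shell hijack, the dangling Startup shortcut and the files FRST already flagged out of FRST.txt, then paste those lines verbatim into fixlist.txt) can be scripted. The following is an added example written for this thread; it is not FRST's code and was not posted by anyone here. The sample log is constructed from lines of the log above, and the rule names, severity levels and the "Header" section name are assumptions of this script.

```python
"""Triage an FRST.txt scan log for persistence remnants and emit the matching
fixlist lines. Added example; not FRST's own code."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule line")
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed sample in the shape of FRST.txt, modelled on the log in the thread.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [390720 2011-02-01] (Acronis)
HKLM-x32\...\Winlogon: [shell] C:\PROGRA~3\irinz6q.bat [x ] ()
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [2236080 2013-06-26] ()
AppInit_DLLs-x32: c:\progra~3\browse~1\25976~1.107\{c16c1~1\mngr.dll c:\progra~2\google\google~1\go36f4~1.dll [123392 2013-03-15] (Google)
Startup: C:\ProgramData\Start Menu\Programs\Startup\LaunchMate.lnk
ShortcutTarget: LaunchMate.lnk -> C:\Program Files (x86)\LaunchMate\LnchMate.exe (TDRWare)
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)

==================== Services (Whitelisted) =================

S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-03] (Malwarebytes Corporation)

Files to move or delete:
====================
C:\Users\Jim\AppData\Roaming\skype.ini
C:\ProgramData\irinz6q.bat
C:\ProgramData\irinz6q.pad
C:\ProgramData\irinz6q.reg

==================== End Of Log ============================
"""

HEADER = re.compile(r"^=+\s+(.+?)\s+=+\s*$")           # "==== Name ===="
WINLOGON_SHELL = re.compile(r"^HKLM(?:-x32)?\\\.\.\.\\Winlogon: \[shell\]\s+(.+)$", re.IGNORECASE)
SHORTCUT_NOFILE = re.compile(r"^ShortcutTarget: (\S+) -> (.+) \(No File\)$")


def parse_sections(text):
    """Split FRST output into {section name: [content lines]}."""
    sections = {"Header": []}            # "Header" is this script's name for the preamble
    current = "Header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"="}:
            continue                      # blank lines and bare "====" rules carry nothing
        m = HEADER.match(line)
        if m or line == "Files to move or delete:":
            current = m.group(1) if m else "Files to move or delete"
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def triage(sections):
    """Apply three persistence rules to the Registry section plus FRST's own
    flagged-file list; return findings sorted by severity."""
    findings = []
    for line in sections.get("Registry (Whitelisted)", []):
        m = WINLOGON_SHELL.match(line)
        if m and "explorer.exe" not in m.group(1).lower():
            # Winlogon\Shell normally holds explorer.exe; anything else runs
            # in place of the desktop shell at every logon.
            findings.append(Finding("HIGH", "winlogon-shell-hijack", line))
        elif SHORTCUT_NOFILE.match(line):
            # Startup-folder shortcut whose target is gone: the payload was
            # removed but its launcher was not, which produces the
            # boot-time "file not found" error the thread is about.
            findings.append(Finding("MEDIUM", "dangling-startup-shortcut", line))
        elif line.startswith("AppInit_DLLs"):
            # AppInit_DLLs loads the listed DLLs into every process that
            # maps user32.dll; rarely needed by legitimate software, so review it.
            findings.append(Finding("LOW", "appinit-dlls-present", line))
    for line in sections.get("Files to move or delete", []):
        # FRST already decided these should go; carry them straight through.
        findings.append(Finding("HIGH", "frst-flagged-file", line))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def build_fixlist(findings, min_severity="MEDIUM"):
    """FRST's Fix step consumes log lines verbatim (compare the fixlist posted in
    the thread), so the fixlist is the flagged lines, de-duplicated.
    LOW findings are left for manual review rather than auto-fixed."""
    lines = []
    for f in findings:
        if SEVERITY_RANK[f.severity] <= SEVERITY_RANK[min_severity] and f.line not in lines:
            lines.append(f.line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(parse_sections(SAMPLE_LOG))
    for f in found:
        print(f"{f.severity:6} {f.rule:26} {f.line}")
    print("\n--- fixlist.txt ---")
    print(build_fixlist(found), end="")
```

Run it against a real FRST.txt by replacing SAMPLE_LOG with the file contents; the generated fixlist still deserves a human read before the Fix button is pressed, for the same reason Maniac's NOTICE gives: the lines are specific to one machine.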

Thanks Maniac, here is the text file from the Fixlog:


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-07-2013
Ran by SYSTEM at 2013-07-07 16:34:33 Run:1
Running from G:\
Boot Mode: Recovery
==============================================

HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value was restored successfully.
C:\PROGRA~3\q6zniri.dat not found.
C:\ProgramData\irinz6q.bat => Moved successfully.
C:\ProgramData\irinz6q.pad => Moved successfully.
C:\ProgramData\kjhy64.txt => Moved successfully.
C:\ProgramData\irinz6q.reg => Moved successfully.
C:\Users\Jim\AppData\Roaming\skype.ini => Moved successfully.

==== End of Fixlog ====


Maniac, when I boot normally there is still the error message regarding 'file not found' from, I think:

Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)

Can I now just delete the entire folder C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup?

I can also disable it with CCleaner so it doesn't run at startup.

Thanks, Jim


Here it is:


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-07-2013
Ran by SYSTEM on 08-07-2013 22:52:15
Running from G:\
Windows 7 Professional (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [390720 2011-02-01] (Acronis)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-04-27] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [ASUS Easy Update] C:\Program Files (x86)\ASUS\ASUS Easy Update\ALU.exe [195200 2009-12-30] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2013-03-15] (Google)
HKLM-x32\...\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [5550984 2011-09-22] (Acronis)
HKLM-x32\...\Run: [sAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe [2536760 2011-09-21] (Acronis)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [2236080 2013-06-26] ()
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe /S [740736 2012-08-03] (ASUS Cloud Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
AppInit_DLLs-x32: c:\progra~3\browse~1\25976~1.107\{c16c1~1\mngr.dll c:\progra~2\google\google~1\go36f4~1.dll [123392 2013-03-15] (Google)
Startup: C:\ProgramData\Start Menu\Programs\Startup\LaunchMate.lnk
ShortcutTarget: LaunchMate.lnk -> C:\Program Files (x86)\LaunchMate\LnchMate.exe (TDRWare)
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)

==================== Services (Whitelisted) =================

S3 ASOVPNHelper; C:\Program Files (x86)\Astrill\ASOvpnSvc.exe [434928 2012-05-25] (Astrill)
S3 ASProxy; C:\Program Files (x86)\Astrill\ASProxy.exe [1918888 2013-02-18] (Astrill)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-17] (AVG Technologies CZ, s.r.o.)
S3 GoogleDesktopManager-051210-111108; C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [30192 2013-03-15] (Google)
S2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [346976 2011-03-14] ()
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-03] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-03] (Malwarebytes Corporation)
S2 SCM_Service; C:\Windows\SysWOW64\WinService.exe [180224 2007-07-16] ()
S2 vToolbarUpdater15.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [1598128 2013-06-26] (AVG Secure Search)

==================== Drivers (Whitelisted) ====================

S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-04] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-04] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-06] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-06] ()
S3 asvpndrv; C:\Windows\System32\DRIVERS\asvpndrv.sys [31744 2012-02-29] (Astrill)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-28] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-07] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-07] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-20] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-06-26] (AVG Technologies)
S3 EST_BusEnum; C:\Windows\System32\DRIVERS\GenBus.sys [29696 2009-10-05] ( )
S3 EST_Server; C:\Windows\System32\DRIVERS\GenHC.sys [199168 2009-10-05] ( )
S3 IT9135BDA; C:\Windows\System32\Drivers\IT9135BDA.sys [164736 2012-09-30] (ITE                      )
S3 ITECIRfilter; C:\Windows\System32\DRIVERS\ITECIRfilter.sys [28264 2011-03-21] (ITE Tech. Inc. )
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [33096 2012-05-08] ()
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [33096 2012-05-08] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-03] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-03] (Malwarebytes Corporation)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-21] ()
S3 NUS_Bus; C:\Windows\System32\DRIVERS\NUS_Bus.sys [30208 2010-01-27] (Elite Silicon Technology Inc.)
S3 RTL8187; C:\Windows\System32\DRIVERS\wg111v2.sys [340992 2007-12-25] (NETGEAR Inc.)
S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-08 03:29 - 2013-07-08 03:30 - 00009212 ____A C:\Users\Jim\Documents\Offshore.ods
2013-07-06 14:26 - 2013-07-06 14:26 - 00000000 ____D C:\FRST
2013-07-05 18:10 - 2013-07-05 18:10 - 00002549 ____A C:\Users\Jim\Desktop\Remnants from Ransom Removal - Malware Removal Help - Malwarebytes Forum.url
2013-07-04 20:09 - 2013-07-04 20:10 - 00006866 ____A C:\Users\Jim\Documents\cc_20130705_140944.reg
2013-07-04 19:57 - 2013-07-04 19:57 - 00001274 ____A C:\Windows\PFRO.log
2013-07-04 19:49 - 2013-07-04 19:49 - 00000000 ____D C:\Users\Jim\AppData\Roaming\OpenCandy
2013-07-04 19:33 - 2013-07-04 19:35 - 03469871 ____A (LIGHTNING UK!) C:\Users\Jim\Downloads\SetupImgBurn_2.5.8.0.exe
2013-07-04 19:23 - 2013-07-04 19:23 - 00043456 ____A C:\Users\Jim\Downloads\base_file_2.5.8.0.zip
2013-06-30 21:16 - 2013-06-30 21:15 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-06-28 17:09 - 2013-06-28 17:09 - 00064768 ____A C:\Users\Jim\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-28 17:08 - 2013-07-08 04:42 - 00001960 ____A C:\Windows\setupact.log
2013-06-28 17:08 - 2013-06-28 17:08 - 00297656 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-28 17:08 - 2013-06-28 17:08 - 00000000 ____A C:\Windows\setuperr.log
2013-06-25 18:18 - 2013-06-25 19:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-06-25 04:55 - 2013-06-25 04:55 - 00000000 ____D C:\Program Files (x86)\Auslogics
2013-06-24 21:38 - 2013-07-07 21:25 - 00019412 ____A C:\Users\Jim\Documents\Blood Pressure.ods
2013-06-19 01:56 - 2013-07-05 15:08 - 00013969 ____A C:\Users\Jim\Documents\Forecast Data 3 days.ods
2013-06-17 21:42 - 2013-06-17 21:42 - 00000308 ____A C:\Users\Jim\Desktop\Home Oasis Kitchen & Bath Checkout.url
2013-06-16 04:57 - 2013-06-16 04:57 - 00051646 ____A C:\Users\Jim\Documents\cc_20130616_225704.reg
2013-06-11 19:19 - 2013-06-11 20:28 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-06-11 15:01 - 2013-05-16 20:05 - 17824768 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-11 15:01 - 2013-05-16 19:27 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-11 15:01 - 2013-05-16 19:09 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-11 15:01 - 2013-05-16 19:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-11 15:01 - 2013-05-16 19:02 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-11 15:01 - 2013-05-16 19:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-11 15:01 - 2013-05-16 19:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-11 15:01 - 2013-05-16 18:58 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-11 15:01 - 2013-05-16 18:56 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-11 15:01 - 2013-05-16 18:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-11 15:01 - 2013-05-16 18:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-11 15:01 - 2013-05-16 18:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-11 15:01 - 2013-05-16 18:53 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-11 15:01 - 2013-05-16 18:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-11 15:01 - 2013-05-16 18:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-11 15:01 - 2013-05-16 18:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-11 15:01 - 2013-05-16 15:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-11 15:01 - 2013-05-16 14:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-11 15:01 - 2013-05-16 14:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-11 15:01 - 2013-05-16 14:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-11 15:01 - 2013-05-16 14:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-11 15:01 - 2013-05-16 14:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-06-11 15:01 - 2013-05-16 14:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-06-11 15:01 - 2013-05-16 14:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-11 15:01 - 2013-05-16 14:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-11 15:01 - 2013-05-16 14:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-06-11 15:01 - 2013-05-16 14:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-06-11 15:01 - 2013-05-16 14:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-11 15:01 - 2013-05-16 14:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-11 15:01 - 2013-05-16 14:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-06-11 15:01 - 2013-05-16 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-11 15:01 - 2013-05-16 14:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-11 14:45 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 14:45 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 14:45 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 14:45 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 14:45 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-11 14:45 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-11 14:45 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-11 14:45 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 14:45 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-11 14:45 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-11 14:44 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 14:44 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-11 14:44 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 14:44 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 14:44 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-11 14:44 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-11 14:44 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-11 14:44 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-11 14:44 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll
2013-06-08 03:18 - 2013-07-08 04:42 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job

==================== One Month Modified Files and Folders =======

2013-07-08 04:46 - 2011-05-17 16:23 - 01058728 ____A C:\Windows\WindowsUpdate.log
2013-07-08 04:46 - 2009-07-13 20:45 - 00015408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-08 04:46 - 2009-07-13 20:45 - 00015408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-08 04:43 - 2011-05-20 16:20 - 00000437 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2013-07-08 04:42 - 2013-06-28 17:08 - 00001960 ____A C:\Windows\setupact.log
2013-07-08 04:42 - 2013-06-08 03:18 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job
2013-07-08 04:42 - 2013-06-03 00:06 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-07-08 04:42 - 2011-12-10 18:10 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-08 04:42 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-08 04:17 - 2012-06-11 07:29 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-08 04:10 - 2011-12-10 18:10 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-08 04:08 - 2011-06-07 23:02 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Skype
2013-07-08 03:30 - 2013-07-08 03:29 - 00009212 ____A C:\Users\Jim\Documents\Offshore.ods
2013-07-07 23:59 - 2011-05-18 02:24 - 00000000 ____D C:\ProgramData\MFAData
2013-07-07 21:25 - 2013-06-24 21:38 - 00019412 ____A C:\Users\Jim\Documents\Blood Pressure.ods
2013-07-06 23:20 - 2009-07-13 21:13 - 00738832 ____A C:\Windows\System32\PerfStringBackup.INI
2013-07-06 22:05 - 2012-02-18 13:08 - 00000000 ____D C:\Windows\pss
2013-07-06 14:26 - 2013-07-06 14:26 - 00000000 ____D C:\FRST
2013-07-06 02:19 - 2011-07-03 00:58 - 00000000 ____D C:\ProgramData\opencpn
2013-07-05 18:10 - 2013-07-05 18:10 - 00002549 ____A C:\Users\Jim\Desktop\Remnants from Ransom Removal - Malware Removal Help - Malwarebytes Forum.url
2013-07-05 15:08 - 2013-06-19 01:56 - 00013969 ____A C:\Users\Jim\Documents\Forecast Data 3 days.ods
2013-07-04 20:10 - 2013-07-04 20:09 - 00006866 ____A C:\Users\Jim\Documents\cc_20130705_140944.reg
2013-07-04 19:57 - 2013-07-04 19:57 - 00001274 ____A C:\Windows\PFRO.log
2013-07-04 19:49 - 2013-07-04 19:49 - 00000000 ____D C:\Users\Jim\AppData\Roaming\OpenCandy
2013-07-04 19:35 - 2013-07-04 19:33 - 03469871 ____A (LIGHTNING UK!) C:\Users\Jim\Downloads\SetupImgBurn_2.5.8.0.exe
2013-07-04 19:23 - 2013-07-04 19:23 - 00043456 ____A C:\Users\Jim\Downloads\base_file_2.5.8.0.zip
2013-07-03 19:57 - 2013-01-06 19:33 - 00000000 ____D C:\Program Files (x86)\SupportAppCB
2013-07-03 14:02 - 2011-05-19 05:21 - 00000272 ____A C:\Users\Jim\Documents\spider.sav
2013-06-30 22:11 - 2012-09-05 22:45 - 00000000 ____D C:\Users\Jim\AppData\Local\Avg2013
2013-06-30 21:23 - 2012-09-05 23:10 - 00000000 ____D C:\Program Files (x86)\Java
2013-06-30 21:15 - 2013-06-30 21:16 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-06-30 21:15 - 2012-09-05 23:11 - 00867240 ____A (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll
2013-06-30 21:15 - 2011-05-20 20:43 - 00789416 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-06-28 17:09 - 2013-06-28 17:09 - 00064768 ____A C:\Users\Jim\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-28 17:08 - 2013-06-28 17:08 - 00297656 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-28 17:08 - 2013-06-28 17:08 - 00000000 ____A C:\Windows\setuperr.log
2013-06-28 15:56 - 2011-07-15 17:10 - 00000000 ____D C:\Users\Jim\AppData\Roaming\uTorrent
2013-06-27 20:50 - 2012-09-05 22:55 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-06-26 23:27 - 2012-09-05 22:54 - 00045856 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-06-26 23:27 - 2012-09-05 22:54 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2013-06-25 19:17 - 2013-06-25 18:18 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-06-25 15:18 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-06-25 04:55 - 2013-06-25 04:55 - 00000000 ____D C:\Program Files (x86)\Auslogics
2013-06-21 04:29 - 2011-08-01 01:31 - 00000000 ____D C:\Users\Jim\AppData\Local\Mirillis
2013-06-20 01:21 - 2011-07-15 17:12 - 00000000 ____D C:\Program Files (x86)\uTorrent
2013-06-18 02:38 - 2013-06-01 15:05 - 00013451 ____A C:\Users\Jim\Documents\Forecast Data.ods
2013-06-17 21:42 - 2013-06-17 21:42 - 00000308 ____A C:\Users\Jim\Desktop\Home Oasis Kitchen & Bath Checkout.url
2013-06-16 04:57 - 2013-06-16 04:57 - 00051646 ____A C:\Users\Jim\Documents\cc_20130616_225704.reg
2013-06-15 05:20 - 2011-05-20 19:50 - 00000000 ____D C:\Program Files\CCleaner
2013-06-14 14:28 - 2009-07-13 21:08 - 00032562 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-13 14:24 - 2011-06-07 23:01 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-06-13 14:24 - 2011-06-07 23:01 - 00000000 ____D C:\ProgramData\Skype
2013-06-11 20:29 - 2012-04-02 04:21 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-11 20:29 - 2011-05-27 18:10 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-11 20:28 - 2013-06-11 19:19 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-06-11 14:56 - 2011-05-17 03:58 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4095.24 MB
Available physical RAM: 3450.04 MB
Total Pagefile: 4093.39 MB
Available Pagefile: 3436.92 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: (WIN7) (Fixed) (Total:80 GB) (Free:32.75 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:203.05 GB) (Free:188.26 GB) NTFS (Disk=0 Partition=3)
Drive f: (CD_ROM) (CDROM) (Total:0.19 GB) (Free:0 GB) CDFS
Drive g: () (Removable) (Total:0.1 GB) (Free:0.1 GB) FAT (Disk=2 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 05DA1A21)
Partition 1: (Not Active) - (Size=15 GB) - (Type=1B)
Partition 2: (Active) - (Size=80 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=203 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=39 MB) - (Type=EF)

========================================================
Disk: 2 (Size: 100 MB) (Disk ID: CD37E914)
Partition 1: (Active) - (Size=100 MB) - (Type=06)

LastRegBack: 2013-05-03 22:36

==================== End Of Log ============================

Thanks, Maniac


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flashdrive as fixlist.txt

ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.

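The fixlist line above targets a Startup-folder shortcut whose file no longer exists. As an added check (example code written for this page, not part of the thread or of FRST), the following PowerShell lists every shortcut in the per-user and all-users Startup folders whose target, or the module named in a rundll32 shortcut's first argument, is missing on disk; the rundll32 handling is an assumption about how such a shortcut may be built, not something the log states.

```powershell
# Added example: list Startup-folder shortcuts whose target (or the module a
# rundll32 shortcut names in its first argument) no longer exists on disk.
# Written as an illustration for this thread; it is not part of FRST.
function Get-OrphanedStartupShortcuts {
    # Per-user and all-users Startup folders (the log's regmonstd.lnk is in the per-user one)
    $dirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    $shell = New-Object -ComObject WScript.Shell

    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $links = Get-ChildItem -LiteralPath $dir -Filter '*.lnk' |
                 Where-Object { -not $_.PSIsContainer }
        foreach ($file in $links) {
            $lnk    = $shell.CreateShortcut($file.FullName)
            $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
            $checks = @()
            if ($target) { $checks += $target }

            # Assumption: a shortcut that launches rundll32 names the real module as the
            # first comma-separated argument, e.g.  "C:\PROGRA~3\file.dat",EntryPoint
            if ($target -match 'rundll32\.exe$' -and $lnk.Arguments) {
                $module  = ($lnk.Arguments -split ',')[0].Trim().Trim('"')
                $checks += [Environment]::ExpandEnvironmentVariables($module)
            }

            # Test-Path resolves 8.3 short names such as C:\PROGRA~3, so the
            # path can be checked in the same form the log shows it
            $missing = @($checks | Where-Object { $_ -and -not (Test-Path -LiteralPath $_) })
            if ($missing.Count -gt 0) {
                New-Object PSObject -Property @{
                    Shortcut  = $file.FullName
                    Target    = $target
                    Arguments = $lnk.Arguments
                    Missing   = ($missing -join '; ')
                }
            }
        }
    }
}

# Each entry reported here is a logon item that fails at boot because its
# file is gone, which is what produces the Rundll "module could not be found" dialog
Get-OrphanedStartupShortcuts | Format-List
```

A shortcut reported by this check is what the fixlist entry is meant to clear; an empty report after the fix confirms the orphaned logon item is gone.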

Maniac, the error message still appears on normal booting: 

Rundll

There was a problem starting c:\PROGRA~3\q6zniri.dat

The specified module could not be found

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-07-2013
Ran by SYSTEM at 2013-07-09 08:43:52 Run:2
Running from F:\
Boot Mode: Recovery
==============================================

C:\PROGRA~3\q6zniri.dat not found.

==== End of Fixlog ====


The new one, Maniac:

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 04-07-2013
Ran by SYSTEM on 09-07-2013 22:45:56
Running from F:\
Windows 7 Professional (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe" [390720 2011-02-01] (Acronis)
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-04-27] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [ASUS Easy Update] C:\Program Files (x86)\ASUS\ASUS Easy Update\ALU.exe [195200 2009-12-30] (ASUSTeK Computer Inc.)
HKLM-x32\...\Run: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup [30192 2013-03-15] (Google)
HKLM-x32\...\Run: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe" [5550984 2011-09-22] (Acronis)
HKLM-x32\...\Run: [sAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe [2536760 2011-09-21] (Acronis)
HKLM-x32\...\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY [4408368 2013-04-28] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe" [2236080 2013-06-26] ()
HKLM-x32\...\Run: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe /S [740736 2012-08-03] (ASUS Cloud Corporation)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
AppInit_DLLs-x32: c:\progra~3\browse~1\25976~1.107\{c16c1~1\mngr.dll c:\progra~2\google\google~1\go36f4~1.dll [123392 2013-03-15] (Google)
Startup: C:\ProgramData\Start Menu\Programs\Startup\LaunchMate.lnk
ShortcutTarget: LaunchMate.lnk -> C:\Program Files (x86)\LaunchMate\LnchMate.exe (TDRWare)
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)

==================== Services (Whitelisted) =================

S3 ASOVPNHelper; C:\Program Files (x86)\Astrill\ASOvpnSvc.exe [434928 2012-05-25] (Astrill)
S3 ASProxy; C:\Program Files (x86)\Astrill\ASProxy.exe [1918888 2013-02-18] (Astrill)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4937264 2013-05-13] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-04-17] (AVG Technologies CZ, s.r.o.)
S3 GoogleDesktopManager-051210-111108; C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe [30192 2013-03-15] (Google)
S2 HWDeviceService64.exe; C:\ProgramData\DatacardService\HWDeviceService64.exe [346976 2011-03-14] ()
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-03] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-03] (Malwarebytes Corporation)
S2 SCM_Service; C:\Windows\SysWOW64\WinService.exe [180224 2007-07-16] ()
S2 vToolbarUpdater15.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe [1598128 2013-06-26] (AVG Secure Search)

==================== Drivers (Whitelisted) ====================

S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
S2 ASInsHelp; C:\Windows\SysWow64\drivers\AsInsHelp64.sys [11832 2008-01-04] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-04] ()
S1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2009-08-04] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-06] ()
S1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [13368 2009-07-06] ()
S3 asvpndrv; C:\Windows\System32\DRIVERS\asvpndrv.sys [31744 2012-02-29] (Astrill)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-03-28] (AVG Technologies CZ, s.r.o.)
S0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-02-07] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [206136 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311096 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-02-07] (AVG Technologies CZ, s.r.o.)
S0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-02-07] (AVG Technologies CZ, s.r.o.)
S1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2013-03-20] (AVG Technologies CZ, s.r.o.)
S1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [45856 2013-06-26] (AVG Technologies)
S3 EST_BusEnum; C:\Windows\System32\DRIVERS\GenBus.sys [29696 2009-10-05] ( )
S3 EST_Server; C:\Windows\System32\DRIVERS\GenHC.sys [199168 2009-10-05] ( )
S3 IT9135BDA; C:\Windows\System32\Drivers\IT9135BDA.sys [164736 2012-09-30] (ITE                      )
S3 ITECIRfilter; C:\Windows\System32\DRIVERS\ITECIRfilter.sys [28264 2011-03-21] (ITE Tech. Inc. )
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [33096 2012-05-08] ()
S3 mbamchameleon; C:\Windows\system32\drivers\mbamchameleon.sys [33096 2012-05-08] ()
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-03] (Malwarebytes Corporation)
S3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-03] (Malwarebytes Corporation)
S3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [15416 2009-07-21] ()
S3 NUS_Bus; C:\Windows\System32\DRIVERS\NUS_Bus.sys [30208 2010-01-27] (Elite Silicon Technology Inc.)
S3 RTL8187; C:\Windows\System32\DRIVERS\wg111v2.sys [340992 2007-12-25] (NETGEAR Inc.)
S3 ewusbnet; system32\DRIVERS\ewusbnet.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-07-08 03:29 - 2013-07-09 01:44 - 00009911 ____A C:\Users\Jim\Documents\Offshore.ods
2013-07-06 14:26 - 2013-07-06 14:26 - 00000000 ____D C:\FRST
2013-07-05 18:10 - 2013-07-05 18:10 - 00002549 ____A C:\Users\Jim\Desktop\Remnants from Ransom Removal - Malware Removal Help - Malwarebytes Forum.url
2013-07-04 20:09 - 2013-07-04 20:10 - 00006866 ____A C:\Users\Jim\Documents\cc_20130705_140944.reg
2013-07-04 19:57 - 2013-07-04 19:57 - 00001274 ____A C:\Windows\PFRO.log
2013-07-04 19:49 - 2013-07-04 19:49 - 00000000 ____D C:\Users\Jim\AppData\Roaming\OpenCandy
2013-07-04 19:33 - 2013-07-04 19:35 - 03469871 ____A (LIGHTNING UK!) C:\Users\Jim\Downloads\SetupImgBurn_2.5.8.0.exe
2013-07-04 19:23 - 2013-07-04 19:23 - 00043456 ____A C:\Users\Jim\Downloads\base_file_2.5.8.0.zip
2013-06-30 21:16 - 2013-06-30 21:15 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-06-28 17:09 - 2013-06-28 17:09 - 00064768 ____A C:\Users\Jim\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-28 17:08 - 2013-07-08 14:45 - 00002184 ____A C:\Windows\setupact.log
2013-06-28 17:08 - 2013-06-28 17:08 - 00297656 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-28 17:08 - 2013-06-28 17:08 - 00000000 ____A C:\Windows\setuperr.log
2013-06-25 18:18 - 2013-06-25 19:17 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-06-25 04:55 - 2013-06-25 04:55 - 00000000 ____D C:\Program Files (x86)\Auslogics
2013-06-24 21:38 - 2013-07-08 15:00 - 00019607 ____A C:\Users\Jim\Documents\Blood Pressure.ods
2013-06-19 01:56 - 2013-07-05 15:08 - 00013969 ____A C:\Users\Jim\Documents\Forecast Data 3 days.ods
2013-06-17 21:42 - 2013-06-17 21:42 - 00000308 ____A C:\Users\Jim\Desktop\Home Oasis Kitchen & Bath Checkout.url
2013-06-16 04:57 - 2013-06-16 04:57 - 00051646 ____A C:\Users\Jim\Documents\cc_20130616_225704.reg
2013-06-11 19:19 - 2013-06-11 20:28 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-06-11 15:01 - 2013-05-16 20:05 - 17824768 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-06-11 15:01 - 2013-05-16 19:27 - 10926080 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-06-11 15:01 - 2013-05-16 19:09 - 02312704 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-06-11 15:01 - 2013-05-16 19:02 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-06-11 15:01 - 2013-05-16 19:02 - 01346560 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-06-11 15:01 - 2013-05-16 19:01 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-06-11 15:01 - 2013-05-16 19:00 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-06-11 15:01 - 2013-05-16 18:58 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-06-11 15:01 - 2013-05-16 18:56 - 00599040 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-06-11 15:01 - 2013-05-16 18:56 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-06-11 15:01 - 2013-05-16 18:55 - 00816640 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-06-11 15:01 - 2013-05-16 18:54 - 00729088 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-06-11 15:01 - 2013-05-16 18:53 - 02147840 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-06-11 15:01 - 2013-05-16 18:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-06-11 15:01 - 2013-05-16 18:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-06-11 15:01 - 2013-05-16 18:46 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-06-11 15:01 - 2013-05-16 15:08 - 12329984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-06-11 15:01 - 2013-05-16 14:49 - 09738752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-06-11 15:01 - 2013-05-16 14:39 - 01800704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-06-11 15:01 - 2013-05-16 14:28 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-06-11 15:01 - 2013-05-16 14:28 - 01104384 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-06-11 15:01 - 2013-05-16 14:27 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-06-11 15:01 - 2013-05-16 14:26 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-06-11 15:01 - 2013-05-16 14:23 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-06-11 15:01 - 2013-05-16 14:21 - 00717824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-06-11 15:01 - 2013-05-16 14:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-06-11 15:01 - 2013-05-16 14:20 - 00420864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-06-11 15:01 - 2013-05-16 14:19 - 00607744 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-06-11 15:01 - 2013-05-16 14:17 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-06-11 15:01 - 2013-05-16 14:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-06-11 15:01 - 2013-05-16 14:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-06-11 15:01 - 2013-05-16 14:12 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-06-11 14:45 - 2013-05-12 21:51 - 01464320 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-06-11 14:45 - 2013-05-12 21:51 - 00184320 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2013-06-11 14:45 - 2013-05-12 21:51 - 00139776 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2013-06-11 14:45 - 2013-05-12 21:50 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\certenc.dll
2013-06-11 14:45 - 2013-05-12 20:45 - 01160192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2013-06-11 14:45 - 2013-05-12 20:45 - 00140288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2013-06-11 14:45 - 2013-05-12 20:45 - 00103936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2013-06-11 14:45 - 2013-05-12 19:43 - 01192448 ____A (Microsoft Corporation) C:\Windows\System32\certutil.exe
2013-06-11 14:45 - 2013-05-12 19:08 - 00903168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certutil.exe
2013-06-11 14:45 - 2013-05-12 19:08 - 00043008 ____A (Microsoft Corporation) C:\Windows\SysWOW64\certenc.dll
2013-06-11 14:44 - 2013-05-09 21:49 - 00030720 ____A (Microsoft Corporation) C:\Windows\System32\cryptdlg.dll
2013-06-11 14:44 - 2013-05-09 19:20 - 00024576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptdlg.dll
2013-06-11 14:44 - 2013-05-07 22:39 - 01910632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2013-06-11 14:44 - 2013-04-25 21:51 - 00751104 ____A (Microsoft Corporation) C:\Windows\System32\win32spl.dll
2013-06-11 14:44 - 2013-04-25 20:55 - 00492544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\win32spl.dll
2013-06-11 14:44 - 2013-04-25 15:30 - 01505280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\d3d11.dll
2013-06-11 14:44 - 2013-04-16 23:02 - 01230336 ____A (Microsoft Corporation) C:\Windows\SysWOW64\WindowsCodecs.dll
2013-06-11 14:44 - 2013-04-16 22:24 - 01424384 ____A (Microsoft Corporation) C:\Windows\System32\WindowsCodecs.dll
2013-06-11 14:44 - 2013-03-31 14:52 - 01887232 ____A (Microsoft Corporation) C:\Windows\System32\d3d11.dll

==================== One Month Modified Files and Folders =======

2013-07-09 04:35 - 2011-05-17 16:23 - 01079074 ____A C:\Windows\WindowsUpdate.log
2013-07-09 04:17 - 2012-06-11 07:29 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-07-09 04:10 - 2011-12-10 18:10 - 00000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-07-09 01:44 - 2013-07-08 03:29 - 00009911 ____A C:\Users\Jim\Documents\Offshore.ods
2013-07-09 00:12 - 2011-05-18 02:24 - 00000000 ____D C:\ProgramData\MFAData
2013-07-08 22:10 - 2011-12-10 18:10 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-07-08 17:02 - 2011-07-03 00:58 - 00000000 ____D C:\ProgramData\opencpn
2013-07-08 15:00 - 2013-06-24 21:38 - 00019607 ____A C:\Users\Jim\Documents\Blood Pressure.ods
2013-07-08 14:53 - 2009-07-13 20:45 - 00015408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-07-08 14:53 - 2009-07-13 20:45 - 00015408 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-07-08 14:46 - 2011-05-20 16:20 - 00000437 ____A C:\Windows\System32\Drivers\etc\hosts.ics
2013-07-08 14:45 - 2013-06-28 17:08 - 00002184 ____A C:\Windows\setupact.log
2013-07-08 14:45 - 2013-06-08 03:18 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_HP_rmv.job
2013-07-08 14:45 - 2013-06-03 00:06 - 00000350 ____A C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-07-08 14:45 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-07-08 05:03 - 2009-07-13 21:13 - 00738832 ____A C:\Windows\System32\PerfStringBackup.INI
2013-07-08 04:08 - 2011-06-07 23:02 - 00000000 ____D C:\Users\Jim\AppData\Roaming\Skype
2013-07-06 22:05 - 2012-02-18 13:08 - 00000000 ____D C:\Windows\pss
2013-07-06 14:26 - 2013-07-06 14:26 - 00000000 ____D C:\FRST
2013-07-05 18:10 - 2013-07-05 18:10 - 00002549 ____A C:\Users\Jim\Desktop\Remnants from Ransom Removal - Malware Removal Help - Malwarebytes Forum.url
2013-07-05 15:08 - 2013-06-19 01:56 - 00013969 ____A C:\Users\Jim\Documents\Forecast Data 3 days.ods
2013-07-04 20:10 - 2013-07-04 20:09 - 00006866 ____A C:\Users\Jim\Documents\cc_20130705_140944.reg
2013-07-04 19:57 - 2013-07-04 19:57 - 00001274 ____A C:\Windows\PFRO.log
2013-07-04 19:49 - 2013-07-04 19:49 - 00000000 ____D C:\Users\Jim\AppData\Roaming\OpenCandy
2013-07-04 19:35 - 2013-07-04 19:33 - 03469871 ____A (LIGHTNING UK!) C:\Users\Jim\Downloads\SetupImgBurn_2.5.8.0.exe
2013-07-04 19:23 - 2013-07-04 19:23 - 00043456 ____A C:\Users\Jim\Downloads\base_file_2.5.8.0.zip
2013-07-03 19:57 - 2013-01-06 19:33 - 00000000 ____D C:\Program Files (x86)\SupportAppCB
2013-07-03 14:02 - 2011-05-19 05:21 - 00000272 ____A C:\Users\Jim\Documents\spider.sav
2013-06-30 22:11 - 2012-09-05 22:45 - 00000000 ____D C:\Users\Jim\AppData\Local\Avg2013
2013-06-30 21:23 - 2012-09-05 23:10 - 00000000 ____D C:\Program Files (x86)\Java
2013-06-30 21:15 - 2013-06-30 21:16 - 00263592 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00175016 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-06-30 21:15 - 2013-06-30 21:15 - 00096168 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-06-30 21:15 - 2012-09-05 23:11 - 00867240 ____A (Oracle Corporation) C:\Windows\SysWOW64\npdeployJava1.dll
2013-06-30 21:15 - 2011-05-20 20:43 - 00789416 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-06-28 17:09 - 2013-06-28 17:09 - 00064768 ____A C:\Users\Jim\AppData\Local\GDIPFONTCACHEV1.DAT
2013-06-28 17:08 - 2013-06-28 17:08 - 00297656 ____A C:\Windows\System32\FNTCACHE.DAT
2013-06-28 17:08 - 2013-06-28 17:08 - 00000000 ____A C:\Windows\setuperr.log
2013-06-28 15:56 - 2011-07-15 17:10 - 00000000 ____D C:\Users\Jim\AppData\Roaming\uTorrent
2013-06-27 20:50 - 2012-09-05 22:55 - 00000000 ____D C:\ProgramData\AVG Secure Search
2013-06-26 23:27 - 2012-09-05 22:54 - 00045856 ____A (AVG Technologies) C:\Windows\System32\Drivers\avgtpx64.sys
2013-06-26 23:27 - 2012-09-05 22:54 - 00000000 ____D C:\Program Files (x86)\AVG Secure Search
2013-06-25 19:17 - 2013-06-25 18:18 - 00000000 ____D C:\Program Files (x86)\Mozilla Thunderbird
2013-06-25 15:18 - 2009-07-13 23:44 - 00000000 ___RD C:\Users\Public\Recorded TV
2013-06-25 04:55 - 2013-06-25 04:55 - 00000000 ____D C:\Program Files (x86)\Auslogics
2013-06-21 04:29 - 2011-08-01 01:31 - 00000000 ____D C:\Users\Jim\AppData\Local\Mirillis
2013-06-20 01:21 - 2011-07-15 17:12 - 00000000 ____D C:\Program Files (x86)\uTorrent
2013-06-18 02:38 - 2013-06-01 15:05 - 00013451 ____A C:\Users\Jim\Documents\Forecast Data.ods
2013-06-17 21:42 - 2013-06-17 21:42 - 00000308 ____A C:\Users\Jim\Desktop\Home Oasis Kitchen & Bath Checkout.url
2013-06-16 04:57 - 2013-06-16 04:57 - 00051646 ____A C:\Users\Jim\Documents\cc_20130616_225704.reg
2013-06-15 05:20 - 2011-05-20 19:50 - 00000000 ____D C:\Program Files\CCleaner
2013-06-14 14:28 - 2009-07-13 21:08 - 00032562 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-06-13 14:24 - 2011-06-07 23:01 - 00000000 ___RD C:\Program Files (x86)\Skype
2013-06-13 14:24 - 2011-06-07 23:01 - 00000000 ____D C:\ProgramData\Skype
2013-06-11 20:29 - 2012-04-02 04:21 - 00692104 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2013-06-11 20:29 - 2011-05-27 18:10 - 00071048 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2013-06-11 20:28 - 2013-06-11 19:19 - 09089416 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2013-06-11 14:56 - 2011-05-17 03:58 - 75825640 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 4095.24 MB
Available physical RAM: 3450.07 MB
Total Pagefile: 4093.39 MB
Available Pagefile: 3444.22 MB
Total Virtual: 8192 MB
Available Virtual: 8191.86 MB

==================== Drives ================================

Drive c: (WIN7) (Fixed) (Total:80 GB) (Free:32.21 GB) NTFS (Disk=0 Partition=2) ==>[Drive with boot components (obtained from BCD)]
Drive d: (DATA) (Fixed) (Total:203.05 GB) (Free:188.26 GB) NTFS (Disk=0 Partition=3)
Drive f: () (Removable) (Total:0.1 GB) (Free:0.1 GB) FAT (Disk=2 Partition=1)
Drive g: (CD_ROM) (CDROM) (Total:0.19 GB) (Free:0 GB) CDFS
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298 GB) (Disk ID: 05DA1A21)
Partition 1: (Not Active) - (Size=15 GB) - (Type=1B)
Partition 2: (Active) - (Size=80 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=203 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=39 MB) - (Type=EF)

========================================================
Disk: 2 (Size: 100 MB) (Disk ID: CD37E914)
Partition 1: (Active) - (Size=100 MB) - (Type=06)

LastRegBack: 2013-05-03 22:36

==================== End Of Log ============================

Cheers, Jim


Sorry Jim, it is my fault, I missed something.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste.) Save it on the flashdrive as fixlist.txt.

Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk

ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version), press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.

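As an added example (not FRST's code and not the helper's fixlist), a small Python triage helper that reads FRST's Startup:/ShortcutTarget: lines, flags the targets FRST marks "(No File)", and prints them in the layout used for fixlist.txt above. The sample log is constructed: the regmonstd.lnk / q6zniri.dat pair is the one quoted in this thread, the LaunchMate pair is an assumed healthy entry.

```python
"""Triage helper for FRST scan logs: find startup shortcuts whose target is gone.

Added example for this thread, not part of FRST or of the helper's fixlist.
After a rescue-disk cleanup the malware payload is often deleted but the .lnk
in the Startup folder survives; FRST reports such targets as "(No File)".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in FRST's format. The regmonstd.lnk / q6zniri.dat pair is
# the one quoted in this thread; the LaunchMate pair is an assumed healthy entry.
SAMPLE_LOG = r"""
Startup: C:\Users\Jim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regmonstd.lnk
ShortcutTarget: regmonstd.lnk -> C:\PROGRA~3\q6zniri.dat (No File)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LaunchMate.lnk
ShortcutTarget: LaunchMate.lnk -> C:\Program Files (x86)\LaunchMate\LnchMate.exe
"""

# "Startup: <full path ending in>\<name>.lnk"
_STARTUP_RE = re.compile(r"^Startup: (?P<path>.+\\(?P<lnk>[^\\]+\.lnk))$", re.IGNORECASE)
# "ShortcutTarget: <name>.lnk -> <target> [(No File)]"
_SHORTCUT_RE = re.compile(
    r"^ShortcutTarget: (?P<lnk>.+?\.lnk) -> (?P<target>.+?)(?P<nofile> \(No File\))?$",
    re.IGNORECASE,
)


@dataclass
class OrphanedStartup:
    lnk_name: str        # basename of the shortcut, e.g. regmonstd.lnk
    target: str          # path the shortcut points at (no longer present)
    startup_line: str    # the matching "Startup:" line, "" if FRST did not list one
    shortcut_line: str   # the "ShortcutTarget:" line as FRST printed it


def parse_frst_startups(log_text: str) -> list[OrphanedStartup]:
    """Pair Startup:/ShortcutTarget: lines and return those marked (No File)."""
    startups: dict[str, str] = {}  # lowercased .lnk basename -> Startup: line
    orphans: list[OrphanedStartup] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _STARTUP_RE.match(line)
        if m:
            startups[m.group("lnk").lower()] = line
            continue
        m = _SHORTCUT_RE.match(line)
        if m and m.group("nofile"):
            lnk = m.group("lnk")
            orphans.append(OrphanedStartup(
                lnk_name=lnk,
                target=m.group("target"),
                startup_line=startups.get(lnk.lower(), ""),
                shortcut_line=line,
            ))
    return orphans


def build_fixlist(orphans: list[OrphanedStartup]) -> str:
    """Render the entries in the layout the helper used for fixlist.txt:
    the Startup: line followed by its ShortcutTarget: line."""
    lines: list[str] = []
    for o in orphans:
        if o.startup_line:
            lines.append(o.startup_line)
        lines.append(o.shortcut_line)
    return "\n".join(lines) + ("\n" if lines else "")


if __name__ == "__main__":
    found = parse_frst_startups(SAMPLE_LOG)
    for o in found:
        print(f"{o.lnk_name}: target missing -> {o.target}")
    print("--- candidate fixlist.txt ---")
    print(build_fixlist(found), end="")
```

The output is a candidate list for review, not something to run blindly: an entry flagged "(No File)" is harmless in itself, and only a human should decide which ones go into fixlist.txt.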

More to come:

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.09.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Jim :: NAVIGATION [administrator]

Protection: Enabled

10/07/2013 8:58:38 PM
mbam-log-2013-07-10 (20-58-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222625
Time elapsed: 18 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 17/05/2011 7:32:25 PM
System Uptime: 10/07/2013 9:34:12 AM (12 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | EB1501P
Processor: Intel® Atom CPU D525   @ 1.80GHz | BGA 473 | 1795/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 80 GiB total, 32.657 GiB free.
D: is FIXED (NTFS) - 203 GiB total, 188.257 GiB free.
G: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: HP Color LaserJet 2600n
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: Hewlett-Packard
Name: HP Color LaserJet 2600n
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Deskjet D5500 series
Device ID: ROOT\MULTIFUNCTION\0001
Manufacturer: HP
Name: Deskjet D5500 series
PNP Device ID: ROOT\MULTIFUNCTION\0001
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
64 Bit HP CIO Components Installer
Acronis True Image Home 2011
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader XI (11.0.03)
Adobe Shockwave Player 12.0
Amazon Kindle
Any Video Converter 3.5.7
Astrill
ASUS WebStorage
Atheros Client Installation Program
µTorrent
Aura Software Manager 1.0.3
Aura Video Converter 1.3.1
Auslogics Disk Defrag
AVG 2013
AVG Security Toolbar
AXIS Media Control Embedded
BlazeDTV 6.0
Bungee 6.5
Canon MP Navigator EX 4.0
CanoScan LiDE 110 Scanner Driver
CCleaner
CruzPro MaxVu110
CruzPro MaxVu110 (C:\Program Files (x86)\CruzPro MaxVu110\)
CruzPro PC Fishfinder
CruzPro PC Fishfinder (C:\Program Files (x86)\PC Fishfinder\)
CutePDF Writer 2.8
DJ_SF_06_D5500_SW_Min
EasyBCD 2.1.2
findit_pi 1.0
FleetMon Explorer
FREE Thailand 2010_R9 MAR 2010
Garmin MapSource
Garmin nRoute
Garmin USB Drivers
Garmin WorldMap v4
Google Desktop
Google Earth
Google Update Helper
GPSBabel 1.4.4
HD Youtube Downloader Free
HP Deskjet D5500 Printer Driver 14.0 Rel. 6
ImgBurn
Intel® Matrix Storage Manager
IrfanView (remove only)
ITE Infrared Transceiver
Java 7 Update 25
Java Auto Updater
Junk Mail filter update
LaunchMate
Lizard Safeguard - PDF Viewer 2.6.25
logbookkonni_pi 1.1
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Search Enhancement Pack
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x64 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Mobile Hotspot
Mozilla Thunderbird 17.0.7 (x86 en-US)
MSVCRT
MSXML 4.0 SP3 Parser (KB2721691)
MSXML 4.0 SP3 Parser (KB2758694)
MSXML 4.0 SP3 Parser (KB973685)
Navi Weather (64bit) 2.03
NETGEAR WG111v2 wireless USB 2.0 adapter
Network64
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA HD Audio Driver 1.3.18.0
NVIDIA Install Application
OpenCPN 3.2.0
OpenOffice.org 3.4.1
Optus Mini WiFi Modem
Optus Mobile Broadband
OSM-PH Garmin maps latest
PeaZip 3.8
PL-2303 USB-to-Serial
PlayReady PC Runtime amd64
PolarCOM
PolarView NS
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
Remove Empty Directories version 2.2
Renesas Electronics USB 3.0 Host Controller Driver
Revo Uninstaller Pro 2.5.8
Sailing Directions (Planning Guide) - Pub 120 -- Pacific Ocean and Southeast Asia (8th Ed) 2011
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Silicon Laboratories CP210x USB to UART Bridge (Driver Removal)
Silicon Laboratories CP210x VCP Drivers for Windows XP/2003 Server/Vista/7
Skype Click to Call
Skype™ 6.5
Splash Lite
swMSM
Toolbox
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939)
USB Server
Visual Passage Planner 2
Visual Studio 2008 x64 Redistributables
Visual Studio 2010 x64 Redistributables
Windows Automated Installation Kit
Windows Driver Package - Garmin (grmnusb) GARMIN Devices  (06/03/2009 2.3.0.0)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
WinHTTrack Website Copier 3.44-1 (x64)
WinRAR 4.01 (32-bit)
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
10/07/2013 9:35:02 PM, Error: Service Control Manager [7031]  - The Windows Media Center Receiver Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.
10/07/2013 8:22:01 AM, Error: Service Control Manager [7006]  - The ScRegSetValueExW call failed for FailureActions with the following error:  Access is denied.
09/07/2013 8:46:50 AM, Error: Microsoft-Windows-SharedAccess_NAT [31004]  - The DNS proxy agent was unable to allocate 0 bytes of memory. This may indicate that the system is low on virtual memory, or that the memory manager has encountered an internal error.
09/07/2013 10:33:28 PM, Error: Microsoft-Windows-BitLocker-Driver [24620]  - Encrypted volume check: Volume information on  cannot be read.
07/07/2013 5:47:22 PM, Error: volsnap [14]  - The shadow copies of volume C: were aborted because of an IO failure on volume C:.
07/07/2013 5:47:22 PM, Error: Disk [11]  - The driver detected a controller error on \Device\Harddisk0\DR0.
07/07/2013 12:56:51 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WwanSvc service.
05/07/2013 8:25:06 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the MBAMScheduler service.
04/07/2013 3:29:48 PM, Error: Schannel [36888]  - The following fatal alert was generated: 10. The internal error state is 10.
03/07/2013 5:11:21 PM, Error: Service Control Manager [7011]  - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
.
==== End Of File ===========================

DDS.txt:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16490  BrowserJavaVersion: 10.25.2
Run by Jim at 21:36:52 on 2013-07-10
Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.4095.1164 [GMT 10:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Windows\Explorer.EXE
C:\ProgramData\DatacardService\HWDeviceService64.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\SysWOW64\WinService.exe
C:\ProgramData\DatacardService\DCSHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\LaunchMate\LnchMate.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\WUDFHost.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\ASUS\ASUS Easy Update\ALU.exe
C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\AVG Secure Search\vprot.exe
C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\ehome\mcGlidHost.exe
C:\Program Files (x86)\LaunchMate\Folders\Games\freecell.exe
C:\Windows\system32\prevhost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.

uProxyOverride = <local>
mWinlogon: Userinit = userinit.exe,
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.3.0.11\AVG Secure Search_toolbar.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\15.3.0.11\AVG Secure Search_toolbar.dll
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [ASUS Easy Update] C:\Program Files (x86)\ASUS\ASUS Easy Update\ALU.exe
mRun: [Google Desktop Search] "C:\Program Files (x86)\Google\Google Desktop Search\GoogleDesktop.exe" /startup
mRun: [TrueImageMonitor.exe] "C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe"
mRun: [sAOB Monitor] C:\Program Files (x86)\Acronis\TrueImageHome\OnlineBackupStandalone\TrueImageMonitor.exe
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
mRun: [vProt] "C:\Program Files (x86)\AVG Secure Search\vprot.exe"
mRun: [ASUSWebStorage] C:\Program Files (x86)\ASUS\ASUS WebStorage\3.0.143.296\AsusWSPanel.exe /S
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
dRun: [Mobile Partner] C:\Program Files (x86)\Optus Mini WiFi\Optus Mini WiFi Modem
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\LAUNCH~1.LNK - C:\Program Files (x86)\LaunchMate\LnchMate.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: C:\Windows\System32\ASProxy.dll

TCP: NameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{78B716B8-73E0-43B1-8B09-FA6C48769121} : DHCPNameServer = 192.168.1.1 192.168.1.1
TCP: Interfaces\{78B716B8-73E0-43B1-8B09-FA6C48769121}\45548435F5236414445334 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{78B716B8-73E0-43B1-8B09-FA6C48769121}\C696E6B6379737 : DHCPNameServer = 192.168.0.1 8.8.8.8
TCP: Interfaces\{78B716B8-73E0-43B1-8B09-FA6C48769121}\D4646303F5249314345454 : DHCPNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{9C0C5852-68CF-4095-A45C-AF7D25B49B5B} : DHCPNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{C09B1532-53EE-473B-96F3-85E40F0BB221} : DHCPNameServer = 198.18.0.1
TCP: Interfaces\{F7263611-5FDC-408F-9ADA-D38BFFB83867}\C696E6B6379737 : DHCPNameServer = 192.168.0.1 8.8.8.8
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\15.3.0\ViProtocol.dll
AppInit_DLLs= c:\progra~3\browse~1\25976~1.107\{c16c1~1\mngr.dll c:\progra~2\google\google~1\go36f4~1.dll
SSODL: WebCheck - <orphaned>
x64-BHO: Windows Live Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-BHO: {BA3E58F7-60C6-485E-A775-0C1FD9C0E55E} - <orphaned>
x64-Run: [Acronis Scheduler2 Service] "C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe"
x64-IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - <orphaned>
x64-Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-mASetup: {12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\Windows\System32\ieudinit.exe
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-2-8 71480]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-2-8 311096]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-2-8 116536]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-2-8 45880]
R0 SCMNdisP;General NDIS Protocol Driver;C:\Windows\System32\drivers\SCMNdisP.sys [2011-5-17 25312]
R0 tdrpman273;Acronis Try&Decide and Restore Points filter (build 273);C:\Windows\System32\drivers\tdrpm273.sys [2011-5-25 1263200]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-3-29 246072]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-2-8 206136]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-3-21 240952]
R1 avgtp;avgtp;C:\Windows\System32\drivers\avgtpx64.sys [2012-9-6 45856]
R2 afcdpsrv;Acronis Nonstop Backup Service;C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe [2012-5-7 3246040]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2013-5-14 4937264]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2013-4-18 283136]
R3 afcdp;afcdp;C:\Windows\System32\drivers\afcdp.sys [2012-5-7 285280]
R3 asvpndrv;Astrill SSL VPN Adapter;C:\Windows\System32\drivers\asvpndrv.sys [2012-9-27 31744]
R3 EST_BusEnum;Network USB Device Bus;C:\Windows\System32\drivers\GenBus.sys [2009-10-6 29696]
R3 huawei_enumerator;huawei_enumerator;C:\Windows\System32\drivers\ew_jubusenum.sys [2013-4-13 86016]
R3 ITECIRfilter;ITECIR Filter Driver;C:\Windows\System32\drivers\ITECIRfilter.sys [2011-3-22 28264]
R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2011-5-18 25928]
R3 NUS_Bus;Network USB Server Bus;C:\Windows\System32\drivers\NUS_Bus.sys [2010-1-28 30208]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\System32\drivers\nusb3hub.sys [2010-4-28 83080]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\System32\drivers\nusb3xhc.sys [2010-4-28 184968]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2011-6-10 539240]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 ASOVPNHelper;Astrill OpenVPN Service;C:\Program Files (x86)\Astrill\ASOvpnSvc.exe [2012-9-27 434928]
S3 ASProxy;ASProxy;C:\Program Files (x86)\Astrill\ASProxy.exe [2012-9-27 1918888]
S3 EST_Server;Network USB Device;C:\Windows\System32\drivers\GenHC.sys [2009-10-6 199168]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;C:\Windows\System32\drivers\ew_hwusbdev.sys [2013-4-13 117248]
S3 ewusbmbb;HUAWEI USB-WWAN miniport;C:\Windows\System32\drivers\ewusbwwan.sys [2013-4-13 415744]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2011-5-17 61280]
S3 huawei_cdcacm;huawei_cdcacm;C:\Windows\System32\drivers\ew_jucdcacm.sys [2013-4-13 98816]
S3 huawei_cdcecm;huawei_cdcecm;C:\Windows\System32\drivers\ew_jucdcecm.sys [2013-4-13 69632]
S3 huawei_ext_ctrl;huawei_ext_ctrl;C:\Windows\System32\drivers\ew_juextctrl.sys [2013-4-13 28672]
S3 IT9135BDA;IT9135 BDA Devices;C:\Windows\System32\drivers\IT9135BDA.sys [2012-10-1 164736]
S3 mbamchameleon;mbamchameleon;C:\Windows\System32\drivers\mbamchameleon.sys [2012-5-8 33096]
S3 netr28x;Ralink 802.11n Wireless Driver for Windows Vista;C:\Windows\System32\drivers\netr28x.sys [2009-6-11 620544]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-1 19456]
S3 Revoflt;Revoflt;C:\Windows\System32\drivers\revoflt.sys [2011-5-18 31800]
S3 RTL8187;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter Vista Driver;C:\Windows\System32\drivers\wg111v2.sys [2011-5-17 340992]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2012-11-1 57856]
S3 ZTEusbnet;ZTE USB-NDIS miniport;C:\Windows\System32\drivers\ZTEusbnet.sys [2013-1-7 137728]
.
=============== Created Last 30 ================
.
2013-07-06 22:26:36 -------- d-----w- C:\FRST
2013-07-06 20:17:09 -------- d-----w- C:\Temp
2013-07-05 03:49:34 -------- d-----w- C:\Users\Jim\AppData\Roaming\OpenCandy
2013-07-01 05:15:36 96168 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2013-06-25 12:55:25 -------- d-----w- C:\Program Files (x86)\Auslogics
2013-06-12 03:19:17 9089416 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2013-06-11 22:45:22 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-06-11 22:45:22 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-06-11 22:45:22 1192448 ----a-w- C:\Windows\System32\certutil.exe
2013-06-11 22:45:21 52224 ----a-w- C:\Windows\System32\certenc.dll
2013-06-11 22:45:21 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
2013-06-11 22:45:21 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-06-11 22:45:21 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-06-11 22:45:21 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-06-11 22:45:21 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-06-11 22:45:21 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-06-11 22:44:58 30720 ----a-w- C:\Windows\System32\cryptdlg.dll
2013-06-11 22:44:57 24576 ----a-w- C:\Windows\SysWow64\cryptdlg.dll
2013-06-11 22:44:48 1887232 ----a-w- C:\Windows\System32\d3d11.dll
2013-06-11 22:44:48 1505280 ----a-w- C:\Windows\SysWow64\d3d11.dll
2013-06-11 22:44:43 1910632 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2013-06-11 22:44:33 751104 ----a-w- C:\Windows\System32\win32spl.dll
2013-06-11 22:44:33 492544 ----a-w- C:\Windows\SysWow64\win32spl.dll
2013-06-11 22:44:32 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2013-06-11 22:44:32 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
.
==================== Find3M  ====================
.
2013-07-01 05:15:16 867240 ----a-w- C:\Windows\SysWow64\npdeployJava1.dll
2013-07-01 05:15:16 789416 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2013-06-27 07:27:03 45856 ----a-w- C:\Windows\System32\drivers\avgtpx64.sys
2013-06-12 04:29:03 71048 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2013-06-12 04:29:03 692104 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2013-05-17 03:09:56 2312704 ----a-w- C:\Windows\System32\jscript9.dll
2013-05-17 03:02:29 1392128 ----a-w- C:\Windows\System32\wininet.dll
2013-05-17 03:01:13 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2013-05-17 02:56:09 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2013-05-17 02:56:00 599040 ----a-w- C:\Windows\System32\vbscript.dll
2013-05-17 02:51:27 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2013-05-16 22:39:39 1800704 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-05-16 22:28:26 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-05-16 22:27:30 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2013-05-16 22:21:37 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2013-05-16 22:20:30 420864 ----a-w- C:\Windows\SysWow64\vbscript.dll
2013-05-16 22:16:57 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-04-13 05:49:23 135168 ----a-w- C:\Windows\apppatch\AppPatch64\AcXtrnal.dll
2013-04-13 05:49:19 350208 ----a-w- C:\Windows\apppatch\AppPatch64\AcLayers.dll
2013-04-13 05:49:19 308736 ----a-w- C:\Windows\apppatch\AppPatch64\AcGenral.dll
2013-04-13 05:49:19 111104 ----a-w- C:\Windows\apppatch\AppPatch64\acspecfc.dll
2013-04-13 04:45:16 474624 ----a-w- C:\Windows\apppatch\AcSpecfc.dll
2013-04-13 04:45:15 2176512 ----a-w- C:\Windows\apppatch\AcGenral.dll
2013-04-12 14:45:08 1656680 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2003-07-30 04:12:32 473340 ----a-w- C:\Program Files (x86)\setup.exe
.
============= FINISH: 21:38:48.40 ===============
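A small triage helper, added here and not part of the thread or of the DDS tool, that reads lines in the DDS format posted above and surfaces the two kinds of leftovers a reviewer looks for in a log like this: registry hooks whose target is reported as <orphaned> (the file was removed but the registration was not) and entries under user-writable paths created after the infection date. The sample lines are copied from the log above; the cut-off date and the list of user-writable path markers are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Sample lines copied from the DDS log above (hook, driver and "Created Last 30" sections).
SAMPLE_LOG = """\
x64-BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\\Program Files (x86)\\Skype\\Toolbars\\Internet Explorer x64\\skypeieplugin.dll
x64-BHO: {BA3E58F7-60C6-485E-A775-0C1FD9C0E55E} - <orphaned>
x64-Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
R3 MBAMProtector;MBAMProtector;C:\\Windows\\System32\\drivers\\mbam.sys [2011-5-18 25928]
2013-07-06 20:17:09 -------- d-----w- C:\\Temp
2013-07-05 03:49:34 -------- d-----w- C:\\Users\\Jim\\AppData\\Roaming\\OpenCandy
2013-06-11 22:45:22 1464320 ----a-w- C:\\Windows\\System32\\crypt32.dll
"""

# "x64-<kind>: <name or CLSID> - <target>"; the greedy body keeps the last " - " as the separator.
HOOK_RE = re.compile(r"^x64-(?P<kind>\w+):\s+(?P<body>.+)\s+-\s+(?P<target>\S.*)$")
# "<timestamp> <size or -------- for a directory> <attributes> <path>"
CREATED_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+\S+\s+(?P<path>.+)$")
# Assumed markers for locations writable without elevation; new items there deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", ":\\temp")


@dataclass
class Finding:
    category: str  # "orphaned-hook" or "recent-user-path"
    detail: str


def triage(log_text: str, since: str) -> List[Finding]:
    """Return orphaned hook registrations and user-writable paths created on or after `since` (YYYY-MM-DD)."""
    since_dt = datetime.strptime(since, "%Y-%m-%d")
    findings: List[Finding] = []
    for line in log_text.splitlines():
        hook = HOOK_RE.match(line)
        if hook:
            if hook.group("target") == "<orphaned>":
                findings.append(Finding("orphaned-hook", f"{hook.group('kind')}: {hook.group('body')}"))
            continue
        created = CREATED_RE.match(line)
        if created:
            ts = datetime.strptime(created.group("ts"), "%Y-%m-%d %H:%M:%S")
            path = created.group("path")
            if ts >= since_dt and any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append(Finding("recent-user-path", path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "2013-07-01"):
        print(finding.category, "->", finding.detail)
```

Orphaned entries are the registrations a cleanup tool such as the one suggested later in the thread removes; the recent-path list is only a starting point for review, not a verdict.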

Step 1

Please uninstall this application: µTorrent

Step 2

Note: Please do not run this tool without special supervision and instructions of someone authorized to do so. Otherwise, you could end up with serious problems. For more details, read this article: ComboFix usage, Questions, Help? - Look here

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

Note: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
