Jump to content

Zero Access Blocking My PC


Recommended Posts

I had windows popping up galore this a.m. and could not run Malwarebytes.  I ran Rogue Killer and here is the results of the scan:

 

RogueKiller V8.6.11 [sep 11 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : rallen [Admin rights]
Mode : Scan -- Date : 09/12/2013 11:47:09
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 1 ¤¤¤
[Rogue.AntiSpy-SP] mrprotection.exe -- C:\Users\Renee\AppData\Roaming\mrprotection.exe[-] -> KILLED [TermProc]
[ZeroAccess][sERVICE] ???etadpug -- "C:\Program Files\Google\Desktop\Install\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\   \...\???ﯹ๛\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\GoogleUpdate.exe" < [x] -> STOPPED
 
¤¤¤ Registry Entries : 16 ¤¤¤
[RUN][ZeroAccess] HKCU\[...]\Run : Google Update ("C:\Users\Renee\AppData\Local\Google\Desktop\Install\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\?��?��?��\?��?��?��\???ﯹ๛\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\GoogleUpdate.exe" >) -> FOUND
[RUN][sUSP PATH] HKCU\[...]\Run : Internet Security (C:\Users\Renee\AppData\Roaming\mrprotection.exe [-]) -> FOUND
[RUN][ZeroAccess] HKUS\S-1-5-21-4039794277-2676274190-3673003869-1109\[...]\Run : Google Update ("C:\Users\Renee\AppData\Local\Google\Desktop\Install\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\?��?��?��\?��?��?��\???ﯹ๛\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\GoogleUpdate.exe" >) -> FOUND
[RUN][sUSP PATH] HKUS\S-1-5-21-4039794277-2676274190-3673003869-1109\[...]\Run : Internet Security (C:\Users\Renee\AppData\Roaming\mrprotection.exe [-]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CCSet\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\   \...\???ﯹ๛\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS001\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\   \...\???ﯹ๛\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\GoogleUpdate.exe" < [x]) -> FOUND
[sERVICE][ZeroAccess] HKLM\[...]\CS002\[...]\Services : ???etadpug ("C:\Program Files\Google\Desktop\Install\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\   \...\???ﯹ๛\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\GoogleUpdate.exe" < [x]) -> FOUND
[DNS] HKLM\[...]\CCSet\[...]\{84B64075-BED6-4583-90F0-D89C78119598} : NameServer (10.0.0.10) -> FOUND
[DNS] HKLM\[...]\CS001\[...]\{84B64075-BED6-4583-90F0-D89C78119598} : NameServer (10.0.0.10) -> FOUND
[DNS] HKLM\[...]\CS002\[...]\{84B64075-BED6-4583-90F0-D89C78119598} : NameServer (10.0.0.10) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CCSet\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS001\[...]\Services : . e () -> FOUND
[HID SVC][Hidden from API] HKLM\[...]\CS002\[...]\Services : . e () -> FOUND
 
¤¤¤ Scheduled tasks : 2 ¤¤¤
[V1][sUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\Windows\TEMP\{F50BA88E-4A76-42D9-883F-9F352AE4B9F0}.exe - --uninstall=1 [x] -> FOUND
[V2][sUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv : C:\Windows\TEMP\{F50BA88E-4A76-42D9-883F-9F352AE4B9F0}.exe - --uninstall=1 [x] -> FOUND
 
¤¤¤ Startup Entries : 0 ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][File] Desktop.ini : C:\Windows\assembly\GAC\Desktop.ini [-] --> FOUND
[ZeroAccess][Junction] en-US : C:\Program Files\Windows Defender\en-US >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpAsDesc.dll : C:\Program Files\Windows Defender\MpAsDesc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpClient.dll : C:\Program Files\Windows Defender\MpClient.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCmdRun.exe : C:\Program Files\Windows Defender\MpCmdRun.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpCommu.dll : C:\Program Files\Windows Defender\MpCommu.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpEvMsg.dll : C:\Program Files\Windows Defender\MpEvMsg.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpOAV.dll : C:\Program Files\Windows Defender\MpOAV.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpRTP.dll : C:\Program Files\Windows Defender\MpRTP.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MpSvc.dll : C:\Program Files\Windows Defender\MpSvc.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MSASCui.exe : C:\Program Files\Windows Defender\MSASCui.exe >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpLics.dll : C:\Program Files\Windows Defender\MsMpLics.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Junction] MsMpRes.dll : C:\Program Files\Windows Defender\MsMpRes.dll >> \systemroot\system32\config [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Users\Renee\AppData\Local\Google\Desktop\Install [-] --> FOUND
[ZeroAccess][Folder] Install : C:\Program Files\Google\Desktop\Install [-] --> FOUND
 
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] IRP[iRP_MJ_CREATE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B61A8CC)
[Address] IRP[iRP_MJ_CLOSE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B61A8CC)
[Address] IRP[iRP_MJ_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B60647C)
[Address] IRP[iRP_MJ_INTERNAL_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B60644E)
[Address] IRP[iRP_MJ_POWER] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B6064AA)
[Address] IRP[iRP_MJ_SYSTEM_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B615DB2)
[Address] IRP[iRP_MJ_PNP] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B615D7E)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection : ZeroAccess|Rogue.AntiSpy-SP ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST500DM002-1BD142 ATA Device +++++
--- User ---
[MBR] 4c735f837396d4f13b1b716b50bff6bf
[bSP] 774466be9f0a0c9de895e17126667ee8 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 13568 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 27869184 | Size: 463328 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
+++++ PhysicalDrive1: ST500DM002-1BD142 ATA Device +++++
--- User ---
[MBR] c101098de7e98413ce2941d5c0ebefa8
[bSP] ef3177ea6997481f5647d45aa222b26f : Empty MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 982 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
 
Finished : << RKreport[0]_S_09122013_114709.txt >>
 
 
 
Please let me know what I need to do to remove this and also - did I get this from going to a certain website or what?
 
Thanks
Link to post
Share on other sites

Hello! Welcome to Malwarebytes Forums! welcome.gif
My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

 

Regards,
Georgi

Link to post
Share on other sites

Here are the two files:

 

FRST.txt

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 09-09-2013 02
Ran by rallen (administrator) on RALLEN on 12-09-2013 15:29:22
Running from C:\Users\Renee\Desktop
Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Normal
 
==================== Processes (Whitelisted) ===================
 
(AMD) C:\Windows\system32\atiesrxx.exe
(AMD) C:\Windows\system32\atieclxx.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgfws.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgwdsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft\BingBar\SeaPort.EXE
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel Corporation) C:\Program Files\Intel\Services\IPT\jhi_service.exe
(AVG Secure Search) C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
() C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\loggingserver.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgam.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgemcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgchsvx.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.21.153\GoogleCrashHandler.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgtray.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
(AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG10\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG10\avgcsrvx.exe
() E:\RogueKiller.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [startCCC] - c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [336384 2011-02-18] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [RemoteControl9] - C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe [87336 2010-10-01] (CyberLink Corp.)
HKLM\...\Run: [PDVD9LanguageShortcut] - C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe [50472 2010-09-17] (CyberLink Corp.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-01-03] (Adobe Systems Incorporated)
HKLM\...\Run: [] - [x]
HKLM\...\Run: [Adobe Acrobat Speed Launcher] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrobat_sl.exe [36760 2012-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [Acrobat Assistant 8.0] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe [815512 2012-04-04] (Adobe Systems Inc.)
HKLM\...\Run: [RoxWatchTray] - C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe [240112 2010-11-25] (Sonic Solutions)
HKLM\...\Run: [Desktop Disc Tool] - C:\Program Files\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe [514544 2010-11-17] ()
HKLM\...\Run: [AVG_TRAY] - C:\Program Files\AVG\AVG10\avgtray.exe [2345592 2012-08-01] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [DBRMTray] - C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe [227328 2011-03-08] (Dell Computer Corporation)
HKLM\...\Run: [vProt] - C:\Program Files\AVG Secure Search\vprot.exe [2314416 2013-08-14] ()
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] - C:\Windows\KHALMNPR.EXE [55824 2009-06-17] (Logitech, Inc.)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [sunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [252296 2012-01-17] (Sun Microsystems, Inc.)
HKLM\...\Run: [ApnUpdater] - C:\Program Files\Ask.com\Updater\Updater.exe [1561768 2012-05-04] (Ask)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM\...\RunOnce: [DBRMTray] - C:\Dell\DBRM\Reminder\TrayApp.exe [7168 2010-02-04] (Microsoft)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [X]
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [internet Security] - C:\Users\Renee\AppData\Roaming\mrprotection.exe [846848 2013-09-12] (Eastern Digital Coproration                                 )
Startup: C:\Users\Renee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Amazon Cloud Drive.lnk
ShortcutTarget: Amazon Cloud Drive.lnk -> C:\Users\Renee\AppData\Local\Apps\2.0\Q2LRA7HG.QON\Y7J271QH.PDY\amaz..tion_f2fa081ea2183235_0002.0001_cb34a912a946f839\AmazonCloudDrive.exe (Amazon Digital Services, LLC.)
BootExecute: autocheck autochk * C:\PROGRA~1\AVG\AVG10\avgrsx.exe /sync /restart
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USREL/1
URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
URLSearchHook: (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} -  No File
SearchScopes: HKLM - DefaultScope {6570E86A-B7AD-4EE6-B74D-085AC17297DE} URL = http://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM - {6570E86A-B7AD-4EE6-B74D-085AC17297DE} URL = http://www.bing.com/search?q={searchTerms}&form=DLRDF8&pc=MDDR&src=IE-SearchBox
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {020E39AF-4467-40A6-A22A-EB7495BB9C09} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=157758C2-71C9-484F-AA41-9E8014603FA9&apn_sauid=41606CCA-1678-4082-9253-4F2BEAD1D386
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=109935&tt=280612_8_&babsrc=SP_ss&mntrId=12f00e20000000000000d4bed9d78a0c
SearchScopes: HKCU - {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={54D43BEB-D7FC-46C4-8E8F-AE42F7D28BEB}&mid=ed93da7990cc47d08a1505f79f3363ff-855b6ae1b49a1ab7559fae4e7739a5daddb190a3〈=us&ds=AVG&pr=pa&d=2012-05-15 14:01:22&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)
BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll (AVG Technologies CZ, s.r.o.)
BHO: AOL Toolbar Loader - {3ef64538-8b54-4573-b48f-4d34b0238ab2} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\15.5.0.2\AVG Secure Search_toolbar.dll (AVG Secure Search)
BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
Toolbar: HKLM - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\15.5.0.2\AVG Secure Search_toolbar.dll (AVG Secure Search)
Toolbar: HKLM - Babylon Toolbar - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
Toolbar: HKLM - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKLM - AOL Toolbar - {ba00b7b1-0351-477a-b948-23e3ee5a73d4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
Toolbar: HKCU -Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU -Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKCU -AOL Toolbar - {BA00B7B1-0351-477A-B948-23E3EE5A73D4} - C:\Program Files\AOL Toolbar\aoltb.dll (AOL Inc.)
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/_layouts/ClientBin/ieawsdc32.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll (AVG Technologies CZ, s.r.o.)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\15.5.0\ViProtocol.dll (AVG Secure Search)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 09 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog9 11 mswsock.dll File Not found ()
Winsock: Catalog9 12 mswsock.dll File Not found ()
Winsock: Catalog9 13 mswsock.dll File Not found ()
Winsock: Catalog9 14 mswsock.dll File Not found ()
Winsock: Catalog9 15 mswsock.dll File Not found ()
Winsock: Catalog9 16 mswsock.dll File Not found ()
Winsock: Catalog9 17 mswsock.dll File Not found ()
Winsock: Catalog9 18 mswsock.dll File Not found ()
Winsock: Catalog9 19 mswsock.dll File Not found ()
Winsock: Catalog9 20 mswsock.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 10.0.0.10 8.8.8.8
Tcpip\..\Interfaces\{84B64075-BED6-4583-90F0-D89C78119598}: [NameServer]10.0.0.10
 
FireFox:
========
FF ProfilePath: C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default
FF user.js: detected! => C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\user.js
FF DefaultSearchEngine: Ask.com
FF SearchEngineOrder.1: Ask.com
FF SelectedSearchEngine: Ask.com
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin - C:\Program Files\Common Files\AVG Secure Search\SiteSafetyInstaller\15.5.0\\npsitesafety.dll (AVG Technologies)
FF Plugin: @Google.com/GoogleEarthPlugin - C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.38 - C:\Program Files\Intel\Services\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin: @intel-webapi.intel.com/Intel WebAPI updater - C:\Program Files\Intel\Services\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin: @java.com/DTPlugin,version=10.5.1 - C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.5.1 - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE - disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - c:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 - C:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3502.0922 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @microsoft.com/WLPG,version=15.4.3508.1109 - C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Acrobat - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\searchplugins\askcom.xml
FF SearchPlugin: C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\searchplugins\CouponAlert_2p.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\avg-secure-search.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\browser\searchplugins\avg-secure-search.xml
FF Extension: Ask Toolbar - C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\Extensions\toolbar@ask.com
FF Extension: Yahoo! Toolbar - C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF HKLM\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF HKLM\...\Firefox\Extensions: [avg@toolbar] - C:\ProgramData\AVG Secure Search\FireFoxExt\15.5.0.2
FF Extension: AVG Security Toolbar - C:\ProgramData\AVG Secure Search\FireFoxExt\15.5.0.2
FF HKLM\...\Firefox\Extensions: [{1E73965B-8B48-48be-9C8D-68B920ABC1C4}] - C:\Program Files\AVG\AVG10\Firefox4\
FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG10\Firefox4\
 
Chrome: 
=======
CHR RestoreOnStartup: "sync":{"suppress_start":true},"sync_promo":{"startup_count":4,"view_count"
CHR Extension: (Docs) - C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0
CHR Extension: (Google Drive) - C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.2_0
CHR Extension: (YouTube) - C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0
CHR Extension: (Google Search) - C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0
CHR Extension: (Babylon Toolbar) - C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.7_0
CHR Extension: (AVG Safe Search) - C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1409_0
CHR Extension: (AVG Security Toolbar) - C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof\14.2.0.1_0
CHR Extension: (Gmail) - C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0
CHR HKLM\...\Chrome\Extension: [dhkplhfnhceodhffomolpfigojocbpcb] - C:\Users\Renee\AppData\Roaming\BabylonToolbar\CR\BabylonChrome1.crx
CHR HKLM\...\Chrome\Extension: [jmfkcklnlgedgbglfkkgedjfmejoahla] - C:\Program Files\AVG\AVG10\Chrome\safesearch.crx
CHR HKLM\...\Chrome\Extension: [ndibdjnfmopecpmkdieinmbadjfpblof] - C:\ProgramData\AVG Secure Search\ChromeExt\15.5.0.2\avg.crx
 
========================== Services (Whitelisted) =================
 
S3 AVG Security Toolbar Service; C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [167264 2011-11-10] ()
R2 avgfws; C:\Program Files\AVG\AVG10\avgfws.exe [2708024 2011-03-09] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [7391072 2012-01-31] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG10\avgwdsvc.exe [269520 2011-02-08] (AVG Technologies CZ, s.r.o.)
R2 jhi_service; C:\Program Files\Intel\Services\IPT\jhi_service.exe [212984 2012-05-21] (Intel Corporation)
S3 RoxMediaDB12OEM; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [1116656 2010-11-25] (Sonic Solutions)
S2 RoxWatch12; C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [219632 2010-11-25] (Sonic Solutions)
R2 vToolbarUpdater15.5.0; C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.5.0\ToolbarUpdater.exe [1643184 2013-08-14] (AVG Secure Search)
S2 avgagent; avgagent.exe /srvfsys [x]
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\   \...\???\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
 
==================== Drivers (Whitelisted) ====================
 
R1 Avgfwfd; C:\Windows\System32\DRIVERS\avgfwd6x.sys [54112 2010-07-12] (AVG Technologies CZ, s.r.o.)
R3 AVGIDSDriver; C:\Windows\System32\DRIVERS\AVGIDSDriver.Sys [134480 2011-05-27] (AVG Technologies CZ, s.r.o. )
R0 AVGIDSEH; C:\Windows\System32\DRIVERS\AVGIDSEH.Sys [22992 2011-02-22] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSFilter; C:\Windows\System32\DRIVERS\AVGIDSFilter.Sys [24144 2011-02-10] (AVG Technologies CZ, s.r.o. )
R3 AVGIDSShim; C:\Windows\System32\DRIVERS\AVGIDSShim.Sys [21968 2011-02-10] (AVG Technologies CZ, s.r.o. )
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [255968 2012-11-12] (AVG Technologies CZ, s.r.o.)
R1 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [34896 2011-03-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [32592 2011-03-16] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [297168 2011-04-05] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx86.sys [37664 2013-08-14] (AVG Technologies)
R0 CLFS; C:\Windows\System32\CLFS.sys [249408 2009-07-13] (Microsoft Corporation)
R3 LEqdUsb; C:\Windows\System32\Drivers\LEqdUsb.Sys [40720 2009-06-17] (Logitech, Inc.)
R3 LHidEqd; C:\Windows\System32\Drivers\LHidEqd.Sys [10384 2009-06-17] (Logitech, Inc.)
R3 MEI; C:\Windows\System32\DRIVERS\HECI.sys [41216 2011-09-22] (Intel Corporation)
S3 netvsc; C:\Windows\System32\DRIVERS\netvsc60.sys [126464 2010-11-20] (Microsoft Corporation)
S3 SynthVid; C:\Windows\System32\DRIVERS\VMBusVideoM.sys [19456 2010-11-20] (Microsoft Corporation)
U3 TrueSight; C:\Windows\system32\TrueSight.sys [26624 2013-09-12] ()
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-09-12 15:29 - 2013-09-12 11:52 - 01082587 _____ (Farbar) C:\Users\Renee\Desktop\FRST.exe
2013-09-12 11:47 - 2013-09-12 11:47 - 00007512 _____ C:\Users\Renee\Desktop\RKreport[0]_S_09122013_114709.txt
2013-09-12 11:45 - 2013-09-12 11:24 - 00000000 ____D C:\Users\Renee\Desktop\RK_Quarantine
2013-09-12 11:26 - 2013-09-12 11:26 - 00007545 _____ C:\Users\Renee\Desktop\RKreport[0]_S_09122013_112636.txt
2013-09-12 11:24 - 2013-09-12 11:24 - 00026624 _____ C:\Windows\system32\TrueSight.sys
2013-09-12 11:05 - 2013-09-12 11:05 - 00867840 _____ (Eastern Digital Corporation                                 ) C:\Users\Renee\cflljignsv1.exe
2013-09-12 11:05 - 2013-09-12 11:05 - 00867840 _____ (Eastern Digital Corporation                                 ) C:\Users\Renee\cflljignsv0.exe
2013-09-12 11:05 - 2013-09-12 11:05 - 00847360 _____ (Eastern Digital Coproration                                 ) C:\Users\Renee\AppData\Roaming\11AD.tmp
2013-09-12 11:05 - 2013-09-12 11:05 - 00846848 _____ (Eastern Digital Coproration                                 ) C:\Users\Renee\AppData\Roaming\mrprotection.exe
2013-09-12 11:05 - 2013-09-12 11:05 - 00000768 _____ C:\Users\Renee\Desktop\Internet Security 2013.lnk
2013-09-11 17:00 - 2013-08-09 23:59 - 01767936 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-09-11 17:00 - 2013-08-09 23:59 - 01141248 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-09-11 17:00 - 2013-08-09 23:59 - 00042496 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2013-09-11 17:00 - 2013-08-09 23:58 - 14332928 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-09-11 17:00 - 2013-08-09 23:58 - 13761024 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-09-11 17:00 - 2013-08-09 23:58 - 02876928 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-09-11 17:00 - 2013-08-09 23:58 - 02048000 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-09-11 17:00 - 2013-08-09 23:58 - 00690688 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-09-11 17:00 - 2013-08-09 23:58 - 00493056 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-09-11 17:00 - 2013-08-09 23:58 - 00391168 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-09-11 17:00 - 2013-08-09 23:58 - 00109056 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2013-09-11 17:00 - 2013-08-09 23:58 - 00061440 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2013-09-11 17:00 - 2013-08-09 23:58 - 00039424 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-09-11 17:00 - 2013-08-09 23:58 - 00033280 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2013-09-11 17:00 - 2013-08-09 23:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-09-11 17:00 - 2013-08-09 22:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2013-09-11 17:00 - 2013-08-07 21:03 - 02348544 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2013-09-11 17:00 - 2013-07-25 21:55 - 12872704 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll
2013-09-11 17:00 - 2013-07-25 21:55 - 00180224 _____ (Microsoft Corporation) C:\Windows\system32\shdocvw.dll
2013-09-11 16:59 - 2013-08-01 21:50 - 00169984 _____ (Microsoft Corporation) C:\Windows\system32\winsrv.dll
2013-09-11 16:59 - 2013-08-01 21:49 - 00868352 _____ (Microsoft Corporation) C:\Windows\system32\kernel32.dll
2013-09-11 16:59 - 2013-08-01 21:49 - 00293376 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00005120 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00004096 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 21:48 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 20:52 - 00271360 _____ (Microsoft Corporation) C:\Windows\system32\conhost.exe
2013-09-11 16:59 - 2013-08-01 20:43 - 00006144 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 20:43 - 00004608 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 20:43 - 00003584 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-09-11 16:59 - 2013-08-01 20:43 - 00003072 ____H (Microsoft Corporation) C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-09-06 08:42 - 2013-09-06 08:42 - 00224769 _____ C:\Users\Renee\Downloads\1547 Crestlawn_waiver.jpeg
2013-09-06 08:42 - 2013-09-06 08:42 - 00000000 ____D C:\Users\Renee\AppData\Local\{CE580A15-C3DC-41C3-8554-1868918EEC8A}
 
==================== One Month Modified Files and Folders =======
 
2013-09-12 15:27 - 2013-02-21 10:07 - 00000884 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-09-12 14:45 - 2013-07-19 15:26 - 00000144 _____ C:\Windows\system32\config\netlogon.ftl
2013-09-12 14:37 - 2012-05-04 19:52 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-09-12 12:13 - 2009-07-14 00:34 - 00021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-09-12 12:13 - 2009-07-14 00:34 - 00021312 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-09-12 12:06 - 2013-07-26 14:14 - 11112184 _____ C:\Windows\avgagent.log
2013-09-12 12:06 - 2013-05-31 12:42 - 00000350 _____ C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
2013-09-12 12:06 - 2013-02-21 10:07 - 00000880 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-09-12 12:06 - 2013-01-15 09:27 - 00000342 _____ C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job
2013-09-12 12:05 - 2009-07-14 00:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-09-12 12:05 - 2009-07-14 00:39 - 00043423 _____ C:\Windows\setupact.log
2013-09-12 11:52 - 2013-09-12 15:29 - 01082587 _____ (Farbar) C:\Users\Renee\Desktop\FRST.exe
2013-09-12 11:47 - 2013-09-12 11:47 - 00007512 _____ C:\Users\Renee\Desktop\RKreport[0]_S_09122013_114709.txt
2013-09-12 11:26 - 2013-09-12 11:26 - 00007545 _____ C:\Users\Renee\Desktop\RKreport[0]_S_09122013_112636.txt
2013-09-12 11:26 - 2010-11-20 17:01 - 00778470 _____ C:\Windows\system32\PerfStringBackup.INI
2013-09-12 11:24 - 2013-09-12 11:45 - 00000000 ____D C:\Users\Renee\Desktop\RK_Quarantine
2013-09-12 11:24 - 2013-09-12 11:24 - 00026624 _____ C:\Windows\system32\TrueSight.sys
2013-09-12 11:05 - 2013-09-12 11:05 - 00867840 _____ (Eastern Digital Corporation                                 ) C:\Users\Renee\cflljignsv1.exe
2013-09-12 11:05 - 2013-09-12 11:05 - 00867840 _____ (Eastern Digital Corporation                                 ) C:\Users\Renee\cflljignsv0.exe
2013-09-12 11:05 - 2013-09-12 11:05 - 00847360 _____ (Eastern Digital Coproration                                 ) C:\Users\Renee\AppData\Roaming\11AD.tmp
2013-09-12 11:05 - 2013-09-12 11:05 - 00846848 _____ (Eastern Digital Coproration                                 ) C:\Users\Renee\AppData\Roaming\mrprotection.exe
2013-09-12 11:05 - 2013-09-12 11:05 - 00000768 _____ C:\Users\Renee\Desktop\Internet Security 2013.lnk
2013-09-12 11:05 - 2012-05-15 11:13 - 00000000 ____D C:\Users\Renee
2013-09-12 08:39 - 2009-07-14 00:33 - 00481664 _____ C:\Windows\system32\FNTCACHE.DAT
2013-09-11 17:03 - 2012-05-15 14:01 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-09-11 17:03 - 2012-05-04 19:49 - 01791988 _____ C:\Windows\WindowsUpdate.log
2013-09-10 13:14 - 2013-02-21 10:07 - 00000000 ____D C:\Program Files\Google
2013-09-09 04:37 - 2012-05-15 13:44 - 00000000 ____D C:\Windows\system32\Drivers\AVG
2013-09-06 13:28 - 2013-02-21 10:08 - 00002131 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2013-09-06 08:42 - 2013-09-06 08:42 - 00224769 _____ C:\Users\Renee\Downloads\1547 Crestlawn_waiver.jpeg
2013-09-06 08:42 - 2013-09-06 08:42 - 00000000 ____D C:\Users\Renee\AppData\Local\{CE580A15-C3DC-41C3-8554-1868918EEC8A}
2013-08-30 08:29 - 2012-05-15 13:44 - 00000000 ____D C:\ProgramData\AVG10
2013-08-14 11:35 - 2012-11-08 09:29 - 00037664 _____ (AVG Technologies) C:\Windows\system32\Drivers\avgtpx86.sys
2013-08-14 11:35 - 2012-05-15 14:02 - 00000000 ____D C:\Program Files\AVG Secure Search
2013-08-14 10:16 - 2013-02-21 10:07 - 00000000 ____D C:\Users\Renee\AppData\Local\Google
 
ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini
 
Files to move or delete:
====================
ZeroAccess:
C:\Users\Renee\AppData\Local\Google\Desktop\Install\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}
ZeroAccess:
C:\Program Files\Google\Desktop\Install\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}
C:\ProgramData\UserProfileMigrationService.exe
C:\Users\Renee\cflljignsv0.exe
C:\Users\Renee\cflljignsv1.exe
C:\Users\Renee\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Renee\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
C:\Users\Renee\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\Renee\AppData\Local\Temp\nswBC12.tmp.tbFLV_.dll
C:\Users\Renee\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
C:\Program Files\Windows Defender\mpsvc.dll => ATTENTION: ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
 
 
LastRegBack: 2013-09-03 10:07
 
==================== End Of Log ============================
 
Addition.txt below
 
 
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 09-09-2013 02
Ran by rallen at 2013-09-12 15:29:45
Running from C:\Users\Renee\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Installed Programs =======================
 
32 Bit HP CIO Components Installer (Version: 8.1.4)
Adobe Acrobat X Standard - English, Français, Deutsch (Version: 10.1.3)
Adobe AIR (Version: 3.5.0.600)
Adobe Flash Player 11 ActiveX (Version: 11.2.202.222)
Amazon Cloud Drive (HKCU Version: 2.1.2013.1340)
AnswerWorks Runtime
AOL Toolbar
Apple Application Support (Version: 2.3.4)
Apple Mobile Device Support (Version: 6.1.0.13)
Apple Software Update (Version: 2.1.3.127)
Ask Toolbar (Version: 1.15.2.0)
Ask Toolbar Updater (HKCU Version: 1.2.1.23037)
AVG 2011 (Version: 10.0.1432)
AVG 2011 (Version: 10.0.3222)
AVG Security Toolbar (Version: 15.5.0.2)
Babylon toolbar on IE
BabylonObjectInstaller (Version: 2.0.0.2)
BATES Single 2006
Bing Bar (Version: 7.0.765.0)
Bonjour (Version: 3.0.0.10)
Catalyst Control Center - Branding (Version: 1.00.0000)
Catalyst Control Center (Version: 1.00.0000)
Catalyst Control Center (Version: 2011.0218.1838.33398)
Catalyst Control Center Graphics Previews Common (Version: 2011.0218.1838.33398)
Catalyst Control Center InstallProxy (Version: 2011.0218.1838.33398)
Catalyst Control Center Localization All (Version: 2011.0218.1838.33398)
Catalyst Control Center Profiles Desktop (Version: 2011.0218.1838.33398)
CCC Help Chinese Standard (Version: 2011.0218.1837.33398)
CCC Help Chinese Traditional (Version: 2011.0218.1837.33398)
CCC Help Czech (Version: 2011.0218.1837.33398)
CCC Help Danish (Version: 2011.0218.1837.33398)
CCC Help Dutch (Version: 2011.0218.1837.33398)
CCC Help English (Version: 2011.0218.1837.33398)
CCC Help Finnish (Version: 2011.0218.1837.33398)
CCC Help French (Version: 2011.0218.1837.33398)
CCC Help German (Version: 2011.0218.1837.33398)
CCC Help Greek (Version: 2011.0218.1837.33398)
CCC Help Hungarian (Version: 2011.0218.1837.33398)
CCC Help Italian (Version: 2011.0218.1837.33398)
CCC Help Japanese (Version: 2011.0218.1837.33398)
CCC Help Korean (Version: 2011.0218.1837.33398)
CCC Help Norwegian (Version: 2011.0218.1837.33398)
CCC Help Polish (Version: 2011.0218.1837.33398)
CCC Help Portuguese (Version: 2011.0218.1837.33398)
CCC Help Russian (Version: 2011.0218.1837.33398)
CCC Help Spanish (Version: 2011.0218.1837.33398)
CCC Help Swedish (Version: 2011.0218.1837.33398)
CCC Help Thai (Version: 2011.0218.1837.33398)
CCC Help Turkish (Version: 2011.0218.1837.33398)
ccc-utility (Version: 2011.0218.1838.33398)
CDDRV_Installer (Version: 4.60)
Conexant HD Audio (Version: 8.50.4.0)
Corel Applications
CyberLink PowerDVD 9.5 (Version: 9.5.1.4822)
D3DX10 (Version: 15.4.2368.0902)
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Dell Backup and Recovery Manager (Version: 1.3.1)
Dell Client System Update (Version: 1.3.0)
Dell Edoc Viewer (Version: 1.0.0)
DirectX 9 Runtime (Version: 1.00.0000)
Download Updater (AOL Inc.)
erLT (Version: 1.20.0137)
Google Chrome (Version: 29.0.1547.66)
Google Earth (Version: 7.1.1.1888)
Google Update Helper (Version: 1.3.21.153)
Intel® Control Center (Version: 1.2.1.1007)
Intel® Identity Protection Technology 1.2.27.0 (Version: 1.2.27.0)
Intel® Management Engine Components (Version: 7.1.50.1172)
iTunes (Version: 11.0.4.4)
Java Auto Updater (Version: 2.1.6.0)
Java 7 Update 5 (Version: 7.0.50)
JavaFX 2.1.1 (Version: 2.1.1)
Junk Mail filter update (Version: 15.4.3502.0922)
KhalInstallWrapper (Version: 2.00.0000)
Logitech SetPoint (Version: 4.80)
Mesh Runtime (Version: 15.4.5722.2)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Home and Business 2010 (Version: 14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (French) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (Version: 14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Office Single Image 2010 (Version: 14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (Version: 14.0.6029.1000)
Microsoft Silverlight (Version: 5.1.20513.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft VC9 runtime libraries (Version: 2.0.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
MozBackup 1.5.1
Mozilla Firefox 14.0.1 (x86 en-US) (Version: 14.0.1)
Mozilla Maintenance Service (Version: 17.0.8)
Mozilla Thunderbird 17.0.8 (x86 en-US) (Version: 17.0.8)
MSVCRT (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
PDF Reader
PDFCreator (Version: 1.3.2)
PhotoShowExpress (Version: 2.0.063)
Realtek Ethernet Controller All-In-One Windows Driver (Version: 1.12.0019)
Roxio Activation Module (Version: 1.0)
Roxio BackOnTrack (Version: 1.3.3)
Roxio Burn (Version: 1.8)
Roxio Creator Starter (Version: 1.0.439)
Roxio Creator Starter (Version: 12.1.77.0)
Roxio Creator Starter (Version: 5.0.0)
Roxio Express Labeler 3 (Version: 3.2.2)
Roxio File Backup (Version: 1.3.2)
Sonic CinePlayer Decoder Pack (Version: 4.3.0)
Tabs3/PracticeMaster Local Installation (Version: 16)
TValue 5
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2600217) (Version: 1)
Update for Microsoft .NET Framework 4 Extended (KB2836939) (Version: 1)
Update for Microsoft Access 2010 (KB2553446) 32-Bit Edition
Update for Microsoft Filter Pack 2.0 (KB2810071) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553157) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2589298) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589370) 32-Bit Edition
Update for Microsoft Office 2010 (KB2589375) 32-Bit Edition
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2598242) 32-Bit Edition
Update for Microsoft Office 2010 (KB2687503) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760598) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760631) 32-Bit Edition
Update for Microsoft Office 2010 (KB2760758) 32-Bit Edition
Update for Microsoft Office 2010 (KB2767886) 32-Bit Edition
Update for Microsoft Office 2010 (KB2794737) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2810072) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2687623) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
Update for Microsoft PowerPoint 2010 (KB2553145) 32-Bit Edition
Update for Microsoft Visio Viewer 2010 (KB2810066) 32-Bit Edition
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3508.1109)
Windows Live ID Sign-in Assistant (Version: 7.250.4225.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Mesh ActiveX Control for Remote Connections (Version: 15.4.5722.2)
Windows Live Messenger (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
 
==================== Restore Points  =========================
 
12-08-2013 19:37:29 Scheduled Checkpoint
20-08-2013 04:00:01 Scheduled Checkpoint
27-08-2013 19:55:24 Scheduled Checkpoint
04-09-2013 16:35:15 Scheduled Checkpoint
11-09-2013 17:25:23 Scheduled Checkpoint
11-09-2013 20:59:05 Windows Update
 
==================== Hosts content: ==========================
 
2009-07-13 22:04 - 2009-06-10 17:39 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
Task: {0D9B5D92-3A22-486D-A887-3AA21597CF27} - System32\Tasks\Microsoft\Windows\Time Synchronization\SynchronizeTime => Sc.exe start w32time task_started
Task: {1404A401-95D6-4320-AFE3-D6A5DBA59977} - System32\Tasks\Dell\Client System Update => C:\Program Files\Dell\ClientSystemUpdate\DellClientSystemUpdate.exe [2012-10-11] (Dell Inc.)
Task: {33B510D6-C32F-4AF3-AC29-0CD856AD7AE5} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-02-21] (Google Inc.)
Task: {5EC53DB2-6D77-46AF-9595-7FD97C69B53C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-02-21] (Google Inc.)
Task: {7421064F-10A3-4987-9A20-4D02CDB40AD1} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files\Ask.com\UpdateTask.exe [2012-05-04] ()
Task: {8EFDA13D-F23D-4520-9B87-3C8AF4BD9ACC} - System32\Tasks\ROC_JAN2013_TB_rmv => C:\Program Files\AVG Secure Search\PostInstall\ROC.exe [2013-01-31] ()
Task: {9D5F7820-3E3E-4777-9BB3-206E77A73D49} - System32\Tasks\WPD\SqmUpload_S-1-5-21-4039794277-2676274190-3673003869-1109 => C:\Windows\System32\portabledeviceapi.dll [2010-11-20] (Microsoft Corporation)
Task: {B735A986-A8CF-4E45-9E45-7DC33B44FB89} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {BA06FF12-F2EF-4E1E-9ED0-942CE342C47D} - System32\Tasks\Microsoft\Windows Live\SOXE\Extractor Definitions Update Task
Task: {BBE74FDA-2CA5-4F83-B48D-396E5A26ED95} - System32\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv => C:\Windows\TEMP\{F50BA88E-4A76-42D9-883F-9F352AE4B9F0}.exe
Task: {EA7353F0-68AA-406F-8E2C-0DEA6A1F960C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-04] (Adobe Systems Incorporated)
Task: {FEF3596B-5AB7-4637-A37D-BC5A66305210} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{F50BA88E-4A76-42D9-883F-9F352AE4B9F0}.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job => C:\Program Files\AVG Secure Search\PostInstall\ROC.exe
 
==================== Loaded Modules (whitelisted) =============
 
2009-07-13 20:07 - 2009-07-13 21:14 - 00064000 _____ (Fraunhofer Institut Integrierte Schaltungen IIS) C:\Windows\System32\l3codeca.acm
2009-07-13 20:03 - 2009-07-13 21:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\system32\imaadp32.acm
2009-07-13 20:03 - 2009-07-13 21:14 - 00012288 _____ (Microsoft Corporation) C:\Windows\system32\msg711.acm
2009-07-13 20:03 - 2009-07-13 21:14 - 00023552 _____ (Microsoft Corporation) C:\Windows\system32\msgsm32.acm
2009-07-13 20:03 - 2009-07-13 21:14 - 00018432 _____ (Microsoft Corporation) C:\Windows\system32\msadp32.acm
2012-05-15 16:29 - 2000-03-12 23:47 - 00131072 ____N (Corel Corporation Limited) C:\Windows\system32\shellwp.dll
2010-11-17 11:36 - 2010-11-17 11:36 - 00145904 _____ (TODO: <Company name>) C:\Program Files\Roxio\OEM\Roxio Burn\RB_ContextMenu.dll
2010-11-20 17:29 - 2010-11-20 17:29 - 00232448 _____ () C:\Windows\system32\mswsock.dll
2010-11-20 17:29 - 2010-11-20 17:29 - 00232448 _____ (Microsoft Corporation) \\.\globalroot\systemroot\system32\mswsock.dll
 
==================== Alternate Data Streams (whitelisted) ==========
 
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (09/12/2013 11:34:48 AM) (Source: Microsoft Office 14) (User: )
Description: Microsoft Word: Accepted Safe Mode action : Word failed to start correctly last time.  Starting Word in safe mode will help you correct or isolate a startup problem in order to successfully start the program.  Some functionality may be disabled in this mode.
 
Do you want to start Word in safe mode?.
Accepted Safe Mode action : Microsoft Word.
 
Error: (09/12/2013 00:14:58 PM) (Source: Application Error) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: mshtml.dll, version: 10.0.9200.16686, time stamp: 0x5205a143
Exception code: 0xc0000005
Fault offset: 0x00279711
Faulting process id: 0xf04
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3
 
Error: (09/12/2013 00:07:39 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (09/12/2013 08:40:20 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (09/11/2013 04:59:06 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddWin32ServiceFiles: Unable to back up image of service Windows Defender since QueryServiceConfig API failed
 
System Error:
The system cannot find the file specified.
.
 
Error: (09/11/2013 01:25:26 PM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddWin32ServiceFiles: Unable to back up image of service Windows Defender since QueryServiceConfig API failed
 
System Error:
The system cannot find the file specified.
.
 
Error: (09/10/2013 05:59:07 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5070
 
Error: (09/10/2013 05:59:07 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5070
 
Error: (09/10/2013 05:59:07 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (09/10/2013 05:59:06 PM) (Source: Bonjour Service) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4071
 
 
System errors:
=============
Error: (09/12/2013 01:31:20 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 107.
 
Error: (09/12/2013 01:31:20 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
 
Error: (09/12/2013 01:30:36 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 107.
 
Error: (09/12/2013 01:30:36 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
 
Error: (09/12/2013 01:29:48 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 107.
 
Error: (09/12/2013 01:29:48 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
 
Error: (09/12/2013 01:29:06 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 107.
 
Error: (09/12/2013 01:29:06 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
 
Error: (09/12/2013 01:28:24 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 107.
 
Error: (09/12/2013 01:28:24 PM) (Source: Schannel) (User: NT AUTHORITY)
Description: An SSL 3.0 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
 
 
Microsoft Office Sessions:
=========================
Error: (09/12/2013 11:34:48 AM) (Source: Microsoft Office 14)(User: )
Description: Microsoft WordWord failed to start correctly last time.  Starting Word in safe mode will help you correct or isolate a startup problem in order to successfully start the program.  Some functionality may be disabled in this mode.
 
Do you want to start Word in safe mode?
 
Error: (09/12/2013 00:14:58 PM) (Source: Application Error)(User: )
Description: svchost.exe6.1.7600.163854a5bc100mshtml.dll10.0.9200.166865205a143c000000500279711f0401ceafd2c3f3a57eC:\Windows\System32\svchost.exeC:\Windows\System32\mshtml.dll779318cc-1bc6-11e3-9e53-d4bed9d78a0c
 
Error: (09/12/2013 00:07:39 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (09/12/2013 08:40:20 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (09/11/2013 04:59:06 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: 
Details:
AddWin32ServiceFiles: Unable to back up image of service Windows Defender since QueryServiceConfig API failed
 
System Error:
The system cannot find the file specified.
 
Error: (09/11/2013 01:25:26 PM) (Source: Microsoft-Windows-CAPI2)(User: )
Description: 
Details:
AddWin32ServiceFiles: Unable to back up image of service Windows Defender since QueryServiceConfig API failed
 
System Error:
The system cannot find the file specified.
 
Error: (09/10/2013 05:59:07 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 5070
 
Error: (09/10/2013 05:59:07 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledEvent 5070
 
Error: (09/10/2013 05:59:07 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: Continuously busy for more than a second
 
Error: (09/10/2013 05:59:06 PM) (Source: Bonjour Service)(User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4071
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 36%
Total physical RAM: 3317.06 MB
Available physical RAM: 2096.69 MB
Total Pagefile: 6632.41 MB
Available Pagefile: 5308.71 MB
Total Virtual: 2047.88 MB
Available Virtual: 1886.02 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:452.47 GB) (Free:395.97 GB) NTFS
Drive e: () (Removable) (Total:0.96 GB) (Free:0.72 GB) FAT32
Drive f: (Data) (Network) (Total:1761.96 GB) (Free:1698.74 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 466 GB) (Disk ID: 503AA27D)
Partition 1: (Not Active) - (Size=39 MB) - (Type=DE)
Partition 2: (Active) - (Size=13 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=452 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 983 MB) (Disk ID: 00000000)
Partition 1: (Not Active) - (Size=983 MB) - (Type=0B)
 
==================== End Of Log ============================
 
Link to post
Share on other sites

Hi,

 

 

Now please download the following file => fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

Regards,

Georgi

Link to post
Share on other sites

Fixlog is as follows:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-09-2013 02
Ran by rallen at 2013-09-12 16:05:47 Run:1
Running from C:\Users\Renee\Desktop
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
start
HKLM\...\Run: [] - [x]
HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKCU\...\Run: [internet Security] - C:\Users\Renee\AppData\Roaming\mrprotection.exe [846848 2013-09-12] (Eastern Digital Coproration                                 )
C:\Users\Renee\AppData\Roaming\mrprotection.exe
URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
URLSearchHook: (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} -  No File
SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=109935&tt=280612_8_&babsrc=SP_ss&mntrId=12f00e20000000000000d4bed9d78a0c
BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)
C:\Program Files\BabylonToolbar
BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
C:\Program Files\Ask.com
Toolbar: HKLM - Babylon Toolbar - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
Toolbar: HKLM - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Toolbar: HKCU -Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset
cmd: ipconfig /flushdns
FF DefaultSearchEngine: Ask.com
FF SearchEngineOrder.1: Ask.com
FF SelectedSearchEngine: Ask.com
FF SearchPlugin: C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\searchplugins\askcom.xml
FF SearchPlugin: C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\searchplugins\CouponAlert_2p.xml
FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml
FF Extension: Ask Toolbar - C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\Extensions\toolbar@ask.com
CHR Extension: (Babylon Toolbar) - C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.7_0
CHR HKLM\...\Chrome\Extension: [dhkplhfnhceodhffomolpfigojocbpcb] - C:\Users\Renee\AppData\Roaming\BabylonToolbar\CR\BabylonChrome1.crx
U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\   \...\???\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
2013-09-12 11:05 - 2013-09-12 11:05 - 00867840 _____ (Eastern Digital Corporation                                 ) C:\Users\Renee\cflljignsv1.exe
2013-09-12 11:05 - 2013-09-12 11:05 - 00867840 _____ (Eastern Digital Corporation                                 ) C:\Users\Renee\cflljignsv0.exe
2013-09-12 11:05 - 2013-09-12 11:05 - 00847360 _____ (Eastern Digital Coproration                                 ) C:\Users\Renee\AppData\Roaming\11AD.tmp
2013-09-12 11:05 - 2013-09-12 11:05 - 00846848 _____ (Eastern Digital Coproration                                 ) C:\Users\Renee\AppData\Roaming\mrprotection.exe
2013-09-12 11:05 - 2013-09-12 11:05 - 00000768 _____ C:\Users\Renee\Desktop\Internet Security 2013.lnk
2013-09-06 08:42 - 2013-09-06 08:42 - 00000000 ____D C:\Users\Renee\AppData\Local\{CE580A15-C3DC-41C3-8554-1868918EEC8A}
C:\Windows\assembly\GAC\Desktop.ini
C:\Users\Renee\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
File: C:\ProgramData\UserProfileMigrationService.exe
C:\Users\Renee\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Renee\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
C:\Users\Renee\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\Renee\AppData\Local\Temp\nswBC12.tmp.tbFLV_.dll
C:\Users\Renee\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
Task: {7421064F-10A3-4987-9A20-4D02CDB40AD1} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files\Ask.com\UpdateTask.exe [2012-05-04] ()
end
*****************
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security => Value not found.
C:\Users\Renee\AppData\Roaming\mrprotection.exe => Moved successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00000000-6E41-4FD3-8538-502F5495E5FC} => Value deleted successfully.
HKCR\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC} => Key deleted successfully.
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} => Value deleted successfully.
HKCR\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{020E39AF-4467-40A6-A22A-EB7495BB9C09} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{020E39AF-4467-40A6-A22A-EB7495BB9C09} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B} => Key deleted successfully.
HKCR\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B} => Key deleted successfully.
C:\Program Files\BabylonToolbar => Moved successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key deleted successfully.
HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key deleted successfully.
C:\Program Files\Ask.com => Moved successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{98889811-442D-49dd-99D7-DC866BE87DBC} => Value deleted successfully.
HKCR\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC} => Key deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} => Value deleted successfully.
HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} => Value deleted successfully.
HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll
 
=========  netsh winsock reset =========
 
The following helper DLL cannot be loaded: WSHELPER.DLL.
The following command was not found: winsock reset.
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
Firefox DefaultSearchEngine deleted successfully.
Firefox SearchEngineOrder.1 deleted successfully.
Firefox SelectedSearchEngine deleted successfully.
C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\searchplugins\askcom.xml => Moved successfully.
C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\searchplugins\CouponAlert_2p.xml => Moved successfully.
C:\Program Files\mozilla firefox\searchplugins\babylon.xml => Moved successfully.
C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\Extensions\toolbar@ask.com => Moved successfully.
C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb => Moved successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb => Key deleted successfully.
C:\Users\Renee\AppData\Roaming\BabylonToolbar\CR\BabylonChrome1.crx => Moved successfully.
*etadpug => Service deleted successfully.
C:\Users\Renee\cflljignsv1.exe => Moved successfully.
C:\Users\Renee\cflljignsv0.exe => Moved successfully.
C:\Users\Renee\AppData\Roaming\11AD.tmp => Moved successfully.
"C:\Users\Renee\AppData\Roaming\mrprotection.exe" => File/Directory not found.
C:\Users\Renee\Desktop\Internet Security 2013.lnk => Moved successfully.
C:\Users\Renee\AppData\Local\{CE580A15-C3DC-41C3-8554-1868918EEC8A} => Moved successfully.
C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.
C:\Users\Renee\AppData\Local\Google\Desktop\Install => Moved successfully.
 
"C:\Program Files\Google\Desktop\Install" directory move:
 
Could not move "C:\Program Files\Google\Desktop\Install" directory. => Scheduled to move on reboot.
 
 
========================= File: C:\ProgramData\UserProfileMigrationService.exe ========================
 
MD5: A7F075A6A389D89757EDEB1000767049
Creation and modification date: 2013-07-19 15:24 - 2013-07-19 15:24
Size: 0425256
Attributes: ----A
Company Name: ForensiT Limited
Internal Name: User Profile Migration Service
Original Name: User Profile Migration Service.exe
Product Name: User Profile Wizard
Description: ForensiT User Profile Migration Service
File Version: 3.8.1186.0
Product Version: 3.8.1186.0
Copyright: Copyright © ForensiT 2002-2013
 
====== End Of File: ======
 
C:\Users\Renee\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.
C:\Users\Renee\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe => Moved successfully.
C:\Users\Renee\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe => Moved successfully.
C:\Users\Renee\AppData\Local\Temp\nswBC12.tmp.tbFLV_.dll => Moved successfully.
C:\Users\Renee\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll => Moved successfully.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
 
 
By the way - at the top of FRST when it was showing that the fix was in progress - that window did not close after the log file posted - and now it is saying "Not Responding"  Is it OK to close FRST?
 
Thanks
Link to post
Share on other sites

Georgi:

Is this all of it?

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-09-2013 02

Ran by rallen at 2013-09-12 16:05:47 Run:1

Running from C:\Users\Renee\Desktop

Boot Mode: Normal

==============================================

Content of fixlist:

*****************

start

HKLM\...\Run: [] - [x]

HKCU\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)

HKCU\...\Run: [internet Security] - C:\Users\Renee\AppData\Roaming\mrprotection.exe [846848 2013-09-12] (Eastern Digital Coproration )

C:\Users\Renee\AppData\Roaming\mrprotection.exe

URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

URLSearchHook: (No Name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - No File

SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKCU - {020E39AF-4467-40A6-A22A-EB7495BB9C09} URL = http://websearch.ask...00031&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=157758C2-71C9-484F-AA41-9E8014603FA9&apn_sauid=41606CCA-1678-4082-9253-4F2BEAD1D386

SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=109935&tt=280612_8_&babsrc=SP_ss&mntrId=12f00e20000000000000d4bed9d78a0c

BHO: Babylon toolbar helper - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)

C:\Program Files\BabylonToolbar

BHO: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

C:\Program Files\Ask.com

Toolbar: HKLM - Babylon Toolbar - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)

Toolbar: HKLM - Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

Toolbar: HKCU -Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask)

Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"

Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"

cmd: netsh winsock reset

cmd: ipconfig /flushdns

FF DefaultSearchEngine: Ask.com

FF SearchEngineOrder.1: Ask.com

FF SelectedSearchEngine: Ask.com

FF SearchPlugin: C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\searchplugins\askcom.xml

FF SearchPlugin: C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\searchplugins\CouponAlert_2p.xml

FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\babylon.xml

FF Extension: Ask Toolbar - C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\Extensions\toolbar@ask.com

CHR Extension: (Babylon Toolbar) - C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.7_0

CHR HKLM\...\Chrome\Extension: [dhkplhfnhceodhffomolpfigojocbpcb] - C:\Users\Renee\AppData\Roaming\BabylonToolbar\CR\BabylonChrome1.crx

U2 *etadpug; "C:\Program Files\Google\Desktop\Install\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\ \...\???\{6171dc86-dd0a-a3e6-a4f9-492f24b239ed}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

2013-09-12 11:05 - 2013-09-12 11:05 - 00867840 _____ (Eastern Digital Corporation ) C:\Users\Renee\cflljignsv1.exe

2013-09-12 11:05 - 2013-09-12 11:05 - 00867840 _____ (Eastern Digital Corporation ) C:\Users\Renee\cflljignsv0.exe

2013-09-12 11:05 - 2013-09-12 11:05 - 00847360 _____ (Eastern Digital Coproration ) C:\Users\Renee\AppData\Roaming\11AD.tmp

2013-09-12 11:05 - 2013-09-12 11:05 - 00846848 _____ (Eastern Digital Coproration ) C:\Users\Renee\AppData\Roaming\mrprotection.exe

2013-09-12 11:05 - 2013-09-12 11:05 - 00000768 _____ C:\Users\Renee\Desktop\Internet Security 2013.lnk

2013-09-06 08:42 - 2013-09-06 08:42 - 00000000 ____D C:\Users\Renee\AppData\Local\{CE580A15-C3DC-41C3-8554-1868918EEC8A}

C:\Windows\assembly\GAC\Desktop.ini

C:\Users\Renee\AppData\Local\Google\Desktop\Install

C:\Program Files\Google\Desktop\Install

File: C:\ProgramData\UserProfileMigrationService.exe

C:\Users\Renee\AppData\Local\Temp\InstallFlashPlayer.exe

C:\Users\Renee\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe

C:\Users\Renee\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe

C:\Users\Renee\AppData\Local\Temp\nswBC12.tmp.tbFLV_.dll

C:\Users\Renee\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll

DeleteJunctionsIndirectory: C:\Program Files\Windows Defender

Task: {7421064F-10A3-4987-9A20-4D02CDB40AD1} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files\Ask.com\UpdateTask.exe [2012-05-04] ()

end

*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => Value deleted successfully.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\Internet Security => Value not found.

C:\Users\Renee\AppData\Roaming\mrprotection.exe => Moved successfully.

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{00000000-6E41-4FD3-8538-502F5495E5FC} => Value deleted successfully.

HKCR\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC} => Key deleted successfully.

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\\{A3BC75A2-1F87-4686-AA43-5347D756017C} => Value deleted successfully.

HKCR\CLSID\{A3BC75A2-1F87-4686-AA43-5347D756017C} => Key not found.

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{020E39AF-4467-40A6-A22A-EB7495BB9C09} => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{020E39AF-4467-40A6-A22A-EB7495BB9C09} => Key not found.

HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key not found.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2EECD738-5844-4a99-B4B6-146BF802613B} => Key deleted successfully.

HKCR\CLSID\{2EECD738-5844-4a99-B4B6-146BF802613B} => Key deleted successfully.

C:\Program Files\BabylonToolbar => Moved successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key deleted successfully.

HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key deleted successfully.

C:\Program Files\Ask.com => Moved successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{98889811-442D-49dd-99D7-DC866BE87DBC} => Value deleted successfully.

HKCR\CLSID\{98889811-442D-49dd-99D7-DC866BE87DBC} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{D4027C7F-154A-4066-A1AD-4243D8127440} => Value deleted successfully.

HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} => Value deleted successfully.

HKCR\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440} => Key not found.

Winsock: Catalog5 entry 000000000001\\LibraryPath was set successfully to %SystemRoot%\system32\NLAapi.dll

Winsock: Catalog5 entry 000000000005\\LibraryPath was set successfully to %SystemRoot%\System32\mswsock.dll

========= netsh winsock reset =========

The following helper DLL cannot be loaded: WSHELPER.DLL.

The following command was not found: winsock reset.

========= End of CMD: =========

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

Firefox DefaultSearchEngine deleted successfully.

Firefox SearchEngineOrder.1 deleted successfully.

Firefox SelectedSearchEngine deleted successfully.

C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\searchplugins\askcom.xml => Moved successfully.

C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\searchplugins\CouponAlert_2p.xml => Moved successfully.

C:\Program Files\mozilla firefox\searchplugins\babylon.xml => Moved successfully.

C:\Users\Renee\AppData\Roaming\Mozilla\Firefox\Profiles\81i6aum8.default\Extensions\toolbar@ask.com => Moved successfully.

C:\Users\Renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb => Moved successfully.

HKLM\SOFTWARE\Google\Chrome\Extensions\dhkplhfnhceodhffomolpfigojocbpcb => Key deleted successfully.

C:\Users\Renee\AppData\Roaming\BabylonToolbar\CR\BabylonChrome1.crx => Moved successfully.

*etadpug => Service deleted successfully.

C:\Users\Renee\cflljignsv1.exe => Moved successfully.

C:\Users\Renee\cflljignsv0.exe => Moved successfully.

C:\Users\Renee\AppData\Roaming\11AD.tmp => Moved successfully.

"C:\Users\Renee\AppData\Roaming\mrprotection.exe" => File/Directory not found.

C:\Users\Renee\Desktop\Internet Security 2013.lnk => Moved successfully.

C:\Users\Renee\AppData\Local\{CE580A15-C3DC-41C3-8554-1868918EEC8A} => Moved successfully.

C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.

C:\Users\Renee\AppData\Local\Google\Desktop\Install => Moved successfully.

"C:\Program Files\Google\Desktop\Install" directory move:

Could not move "C:\Program Files\Google\Desktop\Install" directory. => Scheduled to move on reboot.

========================= File: C:\ProgramData\UserProfileMigrationService.exe ========================

MD5: A7F075A6A389D89757EDEB1000767049

Creation and modification date: 2013-07-19 15:24 - 2013-07-19 15:24

Size: 0425256

Attributes: ----A

Company Name: ForensiT Limited

Internal Name: User Profile Migration Service

Original Name: User Profile Migration Service.exe

Product Name: User Profile Wizard

Description: ForensiT User Profile Migration Service

File Version: 3.8.1186.0

Product Version: 3.8.1186.0

Copyright: Copyright © ForensiT 2002-2013

====== End Of File: ======

C:\Users\Renee\AppData\Local\Temp\InstallFlashPlayer.exe => Moved successfully.

C:\Users\Renee\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe => Moved successfully.

C:\Users\Renee\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe => Moved successfully.

C:\Users\Renee\AppData\Local\Temp\nswBC12.tmp.tbFLV_.dll => Moved successfully.

C:\Users\Renee\AppData\Local\Temp\sqlite-3.7.2-sqlitejdbc.dll => Moved successfully.

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.

"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender\MpCommu.dll" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender\MpRTP.dll" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7421064F-10A3-4987-9A20-4D02CDB40AD1} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7421064F-10A3-4987-9A20-4D02CDB40AD1} => Key deleted successfully.

C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar => Moved successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar => Key deleted successfully.

=========== Result of Scheduled Files to move ===========

C:\Program Files\Google\Desktop\Install => Moved successfully.

==== End of Fixlog ====

Link to post
Share on other sites

Hi,

 

 

Yes - this is the complete report. Thank you! I guess that FRST is no longer "Not responding" and if so you can close it.

 

Now let's check for leftovers.

The most of them should take no more than 5 minutes each.

You can run these scans at night when you are not there and the computer is idle.

Also we need to repair some of the Windows services like Windows Update, Windows Firewall, Security Center etc. which are probably broken by the rootkit.

And then I'll give you my final recommendations:



STEP 1

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
     
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please attach the results to your next reply.



STEP 2




  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please attach the results to your next reply.



STEP 3



Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    Sbf88.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    JtwHB.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please attach the results to your next reply.



STEP 4




  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-click on it's icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and attach the results to your next reply.


 

STEP 5



Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach the results to your next reply.

 

 

 

STEP 6

 

 

 

  • Please download MiniToolBox.exe by Farbar save it to your desktop and run it.
  • Checkmark all boxes.
  • Click Go and attach the result (Result.txt) to your next reply. A copy of Result.txt will be saved in the same directory the tool is run.

 

 

STEP 7



Please download AdwCleaner by Xplode and save to your Desktop.


  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Please copy and past the results at pastebin.com and post the link to the log in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

 

 

STEP 8
 

 

  1. Please download OTL from the link below:
  2. Save it to your desktop/
  3. Double click on the otlDesktopIcon.png icon on your desktop.
  4. OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  5. Copy and Paste the following code into the customFix.png textbox.
  6. Don't copy the word "quote"
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\temp\*.exe
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates\*.*
    %USERPROFILE%\AppData\Local\Microsoft\*.*
    %USERPROFILE%\AppData\Local\Microsoft\*.
    %USERPROFILE%\AppData\Roaming\Microsoft\*.*
    %USERPROFILE%\AppData\Roaming\Microsoft\*.
    %windir%\AppPatch\*.*
    %windir%\AppPatch\*.
    %Public%\Documents\*.*
    %Public%\Documents\*.
    %ProgramData%\*.*
    %ProgramData%\*.
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\*.
    %CommonProgramFiles%\ComObjects\*.exe
    %ProgramFiles%\*.*
    %ProgramFiles%\*.
    %programdata%\Microsoft\Windows\DRM\*.tmp
    %programdata%\Microsoft\DRM\*.tmp
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Local\*.
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Local\*.
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %windir%\SysWOW64\config\systemprofile\AppData\Roaming\*.
    %windir%\ServiceProfiles\LocalService\AppData\Local\Temp\*.tlb
    %windir%\ServiceProfiles\NetworkService\AppData\Local\Temp\*.tlb
    %windir%\temp\*.exe
    %windir%\*.
    %windir%\ShellNew\*.*
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /90
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %SYSTEMDRIVE%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s
    HKEY_CLASSES_ROOT\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    type C:\WINDOWS\system.ini >> test.txt /c
    bcdedit /enum all /v >C:\boot.txt /c
    >C:\commands.txt echo list vol /raw /hide /c
    /wait
    >C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
    /wait
    type c:\diskreport.txt /c
    /wait
    erase c:\commands.txt /hide /c
    /wait
    erase c:\diskreport.txt /hide /c
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    imapi.sys
    fastfat.sys
    atapi.sys
    iaStor.sys
    serial.sys
    volsnap.sys
    disk.sys
    redbook.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    kbdclass.sys
    kbdhid.sys
    mouclass.sys
    mouhid.sys
    spldr.sys
    dfsc.sys
    hlp.dat
    str.sys
    CREXVX.OCX
    crexv.ocx
    msseedir.dll
    msdr.dll
    lmbd.dll
    wsse.dll
    /md5stop

     

  7. Push the runscanbutton.png button.
  8. Two reports will open, attach the logs to your next reply.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

 

 

Regards,

Georgi

Link to post
Share on other sites

I'm 100% sure it's running to completion, but when I click on the Report button - it appears that is it looking at the U: drive, which is the home drive for the report. I've looked under C: to see if there is a subfolder for adwcleaner, but there isn't. The actual file is saved to the desktop. Any suggestions, or do you still want me to skip that step.

Link to post
Share on other sites

Here are the reports you requested.

rkill.log

Rkill 2.6.1 by Lawrence Abrams (Grinler)

http://www.bleepingcomputer.com/

Copyright 2008-2013 BleepingComputer.com

More Information about Rkill can be found at this link:

http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/12/2013 06:12:18 PM in x86 mode.

Windows Version: Windows 7 Professional Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Firewall Authorization Driver (mpsdrv) is not Running.

Startup Type set to: Manual

* BFE [Missing Service]

* BITS [Missing Service]

* iphlpsvc [Missing Service]

* MpsSvc [Missing Service]

* PcaSvc [Missing Service]

* PolicyAgent [Missing Service]

* RemoteAccess [Missing Service]

* WinDefend [Missing Service]

* wscsvc [Missing Service]

* wuauserv [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 09/12/2013 06:15:32 PM

Execution time: 0 hours(s), 3 minute(s), and 14 seconds(s)

Link to post
Share on other sites

RKReport

RogueKiller V8.6.11 [sep 11 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.adlice.com/forum/

Website : http://www.adlice.com/softwares/roguekiller/

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version

Started in : Normal mode

User : rallen [Admin rights]

Mode : Scan -- Date : 09/12/2013 18:18:29

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 6 ¤¤¤

[DNS] HKLM\[...]\CCSet\[...]\{84B64075-BED6-4583-90F0-D89C78119598} : NameServer (10.0.0.10) -> FOUND

[DNS] HKLM\[...]\CS001\[...]\{84B64075-BED6-4583-90F0-D89C78119598} : NameServer (10.0.0.10) -> FOUND

[DNS] HKLM\[...]\CS002\[...]\{84B64075-BED6-4583-90F0-D89C78119598} : NameServer (10.0.0.10) -> FOUND

[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 2 ¤¤¤

[V1][sUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv.job : C:\Windows\TEMP\{F50BA88E-4A76-42D9-883F-9F352AE4B9F0}.exe - --uninstall=1 [x] -> FOUND

[V2][sUSP PATH] AVG-Secure-Search-Update_JUNE2013_TB_rmv : C:\Windows\TEMP\{F50BA88E-4A76-42D9-883F-9F352AE4B9F0}.exe - --uninstall=1 [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

[Address] IRP[iRP_MJ_CREATE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B61A8CC)

[Address] IRP[iRP_MJ_CLOSE] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B61A8CC)

[Address] IRP[iRP_MJ_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B60647C)

[Address] IRP[iRP_MJ_INTERNAL_DEVICE_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B60644E)

[Address] IRP[iRP_MJ_POWER] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B6064AA)

[Address] IRP[iRP_MJ_SYSTEM_CONTROL] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B615DB2)

[Address] IRP[iRP_MJ_PNP] : C:\Windows\System32\drivers\mountmgr.sys -> HOOKED ([Address] C:\Windows\system32\drivers\ataport.SYS @ 0x8B615D7E)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST500DM002-1BD142 ATA Device +++++

--- User ---

[MBR] 4c735f837396d4f13b1b716b50bff6bf

[bSP] 774466be9f0a0c9de895e17126667ee8 : Windows Vista MBR Code

Partition table:

0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo

1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 13568 Mo

2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 27869184 | Size: 463328 Mo

User = LL1 ... OK!

User = LL2 ... OK!

+++++ PhysicalDrive1: ST500DM002-1BD142 ATA Device +++++

--- User ---

[MBR] c101098de7e98413ce2941d5c0ebefa8

[bSP] ef3177ea6997481f5647d45aa222b26f : Empty MBR Code

Partition table:

0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 32 | Size: 982 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[0]_S_09122013_181829.txt >>

RKreport[0]_S_09122013_112636.txt;RKreport[0]_S_09122013_114709.txt

Link to post
Share on other sites

Hi Jenny,

 

 

Next let's try to fix the broken services.


Backup Your Registry



 

Now download the following files and save them to your desktop:

mpsdrv.reg

 

BFE.reg

 

BITS.reg

 

iphlpsvc.reg

 

MpsSvc.reg

 

PcaSvc.reg

 

PolicyAgent.reg

 

RemoteAccess.reg

 

WinDefend.reg

 

wscsvc.reg

 

wuauserv.reg

 

SharedAccess.reg

Now double click on each of them one by one. An information box will pop up asking if you want to merge the information in the file into the registry, click YES.

 

  • Next please download the ESET ServicesRepair utility and save it to your Desktop.
  • Double-click ServicesRepair.exe to run the ESET ServicesRepair utility.
  • If you are using User Access Control, click Run when prompted and then click Yes when asked to allow changes.
  • Reboot the computer and then please attach fresh logs from the following 2 tools - RKILL and Farbar Service Scanner.

 

 

Regards,

Georgi

Link to post
Share on other sites

Btw also:

 

 

We Need to Run a Registry Script
 

  • Press the Windows Logo in the lower left corner of your screen.
  • In the 10-16-2011%204-33-46%20PM.png box, enter notepad and press Enter.
  • Highlight the contents of the following codebox, and copy and paste that text into notepad.
    Windows Registry Editor Version 5.00
     
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}]
    "AutoStart"=""

     

  • Select File -> Save.
  • Press the Desktop button on the left side of the save dialog.
  • In the 10-16-2011%204-37-58%20PM.png box, type in Fix.reg.
  • Press 10-16-2011%204-36-39%20PM.png.
  • Close Notepad.
  • Double click 10-16-2011%204-34-48%20PM.png on your desktop.
  • Press Yes if prompted by User Account Control.
  • Press Yes, and then Ok, when prompted.
  • Right click on 10-16-2011%204-34-48%20PM.png and choose Delete.
  • Press Yes.

 

Regards,

Georgi

Link to post
Share on other sites

I ran Tweaking.com-Registry Backup. Downloaded the .reg files as directed.

Attached are the two reports - RKIL and FSS.

Wen I tried to double click on the fix.reg file - I got the following error:

Cannot import c:\users\renee\desktop\fix.reg. The specified file is not a registry file. You can import only registry files.

Thanks and please let me know what else I need to do.

Rkill.txt

FSS.txt

Link to post
Share on other sites

Hi,

 

You probably forgot to add "Windows Registry Editor Version 5.00" at the start of file.

 

Anyway please download and run the the following registry file.

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.

 

Reboot the computer and please post fresh log from FSS only.

 

 

 

Regards,

Georgi

Link to post
Share on other sites

Hi Jen,

 

We have an improvement but the log still doesn't look the way I wanted it.

 

 

Please do the following:
 

  • Press windows key + R windows-r.jpg on your keyboard at the same time.
  • Type regedit and press Enter
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc
  • Right-Click wscsvc and select Permissions
  • Click Advanced.
  • Under Owner tab select the entry starting with you user name, example: B-boy-PC
  • Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
  • Under Security click Add, enter “Everyone” and click Check names and click OK.
  • Now click on Everyone in the list at the top, and check the “Allow Full Control” checkbox below.
  • Click Apply and OK and close the registry editor.
  • Now click on the start menu, then type cmd into the search box and when cmd.exe populates in the window above => right click it and choose "Run as Administrator"
  • Type: net start wscsvc and hit Enter.
     
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv
  • Right-Click wuauserv and select Permissions
  • Click Advanced.
  • Under Owner tab select the entry starting with you user name, example: B-boy-PC
  • Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
  • Under Security click Add, enter “Everyone” and click Check names and click OK.
  • Now click on Everyone in the list at the top, and check the “Allow Full Control” checkbox below.
  • Click Apply and OK and close the registry editor.
  • Type cmd into the start box and when cmd.exe populates in the window above => right click it and choose "Run as Administrator"
  • Type: net start wuauserv and hit Enter.
     
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend
  • Right-Click WinDefend and select Permissions
  • Click Advanced.
  • Under Owner tab select the entry starting with you user name, example: B-boy-PC
  • Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK.
  • Under Security click Add, enter “Everyone” and click Check names and click OK.
  • Now click on Everyone in the list at the top, and check the “Allow Full Control” checkbox below.
  • Click Apply and OK and close the registry editor.
  • Type cmd into the start box and when cmd.exe populates in the window above > right click it and choose "Run as Administrator"
  • Type: net start WinDefend and hit Enter.
     
  • Reboot the computer.
  • Attach a new log from FSS in your next reply.

 

 

Regards,

Georgi

Link to post
Share on other sites

Here is the scoop:

I did the first change with wscsvc - when I entered the net start wscsvc, it said the service had already started.

I did the 2nd change with wuauserv - and when I entered the net start wuauserv, it said the service had already started.

I did the 3rd change with windefend - and when I entered the net start command it was unable to restart WinDend.

the FSS log file is attached :(

Thanks,

Jennifer

FSS.txt

Link to post
Share on other sites

Hi Jenny,

 

 

Please download Windows Repair (all in one) from here

Install the program then go to step 4 and create a new system restore point and new registry backup.

step-4-tab.jpg

On the the Start Repairs tab => Click the Start

start-repairs-tab.jpg

Click on the Select All button and then click on Start

7fthj.png

DON'T use the computer while each scan is in progress.

Restart may be needed to finish the repair procedure.

Post new Farbar Service Scanner log.

 

Thanks! :)

 

 

Regards,

Georgi

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.