
Can't boot normally after virus removal...safe mode only



Computer: Dell e1505 (6400)

OS: Vista Service Pack 2

 

I am not super computer savvy, but will do my best. I tried downloading and running DDS in safe mode, but failed. I am not sure how much help I can be or what we can do from safe mode, but will attempt anything requested of me. My goal is to get back up and running in normal mode and then put in place a better system of problem avoidance and backup. I don't have many of the install disks for the software I am running, as I purchased and downloaded them online. If a clean install is finally the last option, I will perform it, but I would like to avoid it if possible, as recreating the additional software and files (other than system) seems daunting.

 

The problem. I have been using the free version of Malwarebytes. I performed my weekly update and scan, and it found 1 infection: trojan.medfos.dll. I followed the directions for either quarantine or removal and was then prompted to restart to finish the process. Also, I believe on this same normal start-up, I removed Java and updated Adobe Flash, prior to the malware scan. When I restarted I got the BSOD and I was unable to boot normally into Windows. I tried 10 times with the same result. Sometimes safe mode would even fail. Here is what I have done since first experiencing this problem.

 

1) In Safe Mode I ran Malwarebytes again and it found no infections.

2) With my Vista disk I ran Repair and it stated it couldn't repair the problem that was preventing me from booting normally.

3) I ran chkdsk and it came up with (Dell) error code 2000-0142. I contacted Dell and they said that indicated a failing hard drive.

4) I backed up my user data files to a USB hard drive, but because I don't have reinstall disks for much of the software I purchased and downloaded online, I decided to image the internal hard drive to the USB hard drive and then recover the image to a newly installed hard drive. During the imaging process the software detected 2 bad sectors that I ignored.

5) I booted up the laptop with the new hard drive and was still unable to boot normally, but I can now consistently boot to safe mode.

6) I rebuilt the BCD.

7) I ran fixmbr.

8) I ran fixboot.

9) I turned off all services and startup items with msconfig and still could not boot normally.

10) I attempted repair again with the Vista disk. It failed, but this time said: "unknown bugcheck: bugcheck 7e parameters = 0xc0000005, 0x8d8c3ef4, 0x803996c0, ox903993bc repair action: system files integrity check and repair. result: failed error code = 0x490".

11) The details under the popup "Windows has recovered from an unexpected problem" state: problem signature: event name: Blue Screen; os version: 6.0.6002.2.2.0.768.3; local id: 1033. Additional information about problem: bd code: 1000007e; bcp1: c0000005; bcp2: 8d8fbef4; bcp3: 803996co; bcp4: 803993bc; os version: 6_0_6002; service pack: 2_0; Product: 768_1. Files that help describe this problem: c:\Windows\minidump\mini100813-01.dmp; c:\users\David\appdata\local\temp\wer-57907-0.sysdata.xml; c:\users\david\appdata\local\temp\wer840D.tmp.version.txt

12) When I look up the data from the Malwarebytes scan for the trojan it last found, it says: "memory module detected c:\users\david\appdata\roaming\comsil.dll (trojan.medfos.dll) delete on reboot."

 

Is the fact that numbers 11 and 12 have similar paths (c:\users\david\appdata) significant? Since the problem signature is in the same vicinity as where Malwarebytes identified the trojan and attempted to remove it (or removed it), and then I had problems right after the removal process, I chose to post here.

 

Hopefully someone can help me. I don't want to do too much more on my own at this point.

Thank you in advance!!!

 

 

 

Zip up and attach this file: C:\Windows\minidump\mini100813-01.dmp

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop, in Safe Mode with Networking...

 

Note: You need to run the version compatible with your system (32-bit or 64-bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Kevin...


Mini100813-01.zip

 

Hi Kevin,

 

Thank you for the prompt reply. I forgot to mention my system was 32-bit. :( Sorry.

 

I zipped the mini100813-01.dmp file and hopefully have successfully attached it.

 

I also successfully downloaded the Farbar Recovery Scan Tool and saved it to my desktop, but after running it and beginning the scan, it got about a minute into it and then gave me the following pop-up dialog box:

 

AutoIt Error

Line 17539 (File "C:\Users\David\Desktop\frst.exe"):

Error: Error in expression

 

After I closed the dialog box, FRST quit.

 

Best,

David


Is your version of Avast free? If so, do the following:

 

Go here: http://www.avast.com/index. Download and save the installer for Avast to your Desktop or a folder of your choice...

 

Next,

 

Go here: http://www.avast.com/uninstall-utility. Follow the instructions to run the Avast uninstaller, then reboot. Can you now boot to normal mode? If so, install Avast from the installer you downloaded earlier. On completion, run a full scan and let me know what happens....


Yes, free Avast.

 

Did what you requested and....was able to boot in normal mode!!!!!! Yipeee!

 

The newly downloaded version of Avast ran a start-up scan that didn't find anything. It is now 45% into a full scan and shows 8 infected files and counting. Not sure if this will complete before I go to bed (and if you are in the UK you are probably asleep by now). Should I report back what Avast finds before doing what it suggests to do with them (e.g. quarantine, repair... whatever)?

 

BTW, three Run DLL pop-ups came up on start-up:

 

1) Error loading c:\User\David\appdata\local\applecomputer\apple\wtzvdsv.dll  the specified module could not be found

2) Error loading c:\User\David\appdata\roaming\winsil.dll  the specified module could not be found

3) Error loading c:\User\David\appdata\roaming\winvin.dll  the specified module could not be found

 

You are a deity... thank you! Will report back when Avast has finished the full scan.

D


Getting ready for bed and Avast just finished the scan. 12 infected files found. I clicked results and it shows me more detail and wants to "move to chest." Interestingly, 10 of them have to do with Java that I told you I had removed with add/remove programs just before the problems. Not sure how to copy the results (prior to any action) if that is what you would like me to do. I await your direction.

 

D


You're welcome

 

Avast found another Java malware on the start-up scan, which seems to be full again. It's a pre-boot scan, so white text on a black background. Anyway, this time, instead of just suggesting "move to chest", it is giving me 8 options: Delete, Delete all, Move to chest, Move all to chest, Repair, Repair all, Ignore, Ignore all. Which should I choose?


Kevin,

 

I hadn't heard back from you (I'm not sure how often or exactly how you work on this forum).

 

I did some research and chose to manually "move to chest" the java:agent infections, so that I could apply a different action if the scan came across a critical system file. After moving more than 50 Java files to the chest, the scanning has resumed... only at 5% of the hard drive now. Hopefully it will finish and I will be able to run FRST and send you the requested logs.


Please download RogueKiller from here:

 

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe <- 32-bit version

http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe <- 64-bit version


  • Make sure to get the correct version for your system.
  • Quit all running programs.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right-click -> Run as administrator; for XP, simply run RogueKiller.exe.
  • Wait until the Prescan has finished...
  • The following EULA will appear; please select Accept.
  • Ensure MBR Scan, Check Faked and AntiRootkit are checked.
  • Select Scan.
  • When the scan completes, select Report, then copy and paste that into your reply.
  • The log should be found in RKreport[?].txt on your Desktop.
  • Exit/Close RogueKiller.


RogueKiller V8.7.2 [Oct  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.adlice.com/forum/
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User : David [Admin rights]
Mode : Scan -- Date : 10/10/2013 16:04:45
| ARK || FAK || MBR |

¤¤¤ Bad processes : 2 ¤¤¤
[SUSP PATH] PCShowServerPMWrapper.exe -- C:\Users\David\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe [7] -> KILLED [TermProc]
[SUSP PATH] NDSPCShowServer.exe -- C:\Users\David\AppData\Local\DIRECTV Player\NDSPCShowServer.exe [7] -> KILLED [TermThr]

¤¤¤ Registry Entries : 16 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : PCShowServer ("C:\Users\David\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe" [7]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : DellSystemDetect (C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dell\Dell System Detect.appref-ms [-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : Apple (rundll32.exe "C:\Users\David\AppData\Local\Apple Computer\Apple\wtzvdsv.dll",DllRegisterServer [x][x][x]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : wmuin ("C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmuin.dll",_Clear [7][x][x]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : wmsil ("C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmsil.dll",get_sPLT [7][x][x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3700406598-1639912827-112258768-1001\[...]\Run : PCShowServer ("C:\Users\David\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe" [7]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3700406598-1639912827-112258768-1001\[...]\Run : DellSystemDetect (C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dell\Dell System Detect.appref-ms [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-3700406598-1639912827-112258768-1001\[...]\Run : Apple (rundll32.exe "C:\Users\David\AppData\Local\Apple Computer\Apple\wtzvdsv.dll",DllRegisterServer [x][x][x]) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\$Recycle.Bin\S-1-5-21-3700406598-1639912827-112258768-1001\$d76728a16439ce40ec9bb5b2a13c705f\n. [x]) -> FOUND
[HJ DLL][SUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (C:\PROGRA~2\ktutkemrgwgxybopmbg.bfg [x]) -> FOUND
[HJ DLL][SUSP PATH] HKLM\[...]\CS001\[...]\Parameters : ServiceDll (C:\PROGRA~2\ktutkemrgwgxybopmbg.bfg [x]) -> FOUND
[HJ DLL][SUSP PATH] HKLM\[...]\CS003\[...]\Parameters : ServiceDll (C:\PROGRA~2\ktutkemrgwgxybopmbg.bfg [x]) -> FOUND
[BROK VAL] HKCR\[...]\command :  () -> MISSING

¤¤¤ Scheduled tasks : 3 ¤¤¤
[V1][sUSP PATH] MySearchDial.job : C:\Users\David\AppData\Roaming\MYSEAR~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND
[V2][ROGUE ST] 4669 : wscript.exe - C:\Users\David\AppData\Local\Temp\launchie.vbs //B -> FOUND
[V2][sUSP PATH] MySearchDial : C:\Users\David\AppData\Roaming\MYSEAR~1\UPDATE~1\UPDATE~1.EXE - /Check [x] -> FOUND

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[inline] IAT @explorer.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x721A15A0)
[inline] IAT @explorer.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x721A1400)
[inline] EAT @explorer.exe (LdrLoadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x7219A520)
[inline] EAT @explorer.exe (LdrUnloadDll) : ntdll.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x7219A630)
[inline] EAT @explorer.exe (ChangeServiceConfig2A) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x7219C370)
[inline] EAT @explorer.exe (ChangeServiceConfig2W) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x7219C5C0)
[inline] EAT @explorer.exe (ChangeServiceConfigA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x7219BB20)
[inline] EAT @explorer.exe (ChangeServiceConfigW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x7219BF90)
[inline] EAT @explorer.exe (CreateServiceA) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x7219ACD0)
[inline] EAT @explorer.exe (CreateServiceW) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x7219B1A0)
[inline] EAT @explorer.exe (DeleteService) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x7219B8B0)
[inline] EAT @explorer.exe (SetServiceObjectSecurity) : ADVAPI32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x7219E980)
[inline] EAT @explorer.exe (SetWinEventHook) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x721A1400)
[inline] EAT @explorer.exe (SetWindowsHookExA) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x721A16D0)
[inline] EAT @explorer.exe (SetWindowsHookExW) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x721A18A0)
[inline] EAT @explorer.exe (UnhookWinEvent) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x721A15A0)
[inline] EAT @explorer.exe (UnhookWindowsHookEx) : USER32.dll -> HOOKED (C:\Program Files\AVAST Software\Avast\snxhk.dll @ 0x721A1A70)
[inline] EAT @explorer.exe (FwDoNothingOnObject) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36BB7266)
[inline] EAT @explorer.exe (FwEnableMemTracing) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36BB7266)
[inline] EAT @explorer.exe (FwSetMemLeakPolicy) : FirewallAPI.dll -> HOOKED (Unknown @ 0x36BB7266)

¤¤¤ External Hives: ¤¤¤
-> D:\windows\system32\config\SYSTEM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\SOFTWARE | DRVINFO [Drv - D:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\SECURITY | DRVINFO [Drv - D:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\SAM | DRVINFO [Drv - D:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\windows\system32\config\DEFAULT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]
-> D:\Users\Default\NTUSER.DAT | DRVINFO [Drv - D:] | SYSTEMINFO [sys - D:] [sys32 - FOUND] | USERINFO [startup - NOT_FOUND]

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts

127.0.0.1       localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ( @ )  -  +++++
--- User ---
[MBR] 0d3a3ca9e81432aff44bca92cb385b43
[BSP] cb96dfa00f188250b5f4e01fecd4dba3 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 47 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 96390 | Size: 10244 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 21077280 | Size: 102139 Mo
3 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 230259645 | Size: 192813 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_10102013_160445.txt >>

 

 

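Reading the RogueKiller report above (and the FRST log later in the thread) by hand comes down to scanning for the same few patterns the helper acts on: a Run value that makes rundll32.exe load a DLL from under a user's AppData folder, a built-in service such as Winmgmt whose image or ServiceDll has been redirected to a file outside the Windows directory, and driver entries whose image file no longer exists. The script below is an added example, not part of this thread and not code from RogueKiller or FRST; it parses the line formats both tools use, applies those three heuristics, and returns what it flagged. The sample lines are copied from the logs quoted in this thread, the regular expressions are this example's own reading of the two formats, and the svchost-hosted service list is an assumption limited to the one service seen hijacked here.

```python
"""Triage Run/service entries from FRST and RogueKiller style logs (added example)."""
import re
from dataclasses import dataclass

# Line formats of the two tools quoted in this thread; each pattern captures the
# value name and the command line or image path that the entry points at.
FRST_RUN = re.compile(r"^HK(?:LM|U)\\.*?\\Run: \[(?P<name>[^\]]*)\] - (?P<cmd>.*)$")
RK_RUN = re.compile(r"^\[RUN\].*\\Run : (?P<name>\S+) \((?P<cmd>.*?)(?: ?\[[^\]]*\])*\) -> FOUND$")
FRST_SERVICE = re.compile(r"^S\d (?P<name>[^;]+); (?P<path>.*)$")
RK_SERVICEDLL = re.compile(r"^\[HJ DLL\].*ServiceDll \((?P<path>.*?)(?: ?\[[^\]]*\])*\) -> FOUND$")

# A DLL handed to rundll32.exe from a per-user profile directory is the pattern
# behind wmuin.dll / wmsil.dll / wtzvdsv.dll in this thread.
USER_PROFILE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Where a service image or ServiceDll is normally expected to live.
SYSTEM_DIRS = ("\\windows\\", "\\program files\\", "system32\\")
# Built-in services that must be hosted by svchost.exe. Assumption of this
# example: only the service seen hijacked in the thread is listed.
SVCHOST_SERVICES = {"winmgmt"}


@dataclass
class Finding:
    line: str
    reason: str


def rundll32_target(cmd: str):
    """Return the DLL path a rundll32 command line loads, or None."""
    m = re.search(r'rundll32\.exe"?\s+"?([^",]+\.dll)"?,', cmd, re.IGNORECASE)
    return m.group(1) if m else None


def check_run(cmd: str):
    dll = rundll32_target(cmd)
    if dll and USER_PROFILE.search(dll):
        return "rundll32 loading a DLL from a user profile directory"
    return None


def check_service(name: str, path: str):
    low = path.lower()
    if name.lower() in SVCHOST_SERVICES and "svchost.exe" not in low:
        return f"built-in service {name} not hosted by svchost.exe"
    if path.endswith("[x]"):  # FRST's marker for an image it could not find
        return "service/driver image missing at scan time"
    if not any(d in low for d in SYSTEM_DIRS):
        return "service image outside Windows / Program Files"
    return None


def triage(log_text: str):
    """Return one Finding per suspicious entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = None
        if (m := FRST_RUN.match(line)) or (m := RK_RUN.match(line)):
            reason = check_run(m.group("cmd"))
        elif m := FRST_SERVICE.match(line):
            reason = check_service(m.group("name"), m.group("path"))
        elif m := RK_SERVICEDLL.match(line):
            reason = check_service("", m.group("path"))
        if reason:
            findings.append(Finding(line, reason))
    return findings


# Sample input: lines copied from the RogueKiller and FRST logs in this thread,
# including benign entries (Windows Defender, Welcome Center, avast) for contrast.
SAMPLE_LOG = r"""
HKLM\...\Run: [wmuin] - "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmuin.dll",_Clear <===== ATTENTION
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-18] (Microsoft Corporation)
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
[RUN][SUSP PATH] HKCU\[...]\Run : Apple (rundll32.exe "C:\Users\David\AppData\Local\Apple Computer\Apple\wtzvdsv.dll",DllRegisterServer [x][x][x]) -> FOUND
[HJ DLL][SUSP PATH] HKLM\[...]\CCSet\[...]\Parameters : ServiceDll (C:\PROGRA~2\ktutkemrgwgxybopmbg.bfg [x]) -> FOUND
S2 Winmgmt; C:\PROGRA~2\ktutkemrgwgxybopmbg.bfg [x]
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-08-29] (AVAST Software)
S0 fjwuxyju; System32\drivers\hawcf.sys [x]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Point it at a saved FRST.txt or RKreport file with triage(open(path).read()). A hit is a lead to check, not proof of infection: some legitimate software does register DLLs under AppData, and the orphaned driver entries (catchme, SASDIFSV) in the FRST log are leftovers of earlier cleaning tools rather than malware, which is exactly why each flagged line carries the reason it was raised.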

OK, I want you to run FRST from the recovery environment.

 

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Save it to a USB flash drive. Make sure to get the correct version for your system, 32-bit or 64-bit.

 

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

 

Plug the flash drive into the infected PC.

 

If you are using Windows 8, consult "How to use the Windows 8 System Recovery Environment Command Prompt" here: http://www.bleepingcomputer.com/tutorials/windows-8-recovery-environment-command-prompt/ to enter the System Recovery Command Prompt.

 

If you are using Vista or Windows 7 enter System Recovery Options.

 

 

Enter System Recovery Options. I give two methods; use whichever is convenient for you.

 

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

 

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select Your Country as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

 

On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

 

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst, depending on your version, and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 

Kevin


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 03-10-2013
Ran by SYSTEM on MINWINPC on 10-10-2013 17:24:44
Running from F:\
Windows Vista Home Premium Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [] - [x]
HKLM\...\Run: [wmuin] - "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmuin.dll",_Clear <===== ATTENTION
HKLM\...\Run: [wmsil] - "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmsil.dll",get_sPLT <===== ATTENTION
HKLM\...\Run: [Windows Defender] - C:\Program Files\Windows Defender\MSASCui.exe [1008184 2008-01-18] (Microsoft Corporation)
HKLM\...\Run: [VERIZONDM] - "C:\Program Files\VERIZONDM\bin\sprtcmd.exe" /P VERIZONDM
HKLM\...\Run: [TkBellExe] - C:\Program Files\Real\realplayer\update\realsched.exe [295072 2013-01-23] (RealNetworks, Inc.)
HKLM\...\Run: [SynTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [815104 2006-11-17] (Synaptics, Inc.)
HKLM\...\Run: [Symantec PIF AlertEng] - "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
HKLM\...\Run: [SunJavaUpdateSched] - C:\Program Files\Common Files\Java\Java Update\jusched.exe [249064 2010-10-29] (Sun Microsystems, Inc.)
HKLM\...\Run: [SigmatelSysTrayApp] - C:\Windows\sttray.exe [303104 2006-12-01] (SigmaTel, Inc.)
HKLM\...\Run: [RKS Fax Print Controller] - "C:\Program Files\RKS Fax\rksfax_control.exe"
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [417792 2009-09-04] (Apple Inc.)
HKLM\...\Run: [PCMService] - C:\Program Files\Dell\MediaDirect\PCMService.exe [184320 2006-10-13] (CyberLink Corp.)
HKLM\...\Run: [osCheck] - "C:\Program Files\Norton Internet Security\osCheck.exe"
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [305440 2009-09-21] (Apple Inc.)
HKLM\...\Run: [ISUSScheduler] - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [ISUSPM Startup] - C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [221184 2006-10-03] (Macrovision Corporation)
HKLM\...\Run: [IJNetworkScanUtility] - C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe [140640 2009-09-28] (CANON INC.)
HKLM\...\Run: [ECenter] - c:\dell\E-Center\EULALauncher.exe [17920 2006-11-17] ( )
HKLM\...\Run: [DivXUpdate] - C:\Program Files\DivX\DivX Update\DivXUpdate.exe [1144104 2010-06-02] ()
HKLM\...\Run: [ccApp] - C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM\...\Run: [CanonSolutionMenu] - C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe [767312 2009-09-03] (CANON INC.)
HKLM\...\Run: [CanonMyPrinter] - C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2508104 2009-11-01] (CANON INC.)
HKLM\...\Run: [BrStsMon00] - C:\Program Files\Browny02\Brother\BrStMonW.exe [2621440 2010-06-10] (Brother Industries, Ltd.)
HKLM\...\Run: [ApnTBMon] - C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1558480 2013-07-25] (APN)
HKLM\...\Run: [ALUAlert] - C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
HKLM\...\Run: [Adobe Reader Speed Launcher] - C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [40368 2011-08-30] (Adobe Systems Incorporated)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-03-29] (Adobe Systems Incorporated)
HKLM\...\Run: [avast] - C:\Program Files\AVAST Software\Avast\avastUI.exe [4858968 2013-08-29] (AVAST Software)
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKLM\...\Policies\Explorer: [MaxRecentDocs] 48
HKU\Administrator\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\David\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\WMPNSCFG.exe [ 2008-01-18] (Microsoft Corporation)
HKU\David\...\Run: [updateMgr] - "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
HKU\David\...\Run: [StartCCC] - C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [ 2006-11-10] ()
HKU\David\...\Run: [PxDotNetLoader] - C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe [ 2013-01-16] (Fidelity Investments)
HKU\David\...\Run: [PCShowServer] - C:\Users\David\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe [ 2012-08-16] (NDS Technologies)
HKU\David\...\Run: [F.lux] - "C:\Users\David\Local Settings\Apps\F.lux\flux.exe" /noshow
HKU\David\...\Run: [ehTray.exe] - C:\Windows\ehome\ehTray.exe [ 2008-01-18] (Microsoft Corporation)
HKU\David\...\Run: [DellSystemDetect] - C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dell\Dell System Detect.appref-ms [ 2013-08-29] ()
HKU\David\...\Run: [Apple] - rundll32.exe "C:\Users\David\AppData\Local\Apple Computer\Apple\wtzvdsv.dll",DllRegisterServer <===== ATTENTION
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
Startup: C:\Users\David\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CCC.lnk
ShortcutTarget: CCC.lnk -> C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (ATI Technologies Inc.)
BootExecute: autocheck autochk * sdnclean.exe
AlternateShell: C:\Users\David\AppData\Roaming\Microsoft\Windows\Templates\DisplaySwitch.exe

========================== Services (Whitelisted) =================

S2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [168400 2013-07-25] (APN LLC.)
S2 Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [144672 2009-08-28] (Apple Inc.)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [46808 2013-08-29] (AVAST Software)
S3 BrYNSvc; C:\Program Files\Browny02\BrYNSvc.exe [245760 2010-01-25] (Brother Industries, Ltd.)
S2 dlbu_device; C:\Windows\system32\dlbucoms.exe [538096 2007-02-28] ( )
S2 RealNetworks Downloader Resolver Service; C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe [38608 2012-11-29] ()
S2 sprtsvc_verizondm; C:\Program Files\VERIZONDM\bin\sprtsvc.exe [206120 2010-09-02] (SupportSoft, Inc.)
S2 tgsrvc_verizondm; C:\Program Files\VERIZONDM\bin\tgsrvc.exe [185640 2010-09-02] (SupportSoft, Inc.)
S2 HitmanPro37CrusaderBoot; "F:\HitmanPro.exe" /crusader:boot [x]
S2 Winmgmt; C:\PROGRA~2\ktutkemrgwgxybopmbg.bfg [x]

==================== Drivers (Whitelisted) ====================

S2 aswFsBlk; C:\Windows\System32\Drivers\aswFsBlk.sys [29816 2013-08-29] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [66336 2013-08-29] (AVAST Software)
S1 AswRdr; C:\Windows\System32\Drivers\AswRdr.sys [49760 2013-08-29] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [49376 2013-08-29] ()
S1 aswSnx; C:\Windows\System32\Drivers\aswSnx.sys [770344 2013-08-29] (AVAST Software)
S1 aswSP; C:\Windows\System32\Drivers\aswSP.sys [369584 2013-08-29] (AVAST Software)
S1 aswTdi; C:\Windows\System32\Drivers\aswTdi.sys [56080 2013-08-29] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [177864 2013-08-29] ()
S3 BVRPMPR5; C:\Windows\system32\drivers\BVRPMPR5.SYS [49904 2010-03-21] (Avanquest Software)
S3 chdrvr01; C:\Windows\System32\DRIVERS\chdrvr01.sys [207104 2007-06-20] (CH Products)
S3 chdrvr02; C:\Windows\System32\DRIVERS\chdrvr02.sys [4992 2007-06-20] (CH Products)
S3 chdrvr03; C:\Windows\System32\DRIVERS\chdrvr03.sys [9856 2007-06-20] (CH Products)
S3 CHORUS2; C:\Windows\System32\Drivers\chorus2usb.sys [18944 2008-07-22] (Windows ® Codename Longhorn DDK provider)
S0 CLFS; C:\Windows\System32\CLFS.sys [245736 2009-04-10] (Microsoft Corporation)
S3 cpudrv; C:\Program Files\SystemRequirementsLab\cpudrv.sys [11336 2009-12-18] ()
S3 libusb0; C:\Windows\System32\DRIVERS\libusb0.sys [28160 2009-07-07] (http://libusb-win32.sourceforge.net)
S2 npf; C:\Windows\System32\drivers\npf.sys [50704 2009-11-16] (CACE Technologies, Inc.)
S3 STHDA; C:\Windows\System32\drivers\stwrt.sys [647680 2006-12-01] (SigmaTel, Inc.)
S3 USB28xxBGA; C:\Windows\System32\DRIVERS\emBDA.sys [479232 2007-06-22] (eMPIA Technology, Inc.)
S3 USB28xxOEM; C:\Windows\System32\DRIVERS\emOEM.sys [28288 2007-02-06] (eMPIA Technology, Inc.)
S5 AppMgmt; C:\Windows\system32\svchost.exe [21504 2008-01-18] (Microsoft Corporation)
S3 catchme; \??\C:\Users\David\AppData\Local\Temp\catchme.sys [x]
S0 fjwuxyju; System32\drivers\hawcf.sys [x]
S0 hkxffe; System32\drivers\sqfhqgr.sys [x]
S1 SASDIFSV; \??\C:\Users\David\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS [x]
S1 SASKUTIL; \??\C:\Users\David\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS [x]
S0 snfjvayo; System32\drivers\fyhimx.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-10-10 13:04 - 2013-10-10 13:04 - 00007614 _____ C:\Users\David\Desktop\RKreport[0]_S_10102013_160445.txt
2013-10-10 12:59 - 2013-10-10 14:02 - 00000000 ____D C:\Users\David\Desktop\RK_Quarantine
2013-10-10 12:57 - 2013-10-10 12:57 - 00951296 _____ C:\Users\David\Desktop\RogueKiller.exe
2013-10-10 12:41 - 2013-10-10 12:41 - 01087213 _____ (Farbar) C:\Users\David\Desktop\FRST.exe
2013-10-09 16:56 - 2013-10-09 16:56 - 00001831 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-10-09 16:56 - 2013-08-29 23:48 - 00770344 _____ (AVAST Software) C:\Windows\System32\Drivers\aswSnx.sys
2013-10-09 16:56 - 2013-08-29 23:48 - 00369584 _____ (AVAST Software) C:\Windows\System32\Drivers\aswSP.sys
2013-10-09 16:56 - 2013-08-29 23:48 - 00177864 _____ C:\Windows\System32\Drivers\aswVmm.sys
2013-10-09 16:56 - 2013-08-29 23:48 - 00056080 _____ (AVAST Software) C:\Windows\System32\Drivers\aswTdi.sys
2013-10-09 16:56 - 2013-08-29 23:48 - 00049760 _____ (AVAST Software) C:\Windows\System32\Drivers\aswRdr.sys
2013-10-09 16:56 - 2013-08-29 23:48 - 00049376 _____ C:\Windows\System32\Drivers\aswRvrt.sys
2013-10-09 16:56 - 2013-08-29 23:48 - 00029816 _____ (AVAST Software) C:\Windows\System32\Drivers\aswFsBlk.sys
2013-10-09 16:55 - 2013-08-29 23:48 - 00066336 _____ (AVAST Software) C:\Windows\System32\Drivers\aswMonFlt.sys
2013-10-09 16:55 - 2013-08-29 23:47 - 00229648 _____ (AVAST Software) C:\Windows\System32\aswBoot.exe
2013-10-09 16:54 - 2013-08-29 23:47 - 00041664 _____ (AVAST Software) C:\Windows\avastSS.scr
2013-10-09 16:30 - 2013-10-09 16:33 - 131918888 _____ C:\Users\David\Desktop\avast_free_antivirus_setup.exe
2013-10-09 14:11 - 2013-10-09 14:11 - 00017336 _____ C:\Users\David\Desktop\Mini100813-01.zip
2013-10-09 14:05 - 2013-10-10 12:45 - 00000304 _____ C:\Users\David\Desktop\Addition.txt
2013-10-09 14:03 - 2013-10-09 14:03 - 00000000 ____D C:\FRST
2013-10-08 06:32 - 2013-10-08 06:32 - 00133536 _____ C:\Windows\Minidump\Mini100813-02.dmp
2013-10-08 05:42 - 2013-10-08 05:42 - 00133536 _____ C:\Windows\Minidump\Mini100813-01.dmp
2013-10-07 10:06 - 2013-10-07 10:07 - 00133536 _____ C:\Windows\Minidump\Mini100713-03.dmp
2013-10-07 09:51 - 2013-10-07 09:51 - 00133536 _____ C:\Windows\Minidump\Mini100713-02.dmp
2013-10-06 23:11 - 2013-10-06 23:11 - 00028672 _____ C:\bcd_backup
2013-10-06 23:11 - 2013-10-06 23:11 - 00025600 ____H C:\bcd_backup.LOG
2013-10-06 22:23 - 2013-10-06 22:23 - 00133536 _____ C:\Windows\Minidump\Mini100713-01.dmp
2013-10-06 20:59 - 2013-10-06 20:59 - 00133536 _____ C:\Windows\Minidump\Mini100613-03.dmp
2013-10-06 20:51 - 2013-10-06 20:51 - 00133536 _____ C:\Windows\Minidump\Mini100613-02.dmp
2013-10-06 20:43 - 2013-10-06 20:44 - 00133536 _____ C:\Windows\Minidump\Mini100613-01.dmp
2013-09-22 13:58 - 2013-10-01 04:54 - 00000000 ____D C:\Users\David\Desktop\Desktop Files
2013-09-10 07:59 - 2013-09-10 08:00 - 00133536 _____ C:\Windows\Minidump\Mini091013-02.dmp
2013-09-10 07:10 - 2013-09-10 07:10 - 00133536 _____ C:\Windows\Minidump\Mini091013-01.dmp

==================== One Month Modified Files and Folders =======

2013-10-10 14:14 - 2007-01-29 13:33 - 00000012 _____ C:\Windows\bthservsdp.dat
2013-10-10 14:13 - 2006-11-02 04:47 - 00003568 _____ C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-10-10 14:13 - 2006-11-02 04:47 - 00003568 _____ C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-10-10 14:02 - 2013-10-10 12:59 - 00000000 ____D C:\Users\David\Desktop\RK_Quarantine
2013-10-10 13:04 - 2013-10-10 13:04 - 00007614 _____ C:\Users\David\Desktop\RKreport[0]_S_10102013_160445.txt
2013-10-10 12:57 - 2013-10-10 12:57 - 00951296 _____ C:\Users\David\Desktop\RogueKiller.exe
2013-10-10 12:45 - 2013-10-09 14:05 - 00000304 _____ C:\Users\David\Desktop\Addition.txt
2013-10-10 12:41 - 2013-10-10 12:41 - 01087213 _____ (Farbar) C:\Users\David\Desktop\FRST.exe
2013-10-10 11:38 - 2012-07-18 04:24 - 00025516 _____ C:\Windows\PFRO.log
2013-10-09 16:56 - 2013-10-09 16:56 - 00001831 _____ C:\Users\Public\Desktop\avast! Free Antivirus.lnk
2013-10-09 16:55 - 2006-11-02 02:23 - 00002577 _____ C:\Windows\System32\config.nt
2013-10-09 16:53 - 2013-03-20 05:36 - 00000000 ____D C:\ProgramData\AVAST Software
2013-10-09 16:42 - 2007-02-03 09:28 - 00000000 ____D C:\Users\David\AppData\Local\MediaDirect
2013-10-09 16:33 - 2013-10-09 16:30 - 131918888 _____ C:\Users\David\Desktop\avast_free_antivirus_setup.exe
2013-10-09 14:11 - 2013-10-09 14:11 - 00017336 _____ C:\Users\David\Desktop\Mini100813-01.zip
2013-10-09 14:03 - 2013-10-09 14:03 - 00000000 ____D C:\FRST
2013-10-08 06:32 - 2013-10-08 06:32 - 00133536 _____ C:\Windows\Minidump\Mini100813-02.dmp
2013-10-08 06:32 - 2013-09-08 20:10 - 129894810 _____ C:\Windows\MEMORY.DMP
2013-10-08 06:32 - 2007-06-12 18:14 - 00000000 ____D C:\Windows\Minidump
2013-10-08 06:30 - 2013-08-25 11:16 - 00012872 _____ (SurfRight B.V.) C:\Windows\System32\bootdelete.exe
2013-10-08 05:42 - 2013-10-08 05:42 - 00133536 _____ C:\Windows\Minidump\Mini100813-01.dmp
2013-10-07 10:14 - 2007-01-29 13:33 - 01487950 _____ C:\Windows\WindowsUpdate.log
2013-10-07 10:07 - 2013-10-07 10:06 - 00133536 _____ C:\Windows\Minidump\Mini100713-03.dmp
2013-10-07 09:51 - 2013-10-07 09:51 - 00133536 _____ C:\Windows\Minidump\Mini100713-02.dmp
2013-10-06 23:11 - 2013-10-06 23:11 - 00028672 _____ C:\bcd_backup
2013-10-06 23:11 - 2013-10-06 23:11 - 00025600 ____H C:\bcd_backup.LOG
2013-10-06 22:26 - 2007-04-14 05:04 - 00001356 _____ C:\Users\David\AppData\Local\d3d9caps.dat
2013-10-06 22:23 - 2013-10-06 22:23 - 00133536 _____ C:\Windows\Minidump\Mini100713-01.dmp
2013-10-06 21:04 - 2007-02-03 10:31 - 00000000 ____D C:\Windows\pss
2013-10-06 20:59 - 2013-10-06 20:59 - 00133536 _____ C:\Windows\Minidump\Mini100613-03.dmp
2013-10-06 20:51 - 2013-10-06 20:51 - 00133536 _____ C:\Windows\Minidump\Mini100613-02.dmp
2013-10-06 20:44 - 2013-10-06 20:43 - 00133536 _____ C:\Windows\Minidump\Mini100613-01.dmp
2013-10-01 04:54 - 2013-09-22 13:58 - 00000000 ____D C:\Users\David\Desktop\Desktop Files
2013-09-10 08:00 - 2013-09-10 07:59 - 00133536 _____ C:\Windows\Minidump\Mini091013-02.dmp
2013-09-10 07:10 - 2013-09-10 07:10 - 00133536 _____ C:\Windows\Minidump\Mini091013-01.dmp

ZeroAccess:
C:\$Recycle.Bin\S-1-5-21-3700406598-1639912827-112258768-1001\$d76728a16439ce40ec9bb5b2a13c705f

ZeroAccess:
C:\$Recycle.Bin\S-1-5-18\$d76728a16439ce40ec9bb5b2a13c705f

Files to move or delete:
====================
C:\Users\David\1858607.exe
C:\Users\David\GoToAssist_phone__317_en.exe

Some content of TEMP:
====================
C:\Users\David\AppData\Local\Temp\AdobeUpdater12345.exe
C:\Users\David\AppData\Local\Temp\ntdll_dump.dll

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

1
Restore point made on: 2013-10-09 16:53:21

==================== Memory info ===========================

Percentage of memory in use: 27%
Total physical RAM: 2045.71 MB
Available physical RAM: 1479.36 MB
Total Pagefile: 1777.04 MB
Available Pagefile: 1590.43 MB
Total Virtual: 2047.88 MB
Available Virtual: 1956.75 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:99.74 GB) (Free:6.77 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (RECOVERY) (Fixed) (Total:10 GB) (Free:2.87 GB) NTFS
Drive e: (VISTA_SP1_HOMEPREMIUM) (CDROM) (Total:5.4 GB) (Free:0 GB) UDF
Drive f: (HITMANPRO) (Removable) (Total:7.45 GB) (Free:7.45 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: 28000000)
Partition 1: (Not Active) - (Size=47 MB) - (Type=DE)
Partition 2: (Not Active) - (Size=10 GB) - (Type=07 NTFS)
Partition 3: (Active) - (Size=100 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=188 GB) - (Type=05)

========================================================
Disk: 1 (Size: 7 GB) (Disk ID: B2656C3B)
Partition 1: (Active) - (Size=7 GB) - (Type=0B)

LastRegBack: 2013-10-10 11:43

==================== End Of Log ============================


Save the attached file fixlist.txt to your flash drive, same place as FRST.

Now please enter System Recovery Options as you did to get the log.

Run FRST and press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Boot back to normal mode, run Malwarebytes quick scan and post its log...

Kevin

fixlist.txt


Fixlog.txt below...running Malwarebytes quick scan now
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 03-10-2013
Ran by SYSTEM at 2013-10-10 18:07:51 Run:1
Running from F:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
Start
HKLM\...\Run: [wmuin] - "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmuin.dll",_Clear <===== ATTENTION
HKLM\...\Run: [wmsil] - "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmsil.dll",get_sPLT <===== ATTENTION
C:\Users\David\AppData\Roaming\wmuin.dll
C:\Users\David\AppData\Roaming\wmsil.dll
HKLM\...\Run: [ApnTBMon] - C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1558480 2013-07-25] (APN)
C:\Program Files\AskPartnerNetwork
HKLM\...D6A79037F57F\InprocServer32: [Default-fastprox] fastprox.dll ATTENTION! ====> ZeroAccess?
HKU\David\...\Run: [Apple] - rundll32.exe "C:\Users\David\AppData\Local\Apple Computer\Apple\wtzvdsv.dll",DllRegisterServer <===== ATTENTION
C:\Users\David\AppData\Local\Apple Computer
S2 APNMCP; C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe [168400 2013-07-25] (APN LLC.)
S0 fjwuxyju; System32\drivers\hawcf.sys [x]
S0 hkxffe; System32\drivers\sqfhqgr.sys [x]
S0 snfjvayo; System32\drivers\fyhimx.sys [x]
C:\$Recycle.Bin\S-1-5-21-3700406598-1639912827-112258768-1001\$d76728a16439ce40ec9bb5b2a13c705f
C:\$Recycle.Bin\S-1-5-18\$d76728a16439ce40ec9bb5b2a13c705f
C:\Users\David\1858607.exe
C:\Users\David\GoToAssist_phone__317_en.exe
C:\Users\David\AppData\Local\Temp\AdobeUpdater12345.exe
C:\Users\David\AppData\Local\Temp\ntdll_dump.dll
HKLM\...\.exe: <===== ATTENTION!
End

*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\wmuin => Value deleted successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\wmsil => Value deleted successfully.
"C:\Users\David\AppData\Roaming\wmuin.dll" => File/Directory not found.
"C:\Users\David\AppData\Roaming\wmsil.dll" => File/Directory not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ApnTBMon => Value deleted successfully.
C:\Program Files\AskPartnerNetwork => Moved successfully.
HKLM\Software\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32\\Default => Value was restored successfully.
HKU\David\Software\Microsoft\Windows\CurrentVersion\Run\\Apple => Value deleted successfully.
C:\Users\David\AppData\Local\Apple Computer => Moved successfully.
APNMCP => Service deleted successfully.
fjwuxyju => Service deleted successfully.
hkxffe => Service deleted successfully.
snfjvayo => Service deleted successfully.
C:\$Recycle.Bin\S-1-5-21-3700406598-1639912827-112258768-1001\$d76728a16439ce40ec9bb5b2a13c705f => Directory moved successfully.
C:\$Recycle.Bin\S-1-5-18\$d76728a16439ce40ec9bb5b2a13c705f => Deleted successfully.
C:\Users\David\1858607.exe => Moved successfully.
C:\Users\David\GoToAssist_phone__317_en.exe => Moved successfully.
C:\Users\David\AppData\Local\Temp\AdobeUpdater12345.exe => Moved successfully.
C:\Users\David\AppData\Local\Temp\ntdll_dump.dll => Moved successfully.
HKLM\Software\Classes\.exe\\Default => Value was restored successfully.

==== End of Fixlog ====


RunDLL32.exe is a legitimate Windows file that executes/loads .dll (Dynamic Link Library) modules, which can themselves be legitimate or sometimes malware related. A RunDLL "Error loading..." or "specified module could not be found" message usually occurs when the .dll file(s) set to run at startup in the registry have been deleted. Windows is trying to load the file(s) but cannot locate them, since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

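The orphaned-entry situation Kevin describes can be checked mechanically. The script below is an added example, not code from this thread or from FRST: it parses Run values in the format FRST prints (the four lines from the fixlist above are used as sample input), pulls out the executable, or for rundll32 entries the DLL and entry point that actually run, and reports which targets no longer exist on disk. The on-disk state it checks against is constructed to match the Fixlog, where wmuin.dll and wmsil.dll were already missing ("File/Directory not found") and the other two targets were still present; on a live machine you would drop the `exists` argument so it consults the real filesystem.

```python
"""Triage of FRST-style Run entries: spot autorun loaders whose target is gone.

Added example, not part of the thread or of FRST itself. An entry whose
target file is missing is an "orphan": Windows will still try to start it
at logon and, for rundll32 entries, show the RunDLL "module could not be
found" error until the registry value is removed.
"""
import re
from pathlib import Path

# One FRST Run line: <hive>\...\Run: [<value name>] - <command line> [<===== note]
RUN_LINE = re.compile(
    r'^(?P<hive>HK(?:LM|U\\[^\\]+))\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] - '
    r'(?P<cmd>.*?)(?: <===== .*)?$'
)
# rundll32 [path] "<dll>",<entry point>  (quotes optional, DLL path may contain spaces)
RUNDLL_CMD = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>\S+)', re.IGNORECASE)
# A plain executable target, quoted or not, ending at the first ".exe"
EXE_CMD = re.compile(r'^"?(?P<exe>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


def parse_run_line(line):
    """Return a dict describing one Run value, or None if the line is not one."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    entry = {'hive': m.group('hive'), 'name': m.group('name'),
             'kind': 'unknown', 'target': None, 'entry': None}
    cmd = m.group('cmd').strip()
    r = RUNDLL_CMD.search(cmd)
    if r:  # rundll32 is only a loader; the DLL named after it is what runs
        entry.update(kind='rundll32', target=r.group('dll').strip(), entry=r.group('entry'))
        return entry
    e = EXE_CMD.match(cmd)
    if e:
        entry.update(kind='exe', target=e.group('exe'))
    return entry


def in_user_profile(path):
    """True when the target lives under a user's AppData, where legitimate autoruns rarely load DLLs from."""
    return '\\appdata\\' in path.lower()


def triage_run_entries(lines, exists=lambda p: Path(p).exists()):
    """Parse every Run line and record whether its target is still on disk."""
    results = []
    for line in lines:
        entry = parse_run_line(line)
        if entry is None or entry['target'] is None:
            continue
        entry['status'] = 'present' if exists(entry['target']) else 'orphaned'
        entry['user_profile'] = in_user_profile(entry['target'])
        results.append(entry)
    return results


def find_orphans(lines, exists=lambda p: Path(p).exists()):
    """Only the entries whose target file no longer exists."""
    return [e for e in triage_run_entries(lines, exists) if e['status'] == 'orphaned']


# Sample input: the four Run values from the fixlist posted in this thread.
SAMPLE_LINES = [
    r'HKLM\...\Run: [wmuin] - "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmuin.dll",_Clear <===== ATTENTION',
    r'HKLM\...\Run: [wmsil] - "C:\Windows\System32\rundll32.exe" "C:\Users\David\AppData\Roaming\wmsil.dll",get_sPLT <===== ATTENTION',
    r'HKLM\...\Run: [ApnTBMon] - C:\Program Files\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1558480 2013-07-25] (APN)',
    r'HKU\David\...\Run: [Apple] - rundll32.exe "C:\Users\David\AppData\Local\Apple Computer\Apple\wtzvdsv.dll",DllRegisterServer <===== ATTENTION',
]

# Constructed on-disk state matching the Fixlog: the two Roaming DLLs were already
# gone ("File/Directory not found"); the other two targets were still present.
PRESENT = {
    r'c:\users\david\appdata\local\apple computer\apple\wtzvdsv.dll',
    r'c:\program files\askpartnernetwork\toolbar\updater\tbnotifier.exe',
}


def sample_exists(path):
    """Case-insensitive lookup against the constructed file set (Windows paths are case-insensitive)."""
    return path.lower() in PRESENT


if __name__ == '__main__':
    for e in triage_run_entries(SAMPLE_LINES, sample_exists):
        flag = ' (loads from user profile)' if e['user_profile'] else ''
        print(f"{e['hive']}\\Run\\{e['name']}: {e['status']} -> {e['target']}{flag}")
```

Note that "present" is not the same as "benign": the Apple entry's DLL still existed, but a rundll32 loader pointing into AppData\Local is exactly the kind of entry FRST marked ATTENTION, which is why the script also flags user-profile locations.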

Thanks for that explanation Kevin. I DO want to know that kind of thing. Even though I don't aspire to the kind of knowledge you have (we only have so much time to be good at so many things!) I do like to have a general understanding. So I am assuming your fix.txt removed those orphaned entries?

Do you want me to do anything with the 2 objects malwarebytes detected or just paste the log?
