
ukash Infection



Hi - desperate for help

 

I have a laptop that has been infected with the ukash ransomware - I've run FRST and the log is below.

FYI - this was run in the recovery console. Cannot boot in any other mode at the moment.

 

Thanks in advance for any help

MP


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-12-2013
Ran by SYSTEM on MINWINPC on 02-12-2013 21:02:43
Running from G:\
Windows Vista Home Premium Service Pack 1 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [NDSTray.exe] - NDSTray.exe
HKLM\...\Run: [cfFncEnabler.exe] - cfFncEnabler.exe
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [6037504 2008-04-08] (Realtek Semiconductor)
HKLM\...\Run: [Camera Assistant Software] - C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe [417792 2008-09-26] (Chicony)
HKLM\...\Run: [AppleSyncNotifier] - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-01] (Apple Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [PRISMSVR.EXE] - C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.exe [295001 2004-07-02] (Conexant Systems, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [997408 2010-11-30] ()
HKLM\...\Run: [ConnectionCenter] - C:\Program Files\Citrix\ICA Client\concentr.exe [300400 2010-03-10] (Citrix Systems, Inc.)
HKLM\...\Run: [NBAgent] - C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe [1406248 2011-03-22] (Nero AG)
HKLM\...\Run: [KiesTrayAgent] - C:\Program Files\Samsung\Kies\KiesTrayAgent.exe [311152 2013-09-04] (Samsung Electronics Co., Ltd.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-04-30] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-09-30] (Apple Inc.)
HKLM\...\Run: [Fitbit Connect] - C:\Program Files\Fitbit Connect\Fitbit Connect.exe [3264544 2013-10-02] (Fitbit, Inc.)
HKLM\...\Policies\Explorer\Run: [7734] - C:\ProgramData\msmwahop.exe [341740 2009-04-10] ( ())
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default\...\Run: [TOSCDSPD] - C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [TOSCDSPD] - C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
HKU\Simon Wright\...\Run: [ehTray.exe] - C:\Windows\ehome\ehtray.exe [ 2008-01-20] (Microsoft Corporation)
HKU\Simon Wright\...\Run: [Google Update] - C:\Users\Simon Wright\AppData\Local\Google\Update\GoogleUpdate.exe [ 2010-03-17] (Google Inc.)
HKU\Simon Wright\...\Run: [] - C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [ 2013-09-04] (Samsung)
HKU\Simon Wright\...\Run: [swg] - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [ 2008-07-01] (Google Inc.)
HKU\Simon Wright\...\Run: [KiesPreload] - C:\Program Files\Samsung\Kies\Kies.exe [ 2013-09-04] (Samsung)
HKU\Simon Wright\...\Run: [KiesAirMessage] - C:\Program Files\Samsung\Kies\KiesAirMessage.exe -startup
HKU\Simon Wright\...\Run: [GoogleDriveSync] - C:\Program Files\Google\Drive\googledrivesync.exe [ 2013-09-25] (Google)
HKU\Simon Wright\...\Run: [Fitbit Connect] - C:\Program Files\Fitbit Connect\Fitbit Connect.exe [ 2013-10-02] (Fitbit, Inc.)
HKU\Simon Wright\...\Run: [WMPNSCFG] - C:\Program Files\Windows Media Player\wmpnscfg.exe [ 2008-01-20] (Microsoft Corporation)
HKU\Simon Wright\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3wd3l1.lnk
ShortcutTarget: 3wd3l1.lnk -> C:\ProgramData\1l3dw3.dss (Microsoft Corporation)
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4bn1a4t.lnk
ShortcutTarget: 4bn1a4t.lnk -> C:\ProgramData\t4a1nb4.dss (Корпорация Майкрософт)
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g228zlr.lnk
ShortcutTarget: g228zlr.lnk -> C:\ProgramData\rlz822g.dss (Microsoft Corporation)
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iilf8zoq.lnk
ShortcutTarget: iilf8zoq.lnk -> C:\ProgramData\qoz8flii.dss (Microsoft Corporation)
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j6flcjwodh.lnk
ShortcutTarget: j6flcjwodh.lnk -> C:\ProgramData\hdowjclf6j.dss (Microsoft Corporation)
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lj6wewlr.lnk
ShortcutTarget: lj6wewlr.lnk -> C:\ProgramData\rlwew6jl.dss (Корпорация Майкрософт)

========================== Services (Whitelisted) =================

S2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
S2 BackupStack; C:\Program Files\MyPC Backup\BackupStack.exe [32808 2013-05-21] (Just Develop It)
S2 ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2008-04-16] (TOSHIBA CORPORATION)
S2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [615720 2009-08-12] (Juniper Networks)
S2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION)
S2 EpsonScanSvc; C:\Windows\system32\EscSvc.exe [122000 2011-12-11] (Seiko Epson Corporation)
S2 Fitbit Connect; C:\Program Files\Fitbit Connect\FitbitConnectService.exe [1384992 2013-10-02] (Fitbit, Inc.)
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-07-31] (Google)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
S2 NAUpdate; C:\Program Files\Nero\Update\NASvc.exe [572712 2011-01-14] (Nero AG)
S3 SmartFaceVWatchSrv; C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [77824 2008-08-25] (Toshiba)
S2 TempoMonitoringService; C:\Program Files\Toshiba TEMPRO\TempoSVC.exe [99720 2008-04-24] (Toshiba Europe GmbH)
S2 TOSHIBA SMART Log Service; C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [126976 2007-12-03] (TOSHIBA Corporation)
S2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
S2 Winmgmt; C:\ProgramData\1l3dw3.dss [206848 2013-12-01] (Microsoft Corporation)
S2 MsMpSvc; "C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [x]
S3 NisSrv; "C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{a2970bbd-8e17-1c0e-9f60-cafb5c3c4e4d}\   \...\???\{a2970bbd-8e17-1c0e-9f60-cafb5c3c4e4d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)

==================== Drivers (Whitelisted) ====================

S3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [26624 2009-08-12] (Juniper Networks)
S3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [9344 2009-04-17] (GARMIN Corp.)
S2 MDC8021X; C:\Windows\System32\DRIVERS\mdc8021x.sys [15781 2009-04-13] (Meetinghouse Data Communications)
S1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165264 2010-10-24] (Microsoft Corporation)
S3 MpNWMon; C:\Windows\System32\DRIVERS\MpNWMon.sys [43392 2010-10-24] (Microsoft Corporation)
S1 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [5632 2009-09-05] ()
S3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [17960 2008-07-15] (Chicony Electronics Co., Ltd.)
S2 BTWSp50; System32\Drivers\BTWSp50.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 Tosrfcom; No ImagePath
S3 ZTEusbmdm6k; system32\DRIVERS\ZTEusbmdm6k.sys [x]
S3 ZTEusbnmea; system32\DRIVERS\ZTEusbnmea.sys [x]
S3 ZTEusbser6k; system32\DRIVERS\ZTEusbser6k.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-12-02 20:44 - 2013-12-02 20:44 - 00000000 ____D C:\FRST
2013-12-02 12:11 - 2013-12-02 12:12 - 95025368 ____T C:\ProgramData\4bn1a4t.bxx
2013-12-02 12:11 - 2013-12-02 12:11 - 00207872 _____ (Корпорация Майкрософт) C:\ProgramData\t4a1nb4.dss
2013-12-02 12:11 - 2013-12-02 12:11 - 00000000 _____ C:\ProgramData\4bn1a4t.fvv
2013-12-02 12:01 - 2013-12-02 12:10 - 95025368 ____T C:\ProgramData\lj6wewlr.bxx
2013-12-02 12:01 - 2013-12-02 12:10 - 00000000 _____ C:\ProgramData\lj6wewlr.fvv
2013-12-02 12:01 - 2013-12-02 12:01 - 00204288 _____ (Корпорация Майкрософт) C:\ProgramData\rlwew6jl.dss
2013-12-02 10:38 - 2013-12-02 12:11 - 95025368 ____T C:\ProgramData\j6flcjwodh.bxx
2013-12-02 10:38 - 2013-12-02 12:10 - 00000000 _____ C:\ProgramData\j6flcjwodh.fvv
2013-12-02 10:38 - 2013-12-02 10:38 - 00204800 _____ (Microsoft Corporation) C:\ProgramData\hdowjclf6j.dss
2013-12-02 08:34 - 2013-12-02 12:12 - 95025368 ____T C:\ProgramData\iilf8zoq.bxx
2013-12-02 08:34 - 2013-12-02 12:10 - 00000000 _____ C:\ProgramData\iilf8zoq.fvv
2013-12-02 08:34 - 2013-12-02 08:34 - 00206336 _____ (Microsoft Corporation) C:\ProgramData\qoz8flii.dss
2013-12-02 08:28 - 2013-12-02 12:12 - 95025368 ____T C:\ProgramData\g228zlr.bxx
2013-12-02 08:28 - 2013-12-02 12:10 - 00000000 _____ C:\ProgramData\g228zlr.fvv
2013-12-02 08:28 - 2013-12-02 08:28 - 00206336 _____ (Microsoft Corporation) C:\ProgramData\rlz822g.dss
2013-12-02 08:28 - 2013-12-02 08:28 - 00000273 _____ C:\ProgramData\3wd3l1.reg
2013-12-01 23:03 - 2013-12-01 23:03 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2013-12-01 22:57 - 2013-12-02 12:13 - 95025368 ____T C:\ProgramData\3wd3l1.bxx
2013-12-01 22:57 - 2013-12-02 12:09 - 00000000 _____ C:\ProgramData\3wd3l1.fvv
2013-12-01 22:57 - 2013-12-01 22:57 - 00206848 _____ (Microsoft Corporation) C:\ProgramData\1l3dw3.dss
2013-12-01 07:27 - 2013-12-01 07:27 - 00038400 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk13-011213.xls
2013-11-30 07:54 - 2013-11-30 07:54 - 00002631 _____ C:\Users\Simon Wright\Downloads\report.csv
2013-11-29 10:42 - 2013-11-29 10:42 - 00022528 _____ C:\Users\Simon Wright\Downloads\Completed Inquests.xls
2013-11-28 08:01 - 2013-11-28 08:01 - 00000199 ____H C:\Users\Simon Wright\Downloads\.picasa.ini
2013-11-25 12:04 - 2013-11-25 12:04 - 00028056 _____ C:\Users\Simon Wright\Downloads\RugbyTeam&EntryTimes 23-11-2013.xlsx
2013-11-24 13:50 - 2013-11-24 13:50 - 00088064 _____ C:\Users\Simon Wright\Downloads\Schools Gala Results 2013.xls
2013-11-24 13:50 - 2013-11-24 13:50 - 00088064 _____ C:\Users\Simon Wright\Downloads\Schools Gala Results 2013 (1).xls
2013-11-24 05:01 - 2013-11-24 05:01 - 00039424 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk12-241113.xls
2013-11-24 02:03 - 2013-11-24 02:04 - 00017184 _____ C:\Users\Simon Wright\Downloads\Programmes for 2014.xlsx
2013-11-23 05:47 - 2013-11-23 05:47 - 00035840 _____ C:\Users\Simon Wright\Downloads\House Oct 13 (2).xls
2013-11-23 05:23 - 2013-11-23 05:23 - 00030972 _____ C:\Users\Simon Wright\Downloads\Round 1.xlsx
2013-11-20 11:11 - 2013-11-20 11:11 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk12-201113.xls
2013-11-20 09:16 - 2013-11-20 09:16 - 00011034 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 6.xlsx
2013-11-19 08:12 - 2013-11-19 08:12 - 00028160 _____ C:\Users\Simon Wright\Downloads\Woodside fixtures 2013-14NEW (8).xls
2013-11-17 07:40 - 2013-11-17 07:40 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 (2).xlsx
2013-11-17 07:37 - 2013-11-17 07:37 - 00036864 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk11-171113.xls
2013-11-15 04:34 - 2013-11-15 04:34 - 00033792 _____ C:\Users\Simon Wright\Downloads\Just Hoods Basic Specs.xls
2013-11-13 23:14 - 2013-10-13 02:42 - 12344832 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-11-13 23:14 - 2013-10-13 02:08 - 09739264 _____ (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-11-13 23:14 - 2013-10-13 01:48 - 01806848 _____ (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-11-13 23:14 - 2013-10-13 01:37 - 01104896 _____ (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-11-13 23:14 - 2013-10-13 01:35 - 01427968 _____ (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-11-13 23:14 - 2013-10-13 01:35 - 01129472 _____ (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-11-13 23:14 - 2013-10-13 01:33 - 00231936 _____ (Microsoft Corporation) C:\Windows\System32\url.dll
2013-11-13 23:14 - 2013-10-13 01:32 - 00065024 _____ (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-11-13 23:14 - 2013-10-13 01:30 - 00717824 _____ (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-11-13 23:14 - 2013-10-13 01:30 - 00142848 _____ (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-11-13 23:14 - 2013-10-13 01:29 - 00420864 _____ (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-11-13 23:14 - 2013-10-13 01:27 - 01796096 _____ (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-11-13 23:14 - 2013-10-13 01:27 - 00607744 _____ (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-11-13 23:14 - 2013-10-13 01:26 - 00073216 _____ (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-11-13 23:14 - 2013-10-13 01:25 - 02382848 _____ (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-11-13 23:14 - 2013-10-13 01:20 - 00176640 _____ (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-11-13 11:01 - 2013-11-13 11:01 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk11-131113.xls
2013-11-12 23:24 - 2013-10-10 18:08 - 00444928 _____ (Microsoft Corporation) C:\Windows\System32\IKEEXT.DLL
2013-11-12 23:24 - 2013-10-10 18:07 - 00596480 _____ (Microsoft Corporation) C:\Windows\System32\FWPUCLNT.DLL
2013-11-12 23:24 - 2013-10-10 16:39 - 00218228 _____ C:\Windows\System32\WFP.TMF
2013-11-12 23:24 - 2013-10-03 04:45 - 00993792 _____ (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2013-11-12 23:24 - 2013-10-03 04:45 - 00297984 _____ (Microsoft Corporation) C:\Windows\System32\gdi32.dll
2013-11-12 23:19 - 2013-11-12 23:19 - 00011301 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 & 6.xlsx
2013-11-08 11:54 - 2013-11-08 11:54 - 00465408 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013 (2).ppt
2013-11-08 06:29 - 2013-11-08 06:29 - 04971481 _____ C:\Users\Simon Wright\Downloads\Video (1).MOV
2013-11-08 06:28 - 2013-11-08 06:28 - 04971481 _____ C:\Users\Simon Wright\Downloads\Video.MOV
2013-11-07 12:00 - 2013-11-07 12:00 - 00377344 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013 (1).ppt
2013-11-07 09:35 - 2013-11-07 09:35 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside fixtures 2013-14NEW (7).xls
2013-11-06 08:06 - 2013-11-06 08:06 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk10-061113.xls
2013-11-05 08:17 - 2013-11-05 08:17 - 00001639 _____ C:\Users\Simon Wright\Downloads\launch.ica
2013-11-05 08:16 - 2013-11-05 08:16 - 00001639 _____ C:\Users\Simon Wright\Downloads\launch (2).ica
2013-11-05 08:15 - 2013-11-05 08:15 - 00001638 _____ C:\Users\Simon Wright\Downloads\launch (1).ica
2013-11-04 14:03 - 2013-11-04 14:03 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 (1).xlsx
2013-11-04 13:05 - 2013-11-04 13:05 - 01693774 _____ C:\Users\Simon Wright\Downloads\Key Reports for Supplier Meetings.pptx
2013-11-04 13:05 - 2013-11-04 13:05 - 00713678 _____ C:\Users\Simon Wright\Downloads\20130501 Ocado Segment Summary.pptx
2013-11-04 13:03 - 2013-11-04 13:03 - 00493696 _____ C:\Users\Simon Wright\Downloads\welcometoshoppercentreperformance.zip
2013-11-04 09:28 - 2013-11-04 09:28 - 00365056 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013.ppt
2013-11-04 01:58 - 2013-11-04 01:58 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5.xlsx
2013-11-04 01:47 - 2013-11-04 01:47 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside Rovers U12 Schedule Sept-Dec 2013 (as 12.10.13).xls
2013-11-04 01:47 - 2013-11-04 01:47 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside Rovers U12 Schedule Sept-Dec 2013 (as 12.10.13) (1).xls
2013-11-03 04:49 - 2013-11-03 04:49 - 00048128 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk9-031113.xls
2013-11-02 12:01 - 2013-11-02 12:01 - 00001875 _____ C:\Users\Simon Wright\Desktop\Fitbit Connect.lnk

==================== One Month Modified Files and Folders =======

2013-12-02 20:44 - 2013-12-02 20:44 - 00000000 ____D C:\FRST
2013-12-02 12:13 - 2013-12-01 22:57 - 95025368 ____T C:\ProgramData\3wd3l1.bxx
2013-12-02 12:12 - 2013-12-02 12:11 - 95025368 ____T C:\ProgramData\4bn1a4t.bxx
2013-12-02 12:12 - 2013-12-02 08:34 - 95025368 ____T C:\ProgramData\iilf8zoq.bxx
2013-12-02 12:12 - 2013-12-02 08:28 - 95025368 ____T C:\ProgramData\g228zlr.bxx
2013-12-02 12:11 - 2013-12-02 12:11 - 00207872 _____ (Корпорация Майкрософт) C:\ProgramData\t4a1nb4.dss
2013-12-02 12:11 - 2013-12-02 12:11 - 00000000 _____ C:\ProgramData\4bn1a4t.fvv
2013-12-02 12:11 - 2013-12-02 10:38 - 95025368 ____T C:\ProgramData\j6flcjwodh.bxx
2013-12-02 12:11 - 2013-06-07 23:19 - 00000000 ___RD C:\Users\Simon Wright\Google Drive
2013-12-02 12:10 - 2013-12-02 12:01 - 95025368 ____T C:\ProgramData\lj6wewlr.bxx
2013-12-02 12:10 - 2013-12-02 12:01 - 00000000 _____ C:\ProgramData\lj6wewlr.fvv
2013-12-02 12:10 - 2013-12-02 10:38 - 00000000 _____ C:\ProgramData\j6flcjwodh.fvv
2013-12-02 12:10 - 2013-12-02 08:34 - 00000000 _____ C:\ProgramData\iilf8zoq.fvv
2013-12-02 12:10 - 2013-12-02 08:28 - 00000000 _____ C:\ProgramData\g228zlr.fvv
2013-12-02 12:09 - 2013-12-01 22:57 - 00000000 _____ C:\ProgramData\3wd3l1.fvv
2013-12-02 12:08 - 2006-11-02 04:47 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-02 12:08 - 2006-11-02 04:47 - 00003216 ____H C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-02 12:01 - 2013-12-02 12:01 - 00204288 _____ (Корпорация Майкрософт) C:\ProgramData\rlwew6jl.dss
2013-12-02 10:38 - 2013-12-02 10:38 - 00204800 _____ (Microsoft Corporation) C:\ProgramData\hdowjclf6j.dss
2013-12-02 08:34 - 2013-12-02 08:34 - 00206336 _____ (Microsoft Corporation) C:\ProgramData\qoz8flii.dss
2013-12-02 08:28 - 2013-12-02 08:28 - 00206336 _____ (Microsoft Corporation) C:\ProgramData\rlz822g.dss
2013-12-02 08:28 - 2013-12-02 08:28 - 00000273 _____ C:\ProgramData\3wd3l1.reg
2013-12-02 08:28 - 2011-02-02 11:36 - 00000000 ____D C:\Users\Simon Wright\AppData\Local\CrashDumps
2013-12-01 23:03 - 2013-12-01 23:03 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2013-12-01 22:59 - 2009-05-07 07:17 - 00000000 ____D C:\Users\Simon Wright\Documents\Susan
2013-12-01 22:57 - 2013-12-01 22:57 - 00206848 _____ (Microsoft Corporation) C:\ProgramData\1l3dw3.dss
2013-12-01 22:57 - 2009-04-13 07:16 - 00000000 ____D C:\Users\Simon Wright\AppData\Local\Google
2013-12-01 22:57 - 2008-07-01 07:13 - 00000000 ____D C:\Program Files\Google
2013-12-01 22:55 - 2013-05-04 04:38 - 01234677 _____ C:\Windows\WindowsUpdate.log
2013-12-01 22:54 - 2006-11-02 02:33 - 00706952 _____ C:\Windows\System32\PerfStringBackup.INI
2013-12-01 08:42 - 2011-11-06 03:29 - 00000000 ____D C:\Users\Simon Wright\Documents\Kids Homework
2013-12-01 07:27 - 2013-12-01 07:27 - 00038400 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk13-011213.xls
2013-11-30 07:54 - 2013-11-30 07:54 - 00002631 _____ C:\Users\Simon Wright\Downloads\report.csv
2013-11-29 10:42 - 2013-11-29 10:42 - 00022528 _____ C:\Users\Simon Wright\Downloads\Completed Inquests.xls
2013-11-28 08:01 - 2013-11-28 08:01 - 00000199 ____H C:\Users\Simon Wright\Downloads\.picasa.ini
2013-11-27 08:19 - 2013-04-10 07:50 - 00000000 ____D C:\Users\Simon Wright\Documents\Crusaders Fixtures
2013-11-25 12:04 - 2013-11-25 12:04 - 00028056 _____ C:\Users\Simon Wright\Downloads\RugbyTeam&EntryTimes 23-11-2013.xlsx
2013-11-24 13:50 - 2013-11-24 13:50 - 00088064 _____ C:\Users\Simon Wright\Downloads\Schools Gala Results 2013.xls
2013-11-24 13:50 - 2013-11-24 13:50 - 00088064 _____ C:\Users\Simon Wright\Downloads\Schools Gala Results 2013 (1).xls
2013-11-24 13:50 - 2013-09-19 08:19 - 00000000 ____D C:\Users\Simon Wright\Documents\Middle School Gala 2013
2013-11-24 05:01 - 2013-11-24 05:01 - 00039424 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk12-241113.xls
2013-11-24 03:24 - 2013-02-03 06:55 - 00000000 ____D C:\Windows\Minidump
2013-11-24 02:04 - 2013-11-24 02:03 - 00017184 _____ C:\Users\Simon Wright\Downloads\Programmes for 2014.xlsx
2013-11-23 05:47 - 2013-11-23 05:47 - 00035840 _____ C:\Users\Simon Wright\Downloads\House Oct 13 (2).xls
2013-11-23 05:23 - 2013-11-23 05:23 - 00030972 _____ C:\Users\Simon Wright\Downloads\Round 1.xlsx
2013-11-21 10:15 - 2013-05-20 07:20 - 00000000 ____D C:\Users\Simon Wright\Documents\Woodside Football Club
2013-11-20 11:11 - 2013-11-20 11:11 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk12-201113.xls
2013-11-20 09:16 - 2013-11-20 09:16 - 00011034 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 6.xlsx
2013-11-19 08:12 - 2013-11-19 08:12 - 00028160 _____ C:\Users\Simon Wright\Downloads\Woodside fixtures 2013-14NEW (8).xls
2013-11-19 05:06 - 2011-05-21 02:28 - 00006648 _____ C:\Users\Simon Wright\AppData\Local\d3d9caps.dat
2013-11-19 02:21 - 2013-01-06 09:55 - 00230048 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2013-11-17 07:40 - 2013-11-17 07:40 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 (2).xlsx
2013-11-17 07:37 - 2013-11-17 07:37 - 00036864 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk11-171113.xls
2013-11-15 04:34 - 2013-11-15 04:34 - 00033792 _____ C:\Users\Simon Wright\Downloads\Just Hoods Basic Specs.xls
2013-11-15 04:25 - 2010-09-10 12:34 - 00002141 _____ C:\Users\Simon Wright\Desktop\Google Chrome.lnk
2013-11-14 08:58 - 2013-09-17 07:51 - 00001924 _____ C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2013-11-14 08:57 - 2013-09-17 07:51 - 00000000 ____D C:\Program Files\McAfee Security Scan
2013-11-14 00:34 - 2006-11-02 03:18 - 00000000 ____D C:\Windows\rescache
2013-11-13 23:16 - 2008-07-01 07:16 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-11-13 23:11 - 2013-07-25 21:20 - 00000000 ____D C:\Windows\System32\MRT
2013-11-13 23:03 - 2006-11-02 02:24 - 80340640 _____ (Microsoft Corporation) C:\Windows\System32\mrt.exe
2013-11-13 11:01 - 2013-11-13 11:01 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk11-131113.xls
2013-11-12 23:19 - 2013-11-12 23:19 - 00011301 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 & 6.xlsx
2013-11-10 15:35 - 2009-04-13 12:43 - 00000000 ____D C:\Users\Simon Wright\Documents\Simon
2013-11-08 11:54 - 2013-11-08 11:54 - 00465408 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013 (2).ppt
2013-11-08 06:29 - 2013-11-08 06:29 - 04971481 _____ C:\Users\Simon Wright\Downloads\Video (1).MOV
2013-11-08 06:28 - 2013-11-08 06:28 - 04971481 _____ C:\Users\Simon Wright\Downloads\Video.MOV
2013-11-07 12:00 - 2013-11-07 12:00 - 00377344 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013 (1).ppt
2013-11-07 09:35 - 2013-11-07 09:35 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside fixtures 2013-14NEW (7).xls
2013-11-06 08:06 - 2013-11-06 08:06 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk10-061113.xls
2013-11-05 08:17 - 2013-11-05 08:17 - 00001639 _____ C:\Users\Simon Wright\Downloads\launch.ica
2013-11-05 08:16 - 2013-11-05 08:16 - 00001639 _____ C:\Users\Simon Wright\Downloads\launch (2).ica
2013-11-05 08:15 - 2013-11-05 08:15 - 00001638 _____ C:\Users\Simon Wright\Downloads\launch (1).ica
2013-11-04 14:03 - 2013-11-04 14:03 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 (1).xlsx
2013-11-04 13:05 - 2013-11-04 13:05 - 01693774 _____ C:\Users\Simon Wright\Downloads\Key Reports for Supplier Meetings.pptx
2013-11-04 13:05 - 2013-11-04 13:05 - 00713678 _____ C:\Users\Simon Wright\Downloads\20130501 Ocado Segment Summary.pptx
2013-11-04 13:03 - 2013-11-04 13:03 - 00493696 _____ C:\Users\Simon Wright\Downloads\welcometoshoppercentreperformance.zip
2013-11-04 09:28 - 2013-11-04 09:28 - 00365056 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013.ppt
2013-11-04 01:58 - 2013-11-04 01:58 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5.xlsx
2013-11-04 01:47 - 2013-11-04 01:47 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside Rovers U12 Schedule Sept-Dec 2013 (as 12.10.13).xls
2013-11-04 01:47 - 2013-11-04 01:47 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside Rovers U12 Schedule Sept-Dec 2013 (as 12.10.13) (1).xls
2013-11-03 04:49 - 2013-11-03 04:49 - 00048128 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk9-031113.xls
2013-11-02 12:01 - 2013-11-02 12:01 - 00001875 _____ C:\Users\Simon Wright\Desktop\Fitbit Connect.lnk
2013-11-02 04:50 - 2013-01-14 09:34 - 00000000 ____D C:\Users\Simon Wright\Documents\Swim Week 2013
ZeroAccess:
C:\Users\Simon Wright\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

ZeroAccess:
C:\Windows\assembly\GAC\Desktop.ini

Files to move or delete:
====================
C:\Users\Simon Wright\AppData\Roaming\desktop.ini
C:\ProgramData\1l3dw3.dss
C:\ProgramData\3wd3l1.bxx
C:\ProgramData\3wd3l1.fvv
C:\ProgramData\3wd3l1.reg
C:\ProgramData\4bn1a4t.bxx
C:\ProgramData\4bn1a4t.fvv
C:\ProgramData\g228zlr.bxx
C:\ProgramData\g228zlr.fvv
C:\ProgramData\hdowjclf6j.dss
C:\ProgramData\iilf8zoq.bxx
C:\ProgramData\iilf8zoq.fvv
C:\ProgramData\j6flcjwodh.bxx
C:\ProgramData\j6flcjwodh.fvv
C:\ProgramData\lj6wewlr.bxx
C:\ProgramData\lj6wewlr.fvv
C:\ProgramData\ms5046818E.dat
C:\ProgramData\ms504D839B.dat
C:\ProgramData\ms504D9357.dat
C:\ProgramData\ms504DBD01.dat
C:\ProgramData\ms504DC32D.dat
C:\ProgramData\ms504DFD81.dat
C:\ProgramData\msmwahop.exe
C:\ProgramData\PKP_DLdu.DAT
C:\ProgramData\PKP_DLdw.DAT
C:\ProgramData\qoz8flii.dss
C:\ProgramData\rlwew6jl.dss
C:\ProgramData\rlz822g.dss
C:\ProgramData\t4a1nb4.dss

Some content of TEMP:
====================
C:\Users\Simon Wright\AppData\Local\Temp\1346793773.exe
C:\Users\Simon Wright\AppData\Local\Temp\pn.exe

==================== Known DLLs (Whitelisted) ============

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points  =========================

11
Restore point made on: 2013-11-06 13:57:16
Restore point made on: 2013-11-07 11:53:54
Restore point made on: 2013-11-10 01:03:31
Restore point made on: 2013-11-13 08:09:10
Restore point made on: 2013-11-13 23:01:43
Restore point made on: 2013-11-14 13:03:43
Restore point made on: 2013-11-17 10:53:00
Restore point made on: 2013-11-20 12:20:31
Restore point made on: 2013-11-24 01:30:16
Restore point made on: 2013-11-27 08:18:22
Restore point made on: 2013-11-30 14:38:51

==================== Memory info ===========================

Percentage of memory in use: 14%
Total physical RAM: 3963.06 MB
Available physical RAM: 3377.7 MB
Total Pagefile: 3632.18 MB
Available Pagefile: 3461.31 MB
Total Virtual: 2047.88 MB
Available Virtual: 1964.46 MB

==================== Drives ================================

Drive c: (Vista) (Fixed) (Total:148.89 GB) (Free:49.8 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Data) (Fixed) (Total:147.73 GB) (Free:92.16 GB) NTFS
Drive f: (WinRE) (Fixed) (Total:1.46 GB) (Free:1.23 GB) NTFS
Drive g: () (Removable) (Total:0.24 GB) (Free:0.06 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298 GB) (Disk ID: 4BCB0FB6)
Partition 1: (Not Active) - (Size=1 GB) - (Type=27)
Partition 2: (Active) - (Size=149 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=148 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 250 MB) (Disk ID: 5C55BD79)
Partition 1: (Active) - (Size=250 MB) - (Type=06)

LastRegBack: 2013-12-02 10:42

==================== End Of Log ============================


Save the attached file fixlist.txt to your flash drive, same place as FRST.

 

Now please enter System Recovery Options as you did to get the log.

 

Run FRST and press the Fix button just once and wait.

 

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

 

Next,

 

See if your system will boot to Normal mode; if so, run Malwarebytes:

 

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced logs in your next reply...

 

Kevin

fixlist.txt


Thanks Kevin

 

Fix log below.

 

Putting Malwarebytes on flash disk now to run in normal mode if it boots - will reply soon...


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 01-12-2013
Ran by SYSTEM at 2013-12-02 21:37:57 Run:1
Running from G:\
Boot Mode: Recovery

==============================================

Content of fixlist:
*****************
Start
HKLM\...\Policies\Explorer\Run: [7734] - C:\ProgramData\msmwahop.exe [341740 2009-04-10] ( ())
C:\ProgramData\msmwahop.exe
HKU\Simon Wright\...\Run: [Google Update*] - [x] <===== ATTENTION (ZeroAccess rootkit hidden path)
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3wd3l1.lnk
ShortcutTarget: 3wd3l1.lnk -> C:\ProgramData\1l3dw3.dss (Microsoft Corporation)
C:\ProgramData\1l3dw3.dss
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4bn1a4t.lnk
ShortcutTarget: 4bn1a4t.lnk -> C:\ProgramData\t4a1nb4.dss (?????????? ??????????)
C:\ProgramData\t4a1nb4.dss
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g228zlr.lnk
ShortcutTarget: g228zlr.lnk -> C:\ProgramData\rlz822g.dss (Microsoft Corporation)
C:\ProgramData\rlz822g.dss
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iilf8zoq.lnk
ShortcutTarget: iilf8zoq.lnk -> C:\ProgramData\qoz8flii.dss (Microsoft Corporation)
C:\ProgramData\qoz8flii.dss
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j6flcjwodh.lnk
ShortcutTarget: j6flcjwodh.lnk -> C:\ProgramData\hdowjclf6j.dss (Microsoft Corporation)
C:\ProgramData\hdowjclf6j.dss
Startup: C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lj6wewlr.lnk
ShortcutTarget: lj6wewlr.lnk -> C:\ProgramData\rlwew6jl.dss (?????????? ??????????)
C:\ProgramData\rlwew6jl.dss
S2 *etadpug; "C:\Program Files\Google\Desktop\Install\{a2970bbd-8e17-1c0e-9f60-cafb5c3c4e4d}\   \...\???\{a2970bbd-8e17-1c0e-9f60-cafb5c3c4e4d}\GoogleUpdate.exe" < <==== ATTENTION (ZeroAccess)
C:\Users\Simon Wright\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
C:\Windows\assembly\GAC\Desktop.ini
C:\Users\Simon Wright\AppData\Roaming\desktop.ini
C:\ProgramData\1l3dw3.dss
C:\ProgramData\3wd3l1.bxx
C:\ProgramData\3wd3l1.fvv
C:\ProgramData\3wd3l1.reg
C:\ProgramData\4bn1a4t.bxx
C:\ProgramData\4bn1a4t.fvv
C:\ProgramData\g228zlr.bxx
C:\ProgramData\g228zlr.fvv
C:\ProgramData\hdowjclf6j.dss
C:\ProgramData\iilf8zoq.bxx
C:\ProgramData\iilf8zoq.fvv
C:\ProgramData\j6flcjwodh.bxx
C:\ProgramData\j6flcjwodh.fvv
C:\ProgramData\lj6wewlr.bxx
C:\ProgramData\lj6wewlr.fvv
C:\ProgramData\ms5046818E.dat
C:\ProgramData\ms504D839B.dat
C:\ProgramData\ms504D9357.dat
C:\ProgramData\ms504DBD01.dat
C:\ProgramData\ms504DC32D.dat
C:\ProgramData\ms504DFD81.dat
C:\ProgramData\msmwahop.exe
C:\ProgramData\PKP_DLdu.DAT
C:\ProgramData\PKP_DLdw.DAT
C:\ProgramData\qoz8flii.dss
C:\ProgramData\rlwew6jl.dss
C:\ProgramData\rlz822g.dss
C:\ProgramData\t4a1nb4.dss
C:\Users\Simon Wright\AppData\Local\Temp\1346793773.exe
C:\Users\Simon Wright\AppData\Local\Temp\pn.exe
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
End

 

*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\7734 => Value deleted successfully.
C:\ProgramData\msmwahop.exe => Moved successfully.
HKU\Simon Wright\Software\Microsoft\Windows\CurrentVersion\Run\\Google Update* => Value deleted successfully.
C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3wd3l1.lnk => Moved successfully.
C:\ProgramData\1l3dw3.dss => Moved successfully.
"C:\ProgramData\1l3dw3.dss" => File/Directory not found.
C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4bn1a4t.lnk => Moved successfully.
C:\ProgramData\t4a1nb4.dss => Moved successfully.
"C:\ProgramData\t4a1nb4.dss" => File/Directory not found.
C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g228zlr.lnk => Moved successfully.
C:\ProgramData\rlz822g.dss => Moved successfully.
"C:\ProgramData\rlz822g.dss" => File/Directory not found.
C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iilf8zoq.lnk => Moved successfully.
C:\ProgramData\qoz8flii.dss => Moved successfully.
"C:\ProgramData\qoz8flii.dss" => File/Directory not found.
C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j6flcjwodh.lnk => Moved successfully.
C:\ProgramData\hdowjclf6j.dss => Moved successfully.
"C:\ProgramData\hdowjclf6j.dss" => File/Directory not found.
C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lj6wewlr.lnk => Moved successfully.
C:\ProgramData\rlwew6jl.dss => Moved successfully.
"C:\ProgramData\rlwew6jl.dss" => File/Directory not found.
*etadpug => Service deleted successfully.
"C:\Users\Simon Wright\AppData\Local\Google\Desktop\Install" => Could not move.
"C:\Program Files\Google\Desktop\Install" => Could not move.
C:\Windows\assembly\GAC\Desktop.ini => Moved successfully.
C:\Users\Simon Wright\AppData\Roaming\desktop.ini => Moved successfully.
"C:\ProgramData\1l3dw3.dss" => File/Directory not found.
C:\ProgramData\3wd3l1.bxx => Moved successfully.
C:\ProgramData\3wd3l1.fvv => Moved successfully.
C:\ProgramData\3wd3l1.reg => Moved successfully.
C:\ProgramData\4bn1a4t.bxx => Moved successfully.
C:\ProgramData\4bn1a4t.fvv => Moved successfully.
C:\ProgramData\g228zlr.bxx => Moved successfully.
C:\ProgramData\g228zlr.fvv => Moved successfully.
"C:\ProgramData\hdowjclf6j.dss" => File/Directory not found.
C:\ProgramData\iilf8zoq.bxx => Moved successfully.
C:\ProgramData\iilf8zoq.fvv => Moved successfully.
C:\ProgramData\j6flcjwodh.bxx => Moved successfully.
C:\ProgramData\j6flcjwodh.fvv => Moved successfully.
C:\ProgramData\lj6wewlr.bxx => Moved successfully.
C:\ProgramData\lj6wewlr.fvv => Moved successfully.
C:\ProgramData\ms5046818E.dat => Moved successfully.
C:\ProgramData\ms504D839B.dat => Moved successfully.
C:\ProgramData\ms504D9357.dat => Moved successfully.
C:\ProgramData\ms504DBD01.dat => Moved successfully.
C:\ProgramData\ms504DC32D.dat => Moved successfully.
C:\ProgramData\ms504DFD81.dat => Moved successfully.
"C:\ProgramData\msmwahop.exe" => File/Directory not found.
C:\ProgramData\PKP_DLdu.DAT => Moved successfully.
C:\ProgramData\PKP_DLdw.DAT => Moved successfully.
"C:\ProgramData\qoz8flii.dss" => File/Directory not found.
"C:\ProgramData\rlwew6jl.dss" => File/Directory not found.
"C:\ProgramData\rlz822g.dss" => File/Directory not found.
"C:\ProgramData\t4a1nb4.dss" => File/Directory not found.
C:\Users\Simon Wright\AppData\Local\Temp\1346793773.exe => Moved successfully.
C:\Users\Simon Wright\AppData\Local\Temp\pn.exe => Moved successfully.
Error: DeleteJunctionsIndirectory: C:\Program Files\Windows Defender => entry should be fixed outside recovery mode.
Error: DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client => entry should be fixed outside recovery mode.

==== End of Fixlog ====

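Reading a Fixlog like the one above is easier when each fixlist directive is paired with the outcome FRST reported for it. The script below is an added example for this thread, not code from FRST or from anyone posting here; it assumes only the `<target> => <result>` line shape visible in the posted log, and the status names it assigns are its own. The excerpt it parses is constructed from lines of the Fixlog above. It also explains the "File/Directory not found." lines: the same `.dss` files appear twice in the fixlist (once via their ShortcutTarget line, once as a bare path), so the second pass finds them already quarantined, which is harmless. The entries that still need attention are the "Could not move." directories and the junction fixes FRST refused to run from recovery mode.

```python
"""Triage an FRST Fixlog.txt: pair each fix directive with the outcome FRST reports.

Added example for this thread, not part of FRST. It assumes only the line shape
seen in the posted log ("<target> => <result>"); the status names are this script's own.
"""
import re
from collections import Counter

# Excerpt constructed from the Fixlog posted above (trimmed to a few representative lines).
SAMPLE_FIXLOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\7734 => Value deleted successfully.
C:\ProgramData\msmwahop.exe => Moved successfully.
C:\Users\Simon Wright\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3wd3l1.lnk => Moved successfully.
C:\ProgramData\1l3dw3.dss => Moved successfully.
"C:\ProgramData\1l3dw3.dss" => File/Directory not found.
*etadpug => Service deleted successfully.
"C:\Program Files\Google\Desktop\Install" => Could not move.
"C:\ProgramData\1l3dw3.dss" => File/Directory not found.
Error: DeleteJunctionsIndirectory: C:\Program Files\Windows Defender => entry should be fixed outside recovery mode.
"""

RESULT_LINE = re.compile(r"^(?P<target>.+?) => (?P<result>.+)$")

# Outcomes that mean the item is gone ("Moved" means moved to FRST's quarantine folder, not deleted).
OK_RESULTS = {
    "Moved successfully.",
    "Value deleted successfully.",
    "Service deleted successfully.",
}


def _key(target: str) -> str:
    """Normalise a path so the quoted and unquoted spellings FRST prints compare equal."""
    return target.strip().strip('"').lower()


def parse_fixlog(text: str) -> list:
    """Return one dict per result line: target, directive, status, detail."""
    entries = []
    handled = set()  # targets already moved/deleted earlier in the same run
    for raw in text.splitlines():
        line = raw.strip()
        match = RESULT_LINE.match(line)
        if not match:
            continue  # headers, separators, blank lines
        target, result = match.group("target"), match.group("result")

        if target.startswith("Error: "):
            # "Error: <directive>: <path> => <reason>", e.g. a junction fix refused in recovery mode.
            directive, _, path = target[len("Error: "):].partition(": ")
            entries.append({"target": path, "directive": directive,
                            "status": "needs_followup", "detail": result})
            continue

        key = _key(target)
        if result in OK_RESULTS:
            status = "removed"
            handled.add(key)
        elif result == "File/Directory not found.":
            # The fixlist listed the same file twice (once via its ShortcutTarget line,
            # once as a bare path); the second pass finds it already quarantined.
            status = "already_removed" if key in handled else "not_found"
        elif result == "Could not move.":
            status = "could_not_move"  # FRST could not move it from recovery mode; keep on the list
        else:
            status = "unknown"
        entries.append({"target": target.strip('"'), "directive": None,
                        "status": status, "detail": result})
    return entries


def summarise(entries: list) -> dict:
    """Count outcomes and list the targets that still need attention after the fix."""
    counts = Counter(e["status"] for e in entries)
    open_statuses = {"could_not_move", "needs_followup", "not_found", "unknown"}
    followup = [e["target"] for e in entries if e["status"] in open_statuses]
    return {"counts": dict(counts), "followup": followup}


if __name__ == "__main__":
    report = summarise(parse_fixlog(SAMPLE_FIXLOG))
    print(report["counts"])
    for target in report["followup"]:
        print("still open:", target)
```

Run it against a full Fixlog.txt by reading the file into `parse_fixlog`; the `followup` list is what a second fix (run from within Windows, as Kevin says below) still has to address.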

No, leave all as is and follow the new instructions for FRST. Apologies for the change; I did not realize the junction fix for MSE security has to be done from within Windows. Best to run a new scan first in case we miss anything.

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Kevin


That scan took a bit longer....

It did not seem to create the "addition.txt" file - the other log is below

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 02-12-2013
Ran by Simon Wright (administrator) on SIMONWRIGHT-PC on 02-12-2013 22:20:25
Running from C:\Users\Simon Wright\Desktop
Windows Vista Home Premium Service Pack 2 (X86) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Normal

==================== Could not list processes ===============

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [synTPEnh] - C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1348904 2008-08-14] (Synaptics, Inc.)
HKLM\...\Run: [NDSTray.exe] - NDSTray.exe
HKLM\...\Run: [cfFncEnabler.exe] - cfFncEnabler.exe
HKLM\...\Run: [RtHDVCpl] - C:\Windows\RtHDVCpl.exe [6037504 2008-04-08] (Realtek Semiconductor)
HKLM\...\Run: [Camera Assistant Software] - C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe [417792 2008-09-26] (Chicony)
HKLM\...\Run: [AppleSyncNotifier] - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM\...\Run: [HotKeysCmds] - C:\Windows\system32\hkcmd.exe [ ] ()
HKLM\...\Run: [PRISMSVR.EXE] - C:\Program Files\Thomson SpeedTouch\SpeedTouch 121g Wireless USB Monitor\PRISMSVR.exe [295001 2004-07-02] (Conexant Systems, Inc.)
HKLM\...\Run: [Adobe ARM] - C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM\...\Run: [APSDaemon] - C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [997408 2010-11-30] ()
HKLM\...\Run: [ConnectionCenter] - C:\Program Files\Citrix\ICA Client\concentr.exe [300400 2010-03-11] (Citrix Systems, Inc.)
HKLM\...\Run: [NBAgent] - C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe [1406248 2011-03-22] (Nero AG)
HKLM\...\Run: [KiesTrayAgent] - C:\Program Files\Samsung\Kies\KiesTrayAgent.exe [311152 2013-09-04] (Samsung Electronics Co., Ltd.)
HKLM\...\Run: [QuickTime Task] - C:\Program Files\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM\...\Run: [iTunesHelper] - C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-10-01] (Apple Inc.)
HKLM\...\Run: [Fitbit Connect] - C:\Program Files\Fitbit Connect\Fitbit Connect.exe [3264544 2013-10-02] (Fitbit, Inc.)
HKLM\...\RunOnce: [Malwarebytes Anti-Malware] - C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKCU\...\Policies\Explorer: [TaskbarNoNotification] 1
HKCU\...\Policies\Explorer: [HideSCAHealth] 1
MountPoints2: {27c17321-5ecb-11e0-9639-001e33a5e78d} - D:\autorun.exe
HKU\Default\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default\...\Run: [TOSCDSPD] - C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
HKU\Default User\...\Run: [WindowsWelcomeCenter] - rundll32.exe oobefldr.dll,ShowWelcomeCenter
HKU\Default User\...\Run: [TOSCDSPD] - C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe [ 2008-04-24] (TOSHIBA)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)

==================== Internet (Whitelisted) ====================

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/redirectdomain?brand=TSEA&bmod=TSEA;
HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
URLSearchHook: HKCU - (No Name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} -  No File
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=287&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9574336305714136&q={searchTerms}
SearchScopes: HKLM - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKCU - DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www2.delta-search.com/?q={searchTerms}&affID=120518&babsrc=SP_ss&mntrId=540900FF18E76190
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www2.delta-search.com/?q={searchTerms}&affID=120518&babsrc=SP_ss&mntrId=540900FF18E76190
SearchScopes: HKCU - {107E8020-3347-4917-A3E6-893DE3E4F458} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=U3&apn_dtid=OSJ000YYGB&apn_uid=0C507988-2D67-416F-AD3F-A119B3BD51C0&apn_sauid=1C3DCF36-5B3F-4912-9664-D795A875D737
SearchScopes: HKCU - {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL =
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:4664/search&s=Jg1bmakTNdAC60R02mle25Sovco?q={searchTerms}
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-results.com/sr?src=ieb&gct=ds&appid=287&systemid=406&apn_dtid=BND406&apn_ptnrs=AG6&o=APN10645&apn_uid=9574336305714136&q={searchTerms}
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www.ask.com/web?&o=101881&l=dis&q={SEARCHTERMS}
SearchScopes: HKCU - {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = http://toolbar.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80269&lng=en
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: No Name - {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - C:\Program Files\SiteRanker\SiteRank.dll (Crawler, LLC)
BHO: AppGraffiti - {6F6A5334-78E9-4D9B-8182-8B41EA8C39EF} - C:\Program Files\AppGraffiti\AppGraffiti.dll (Omega Partners Ltd)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION)
BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Office Document Cache Handler - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM - Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll (SEIKO EPSON CORPORATION)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKCU - No Name - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} -  No File
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} http://www.tescophoto.com/wpp/tesco/app/ImageUploader5.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://mydesktop.ocado.com/dana-cached/sc/JuniperSetupClient.cab
Handler: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Winsock: Catalog9 01 mswsock.dll File Not found ()
Winsock: Catalog9 02 mswsock.dll File Not found ()
Winsock: Catalog9 03 mswsock.dll File Not found ()
Winsock: Catalog9 04 mswsock.dll File Not found ()
Winsock: Catalog9 05 mswsock.dll File Not found ()
Winsock: Catalog9 06 mswsock.dll File Not found ()
Winsock: Catalog9 07 mswsock.dll File Not found ()
Winsock: Catalog9 08 mswsock.dll File Not found ()
Winsock: Catalog9 09 mswsock.dll File Not found ()
Winsock: Catalog9 10 mswsock.dll File Not found ()
Winsock: Catalog9 11 mswsock.dll File Not found ()
Winsock: Catalog9 12 mswsock.dll File Not found ()
Winsock: Catalog9 13 mswsock.dll File Not found ()
Winsock: Catalog9 14 mswsock.dll File Not found ()
Winsock: Catalog9 15 mswsock.dll File Not found ()
Winsock: Catalog9 16 mswsock.dll File Not found ()
Winsock: Catalog9 17 mswsock.dll File Not found ()
Winsock: Catalog9 18 mswsock.dll File Not found ()
Winsock: Catalog9 19 mswsock.dll File Not found ()
Winsock: Catalog9 20 mswsock.dll File Not found ()
Winsock: Catalog9 21 mswsock.dll File Not found ()
Winsock: Catalog9 22 mswsock.dll File Not found ()
Winsock: Catalog9 23 mswsock.dll File Not found ()
Winsock: Catalog9 24 mswsock.dll File Not found ()
Winsock: Catalog9 25 mswsock.dll File Not found ()
Winsock: Catalog9 26 mswsock.dll File Not found ()
Winsock: Catalog9 27 mswsock.dll File Not found ()
Winsock: Catalog9 28 mswsock.dll File Not found ()
Winsock: Catalog9 29 mswsock.dll File Not found ()
Winsock: Catalog9 30 mswsock.dll File Not found ()
Winsock: Catalog9 31 mswsock.dll File Not found ()
Winsock: Catalog9 32 mswsock.dll File Not found ()
Winsock: Catalog9 33 mswsock.dll File Not found ()
Winsock: Catalog9 34 mswsock.dll File Not found ()
Tcpip\Parameters: [DhcpNameServer] 194.168.4.100 194.168.8.100

Chrome:
=======


CHR Plugin: (Shockwave Flash) - C:\Users\Simon Wright\AppData\Local\Google\Chrome\Application\31.0.1650.57\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Simon Wright\AppData\Local\Google\Chrome\Application\31.0.1650.57\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Simon Wright\AppData\Local\Google\Chrome\Application\31.0.1650.57\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin2.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin3.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin4.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin5.dll (Apple Inc.)
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin6.dll No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\QuickTime\plugins\npqtplugin7.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~1\MICROS~2\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Garmin Communicator Plug-In) - C:\Program Files\Garmin GPS Plugin\npGarmin.dll (GARMIN Corp.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll No File
CHR Plugin: (Java Platform SE 6 U38) - C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll No File
CHR Plugin: (Picasa) - C:\Program Files\Picasa2\npPicasa3.dll (Google, Inc.)
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Facebook Video Calling Plugin) - C:\Users\Simon Wright\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll (Skype Limited)
CHR Plugin: (Windows Presentation Foundation) - C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
CHR Plugin: (Java Deployment Toolkit 6.0.380.5) - C:\Windows\system32\npdeployJava1.dll (Oracle Corporation)
CHR Extension: (AppGraffiti) - C:\Users\SIMONW~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\angobeimajilfhlcpeiccndaifchnppl\1.0.1.1_0
CHR Extension: (Google Drive) - C:\Users\SIMONW~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_0
CHR Extension: (YouTube) - C:\Users\SIMONW~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.6_0
CHR Extension: (Google Search) - C:\Users\SIMONW~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_0
CHR Extension: (Google Wallet) - C:\Users\SIMONW~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0
CHR Extension: (Gmail) - C:\Users\SIMONW~1\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1
CHR HKLM\...\Chrome\Extension: [angobeimajilfhlcpeiccndaifchnppl] - C:\Program Files\AppGraffiti\Chrome\graff_chr.crx
CHR StartMenuInternet: Google Chrome - C:\Users\Simon Wright\AppData\Local\Google\Chrome\Application\chrome.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

========================== Services (Whitelisted) =================

R2 ABBYY.Licensing.FineReader.Sprint.9.0; C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [759048 2009-05-14] (ABBYY)
R2 BackupStack; C:\Program Files\MyPC Backup\BackupStack.exe [32808 2013-05-21] (Just Develop It)
R2 ConfigFree Service; C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe [40960 2008-04-16] (TOSHIBA CORPORATION)
R2 dsNcService; C:\Program Files\Juniper Networks\Common Files\dsNcService.exe [615720 2009-08-12] (Juniper Networks)
R2 EpsonBidirectionalService; C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe [94208 2006-12-19] (SEIKO EPSON CORPORATION)
R2 EpsonScanSvc; C:\Windows\system32\EscSvc.exe [122000 2011-12-12] (Seiko Epson Corporation)
R2 Fitbit Connect; C:\Program Files\Fitbit Connect\FitbitConnectService.exe [1384992 2013-10-02] (Fitbit, Inc.)
S3 GoogleDesktopManager-051210-111108; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [30192 2010-07-31] (Google)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [235216 2013-09-06] (McAfee, Inc.)
R2 NAUpdate; C:\Program Files\Nero\Update\NASvc.exe [572712 2011-01-14] (Nero AG)
R3 SmartFaceVWatchSrv; C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe [77824 2008-08-25] (Toshiba)
R2 TempoMonitoringService; C:\Program Files\Toshiba TEMPRO\TempoSVC.exe [99720 2008-04-24] (Toshiba Europe GmbH)
R2 TOSHIBA SMART Log Service; C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [126976 2007-12-03] (TOSHIBA Corporation)
R2 UleadBurningHelper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [49152 2006-08-23] (Ulead Systems, Inc.)
S2 MsMpSvc; "C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [x]
S3 NisSrv; "C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]
S2 Winmgmt; C:\PROGRA~2\1l3dw3.dss [x]

==================== Drivers (Whitelisted) ====================

R3 dsNcAdpt; C:\Windows\System32\DRIVERS\dsNcAdpt.sys [26624 2009-08-12] (Juniper Networks)
S3 grmnusb; C:\Windows\System32\drivers\grmnusb.sys [9344 2009-04-17] (GARMIN Corp.)
R2 MDC8021X; C:\Windows\System32\DRIVERS\mdc8021x.sys [15781 2009-04-13] (Meetinghouse Data Communications)
R1 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [165264 2010-10-24] (Microsoft Corporation)
S3 MpNWMon; C:\Windows\System32\DRIVERS\MpNWMon.sys [43392 2010-10-24] (Microsoft Corporation)
R1 StarOpen; C:\Windows\System32\Drivers\StarOpen.sys [5632 2009-09-05] ()
R3 UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [17960 2008-07-15] (Chicony Electronics Co., Ltd.)
S2 BTWSp50; System32\Drivers\BTWSp50.sys [x]
S3 IpInIp; system32\DRIVERS\ipinip.sys [x]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [x]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [x]
S3 Tosrfcom; No ImagePath
S3 ZTEusbmdm6k; system32\DRIVERS\ZTEusbmdm6k.sys [x]
S3 ZTEusbnmea; system32\DRIVERS\ZTEusbnmea.sys [x]
S3 ZTEusbser6k; system32\DRIVERS\ZTEusbser6k.sys [x]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2013-12-03 04:44 - 2013-12-03 04:44 - 00000000 ____D C:\FRST
2013-12-02 22:20 - 2013-12-02 22:20 - 00019279 _____ C:\Users\Simon Wright\Desktop\FRST.txt
2013-12-02 22:20 - 2013-12-02 22:19 - 01092389 _____ (Farbar) C:\Users\Simon Wright\Desktop\FRST.exe
2013-12-02 21:53 - 2013-12-02 21:53 - 00000000 ____D C:\Users\Simon Wright\AppData\Roaming\Malwarebytes
2013-12-02 21:51 - 2013-12-02 21:51 - 00000911 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-02 21:51 - 2013-12-02 21:51 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-12-02 21:51 - 2013-12-02 21:51 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-12-02 21:51 - 2013-04-04 14:50 - 00022856 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2013-12-02 21:50 - 2013-12-02 21:50 - 00000795 _____ C:\Windows\setupact.log
2013-12-02 21:50 - 2013-12-02 21:50 - 00000000 _____ C:\Windows\setuperr.log
2013-12-02 07:03 - 2013-12-02 07:03 - 00000000 __SHD C:\Windows\system32\%APPDATA%
2013-12-01 15:27 - 2013-12-01 15:27 - 00038400 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk13-011213.xls
2013-11-30 15:54 - 2013-11-30 15:54 - 00002631 _____ C:\Users\Simon Wright\Downloads\report.csv
2013-11-29 18:42 - 2013-11-29 18:42 - 00022528 _____ C:\Users\Simon Wright\Downloads\Completed Inquests.xls
2013-11-28 16:01 - 2013-11-28 16:01 - 00000199 ____H C:\Users\Simon Wright\Downloads\.picasa.ini
2013-11-25 20:04 - 2013-11-25 20:04 - 00028056 _____ C:\Users\Simon Wright\Downloads\RugbyTeam&EntryTimes 23-11-2013.xlsx
2013-11-24 21:50 - 2013-11-24 21:50 - 00088064 _____ C:\Users\Simon Wright\Downloads\Schools Gala Results 2013.xls
2013-11-24 21:50 - 2013-11-24 21:50 - 00088064 _____ C:\Users\Simon Wright\Downloads\Schools Gala Results 2013 (1).xls
2013-11-24 13:01 - 2013-11-24 13:01 - 00039424 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk12-241113.xls
2013-11-24 10:03 - 2013-11-24 10:04 - 00017184 _____ C:\Users\Simon Wright\Downloads\Programmes for 2014.xlsx
2013-11-23 13:47 - 2013-11-23 13:47 - 00035840 _____ C:\Users\Simon Wright\Downloads\House Oct 13 (2).xls
2013-11-23 13:23 - 2013-11-23 13:23 - 00030972 _____ C:\Users\Simon Wright\Downloads\Round 1.xlsx
2013-11-20 19:11 - 2013-11-20 19:11 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk12-201113.xls
2013-11-20 17:16 - 2013-11-20 17:16 - 00011034 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 6.xlsx
2013-11-19 16:12 - 2013-11-19 16:12 - 00028160 _____ C:\Users\Simon Wright\Downloads\Woodside fixtures 2013-14NEW (8).xls
2013-11-17 15:40 - 2013-11-17 15:40 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 (2).xlsx
2013-11-17 15:37 - 2013-11-17 15:37 - 00036864 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk11-171113.xls
2013-11-15 12:34 - 2013-11-15 12:34 - 00033792 _____ C:\Users\Simon Wright\Downloads\Just Hoods Basic Specs.xls
2013-11-14 07:14 - 2013-10-13 10:42 - 12344832 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2013-11-14 07:14 - 2013-10-13 10:08 - 09739264 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2013-11-14 07:14 - 2013-10-13 09:48 - 01806848 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2013-11-14 07:14 - 2013-10-13 09:37 - 01104896 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2013-11-14 07:14 - 2013-10-13 09:35 - 01427968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2013-11-14 07:14 - 2013-10-13 09:35 - 01129472 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2013-11-14 07:14 - 2013-10-13 09:33 - 00231936 _____ (Microsoft Corporation) C:\Windows\system32\url.dll
2013-11-14 07:14 - 2013-10-13 09:32 - 00065024 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2013-11-14 07:14 - 2013-10-13 09:30 - 00717824 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2013-11-14 07:14 - 2013-10-13 09:30 - 00142848 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2013-11-14 07:14 - 2013-10-13 09:29 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2013-11-14 07:14 - 2013-10-13 09:27 - 01796096 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2013-11-14 07:14 - 2013-10-13 09:27 - 00607744 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2013-11-14 07:14 - 2013-10-13 09:26 - 00073216 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2013-11-14 07:14 - 2013-10-13 09:25 - 02382848 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2013-11-14 07:14 - 2013-10-13 09:20 - 00176640 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2013-11-13 19:01 - 2013-11-13 19:01 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk11-131113.xls
2013-11-13 07:24 - 2013-10-11 02:08 - 00444928 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2013-11-13 07:24 - 2013-10-11 02:07 - 00596480 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2013-11-13 07:24 - 2013-10-11 00:39 - 00218228 _____ C:\Windows\system32\WFP.TMF
2013-11-13 07:24 - 2013-10-03 12:45 - 00993792 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2013-11-13 07:24 - 2013-10-03 12:45 - 00297984 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2013-11-13 07:19 - 2013-11-13 07:19 - 00011301 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 & 6.xlsx
2013-11-08 19:54 - 2013-11-08 19:54 - 00465408 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013 (2).ppt
2013-11-08 14:29 - 2013-11-08 14:29 - 04971481 _____ C:\Users\Simon Wright\Downloads\Video (1).MOV
2013-11-08 14:28 - 2013-11-08 14:28 - 04971481 _____ C:\Users\Simon Wright\Downloads\Video.MOV
2013-11-07 20:00 - 2013-11-07 20:00 - 00377344 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013 (1).ppt
2013-11-07 17:35 - 2013-11-07 17:35 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside fixtures 2013-14NEW (7).xls
2013-11-06 16:06 - 2013-11-06 16:06 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk10-061113.xls
2013-11-05 16:17 - 2013-11-05 16:17 - 00001639 _____ C:\Users\Simon Wright\Downloads\launch.ica
2013-11-05 16:16 - 2013-11-05 16:16 - 00001639 _____ C:\Users\Simon Wright\Downloads\launch (2).ica
2013-11-05 16:15 - 2013-11-05 16:15 - 00001638 _____ C:\Users\Simon Wright\Downloads\launch (1).ica
2013-11-04 22:03 - 2013-11-04 22:03 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 (1).xlsx
2013-11-04 21:05 - 2013-11-04 21:05 - 01693774 _____ C:\Users\Simon Wright\Downloads\Key Reports for Supplier Meetings.pptx
2013-11-04 21:05 - 2013-11-04 21:05 - 00713678 _____ C:\Users\Simon Wright\Downloads\20130501 Ocado Segment Summary.pptx
2013-11-04 21:03 - 2013-11-04 21:03 - 00493696 _____ C:\Users\Simon Wright\Downloads\welcometoshoppercentreperformance.zip
2013-11-04 17:28 - 2013-11-04 17:28 - 00365056 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013.ppt
2013-11-04 09:58 - 2013-11-04 09:58 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5.xlsx
2013-11-04 09:47 - 2013-11-04 09:47 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside Rovers U12 Schedule Sept-Dec 2013 (as 12.10.13).xls
2013-11-04 09:47 - 2013-11-04 09:47 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside Rovers U12 Schedule Sept-Dec 2013 (as 12.10.13) (1).xls
2013-11-03 12:49 - 2013-11-03 12:49 - 00048128 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk9-031113.xls
2013-11-02 20:01 - 2013-11-02 20:01 - 00001875 _____ C:\Users\Simon Wright\Desktop\Fitbit Connect.lnk
2013-11-02 07:57 - 2013-11-02 07:57 - 00000000 ____D C:\ProgramData\FitbitConnect
2013-11-02 07:57 - 2013-11-02 07:57 - 00000000 ____D C:\Program Files\Fitbit Connect
2013-11-02 07:55 - 2013-11-02 07:55 - 05572008 _____ (Fitbit Inc.) C:\Users\Simon Wright\Downloads\FitbitConnect_Win_20131007_1.0.0.4065.exe

==================== One Month Modified Files and Folders =======

2013-12-03 04:44 - 2013-12-03 04:44 - 00000000 ____D C:\FRST
2013-12-02 22:29 - 2013-12-02 22:20 - 00019279 _____ C:\Users\Simon Wright\Desktop\FRST.txt
2013-12-02 22:19 - 2013-12-02 22:20 - 01092389 _____ (Farbar) C:\Users\Simon Wright\Desktop\FRST.exe
2013-12-02 22:15 - 2010-01-30 10:33 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-12-02 21:53 - 2013-12-02 21:53 - 00000000 ____D C:\Users\Simon Wright\AppData\Roaming\Malwarebytes
2013-12-02 21:51 - 2013-12-02 21:51 - 00000911 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-12-02 21:51 - 2013-12-02 21:51 - 00000000 ____D C:\ProgramData\Malwarebytes
2013-12-02 21:51 - 2013-12-02 21:51 - 00000000 ____D C:\Program Files\Malwarebytes' Anti-Malware
2013-12-02 21:50 - 2013-12-02 21:50 - 00000795 _____ C:\Windows\setupact.log
2013-12-02 21:50 - 2013-12-02 21:50 - 00000000 _____ C:\Windows\setuperr.log
2013-12-02 21:47 - 2010-01-30 10:33 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-12-02 21:44 - 2006-11-02 13:01 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2013-12-02 21:44 - 2006-11-02 12:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2013-12-02 21:44 - 2006-11-02 12:47 - 00003216 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2013-12-02 20:13 - 2006-11-02 13:01 - 00032644 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2013-12-02 20:11 - 2013-06-08 07:19 - 00000000 ___RD C:\Users\Simon Wright\Google Drive
2013-12-02 19:54 - 2013-01-06 17:28 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-12-02 19:54 - 2010-09-10 20:32 - 00000936 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1589440685-286437405-3900244374-1000UA.job
2013-12-02 18:31 - 2010-09-10 20:32 - 00000884 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1589440685-286437405-3900244374-1000Core.job
2013-12-02 18:17 - 2011-09-11 19:32 - 00000954 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1589440685-286437405-3900244374-1000UA.job
2013-12-02 18:16 - 2011-09-11 19:32 - 00000932 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1589440685-286437405-3900244374-1000Core.job
2013-12-02 16:28 - 2011-02-02 19:36 - 00000000 ____D C:\Users\Simon Wright\AppData\Local\CrashDumps
2013-12-02 07:03 - 2013-12-02 07:03 - 00000000 __SHD C:\Windows\system32\%APPDATA%
2013-12-02 06:59 - 2009-05-07 15:17 - 00000000 ____D C:\Users\Simon Wright\Documents\Susan
2013-12-02 06:57 - 2009-04-13 15:16 - 00000000 ____D C:\Users\Simon Wright\AppData\Local\Google
2013-12-02 06:57 - 2008-07-01 15:13 - 00000000 ____D C:\Program Files\Google
2013-12-02 06:55 - 2013-05-04 12:38 - 01234677 _____ C:\Windows\WindowsUpdate.log
2013-12-02 06:54 - 2006-11-02 10:33 - 00706952 _____ C:\Windows\system32\PerfStringBackup.INI
2013-12-01 16:42 - 2011-11-06 11:29 - 00000000 ____D C:\Users\Simon Wright\Documents\Kids Homework
2013-12-01 15:27 - 2013-12-01 15:27 - 00038400 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk13-011213.xls
2013-11-30 15:54 - 2013-11-30 15:54 - 00002631 _____ C:\Users\Simon Wright\Downloads\report.csv
2013-11-29 18:42 - 2013-11-29 18:42 - 00022528 _____ C:\Users\Simon Wright\Downloads\Completed Inquests.xls
2013-11-28 16:01 - 2013-11-28 16:01 - 00000199 ____H C:\Users\Simon Wright\Downloads\.picasa.ini
2013-11-27 16:19 - 2013-04-10 15:50 - 00000000 ____D C:\Users\Simon Wright\Documents\Crusaders Fixtures
2013-11-25 20:04 - 2013-11-25 20:04 - 00028056 _____ C:\Users\Simon Wright\Downloads\RugbyTeam&EntryTimes 23-11-2013.xlsx
2013-11-24 21:50 - 2013-11-24 21:50 - 00088064 _____ C:\Users\Simon Wright\Downloads\Schools Gala Results 2013.xls
2013-11-24 21:50 - 2013-11-24 21:50 - 00088064 _____ C:\Users\Simon Wright\Downloads\Schools Gala Results 2013 (1).xls
2013-11-24 21:50 - 2013-09-19 16:19 - 00000000 ____D C:\Users\Simon Wright\Documents\Middle School Gala 2013
2013-11-24 13:01 - 2013-11-24 13:01 - 00039424 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk12-241113.xls
2013-11-24 11:24 - 2013-02-03 14:55 - 00000000 ____D C:\Windows\Minidump
2013-11-24 10:04 - 2013-11-24 10:03 - 00017184 _____ C:\Users\Simon Wright\Downloads\Programmes for 2014.xlsx
2013-11-23 13:47 - 2013-11-23 13:47 - 00035840 _____ C:\Users\Simon Wright\Downloads\House Oct 13 (2).xls
2013-11-23 13:23 - 2013-11-23 13:23 - 00030972 _____ C:\Users\Simon Wright\Downloads\Round 1.xlsx
2013-11-21 18:15 - 2013-05-20 15:20 - 00000000 ____D C:\Users\Simon Wright\Documents\Woodside Football Club
2013-11-20 19:11 - 2013-11-20 19:11 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk12-201113.xls
2013-11-20 17:16 - 2013-11-20 17:16 - 00011034 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 6.xlsx
2013-11-19 16:12 - 2013-11-19 16:12 - 00028160 _____ C:\Users\Simon Wright\Downloads\Woodside fixtures 2013-14NEW (8).xls
2013-11-19 13:06 - 2011-05-21 10:28 - 00006648 _____ C:\Users\Simon Wright\AppData\Local\d3d9caps.dat
2013-11-19 10:21 - 2013-01-06 17:55 - 00230048 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2013-11-17 15:40 - 2013-11-17 15:40 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 (2).xlsx
2013-11-17 15:37 - 2013-11-17 15:37 - 00036864 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk11-171113.xls
2013-11-15 12:34 - 2013-11-15 12:34 - 00033792 _____ C:\Users\Simon Wright\Downloads\Just Hoods Basic Specs.xls
2013-11-15 12:25 - 2010-09-10 20:34 - 00002141 _____ C:\Users\Simon Wright\Desktop\Google Chrome.lnk
2013-11-14 16:58 - 2013-09-17 15:51 - 00001924 _____ C:\Users\Public\Desktop\McAfee Security Scan Plus.lnk
2013-11-14 16:57 - 2013-09-17 15:51 - 00000000 ____D C:\Program Files\McAfee Security Scan
2013-11-14 08:34 - 2006-11-02 11:18 - 00000000 ____D C:\Windows\rescache
2013-11-14 07:16 - 2008-07-01 15:16 - 00000000 ____D C:\ProgramData\Microsoft Help
2013-11-14 07:11 - 2013-07-26 05:20 - 00000000 ____D C:\Windows\system32\MRT
2013-11-14 07:03 - 2006-11-02 10:24 - 80340640 _____ (Microsoft Corporation) C:\Windows\system32\mrt.exe
2013-11-13 19:01 - 2013-11-13 19:01 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk11-131113.xls
2013-11-13 07:19 - 2013-11-13 07:19 - 00011301 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 & 6.xlsx
2013-11-10 23:35 - 2009-04-13 20:43 - 00000000 ____D C:\Users\Simon Wright\Documents\Simon
2013-11-08 19:54 - 2013-11-08 19:54 - 00465408 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013 (2).ppt
2013-11-08 14:29 - 2013-11-08 14:29 - 04971481 _____ C:\Users\Simon Wright\Downloads\Video (1).MOV
2013-11-08 14:28 - 2013-11-08 14:28 - 04971481 _____ C:\Users\Simon Wright\Downloads\Video.MOV
2013-11-07 20:00 - 2013-11-07 20:00 - 00377344 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013 (1).ppt
2013-11-07 17:35 - 2013-11-07 17:35 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside fixtures 2013-14NEW (7).xls
2013-11-06 16:06 - 2013-11-06 16:06 - 00071168 _____ C:\Users\Simon Wright\Downloads\Wednesday-Black-wk10-061113.xls
2013-11-05 16:17 - 2013-11-05 16:17 - 00001639 _____ C:\Users\Simon Wright\Downloads\launch.ica
2013-11-05 16:16 - 2013-11-05 16:16 - 00001639 _____ C:\Users\Simon Wright\Downloads\launch (2).ica
2013-11-05 16:15 - 2013-11-05 16:15 - 00001638 _____ C:\Users\Simon Wright\Downloads\launch (1).ica
2013-11-04 22:03 - 2013-11-04 22:03 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5 (1).xlsx
2013-11-04 21:05 - 2013-11-04 21:05 - 01693774 _____ C:\Users\Simon Wright\Downloads\Key Reports for Supplier Meetings.pptx
2013-11-04 21:05 - 2013-11-04 21:05 - 00713678 _____ C:\Users\Simon Wright\Downloads\20130501 Ocado Segment Summary.pptx
2013-11-04 21:03 - 2013-11-04 21:03 - 00493696 _____ C:\Users\Simon Wright\Downloads\welcometoshoppercentreperformance.zip
2013-11-04 17:28 - 2013-11-04 17:28 - 00365056 _____ C:\Users\Simon Wright\Downloads\Ocado powerpoint template 2013.ppt
2013-11-04 09:58 - 2013-11-04 09:58 - 00011363 _____ C:\Users\Simon Wright\Downloads\Club Champ 2013 gala 5.xlsx
2013-11-04 09:47 - 2013-11-04 09:47 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside Rovers U12 Schedule Sept-Dec 2013 (as 12.10.13).xls
2013-11-04 09:47 - 2013-11-04 09:47 - 00027648 _____ C:\Users\Simon Wright\Downloads\Woodside Rovers U12 Schedule Sept-Dec 2013 (as 12.10.13) (1).xls
2013-11-03 12:49 - 2013-11-03 12:49 - 00048128 _____ C:\Users\Simon Wright\Downloads\Sunday-Black-wk9-031113.xls
2013-11-02 20:01 - 2013-11-02 20:01 - 00001875 _____ C:\Users\Simon Wright\Desktop\Fitbit Connect.lnk
2013-11-02 12:50 - 2013-01-14 17:34 - 00000000 ____D C:\Users\Simon Wright\Documents\Swim Week 2013
2013-11-02 07:57 - 2013-11-02 07:57 - 00000000 ____D C:\ProgramData\FitbitConnect
2013-11-02 07:57 - 2013-11-02 07:57 - 00000000 ____D C:\Program Files\Fitbit Connect
2013-11-02 07:55 - 2013-11-02 07:55 - 05572008 _____ (Fitbit Inc.) C:\Users\Simon Wright\Downloads\FitbitConnect_Win_20131007_1.0.0.4065.exe
ZeroAccess:
C:\Users\Simon Wright\AppData\Local\Google\Desktop\Install
ZeroAccess:
C:\Program Files\Google\Desktop\Install

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
ATTENTION: ====> ZeroAccess. Use DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client

LastRegBack: 2013-12-02 21:56

==================== End Of Log ============================


Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.


The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick Scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced logs...

 

 

 

fixlist.txt


OK - still up and first scan / fix finished - log below (bit big)...

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 02-12-2013
Ran by Simon Wright at 2013-12-02 22:50:24 Run:2
Running from C:\Users\Simon Wright\Desktop
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
Start
HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox...tb_id&%language
SearchScopes: HKLM - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-re...&q={searchTerms}
SearchScopes: HKLM - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://www2.delta-se...40900FF18E76190
SearchScopes: HKCU - {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://www2.delta-se...40900FF18E76190
SearchScopes: HKCU - {107E8020-3347-4917-A3E6-893DE3E4F458} URL = http://websearch.ask...64-D795A875D737
SearchScopes: HKCU - {483830EE-A4CD-4b71-B0A3-3D82E62A6909} URL =
SearchScopes: HKCU - {70D46D94-BF1E-45ED-B567-48701376298E} URL = http://127.0.0.1:466...?q={searchTerms}
SearchScopes: HKCU - {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL = http://dts.search-re...&q={searchTerms}
SearchScopes: HKCU - {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = http://toolbar.inbox...id=80269&lng=en
Winsock: Catalog5 01 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll File Not found () ATTENTION: The LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
cmd: netsh winsock reset
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
S2 Winmgmt; C:\PROGRA~2\1l3dw3.dss [x]
C:\PROGRA~2\1l3dw3.dss
C:\Windows\system32\%APPDATA%
C:\Users\Simon Wright\AppData\Local\Google\Desktop\Install
C:\Program Files\Google\Desktop\Install
DeleteJunctionsIndirectory: C:\Program Files\Windows Defender
DeleteJunctionsIndirectory: C:\Program Files\Microsoft Security Client
End

 

*****************

HKCU\Software\Microsoft\Internet Explorer\Main\\Search Bar => Value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{107E8020-3347-4917-A3E6-893DE3E4F458} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{107E8020-3347-4917-A3E6-893DE3E4F458} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{483830EE-A4CD-4b71-B0A3-3D82E62A6909} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{483830EE-A4CD-4b71-B0A3-3D82E62A6909} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{70D46D94-BF1E-45ED-B567-48701376298E} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{C04B7D22-5AEC-4561-8F49-27F6269208F6} => Key not found.
Winsock: Catalog5 entry 000000000001\\LibraryPath  was set successfully to %SystemRoot%\system32\NLAapi.dll
Winsock: Catalog5 entry 000000000005\\LibraryPath  was set successfully to %SystemRoot%\System32\mswsock.dll

=========  netsh winsock reset =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
Winmgmt => Service restored successfully.
"C:\PROGRA~2\1l3dw3.dss" => File/Directory not found.
C:\Windows\system32\%APPDATA% => Moved successfully.

"C:\Users\Simon Wright\AppData\Local\Google\Desktop\Install" directory move:

Could not move "C:\Users\Simon Wright\AppData\Local\Google\Desktop\Install" directory. => Scheduled to move on reboot.

"C:\Program Files\Google\Desktop\Install" directory move:

Could not move "C:\Program Files\Google\Desktop\Install" directory. => Scheduled to move on reboot.

"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking started.
"C:\Program Files\Windows Defender\en-US" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpAsDesc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpClient.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpCmdRun.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpEvMsg.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpOAV.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtMon.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpRtPlug.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSigDwn.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSoftEx.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MpSvc.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MSASCui.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpCom.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpLics.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Windows Defender" => Deleting reparse point and unlocking completed.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking started.
"C:\Program Files\Microsoft Security Client\Antimalware" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\Backup" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\CleanUpPolicy.xml" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\ConfigSecurityPolicy.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\en-us" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\eppmanifest.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsMpRes.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\msseces.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\MsseWat.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\setup.exe" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\setupres.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\shellext.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client\sqmapi.dll" => Deleting reparse point and unlocking done.
"C:\Program Files\Microsoft Security Client" => Deleting reparse point and unlocking completed.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2013-12-02 23:28:24)<=

C:\Users\Simon Wright\AppData\Local\Google\Desktop\Install => Is moved successfully.
C:\Program Files\Google\Desktop\Install => Is moved successfully.

==== End of Fixlog ====


Hi

 

got somewhat confused with which log is which for MBAM - I've pasted below the one I think is the full scan where I clicked "fix". I've attached the other log files I have from MBAM in case these help.

Since doing this I've done another full scan and nothing was found.

Computer does seem to be running OK now but haven't done any browsing or anything on it yet (posting this from another PC)

 

Ta

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.02.11

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Simon Wright :: SIMONWRIGHT-PC [administrator]

03/12/2013 00:15:17
MBAM-log-2013-12-03 (07-53-19).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 449825
Time elapsed: 3 hour(s), 29 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6F6A5334-78E9-4D9B-8182-8B41EA8C39EF}_is1 (PUP.Optional.AppGraffiti.A) -> No action taken.
HKCU\SOFTWARE\BabylonToolbar (PUP.Optional.BabylonToolBar.A) -> No action taken.
HKCU\SOFTWARE\DataMngr_Toolbar (PUP.Optional.DataMngr.A) -> No action taken.
HKCU\Software\Datamngr (PUP.Optional.DataMngr.A) -> No action taken.
HKCU\SOFTWARE\INSTALLCORE (PUP.Optional.InstallCore.A) -> No action taken.
HKLM\SOFTWARE\DomaIQ (PUP.Optional.DomaIQ.A) -> No action taken.

Registry Values Detected: 1
HKCU\Software\InstallCore|tb (PUP.Optional.InstallCore.A) -> Data: 0Z1N1J -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 5
C:\Users\Simon Wright\AppData\Roaming\Babylon (PUP.Optional.Babylon.A) -> No action taken.
C:\Program Files\AppGraffiti (PUP.Optional.AppGraffiti.A) -> No action taken.
C:\Program Files\AppGraffiti\Chrome (PUP.Optional.AppGraffiti.A) -> No action taken.
C:\Program Files\AppGraffiti\Update (PUP.Optional.AppGraffiti.A) -> No action taken.
C:\ProgramData\57833834 (Rogue.Multiple) -> No action taken.

Files Detected: 18
C:\FRST\Quarantine\1l3dw3.dss (Trojan.FakeMS) -> No action taken.
C:\FRST\Quarantine\hdowjclf6j.dss (Trojan.FakeMS) -> No action taken.
C:\FRST\Quarantine\ms5046818E.dat (Trojan.FakeMS) -> No action taken.
C:\FRST\Quarantine\ms504D839B.dat (Trojan.FakeMS) -> No action taken.
C:\FRST\Quarantine\ms504DBD01.dat (Trojan.FakeMS) -> No action taken.
C:\FRST\Quarantine\ms504DFD81.dat (Trojan.FakeMS) -> No action taken.
C:\FRST\Quarantine\qoz8flii.dss (Trojan.FakeMS) -> No action taken.
C:\FRST\Quarantine\rlz822g.dss (Trojan.FakeMS) -> No action taken.
C:\Users\Simon Wright\Downloads\Setup.exe (PUP.Optional.Conduit.A) -> No action taken.
C:\Users\Simon Wright\AppData\Roaming\Babylon\log_file.txt (PUP.Optional.Babylon.A) -> No action taken.
C:\Program Files\AppGraffiti\unins000.dat (PUP.Optional.AppGraffiti.A) -> No action taken.
C:\Program Files\AppGraffiti\AppGraffiti.exe (PUP.Optional.AppGraffiti.A) -> No action taken.
C:\Program Files\AppGraffiti\AppGraffiti._dll (PUP.Optional.AppGraffiti.A) -> No action taken.
C:\Program Files\AppGraffiti\AppGraffiti._exe (PUP.Optional.AppGraffiti.A) -> No action taken.
C:\Program Files\AppGraffiti\AppGraffiti64.dll (PUP.Optional.AppGraffiti.A) -> No action taken.
C:\Program Files\AppGraffiti\unins000.exe (PUP.Optional.AppGraffiti.A) -> No action taken.
C:\Program Files\AppGraffiti\Chrome\graff_chr.crx (PUP.Optional.AppGraffiti.A) -> No action taken.
C:\Program Files\AppGraffiti\Chrome\graff_chr.ver (PUP.Optional.AppGraffiti.A) -> No action taken.

(end)

mbam-log-2013-12-02 (23-42-38).txt

mbam-log-2013-12-02 (23-43-11).txt

mbam-log-2013-12-03 (00-15-17).txt

MBAM-log-2013-12-03 (07-53-19).txt

mbam-log-2013-12-03 (08-07-59).txt


We need to run an online AV scan to ensure there are no remnants of any infection left on your system. This scan can take several hours to complete; it is very thorough and well worth running, so please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7 users: right-click on the IE shortcut and run as admin.

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report to next reply

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security software alerts, either accept the alert or turn the security off while Security Check runs.)

Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.

A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Post both logs to next reply, also let me know if there are any remaining issues or concerns...

 

Thanks,

 

Kevin


All done - logs below...

 

ESET Log....

 

C:\FRST\Quarantine\1346793773.exe Win32/PSW.Fareit.A trojan
C:\FRST\Quarantine\ms504D9357.dat a variant of Win32/Kryptik.BQEU trojan
C:\FRST\Quarantine\ms504DC32D.dat a variant of Win32/Kryptik.BQEU trojan
C:\FRST\Quarantine\msmwahop.exe Win32/TrojanDownloader.Wauchos.X trojan
C:\FRST\Quarantine\pn.exe Win32/PSW.Fareit.A trojan
C:\FRST\Quarantine\rlwew6jl.dss a variant of Win32/Kryptik.BQEU trojan
C:\FRST\Quarantine\t4a1nb4.dss a variant of Win32/Kryptik.BQEU trojan
C:\Users\Simon Wright\AppData\Local\Temp\rlwew6jl.dss a variant of Win32/Kryptik.BQEU trojan
C:\Users\Simon Wright\AppData\Local\Temp\t4a1nb4.dss a variant of Win32/Kryptik.BQEU Trojan

 

 

SCREEN317 log below

 

 Results of screen317's Security Check version 0.99.77 
 Windows Vista Service Pack 2 x86 (UAC is disabled!) 
 Internet Explorer 9 
 Internet Explorer 8 
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
Microsoft Security Essentials  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Adobe Reader 10.1.8 Adobe Reader out of Date! 
 Google Chrome 30.0.1599.101 
 Google Chrome 31.0.1650.57 
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 2 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

 


Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

 

http://oldtimer.geekstogo.com/OTM.exe

http://www.itxassociates.com/OT-Tools/OTM.com

http://www.itxassociates.com/OT-Tools/OTM.exe 

 

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, and the Desktop will also disappear; this will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...

  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files: :Files
     
    :Files
    C:\Users\Simon Wright\AppData\Local\Temp\rlwew6jl.dss
    C:\Users\Simon Wright\AppData\Local\Temp\t4a1nb4.dss
    :Commands
    [EmptyTemp]
     
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red btnmoveit.png button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

 

If the machine reboots, the Results log can be found here:

 

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

 

Where mmddyyyy_hhmmss is the date of the tool run.

 

Next,

 

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:

 


Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender

 


Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

 

Post produced logs...
