Infected by moneypak Department of Justice virus. Malware bytes cannot detect


This morning I got infected with the moneypak virus. I have dealt with this before, but this time it's different. No version of safe mode will work. Safe mode with command prompt still launches with the virus. I can, however, log into an admin account with normal start-up if I log into my personal account, press CTRL+ALT+DEL, and switch users. The virus will start up in any mode except this admin account. Malwarebytes starts up fine and scans but cannot detect it. I have system restored but the virus is still present. What am I doing wrong? This is very scary, please help!

 

Things I have tried:

 

1) System restore.

2) Malware scan.

3) Safe mode.

 

I also seem to have a problem with my admin account but that is irrelevant for now. I have attached a photo if it helps.



Welcome to the forum.

  • On a clean machine, please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system.

    Plug the flash drive into the infected PC.

  • If you are using Windows 8 consult How to use the Windows 8 System Recovery Environment Command Prompt to enter System Recovery Command prompt.

    If you are using Vista or Windows 7 enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.

    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:

    Startup Repair

    System Restore

    Windows Complete PC Restore

    Windows Memory Diagnostic Tool

    Command Prompt

    Select Command Prompt

  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter

      Note: Replace letter e with the drive letter of your flash drive.

    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
  MrC

I for some reason cannot move the FRST.exe to the flash drive. I also cannot go into system recovery for now because I don't have a disk. Here is the log though.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:28-06-2014 02
Ran by Administrator (administrator) on MRLI-PC on 30-06-2014 18:17:39
Running from C:\Program Files\Google\Chrome\Application\33.0.1750.154
Platform: Microsoft Windows 7 Professional  (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Windows\System32\PnkBstrA.exe
(Razer Inc.) C:\Program Files\Razer\Razer Game Booster\RzKLService.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Horizon View Client\wsnm.exe
(VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Aeria Games & Entertainment) C:\Program Files\Aeria Games\Ignite\aeriaignite.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgui.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Informer Technologies, Inc.) C:\Program Files\Software Informer\softinfo.exe
(Akamai Technologies, Inc.) C:\Users\Mr.Li\AppData\Local\Akamai\netsession_win.exe
(PPStream Inc.) D:\PPS.tv\PPStream\PPSKernel.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe
(Akamai Technologies, Inc.) C:\Users\Mr.Li\AppData\Local\Akamai\netsession_win.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Aeria Games & Entertainment) C:\Program Files\Aeria Games\Ignite\aeriaignite.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgui.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(McAfee, Inc.) C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Valve Corporation) C:\Program Files\Steam\Steam.exe
(Valve Corporation) C:\Program Files\Common Files\Steam\SteamService.exe
(Malwarebytes Corporation) C:\Program Files\Malwarebytes Anti-Malware\mbam.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\regedit.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [soundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-04-23] (Analog Devices, Inc.)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2562848 2013-04-19] ()
HKLM\...\Run: [Aeria Ignite] => C:\Program Files\Aeria Games\Ignite\aeriaignite.exe [1925656 2013-06-06] (Aeria Games & Entertainment)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2014\avgui.exe [5181456 2014-05-13] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3774312 2014-04-02] (AVAST Software)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [DivXMediaServer] => C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe
Winlogon\Notify\oljoire: C:\Users\Mr.Li\AppData\Local\oljoire.dll [X]
HKU\.DEFAULT\...\Winlogon: [shell] 
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [steam] => C:\Program Files\Steam\Steam.exe [1754816 2014-05-29] (Valve Corporation)
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [software Informer] => C:\Program Files\Software Informer\softinfo.exe [2920517 2011-10-27] (Informer Technologies, Inc.)
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Mr.Li\AppData\Local\Akamai\netsession_win.exe [4672920 2014-04-17] (Akamai Technologies, Inc.)
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [PPS Accelerator] => D:\PPS.tv\PPStream\PPSKernel.exe [4154232 2013-09-16] (PPStream Inc.)
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\MountPoints2: E - E:\FalloutLauncher.exe
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Winlogon: [shell] 
HKLM\...\AppCertDlls: [wyzxpvj] -> C:\ProgramData\wyzxpvj.dat
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)
 
==================== Internet (Whitelisted) ====================
 
SearchScopes: HKLM - Backup.Old.DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
SearchScopes: HKLM - {3EFB0E43-80C4-AB2D-3334-2EB74051F29C} URL = 
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.141\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO: No Name - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -  No File
Toolbar: HKLM - No Name - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File
Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File
Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 167.206.13.180 167.206.13.181 192.168.1.1
 
FireFox:
========
FF Plugin: @3gstudios.com/webmediaclient,version=1.0 - C:\Program Files\3G Studios\Web Media Client\npWebMediaClient.dll No File
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_206.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll No File
FF Plugin: @divx.com/DivX Web Player Plug-In,version=1.0.0 - C:\Program Files\DivX\DivX Web Player\npdivx32.dll No File
FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @nexon.net/NxGame - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF Plugin: @pandonetworks.com/PandoWebPlugin - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin: @pps.tv/nppps - D:\PPS.tv\PPStream\nppps.dll ()
FF Plugin: @qq.com/npqscall - C:\Program Files\Common Files\Tencent\NPQSCALL\npqscall.dll (Tencent)
FF Plugin: @qq.com/QQlive - C:\Program Files\Tencent\QQLive\LiveOcx\npQQLive.dll (Tencent)
FF Plugin: @qq.com/QQPhotoDrawEx - C:\Program Files\Tencent\Qzone\npQQPhotoDrawEx.dll ()
FF Plugin: @qq.com/QzoneMusic - C:\Program Files\Tencent\QQMusic\QzoneMusic\npQzoneMusic.dll (Tencent)
FF Plugin: @qq.com/TXSSO - C:\Program Files\Common Files\Tencent\TXSSO\1.2.1.41\Bin\npSSOAxCtrlForPTLogin.dll (Tencent)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-03-31]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-03-31]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-02-16]
 
Chrome: 
=======
CHR Extension: (Google Docs) - C:\Windows\System32\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-05-27]
CHR Extension: (Google Drive) - C:\Windows\System32\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-05-27]
CHR Extension: (YouTube) - C:\Windows\System32\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-05-27]
CHR Extension: (Google Search) - C:\Windows\System32\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-05-27]
CHR Extension: (avast! Online Security) - C:\Windows\System32\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-05-27]
CHR Extension: (Skype Click to Call) - C:\Windows\System32\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2014-05-27]
CHR Extension: (Google Wallet) - C:\Windows\System32\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-27]
CHR Extension: (Gmail) - C:\Windows\System32\config\systemprofile\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-05-27]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-02-16]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-10-09]
CHR HKLM\...\Chrome\Extension: [mhgkogmomehdgfcheknganbgdaaoemop] - C:\Program Files\3G Studios\Web Media Client\WebMediaClient.crx [2013-10-09]
 
========================== Services (Whitelisted) =================
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-02-16] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [113704 2014-02-16] (AVAST Software)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3644432 2014-05-13] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [292424 2014-05-13] (AVG Technologies CZ, s.r.o.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe [235696 2014-01-15] (McAfee, Inc.)
R4 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2013-05-04] ()
R2 RzKLService; C:\Program Files\Razer\Razer Game Booster\RzKLService.exe [105448 2014-02-25] (Razer Inc.)
R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3064000 2012-10-02] (Skype Technologies S.A.)
R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [725208 2013-12-09] (VMware, Inc.)
R2 vmware-view-usbd; C:\Program Files\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe [2509016 2013-12-10] (VMware, Inc.)
R2 wsnm; C:\Program Files\VMware\VMware Horizon View Client\wsnm.exe [486104 2014-01-21] (VMware, Inc.)
R3 WinHttpAutoProxySvc; winhttp.dll [X]
 
==================== Drivers (Whitelisted) ====================
 
S3 apf003; C:\Windows\system32\apf003.sys [13232 2014-01-31] () [File not signed]
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [26136 2014-02-16] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67824 2014-02-16] (AVAST Software)
R1 aswNdisFlt; C:\Windows\System32\DRIVERS\aswNdisFlt.sys [265072 2014-02-23] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [79720 2014-02-16] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-02-16] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [775952 2014-02-16] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [410784 2014-02-16] (AVAST Software)
S3 aswStm; C:\Windows\system32\drivers\aswStm.sys [64168 2014-02-16] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [180248 2014-02-16] ()
R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [122136 2014-05-13] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [198936 2014-05-13] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [149784 2014-05-13] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [21272 2014-05-13] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [192280 2014-05-13] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [237848 2014-05-13] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [107288 2014-05-13] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27416 2014-05-13] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [210200 2014-05-13] (AVG Technologies CZ, s.r.o.)
R2 hcmon; C:\Windows\system32\drivers\hcmon.sys [43736 2013-12-09] (VMware, Inc.)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-06-30] (Malwarebytes Corporation)
S3 ptun0901; C:\Windows\System32\DRIVERS\ptun0901.sys [35288 2014-03-10] (The OpenVPN Project)
R1 SCDEmu; C:\Windows\system32\Drivers\SCDEmu.sys [114408 2014-03-11] (Power Software Ltd)
S3 vmusb; C:\Windows\System32\Drivers\vmusb.sys [31280 2013-12-09] (VMware, Inc.)
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 vtany; \??\C:\Windows\vtany.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files\Razer\Razer Game Booster\Driver\WinRing0.sys [X]
S3 XDva401; \??\C:\Windows\system32\XDva401.sys [X]
S3 XDva409; \??\C:\Windows\system32\XDva409.sys [X]
S3 XDva410; \??\C:\Windows\system32\XDva410.sys [X]
U3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-06-30 18:17 - 2014-06-30 18:17 - 00000000 ____D () C:\FRST
2014-06-30 16:58 - 2014-06-30 16:59 - 00003147 _____ () C:\Windows\WindowsUpdate.log
2014-06-30 16:58 - 2014-06-30 16:59 - 00003147 _____ () C:\Windows\WindowsUpdate.log
2014-06-30 16:55 - 2014-06-30 16:55 - 00000056 _____ () C:\Windows\setupact.log
2014-06-30 16:55 - 2014-06-30 16:55 - 00000056 _____ () C:\Windows\setupact.log
2014-06-30 16:55 - 2014-06-30 16:55 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-30 16:55 - 2014-06-30 16:55 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-30 16:51 - 2014-06-30 16:51 - 00000000 ____H () C:\Windows\system32\Default.rdp
2014-06-30 15:51 - 2014-06-30 16:16 - 00000000 ____D () C:\Windows\system32\MpEngineStore
2014-06-30 15:49 - 2014-06-01 17:18 - 92708840 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-06-21 22:59 - 2014-06-21 23:16 - 00000000 ____D () C:\Program Files\AudioSurf
2014-06-20 13:32 - 2014-06-21 18:27 - 00000000 ____D () C:\CFLog
2014-06-19 21:49 - 2014-06-19 21:49 - 00000000 ____D () C:\Program Files\Z8Games
2014-06-10 19:59 - 2014-06-10 19:59 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-06-07 12:31 - 2014-06-07 12:31 - 00000000 ____D () C:\Program Files\Common Files\InstallShield
2014-06-05 20:00 - 2014-06-05 20:00 - 00000000 _____ () C:\dfu.log
 
==================== One Month Modified Files and Folders =======
 
2014-06-30 18:17 - 2014-06-30 18:17 - 00000000 ____D () C:\FRST
2014-06-30 18:16 - 2014-05-27 00:08 - 00000026 _____ () C:\Windows\Zone.Identifier
2014-06-30 18:16 - 2014-05-27 00:08 - 00000026 _____ () C:\Windows\Zone.Identifier
2014-06-30 18:16 - 2014-02-16 01:55 - 00780436 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-30 18:03 - 2014-03-26 16:12 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-30 17:56 - 2009-07-14 00:34 - 00033664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-30 17:56 - 2009-07-14 00:34 - 00033664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-30 17:31 - 2014-05-20 19:08 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-06-30 16:59 - 2014-06-30 16:58 - 00003147 _____ () C:\Windows\WindowsUpdate.log
2014-06-30 16:59 - 2014-06-30 16:58 - 00003147 _____ () C:\Windows\WindowsUpdate.log
2014-06-30 16:58 - 2012-06-28 16:03 - 00000000 ____D () C:\Program Files\Steam
2014-06-30 16:56 - 2014-03-02 20:01 - 00000000 ____D () C:\Windows\System32\config\systemprofile\AppData\Roaming\VMware
2014-06-30 16:55 - 2014-06-30 16:55 - 00000056 _____ () C:\Windows\setupact.log
2014-06-30 16:55 - 2014-06-30 16:55 - 00000056 _____ () C:\Windows\setupact.log
2014-06-30 16:55 - 2014-06-30 16:55 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-30 16:55 - 2014-06-30 16:55 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-30 16:55 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-30 16:52 - 2012-07-19 14:32 - 00000000 ____D () C:\Windows\Minidump
2014-06-30 16:52 - 2012-07-19 14:32 - 00000000 ____D () C:\Windows\Minidump
2014-06-30 16:52 - 2012-06-11 20:16 - 00000000 ____D () C:\Windows\Panther
2014-06-30 16:52 - 2012-06-11 20:16 - 00000000 ____D () C:\Windows\Panther
2014-06-30 16:51 - 2014-06-30 16:51 - 00000000 ____H () C:\Windows\system32\Default.rdp
2014-06-30 16:16 - 2014-06-30 15:51 - 00000000 ____D () C:\Windows\system32\MpEngineStore
2014-06-30 16:16 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\registration
2014-06-30 16:16 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\registration
2014-06-30 16:07 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\system32\wfp
2014-06-30 14:10 - 2009-07-14 00:52 - 00000000 ____D () C:\Windows\Offline Web Pages
2014-06-30 14:10 - 2009-07-14 00:52 - 00000000 ____D () C:\Windows\Offline Web Pages
2014-06-30 13:30 - 2014-04-05 21:12 - 00000002 _____ () C:\Windows\system32\Drivers\etc\hosts.ics
2014-06-29 01:13 - 2012-06-11 19:20 - 00638976 _____ () C:\Windows\System32\config\RegBack\DEFAULT
2014-06-29 01:13 - 2012-06-11 19:20 - 00028672 _____ () C:\Windows\System32\config\RegBack\SAM
2014-06-29 01:12 - 2012-06-11 19:20 - 42999808 _____ () C:\Windows\System32\config\RegBack\SOFTWARE
2014-06-29 01:12 - 2012-06-11 19:20 - 21135360 _____ () C:\Windows\System32\config\RegBack\SYSTEM
2014-06-29 01:12 - 2012-06-11 19:20 - 00024576 _____ () C:\Windows\System32\config\RegBack\SECURITY
2014-06-21 23:16 - 2014-06-21 22:59 - 00000000 ____D () C:\Program Files\AudioSurf
2014-06-21 18:27 - 2014-06-20 13:32 - 00000000 ____D () C:\CFLog
2014-06-19 21:49 - 2014-06-19 21:49 - 00000000 ____D () C:\Program Files\Z8Games
2014-06-19 20:35 - 2013-12-20 18:54 - 00003382 _____ () C:\console.log
2014-06-19 17:02 - 2014-03-25 17:23 - 00000000 ____D () C:\Program Files\Common Files\DivX Shared
2014-06-10 19:59 - 2014-06-10 19:59 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-06-10 19:59 - 2012-08-07 10:46 - 00000000 ___RD () C:\Program Files\Skype
2014-06-07 20:59 - 2013-06-29 16:33 - 00000000 ____D () C:\Windows\system32\directx
2014-06-07 20:58 - 2013-06-29 16:33 - 00000000 ___HD () C:\Windows\msdownld.tmp
2014-06-07 20:58 - 2013-06-29 16:33 - 00000000 ___HD () C:\Windows\msdownld.tmp
2014-06-07 12:35 - 2013-08-23 01:56 - 00000000 ____D () C:\Program Files\Bethesda Softworks
2014-06-07 12:35 - 2012-06-13 12:27 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-06-07 12:31 - 2014-06-07 12:31 - 00000000 ____D () C:\Program Files\Common Files\InstallShield
2014-06-05 20:00 - 2014-06-05 20:00 - 00000000 _____ () C:\dfu.log
2014-06-05 18:49 - 2013-06-29 16:26 - 00000000 __SHD () C:\Windows\system32\AI_RecycleBin
2014-06-01 17:18 - 2014-06-30 15:49 - 92708840 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2009-07-13 19:24] - [2013-01-04 00:46] - 0850944 ____A (Microsoft Corporation) 18121C87401C0214AD9D4FAF1CDC8BC8
 
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-06-29 01:12
 
==================== End Of Log ============================

Here it is:

 

Farbar Recovery Scan Tool (x86) Version:28-06-2014 02

Ran by Administrator at 2014-06-30 20:01:51

Running from C:\Program Files\Google\Chrome\Application\33.0.1750.154

Boot Mode: Normal

 

================== Search: "Search: User32.dll" ===================

 

=== End Of Search ===

 

BTW, if you can help me out with this I would love to donate. This is my uncle's computer and he might end me if I give it a virus.


Here is another version of it if I did it wrong:

 

Farbar Recovery Scan Tool (x86) Version:28-06-2014 02

Ran by Administrator at 2014-06-30 20:06:35

Running from C:\Program Files\Google\Chrome\Application\33.0.1750.154

Boot Mode: Normal

 

================== Search: "User32.dll" ===================

 

C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll

[2009-07-13 19:24][2009-07-13 21:16] 0811520 ____A (Microsoft Corporation) 34B7E222E81FAFA885F0C5F2CFA56861 [File is signed]

 

C:\Windows\System32\user32.dll

[2009-07-13 19:24][2013-01-04 00:46] 0850944 ____A (Microsoft Corporation) 18121C87401C0214AD9D4FAF1CDC8BC8

 

=== End Of Search ===


Something isn't right, the scan came up with no hits.
There's at least one User32.dll on the system, the infected one:
 

C:\Windows\system32\User32.dll
[2009-07-13 19:24] - [2013-01-04 00:46] - 0850944 ____A (Microsoft Corporation) 18121C87401C0214AD9D4FAF1CDC8BC8

 


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind User32.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

MrC

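The diagnosis in the post above rests on reading a few FRST log lines by eye: persistence entries under Winlogon\Notify and AppCertDlls, orphaned `[X]` entries, an unsigned driver, and a User32.dll entry in the "Bamital & volsnap Check" that lacks the "File is digitally signed" marker. As an added example that is not part of this thread and not code from FRST or Malwarebytes, the Python script below applies those same checks to FRST-style log text and returns the hits with a rough severity. The sample lines are constructed to resemble this thread's log (the MD5 is the one shown in the log above); the rule names, severities and function names are this example's own assumptions.

```python
"""FRST-style log triage: flag the indicators a helper looks for first.

Added example, not part of the thread or of FRST. The rules and severity
labels are this example's own heuristics for triage, not a verdict on a file.
"""
import re
from typing import Dict, List, Optional

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2}

# Line-level rules: (tag, severity, pattern, section the rule applies to, or None for any).
LINE_RULES = [
    # Winlogon notification packages are loaded by winlogon.exe at logon: a classic persistence spot.
    ("winlogon-notify", "high", re.compile(r"^Winlogon\\Notify\\", re.I), None),
    # AppCertDlls entries are loaded into every process that calls CreateProcess.
    ("appcertdlls", "high", re.compile(r"\\AppCertDlls:", re.I), None),
    # An emptied/overridden Winlogon Shell value is what keeps the lock screen up instead of Explorer.
    ("winlogon-shell-override", "medium", re.compile(r"\\Winlogon: \[shell\]\s*$", re.I), None),
    # FRST marks entries whose target file is missing with [X] (orphaned, often after a partial clean).
    ("orphaned-entry", "info", re.compile(r"\[X\]\s*$"), None),
    ("unsigned-driver", "medium", re.compile(r"\[File not signed\]"), "drivers"),
]

HEADER_RE = re.compile(r"^=+\s*(.*?)\s*=+$")          # "==== Section name ===="
PATH_RE = re.compile(r"^[A-Za-z]:\\")                 # a line that starts with a drive path
SIGNED_SUFFIX = "=> File is digitally signed"
MD5_RE = re.compile(r"\b([0-9A-Fa-f]{32})\b")

# Constructed sample modelled on the thread's FRST output (not the full log).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ==================
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3774312 2014-04-02] (AVAST Software)
Winlogon\Notify\oljoire: C:\Users\Mr.Li\AppData\Local\oljoire.dll [X]
HKU\.DEFAULT\...\Winlogon: [shell]
HKLM\...\AppCertDlls: [wyzxpvj] -> C:\ProgramData\wyzxpvj.dat
==================== Drivers (Whitelisted) ====================
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [410784 2014-02-16] (AVAST Software)
S3 apf003; C:\Windows\system32\apf003.sys [13232 2014-01-31] () [File not signed]
==================== Bamital & volsnap Check =================
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2009-07-13 19:24] - [2013-01-04 00:46] - 0850944 ____A (Microsoft Corporation) 18121C87401C0214AD9D4FAF1CDC8BC8
C:\Windows\system32\userinit.exe => File is digitally signed
"""


def section_name(header_text: str) -> str:
    """Map an FRST section header to a short key used by the rules."""
    text = header_text.lower()
    for key in ("registry", "drivers", "services", "bamital"):
        if key in text:
            return key
    return "other"


def triage(log_text: str) -> List[Dict]:
    """Return one finding per suspicious line: severity, tags, the line, and an MD5 if FRST printed one."""
    findings: List[Dict] = []
    section = "other"
    pending: Optional[Dict] = None  # an unverified core file whose hash line comes next

    for raw in log_text.splitlines():
        line = raw.rstrip("\r")
        header = HEADER_RE.match(line)
        if header:
            if pending is not None:          # hash line never came; keep the finding anyway
                findings.append(pending)
                pending = None
            section = section_name(header.group(1))
            continue

        if pending is not None:              # second line of an unverified Bamital entry
            md5 = MD5_RE.search(line)
            pending["md5"] = md5.group(1).upper() if md5 else None
            findings.append(pending)
            pending = None
            continue

        if section == "bamital" and PATH_RE.match(line):
            # Core files FRST could verify end with the signed marker; anything else is suspect.
            if not line.endswith(SIGNED_SUFFIX):
                pending = {"severity": "high", "tags": ["unverified-system-file"], "line": line, "md5": None}
            continue

        tags = [tag for tag, _, pat, sec in LINE_RULES
                if (sec is None or sec == section) and pat.search(line)]
        if tags:
            severity = max((sev for tag, sev, _, _ in LINE_RULES if tag in tags),
                           key=SEVERITY_RANK.__getitem__)
            findings.append({"severity": severity, "tags": tags, "line": line, "md5": None})

    if pending is not None:
        findings.append(pending)
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per severity level."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for finding in findings:
        counts[finding["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        extra = f" md5={f['md5']}" if f["md5"] else ""
        print(f"[{f['severity']:<6}] {','.join(f['tags'])}{extra}: {f['line']}")
    print(summarize(results))
```

Run it against a saved FRST.txt by passing the file contents to `triage()`. The unverified-system-file hit is the one that matters most here: a User32.dll that FRST cannot verify is exactly what the helper later replaced from the WinSxS copy, and the captured MD5 gives you something to compare against a known-good copy before deciding.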

Didn't the second scan come up with 2 results? Maybe one of them is the virus. I would like to add I have checked lots of folders that were modified today and none of them seem to contain the virus.

 

Here is the systemlook scan:

 

SystemLook 30.07.11 by jpshortstuff
Log created at 20:18 on 30/06/2014 by SYSTEM
Administrator - Elevation successful
 
========== filefind ==========
 
Searching for "User32.dll"
C:\Windows\System32\user32.dll --a---- 850944 bytes [23:24 13/07/2009] [04:46 04/01/2013] 18121C87401C0214AD9D4FAF1CDC8BC8
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll --a---- 811520 bytes [23:24 13/07/2009] [01:16 14/07/2009] 34B7E222E81FAFA885F0C5F2CFA56861
 
-= EOF =-

Download attached fixlist.txt file and save it to the same place as FRST

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

MrC


Here it is:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:28-06-2014 02
Ran by Administrator at 2014-06-30 20:32:24 Run:1
Running from C:\Program Files\Google\Chrome\Application\33.0.1750.154
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
Winlogon\Notify\oljoire: C:\Users\Mr.Li\AppData\Local\oljoire.dll [X]
HKU\.DEFAULT\...\Winlogon: [shell]
HKLM\...\AppCertDlls: [wyzxpvj] -> C:\ProgramData\wyzxpvj.dat
SearchScopes: HKLM - Backup.Old.DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
SearchScopes: HKLM - {3EFB0E43-80C4-AB2D-3334-2EB74051F29C} URL =
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: No Name - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -  No File
Toolbar: HKLM - No Name - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
C:\Users\Mr.Li\AppData\Local\oljoire.dll
C:\ProgramData\wyzxpvj.dat
Replace: C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll C:\Windows\System32\user32.dll
 
 
*****************
 
'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\oljoire' => Key deleted successfully.
HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value deleted successfully.
HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\\wyzxpvj => value deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\Backup.Old.DefaultScope => value deleted successfully.
'HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3EFB0E43-80C4-AB2D-3334-2EB74051F29C}' => Key deleted successfully.
'HKCR\Wow6432Node\CLSID\{3EFB0E43-80C4-AB2D-3334-2EB74051F29C}'=> Key not found.
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}' => Key deleted successfully.
'HKCR\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}'=> Key not found.
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}' => Key deleted successfully.
'HKCR\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}'=> Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => value deleted successfully.
'HKCR\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}'=> Key not found.
"C:\Users\Mr.Li\AppData\Local\oljoire.dll" => File/Directory not found.
"C:\ProgramData\wyzxpvj.dat" => File/Directory not found.
C:\Windows\System32\user32.dll => Moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll copied successfully to C:\Windows\System32\user32.dll
 
==== End of Fixlog ====
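As an added check (example script written for this page, not code from the thread, from MrC or from FRST): the PowerShell below audits the same persistence points the fixlist above targeted (Winlogon\Notify packages, per-user Winlogon Shell values, AppCertDlls) and compares the two user32.dll copies that SystemLook reported. It assumes an elevated PowerShell session on the affected Windows 7 x86 machine; the WinSxS path is the one from the SystemLook output and will differ on other builds.

```powershell
# Added example: audit the persistence points the fixlist removed and compare
# the two user32.dll copies named in the SystemLook output. Not FRST or forum
# code. Assumes an elevated PowerShell on the affected machine; the WinSxS path
# is taken from the SystemLook output above and differs on other Windows builds.

$ErrorActionPreference = 'SilentlyContinue'
$sys32 = "$env:SystemRoot\System32"

function Get-Md5Hex([string]$Path) {
    # MD5 via .NET so this also runs on PowerShell 2.0 (Win7 has no Get-FileHash)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('X2') }) -join '' }
    finally { $fs.Close() }
}

function Resolve-DllPath([string]$Name) {
    # Winlogon\Notify DllName values may be bare file names resolved from System32
    if (-not $Name) { return $null }
    if ($Name -notmatch '\\') { return (Join-Path $sys32 $Name) }
    return [Environment]::ExpandEnvironmentVariables($Name)
}

Write-Host "== Winlogon\Notify packages (expect only known DLLs that exist on disk) =="
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem $notify | ForEach-Object {
    $dn   = (Get-ItemProperty $_.PSPath).DllName
    $dll  = Resolve-DllPath $dn
    # oljoire.dll lived under a user profile; a Notify DLL there or in ProgramData is a red flag
    $flag = if (-not $dll -or -not (Test-Path $dll)) { 'MISSING' }
            elseif ($dll -like "$env:SystemDrive\Users\*" -or $dll -like "$env:ProgramData\*") { 'SUSPICIOUS-LOCATION' }
            else { 'ok' }
    "{0,-14} {1,-60} {2}" -f $_.PSChildName, $dll, $flag
}

Write-Host "`n== Winlogon Shell (HKLM should be explorer.exe; any per-user value, even empty, needs explaining) =="
if (-not (Get-PSDrive HKU)) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
$wl = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"{0,-50} {1}" -f 'HKLM', (Get-ItemProperty "HKLM:\$wl").Shell
Get-ChildItem HKU:\ | ForEach-Object {
    $shell = (Get-ItemProperty "HKU:\$($_.PSChildName)\$wl").Shell
    if ($shell -ne $null) { "{0,-50} '{1}'" -f $_.PSChildName, $shell }
}

Write-Host "`n== AppCertDlls (loaded into every process that calls CreateProcess; normally empty) =="
$acd = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
if ($acd) {
    $acd.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        "{0,-14} {1,-60} exists={2}" -f $_.Name, $_.Value, (Test-Path $_.Value)
    }
} else { 'key absent (normal)' }

Write-Host "`n== user32.dll: live System32 copy vs the WinSxS copy from the SystemLook output =="
$live = Join-Path $sys32 'user32.dll'
$sxs  = "$env:SystemRoot\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll"
foreach ($p in @($live, $sxs)) {
    if (Test-Path $p) {
        $v = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($p)
        "{0}`n  size={1} version={2} md5={3}" -f $p, (Get-Item $p).Length, $v.FileVersion, (Get-Md5Hex $p)
    } else { "$p`n  not found" }
}
# Caveat: differing hashes alone do not prove tampering. The WinSxS folder name
# says 6.1.7600.16385 (the RTM build), while the System32 copy in the SystemLook
# output (850944 bytes, modified 04/01/2013) may simply be a later serviced
# build. Compare the version strings and verify the Authenticode catalog
# signature (for example with Sysinternals sigcheck) before replacing a system DLL.
```

Run it from the admin session that boots clean, before and after the fix: the "before" run should show the oljoire Notify entry, the empty per-user Shell values and the wyzxpvj AppCertDlls entry that FRST listed, and the "after" run should show them gone. Treat the user32.dll hash difference as a prompt to check versions and signatures, not as proof of infection by itself.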

This is the result of the fixlist:

 


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version:28-06-2014 02
Ran by Administrator at 2014-06-30 21:24:51 Run:3
Running from C:\Program Files\Google\Chrome\Application\33.0.1750.154
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
Winlogon\Notify\oljoire: C:\Users\Mr.Li\AppData\Local\oljoire.dll [X]
HKU\.DEFAULT\...\Winlogon: [shell]
HKLM\...\AppCertDlls: [wyzxpvj] -> C:\ProgramData\wyzxpvj.dat
SearchScopes: HKLM - Backup.Old.DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
SearchScopes: HKLM - {3EFB0E43-80C4-AB2D-3334-2EB74051F29C} URL =
BHO: No Name - {02478D38-C3F9-4efb-9B51-7695ECA05670} -  No File
BHO: No Name - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} -  No File
Toolbar: HKLM - No Name - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
C:\Users\Mr.Li\AppData\Local\oljoire.dll
C:\ProgramData\wyzxpvj.dat
Replace: C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll C:\Windows\System32\user32.dll
 
 
*****************
 
'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\oljoire'=> Key not found.
HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value not found.
HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\\wyzxpvj => Value not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\Backup.Old.DefaultScope => Value not found.
'HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3EFB0E43-80C4-AB2D-3334-2EB74051F29C}'=> Key not found.
'HKCR\Wow6432Node\CLSID\{3EFB0E43-80C4-AB2D-3334-2EB74051F29C}'=> Key not found.
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}'=> Key not found.
'HKCR\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}'=> Key not found.
'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}'=> Key not found.
'HKCR\CLSID\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}'=> Key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} => Value not found.
'HKCR\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}'=> Key not found.
"C:\Users\Mr.Li\AppData\Local\oljoire.dll" => File/Directory not found.
"C:\ProgramData\wyzxpvj.dat" => File/Directory not found.
"C:\Windows\System32\user32.dll" => Could not move.
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_cd0ec264ceb014a3\user32.dll copied successfully to C:\Windows\System32\user32.dll
 
==== End of Fixlog ====


OK, here it is. I also want to add that I can only switch users in "repair Windows mode" (when I start up, I press F8). If I log in to one user first and then press CTRL+ALT+DEL, I can switch users to access the other account without problems. I don't want to restart and risk it not working, so please try your best:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:28-06-2014 02

Ran by Mr.Li (administrator) on MRLI-PC on 30-06-2014 21:44:23
Running from C:\Program Files\Google\Chrome\Application\33.0.1750.154
Platform: Microsoft Windows 7 Professional  (X86) OS Language: English (United States)
Internet Explorer Version 9
Boot Mode: Normal
 
The only official download link for FRST:
Download link from any site other than Bleeping Computer is unpermitted or outdated.
 
==================== Processes (Whitelisted) =================
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\audiodg.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgwdsvc.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Razer Inc.) C:\Program Files\Razer\Razer Game Booster\RzKLService.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Horizon View Client\wsnm.exe
(VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(VMware, Inc.) C:\Program Files\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Aeria Games & Entertainment) C:\Program Files\Aeria Games\Ignite\aeriaignite.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgui.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Valve Corporation) C:\Program Files\Steam\Steam.exe
(Informer Technologies, Inc.) C:\Program Files\Software Informer\softinfo.exe
(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe
(Akamai Technologies, Inc.) C:\Users\Mr.Li\AppData\Local\Akamai\netsession_win.exe
(Aeria Games & Entertainment) C:\Program Files\Aeria Games\Ignite\aeriaignite.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgui.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(PPStream Inc.) D:\PPS.tv\PPStream\PPSKernel.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Akamai Technologies, Inc.) C:\Users\Mr.Li\AppData\Local\Akamai\netsession_win.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files\Common Files\Steam\SteamService.exe
(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Farbar) C:\Program Files\Google\Chrome\Application\33.0.1750.154\FRST (3).exe
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [soundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-04-23] (Analog Devices, Inc.)
HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2562848 2013-04-19] ()
HKLM\...\Run: [Aeria Ignite] => C:\Program Files\Aeria Games\Ignite\aeriaignite.exe [1925656 2013-06-06] (Aeria Games & Entertainment)
HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2014\avgui.exe [5181456 2014-05-13] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)
HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3774312 2014-04-02] (AVAST Software)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKLM\...\Run: [DivXMediaServer] => C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe
HKLM\...\Run: [sDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101584 2014-04-25] (Safer-Networking Ltd.)
Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [steam] => C:\Program Files\Steam\Steam.exe [1754816 2014-05-29] (Valve Corporation)
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [software Informer] => C:\Program Files\Software Informer\softinfo.exe [2920517 2011-10-27] (Informer Technologies, Inc.)
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Mr.Li\AppData\Local\Akamai\netsession_win.exe [4672920 2014-04-17] (Akamai Technologies, Inc.)
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [PPS Accelerator] => D:\PPS.tv\PPStream\PPSKernel.exe [4154232 2013-09-16] (PPStream Inc.)
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\MountPoints2: E - E:\FalloutLauncher.exe
HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Winlogon: [shell] 
ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)
BootExecute: autocheck autochk * sdnclean.exe
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x2D69F8471348CD01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
URLSearchHook: HKCU - (No Name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File
SearchScopes: HKCU - Backup.Old.DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
SearchScopes: HKCU - {064B67B8-A867-4BB8-A3D8-7EDCEE4FC21F} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}
SearchScopes: HKCU - {3EFB0E43-80C4-AB2D-3334-2EB74051F29C} URL = 
BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.141\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKCU - No Name - {65F8A3D2-4C22-4A33-9633-73167EAEEC45} -  No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File
Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File
Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File
Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 167.206.13.180 167.206.13.181 192.168.1.1
 
FireFox:
========
FF ProfilePath: C:\Users\Mr.Li\AppData\Roaming\Mozilla\Firefox\Profiles\er1zbp71.default
FF DefaultSearchEngine: Yahoo
FF SelectedSearchEngine: Conduit Search
FF Keyword.URL: hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=714647&p=
FF Plugin: @3gstudios.com/webmediaclient,version=1.0 - C:\Program Files\3G Studios\Web Media Client\npWebMediaClient.dll No File
FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_206.dll ()
FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll No File
FF Plugin: @divx.com/DivX Web Player Plug-In,version=1.0.0 - C:\Program Files\DivX\DivX Web Player\npdivx32.dll No File
FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @nexon.net/NxGame - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF Plugin: @pandonetworks.com/PandoWebPlugin - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin: @pps.tv/nppps - D:\PPS.tv\PPStream\nppps.dll ()
FF Plugin: @qq.com/npqscall - C:\Program Files\Common Files\Tencent\NPQSCALL\npqscall.dll (Tencent)
FF Plugin: @qq.com/QQlive - C:\Program Files\Tencent\QQLive\LiveOcx\npQQLive.dll (Tencent)
FF Plugin: @qq.com/QQPhotoDrawEx - C:\Program Files\Tencent\Qzone\npQQPhotoDrawEx.dll ()
FF Plugin: @qq.com/QzoneMusic - C:\Program Files\Tencent\QQMusic\QzoneMusic\npQzoneMusic.dll (Tencent)
FF Plugin: @qq.com/TXSSO - C:\Program Files\Common Files\Tencent\TXSSO\1.2.1.41\Bin\npSSOAxCtrlForPTLogin.dll (Tencent)
FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Mr.Li\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin HKCU: pandonetworks.com/PandoWebPlugin - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Extension: Battlefield Play4Free - C:\Users\Mr.Li\AppData\Roaming\Mozilla\Firefox\Profiles\er1zbp71.default\Extensions\battlefieldplay4free@ea.com [2013-05-04]
FF Extension: XJZ Survey Remover - C:\Users\Mr.Li\AppData\Roaming\Mozilla\Firefox\Profiles\er1zbp71.default\Extensions\survey-remover@gmx.com.xpi [2013-05-04]
FF Extension: Adblock Plus - C:\Users\Mr.Li\AppData\Roaming\Mozilla\Firefox\Profiles\er1zbp71.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-12-09]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-03-31]
FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-03-31]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-02-16]
 
Chrome: 
=======
CHR HomePage: hxxp://search.conduit.com/?gd=&ctid=CT3321459&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=55&CUI=&UM=5&UP=SPB489A03F-1033-4608-A837-E61F999AA11C&SSPV=
CHR StartupUrls: "https://www.google.com/"
CHR DefaultSearchProvider: Google.com
CHR DefaultSearchURL: {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR DefaultNewTabURL: 
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.2.464\_platform_specific\win_x86\widevinecdmadapter.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\33.0.1750.154\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\33.0.1750.154\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (QQ2011) - C:\Program Files\Common Files\Tencent\NPQSCALL\npqscall.dll (Tencent)
CHR Plugin: (Tencent SSO Platform) - C:\Program Files\Common Files\Tencent\TXSSO\1.2.1.41\Bin\npSSOAxCtrlForPTLogin.dll (Tencent)
CHR Plugin: (DivX VOD Helper Plug-in) - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll No File
CHR Plugin: (DivX Plus Web Player) - C:\Program Files\DivX\DivX Web Player\npdivx32.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
CHR Plugin: (Java Deployment Toolkit 7.0.510.13) - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
CHR Plugin: (McAfee Security Scanner +) - C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)
CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (Pando Web Plugin) - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
CHR Plugin: (腾讯视频) - C:\Program Files\Tencent\QQLive\LiveOcx\npQQLive.dll (Tencent)
CHR Plugin: (QQMusic) - C:\Program Files\Tencent\QQMusic\QzoneMusic\npQzoneMusic.dll (Tencent)
CHR Plugin: (npQQPhotoDrawEx) - C:\Program Files\Tencent\Qzone\npQQPhotoDrawEx.dll ()
CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Nexon Game Controller) - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
CHR Plugin: (Unity Player) - C:\Users\Mr.Li\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_206.dll ()
CHR Plugin: (PPS Browser Plugin) - D:\PPS.tv\PPStream\nppps.dll ()
CHR Extension: (Google Docs) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-04]
CHR Extension: (Google Drive) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-04]
CHR Extension: (YouTube) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-04]
CHR Extension: (4chan X) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\cellaaeoekimmemgdheibaibbaoeefbl [2014-06-18]
CHR Extension: (Google Search) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-05-04]
CHR Extension: (Dynamite) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\djoedchmhkmbnkggjnbachnpikkabfhk [2014-06-02]
CHR Extension: (AdBlock) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-04-11]
CHR Extension: (avast! Online Security) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-02-16]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2014-02-16]
CHR Extension: (Google Wallet) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-25]
CHR Extension: (4chan Plus) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\pinelipedelckihohgdlpcclgocodhjj [2014-03-24]
CHR Extension: (Gmail) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-04]
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-02-16]
CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-10-09]
CHR HKLM\...\Chrome\Extension: [mhgkogmomehdgfcheknganbgdaaoemop] - C:\Program Files\3G Studios\Web Media Client\WebMediaClient.crx [2013-10-09]
CHR HKCU\...\Chrome\Extension: [fdloijijlkoblmigdofommgnheckmaki] - C:\Users\Mr.Li\AppData\Local\funmoods.crx [2013-10-09]
 
========================== Services (Whitelisted) =================
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-02-16] (AVAST Software)
R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [113704 2014-02-16] (AVAST Software)
S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3644432 2014-05-13] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [292424 2014-05-13] (AVG Technologies CZ, s.r.o.)
S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe [235696 2014-01-15] (McAfee, Inc.)
S4 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2013-05-04] ()
R2 RzKLService; C:\Program Files\Razer\Razer Game Booster\RzKLService.exe [105448 2014-02-25] (Razer Inc.)
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738200 2014-04-25] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2081752 2014-04-25] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3064000 2012-10-02] (Skype Technologies S.A.)
R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [725208 2013-12-09] (VMware, Inc.)
R2 vmware-view-usbd; C:\Program Files\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe [2509016 2013-12-10] (VMware, Inc.)
R2 wsnm; C:\Program Files\VMware\VMware Horizon View Client\wsnm.exe [486104 2014-01-21] (VMware, Inc.)
R3 WinHttpAutoProxySvc; winhttp.dll [X]
 
==================== Drivers (Whitelisted) ====================
 
S3 apf003; C:\Windows\system32\apf003.sys [13232 2014-01-31] () [File not signed]
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [26136 2014-02-16] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67824 2014-02-16] (AVAST Software)
R1 aswNdisFlt; C:\Windows\System32\DRIVERS\aswNdisFlt.sys [265072 2014-02-23] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [79720 2014-02-16] (AVAST Software)
R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-02-16] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [775952 2014-02-16] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [410784 2014-02-16] (AVAST Software)
S3 aswStm; C:\Windows\system32\drivers\aswStm.sys [64168 2014-02-16] (AVAST Software)
R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [180248 2014-02-16] ()
R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [122136 2014-05-13] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [198936 2014-05-13] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [149784 2014-05-13] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [21272 2014-05-13] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [192280 2014-05-13] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [237848 2014-05-13] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [107288 2014-05-13] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27416 2014-05-13] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [210200 2014-05-13] (AVG Technologies CZ, s.r.o.)
R2 hcmon; C:\Windows\system32\drivers\hcmon.sys [43736 2013-12-09] (VMware, Inc.)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-06-30] (Malwarebytes Corporation)
S3 ptun0901; C:\Windows\System32\DRIVERS\ptun0901.sys [35288 2014-03-10] (The OpenVPN Project)
R1 SCDEmu; C:\Windows\system32\Drivers\SCDEmu.sys [114408 2014-03-11] (Power Software Ltd)
S3 vmusb; C:\Windows\System32\Drivers\vmusb.sys [31280 2013-12-09] (VMware, Inc.)
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 vtany; \??\C:\Windows\vtany.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files\Razer\Razer Game Booster\Driver\WinRing0.sys [X]
S3 XDva401; \??\C:\Windows\system32\XDva401.sys [X]
S3 XDva409; \??\C:\Windows\system32\XDva409.sys [X]
S3 XDva410; \??\C:\Windows\system32\XDva410.sys [X]
U3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-06-30 21:27 - 2014-06-30 21:27 - 00000302 _____ () C:\Windows\PFRO.log
2014-06-30 20:30 - 2014-06-30 20:36 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-06-30 20:30 - 2014-06-30 20:30 - 00001978 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2014-06-30 20:30 - 2014-06-30 20:30 - 00001966 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2014-06-30 20:30 - 2014-06-30 20:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2014-06-30 20:30 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe
2014-06-30 20:29 - 2014-06-30 20:34 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-06-30 18:17 - 2014-06-30 21:44 - 00000000 ____D () C:\FRST
2014-06-30 18:15 - 2014-06-30 18:15 - 00008376 _____ () C:\Users\hijackthis.log
2014-06-30 16:58 - 2014-06-30 21:26 - 00013489 _____ () C:\Windows\WindowsUpdate.log
2014-06-30 16:55 - 2014-06-30 21:39 - 00000448 _____ () C:\Windows\setupact.log
2014-06-30 16:55 - 2014-06-30 16:55 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-30 16:51 - 2014-06-30 16:51 - 00000000 ____H () C:\Windows\system32\Default.rdp
2014-06-30 15:51 - 2014-06-30 16:16 - 00000000 ____D () C:\Windows\system32\MpEngineStore
2014-06-30 15:49 - 2014-06-01 17:18 - 92708840 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-06-30 13:31 - 2014-06-30 14:12 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-06-21 22:59 - 2014-06-21 23:16 - 00000000 ____D () C:\Program Files\AudioSurf
2014-06-20 13:32 - 2014-06-21 18:27 - 00000000 ____D () C:\CFLog
2014-06-19 21:49 - 2014-06-19 21:49 - 00000000 ____D () C:\Program Files\Z8Games
2014-06-10 19:59 - 2014-06-10 19:59 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-06-07 18:33 - 2014-06-07 18:33 - 00007602 _____ () C:\Users\Mr.Li\AppData\Local\Resmon.ResmonCfg
2014-06-07 12:31 - 2014-06-07 12:31 - 00000000 ____D () C:\Program Files\Common Files\InstallShield
2014-06-05 20:41 - 2014-06-05 20:41 - 00000000 ____D () C:\Users\Mr.Li\AppData\Local\SniperV2
2014-06-05 20:00 - 2014-06-05 20:00 - 00000000 _____ () C:\dfu.log
 
==================== One Month Modified Files and Folders =======
 
2014-06-30 21:44 - 2014-06-30 18:17 - 00000000 ____D () C:\FRST
2014-06-30 21:44 - 2014-06-30 16:58 - 00013489 _____ () C:\Windows\WindowsUpdate.log
2014-06-30 21:41 - 2012-06-28 16:03 - 00000000 ____D () C:\Program Files\Steam
2014-06-30 21:40 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-30 21:39 - 2014-06-30 16:55 - 00000448 _____ () C:\Windows\setupact.log
2014-06-30 21:37 - 2009-07-14 00:34 - 00033664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-30 21:37 - 2009-07-14 00:34 - 00033664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-30 21:31 - 2009-07-14 00:53 - 00032616 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-06-30 21:27 - 2014-06-30 21:27 - 00000302 _____ () C:\Windows\PFRO.log
2014-06-30 21:24 - 2014-05-27 00:08 - 00000026 _____ () C:\Windows\Zone.Identifier
2014-06-30 20:36 - 2014-06-30 20:30 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-06-30 20:34 - 2014-06-30 20:29 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-06-30 20:30 - 2014-06-30 20:30 - 00001978 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2014-06-30 20:30 - 2014-06-30 20:30 - 00001966 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2014-06-30 20:30 - 2014-06-30 20:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2014-06-30 19:58 - 2013-08-15 21:21 - 00000000 ____D () C:\ProgramData\MFAData
2014-06-30 19:14 - 2014-03-26 16:12 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-30 18:16 - 2014-02-16 01:55 - 00780436 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-30 18:15 - 2014-06-30 18:15 - 00008376 _____ () C:\Users\hijackthis.log
2014-06-30 17:58 - 2014-05-04 15:48 - 00000000 ____D () C:\Users\Mr.Li\Desktop\New folder
2014-06-30 17:31 - 2014-05-20 19:08 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-06-30 17:14 - 2013-12-27 13:16 - 00000000 ____D () C:\Users\Mr.Li\Desktop\James
2014-06-30 16:55 - 2014-06-30 16:55 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-30 16:52 - 2012-07-19 14:32 - 00000000 ____D () C:\Windows\Minidump
2014-06-30 16:52 - 2012-06-11 20:16 - 00000000 ____D () C:\Windows\Panther
2014-06-30 16:51 - 2014-06-30 16:51 - 00000000 ____H () C:\Windows\system32\Default.rdp
2014-06-30 16:16 - 2014-06-30 15:51 - 00000000 ____D () C:\Windows\system32\MpEngineStore
2014-06-30 16:16 - 2013-06-29 15:32 - 00000000 ____D () C:\Users\Mr.Li\AppData\Local\Akamai
2014-06-30 16:16 - 2013-05-26 18:35 - 00000000 ____D () C:\Users\Public\Documents\ppstream
2014-06-30 16:16 - 2012-07-31 20:14 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\PPStream
2014-06-30 16:16 - 2012-06-11 16:26 - 00000000 ____D () C:\Users\Mr.Li
2014-06-30 16:16 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\registration
2014-06-30 16:07 - 2013-08-28 13:19 - 00000000 ____D () C:\Users\Administrator
2014-06-30 16:07 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\system32\wfp
2014-06-30 14:12 - 2014-06-30 13:31 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-06-30 14:10 - 2009-07-14 00:52 - 00000000 ____D () C:\Windows\Offline Web Pages
2014-06-30 13:30 - 2014-04-05 21:12 - 00000002 _____ () C:\Windows\system32\Drivers\etc\hosts.ics
2014-06-30 12:57 - 2012-06-29 00:20 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\Software Informer
2014-06-28 15:05 - 2014-03-14 18:40 - 00000000 ____D () C:\Users\Mr.Li\Documents\Cross Fire
2014-06-25 00:02 - 2013-05-04 23:34 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\BitTorrent
2014-06-22 22:56 - 2012-08-07 10:46 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\Skype
2014-06-22 14:49 - 2012-07-03 21:44 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2014-06-21 23:16 - 2014-06-21 22:59 - 00000000 ____D () C:\Program Files\AudioSurf
2014-06-21 18:27 - 2014-06-20 13:32 - 00000000 ____D () C:\CFLog
2014-06-19 21:49 - 2014-06-19 21:49 - 00000000 ____D () C:\Program Files\Z8Games
2014-06-19 20:35 - 2013-12-20 18:54 - 00003382 _____ () C:\console.log
2014-06-19 20:04 - 2014-03-11 18:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Z8Games
2014-06-19 17:02 - 2014-03-25 17:23 - 00000000 ____D () C:\Program Files\Common Files\DivX Shared
2014-06-19 17:02 - 2014-03-25 17:22 - 00000000 ____D () C:\ProgramData\DivX
2014-06-18 13:28 - 2013-12-03 14:46 - 00000935 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-06-18 13:28 - 2013-12-03 14:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-06-13 20:22 - 2014-02-23 22:25 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\.minecraft
2014-06-10 19:59 - 2014-06-10 19:59 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-06-10 19:59 - 2012-08-07 10:46 - 00000000 ___RD () C:\Program Files\Skype
2014-06-10 19:59 - 2012-08-07 10:46 - 00000000 ____D () C:\ProgramData\Skype
2014-06-07 20:59 - 2013-06-29 16:33 - 00000000 ____D () C:\Windows\system32\directx
2014-06-07 20:58 - 2013-06-29 16:33 - 00000000 ___HD () C:\Windows\msdownld.tmp
2014-06-07 20:53 - 2013-08-16 01:08 - 00000000 ____D () C:\Users\Mr.Li\Documents\My games
2014-06-07 18:33 - 2014-06-07 18:33 - 00007602 _____ () C:\Users\Mr.Li\AppData\Local\Resmon.ResmonCfg
2014-06-07 17:22 - 2013-08-24 17:53 - 00000000 ____D () C:\Users\Mr.Li\Documents\Nexus Mod Manager
2014-06-07 12:35 - 2013-08-23 01:56 - 00000000 ____D () C:\Program Files\Bethesda Softworks
2014-06-07 12:35 - 2012-06-13 12:27 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-06-07 12:31 - 2014-06-07 12:31 - 00000000 ____D () C:\Program Files\Common Files\InstallShield
2014-06-05 20:41 - 2014-06-05 20:41 - 00000000 ____D () C:\Users\Mr.Li\AppData\Local\SniperV2
2014-06-05 20:24 - 2013-06-29 16:33 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AeriaGames
2014-06-05 20:00 - 2014-06-05 20:00 - 00000000 _____ () C:\dfu.log
2014-06-05 18:49 - 2013-06-29 16:26 - 00000000 __SHD () C:\Windows\system32\AI_RecycleBin
2014-06-01 17:18 - 2014-06-30 15:49 - 92708840 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
 
==================== Bamital & volsnap Check =================
 
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2009-07-13 19:24] - [2013-01-04 00:46] - 0850944 ____A (Microsoft Corporation) FD245E68255F3CA967E799D402277CC0
 
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2014-06-29 01:12
 
==================== End Of Log ============================

This is the problem:

C:\Windows\system32\User32.dll <---patched..infected
[2009-07-13 19:24] - [2013-01-04 00:46] - 0850944 ____A (Microsoft Corporation) FD245E68255F3CA967E799D402277CC0

---------------------------------------------------

It has to be done as I originally posted in #3:
https://forums.malwarebytes.org/index.php?/topic/151739-infected-by-moneypak-department-of-justice-virus-malware-bytes-cannot-detect/?p=847724

 

See if you can figure out a way to do it.

MrC
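As an added defender-side example (not MrC's code, nor anything FRST ships), here is a small parser for the "Bamital & volsnap Check" section shown in the log above: it flags any core file FRST listed without the "File is digitally signed" verdict and pulls out the detail line (timestamps, size, claimed company, MD5) that follows such an entry. The sample input is constructed from the lines in this thread, and the section layout is assumed to be the one seen there.

```python
import re

# Section boundaries in an FRST log (layout as seen in the posted scan; assumed stable).
SECTION_HEADER = re.compile(r"^=+ Bamital & volsnap Check =+\s*$")
SECTION_END = re.compile(r"^(=+ .* =+\s*|LastRegBack:.*)$")

# A core file FRST could verify: "<path> => File is digitally signed".
SIGNED = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => File is digitally signed\s*$")
# A core file FRST could NOT verify: the bare path on one line, then a detail line
# "[created] - [modified] - size attrs (company) MD5" on the next.
PATH_ONLY = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?)\s*$")
DETAIL = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attr>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def bamital_section(log_text):
    """Return the lines of the 'Bamital & volsnap Check' section, or [] if absent."""
    section, inside = [], False
    for line in log_text.splitlines():
        if SECTION_HEADER.match(line):
            inside = True
            continue
        if inside and SECTION_END.match(line):
            break
        if inside:
            section.append(line.rstrip())
    return section


def unsigned_core_files(log_text):
    """One dict per core file listed in the section without a 'digitally signed' verdict.

    A file that fails verification appears as a bare path followed by its details;
    that second shape is what the helper in this thread pointed at for User32.dll.
    The company name on the detail line is what the file header claims, not proof.
    """
    lines = bamital_section(log_text)
    findings, i = [], 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or SIGNED.match(line):
            continue
        path = PATH_ONLY.match(line)
        if not path:
            continue
        finding = {"path": path.group("path"), "reason": "no signature verdict"}
        if i < len(lines):
            detail = DETAIL.match(lines[i])
            if detail:
                finding.update(detail.groupdict())
                i += 1
        findings.append(finding)
    return findings


# Constructed sample: the section as it appears in the posted log (trimmed).
SAMPLE_LOG = r"""
==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2009-07-13 19:24] - [2013-01-04 00:46] - 0850944 ____A (Microsoft Corporation) FD245E68255F3CA967E799D402277CC0

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-06-29 01:12

==================== End Of Log ============================
"""

# Constructed sample: what the same section looks like when every file verifies.
CLEAN_LOG = r"""
==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================
"""

if __name__ == "__main__":
    for f in unsigned_core_files(SAMPLE_LOG):
        print("NOT VERIFIED:", f["path"], "MD5", f.get("md5", "n/a"))
```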


Now that we know what the problem is, can you fix the DLL? Or do you mean that I have to use the fixlist after opening FRST in command prompt?

OK, so here is the scan done after I used the command prompt to open FRST on a flash drive:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:28-06-2014 02

Ran by Mr.Li (administrator) on MRLI-PC on 30-06-2014 22:08:06

Running from E:\

Platform: Microsoft Windows 7 Professional  (X86) OS Language: English (United States)

Internet Explorer Version 9

Boot Mode: Normal

 

The only official download link for FRST:



Download link from any site other than Bleeping Computer is unpermitted or outdated.


 

==================== Processes (Whitelisted) =================

 

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\afwServ.exe

(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgwdsvc.exe

(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe

(Razer Inc.) C:\Program Files\Razer\Razer Game Booster\RzKLService.exe

(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe

(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe

(Skype Technologies S.A.) C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe

(TeamViewer GmbH) C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe

(VMware, Inc.) C:\Program Files\VMware\VMware Horizon View Client\wsnm.exe

(VMware, Inc.) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe

(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe

(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe

(VMware, Inc.) C:\Program Files\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe

(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe

(Aeria Games & Entertainment) C:\Program Files\Aeria Games\Ignite\aeriaignite.exe

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgui.exe

(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe

(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe

(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe

(Valve Corporation) C:\Program Files\Steam\Steam.exe

(Informer Technologies, Inc.) C:\Program Files\Software Informer\softinfo.exe

(Analog Devices, Inc.) C:\Program Files\Analog Devices\Core\smax4pnp.exe

(Akamai Technologies, Inc.) C:\Users\Mr.Li\AppData\Local\Akamai\netsession_win.exe

(Aeria Games & Entertainment) C:\Program Files\Aeria Games\Ignite\aeriaignite.exe

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2014\avgui.exe

(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe

(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe

(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe

(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe

(PPStream Inc.) D:\PPS.tv\PPStream\PPSKernel.exe

(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe

(Akamai Technologies, Inc.) C:\Users\Mr.Li\AppData\Local\Akamai\netsession_win.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Valve Corporation) C:\Program Files\Common Files\Steam\SteamService.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Microsoft Corporation) C:\Windows\System32\taskmgr.exe

(Farbar) C:\Program Files\Google\Chrome\Application\33.0.1750.154\FRST (3).exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Microsoft Corporation) C:\Windows\System32\audiodg.exe

(Microsoft Corporation) C:\Windows\System32\cmd.exe

 

 

==================== Registry (Whitelisted) ==================

 

HKLM\...\Run: [soundMAXPnP] => C:\Program Files\Analog Devices\Core\smax4pnp.exe [1314816 2009-04-23] (Analog Devices, Inc.)

HKLM\...\Run: [nwiz] => C:\Program Files\NVIDIA Corporation\nview\nwiz.exe [2562848 2013-04-19] ()

HKLM\...\Run: [Aeria Ignite] => C:\Program Files\Aeria Games\Ignite\aeriaignite.exe [1925656 2013-06-06] (Aeria Games & Entertainment)

HKLM\...\Run: [APSDaemon] => C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)

HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2014\avgui.exe [5181456 2014-05-13] (AVG Technologies CZ, s.r.o.)

HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [152392 2013-11-02] (Apple Inc.)

HKLM\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [3774312 2014-04-02] (AVAST Software)

HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)

HKLM\...\Run: [DivXMediaServer] => C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe

HKLM\...\Run: [sDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101584 2014-04-25] (Safer-Networking Ltd.)

Winlogon\Notify\SDWinLogon: SDWinLogon.dll [X]

HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [steam] => C:\Program Files\Steam\Steam.exe [1754816 2014-05-29] (Valve Corporation)

HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [software Informer] => C:\Program Files\Software Informer\softinfo.exe [2920517 2011-10-27] (Informer Technologies, Inc.)

HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [Akamai NetSession Interface] => C:\Users\Mr.Li\AppData\Local\Akamai\netsession_win.exe [4672920 2014-04-17] (Akamai Technologies, Inc.)

HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Run: [PPS Accelerator] => D:\PPS.tv\PPStream\PPSKernel.exe [4154232 2013-09-16] (PPStream Inc.)

HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1

HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\MountPoints2: E - E:\FalloutLauncher.exe

HKU\S-1-5-21-1522354521-3173218659-3440494766-1000\...\Winlogon: [shell] 

ShellIconOverlayIdentifiers: 00avast -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShell.dll (AVAST Software)

BootExecute: autocheck autochk * sdnclean.exe

 

==================== Internet (Whitelisted) ====================

 

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x2D69F8471348CD01

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

URLSearchHook: HKCU - (No Name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -  No File

SearchScopes: HKCU - Backup.Old.DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990}



SearchScopes: HKCU - {064B67B8-A867-4BB8-A3D8-7EDCEE4FC21F} URL = http://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=714647&p={searchTerms}

SearchScopes: HKCU - {3EFB0E43-80C4-AB2D-3334-2EB74051F29C} URL = 

BHO: MSS+ Identifier - {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} - C:\Program Files\McAfee Security Scan\3.8.141\McAfeeMSS_IE.dll (McAfee, Inc.)

BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: Skype Browser Helper - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Toolbar: HKCU - No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File

Toolbar: HKCU - No Name - {65F8A3D2-4C22-4A33-9633-73167EAEEC45} -  No File

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)

Filter: application/octet-stream - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File

Filter: application/x-complus - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File

Filter: application/x-msdownload - {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - mscoree.dll No File

Winsock: Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)

Tcpip\Parameters: [DhcpNameServer] 167.206.13.180 167.206.13.181 192.168.1.1

 

FireFox:

========

FF ProfilePath: C:\Users\Mr.Li\AppData\Roaming\Mozilla\Firefox\Profiles\er1zbp71.default

FF DefaultSearchEngine: Yahoo

FF SelectedSearchEngine: Conduit Search

FF Keyword.URL: hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=714647&p=

FF Plugin: @3gstudios.com/webmediaclient,version=1.0 - C:\Program Files\3G Studios\Web Media Client\npWebMediaClient.dll No File

FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_206.dll ()

FF Plugin: @Apple.com/iTunes,version=1.0 - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll No File

FF Plugin: @divx.com/DivX Web Player Plug-In,version=1.0.0 - C:\Program Files\DivX\DivX Web Player\npdivx32.dll No File

FF Plugin: @java.com/DTPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @mcafee.com/McAfeeMssPlugin - C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @nexon.net/NxGame - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)

FF Plugin: @pandonetworks.com/PandoWebPlugin - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF Plugin: @pps.tv/nppps - D:\PPS.tv\PPStream\nppps.dll ()

FF Plugin: @qq.com/npqscall - C:\Program Files\Common Files\Tencent\NPQSCALL\npqscall.dll (Tencent)

FF Plugin: @qq.com/QQlive - C:\Program Files\Tencent\QQLive\LiveOcx\npQQLive.dll (Tencent)

FF Plugin: @qq.com/QQPhotoDrawEx - C:\Program Files\Tencent\Qzone\npQQPhotoDrawEx.dll ()

FF Plugin: @qq.com/QzoneMusic - C:\Program Files\Tencent\QQMusic\QzoneMusic\npQzoneMusic.dll (Tencent)

FF Plugin: @qq.com/TXSSO - C:\Program Files\Common Files\Tencent\TXSSO\1.2.1.41\Bin\npSSOAxCtrlForPTLogin.dll (Tencent)

FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: Adobe Reader - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 - C:\Users\Mr.Li\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF Plugin HKCU: pandonetworks.com/PandoWebPlugin - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)

FF Extension: Battlefield Play4Free - C:\Users\Mr.Li\AppData\Roaming\Mozilla\Firefox\Profiles\er1zbp71.default\Extensions\battlefieldplay4free@ea.com [2013-05-04]

FF Extension: XJZ Survey Remover - C:\Users\Mr.Li\AppData\Roaming\Mozilla\Firefox\Profiles\er1zbp71.default\Extensions\survey-remover@gmx.com.xpi [2013-05-04]

FF Extension: Adblock Plus - C:\Users\Mr.Li\AppData\Roaming\Mozilla\Firefox\Profiles\er1zbp71.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-12-09]

FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-03-31]

FF Extension: Skype Click to Call - C:\Program Files\Mozilla Firefox\browser\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-03-31]

FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF

FF Extension: avast! Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-02-16]

 

Chrome: 

=======

CHR HomePage: hxxp://search.conduit.com/?gd=&ctid=CT3321459&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=55&CUI=&UM=5&UP=SPB489A03F-1033-4608-A837-E61F999AA11C&SSPV=

CHR StartupUrls: "https://www.google.com/"

CHR DefaultSearchProvider: Google.com

CHR DefaultSearchURL: {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}

CHR DefaultNewTabURL: 

CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.2.464\_platform_specific\win_x86\widevinecdmadapter.dll ()

CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\33.0.1750.154\PepperFlash\pepflashplayer.dll ()

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\33.0.1750.154\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\33.0.1750.154\pdf.dll ()

CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

CHR Plugin: (QQ2011) - C:\Program Files\Common Files\Tencent\NPQSCALL\npqscall.dll (Tencent)

CHR Plugin: (Tencent SSO Platform) - C:\Program Files\Common Files\Tencent\TXSSO\1.2.1.41\Bin\npSSOAxCtrlForPTLogin.dll (Tencent)

CHR Plugin: (DivX VOD Helper Plug-in) - C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll No File

CHR Plugin: (DivX Plus Web Player) - C:\Program Files\DivX\DivX Web Player\npdivx32.dll No File

CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

CHR Plugin: (Java Deployment Toolkit 7.0.510.13) - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

CHR Plugin: (McAfee Security Scanner +) - C:\Program Files\McAfee Security Scan\3.8.141\npMcAfeeMss.dll (McAfee, Inc.)

CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll ( Microsoft Corporation)

CHR Plugin: (Pando Web Plugin) - C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

CHR Plugin: (腾讯视频) - C:\Program Files\Tencent\QQLive\LiveOcx\npQQLive.dll (Tencent)

CHR Plugin: (QQMusic) - C:\Program Files\Tencent\QQMusic\QzoneMusic\npQzoneMusic.dll (Tencent)

CHR Plugin: (npQQPhotoDrawEx) - C:\Program Files\Tencent\Qzone\npQQPhotoDrawEx.dll ()

CHR Plugin: (iTunes Application Detector) - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()

CHR Plugin: (Nexon Game Controller) - C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)

CHR Plugin: (Unity Player) - C:\Users\Mr.Li\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_13_0_0_206.dll ()

CHR Plugin: (PPS Browser Plugin) - D:\PPS.tv\PPStream\nppps.dll ()

CHR Extension: (Google Docs) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-01-04]

CHR Extension: (Google Drive) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-01-04]

CHR Extension: (YouTube) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-01-04]

CHR Extension: (4chan X) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\cellaaeoekimmemgdheibaibbaoeefbl [2014-06-18]

CHR Extension: (Google Search) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-05-04]

CHR Extension: (Dynamite) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\djoedchmhkmbnkggjnbachnpikkabfhk [2014-06-02]

CHR Extension: (AdBlock) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-04-11]

CHR Extension: (avast! Online Security) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-02-16]

CHR Extension: (Reddit Enhancement Suite) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2014-02-16]

CHR Extension: (Google Wallet) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-03-25]

CHR Extension: (4chan Plus) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\pinelipedelckihohgdlpcclgocodhjj [2014-03-24]

CHR Extension: (Gmail) - C:\Users\Mr.Li\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-01-04]

CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-02-16]

CHR HKLM\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2013-10-09]

CHR HKLM\...\Chrome\Extension: [mhgkogmomehdgfcheknganbgdaaoemop] - C:\Program Files\3G Studios\Web Media Client\WebMediaClient.crx [2013-10-09]

CHR HKCU\...\Chrome\Extension: [fdloijijlkoblmigdofommgnheckmaki] - C:\Users\Mr.Li\AppData\Local\funmoods.crx [2013-10-09]

 

========================== Services (Whitelisted) =================

 

R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-02-16] (AVAST Software)

R2 avast! Firewall; C:\Program Files\AVAST Software\Avast\afwServ.exe [113704 2014-02-16] (AVAST Software)

S2 AVGIDSAgent; C:\Program Files\AVG\AVG2014\avgidsagent.exe [3644432 2014-05-13] (AVG Technologies CZ, s.r.o.)

R2 avgwd; C:\Program Files\AVG\AVG2014\avgwdsvc.exe [292424 2014-05-13] (AVG Technologies CZ, s.r.o.)

S3 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.141\McCHSvc.exe [235696 2014-01-15] (McAfee, Inc.)

S4 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76888 2013-05-04] ()

R2 RzKLService; C:\Program Files\Razer\Razer Game Booster\RzKLService.exe [105448 2014-02-25] (Razer Inc.)

R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738200 2014-04-25] (Safer-Networking Ltd.)

R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2081752 2014-04-25] (Safer-Networking Ltd.)

R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)

R2 Skype C2C Service; C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe [3064000 2012-10-02] (Skype Technologies S.A.)

R2 VMUSBArbService; C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe [725208 2013-12-09] (VMware, Inc.)

R2 vmware-view-usbd; C:\Program Files\VMware\VMware Horizon View Client\bin\vmware-view-usbd.exe [2509016 2013-12-10] (VMware, Inc.)

R2 wsnm; C:\Program Files\VMware\VMware Horizon View Client\wsnm.exe [486104 2014-01-21] (VMware, Inc.)

S3 WinHttpAutoProxySvc; winhttp.dll [X]

 

==================== Drivers (Whitelisted) ====================

 

S3 apf003; C:\Windows\system32\apf003.sys [13232 2014-01-31] () [File not signed]

R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [26136 2014-02-16] (AVAST Software)

R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [67824 2014-02-16] (AVAST Software)

R1 aswNdisFlt; C:\Windows\System32\DRIVERS\aswNdisFlt.sys [265072 2014-02-23] (AVAST Software)

R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [79720 2014-02-16] (AVAST Software)

R0 aswRvrt; C:\Windows\system32\Drivers\aswRvrt.sys [49944 2014-02-16] ()

R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [775952 2014-02-16] (AVAST Software)

R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [410784 2014-02-16] (AVAST Software)

S3 aswStm; C:\Windows\system32\drivers\aswStm.sys [64168 2014-02-16] (AVAST Software)

R0 aswVmm; C:\Windows\system32\Drivers\aswVmm.sys [180248 2014-02-16] ()

R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [122136 2014-05-13] (AVG Technologies CZ, s.r.o.)

R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [198936 2014-05-13] (AVG Technologies CZ, s.r.o.)

R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [149784 2014-05-13] (AVG Technologies CZ, s.r.o.)

R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [21272 2014-05-13] (AVG Technologies CZ, s.r.o.)

R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [192280 2014-05-13] (AVG Technologies CZ, s.r.o.)

R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [237848 2014-05-13] (AVG Technologies CZ, s.r.o.)

R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [107288 2014-05-13] (AVG Technologies CZ, s.r.o.)

R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27416 2014-05-13] (AVG Technologies CZ, s.r.o.)

R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [210200 2014-05-13] (AVG Technologies CZ, s.r.o.)

R2 hcmon; C:\Windows\system32\drivers\hcmon.sys [43736 2013-12-09] (VMware, Inc.)

S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [110296 2014-06-30] (Malwarebytes Corporation)

S3 ptun0901; C:\Windows\System32\DRIVERS\ptun0901.sys [35288 2014-03-10] (The OpenVPN Project)

R1 SCDEmu; C:\Windows\system32\Drivers\SCDEmu.sys [114408 2014-03-11] (Power Software Ltd)

S3 vmusb; C:\Windows\System32\Drivers\vmusb.sys [31280 2013-12-09] (VMware, Inc.)

S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]

S3 vtany; \??\C:\Windows\vtany.sys [X]

S3 WinRing0_1_2_0; \??\C:\Program Files\Razer\Razer Game Booster\Driver\WinRing0.sys [X]

S3 XDva401; \??\C:\Windows\system32\XDva401.sys [X]

S3 XDva409; \??\C:\Windows\system32\XDva409.sys [X]

S3 XDva410; \??\C:\Windows\system32\XDva410.sys [X]

U3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

 

==================== NetSvcs (Whitelisted) ===================

 

 

==================== One Month Created Files and Folders ========

 

2014-06-30 21:27 - 2014-06-30 21:27 - 00000302 _____ () C:\Windows\PFRO.log

2014-06-30 20:30 - 2014-06-30 20:36 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy

2014-06-30 20:30 - 2014-06-30 20:30 - 00001978 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk

2014-06-30 20:30 - 2014-06-30 20:30 - 00001966 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk

2014-06-30 20:30 - 2014-06-30 20:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2

2014-06-30 20:30 - 2013-09-20 10:49 - 00018968 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean.exe

2014-06-30 20:29 - 2014-06-30 20:34 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2

2014-06-30 18:17 - 2014-06-30 22:08 - 00000000 ____D () C:\FRST
2014-06-30 18:15 - 2014-06-30 18:15 - 00008376 _____ () C:\Users\hijackthis.log
2014-06-30 16:58 - 2014-06-30 21:44 - 00013489 _____ () C:\Windows\WindowsUpdate.log
2014-06-30 16:55 - 2014-06-30 21:39 - 00000448 _____ () C:\Windows\setupact.log
2014-06-30 16:55 - 2014-06-30 16:55 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-30 16:51 - 2014-06-30 16:51 - 00000000 ____H () C:\Windows\system32\Default.rdp
2014-06-30 15:51 - 2014-06-30 16:16 - 00000000 ____D () C:\Windows\system32\MpEngineStore
2014-06-30 15:49 - 2014-06-01 17:18 - 92708840 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-06-30 13:31 - 2014-06-30 14:12 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-06-21 22:59 - 2014-06-21 23:16 - 00000000 ____D () C:\Program Files\AudioSurf
2014-06-20 13:32 - 2014-06-21 18:27 - 00000000 ____D () C:\CFLog
2014-06-19 21:49 - 2014-06-19 21:49 - 00000000 ____D () C:\Program Files\Z8Games
2014-06-10 19:59 - 2014-06-10 19:59 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-06-07 18:33 - 2014-06-07 18:33 - 00007602 _____ () C:\Users\Mr.Li\AppData\Local\Resmon.ResmonCfg
2014-06-07 12:31 - 2014-06-07 12:31 - 00000000 ____D () C:\Program Files\Common Files\InstallShield
2014-06-05 20:41 - 2014-06-05 20:41 - 00000000 ____D () C:\Users\Mr.Li\AppData\Local\SniperV2
2014-06-05 20:00 - 2014-06-05 20:00 - 00000000 _____ () C:\dfu.log

==================== One Month Modified Files and Folders =======

2014-06-30 22:08 - 2014-06-30 18:17 - 00000000 ____D () C:\FRST
2014-06-30 21:59 - 2012-06-29 00:20 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\Software Informer
2014-06-30 21:44 - 2014-06-30 16:58 - 00013489 _____ () C:\Windows\WindowsUpdate.log
2014-06-30 21:41 - 2012-06-28 16:03 - 00000000 ____D () C:\Program Files\Steam
2014-06-30 21:40 - 2009-07-14 00:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-30 21:39 - 2014-06-30 16:55 - 00000448 _____ () C:\Windows\setupact.log
2014-06-30 21:37 - 2009-07-14 00:34 - 00033664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-30 21:37 - 2009-07-14 00:34 - 00033664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-30 21:31 - 2009-07-14 00:53 - 00032616 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-06-30 21:27 - 2014-06-30 21:27 - 00000302 _____ () C:\Windows\PFRO.log
2014-06-30 21:24 - 2014-05-27 00:08 - 00000026 _____ () C:\Windows\Zone.Identifier
2014-06-30 20:36 - 2014-06-30 20:30 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-06-30 20:34 - 2014-06-30 20:29 - 00000000 ____D () C:\Program Files\Spybot - Search & Destroy 2
2014-06-30 20:30 - 2014-06-30 20:30 - 00001978 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2014-06-30 20:30 - 2014-06-30 20:30 - 00001966 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2014-06-30 20:30 - 2014-06-30 20:30 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2014-06-30 19:58 - 2013-08-15 21:21 - 00000000 ____D () C:\ProgramData\MFAData
2014-06-30 19:14 - 2014-03-26 16:12 - 00110296 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-06-30 18:16 - 2014-02-16 01:55 - 00780436 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-06-30 18:15 - 2014-06-30 18:15 - 00008376 _____ () C:\Users\hijackthis.log
2014-06-30 17:58 - 2014-05-04 15:48 - 00000000 ____D () C:\Users\Mr.Li\Desktop\New folder
2014-06-30 17:31 - 2014-05-20 19:08 - 00074456 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-06-30 17:14 - 2013-12-27 13:16 - 00000000 ____D () C:\Users\Mr.Li\Desktop\James
2014-06-30 16:55 - 2014-06-30 16:55 - 00000000 _____ () C:\Windows\setuperr.log
2014-06-30 16:52 - 2012-07-19 14:32 - 00000000 ____D () C:\Windows\Minidump
2014-06-30 16:52 - 2012-06-11 20:16 - 00000000 ____D () C:\Windows\Panther
2014-06-30 16:51 - 2014-06-30 16:51 - 00000000 ____H () C:\Windows\system32\Default.rdp
2014-06-30 16:16 - 2014-06-30 15:51 - 00000000 ____D () C:\Windows\system32\MpEngineStore
2014-06-30 16:16 - 2013-06-29 15:32 - 00000000 ____D () C:\Users\Mr.Li\AppData\Local\Akamai
2014-06-30 16:16 - 2013-05-26 18:35 - 00000000 ____D () C:\Users\Public\Documents\ppstream
2014-06-30 16:16 - 2012-07-31 20:14 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\PPStream
2014-06-30 16:16 - 2012-06-11 16:26 - 00000000 ____D () C:\Users\Mr.Li
2014-06-30 16:16 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\registration
2014-06-30 16:07 - 2013-08-28 13:19 - 00000000 ____D () C:\Users\Administrator
2014-06-30 16:07 - 2009-07-13 22:37 - 00000000 ____D () C:\Windows\system32\wfp
2014-06-30 14:12 - 2014-06-30 13:31 - 00000000 ___HD () C:\Users\Public\Documents\Report
2014-06-30 14:10 - 2009-07-14 00:52 - 00000000 ____D () C:\Windows\Offline Web Pages
2014-06-30 13:30 - 2014-04-05 21:12 - 00000002 _____ () C:\Windows\system32\Drivers\etc\hosts.ics
2014-06-28 15:05 - 2014-03-14 18:40 - 00000000 ____D () C:\Users\Mr.Li\Documents\Cross Fire
2014-06-25 00:02 - 2013-05-04 23:34 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\BitTorrent
2014-06-22 22:56 - 2012-08-07 10:46 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\Skype
2014-06-22 14:49 - 2012-07-03 21:44 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2014-06-21 23:16 - 2014-06-21 22:59 - 00000000 ____D () C:\Program Files\AudioSurf
2014-06-21 18:27 - 2014-06-20 13:32 - 00000000 ____D () C:\CFLog
2014-06-19 21:49 - 2014-06-19 21:49 - 00000000 ____D () C:\Program Files\Z8Games
2014-06-19 20:35 - 2013-12-20 18:54 - 00003382 _____ () C:\console.log
2014-06-19 20:04 - 2014-03-11 18:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Z8Games
2014-06-19 17:02 - 2014-03-25 17:23 - 00000000 ____D () C:\Program Files\Common Files\DivX Shared
2014-06-19 17:02 - 2014-03-25 17:22 - 00000000 ____D () C:\ProgramData\DivX
2014-06-18 13:28 - 2013-12-03 14:46 - 00000935 _____ () C:\Users\Public\Desktop\AVG 2014.lnk
2014-06-18 13:28 - 2013-12-03 14:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2014-06-13 20:22 - 2014-02-23 22:25 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\.minecraft
2014-06-10 19:59 - 2014-06-10 19:59 - 00000000 ____D () C:\Program Files\Common Files\Skype
2014-06-10 19:59 - 2012-08-07 10:46 - 00000000 ___RD () C:\Program Files\Skype
2014-06-10 19:59 - 2012-08-07 10:46 - 00000000 ____D () C:\ProgramData\Skype
2014-06-07 20:59 - 2013-06-29 16:33 - 00000000 ____D () C:\Windows\system32\directx
2014-06-07 20:58 - 2013-06-29 16:33 - 00000000 ___HD () C:\Windows\msdownld.tmp
2014-06-07 20:53 - 2013-08-16 01:08 - 00000000 ____D () C:\Users\Mr.Li\Documents\My games
2014-06-07 18:33 - 2014-06-07 18:33 - 00007602 _____ () C:\Users\Mr.Li\AppData\Local\Resmon.ResmonCfg
2014-06-07 17:22 - 2013-08-24 17:53 - 00000000 ____D () C:\Users\Mr.Li\Documents\Nexus Mod Manager
2014-06-07 12:35 - 2013-08-23 01:56 - 00000000 ____D () C:\Program Files\Bethesda Softworks
2014-06-07 12:35 - 2012-06-13 12:27 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2014-06-07 12:31 - 2014-06-07 12:31 - 00000000 ____D () C:\Program Files\Common Files\InstallShield
2014-06-05 20:41 - 2014-06-05 20:41 - 00000000 ____D () C:\Users\Mr.Li\AppData\Local\SniperV2
2014-06-05 20:24 - 2013-06-29 16:33 - 00000000 ____D () C:\Users\Mr.Li\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AeriaGames
2014-06-05 20:00 - 2014-06-05 20:00 - 00000000 _____ () C:\dfu.log
2014-06-05 18:49 - 2013-06-29 16:26 - 00000000 __SHD () C:\Windows\system32\AI_RecycleBin
2014-06-01 17:18 - 2014-06-30 15:49 - 92708840 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll
[2009-07-13 19:24] - [2013-01-04 00:46] - 0850944 ____A (Microsoft Corporation) FD245E68255F3CA967E799D402277CC0

C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-06-29 01:12

==================== End Of Log ============================

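The "Bamital & volsnap Check" section of the FRST log above reports whether each core logon-chain binary is digitally signed and records the MD5 of User32.dll. As an added example (not FRST's code and not part of this thread), the following PowerShell script repeats that check on a live system using the same file list taken from the log; it assumes the standard %SystemRoot% locations and only built-in cmdlets and .NET classes, so it also runs on the PowerShell 2.0 that shipped with Windows 7.

```powershell
# Added example: re-run the "Bamital & volsnap Check" from the FRST log above.
# The file list is taken from that log; the script itself is not FRST's code.
$files = @(
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\system32\winlogon.exe",
    "$env:SystemRoot\system32\wininit.exe",
    "$env:SystemRoot\system32\svchost.exe",
    "$env:SystemRoot\system32\services.exe",
    "$env:SystemRoot\system32\User32.dll",
    "$env:SystemRoot\system32\userinit.exe",
    "$env:SystemRoot\system32\rpcss.dll",
    "$env:SystemRoot\system32\Drivers\volsnap.sys"
)

$md5 = [System.Security.Cryptography.MD5]::Create()

$report = foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) {
        New-Object PSObject -Property @{ File = $f; Status = 'MISSING'; Signer = ''; MD5 = '' }
        continue
    }
    # Get-AuthenticodeSignature checks the embedded signature. Caveat: many Windows
    # system files are catalog-signed, so on Windows 7 this cmdlet can report them as
    # NotSigned even though FRST (which consults the catalog) says "digitally signed".
    $sig = Get-AuthenticodeSignature -FilePath $f
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    # MD5 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there).
    $bytes = [System.IO.File]::ReadAllBytes($f)
    $hash = ([System.BitConverter]::ToString($md5.ComputeHash($bytes))) -replace '-', ''
    New-Object PSObject -Property @{ File = $f; Status = $sig.Status; Signer = $signer; MD5 = $hash }
}

$report | Select-Object File, Status, Signer, MD5 | Format-Table -AutoSize

# Anything other than a valid signature on these files deserves a closer look,
# which is exactly what the FRST check is for.
$report | Where-Object { $_.Status -ne 'Valid' } | ForEach-Object {
    Write-Warning ("{0}: signature status {1}" -f $_.File, $_.Status)
}
```

Compare the User32.dll MD5 with the value the log records only when the machine is at the same patch level; the hash legitimately changes whenever Windows Update replaces the file.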

You can also try this:

Please read the directions carefully so you don't end up deleting something that is good!!

If in doubt about an entry....please ask or choose Skip!!!!

Don't Delete anything unless instructed to!

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

If a suspicious object is detected, the default action will be Skip, click on Continue

Please note that TDSSKiller can be run in safe mode if needed.

Please download the latest version of TDSSKiller from HERE and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters. (Leave the KSN box checked)
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

    If in doubt about an entry....please ask or choose Skip

  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.

    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here. There may be 3 logs > so post or attach all of them.
  • Sometimes these logs can be very large, in that case please attach it or zip it up and attach it.

Here's a summary of what to do if you would like to print it out:

If in doubt about an entry....please ask or choose Skip

Don't Delete anything unless instructed to!

If a suspicious object is detected, the default action will be Skip, click on Continue

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic please choose Skip and click on Continue

Any entries like this: \Device\Harddisk0\DR0 ( TDSS File System ) - please choose Skip.

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

~~~~~~~~~~~~~~~~~~~~

You can attach the logs if they're too long:

Bottom right corner of this page.

New window that comes up.

Then...........

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://www.bleepingcomputer.com/download/combofix/dl/12/ <---ComboFix direct download

Please make sure you click the real download buttons, not "sponsored ad links":

Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message "Illegal operation attempted on registry key that has been marked for deletion" after you run ComboFix, please reboot the computer; this should resolve the problem. You may have to do this several times if needed.

MrC

This topic is now closed to further replies.