Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Potential Trojan and pop up of "Registry Console [Solved]


  • This topic is locked This topic is locked

#1
thecollectore

thecollectore

    Member

  • Member
  • PipPip
  • 62 posts

Hi,

 

I have some issues with my latop. Malwarebytes discovered some sort of Trojan a couple of days ago, removed it, but I keep getting a pop up saying

"Do you want to allow the following program to make changes to this computer?"

Program name: Registry Console Tool

Verified publisher: MicroSoft Windows. 

 

This pop up does not start before I try to open Explorer, then after 30 seconds the pop up starts... Clicking No only starts the pop up again.

 

I'm only able to work in Safe mode.

 

Please help! :upset:

 

Best regards, Rolf.


  • 0

Advertisements


#2
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts
Hi thecollectore,

Welcome to Geeks to Go. My name is dbreeze and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:
  • Please read all of my response through at least once before attempting to follow the procedures described.I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at Geeks to Go are here on a volunteer basis; please respect our time given to the cause of helping others.If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date. That being said, please notice the following Geeks to Go rule:
  • Posts that are not replied to in four (4) days will result in the topic being closed. We have not forgotten you; this is just an effort to keep the boards organized and flowing. To continue on your closed topic, please PM me or any Moderator to have the topic reactivated. If, at any time during our working together, I have not responded to you in 2 days (48 hours), then please PM me.
  • Malware removal is a complex, multiple step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed.All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen.If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to.Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you.Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


- Save ALL Tools to your Desktop-


All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
Chrome.JPGGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser.Settings.JPG Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
Firefox.JPGMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Settings.JPG Choose Options. In the downloads section, click the Browse button, click on the Desktop folder
and the click the "Select Folder" button. Click OK to get out of the Options menu.
IE.jpgInternet Explorer - Click the Tools menu in the upper right-corner of the browser. Tools.JPG Select View downloads. Select the Options link in the lower left of the window. Click Browse and
select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.
 

Quoted from and used by permission of BrianDrab. Thank you.


Let's get started....

If you need to boot into Safe Mode with Networking to download the following programs. You did not say what type of OS you have (32 or 64 bit), so try both of the following files. Only one of these will run on your system; you can delete the other file.

Please download Farbar Recovery Scan Tool 32bit and save it to your Desktop.

Please download Farbar Recovery Scan Tool 64bit and save it to your Desktop.
  • Right click the FRST file on your desktop and select "Run as Administrator..." (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • If an update is available, the program will inform you and download the update. Allow it do this please.
  • Once the tool shows "The tool is ready to use." message, please press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

  • 0

#3
thecollectore

thecollectore

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts

Hi dbreeze! Thank you for helping out!

 

I'm running 64 bit, sorry for not informing you.

 

Here's the log files:

 

FRST:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 23-04-2015 02
Ran by Rolf (administrator) on ROLF-TOSH on 24-04-2015 17:47:19
Running from C:\Users\Rolf\Desktop
Loaded Profiles: Rolf (Available profiles: Rolf & Caroline)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Safe Mode (with Networking)
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Toshiba TEMPRO] => C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe [1546720 2011-02-10] (Toshiba Europe GmbH)
HKLM\...\Run: [TosNC] => C:\Program Files\Toshiba\BulletinBoard\TosNcCore.exe [597928 2011-03-03] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] => C:\Program Files\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38304 2010-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [TPwrMain] => C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE [566696 2011-03-02] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] => C:\Program Files\TOSHIBA\TBS\HSON.exe [296824 2010-09-25] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] => C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe [973176 2010-12-15] (TOSHIBA Corporation)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SAIICpl.exe [316032 2010-12-14] (Conexant systems, Inc.)
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)
HKLM\...\Run: [Teco] => C:\Program Files\TOSHIBA\TECO\Teco.exe [1520552 2011-03-02] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] => C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710040 2010-12-08] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] => C:\Program Files\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-07-01] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] => C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [Toshiba Registration] => C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe [150992 2011-08-03] (Toshiba Europe GmbH)
HKLM-x32\...\Run: [NBAgent] => c:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe [1409424 2011-06-29] (Nero AG)
HKLM-x32\...\Run: [ITSecMng] => C:\Program Files (x86)\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe [83336 2009-07-22] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [ToshibaServiceStation] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe [1294712 2010-11-29] (TOSHIBA Corporation)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2013\avgui.exe [4411952 2014-11-04] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Secure Search\vprot.exe [2503704 2015-03-05] ()
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-03-12] (Hewlett-Packard)
HKLM-x32\...\Run: [Bing Bar] => C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1449.0\mswinext.exe [243544 2010-04-27] (Microsoft Corp.)
HKLM-x32\...\Run: [Microsoft Default Manager] => C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe [288088 2009-11-11] (Microsoft Corporation)
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [2005896 2015-04-06] (APN)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM-x32\...\Run: [THGuard] => C:\Program Files (x86)\TrojanHunter 5.6\THGuard.exe [1082832 2014-08-20] (Mischel Internet Security)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\...\Run: [TOPI.EXE] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe [846936 2011-05-16] (TOSHIBA)
HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [6581488 2013-08-18] (SUPERAntiSpyware)
HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2012-05-26] (Google Inc.)
HKU\S-1-5-18\...\Run: [TOPI.EXE] => C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe [846936 2011-05-16] (TOSHIBA)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Toshiba Places Icon Utility.lnk [2011-08-03]
ShortcutTarget: Toshiba Places Icon Utility.lnk -> C:\Program Files\TOSHIBA\TOSHIBA Places Icon Utility\TosDIMonitor.exe (Toshiba)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk [2011-08-03]
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk [2011-08-03]
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Rolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D5A00E92F.lnk [2015-04-03]
ShortcutTarget: D5A00E92F.lnk -> C:\ProgramData\F29E00A5D.cpp ()
Startup: C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk [2013-11-09]
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\TEMP.Rolf-TOSH\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk [2014-07-14]
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...d=ie&ar=msnhome
HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.n...DADA&gws_rd=ssl
SearchScopes: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001 -> DefaultScope {24F5112A-BA6F-4128-9AC4-EFAFDC2B9582} URL = https://www.google.c...?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001 -> {24F5112A-BA6F-4128-9AC4-EFAFDC2B9582} URL = https://www.google.c...?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001 -> {718D1279-5551-4431-9D31-25209CBFE6D3} URL = http://www.search.as...rms}&psv=&pt=tb
SearchScopes: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001 -> {73F77DB3-D799-4D8A-BEBC-BFD5B8964DA3} URL = http://www.ant.com/s...&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.c...fr&d=2013-01-15 19:22:58&v=15.3.0.11&pid=avg&sg=0&sap=dsp&q={searchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-03] (Google Inc.)
BHO-x32: Ant.com browser helper (video detector) -> {346FDE31-DFF9-418A-90C8-BA31DC9FF2EF} -> C:\Program Files (x86)\Ant.com\IE add-on\Download.dll [2013-01-30] (Ant.com)
BHO-x32: Search Helper -> {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} -> C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll [2010-01-14] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll [2014-10-15] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: AVG Security Toolbar -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG Secure Search\18.3.0.885\AVG Secure Search_toolbar.dll [2015-03-05] (AVG Secure Search)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-03] (Google Inc.)
BHO-x32: Bing Bar BHO -> {d2ce3e00-f94a-4740-988e-03dc2f38c34f} -> C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll [2010-04-27] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll [2014-10-15] (Oracle Corporation)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-03] (Google Inc.)
Toolbar: HKLM-x32 - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\18.3.0.885\AVG Secure Search_toolbar.dll [2015-03-05] (AVG Secure Search)
Toolbar: HKLM-x32 - Ant.com Video Downloader toolbar - {2E924F4F-67F0-4BD8-9560-49F468E843D2} - C:\Program Files (x86)\Ant.com\IE add-on\AntToolbar.dll [2013-01-30] (Ant.com)
Toolbar: HKLM-x32 - @C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll [2010-04-27] (Microsoft Corporation)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2015-03-03] (Google Inc.)
Toolbar: HKU\.DEFAULT -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-03] (Google Inc.)
Toolbar: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001 -> Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2015-03-03] (Google Inc.)
Toolbar: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001 -> No Name - {2E924F4F-67F0-4BD8-9560-49F468E843D2} -  No File
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab
DPF: HKLM-x32 {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoft...s/as2stubie.cab
DPF: HKLM-x32 {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadbl...ivex/sabspx.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2011-11-03] (Skype Technologies)
Handler-x32: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.3.0\ViProtocol.dll [2015-03-05] (AVG Secure Search)
Tcpip\Parameters: [DhcpNameServer] 192.168.43.1

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll [2013-05-13] ( Microsoft Corporation)
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.3.0\\npsitesafety.dll No File
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll [2014-10-15] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll [2014-10-15] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrl.dll [2013-05-13] ( Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpWinExt,version=5.0 -> C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll [2010-04-27] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @pandasecurity.com/activescan -> C:\Program Files (x86)\Panda Security\ActiveScan 2.0\npwrapper.dll [2010-07-27] (Panda Security, S.L.)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-05] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-05] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2012-03-17] (VideoLAN)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2010-12-08] ()
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2014-12-03] (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1449.0\Firefox
FF Extension: Bing Bar - C:\Program Files (x86)\MSN Toolbar\Platform\5.0.1449.0\Firefox [2014-09-01]
FF HKLM-x32\...\Firefox\Extensions: [{27182e60-b5f3-411c-b545-b44205977502}] - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension
FF Extension: Search Helper Extension - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension [2014-09-01]

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com"
CHR Profile: C:\Users\Rolf\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Docs) - C:\Users\Rolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-05-23]
CHR Extension: (Google Wallet) - C:\Users\Rolf\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-02-10]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [140672 2012-09-12] (SUPERAntiSpyware.com) [File not signed]
S3 Ant App service; C:\Program Files (x86)\Ant.com\File1 Package Manager\AppService.exe [504816 2013-02-05] (Helios Technologies Ltd)
S2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [180632 2015-04-06] (APN LLC.)
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [4942384 2014-10-17] (AVG Technologies CZ, s.r.o.)
S2 avgwd; C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [283136 2013-11-20] (AVG Technologies CZ, s.r.o.)
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1021888 2012-10-10] (Enigma Software Group USA, LLC.)
S3 TemproMonitoringService; C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [112080 2011-02-10] (Toshiba Europe GmbH)
S2 vToolbarUpdater18.3.0; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.3.0\ToolbarUpdater.exe [1802776 2015-03-05] (AVG Secure Search)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 0258351358198765mcinstcleanup; C:\Users\Rolf\AppData\Local\Temp\025835~1.EXE -cleanup -nolog [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Apowersoft_AudioDevice; C:\Windows\System32\drivers\Apowersoft_AudioDevice.sys [29288 2010-12-24] (Wondershare)
U5 AppMgmt; C:\Windows\system32\svchost.exe [27648 2011-03-01] (Microsoft Corporation)
S1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [246072 2013-11-25] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [71480 2013-07-20] (AVG Technologies CZ, s.r.o.)
S1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [209720 2014-11-04] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [311608 2013-07-20] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [116536 2013-07-01] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [45880 2013-10-23] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [240952 2014-10-17] (AVG Technologies CZ, s.r.o.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2012-06-22] ()
S0 pavboot; C:\Windows\System32\drivers\pavboot64.sys [33800 2009-06-30] (Panda Security, S.L.)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 Tosrfcom; No ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-24 17:47 - 2015-04-24 17:47 - 00020006 _____ () C:\Users\Rolf\Desktop\FRST.txt
2015-04-24 17:46 - 2015-04-24 17:47 - 00000000 ____D () C:\FRST
2015-04-24 17:46 - 2015-04-24 17:44 - 02099712 _____ (Farbar) C:\Users\Rolf\Desktop\FRST64.exe
2015-04-24 15:41 - 2015-04-24 15:41 - 00000000 _____ () C:\Users\Rolf\Desktop\BDPUARLauncher_exe.t1wg6ya.partial
2015-04-24 12:09 - 2015-04-24 12:09 - 00000000 _____ () C:\Users\Rolf\Desktop\Antivirus_Free_Edition_exe.m9tzebh.partial
2015-04-24 12:08 - 2015-04-24 12:08 - 00000000 _____ () C:\Users\Rolf\Desktop\Antivirus_Free_Edition_exe.h6pijex.partial
2015-04-24 12:06 - 2015-04-23 10:46 - 00162208 _____ () C:\Users\Rolf\Desktop\bitdefender Antivirus_Free_Edition.exe
2015-04-23 15:08 - 2015-04-23 15:08 - 00000000 ____D () C:\Users\Rolf\AppData\Roaming\TrojanHunter
2015-04-23 14:15 - 2015-04-23 14:15 - 00059392 ____R () C:\Windows\SysWOW64\streamhlp.dll
2015-04-23 14:15 - 2015-04-23 14:15 - 00001096 _____ () C:\Users\Rolf\Desktop\TrojanHunter.lnk
2015-04-23 14:15 - 2015-04-23 14:15 - 00000000 ____D () C:\ProgramData\TrojanHunter
2015-04-23 14:15 - 2015-04-23 14:15 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TrojanHunter
2015-04-23 14:15 - 2015-04-23 14:15 - 00000000 ____D () C:\Program Files (x86)\TrojanHunter 5.6
2015-04-23 14:14 - 2015-04-23 10:47 - 04334200 _____ (Bytelayer AB ) C:\Users\Rolf\Desktop\TrojanHunterSetup.exe
2015-04-22 23:07 - 2015-04-24 15:54 - 00073153 _____ () C:\Windows\WindowsUpdate.log
2015-04-22 23:04 - 2015-04-24 15:50 - 00000280 _____ () C:\Windows\setupact.log
2015-04-22 23:04 - 2015-04-22 23:04 - 00000000 _____ () C:\Windows\setuperr.log
2015-04-22 14:05 - 2015-04-22 14:05 - 00010368 ____N () C:\bootsqm.dat
2015-04-22 13:58 - 2015-04-22 13:58 - 00000000 __SHD () C:\found.000
2015-04-20 15:15 - 2015-04-20 15:15 - 00176128 _____ () C:\ProgramData\F29E00A5D.cpp
2015-04-03 22:05 - 2015-04-22 21:38 - 00155579 _____ () C:\Users\Rolf\Desktop\avgrep.txt
2015-04-03 20:16 - 2015-04-05 00:07 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-04-24 17:47 - 2009-07-14 07:13 - 00005396 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-24 15:57 - 2009-07-14 06:45 - 00025120 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-24 15:57 - 2009-07-14 06:45 - 00025120 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-24 15:50 - 2011-08-03 12:00 - 00000988 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-24 15:50 - 2009-07-14 07:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-24 15:35 - 2013-01-14 19:52 - 00000000 ____D () C:\ProgramData\MFAData
2015-04-23 21:40 - 2015-02-14 08:00 - 00000000 ____D () C:\Users\Rolf\Desktop\BEST PHOTO
2015-04-23 21:28 - 2012-05-20 21:57 - 00000000 ____D () C:\Users\Rolf\AppData\Roaming\vlc
2015-04-23 18:16 - 2014-03-16 09:01 - 00000000 ____D () C:\Users\Rolf\Desktop\sendt
2015-04-23 18:09 - 2012-08-10 22:53 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-04-22 18:08 - 2013-01-14 23:21 - 00000000 ____D () C:\Qoobox
2015-04-22 18:02 - 2013-11-16 10:17 - 00081504 _____ () C:\Users\Rolf\Desktop\OTL.Txt
2015-04-22 14:49 - 2014-08-29 23:13 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-04-20 15:47 - 2013-01-14 21:04 - 00000000 ____D () C:\Windows\83B952C7F8F34CA3B4C533C85B24E478.TMP
2015-04-20 07:41 - 2011-08-03 12:00 - 00000992 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-19 11:39 - 2012-01-22 21:22 - 00000000 ____D () C:\Users\Caroline
2015-04-19 02:43 - 2012-08-10 22:54 - 00002190 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-04-18 22:09 - 2013-12-11 00:16 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-04-18 22:09 - 2012-08-10 22:53 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-04-18 22:09 - 2012-07-02 23:49 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-04-05 01:10 - 2009-07-14 06:45 - 00000000 ____D () C:\Windows\Setup
2015-04-03 22:51 - 2012-04-30 11:23 - 00002026 _____ () C:\Users\Public\Desktop\Adobe Reader X.lnk
2015-04-03 22:51 - 2011-08-03 11:42 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
2015-04-03 22:05 - 2013-01-14 19:52 - 00000000 ____D () C:\Users\Rolf\AppData\Local\Avg2013
2015-04-03 21:03 - 2011-10-26 09:54 - 00000000 ____D () C:\Windows\OemDrv
2015-04-03 20:29 - 2009-07-14 05:20 - 00000000 ____D () C:\Windows\Help

==================== Files in the root of some directories =======

2013-05-22 20:54 - 2013-05-22 20:54 - 0000077 _____ () C:\Users\Rolf\AppData\Roaming\Camdata.ini
2013-05-22 20:54 - 2013-05-22 20:54 - 0000408 _____ () C:\Users\Rolf\AppData\Roaming\CamLayout.ini
2013-05-22 20:54 - 2013-05-22 20:54 - 0000408 _____ () C:\Users\Rolf\AppData\Roaming\CamShapes.ini
2013-05-22 20:54 - 2013-05-22 20:54 - 0004510 _____ () C:\Users\Rolf\AppData\Roaming\CamStudio.cfg
2015-04-20 15:15 - 2015-04-20 15:15 - 0176128 _____ () C:\ProgramData\F29E00A5D.cpp

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-04-18 22:43

==================== End Of Log ============================

 

 

Addition:

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 23-04-2015 02
Ran by Rolf at 2015-04-24 17:48:08
Running from C:\Users\Rolf\Desktop
Boot Mode: Safe Mode (with Networking)
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-1450934602-1502259422-2229682122-500 - Administrator - Disabled)
Caroline (S-1-5-21-1450934602-1502259422-2229682122-1003 - Limited - Enabled) => C:\Users\Caroline
Guest (S-1-5-21-1450934602-1502259422-2229682122-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1450934602-1502259422-2229682122-1002 - Limited - Enabled)
Rolf (S-1-5-21-1450934602-1502259422-2229682122-1001 - Administrator - Enabled) => C:\Users\Rolf

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: AVG AntiVirus Free Edition 2013 (Disabled - Out of date) {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: AVG AntiVirus Free Edition 2013 (Disabled - Out of date) {B5F5C120-2089-702E-0001-553BB0D5A664}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Flash Player 17 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 17.0.0.169 - Adobe Systems Incorporated)
Adobe Reader X (10.1.13) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.13 - Adobe Systems Incorporated)
Ant.com IE add-on (HKLM-x32\...\{B795F380-D3D6-4EA4-A4BB-27FC2FB0F8B2}) (Version: 2.2.3.1074 - Ant.com)
Atheros Bluetooth Filter Driver Package (HKLM\...\{65486209-5C54-439C-8383-8AC9BBE25932}) (Version: 1.00.007 - Atheros Communications)
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver (HKLM-x32\...\{3108C217-BE83-42E4-AE9E-A56A2A92E549}) (Version: 1.0.0.36 - Atheros Communications Inc.)
Atheros Driver Installation Program (HKLM-x32\...\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}) (Version: 9.2 - Atheros)
AVG 2013 (HKLM\...\AVG) (Version: 2013.0.3495 - AVG Technologies)
AVG 2013 (Version: 13.0.3495 - AVG Technologies) Hidden
AVG 2013 (Version: 13.0.4311 - AVG Technologies) Hidden
AVG Security Toolbar (HKLM-x32\...\AVG Secure Search) (Version: 18.3.0.885 - AVG Technologies)
Bejeweled 2 Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Bejeweled 3 (x32 Version: 2.2.0.97 - WildTangent) Hidden
Bing Bar (HKLM-x32\...\{08234a0d-cf39-4dca-99f0-0c5cb496da81}) (Version: 5.0.1449.0 - Microsoft Corporation)
Bing Bar Platform (x32 Version: 5.0.1449.0 - Microsoft Corporation) Hidden
Bluetooth Stack for Windows by Toshiba (HKLM\...\{CEBB6BFB-D708-4F99-A633-BC2600E01EF6}) (Version: v8.00.04(T) - TOSHIBA CORPORATION)
CCleaner (HKLM\...\CCleaner) (Version: 3.26 - Piriform)
Chicken Invaders 3 - Revenge of the Yolk (x32 Version: 2.2.0.95 - WildTangent) Hidden
Chuzzle Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
Conexant HD Audio (HKLM\...\CNXT_AUDIO_HDA) (Version: 8.51.1.0 - Conexant)
Coupon Printer for Windows (HKLM-x32\...\Coupon Printer for Windows5.0.0.0) (Version: 5.0.0.0 - Coupons.com Incorporated)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Diner Dash 2 Restaurant Rescue (x32 Version: 2.2.0.95 - WildTangent) Hidden
FATE (x32 Version: 2.2.0.97 - WildTangent) Hidden
File1 Package Manager (HKLM-x32\...\{8A50D93C-79EE-425C-9464-3550978F4E56}) (Version: 0.1.2.75 - Helios Technologies)
Final Drive: Nitro (x32 Version: 2.2.0.95 - WildTangent) Hidden
FM Screen Capture Codec (Remove Only) (HKLM-x32\...\FMCODEC) (Version:  - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 42.0.2311.90 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM-x32\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.6227.252 - Google Inc.)
Google Toolbar for Internet Explorer (x32 Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
High-Definition Video Playback (x32 Version: 7.3.10900.8.0 - Nero AG) Hidden
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.3341 - HP Photo Creations Powered by RocketLife)
HP Photosmart Plus B210 series Basic Device Software (HKLM\...\{13AC9B67-96DE-4DF6-9FB8-974DD24A7AD6}) (Version: 22.0.334.0 - Hewlett-Packard Co.)
HP Photosmart Plus B210 series Help (HKLM-x32\...\{7F5FDEA1-D0AC-4D80-9D95-59775FCCFA40}) (Version: 140.0.54.54 - Hewlett Packard)
HP Photosmart Plus B210 series Product Improvement Study (HKLM\...\{664AE3A4-2B08-401F-9D54-471C1844838B}) (Version: 22.0.334.0 - Hewlett-Packard Co.)
HP Update (HKLM-x32\...\{787D1A33-A97B-4245-87C0-7174609A540C}) (Version: 5.002.005.003 - Hewlett-Packard)
Insaniquarium Deluxe (x32 Version: 2.2.0.97 - WildTangent) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2353 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.2.1004 - Intel Corporation)
Java 8 Update 25 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218025F0}) (Version: 8.0.250 - Oracle Corporation)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30319 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Click-to-Run 2010 (HKLM-x32\...\Office14.Click2Run) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Office Starter 2010 - English (HKLM-x32\...\{90140011-0066-0409-0000-0000000FF1CE}) (Version: 14.0.5131.5000 - Microsoft Corporation)
Microsoft Primary Interoperability Assemblies 2005 (HKLM-x32\...\{2C303EE0-A595-3543-A71A-931C7AC40EDE}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20513.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
Nero BackItUp 10 (HKLM-x32\...\{68AB6930-5BFF-4FF6-923B-516A91984FE6}) (Version: 5.8.10900.8.100 - Nero AG)
Nero BurnRights 10 (HKLM-x32\...\{943CFD7D-5336-47AF-9418-E02473A5A517}) (Version: 4.4.10400.2.100 - Nero AG)
Nero Express 10 (HKLM-x32\...\{70550193-1C22-445C-8FA4-564E155DB1A7}) (Version: 10.6.10700.5.100 - Nero AG)
Nero InfoTool 10 (HKLM-x32\...\{F412B4AF-388C-4FF5-9B2F-33DB1C536953}) (Version: 7.4.10300.1.100 - Nero AG)
Nero Kwik Media (HKLM-x32\...\{1F7D9F37-C39C-486C-BDF8-8F440FFB3352}) (Version: 1.6.15100.59.100 - Nero AG)
Nero Multimedia Suite 10 Essentials (HKLM-x32\...\{2063D199-D79F-471A-9019-9E647296394D}) (Version: 10.6.10300 - Nero AG)
Nero RescueAgent 10 (HKLM-x32\...\{E337E787-CF61-4B7B-B84F-509202A54023}) (Version: 3.6.10500.3.100 - Nero AG)
Nero StartSmart 10 (HKLM-x32\...\{F61D489E-6C44-49AC-AD02-7DA8ACA73A65}) (Version: 10.6.10500.3.100 - Nero AG)
Nero Update (HKLM-x32\...\{65BB0407-4CC8-4DC7-952E-3EEFDF05602A}) (Version: 1.0.10900.31.0 - Nero AG)
Panda ActiveScan 2.0 (HKLM-x32\...\ActiveScan 2.0) (Version: 01.04.01.0014 - Panda Security)
Penguins! (x32 Version: 2.2.0.95 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (x32 Version: 2.2.0.95 - WildTangent) Hidden
PlayReady PC Runtime amd64 (HKLM\...\{BCA9334F-B6C9-4F65-9A73-AC5A329A4D04}) (Version: 1.3.0 - Microsoft Corporation)
Polar Bowler (x32 Version: 2.2.0.97 - WildTangent) Hidden
Realtek USB 2.0 Reader Driver (HKLM-x32\...\{62BBB2F0-E220-4821-A564-730807D2C34D}) (Version: 1.0.0.15 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.94 (HKLM-x32\...\Revo Uninstaller) (Version: 1.94 - VS Revo Group)
ScreenVirtuoso PRO 4.61, Non-Commercial Edition (HKLM-x32\...\ScreenVirtuoso PRO_is1) (Version:  - )
Search App by Ask (HKLM-x32\...\{4F524A2D-5350-4500-76A7-A758B70C1B00}) (Version: 12.27.0.141 - APN, LLC) <==== ATTENTION
Skype™ 5.10 (HKLM-x32\...\{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}) (Version: 5.10.116 - Skype Technologies S.A.)
Slingo Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden
SpyHunter (HKLM\...\{83B952C7-F8F3-4CA3-B4C5-33C85B24E478}) (Version: 4.11.10.4138 - Enigma Software Group USA, LLC)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.0.1150 - SUPERAntiSpyware.com)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 15.2.11.1 - Synaptics Incorporated)
TOSHIBA Assist (HKLM-x32\...\{C2A276E3-154E-44DC-AAF1-FFDD7FD30E35}) (Version: 4.02.02 - TOSHIBA CORPORATION)
TOSHIBA Bulletin Board (HKLM-x32\...\InstallShield_{43DBC64B-3DD1-47E2-8788-D3C3B110C574}) (Version: 2.1.10.64 - TOSHIBA Corporation)
TOSHIBA ConfigFree (HKLM-x32\...\{D5AEEAA2-184E-4A2A-BAA3-6225EA4B9516}) (Version: 8.0.37 - TOSHIBA CORPORATION)
TOSHIBA Disc Creator (HKLM\...\{5DA0E02F-970B-424B-BF41-513A5018E4C0}) (Version: 2.1.0.6 for x64 - TOSHIBA Corporation)
TOSHIBA eco Utility (HKLM\...\{B3FF1CD9-B2F0-4D71-BB55-5F580401C48E}) (Version: 1.2.25.64 - TOSHIBA Corporation)
TOSHIBA Face Recognition (HKLM-x32\...\InstallShield_{F67FA545-D8E5-4209-86B1-AEE045D1003F}) (Version: 3.1.8.64 - TOSHIBA Corporation)
TOSHIBA Hardware Setup (HKLM-x32\...\InstallShield_{C4FFA951-9678-4D51-84B4-AFD15D3C45AD}) (Version: 4.08.06.00 - )
TOSHIBA HDD/SSD Alert (HKLM-x32\...\InstallShield_{D4322448-B6AF-4316-B859-D8A0E84DCB38}) (Version: 3.1.64.7 - TOSHIBA Corporation)
Toshiba Manuals (HKLM-x32\...\{90FF4432-21B7-4AF6-BA6E-FB8C1FED9173}) (Version: 10.02 - TOSHIBA)
TOSHIBA Online Product Information (HKLM-x32\...\{2290A680-4083-410A-ADCC-7092C67FC052}) (Version: 4.01.0000 - TOSHIBA)
TOSHIBA PC Health Monitor (HKLM\...\{9DECD0F9-D3E8-48B0-A390-1CF09F54E3A4}) (Version: 1.7.9.64M - TOSHIBA Corporation)
TOSHIBA Places Icon Utility (HKLM-x32\...\{461F6F0D-7173-4902-9604-AB1A29108AF2}) (Version: 1.0.2.4 - TOSHIBA)
TOSHIBA Recovery Media Creator (HKLM-x32\...\{B65BBB06-1F8E-48F5-8A54-B024A9E15FDF}) (Version: 2.1.3.10010 - TOSHIBA CORPORATION)
TOSHIBA Recovery Media Creator Reminder (HKLM-x32\...\InstallShield_{773970F1-5EBA-4474-ADEE-1EA3B0A59492}) (Version: 1.00.0019 - TOSHIBA)
TOSHIBA ReelTime (HKLM-x32\...\InstallShield_{24811C12-F4A9-4D0F-8494-A7B8FE46123C}) (Version: 1.7.17.64 - TOSHIBA Corporation)
TOSHIBA Service Station (HKLM-x32\...\{AC6569FA-6919-442A-8552-073BE69E247A}) (Version: 2.1.52 - TOSHIBA)
TOSHIBA Sleep Utility (HKLM-x32\...\{654F7484-88C5-46DC-AB32-C66BCB0E2102}) (Version: 1.4.2.7 - TOSHIBA Corporation)
TOSHIBA Supervisor Password (HKLM-x32\...\InstallShield_{CBD6B23D-41D5-4A46-8019-6208516C9712}) (Version: 4.08.06.00 - )
TOSHIBA TEMPRO (HKLM-x32\...\{F082CB11-4794-4259-99A1-D91BA762AD15}) (Version: 3.35 - Toshiba Europe GmbH)
TOSHIBA Value Added Package (HKLM-x32\...\InstallShield_{066CFFF8-12BF-4390-A673-75F95EFF188E}) (Version: 1.5.4.64 - TOSHIBA Corporation)
TOSHIBA Web Camera Application (HKLM-x32\...\InstallShield_{6F3C8901-EBD3-470D-87F8-AC210F6E5E02}) (Version: 2.0.0.19 - TOSHIBA Corporation)
TOSHIBA Wireless LAN Indicator (HKLM-x32\...\{CDADE9BC-612C-42B8-B929-5C6A823E7FF9}) (Version: 1.0.3 - TOSHIBA CORPORATION)
TrojanHunter 5.6 (HKLM-x32\...\TrojanHunter_is1) (Version: 5.6 - Bytelayer AB)
TRORMCLauncher (HKLM-x32\...\InstallShield_{E65C7D8E-186D-484B-BEA8-DEF0331CE600}) (Version:  - )
TRORMCLauncher (Version: 1.0.0.10 - TOSHIBA) Hidden
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
VLC media player 2.0.1 (HKLM-x32\...\VLC media player) (Version: 2.0.1 - VideoLAN)
Wedding Dash 2 - Rings Around the World (x32 Version: 2.2.0.95 - WildTangent) Hidden
WildTangent Games (HKLM-x32\...\WildTangent toshiba Master Uninstall) (Version: 1.0.2.5 - WildTangent)
WildTangent Games App (Toshiba Games) (x32 Version: 4.0.5.5 - WildTangent) Hidden
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Mesh ActiveX-kontroll for eksterne tilkoblinger (HKLM-x32\...\{09B7C7EB-3140-4B5E-842F-9C79A7137139}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Mesh ActiveX-objekt til fjernforbindelser (HKLM-x32\...\{57220148-3B2B-412A-A2E0-82B9DF423696}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Meshin etäyhteyksien ActiveX-komponentti (HKLM-x32\...\{4CF6F287-5121-483C-A5A2-07BDE19D8B4E}) (Version: 15.4.5722.2 - Microsoft Corporation)
WinRAR 4.10 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 4.10.0 - win.rar GmbH)
Zuma Deluxe (x32 Version: 2.2.0.95 - WildTangent) Hidden

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\vss_ps.dll No File

==================== Restore Points  =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2013-11-16 09:49 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {042A2687-8629-451A-A2B8-0B1DE94AD7B8} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files (x86)\Ask.com\UpdateTask.exe <==== ATTENTION
Task: {09A953CA-0C9D-4723-9431-D81263BD8900} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-04-18] (Adobe Systems Incorporated)
Task: {36ABA318-4A3D-4EE5-B58F-34C1E8B6B297} - System32\Tasks\ConfigFree Startup Programs => C:\Program Files (x86)\TOSHIBA\ConfigFree\NDSTray.exe [2010-12-03] (TOSHIBA CORPORATION)
Task: {4DCD7AD4-3295-421B-A3CF-309FF41FE5E8} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2012-12-19] (Piriform Ltd)
Task: {62D258F6-16FB-4FB8-98D2-A97C0040863A} - System32\Tasks\HPCustParticipation HP Photosmart Plus B210 series => C:\Program Files\HP\HP Photosmart Plus B210 series\Bin\HPCustPartic.exe [2010-06-14] (Hewlett-Packard Co.)
Task: {6A18F084-75BA-4536-926C-3F04B242E1A2} - \Advanced-System Protector_startup No Task File <==== ATTENTION
Task: {6D1F6CF0-F2AB-4D41-AD39-7C8540004AE6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-18] (Google Inc.)
Task: {6D715F29-2282-43FA-8A69-19F6B029419E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-10-18] (Google Inc.)
Task: {72312FBD-33D0-4C1B-8BD5-5E6734EBB335} - System32\Tasks\OfficeSoftwareProtectionPlatform\SvcRestartTask => Sc.exe start osppsvc
Task: {9485F9F2-44CB-45AF-96FC-FC30776DBFE6} - \RegClean Pro No Task File <==== ATTENTION
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) ==============

2012-01-21 01:29 - 2012-01-09 20:44 - 00193536 _____ () C:\Program Files (x86)\WinRAR\rarext64.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\Users\Caroline\Downloads\Navn og tlf liste til foreldre.eml:OECustomProperty

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MSIServer => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"

==================== EXE Association (whitelisted) ===============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, the associated entry will be removed from the registry.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Rolf\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.43.1

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== Faulty Device Manager Devices =============

Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

Name: SBRE
Description: SBRE
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: SBRE
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (04/24/2015 05:47:00 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (04/24/2015 05:47:00 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (04/24/2015 05:38:36 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (04/24/2015 05:38:36 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (04/24/2015 05:35:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/24/2015 03:55:08 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

Error: (04/24/2015 03:55:08 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.

Error: (04/24/2015 03:51:09 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/24/2015 03:39:30 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/24/2015 03:34:42 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.

System errors:
=============
Error: (04/24/2015 05:34:23 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}

Error: (04/24/2015 05:34:23 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (04/24/2015 05:34:16 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084EventSystem{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (04/24/2015 05:34:10 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084ShellHWDetection{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (04/24/2015 05:34:05 PM) (Source: Microsoft-Windows-WLAN-AutoConfig) (EventID: 10000) (User: NT AUTHORITY)
Description: WLAN Extensibility Module has failed to start.

Module Path: C:\Windows\system32\athihvs.dll
Error Code: 21

Error: (04/24/2015 05:33:47 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
AVGIDSDriver
Avgldx64
discache
pavboot
SASDIFSV
SASKUTIL
SBRE
spldr
Wanarpv6

Error: (04/24/2015 05:33:46 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Client Virtualization Handler service depends on the Application Virtualization Client service which failed to start because of the following error:
%%1068

Error: (04/24/2015 05:33:46 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The AVGIDSAgent service depends on the AVGIDSDriver service which failed to start because of the following error:
%%31

Error: (04/24/2015 05:33:43 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 15:58:03 on ‎24.‎04.‎2015 was unexpected.

Error: (04/24/2015 03:50:37 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
Avgldx64
SBRE

Microsoft Office Sessions:
=========================
Error: (04/24/2015 05:47:00 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (04/24/2015 05:47:00 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (04/24/2015 05:38:36 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (04/24/2015 05:38:36 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (04/24/2015 05:35:11 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/24/2015 03:55:08 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

Error: (04/24/2015 03:55:08 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: Performance1637070000000000000000000009030000

Error: (04/24/2015 03:51:09 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/24/2015 03:39:30 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (04/24/2015 03:34:42 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: WmiApRplWmiApRpl8F20300004D070000

CodeIntegrity Errors:
===================================
  Date: 2013-11-16 08:45:08.796
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-11-16 08:45:08.703
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-11-16 08:45:08.609
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-11-16 08:45:08.515
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-01-14 23:23:49.634
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-01-14 23:23:49.602
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-01-14 23:23:49.571
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-01-14 23:23:49.540
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-01-14 22:34:03.016
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2013-01-14 22:34:02.985
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel® Core™ i3-2330M CPU @ 2.20GHz
Percentage of memory in use: 14%
Total physical RAM: 6091.86 MB
Available physical RAM: 5220.26 MB
Total Pagefile: 12181.9 MB
Available Pagefile: 11223.46 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: (WINDOWS) (Fixed) (Total:297.45 GB) (Free:3.31 GB) NTFS
Drive d: (Data) (Fixed) (Total:298.33 GB) (Free:4.75 GB) NTFS
Drive f: () (Removable) (Total:1.87 GB) (Free:0.12 GB) FAT

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 596.2 GB) (Disk ID: 36578230)
Partition 1: (Active) - (Size=399 MB) - (Type=27)
Partition 2: (Not Active) - (Size=297.5 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=298.3 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 1.9 GB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=1.9 GB) - (Type=06)

==================== End Of Log ============================


  • 0

#4
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

No problem about the 64 bit; it got handled by you very nicely. Run the steps below and when the system reboots after the FRST script, let it start into normal mode (not Safe Modes) and then tell me how the system is acting.

First, some Uninstalls >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Coupon Printer for Windows
Panda ActiveScan 2.0
Search App by Ask
SpyHunter
TrojanHunter 5.6


To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


Second, run a FRST script >>>>


Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt
 

Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [2005896 2015-04-06] (APN)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk [2011-08-03]
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk [2011-08-03]
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Rolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D5A00E92F.lnk [2015-04-03]
ShortcutTarget: D5A00E92F.lnk -> C:\ProgramData\F29E00A5D.cpp ()
Startup: C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk [2013-11-09]
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001 -> {718D1279-5551-4431-9D31-25209CBFE6D3} URL = http://www.search.as...rms}&psv=&pt=tb
Toolbar: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001 -> No Name - {2E924F4F-67F0-4BD8-9560-49F468E843D2} - No File
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab
DPF: HKLM-x32 {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoft...s/as2stubie.cab
DPF: HKLM-x32 {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadbl...ivex/sabspx.cab
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @pandasecurity.com/activescan -> C:\Program Files (x86)\Panda Security\ActiveScan 2.0\npwrapper.dll [2010-07-27] (Panda Security, S.L.)
S2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [180632 2015-04-06] (APN LLC.)
S2 0258351358198765mcinstcleanup; C:\Users\Rolf\AppData\Local\Temp\025835~1.EXE -cleanup -nolog [X]
S0 pavboot; C:\Windows\System32\drivers\pavboot64.sys [33800 2009-06-30] (Panda Security, S.L.)
S3 Tosrfcom; No ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]
2015-04-24 15:41 - 2015-04-24 15:41 - 00000000 _____ () C:\Users\Rolf\Desktop\BDPUARLauncher_exe.t1wg6ya.partial
2015-04-24 12:09 - 2015-04-24 12:09 - 00000000 _____ () C:\Users\Rolf\Desktop\Antivirus_Free_Edition_exe.m9tzebh.partial
2015-04-24 12:08 - 2015-04-24 12:08 - 00000000 _____ () C:\Users\Rolf\Desktop\Antivirus_Free_Edition_exe.h6pijex.partial
2015-04-24 12:06 - 2015-04-23 10:46 - 00162208 _____ () C:\Users\Rolf\Desktop\bitdefender Antivirus_Free_Edition.exe
2015-04-20 15:15 - 2015-04-20 15:15 - 00176128 _____ () C:\ProgramData\F29E00A5D.cpp
CustomCLSID: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\vss_ps.dll No File
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\vss_ps.dll
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
Task: {042A2687-8629-451A-A2B8-0B1DE94AD7B8} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files (x86)\Ask.com\UpdateTask.exe <==== ATTENTION
C:\Program Files (x86)\Ask.com
Task: {6A18F084-75BA-4536-926C-3F04B242E1A2} - \Advanced-System Protector_startup No Task File <==== ATTENTION
Task: {9485F9F2-44CB-45AF-96FC-FC30776DBFE6} - \RegClean Pro No Task File <==== ATTENTION
AlternateDataStreams: C:\Users\Caroline\Downloads\Navn og tlf liste til foreldre.eml:OECustomProperty
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
RemoveProxy:
Reboot:
end


NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

Press%20the%20FIX%20button_zpsdd5zi3mt.p

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your next reply.


  • 0

#5
thecollectore

thecollectore

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts

Hi dbreeze,

 

After running the fix, the pop up is gone :D

 

Here's the Fix log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 23-04-2015 02
Ran by Rolf at 2015-04-25 07:27:15 Run:1
Running from C:\Users\Rolf\Desktop
Loaded Profiles: Rolf (Available profiles: Rolf & Caroline)
Boot Mode: Safe Mode (with Networking)
==============================================

Content of fixlist:
*****************
Start
 CreateRestorePoint:
 CloseProcesses:
 HKLM-x32\...\Run: [] => [X]
 HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [2005896 2015-04-06] (APN)
 Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk [2011-08-03]
 ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
 Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk [2011-08-03]
 ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
 Startup: C:\Users\Rolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D5A00E92F.lnk [2015-04-03]
 ShortcutTarget: D5A00E92F.lnk -> C:\ProgramData\F29E00A5D.cpp ()
 Startup: C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk [2013-11-09]
 ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
 HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
 HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
 SearchScopes: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001 -> {718D1279-5551-4431-9D31-25209CBFE6D3} URL = http://www.search.as...rms}&psv=&pt=tb
 Toolbar: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001 -> No Name - {2E924F4F-67F0-4BD8-9560-49F468E843D2} - No File
 DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab
 DPF: HKLM-x32 {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoft...s/as2stubie.cab
 DPF: HKLM-x32 {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadbl...ivex/sabspx.cab
 FF Plugin: @microsoft.com/GENUINE -> disabled No File
 FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
 FF Plugin-x32: @pandasecurity.com/activescan -> C:\Program Files (x86)\Panda Security\ActiveScan 2.0\npwrapper.dll [2010-07-27] (Panda Security, S.L.)
 S2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [180632 2015-04-06] (APN LLC.)
 S2 0258351358198765mcinstcleanup; C:\Users\Rolf\AppData\Local\Temp\025835~1.EXE -cleanup -nolog [X]
 S0 pavboot; C:\Windows\System32\drivers\pavboot64.sys [33800 2009-06-30] (Panda Security, S.L.)
 S3 Tosrfcom; No ImagePath
 S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]
 2015-04-24 15:41 - 2015-04-24 15:41 - 00000000 _____ () C:\Users\Rolf\Desktop\BDPUARLauncher_exe.t1wg6ya.partial
 2015-04-24 12:09 - 2015-04-24 12:09 - 00000000 _____ () C:\Users\Rolf\Desktop\Antivirus_Free_Edition_exe.m9tzebh.partial
 2015-04-24 12:08 - 2015-04-24 12:08 - 00000000 _____ () C:\Users\Rolf\Desktop\Antivirus_Free_Edition_exe.h6pijex.partial
 2015-04-24 12:06 - 2015-04-23 10:46 - 00162208 _____ () C:\Users\Rolf\Desktop\bitdefender Antivirus_Free_Edition.exe
 2015-04-20 15:15 - 2015-04-20 15:15 - 00176128 _____ () C:\ProgramData\F29E00A5D.cpp
 CustomCLSID: HKU\S-1-5-21-1450934602-1502259422-2229682122-1001_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\InprocServer32 -> C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\vss_ps.dll No File
 C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\vss_ps.dll
 C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
 Task: {042A2687-8629-451A-A2B8-0B1DE94AD7B8} - System32\Tasks\Scheduled Update for Ask Toolbar => C:\Program Files (x86)\Ask.com\UpdateTask.exe <==== ATTENTION
 C:\Program Files (x86)\Ask.com
 Task: {6A18F084-75BA-4536-926C-3F04B242E1A2} - \Advanced-System Protector_startup No Task File <==== ATTENTION
 Task: {9485F9F2-44CB-45AF-96FC-FC30776DBFE6} - \RegClean Pro No Task File <==== ATTENTION
 AlternateDataStreams: C:\Users\Caroline\Downloads\Navn og tlf liste til foreldre.eml:OECustomProperty
 cmd: ipconfig /flushdns
 cmd: netsh advfirewall reset
 cmd: netsh advfirewall set allprofiles state on
 RemoveProxy:
 Reboot:
 end
*****************

Error: Restore point can only be created in normal mode.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ApnTBMon => Value not found.
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk => Moved successfully.
C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe => Moved successfully.
C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk not found.
C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe not found.
C:\Users\Rolf\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D5A00E92F.lnk => Moved successfully.
C:\ProgramData\F29E00A5D.cpp => Moved successfully.
C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk => Moved successfully.
C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{718D1279-5551-4431-9D31-25209CBFE6D3}" => Key deleted successfully.
HKCR\CLSID\{718D1279-5551-4431-9D31-25209CBFE6D3} => Key not found.
HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2E924F4F-67F0-4BD8-9560-49F468E843D2} => value deleted successfully.
HKCR\CLSID\{2E924F4F-67F0-4BD8-9560-49F468E843D2} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{7530BFB8-7293-4D34-9923-61A11451AFC5}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{7530BFB8-7293-4D34-9923-61A11451AFC5} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{9191F686-7F0A-441D-8A98-2FE3AC1BD913} => Key not found.
HKCR\Wow6432Node\CLSID\{9191F686-7F0A-441D-8A98-2FE3AC1BD913} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{B1E2B96C-12FE-45E2-BEF1-44A219113CDD}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{B1E2B96C-12FE-45E2-BEF1-44A219113CDD}" => Key deleted successfully.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => Key deleted successfully.
HKLM\Software\Wow6432Node\MozillaPlugins\@pandasecurity.com/activescan => Key not found.
C:\Program Files (x86)\Panda Security\ActiveScan 2.0\npwrapper.dll not found.
APNMCP => Service not found.
0258351358198765mcinstcleanup => Service deleted successfully.
pavboot => Service not found.
Tosrfcom => Service deleted successfully.
catchme => Service deleted successfully.
SBRE => Service deleted successfully.
"C:\Users\Rolf\Desktop\BDPUARLauncher_exe.t1wg6ya.partial" => File/Directory not found.
"C:\Users\Rolf\Desktop\Antivirus_Free_Edition_exe.m9tzebh.partial" => File/Directory not found.
"C:\Users\Rolf\Desktop\Antivirus_Free_Edition_exe.h6pijex.partial" => File/Directory not found.
C:\Users\Rolf\Desktop\bitdefender Antivirus_Free_Edition.exe => Moved successfully.
"C:\ProgramData\F29E00A5D.cpp" => File/Directory not found.
"HKU\S-1-5-21-1450934602-1502259422-2229682122-1001_Classes\CLSID\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}" => Key deleted successfully.
"C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\vss_ps.dll" => File/Directory not found.
"C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{042A2687-8629-451A-A2B8-0B1DE94AD7B8}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{042A2687-8629-451A-A2B8-0B1DE94AD7B8}" => Key deleted successfully.
C:\Windows\System32\Tasks\Scheduled Update for Ask Toolbar => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Scheduled Update for Ask Toolbar" => Key deleted successfully.
"C:\Program Files (x86)\Ask.com" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6A18F084-75BA-4536-926C-3F04B242E1A2}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6A18F084-75BA-4536-926C-3F04B242E1A2}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Advanced-System Protector_startup" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{9485F9F2-44CB-45AF-96FC-FC30776DBFE6}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9485F9F2-44CB-45AF-96FC-FC30776DBFE6}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\RegClean Pro" => Key deleted successfully.
C:\Users\Caroline\Downloads\Navn og tlf liste til foreldre.eml => ":OECustomProperty" ADS removed successfully.

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  netsh advfirewall reset =========

Ok.

========= End of CMD: =========

=========  netsh advfirewall set allprofiles state on =========

Ok.

========= End of CMD: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully.
HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value deleted successfully.
HKU\S-1-5-21-1450934602-1502259422-2229682122-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value deleted successfully.

========= End of RemoveProxy: =========

 

The system needed a reboot.

==== End of Fixlog 07:27:18 ====


  • 0

#6
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

Glad to hear that!!
 
First, scan with JRT >>>

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open an Command Prompt window and run from there (this is normal for this program, so not to be alarmed).

When it is asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.


Second, scan with AdwCleaner >>>>


AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

    AdwCleaner_v4111_zpsn56hzjza.png
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot, allow this

    adwcleaner_delete_restart.jpg
  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt
  • Optional:

    NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.



    Information to Reply with >>>>
    • The JRT.txt log file.
    • The AdwCleaner[S#].txt log file.

  • 0

#7
thecollectore

thecollectore

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts

Hi dbreeze!

 

For some reason I'm not able to download any of the files, when promted whether to Open, Save, Save As, Save and Open or Cancel - none of the option works. Nothing happens.. strange. So I download the files from another laptop, then to a memory stick, and then over to the desktop on the infected laptop. Don't know if this is a hint that there's still some infections somewhere? :upset:

 

Anyway, here's the log files;

 

The JRT.txt log file:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.6.3 (04.25.2015:1)
OS: Windows 7 Home Premium x64
Ran by Rolf on 25.04.2015 at 22:24:32,20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Tasks

 

~~~ Registry Values

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}

 

~~~ Files

Successfully deleted: [File] C:\Windows\prefetch\GOOGLETOOLBARMANAGER_BA9226F4-3D073F18.pf
Successfully deleted: [File] C:\Windows\prefetch\GOOGLETOOLBARNOTIFIER.EXE-7AE0A20E.pf

 

~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\Rolf\appdata\local\{191A5604-A578-41FF-AD20-BC54A72349A3}
Successfully deleted: [Empty Folder] C:\Users\Rolf\appdata\local\{984D9BDF-616A-4E2C-9D50-3D157D4DC588}
Successfully deleted: [Folder] C:\ProgramData\apn
Successfully deleted: [Folder] C:\ProgramData\systweak
Successfully deleted: [Folder] C:\Users\Rolf\AppData\Roaming\asp
Successfully deleted: [Folder] C:\Users\Rolf\AppData\Roaming\systweak
Successfully deleted: [Folder] C:\ProgramData\Chief Architect Premier X7

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 25.04.2015 at 22:27:11,06
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

The AdwCleaner[S#].txt log file:

 

# AdwCleaner v4.202 - Logfile created 25/04/2015 at 22:35:14
# Updated 23/04/2015 by Xplode
# Database : 2015-04-23.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Rolf - ROLF-TOSH
# Running from : C:\Users\Rolf\Desktop\adwcleaner_4.202.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : vToolbarUpdater18.3.0

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\Program Files (x86)\AVG Secure Search
Folder Deleted : C:\Program Files (x86)\AVG Security Toolbar
Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
Folder Deleted : C:\Users\Caroline\AppData\Local\AVG Secure Search
Folder Deleted : C:\Users\Caroline\AppData\LocalLow\AVG Secure Search
Folder Deleted : C:\Users\Caroline\AppData\Roaming\Systweak
Folder Deleted : C:\Users\Rolf\AppData\Local\AVG Secure Search
Folder Deleted : C:\Users\Rolf\AppData\LocalLow\AVG Secure Search
File Deleted : C:\Windows\System32\roboot64.exe

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHelper.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ViProtocol.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.BrowserWndAPI.1
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj
Key Deleted : HKLM\SOFTWARE\Classes\AVG Secure Search.PugiObj.1
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\protocols\handler\viprotocol
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE
Key Deleted : HKLM\SOFTWARE\Classes\ViProtocol.ViProtocolOLE.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{1FDFF5A2-7BB1-48E1-8081-7236812B12B2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BB711CB0-C70B-482E-9852-EC05EBD71DBB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{408CFAD9-8F13-4747-8EC7-770A339C7237}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{933B95E2-E7B7-4AD9-B952-7AC336682AE3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B658800C-F66E-4EF3-AB85-6C0C227862A9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{07CAC314-E962-4F78-89AB-DD002F2490EE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{74FB6AFD-DD77-4CEB-83BD-AB2B63E63C93}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2AC8A0E-E48E-484B-A71C-C7A937FAAB94}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C6FDD0C3-266A-4DC3-B459-28C697C44CDC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{95B7759C-8C7F-4BF1-B163-73684A933233}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E92DB5F-AAD9-49D3-8EAB-B40CBE5B1FF7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C401D2CE-DC27-45C7-BC0C-8E6EA7F085D6}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\AVG Secure Search
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\systweak
Key Deleted : HKLM\SOFTWARE\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\systweak
Key Deleted : HKU\.DEFAULT\Software\AskPartnerNetwork
Key Deleted : HKU\.DEFAULT\Software\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG Secure Search
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0E12F736682067FDE4D1158D5940A82E
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1A24B5BB8521B03E0C8D908F5ABC0AE6
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\261F213D1F55267499B1F87D0CC3BCF7
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2B0D56C4F4C46D844A57FFED6F0D2852
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\49D4375FE41653242AEA4C969E4E65E0
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6AA0923513360135B272E8289C5F13FA
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F7467AF8F29C134CBBAB394ECCFDE96
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\741B4ADF27276464790022C965AB6DA8
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7DE196B10195F5647A2B21B761F3DE01
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\922525DCC5199162F8935747CA3D8E59
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\9D4F5849367142E4685ED8C25E44C5ED
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5875B04372C19545BEB90D4D606C472
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A876D9E80B896EC44A8620248CC79296
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B66FFAB725B92594C986DE826A867888
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\BCDA179D619B91648538E3394CAC94CC
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D677B1A9671D4D4004F6F2A4469E86EA
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD1402A9DD4215A43ABDE169A41AFA0E
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E36E114A0EAD2AD46B381D23AD69CDDF
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF8E618DB3AEDFBB384561B5C548F65E
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9

***** [ Web browsers ] *****

-\\ Internet Explorer v10.0.9200.16660

-\\ Google Chrome v42.0.2311.90

*************************

AdwCleaner[R0].txt - [8738 bytes] - [25/04/2015 22:32:50]
AdwCleaner[S0].txt - [8607 bytes] - [25/04/2015 22:35:14]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [8666  bytes] ##########


  • 0

#8
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

First, Reset IE options >>>>

Please try resetting the Internet Options to see if that was the problem with the downloads.

Click on Start > Control Panel > Internet Options.

Click Advanced tab.

Click on the Reset... button on the bottom part of the page in the Reset Internet Explorer settings section.

Click Reset in the next window and follow the popups. Restart your system and see if the problem is solved now.


Second, a Malwarebytes' Antimalware scan >>>>

Malwarebytes' Anti-Malware
Please download the latest version of Malwarebytes' Anti-Malware from here .

Double Click on the mbam-setup.exe file to install the application.

Do not check on the Trial of Professional version. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link
Main%20Screen_zpsnnwza0ky.png

Once updated, please select Settings > Detection and Protection. Please ensure that "Scan for Rootkits" is selected along with Non-Malware Protection PUP and PUM are set to "Treat detections as malware"
Detection%20Settings_zpsaviydqil.png

Once the program has loaded and updated, select "Scan Now >>" to start the scan.
Main%20Screen_zpsnnwza0ky.png

The scan may take some time to finish, so please be patient.
mbam21-scaninprogress_zps38w26yvt.jpg

If any malware is found, you will be presented with a screen like the one below.
mbam21-removeselected_zpsg83p7wis.jpg

Make sure that everything is checked, and click Remove Selected. when the removal is completed, a summary screen will be presented.
mbam21-saveresults_zpszocfy4qr.jpg

At the bottom of this screen, click on Save Results and then on Text file (*.txt). Save the file to your desktop and click OK. Click Finish to return to the main screen and then close Malwarebytes.
mbam21-finish_zpshfl56bcn.jpg

Double click on log file you saved to your desktop; the log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + c) it to paste here in a reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.


  • 0

#9
thecollectore

thecollectore

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts

Hi dbreeze!

 

Tried the Reset in the Advanced tab, but the issue remains the same. Not able to Open or Save anything.

 

So Malware was downloaded from another lap top, memorystick and then onto the infected lap top. Results were good - nothing found! :D

 

Here's the log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 26.04.2015
Scan Time: 23:49:40
Logfile: Malw results.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.04.26.05
Rootkit Database: v2015.04.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Rolf

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 498069
Time Elapsed: 48 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

So seems only issue now is the Save functionality, or?

 

Best regards, thecollectore


  • 0

#10
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

Let's check on the services that are running (or not) on this system.  You can download this on a different system and transfer the files back and forth.
 

Please download Farbar Service Scanner to your desktop and double click on the file to run it.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

  • 0

Advertisements


#11
thecollectore

thecollectore

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts

Hi dbreeze,

 

Here's the log after running the Farbar Service Scanner as instructed;

 

Farbar Service Scanner Version: 17-01-2015
Ran by Rolf (administrator) on 27-04-2015 at 18:06:06
Running from "C:\Users\Rolf\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****


  • 0

#12
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

Please see if this will get Windows Defender running again:

 

  1. Open Windows Defender by clicking the Start button 4f6cbd09-148c-4dd8-b1f2-48f232a2fd33_818. In the search box, type Defender, and then, in the list of results, click Windows Defender.

  2. Click Tools, and then click Options.

  3. Click Administrator, select or clear the Use this program check box, and then click Save. 18abb370-ac1e-4b6b-b663-e028a75bf05b_48. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

(Further instructions and notes can be found here.)

 


  • 0

#13
thecollectore

thecollectore

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts

Hi dbreeze,

 

I did as instructed and also took all windows updates which apparantly took me up to Explorer 11. Now I am able to Save as again :yeah:

 

So am I clean and good to go?

 

Best regards, thecollectore


  • 0

#14
dbreeze

dbreeze

    Trusted Helper

  • Malware Removal
  • 2,213 posts

I would like to at least get a Malwarebytes' Antimalware scan done and then we will see where things stand.

 

Your version of Malwarebytes' Antimalware is out of date.  This will take care of that and get the scan done also.

 

Malwarebytes' Anti-Malware
Please download the latest version of Malwarebytes' Anti-Malware from here .

Double Click on the mbam-setup.exe file to install the application.

The install should see that you have the program installed and then make this an update to that program. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link
Main%20Screen_zpsnnwza0ky.png

Once updated, please select Settings > Detection and Protection. Please ensure that "Scan for Rootkits" is selected along with Non-Malware Protection PUP and PUM are set to "Treat detections as malware"
Detection%20Settings_zpsaviydqil.png

Once the settings have been configured, select the Dashboard tab to return to the Main screen and select "Scan Now >>" to start the scan.
Main%20Screen_zpsnnwza0ky.png

The scan may take some time to finish, so please be patient.
mbam21-scaninprogress_zps38w26yvt.jpg

If any malware is found, you will be presented with a screen like the one below.
mbam21-removeselected_zpsg83p7wis.jpg

Please click on the Save Results >> link / button and select the As text file from the dropdown list. I would suggest you save the file on your desktop (as we need the report attached here for review and it is easy to find on the desktop).

After you have saved the report file, return to the Potential Threats Detected page and click on Cancel. You can close MBAM after that.

Please attach the report file to a post here; I will review the file and script what needs to be removed.
 


  • 0

#15
thecollectore

thecollectore

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 30.04.2015
Scan Time: 08:03:33
Logfile: malw 3004.txt
Administrator: Yes

Version: 2.01.6.1022
Malware Database: v2015.04.30.02
Rootkit Database: v2015.04.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Rolf

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 500159
Time Elapsed: 36 min, 58 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP