[RESOLVED] Infected laptop

**HandsomeDevil** · October 31st, 2014, 06:22 AM

Updated MBAR and MBAM, and both are showing clean.

MBAR

Malwarebytes Anti-Rootkit BETA 1.07.0.1012
www.malwarebytes.org

Database version: v2014.10.31.03

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
presentation :: QHSE [administrator]

31/10/2014 09:07:01
mbar-log-2014-10-31 (09-07-01).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 296894
Time elapsed: 20 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

MBAM

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 31/10/2014
Scan Time: 09:32:41
Logfile: mbam-complete2.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.31.03
Rootkit Database: v2014.10.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7
CPU: x86
File System: NTFS
User: presentation

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 295901
Time Elapsed: 40 min, 15 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

**Broni** · October 31st, 2014, 04:14 PM

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Never rename Combofix unless instructed.
Close any open browsers.
Very Important! Temporarily disable your anti-virus and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
If the connection is not there use restore point you created prior to running Combofix.
Double click on combofix.exe & follow the prompts.

NOTE1. If Combofix asks you to install Recovery Console, please allow it.
NOTE 2. If Combofix asks you to update the program, always do so.

When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error Illegal operation attempted on a registery key that has been marked for deletion, restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode

Double-click on the Rkill desktop icon to run the tool.
If using Vista or Windows 7 right-click on it and choose Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
Do not reboot until instructed.
If the tool does not run from any of the links provided, please let me know.

When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.

**HandsomeDevil** · October 31st, 2014, 05:22 PM

ComboFix

ComboFix 14-10-29.01 - presentation 31/10/2014 20:41:55.1.1 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.960.560 [GMT 0:00]
Running from: c:\users\presentation\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\presentation\AppData\Local\fnvbeaat.log
c:\users\presentation\AppData\Local\genhvbuc.log
c:\users\presentation\AppData\Local\hedwtixv.log
c:\users\presentation\AppData\Local\mtyhvtrp.log
c:\users\presentation\AppData\Local\omseirkq.log
c:\users\presentation\AppData\Local\rhumkfnu.log
c:\users\presentation\AppData\Local\sbitncvq.log
c:\users\presentation\AppData\Local\whxxkgvb.log
.
.
((((((((((((((((((((((((( Files Created from 2014-09-28 to 2014-10-31 )))))))))))))))))))))))))))))))
.
.
2014-10-31 20:56 . 2014-10-31 20:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-31 09:06 . 2014-10-31 09:30 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-10-30 23:18 . 2014-10-30 23:18 34808 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-10-30 23:17 . 2014-10-30 23:17 -------- d-----w- c:\programdata\RogueKiller
2014-10-30 09:08 . 2014-10-30 09:08 -------- d-----w- C:\TDSSKiller_Quarantine
2014-10-29 14:53 . 2014-10-29 14:53 -------- d--h--w- c:\windows\PIF
2014-10-29 10:09 . 2014-10-31 09:32 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-29 10:09 . 2014-10-31 09:01 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-29 10:09 . 2014-10-01 11:11 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-29 10:09 . 2014-10-01 11:11 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-10-24 13:43 . 2014-10-24 13:43 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2014-10-23 15:34 . 2014-10-29 10:09 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-10-23 15:25 . 2014-10-29 10:02 -------- d-----w- c:\users\presentation\AppData\Roaming\Malwarebytes
2014-10-23 15:25 . 2014-10-29 10:02 -------- d-----w- c:\programdata\Malwarebytes
2014-10-23 15:24 . 2014-10-23 15:24 -------- d-----w- c:\users\presentation\AppData\Local\Programs
2014-10-23 13:37 . 2014-10-23 13:37 -------- d-----w- c:\users\presentation\AppData\Roaming\AVG2015
2014-10-23 13:33 . 2014-10-23 13:33 -------- d-----w- c:\users\presentation\AppData\Roaming\TuneUp Software
2014-10-23 13:06 . 2014-10-29 13:06 -------- d-----w- C:\$AVG
2014-10-23 13:06 . 2014-10-29 13:54 -------- d-----w- c:\programdata\AVG2015
2014-10-23 12:57 . 2014-10-23 13:49 -------- d-----w- c:\users\presentation\AppData\Local\Avg2015
2014-10-23 12:57 . 2014-10-23 12:57 -------- d--h--w- c:\programdata\Common Files
2014-10-23 12:57 . 2014-10-29 13:54 -------- d-----w- c:\programdata\MFAData
2014-10-23 12:57 . 2014-10-23 12:57 -------- d-----w- c:\users\presentation\AppData\Local\MFAData
2014-10-23 11:56 . 2014-10-23 11:56 -------- d-----w- C:\%APPDATA%
2014-10-23 11:49 . 2014-10-23 11:49 -------- d-----w- c:\program files\ImgBurn
2014-10-23 11:17 . 2014-10-23 11:17 -------- d-sh--w- c:\windows\system32\%APPDATA%
2014-10-22 10:56 . 2014-10-23 15:12 -------- d-----w- c:\users\presentation\AppData\Roaming\Loqanea
2014-10-22 09:20 . 2014-10-23 15:12 -------- d-----w- c:\users\presentation\AppData\Roaming\Ykynpib
2014-10-22 05:55 . 2014-10-23 15:15 -------- d-----w- c:\users\presentation\AppData\Roaming\Yhluy
2014-10-22 05:55 . 2014-10-22 07:33 -------- d-----w- c:\users\presentation\AppData\Roaming\Usufr
2014-10-21 17:17 . 2014-10-23 15:19 -------- d-----w- c:\users\presentation\AppData\Local\dkmeuwbp
2014-10-16 11:36 . 2014-10-23 13:45 -------- d-----w- c:\users\presentation\AppData\Roaming\Neenal
2014-10-16 11:08 . 2014-10-23 15:12 -------- d-----w- c:\users\presentation\AppData\Roaming\Ihgaxy
2014-10-11 07:57 . 2014-10-23 15:12 -------- d-----w- c:\users\presentation\AppData\Roaming\Idqulav
2014-10-08 09:55 . 2014-10-08 09:55 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-10-08 09:55 . 2014-10-08 09:55 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-10-08 09:48 . 2014-10-23 15:15 -------- d-----w- c:\programdata\ZoxedEnxag
2014-10-08 09:45 . 2014-10-23 14:03 -------- d-----w- c:\programdata\GoziVfoxe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mobile Partner"="c:\program files\3MobileWiFi\3MobileWiFi" [X]
"Akamai NetSession Interface"="c:\users\presentation\AppData\Local\Akamai\netsession_win.exe" [2014-04-17 4672920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2010-05-17 770728]
"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2010-05-17 148280]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
TP-LINK Wireless Configuration Utility.lnk - c:\program files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe -nogui [2013-11-20 841728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-06-22 112128]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-07-24 101248]
R3 RTL8192cu;TP-LINK 300Mbps Mini Wireless N USB Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys [2011-04-08 801896]
S2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe [2010-04-14 598696]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-10-21 19:10 1089352 ----a-w- c:\program files\Google\Chrome\Application\38.0.2125.104\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-10-08 09:55]
.
2014-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-07 14:01]
.
2014-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-07 14:01]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.40.200 192.168.40.1
.
.
------- File Associations -------
.
.scr=AutoCADLTScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-06779437.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\windows\system32\slmdmsr.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\SOUNDMAN.EXE
c:\windows\system32\sppsvc.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2014-10-31 21:08:01 - machine was rebooted
ComboFix-quarantined-files.txt 2014-10-31 21:08
.
Pre-Run: 6,812,549,120 bytes free
Post-Run: 6,755,999,744 bytes free
.
- - End Of File - - A42EF81159FD91FFD8978E3F1CD09FFB
A36C5E4F47E84449FF07ED3517B43A31

**Broni** · October 31st, 2014, 06:00 PM

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

File::

Folder::
c:\programdata\GoziVfoxe
c:\programdata\ZoxedEnxag
c:\users\presentation\AppData\Roaming\Idqulav
c:\users\presentation\AppData\Roaming\Ihgaxy
c:\users\presentation\AppData\Roaming\Neenal
c:\users\presentation\AppData\Local\dkmeuwbp
c:\users\presentation\AppData\Roaming\Usufr
c:\users\presentation\AppData\Roaming\Yhluy
c:\users\presentation\AppData\Roaming\Ykynpib
c:\users\presentation\AppData\Roaming\Loqanea

Driver::

Registry::

ClearJavaCache::

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt

**HandsomeDevil** · October 31st, 2014, 07:04 PM

ComboFix

ComboFix 14-10-29.01 - presentation 31/10/2014 22:45:24.2.1 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.44.1033.18.960.546 [GMT 0:00]
Running from: c:\users\presentation\Desktop\ComboFix.exe
Command switches used :: c:\users\presentation\Desktop\CFScript.txt.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\GoziVfoxe
c:\programdata\ZoxedEnxag
c:\users\presentation\AppData\Local\dkmeuwbp
c:\users\presentation\AppData\Roaming\Idqulav
c:\users\presentation\AppData\Roaming\Ihgaxy
c:\users\presentation\AppData\Roaming\Loqanea
c:\users\presentation\AppData\Roaming\Neenal
c:\users\presentation\AppData\Roaming\Usufr
c:\users\presentation\AppData\Roaming\Yhluy
c:\users\presentation\AppData\Roaming\Ykynpib
.
.
((((((((((((((((((((((((( Files Created from 2014-09-28 to 2014-10-31 )))))))))))))))))))))))))))))))
.
.
2014-10-31 22:55 . 2014-10-31 22:55 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-10-31 09:06 . 2014-10-31 09:30 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2014-10-30 23:18 . 2014-10-30 23:18 34808 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-10-30 23:17 . 2014-10-30 23:17 -------- d-----w- c:\programdata\RogueKiller
2014-10-30 09:08 . 2014-10-30 09:08 -------- d-----w- C:\TDSSKiller_Quarantine
2014-10-29 14:53 . 2014-10-29 14:53 -------- d--h--w- c:\windows\PIF
2014-10-29 10:09 . 2014-10-31 09:32 114904 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-10-29 10:09 . 2014-10-31 09:01 75480 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-10-29 10:09 . 2014-10-01 11:11 51928 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-10-29 10:09 . 2014-10-01 11:11 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-10-24 13:43 . 2014-10-24 13:43 -------- d-----w- c:\windows\system32\%LOCALAPPDATA%
2014-10-23 15:34 . 2014-10-29 10:09 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-10-23 15:25 . 2014-10-29 10:02 -------- d-----w- c:\users\presentation\AppData\Roaming\Malwarebytes
2014-10-23 15:25 . 2014-10-29 10:02 -------- d-----w- c:\programdata\Malwarebytes
2014-10-23 15:24 . 2014-10-23 15:24 -------- d-----w- c:\users\presentation\AppData\Local\Programs
2014-10-23 13:37 . 2014-10-23 13:37 -------- d-----w- c:\users\presentation\AppData\Roaming\AVG2015
2014-10-23 13:33 . 2014-10-23 13:33 -------- d-----w- c:\users\presentation\AppData\Roaming\TuneUp Software
2014-10-23 13:06 . 2014-10-29 13:06 -------- d-----w- C:\$AVG
2014-10-23 13:06 . 2014-10-29 13:54 -------- d-----w- c:\programdata\AVG2015
2014-10-23 12:57 . 2014-10-23 13:49 -------- d-----w- c:\users\presentation\AppData\Local\Avg2015
2014-10-23 12:57 . 2014-10-23 12:57 -------- d--h--w- c:\programdata\Common Files
2014-10-23 12:57 . 2014-10-29 13:54 -------- d-----w- c:\programdata\MFAData
2014-10-23 12:57 . 2014-10-23 12:57 -------- d-----w- c:\users\presentation\AppData\Local\MFAData
2014-10-23 11:56 . 2014-10-23 11:56 -------- d-----w- C:\%APPDATA%
2014-10-23 11:49 . 2014-10-23 11:49 -------- d-----w- c:\program files\ImgBurn
2014-10-23 11:17 . 2014-10-23 11:17 -------- d-sh--w- c:\windows\system32\%APPDATA%
2014-10-08 09:55 . 2014-10-08 09:55 701104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-10-08 09:55 . 2014-10-08 09:55 71344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mobile Partner"="c:\program files\3MobileWiFi\3MobileWiFi" [X]
"Akamai NetSession Interface"="c:\users\presentation\AppData\Local\Akamai\netsession_win.exe" [2014-04-17 4672920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SoundMan"="SOUNDMAN.EXE" [2009-04-14 604704]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
"lxecmon.exe"="c:\program files\Lexmark Pro800-Pro900 Series\lxecmon.exe" [2010-05-17 770728]
"EzPrint"="c:\program files\Lexmark Pro800-Pro900 Series\ezprint.exe" [2010-05-17 148280]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2013-05-30 96056]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
TP-LINK Wireless Configuration Utility.lnk - c:\program files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe -nogui [2013-11-20 841728]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCAHealth"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-06-22 112128]
R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-07-24 101248]
R3 RTL8192cu;TP-LINK 300Mbps Mini Wireless N USB Adapter;c:\windows\system32\DRIVERS\RTL8192cu.sys [2011-04-08 801896]
S2 lxec_device;lxec_device;c:\windows\system32\lxeccoms.exe [2010-04-14 598696]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-10-21 19:10 1089352 ----a-w- c:\program files\Google\Chrome\Application\38.0.2125.104\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-10-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-10-08 09:55]
.
2014-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-07 14:01]
.
2014-10-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-07 14:01]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_15_0_0_167_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-10-31 22:59:21
ComboFix-quarantined-files.txt 2014-10-31 22:59
ComboFix2.txt 2014-10-31 21:08
.
Pre-Run: 6,654,779,392 bytes free
Post-Run: 7,931,117,568 bytes free
.
- - End Of File - - AD6A8E239435A86B5C5E115A95562F48
A36C5E4F47E84449FF07ED3517B43A31

**Broni** · October 31st, 2014, 07:19 PM

Good

Please download AdwCleaner by Xplode onto your desktop.

Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Scan button.
When the scan has finished click on Clean button.
Your computer will be rebooted automatically. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please copy and paste it to your reply.

**HandsomeDevil** · October 31st, 2014, 07:30 PM

AdwCleaner

# AdwCleaner v3.311 - Report created 31/10/2014 at 23:25:00
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Ultimate (32 bits)
# Username : presentation - QHSE
# Running from : C:\Users\presentation\Desktop\adwcleaner_3.311.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.7600.16385

-\\ Google Chrome v38.0.2125.104

[ File : C:\Users\presentation\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************

AdwCleaner[R0].txt - [928 octets] - [31/10/2014 23:23:14]
AdwCleaner[S0].txt - [854 octets] - [31/10/2014 23:25:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [913 octets] ##########

JRT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.21.2014:1)
OS: Windows 7 Ultimate x86
Ran by presentation on 31/10/2014 at 23:33:12.68
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\taskeng_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\taskeng_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\taskhost_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\taskhost_RASMANCS

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 31/10/2014 at 23:36:23.12
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FRST - FRST

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 30-10-2014 01
Ran by presentation (administrator) on QHSE on 31-10-2014 23:42:00
Running from C:\Users\presentation\Desktop
Loaded Profile: presentation (Available profiles: presentation)
Platform: Microsoft Windows 7 Ultimate (X86) OS Language: English (United States)
Internet Explorer Version 8
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

( ) C:\Windows\System32\lxeccoms.exe
( ) C:\Windows\System32\slmdmsr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
(Realtek Semiconductor Corp.) C:\Windows\SOUNDMAN.EXE
() C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe
() C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
(Akamai Technologies, Inc.) C:\Users\presentation\AppData\Local\Akamai\netsession_win.exe
(Akamai Technologies, Inc.) C:\Users\presentation\AppData\Local\Akamai\netsession_win.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31016 2006-10-27] (Microsoft Corporation)
HKLM\...\Run: [SoundMan] => C:\Windows\SOUNDMAN.EXE [604704 2009-04-14] (Realtek Semiconductor Corp.)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKLM\...\Run: [lxecmon.exe] => C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe [770728 2010-05-17] ()
HKLM\...\Run: [EzPrint] => C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe [148280 2010-05-17] ()
HKLM\...\Run: [HP Software Update] => C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM Group Policy restriction on software: <====== ATTENTION
HKLM Group Policy restriction on software: <====== ATTENTION
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 0
HKLM\...\Policies\Explorer: [HideSCAHealth] 0
HKU\S-1-5-21-2352433161-3608982554-448722011-1000\...\Run: [Mobile Partner] => C:\Program Files\3MobileWiFi\3MobileWiFi
HKU\S-1-5-21-2352433161-3608982554-448722011-1000\...\Run: [Akamai NetSession Interface] => C:\Users\presentation\AppData\Local\Akamai\netsession_win.exe [4672920 2014-04-17] (Akamai Technologies, Inc.)
HKU\S-1-5-21-2352433161-3608982554-448722011-1000\...\Policies\Explorer: [TaskbarNoNotification] 0
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
ShortcutTarget: AutoCAD Startup Accelerator.lnk -> C:\Program Files\Common Files\Autodesk Shared\acstart16.exe (Autodesk, Inc)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TP-LINK Wireless Configuration Utility.lnk
ShortcutTarget: TP-LINK Wireless Configuration Utility.lnk -> C:\Program Files\TP-LINK\TP-LINK Wireless Configuration Utility\TWCU.exe ()
ShellIconOverlayIdentifiers: [AutoCAD Digital Signatures Icon Overlay Handler] -> {36A21736-36C2-4C11-8ACB-D4136F2B57BD} => C:\Windows\system32\AcSignIcon.dll (Autodesk, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x9F44847E62ECCF01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-gb
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO: Lexmark Toolbar -> {1017A80C-6F09-4548-A84D-EDD6AC9525F0} -> C:\Program Files\Lexmark Toolbar\toolband.dll ()
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> C:\Program Files\Google\GoogleToolbarNotifier\5.7.9012.1008\swg.dll (Google Inc.)
BHO: Lexmark Printable Web -> {D2C5E510-BE6D-42CC-9F61-E4F939078474} -> C:\Program Files\Lexmark Printable Web\bho.dll ()
Toolbar: HKLM - Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Google Toolbar - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
Toolbar: HKCU - Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

Chrome:
=======
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\38.0.2125.104\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\38.0.2125.104\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\38.0.2125.104\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll No File
CHR Profile: C:\Users\presentation\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\presentation\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-04-10]
CHR Extension: (Google Drive) - C:\Users\presentation\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-04-10]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\presentation\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-29]
CHR Extension: (YouTube) - C:\Users\presentation\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-04-10]
CHR Extension: (Google Search) - C:\Users\presentation\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-04-10]
CHR Extension: (HP Smart Print) - C:\Users\presentation\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmpaiomihcebnclahoknbodeiaiohcdi [2014-04-10]
CHR Extension: (Google Wallet) - C:\Users\presentation\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-14]
CHR Extension: (Gmail) - C:\Users\presentation\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-04-10]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 lxec_device; C:\Windows\system32\lxeccoms.exe [598696 2010-04-14] ( )
R2 SLService; C:\Windows\system32\slmdmsr.exe [61440 2005-05-10] ( )

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 ALCXWDM; C:\Windows\System32\drivers\RTKVAC.SYS [4172832 2009-06-18] (Realtek Semiconductor Corp.)
R3 FETNDIS; C:\Windows\System32\DRIVERS\fetnd6.sys [44032 2009-07-13] (VIA Technologies, Inc. )
R3 Mtlmnt5; C:\Windows\System32\DRIVERS\SLDRV\Mtlmnt5.sys [237616 2005-05-10] ( )
S3 Mtlstrm; C:\Windows\System32\DRIVERS\SLDRV\Mtlstrm.sys [1464912 2005-06-21] ( )
R0 RecAgent; C:\Windows\System32\DRIVERS\SLDRV\RecAgent.sys [14680 2005-05-10] ( )
S3 RTL8192cu; C:\Windows\System32\DRIVERS\RTL8192cu.sys [801896 2011-04-08] (Realtek Semiconductor Corporation )
R3 Slntamr; C:\Windows\System32\DRIVERS\SLDRV\slntamr.sys [698848 2005-05-10] ( )
S3 SlNtHal; C:\Windows\System32\DRIVERS\SLDRV\Slnthal.sys [101512 2005-10-19] ( )
R3 SlWdmSup; C:\Windows\System32\DRIVERS\SLDRV\SlWdmSup.sys [13248 2005-05-10] ( )
S3 catchme; \??\C:\Users\PRESEN~1\AppData\Local\Temp\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-31 23:42 - 2014-10-31 23:42 - 00009850 _____ () C:\Users\presentation\Desktop\FRST.txt
2014-10-31 23:41 - 2014-10-31 23:42 - 00000000 ____D () C:\FRST
2014-10-31 23:39 - 2014-10-31 23:39 - 01105408 _____ (Farbar) C:\Users\presentation\Desktop\FRST.exe
2014-10-31 23:36 - 2014-10-31 23:36 - 00001036 _____ () C:\Users\presentation\Desktop\JRT.txt
2014-10-31 23:33 - 2014-10-31 23:33 - 00000000 ____D () C:\Windows\ERUNT
2014-10-31 23:30 - 2014-10-31 23:30 - 01706144 _____ (Thisisu) C:\Users\presentation\Desktop\JRT.exe
2014-10-31 23:23 - 2014-10-31 23:25 - 00000000 ____D () C:\AdwCleaner
2014-10-31 23:22 - 2014-10-31 23:22 - 01375089 _____ () C:\Users\presentation\Desktop\adwcleaner_3.311.exe
2014-10-31 22:59 - 2014-10-31 22:59 - 00008742 _____ () C:\ComboFix.txt
2014-10-31 20:39 - 2014-10-31 22:59 - 00000000 ____D () C:\Qoobox
2014-10-31 20:39 - 2011-06-26 06:45 - 00256000 _____ () C:\Windows\PEV.exe
2014-10-31 20:39 - 2010-11-07 17:20 - 00208896 _____ () C:\Windows\MBR.exe
2014-10-31 20:39 - 2009-04-20 04:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2014-10-31 20:39 - 2000-08-31 00:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2014-10-31 20:39 - 2000-08-31 00:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2014-10-31 20:39 - 2000-08-31 00:00 - 00098816 _____ () C:\Windows\sed.exe
2014-10-31 20:39 - 2000-08-31 00:00 - 00080412 _____ () C:\Windows\grep.exe
2014-10-31 20:39 - 2000-08-31 00:00 - 00068096 _____ () C:\Windows\zip.exe
2014-10-31 20:38 - 2014-10-31 21:04 - 00000000 ____D () C:\Windows\erdnt
2014-10-31 20:38 - 2014-10-31 20:32 - 05591672 ____R (Swearware) C:\Users\presentation\Desktop\ComboFix.exe
2014-10-31 10:13 - 2014-10-31 10:13 - 00001055 _____ () C:\Users\presentation\Desktop\mbam-complete2.txt
2014-10-31 09:06 - 2014-10-31 09:30 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2014-10-30 23:37 - 2014-10-31 09:30 - 00000000 ____D () C:\Users\presentation\Desktop\mbar
2014-10-30 23:31 - 2014-10-30 23:27 - 14349744 _____ (Malwarebytes Corp.) C:\Users\presentation\Desktop\mbar-1.07.0.1012.exe
2014-10-30 23:29 - 2014-10-30 23:29 - 00003429 _____ () C:\Users\presentation\Desktop\RKreport_DEL_10302014_232831.log
2014-10-30 23:18 - 2014-10-30 23:18 - 00034808 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-10-30 23:17 - 2014-10-30 23:17 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-30 23:16 - 2014-10-30 23:12 - 14670424 _____ () C:\Users\presentation\Desktop\RogueKiller.exe
2014-10-30 23:13 - 2014-10-30 23:13 - 00009514 _____ () C:\Users\presentation\Desktop\dds.txt
2014-10-30 09:08 - 2014-10-30 09:08 - 00000000 ____D () C:\TDSSKiller_Quarantine
2014-10-30 09:06 - 2014-10-30 08:54 - 04184008 _____ (Kaspersky Lab ZAO) C:\Users\presentation\Desktop\tdsskiller.exe
2014-10-29 16:03 - 2014-10-29 16:03 - 00001586 _____ () C:\Users\presentation\Desktop\mbam2.txt
2014-10-29 14:53 - 2014-10-29 14:53 - 00000000 ___HD () C:\Windows\PIF
2014-10-29 11:42 - 2014-10-30 23:13 - 00008173 _____ () C:\Users\presentation\Desktop\attach.txt
2014-10-29 11:04 - 2014-10-29 09:45 - 00688992 ____R (Swearware) C:\Users\presentation\Desktop\dds.com
2014-10-29 11:02 - 2014-10-29 11:02 - 00001306 _____ () C:\Users\presentation\Desktop\mbam-complete.txt
2014-10-29 11:01 - 2014-10-29 11:01 - 00001286 _____ () C:\Users\presentation\Desktop\mbam.txt
2014-10-29 10:09 - 2014-10-31 09:32 - 00114904 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-29 10:09 - 2014-10-31 09:01 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-29 10:09 - 2014-10-29 10:09 - 00001063 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-29 10:09 - 2014-10-29 10:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-29 10:09 - 2014-10-01 11:11 - 00051928 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-10-29 10:09 - 2014-10-01 11:11 - 00023256 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-10-29 10:00 - 2014-10-29 09:50 - 19828376 _____ (Malwarebytes Corporation ) C:\Users\presentation\Desktop\mbam-setup-2.0.3.1025.exe
2014-10-29 09:26 - 2014-10-29 09:27 - 00000000 ____D () C:\Users\presentation\Desktop\Printer
2014-10-28 15:52 - 2014-10-06 08:10 - 10113336 _____ (Malwarebytes Corporation ) C:\Users\presentation\Desktop\mbam-rules.exe
2014-10-28 15:50 - 2014-10-28 15:40 - 07747104 _____ (Malwarebytes Corporation ) C:\Users\presentation\Desktop\mbam-rules3.exe
2014-10-27 14:27 - 2014-10-27 13:22 - 94494994 _____ () C:\Users\presentation\Desktop\u15iavi8462il.bin
2014-10-27 10:46 - 2014-10-24 14:59 - 2692162560 _____ () C:\Users\presentation\Desktop\backup.pst
2014-10-27 10:33 - 2014-10-28 16:54 - 00000000 ____D () C:\Users\presentation\Desktop\New folder
2014-10-24 13:43 - 2014-10-24 13:43 - 00000000 ____D () C:\Windows\system32\%LOCALAPPDATA%
2014-10-24 11:42 - 2014-10-23 11:01 - 2389197824 _____ () C:\Users\presentation\Desktop\Outlook.pst
2014-10-24 08:48 - 2014-10-29 14:58 - 00000000 ____D () C:\Windows\pss
2014-10-23 15:34 - 2014-10-29 10:09 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2014-10-23 15:25 - 2014-10-29 10:02 - 00000000 ____D () C:\Users\presentation\AppData\Roaming\Malwarebytes
2014-10-23 15:25 - 2014-10-29 10:02 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-10-23 13:37 - 2014-10-23 13:37 - 00000000 ____D () C:\Users\presentation\AppData\Roaming\AVG2015
2014-10-23 13:33 - 2014-10-23 13:33 - 00000000 ____D () C:\Users\presentation\AppData\Roaming\TuneUp Software
2014-10-23 13:06 - 2014-10-29 13:54 - 00000000 ____D () C:\ProgramData\AVG2015
2014-10-23 13:06 - 2014-10-29 13:06 - 00000000 ____D () C:\$AVG
2014-10-23 12:57 - 2014-10-29 13:54 - 00000000 ____D () C:\ProgramData\MFAData
2014-10-23 12:57 - 2014-10-23 13:49 - 00000000 ____D () C:\Users\presentation\AppData\Local\Avg2015
2014-10-23 12:57 - 2014-10-23 12:57 - 00000000 ____D () C:\Users\presentation\AppData\Local\MFAData
2014-10-23 11:56 - 2014-10-23 11:56 - 00000000 ____D () C:\%APPDATA%
2014-10-23 11:49 - 2014-10-23 11:49 - 00001826 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn.lnk
2014-10-23 11:49 - 2014-10-23 11:49 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ImgBurn
2014-10-23 11:49 - 2014-10-23 11:49 - 00000000 ____D () C:\Program Files\ImgBurn
2014-10-23 11:17 - 2014-10-23 11:17 - 00000000 __SHD () C:\Windows\system32\%APPDATA%
2014-10-22 09:11 - 2014-10-22 16:04 - 00078848 _____ () C:\Users\presentation\Documents\22-10-14.xls
2014-10-22 08:29 - 2014-10-22 08:29 - 00007605 _____ () C:\Users\presentation\AppData\Local\Resmon.ResmonCfg
2014-10-21 23:42 - 2014-10-23 07:29 - 00000000 _____ () C:\Users\presentation\AppData\Local\dfsmowas.log
2014-10-21 17:19 - 2014-10-21 17:19 - 00000000 _____ () C:\Users\presentation\AppData\Local\ijbvhmbg.log
2014-10-21 17:19 - 2014-10-21 17:19 - 00000000 _____ () C:\Users\presentation\AppData\Local\bqmsobwc.log
2014-10-21 17:18 - 2014-10-23 15:19 - 00000028 _____ () C:\Users\presentation\AppData\Local\fmxrcubc.log
2014-10-21 17:18 - 2014-10-21 17:18 - 00000064 _____ () C:\ProgramData\srroxsug.log
2014-10-20 11:07 - 2014-10-17 11:36 - 00078336 _____ () C:\Users\presentation\Documents\17-10-14 - Copy - Copy (2).xls
2014-10-20 11:06 - 2014-10-17 11:36 - 00078336 _____ () C:\Users\presentation\Documents\17-10-14 - Copy - Copy.xls
2014-10-17 07:42 - 2014-10-21 16:09 - 00081408 _____ () C:\Users\presentation\Documents\21-10-14 - Copy.xls
2014-10-15 08:01 - 2014-10-16 15:46 - 00078848 _____ () C:\Users\presentation\Documents\16-10-14.xls
2014-10-14 06:55 - 2014-10-14 06:55 - 00138824 _____ () C:\Windows\Minidump\101414-55265-01.dmp
2014-10-09 12:48 - 2014-10-09 12:48 - 00041129 _____ () C:\Users\presentation\Documents\BASL Proposed Revised Scope of Work as at 300614 - Progressed at 300914.zip
2014-10-08 09:55 - 2014-10-31 23:21 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-08 09:55 - 2014-10-08 09:55 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2014-10-08 09:55 - 2014-10-08 09:55 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2014-10-06 09:02 - 2014-10-06 09:02 - 10136960 _____ (Malwarebytes Corporation ) C:\Users\presentation\Desktop\mbam2-rules.exe
2014-10-02 11:15 - 2014-10-08 15:05 - 00045017 _____ () C:\Users\presentation\Documents\BASL Proposed Revised Scope of Work as at 300614 - Progressed at 300914.xlsx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-31 23:33 - 2009-07-14 04:34 - 00014592 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-31 23:33 - 2009-07-14 04:34 - 00014592 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-31 23:29 - 2011-02-04 16:47 - 01111802 _____ () C:\Windows\WindowsUpdate.log
2014-10-31 23:26 - 2013-12-18 15:57 - 00035090 _____ () C:\ProgramData\lxecscan.log
2014-10-31 23:26 - 2011-02-07 08:00 - 00000882 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-31 23:26 - 2011-02-07 07:52 - 00020702 _____ () C:\Windows\PFRO.log
2014-10-31 23:26 - 2009-07-14 04:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-31 23:26 - 2009-07-14 04:39 - 00058042 _____ () C:\Windows\setupact.log
2014-10-31 23:10 - 2011-02-07 08:00 - 00000886 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-31 22:55 - 2009-07-14 02:04 - 00000215 _____ () C:\Windows\system.ini
2014-10-31 22:38 - 2009-07-14 02:37 - 00000000 ____D () C:\Windows\system32\NDF
2014-10-31 22:38 - 2009-07-14 02:37 - 00000000 ____D () C:\Windows\system32\LogFiles
2014-10-31 21:08 - 2009-07-14 02:37 - 00000000 __RHD () C:\Users\Default
2014-10-31 21:08 - 2009-07-14 02:37 - 00000000 ___RD () C:\Users\Public
2014-10-29 13:11 - 2011-02-04 09:21 - 00717892 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-23 14:19 - 2014-06-09 15:29 - 00000000 ____D () C:\Users\presentation\AppData\Roaming\Ufno
2014-10-23 11:13 - 2011-02-04 09:15 - 00000000 ____D () C:\Users\presentation
2014-10-14 08:04 - 2011-02-04 10:34 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-14 06:55 - 2014-01-03 16:43 - 00000000 ____D () C:\Windows\Minidump
2014-10-02 15:58 - 2013-11-11 15:15 - 00000000 ____D () C:\Users\presentation\Documents\CV

Some content of TEMP:
====================
C:\Users\presentation\AppData\Local\Temp\Quarantine.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-10-27 16:41

==================== End Of Log ============================

FRST - Addition

Additional scan result of Farbar Recovery Scan Tool (x86) Version: 30-10-2014 01
Ran by presentation at 2014-10-31 23:43:11
Running from C:\Users\presentation\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

3MobileWiFi (HKLM\...\3MobileWiFi) (Version: 15.001.06.02.156 - Huawei Technologies Co.,Ltd)
ABBYY FineReader 6.0 Sprint (HKLM\...\{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}) (Version: 6.00.2146.41621 - ABBYY Software House)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 2.5.1.17730 - Adobe Systems Inc.)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Reader X (10.1.12) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AA1000000001}) (Version: 10.1.12 - Adobe Systems Incorporated)
Akamai NetSession Interface (HKCU\...\Akamai) (Version: - Akamai Technologies, Inc)
AutoCAD 2006 - English (HKLM\...\{5783F2D7-4001-0409-0002-0060B0CE6BBA}) (Version: 16.2.54.10 - Autodesk)
AutoCAD LT 2009 - English (HKLM\...\AutoCAD LT 2009 - English) (Version: 17.2.56.0 - Autodesk)
AutoCAD LT 2009 - English (Version: 17.2.56.0 - Autodesk) Hidden
Autodesk Design Review 2009 (HKLM\...\Autodesk Design Review 2009) (Version: 9.0.96 - Autodesk, Inc.)
Autodesk Design Review 2009 (Version: 9.0.96 - Autodesk, Inc.) Hidden
Autodesk DWF Viewer (HKLM\...\Autodesk DWF Viewer) (Version: 5.1 - Autodesk, Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 38.0.2125.104 - Google Inc.)
Google Toolbar for Internet Explorer (HKLM\...\{2318C2B1-4965-11d4-9B18-009027A5CD4F}) (Version: 7.5.5111.1712 - Google Inc.)
Google Toolbar for Internet Explorer (Version: 1.0.0 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.25.5 - Google Inc.) Hidden
HP Deskjet 2540 series Basic Device Software (HKLM\...\{575A25F9-3018-46F6-AB97-552B52770877}) (Version: 32.0.1180.44630 - Hewlett-Packard Co.)
HP Deskjet 2540 series Help (HKLM\...\{4539575D-C09D-4E71-B207-0F2D6BD74DA2}) (Version: 30.0.0 - Hewlett Packard)
HP Photo Creations (HKLM\...\HP Photo Creations) (Version: 1.0.0.7702 - HP)
HP Update (HKLM\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
Lexmark Printable Web (HKLM\...\{D2C5E510-BE6D-42CC-9F61-E4F939078474}) (Version: 1.0.0.0 - )
Lexmark Pro800-Pro900 Series (HKLM\...\Lexmark Pro800-Pro900 Series) (Version: - Lexmark International, Inc.)
Lexmark Toolbar (HKLM\...\{1017A80C-6F09-4548-A84D-EDD6AC9525F0}) (Version: 4.3.37.0 - )
Lexmark Tools for Office (HKLM\...\{10812DE7-2E57-4740-B226-6B3BE34AF9D7}) (Version: 1.29.0.0 - )
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Product Improvement Study for HP Deskjet 2540 series (HKLM\...\{A6E08AC3-F00A-42B4-AF87-A30832769B23}) (Version: 32.0.1180.44630 - Hewlett-Packard Co.)
Realtek AC'97 Audio (HKLM\...\{FB08F381-6533-4108-B7DD-039E11FBC27E}) (Version: - )
TP-LINK TL-WN823N Driver (HKLM\...\{852E893E-E4FD-45BB-8B17-72ADDF686974}) (Version: 1.2.1 - TP-LINK)
TP-LINK Wireless Configuration Utility (HKLM\...\{319D91C6-3D44-436C-9F79-36C0D22372DC}) (Version: 1.2.1 - TP-LINK)
Visual Studio 2012 x86 Redistributables (HKLM\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2352433161-3608982554-448722011-1000_Classes\CLSID\{1365A45F-0C8F-4806-A26A-6B22AD37EC66}\localserver32 -> C:\Program Files\AutoCAD 2006\acad.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2352433161-3608982554-448722011-1000_Classes\CLSID\{74F5CC00-49A9-11CF-A2F9-444553540000}\InprocServer32 -> C:\Program Files\AutoCAD LT 2009\acadltficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2352433161-3608982554-448722011-1000_Classes\CLSID\{7AABBB95-79BE-4C0F-8024-EB6AF271231C}\localserver32 -> C:\Program Files\AutoCAD LT 2009\acadlt.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2352433161-3608982554-448722011-1000_Classes\CLSID\{8E75D913-3D21-11D2-85C4-080009A0C626}\localserver32 -> C:\Program Files\AutoCAD 2006\acad.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2352433161-3608982554-448722011-1000_Classes\CLSID\{E2C40589-DE61-11ce-BAE0-0020AF6D7005}\InprocServer32 -> C:\Program Files\AutoCAD 2006\acadficn.dll (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2352433161-3608982554-448722011-1000_Classes\CLSID\{F131FB74-0E12-4533-8091-D71FE9CCD91D}\localserver32 -> C:\Program Files\AutoCAD 2006\acad.exe (Autodesk, Inc.)
CustomCLSID: HKU\S-1-5-21-2352433161-3608982554-448722011-1000_Classes\CLSID\{FC280999-88C6-4499-9622-3B795A8B4A5F}\localserver32 -> C:\Program Files\AutoCAD 2006\acad.exe (Autodesk, Inc.)

==================== Restore Points =========================

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 02:04 - 2014-10-31 21:02 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {3F4510C1-526F-4468-90C0-FA13C5BC618D} - System32\Tasks\HPCustParticipation HP Deskjet 2540 series => C:\Program Files\HP\HP Deskjet 2540 series\Bin\HPCustPartic.exe [2013-08-13] (Hewlett-Packard Co.)
Task: {B325F85A-9B32-4A0F-979F-7F04B8C0037F} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-15] (Google Inc.)
Task: {B64F1641-BD7A-49A7-AB88-C1C99C766F7D} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-10-08] (Adobe Systems Incorporated)
Task: {CF929ED8-1E53-4D04-B189-66F1B4885B29} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-15] (Google Inc.)
Task: {D03EFD5C-CEE7-465B-8C18-A92F691D829D} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-12-18 15:58 - 2009-11-04 13:14 - 00157696 _____ () C:\Windows\system32\spool\PRTPROCS\W32X86\lxecdrpp.dll
2013-12-18 15:54 - 2010-05-17 14:14 - 00770728 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\lxecmon.exe
2013-12-18 15:54 - 2010-04-01 17:23 - 00389120 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\lxecscw.dll
2013-12-18 15:57 - 2009-05-27 12:16 - 00192512 _____ () C:\Windows\system32\spool\drivers\w32x86\3\lxecdatr.dll
2013-12-18 15:54 - 2010-04-01 17:24 - 01159168 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\lxecDRS.dll
2013-12-18 15:54 - 2009-03-10 05:43 - 00155648 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\lxeccaps.dll
2013-12-18 15:53 - 2009-02-20 08:48 - 00299008 _____ () C:\Windows\system32\lxecsm.dll
2013-12-18 15:53 - 2009-02-20 08:48 - 00023552 _____ () C:\Windows\system32\lxecsmr.dll
2013-12-18 15:54 - 2010-05-17 14:14 - 00148280 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\ezprint.exe
2013-12-18 15:54 - 2010-04-05 10:56 - 00716954 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\Epwizard.DLL
2013-12-18 15:54 - 2010-04-05 10:55 - 00159890 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\customui.dll
2013-12-18 15:54 - 2010-04-05 10:54 - 00123033 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\Eputil.DLL
2013-12-18 15:54 - 2010-04-05 10:54 - 00143502 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\Imagutil.DLL
2013-12-18 15:54 - 2010-04-05 10:55 - 00061604 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\Epfunct.DLL
2013-12-18 15:54 - 2010-04-05 10:56 - 02203803 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\EPWizRes.dll
2013-12-18 15:54 - 2010-04-05 10:56 - 00045221 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\epstring.dll
2013-12-18 15:54 - 2010-04-05 10:56 - 00094359 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\EPOEMDll.dll
2013-12-18 15:54 - 2009-04-07 19:25 - 00409600 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\iptk.dll
2013-12-18 15:54 - 2009-03-02 14:25 - 00151552 _____ () C:\Program Files\Lexmark Pro800-Pro900 Series\lxecptp.dll
2008-05-22 02:27 - 2008-05-22 02:27 - 00372736 _____ () C:\Program Files\Lexmark Toolbar\toolband.dll
2008-05-22 02:28 - 2008-05-22 02:28 - 00389120 _____ () C:\Program Files\Lexmark Toolbar\resource.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-2352433161-3608982554-448722011-500 - Administrator - Disabled)
Guest (S-1-5-21-2352433161-3608982554-448722011-501 - Limited - Disabled)
presentation (S-1-5-21-2352433161-3608982554-448722011-1000 - Administrator - Enabled) => C:\Users\presentation

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================

System errors:
=============

Microsoft Office Sessions:
=========================
Error: (10/23/2014 10:30:54 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 158 seconds with 60 seconds of active time. This session ended with a crash.

Error: (10/23/2014 07:07:59 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 109 seconds with 0 seconds of active time. This session ended with a crash.

Error: (10/16/2014 08:40:10 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 60114 seconds with 1560 seconds of active time. This session ended with a crash.

Error: (08/26/2014 03:23:51 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 60 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/26/2014 03:22:05 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 15 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/26/2014 03:21:30 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 45 seconds with 0 seconds of active time. This session ended with a crash.

Error: (08/08/2014 11:56:29 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 2376 seconds with 1320 seconds of active time. This session ended with a crash.

Error: (08/08/2014 07:41:47 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 800 seconds with 780 seconds of active time. This session ended with a crash.

Error: (08/08/2014 07:27:33 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1708 seconds with 600 seconds of active time. This session ended with a crash.

Error: (08/06/2014 02:17:38 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 21239 seconds with 3540 seconds of active time. This session ended with a crash.

CodeIntegrity Errors:
===================================
Date: 2014-10-27 14:27:54.937
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2015\avghookx.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-10-27 12:54:10.541
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2015\avghookx.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-10-27 12:40:41.288
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2015\avghookx.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-10-27 11:44:14.546
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2015\avghookx.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-10-27 10:42:54.309
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2015\avghookx.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-10-24 15:59:36.976
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2015\avghookx.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-10-24 15:32:17.778
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2015\avghookx.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-10-24 15:19:29.856
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2015\avghookx.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-10-24 14:21:32.311
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2015\avghookx.dll because the set of per-page image hashes could not be found on the system.

Date: 2014-10-24 14:10:18.329
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\AVG\AVG2015\avghookx.dll because the set of per-page image hashes could not be found on the system.

==================== Memory info ===========================

Processor: Intel(R) Celeron(R) M processor 1.40GHz
Percentage of memory in use: 42%
Total physical RAM: 959.55 MB
Available physical RAM: 547.25 MB
Total Pagefile: 1983.55 MB
Available Pagefile: 1421.56 MB
Total Virtual: 2047.88 MB
Available Virtual: 1894.95 MB

==================== Drives ================================

Drive c: (HDD) (Fixed) (Total:42.57 GB) (Free:7.36 GB) NTFS ==>[Drive with boot components (obtained from BCD)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 46.6 GB) (Disk ID: ACE22E9E)
Partition 1: (Not Active) - (Size=4 GB) - (Type=1B)
Partition 2: (Active) - (Size=42.6 GB) - (Type=07 NTFS)

==================== End Of Log ============================

**HandsomeDevil** · October 31st, 2014, 07:50 PM

All posted, ta.

**Broni** · October 31st, 2014, 08:30 PM

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST(FRST64) and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Also, reinstall AVG as soon as possible.

**HandsomeDevil** · October 31st, 2014, 08:52 PM

FRST - Fixlog

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 30-10-2014 01
Ran by presentation at 2014-11-01 00:47:11 Run:1
Running from C:\Users\presentation\Desktop
Loaded Profile: presentation (Available profiles: presentation)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
HKLM Group Policy restriction on software: <====== ATTENTION
HKLM Group Policy restriction on software: <====== ATTENTION
SearchScopes: HKCU - {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
HR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\38.0.2125.104\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll No File
S3 catchme; \??\C:\Users\PRESEN~1\AppData\Local\Temp\catchme.sys [X]
C:\Users\presentation\AppData\Local\Temp\Quarantine.exe

*****************

HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
"HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
HR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\38.0.2125.104\ppGoogleNaClPluginChrome.dll No File => Error: No automatic fix found for this entry.
C:\Program Files\Google\Update\1.3.23.9\npGoogleUpdate3.dll not found.
catchme => Service deleted successfully.
C:\Users\presentation\AppData\Local\Temp\Quarantine.exe => Moved successfully.

==== End of Fixlog ====

I'll re-install AVG now.

**Broni** · October 31st, 2014, 09:19 PM

How is computer doing?

Last scans...

Download Security Check from here or here and save it to your Desktop.

Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

Make sure the following options are checked:
- Internet Services
- Windows Firewall
- System Restore
- Security Center
- Windows Update
- Windows Defender
- Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe

Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

Please run a free online scan with the ESET Online Scanner

Disable your antivirus program
Internet Explorer users - Click on this link to open ESET OnlineScan.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
- Double click on the [img=http://www.bleepstatic.com/fhost/uploads/0/esetsmartinstaller_enu.png] icon on your desktop.
Check "YES, I accept the Terms of Use."
Click the Start button.
Accept any security warnings from your browser.
Check "Enable detection of potentially unwanted applications".
Click Advanced settings and make sure all 4 boxes are checkmarked (two of them are already checkmarked by default).
Do NOT checkmark "Use custom proxy settings"
Click the Start button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.

**HandsomeDevil** · October 31st, 2014, 10:37 PM

Seems a lot more responsive than the situation I described in the OP, with none of the unresponsive dialogues appearing. Although I can't say I've really used it yet - other than to install and run the recommended apps - not wanting to risk interfering or undermining the cleaning effort.

Security Check

Results of screen317's Security Check version 0.99.89
Windows 7 x86 (UAC is disabled!)
Out of date service pack!!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Firewall Disabled!
AVG AntiVirus Free Edition 2015
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Adobe Reader 10.1.12 Adobe Reader out of Date!
Google Chrome 38.0.2125.104
Google Chrome 38.0.2125.111
````````Process Check: objlist.exe by Laurent````````
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````

FSS

Farbar Service Scanner Version: 21-07-2014
Ran by presentation (administrator) on 01-11-2014 at 02:39:15
Running from "C:\Users\presentation\Desktop"
Microsoft Windows 7 Ultimate (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\system32\nsisvc.dll => File is digitally signed
C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed
C:\Windows\system32\dhcpcore.dll => File is digitally signed
C:\Windows\system32\Drivers\afd.sys => File is digitally signed
C:\Windows\system32\Drivers\tdx.sys => File is digitally signed
C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\system32\dnsrslvr.dll => File is digitally signed
C:\Windows\system32\mpssvc.dll => File is digitally signed
C:\Windows\system32\bfe.dll => File is digitally signed
C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed
C:\Windows\system32\SDRSVC.dll => File is digitally signed
C:\Windows\system32\vssvc.exe => File is digitally signed
C:\Windows\system32\wscsvc.dll => File is digitally signed
C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\system32\wuaueng.dll => File is digitally signed
C:\Windows\system32\qmgr.dll => File is digitally signed
C:\Windows\system32\es.dll => File is digitally signed
C:\Windows\system32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\system32\ipnathlp.dll => File is digitally signed
C:\Windows\system32\iphlpsvc.dll => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed

**** End of log ****

I'll get on with the rest...

**HandsomeDevil** · November 1st, 2014, 01:34 AM

I've successfully ran TFC & ESET, with the latter not showing any threats and no option to export to a log.

**Broni** · November 1st, 2014, 08:16 PM

Update Adobe Reader

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions (if present).
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

===================================

Your computer is clean

1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download

DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

Activate UAC (optional; some users prefer to keep it off)
Remove disinfection tools
Create registry backup
Purge System Restore
Reset system settings

Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.

2. Make sure Windows Updates are current (Service Pack 1!!!).

3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

4. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Launch a quick scan now" link)

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

11. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tuto...r-safe-online/
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/foru.../#entry3187642

12. Please, let me know, how your computer is doing.

**HandsomeDevil** · November 5th, 2014, 10:02 AM

Hi Broni

Sorry about the delay, been carrying out #2 for the past few days (hundreds of updates to download and install) and had a hiccup at the end: I tried updating the wifi adapter with an updated driver on their website, however it caused the system to go into a blue-screen/restart loop until I system repair>system restored it (I'd made a restore point beforehand). I've noticed the system is really slow, and seems to have gotten worse since the SP1/all the updates? It took 5 hours to restore the system and trying to view the Event Viewer today is sluggish to the point of unusable (which I don't remember it being a week ago, even though it was infected). I've checked, and whilst it's only got 1GB RAM that's the system requirement for 32-bit Windows 7, and yet even when I don't have any applications open, task manager regularly shows 70-90% of physical memory being utilised. I do have AVG free installed now, but even still, that only takes 10 mins at most to update, and there's no let-up even after it's shown to have updated.

I could've sworn one time I spotted a form1.exe in Task Manager Applications for a split second before it disappeared, and having Googled, it appears to be an infection - however I haven't been able to replicate it since, so I can't be certain of its existence. Would you like me to run any more scans/post any more logs?

Thread: [RESOLVED] Infected laptop

Thread Tools

Search Thread

Display

Thread Information

Users Browsing this Thread

Posting Permissions