Having a seemingly persistent adware problem...


  • This topic is locked
22 replies to this topic

#1 Vanguard89

Vanguard89

  • Members
  • 20 posts
  • Gender:Male
  • Location:Serbia

Posted 10 February 2014 - 08:20 PM

Hello guys, I'm a new user on your site and I'm pretty impressed that I found some legit tools here to deal with my adware problems:)

   Anyway, yesterday my gf clicked a non-legit magnet link on monova when she tried to download a torrent file, and got my system pretty much instantly filled with some adware. At first I updated Malwarebytes (using it with Avira), and simultaneously removed a few newly installed programs via Control Panel (among which GrabRez, and something starting with the letter 'W', I can't remember, but I am sure it was malware).

   When I scanned with MWB it reported 43 pieces of malware found. I removed them, rebooted and cleared the quarantine after the reboot, but, as I suspected, today the problem came back, same as yesterday night, with MWB finding about 15 or more PUP.Optional.Conduit items, some with different names. I decided to download AdwCleaner and HitmanPro 3.7.9 from your source and run a scan with both. I did with AdwCleaner and it found some registry traces that it reported as threats; at first I wanted to do a little inquiry about all of them, because some mentioned 'HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32' and 'HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS', but I misclicked and deleted all and rebooted.

   Then I did a scan with HitmanPro; it found about 1400 cookies, most of them (or all) being some 'Mobogenie', Rocketfuel publisher... It also reported that my FAHclient files are missing and suggested a repair; after I selected it, it switched to 'delete'. I deleted all of those cookies (Mobogenie). After all that it seemed my computer is working fine, it's even faster, even though I was worried I had messed some registry up. I downloaded Autoruns to check what processes I have turned on at the moment, and found out that I have 'UtilGrabRez' turned on, though it didn't function anywhere, nor have I seen any program installed by the company's name. I ran Autoruns as admin and managed to turn that process off from auto-running.

   Now tell me, did I do something wrong, because I'm not that much of a tech guy, and how do I completely remove GrabRez, and is my computer at risk of compromise? And do I need to do a scan with another program like ComboFix? I will attach the log files that I have saved: of MWB (scanned yesterday) and also AdwCleaner and HitmanPro.

 

1. Malwarebytes log file :

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.02.09.05
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16750
Uros :: UROS-PC [administrator]
 
2/9/2014 8:03:08 PM
MBAM-log-2014-02-09 (21-14-10).txt
 
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 504838
Time elapsed: 1 hour(s), 8 minute(s), 4 second(s)
 
Memory Processes Detected: 1
C:\Program Files (x86)\GrabRez\updateGrabRez.exe (PUP.Optional.GrabRez.A) -> 732 -> No action taken.
 
Memory Modules Detected: 1
C:\Users\Uros\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
 
Registry Keys Detected: 10
HKLM\SYSTEM\CurrentControlSet\Services\Update GrabRez (PUP.Optional.GrabRez.A) -> No action taken.
HKCR\CLSID\{e1420d09-acc8-4efd-9965-e7ae3c5b977c} (PUP.Optional.GrabRez.A) -> No action taken.
HKCR\TypeLib\{a7a47a0b-0338-407a-88cc-04f303ae7bbc} (PUP.Optional.GrabRez.A) -> No action taken.
HKCR\Interface\{6C7BB828-4CF1-4C42-8028-7D15996DEA0E} (PUP.Optional.GrabRez.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1420D09-ACC8-4EFD-9965-E7AE3C5B977C} (PUP.Optional.GrabRez.A) -> No action taken.
HKCR\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23} (PUP.Optional.BrowseFox.A) -> No action taken.
HKCU\Software\1ClickDownload (PUP.Optional.1ClickDownload.A) -> No action taken.
HKCU\Software\GrabRez (PUP.Optional.GrabRez.A) -> No action taken.
HKCU\Software\AppDataLow\Software\Crossrider (PUP.Optional.CrossRider.A) -> No action taken.
HKLM\Software\GrabRez (PUP.Optional.GrabRez.A) -> No action taken.
 
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NextLive (PUP.Optional.NextLive.A) -> Data: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Uros\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l -> No action taken.
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 5
C:\Program Files (x86)\GrabRez (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\plugins (PUP.Optional.GrabRez.A) -> No action taken.
C:\Users\Uros\AppData\Roaming\newnext.me (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\Uros\AppData\Roaming\newnext.me\cache (PUP.Optional.NextLive.A) -> No action taken.
 
Files Detected: 27
C:\Program Files (x86)\GrabRez\updateGrabRez.exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Users\Uros\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
C:\Program Files (x86)\GrabRez\GrabRezBHO.dll (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\GrabRez.FirstRun.exe (PUP.Optional.Sambreel.A) -> No action taken.
C:\Users\Uros\AppData\Local\genienext\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\00\00000000 (PUP.Optional.OneClickDownloader.A) -> No action taken.
C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\00\00000002 (PUP.Optional.OneClickDownloader.A) -> No action taken.
C:\Users\Uros\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G9805ZGA\Setup[1].exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Users\Uros\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie2.2.0.zip (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\Uros\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\Uros\AppData\Local\Temp\setup_80.exe (PUP.Optional.NextLive.A) -> No action taken.
C:\Windows\Setup\scripts\faXcooL.exe (HackTool.Wpakill) -> No action taken.
D:\Downloaded Content\~Autodesk Maya 2013 SP2 + Crack + 32bit and 64bit\Autodesk Maya 64 bit\64bit\~Get Your Files Here\crack\xf-adsk2013_x64.exe (RiskWare.Tool.CK) -> No action taken.
D:\Downloads\SoftonicDownloader_for_siw.exe (PUP.Optional.Softonic.A) -> No action taken.
C:\Program Files (x86)\GrabRez\GrabRez.ico (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\7za.exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\GrabRezUninstall.exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\updateGrabRez.InstallState (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\GrabRez.BrowserFilter.Helper.dll (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\GrabRezBrowserFilter.exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\utilGrabRez.exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\utilGrabRez.InstallState (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\plugins\GrabRez.BrowserFilterG.dll (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\plugins\GrabRez.FFUpdate.dll (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\plugins\GrabRez.IEUpdate.dll (PUP.Optional.GrabRez.A) -> No action taken.
C:\Users\Uros\AppData\Roaming\newnext.me\nengine.cookie (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\Uros\AppData\Roaming\newnext.me\cache\spark.bin (PUP.Optional.NextLive.A) -> No action taken.
 
(end)
 
 
2. Adwcleaner log file :
 
# AdwCleaner v3.018 - Report created 10/02/2014 at 22:55:44
# Updated 28/01/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Uros - UROS-PC
# Running from : D:\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\Uros\AppData\Local\Conduit
Folder Deleted : C:\Users\Uros\AppData\LocalLow\Conduit
File Deleted : C:\END
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\smartbar
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16750
 
 
-\\ Google Chrome v32.0.1700.107
 
[ File : C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [1349 octets] - [10/02/2014 22:30:42]
AdwCleaner[S0].txt - [1249 octets] - [10/02/2014 22:55:44]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1309 octets] ##########
 
 
3. Hitmanpro :
 
Can't post it; it says the post is too long.

Edited by Vanguard89, 10 February 2014 - 08:23 PM.
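As an added example (not part of the original post, and not a BleepingComputer, Malwarebytes or FRST tool), here is a small Python triage pass over the kinds of lines the logs in this thread contain. The sample lines are copied from the MBAM log above and from the FRST services section posted later in the thread; the rules are this example's own heuristics, and the Finding type and rule names are assumptions. What they pick out is the part of the log that matters for persistence rather than the file detections: the Run value that uses rundll32.exe to load nengine.dll out of AppData, the GrabRez Browser Helper Object CLSID, the GrabRez service key, the executable dropped in Temp, and the FRST services marked [X] whose image file is already gone but whose registration was left behind.

```python
"""Triage of autostart-related lines from Malwarebytes and FRST logs.

Added example for this thread; it is not a BleepingComputer, Malwarebytes or
FRST tool.  The rule set, the reason strings and the Finding type are this
example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    entry: str
    reason: str


# Heuristics (this example's own, not FRST/MBAM logic).  Each pairs a regex
# with the reason a responder would want to look at the entry.
RULES = [
    # rundll32.exe loading a DLL out of a user profile: a signed Windows binary
    # used as the launcher, with the payload parked under AppData.
    (re.compile(r'rundll32\.exe\s+"?[^"]*\\AppData\\', re.I),
     'rundll32 loads a DLL from AppData'),
    # A Browser Helper Object CLSID: code loaded into every IE process.
    (re.compile(r'\\Browser Helper Objects\\\{[0-9A-F-]{36}\}', re.I),
     'Internet Explorer BHO registration'),
    # A service key: starts at boot, without any user logging on.
    (re.compile(r'\\CurrentControlSet\\Services\\', re.I),
     'Windows service registration'),
    # FRST marks a service whose image file is gone with [X]; the key is an
    # orphan left behind by a partial removal and should be cleaned up too.
    (re.compile(r'^[RS]\d\s+[^;]+;.*\[X\]\s*$'),
     'FRST: service image file missing ([X] orphan)'),
    # Executables in %TEMP% are normally dropper/installer leftovers.
    (re.compile(r'\\AppData\\Local\\Temp\\', re.I),
     'executable in Temp'),
]

# Sample input: lines copied from the MBAM and FRST logs posted in this thread.
SAMPLE_LINES = [
    r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NextLive (PUP.Optional.NextLive.A) -> Data: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Uros\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l -> No action taken.',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1420D09-ACC8-4EFD-9965-E7AE3C5B977C} (PUP.Optional.GrabRez.A) -> No action taken.',
    r'HKLM\SYSTEM\CurrentControlSet\Services\Update GrabRez (PUP.Optional.GrabRez.A) -> No action taken.',
    r'C:\Users\Uros\AppData\Local\Temp\setup_80.exe (PUP.Optional.NextLive.A) -> No action taken.',
    r'C:\Program Files (x86)\GrabRez\GrabRez.ico (PUP.Optional.GrabRez.A) -> No action taken.',
    r'S4 APNMCP; "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe" [X]',
    r'S4 Util GrabRez; "C:\Program Files (x86)\GrabRez\bin\utilGrabRez.exe" [X]',
    r'R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440376 2013-11-25] (Avira Operations GmbH & Co. KG)',
]


def triage(lines):
    """Return one Finding per (line, matching rule); unmatched lines are dropped."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for pattern, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(line, reason))
    return findings


def summarize(findings):
    """Count findings per reason so the persistence picture is visible at a glance."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == '__main__':
    results = triage(SAMPLE_LINES)
    for f in results:
        print(f'[{f.reason}] {f.entry}')
    print(summarize(results))
```

Run against the eight sample lines it reports six findings: the plain file detection (GrabRez.ico) and the healthy Avira service are ignored, while the two [X] services show why the FRST log still lists GrabRez after the files were removed.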


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 February 2014 - 09:35 PM





Hello Vanguard89,

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this program for me.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Vanguard89

Vanguard89
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:Serbia

Posted 10 February 2014 - 10:17 PM

Hey, thank you very much, I read your whole post thoroughly :) Just to mention, I had done a full scan with MWB again, nothing found, and internet browsing and downloading is working fast and well; Task Manager shows no processor stress (nor overuse), memory is at 1.5 GB usage (I have 4 GB). The only thing I noticed is that once, when I minimised the browser to the desktop, traces of the black screen stayed on the white background of the browser when I came back, but when I moved the mouse over them they disappeared (possibly malware messed with the GPU drivers, but I doubt it, because the system works pretty normally). I did a scan with FRST as instructed and will attach and copy over the results of the scan :)
 
This is the FRST log :
 
Processes (Whitelisted) =================
 
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\system32\nvvsvc.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
() C:\Windows\SysWOW64\XSrvSetup.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.22.3\GoogleCrashHandler64.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
() C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version8\TeamViewer_Service.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE
(Microsoft Corporation) C:\Windows\system32\AUDIODG.EXE
 
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [RtHDVCpl] - C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [10135584 2010-03-26] (Realtek Semiconductor)
HKLM\...\Run: [Nvtmru] - "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
HKLM\...\Run: [ShadowPlay] - C:\Windows\system32\nvspcap64.dll [1179576 2014-01-21] (NVIDIA Corporation)
HKLM\...\Run: [NvBackend] - C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2234144 2014-01-21] (NVIDIA Corporation)
HKLM-x32\...\Run: [JMB36X IDE Setup] - C:\Windows\RaidTool\xInsIDE.exe [43632 2010-01-19] ()
HKLM-x32\...\Run: [avgnt] - C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [684600 2013-12-17] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [UpdatePDRShortCut] - D:\Programs\Cyberlink power director\PowerDirector\MUITransfer\MUIStartMenu.exe [218408 2008-12-03] (CyberLink Corp.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] - C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-05-01] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] - C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKU\S-1-5-21-329362739-1829843065-2871296926-1000\...\Run: [Steam] - C:\Program Files (x86)\Steam\steam.exe [1813184 2014-02-08] (Valve Corporation)
 
==================== Internet (Whitelisted) ====================
 
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0xB6209ECC6FB9CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
BHO-x32: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
Toolbar: HKLM-x32 - Avira SearchFree Toolbar - {41564952-412D-5637-00A7-7A786E7484D7} - "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\AVIRA-V7\Passport.dll" No File
Toolbar: HKCU - No Name - {41564952-412D-5637-00A7-7A786E7484D7} -  No File
Handler-x32: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} -  No File
Tcpip\Parameters: [DhcpNameServer] 89.216.1.30 89.216.1.50
 
Chrome: 
=======
CHR HomePage: hxxp://www.google.rs/
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.107\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.107\ppGoogleNaClPluginChrome.dll ()
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\32.0.1700.107\pdf.dll ()
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Extension: (Entanglement Web App) - C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd [2013-09-24]
CHR Extension: (Google Drive) - C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-09-24]
CHR Extension: (YouTube) - C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-09-24]
CHR Extension: (Google Search) - C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-09-24]
CHR Extension: (Poppit) - C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi [2013-09-24]
CHR Extension: (Black Black Chrome Theme Dark Blue Highlight) - C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\Extensions\njpbabhpbnilgchdjbajcbgnnclkaida [2013-12-09]
CHR Extension: (Google Wallet) - C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-24]
CHR Extension: (Gmail) - C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-09-24]
CHR HKCU\...\Chrome\Extension: [cflheckfmhopnialghigdlggahiomebp] - C:\Users\Uros\AppData\Local\CRE\cflheckfmhopnialghigdlggahiomebp.crx [2014-02-10]
CHR HKLM-x32\...\Chrome\Extension: [aaaaacalgebmfelllfiaoknifldpngjh] - C:\ProgramData\AskPartnerNetwork\Toolbar\AVIRA-V7\CRX\ToolbarCR.crx [2013-09-24]
CHR HKLM-x32\...\Chrome\Extension: [cflheckfmhopnialghigdlggahiomebp] - C:\Users\Uros\AppData\Local\CRE\cflheckfmhopnialghigdlggahiomebp.crx [2014-02-10]
 
==================== Services (Whitelisted) =================
 
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [440376 2013-12-17] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [440376 2013-11-25] (Avira Operations GmbH & Co. KG)
R2 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [1011768 2013-12-17] (Avira Operations GmbH & Co. KG)
R2 JMB36X; C:\Windows\SysWOW64\XSrvSetup.exe [72304 2010-01-19] ()
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [418376 2013-04-04] (Malwarebytes Corporation)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [701512 2013-04-04] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1593632 2014-01-21] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [16939296 2014-01-21] (NVIDIA Corporation)
R2 RichVideo; C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe [247152 2009-04-17] ()
S4 APNMCP; "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe" [X]
S4 Util GrabRez; "C:\Program Files (x86)\GrabRez\bin\utilGrabRez.exe" [X]
 
==================== Drivers (Whitelisted) ====================
 
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [108440 2013-12-17] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [131576 2013-12-17] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-11-25] (Avira Operations GmbH & Co. KG)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25928 2013-04-04] (Malwarebytes Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [39200 2013-12-27] (NVIDIA Corporation)
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2014-02-11 04:09 - 2014-02-11 04:09 - 00000673 _____ () C:\Users\Uros\Desktop\1.txt
2014-02-11 04:05 - 2014-02-11 04:09 - 00000000 ____D () C:\FRST
2014-02-11 04:04 - 2014-02-11 04:09 - 00000000 ____D () C:\Users\Uros\Desktop\analasys
2014-02-11 00:50 - 2014-02-11 00:55 - 02164956 _____ () C:\Users\Uros\Desktop\AutoRuns.arn
2014-02-10 23:32 - 2014-02-10 23:32 - 00321020 _____ () C:\Windows\system32\.crusader
2014-02-10 23:12 - 2014-02-10 23:12 - 00000000 ____D () C:\Program Files\HitmanPro
2014-02-10 23:11 - 2014-02-10 23:32 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-02-10 23:08 - 2014-02-10 23:11 - 10820032 _____ (SurfRight B.V.) C:\Users\Uros\Desktop\HitmanPro_x64.exe
2014-02-10 21:56 - 2014-02-10 21:56 - 00000000 ____D () C:\Users\Uros\AppData\Local\NativeMessaging
2014-02-10 21:56 - 2014-02-10 21:56 - 00000000 ____D () C:\Users\Uros\AppData\Local\CRE
2014-02-10 21:55 - 2014-02-10 21:55 - 01519696 _____ (BitTorrent Inc.) C:\Users\Uros\Desktop\uTorrent.exe
2014-02-10 19:26 - 2014-02-10 19:26 - 00001035 _____ () C:\Users\Public\Desktop\FXAA Tool.lnk
2014-02-10 19:07 - 2014-02-10 19:15 - 00000000 ____D () C:\Users\Uros\AppData\Local\Darksiders2
2014-02-09 19:41 - 2014-02-09 21:14 - 00000000 ____D () C:\Users\Uros\AppData\Local\genienext
2014-02-09 19:41 - 2014-02-09 19:44 - 00000000 ____D () C:\Users\Uros\AppData\Local\cache
2014-02-09 19:41 - 2014-02-09 19:42 - 00000000 ____D () C:\Users\Uros\.android
2014-02-09 19:41 - 2014-02-09 19:41 - 00000000 _____ () C:\Users\Uros\daemonprocess.txt
2014-02-07 22:14 - 2014-02-08 00:53 - 00000000 ____D () C:\Users\Uros\AppData\Roaming\Awesomium
2014-02-07 21:12 - 2014-02-07 21:12 - 00000000 ____D () C:\Users\Uros\Documents\Elder Scrolls Online
2014-02-07 21:12 - 2014-02-07 21:12 - 00000000 ____D () C:\ProgramData\Elder Scrolls Online
2014-01-23 17:06 - 2013-10-25 07:19 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-01-23 17:06 - 2013-10-25 07:17 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-01-23 17:06 - 2013-10-25 07:17 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-01-23 17:06 - 2013-10-25 07:17 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-01-23 17:06 - 2013-10-25 07:17 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-01-23 17:06 - 2013-10-25 05:43 - 02049024 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-01-23 17:06 - 2013-10-25 05:43 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-01-23 17:06 - 2013-10-25 05:43 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-01-23 17:06 - 2013-10-25 05:43 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-01-23 17:06 - 2013-10-25 05:43 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-01-23 17:06 - 2013-10-25 05:07 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-01-23 17:06 - 2013-10-25 04:41 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-01-23 17:06 - 2013-10-25 04:17 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-01-23 17:06 - 2013-10-25 03:49 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2014-01-23 17:05 - 2013-10-25 07:19 - 02241536 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-01-23 17:05 - 2013-10-25 07:19 - 01365504 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-01-23 17:05 - 2013-10-25 07:18 - 19271168 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-01-23 17:05 - 2013-10-25 07:18 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-01-23 17:05 - 2013-10-25 07:17 - 15404032 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-01-23 17:05 - 2013-10-25 07:17 - 03959808 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-01-23 17:05 - 2013-10-25 07:17 - 02648576 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-01-23 17:05 - 2013-10-25 07:17 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-01-23 17:05 - 2013-10-25 07:17 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-01-23 17:05 - 2013-10-25 05:45 - 01767936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-01-23 17:05 - 2013-10-25 05:44 - 14356992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-01-23 17:05 - 2013-10-25 05:44 - 01140736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-01-23 17:05 - 2013-10-25 05:43 - 13761536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-01-23 17:05 - 2013-10-25 05:43 - 02877952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-01-23 17:05 - 2013-10-25 05:43 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-01-23 17:05 - 2013-10-25 05:43 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-01-23 17:05 - 2013-10-25 05:43 - 00039424 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-01-23 16:41 - 2013-11-26 11:32 - 03156480 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-01-23 16:41 - 2013-11-12 03:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\tzres.dll
2014-01-23 16:41 - 2013-11-12 03:07 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tzres.dll
2014-01-23 16:41 - 2013-10-19 03:18 - 00081408 _____ (Microsoft Corporation) C:\Windows\system32\imagehlp.dll
2014-01-23 16:41 - 2013-10-19 02:36 - 00159232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2014-01-23 16:41 - 2013-10-05 21:25 - 01474048 _____ (Microsoft Corporation) C:\Windows\system32\crypt32.dll
2014-01-23 16:41 - 2013-10-05 20:57 - 01168384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2014-01-23 16:41 - 2013-10-04 03:16 - 00116736 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\drmk.sys
2014-01-23 16:41 - 2013-10-04 02:36 - 00230400 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\portcls.sys
2014-01-23 16:41 - 2013-10-03 03:23 - 00404480 _____ (Microsoft Corporation) C:\Windows\system32\gdi32.dll
2014-01-23 16:41 - 2013-10-03 03:00 - 00311808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\gdi32.dll
2014-01-23 16:41 - 2013-09-28 02:09 - 00497152 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\afd.sys
2014-01-23 16:41 - 2013-09-25 03:26 - 00154560 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-01-23 16:41 - 2013-09-25 03:26 - 00095680 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecdd.sys
2014-01-23 16:41 - 2013-09-25 03:23 - 00135680 _____ (Microsoft Corporation) C:\Windows\system32\sspicli.dll
2014-01-23 16:41 - 2013-09-25 03:23 - 00028672 _____ (Microsoft Corporation) C:\Windows\system32\sspisrv.dll
2014-01-23 16:41 - 2013-09-25 03:23 - 00028160 _____ (Microsoft Corporation) C:\Windows\system32\secur32.dll
2014-01-23 16:41 - 2013-09-25 03:22 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-01-23 16:41 - 2013-09-25 03:21 - 01447936 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-01-23 16:41 - 2013-09-25 03:21 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-01-23 16:41 - 2013-09-25 02:58 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-01-23 16:41 - 2013-09-25 02:57 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-01-23 16:41 - 2013-09-25 02:57 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-01-23 16:41 - 2013-09-25 02:56 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-01-23 16:41 - 2013-09-25 02:03 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\lsass.exe
2014-01-23 16:41 - 2013-07-04 13:50 - 00633856 _____ (Microsoft Corporation) C:\Windows\system32\comctl32.dll
2014-01-23 16:41 - 2013-07-04 13:18 - 00458712 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys
2014-01-23 16:41 - 2013-07-04 12:50 - 00530432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\comctl32.dll
2014-01-23 16:41 - 2013-06-25 23:55 - 00785624 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\Wdf01000.sys
2014-01-23 16:41 - 2013-06-06 06:50 - 00041472 _____ (Microsoft Corporation) C:\Windows\system32\lpk.dll
2014-01-23 16:41 - 2013-06-06 06:49 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\fontsub.dll
2014-01-23 16:41 - 2013-06-06 06:49 - 00014336 _____ (Microsoft Corporation) C:\Windows\system32\dciman32.dll
2014-01-23 16:41 - 2013-06-06 06:47 - 00046080 _____ (Adobe Systems) C:\Windows\system32\atmlib.dll
2014-01-23 16:41 - 2013-06-06 05:57 - 00025600 _____ (Microsoft Corporation) C:\Windows\SysWOW64\lpk.dll
2014-01-23 16:41 - 2013-06-06 05:51 - 00070656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\fontsub.dll
2014-01-23 16:41 - 2013-06-06 05:50 - 00010240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dciman32.dll
2014-01-23 16:41 - 2013-06-06 04:30 - 00368128 _____ (Adobe Systems Incorporated) C:\Windows\system32\atmfd.dll
2014-01-23 16:41 - 2013-06-06 04:01 - 00295424 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\atmfd.dll
2014-01-23 16:41 - 2013-06-06 04:01 - 00034304 _____ (Adobe Systems) C:\Windows\SysWOW64\atmlib.dll
2014-01-23 16:41 - 2012-11-28 23:56 - 00054376 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\WdfLdr.sys
2014-01-23 16:41 - 2012-11-28 23:56 - 00009728 _____ (Microsoft Corporation) C:\Windows\system32\Wdfres.dll
2014-01-23 16:41 - 2012-11-28 23:56 - 00000003 _____ () C:\Windows\system32\Drivers\MsftWdf_Kernel_01011_Inbox_Critical.Wdf
2014-01-23 16:39 - 2013-11-27 02:41 - 00343040 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbhub.sys
2014-01-23 16:39 - 2013-11-27 02:41 - 00325120 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbport.sys
2014-01-23 16:39 - 2013-11-27 02:41 - 00099840 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbccgp.sys
2014-01-23 16:39 - 2013-11-27 02:41 - 00053248 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbehci.sys
2014-01-23 16:39 - 2013-11-27 02:41 - 00030720 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbuhci.sys
2014-01-23 16:39 - 2013-11-27 02:41 - 00025600 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbohci.sys
2014-01-23 16:39 - 2013-11-27 02:41 - 00007808 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbd.sys
2014-01-23 16:39 - 2013-10-12 03:32 - 00150016 _____ (Microsoft Corporation) C:\Windows\system32\wshom.ocx
2014-01-23 16:39 - 2013-10-12 03:31 - 00202752 _____ (Microsoft Corporation) C:\Windows\system32\scrrun.dll
2014-01-23 16:39 - 2013-10-12 03:04 - 00121856 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wshom.ocx
2014-01-23 16:39 - 2013-10-12 03:03 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\scrrun.dll
2014-01-23 16:39 - 2013-10-12 02:33 - 00168960 _____ (Microsoft Corporation) C:\Windows\system32\wscript.exe
2014-01-23 16:39 - 2013-10-12 02:33 - 00156160 _____ (Microsoft Corporation) C:\Windows\system32\cscript.exe
2014-01-23 16:39 - 2013-10-12 02:15 - 00141824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wscript.exe
2014-01-23 16:39 - 2013-10-12 02:15 - 00126976 _____ (Microsoft Corporation) C:\Windows\SysWOW64\cscript.exe
2014-01-23 16:39 - 2013-07-20 11:33 - 00124112 _____ (Microsoft Corporation) C:\Windows\system32\PresentationCFFRasterizerNative_v0300.dll
2014-01-23 16:39 - 2013-07-20 11:33 - 00102608 _____ (Microsoft Corporation) C:\Windows\SysWOW64\PresentationCFFRasterizerNative_v0300.dll
2014-01-23 16:39 - 2013-07-12 11:41 - 00185344 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbvideo.sys
2014-01-23 16:39 - 2013-07-12 11:41 - 00100864 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\usbcir.sys
2014-01-23 16:39 - 2013-07-12 11:40 - 00109824 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\USBAUDIO.sys
2014-01-23 16:39 - 2013-07-03 05:05 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidclass.sys
2014-01-23 16:39 - 2013-07-03 05:05 - 00032896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\hidparse.sys
2014-01-23 16:38 - 2013-10-12 03:30 - 00830464 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll
2014-01-23 16:38 - 2013-10-12 03:29 - 00859648 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL
2014-01-23 16:38 - 2013-10-12 03:29 - 00324096 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL
2014-01-23 16:38 - 2013-10-12 03:03 - 00656896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll
2014-01-23 16:38 - 2013-10-12 03:01 - 00216576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FWPUCLNT.DLL
2014-01-23 16:38 - 2013-08-01 13:09 - 00983488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\dxgkrnl.sys
2014-01-23 16:34 - 2013-12-27 19:42 - 00039200 _____ (NVIDIA Corporation) C:\Windows\system32\Drivers\nvvad64v.sys
2014-01-23 16:34 - 2013-12-27 19:42 - 00033056 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvaudcap32v.dll
2014-01-20 02:29 - 2014-01-20 02:29 - 00000000 ____D () C:\Users\Uros\Documents\Game SS library
2014-01-19 18:39 - 2014-01-19 18:39 - 00005175 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log
2014-01-19 18:39 - 2013-12-18 21:09 - 00096168 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-01-19 18:39 - 2013-12-18 21:04 - 00264616 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-01-19 18:39 - 2013-12-18 21:04 - 00175016 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-01-19 18:39 - 2013-12-18 21:03 - 00174504 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-01-16 18:52 - 2014-01-16 18:56 - 00000000 ____D () C:\Users\Uros\AppData\Local\Darksiders
2014-01-16 18:51 - 2014-02-10 19:07 - 00000000 ____D () C:\Windows\SysWOW64\directx
2014-01-16 18:51 - 2014-01-16 18:51 - 00000000 ____D () C:\Program Files (x86)\THQ
 
==================== One Month Modified Files and Folders =======
 
2014-02-11 04:09 - 2014-02-11 04:09 - 00000673 _____ () C:\Users\Uros\Desktop\1.txt
2014-02-11 04:09 - 2014-02-11 04:05 - 00000000 ____D () C:\FRST
2014-02-11 04:09 - 2014-02-11 04:04 - 00000000 ____D () C:\Users\Uros\Desktop\analasys
2014-02-11 04:09 - 2013-09-25 00:21 - 00000000 ____D () C:\Program Files (x86)\Steam
2014-02-11 04:09 - 2013-09-24 22:53 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-02-11 03:13 - 2013-09-25 03:44 - 00000000 ____D () C:\Users\Uros\AppData\Roaming\uTorrent
2014-02-11 02:56 - 2013-09-24 22:39 - 01617762 _____ () C:\Windows\WindowsUpdate.log
2014-02-11 01:15 - 2013-12-02 10:23 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-02-11 01:15 - 2013-09-24 22:53 - 00000890 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-02-11 01:15 - 2010-11-21 04:47 - 00022866 _____ () C:\Windows\PFRO.log
2014-02-11 01:15 - 2009-07-14 06:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-02-11 01:15 - 2009-07-14 05:51 - 00083754 _____ () C:\Windows\setupact.log
2014-02-11 00:55 - 2014-02-11 00:50 - 02164956 _____ () C:\Users\Uros\Desktop\AutoRuns.arn
2014-02-11 00:03 - 2009-07-14 06:13 - 00779266 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-02-10 23:32 - 2014-02-10 23:32 - 00321020 _____ () C:\Windows\system32\.crusader
2014-02-10 23:32 - 2014-02-10 23:11 - 00000000 ____D () C:\ProgramData\HitmanPro
2014-02-10 23:32 - 2013-09-24 22:40 - 00000000 ___RD () C:\Users\Uros\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2014-02-10 23:12 - 2014-02-10 23:12 - 00000000 ____D () C:\Program Files\HitmanPro
2014-02-10 23:11 - 2014-02-10 23:08 - 10820032 _____ (SurfRight B.V.) C:\Users\Uros\Desktop\HitmanPro_x64.exe
2014-02-10 21:56 - 2014-02-10 21:56 - 00000000 ____D () C:\Users\Uros\AppData\Local\NativeMessaging
2014-02-10 21:56 - 2014-02-10 21:56 - 00000000 ____D () C:\Users\Uros\AppData\Local\CRE
2014-02-10 21:55 - 2014-02-10 21:55 - 01519696 _____ (BitTorrent Inc.) C:\Users\Uros\Desktop\uTorrent.exe
2014-02-10 19:26 - 2014-02-10 19:26 - 00001035 _____ () C:\Users\Public\Desktop\FXAA Tool.lnk
2014-02-10 19:15 - 2014-02-10 19:07 - 00000000 ____D () C:\Users\Uros\AppData\Local\Darksiders2
2014-02-10 19:07 - 2014-01-16 18:51 - 00000000 ____D () C:\Windows\SysWOW64\directx
2014-02-10 19:07 - 2013-09-25 17:12 - 00000000 ____D () C:\Users\Uros\Documents\My Games
2014-02-10 16:52 - 2013-10-12 16:39 - 00000000 ____D () C:\Users\Uros\Documents\EA Games
2014-02-09 21:16 - 2009-07-14 06:08 - 00032592 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-02-09 21:14 - 2014-02-09 19:41 - 00000000 ____D () C:\Users\Uros\AppData\Local\genienext
2014-02-09 19:44 - 2014-02-09 19:41 - 00000000 ____D () C:\Users\Uros\AppData\Local\cache
2014-02-09 19:42 - 2014-02-09 19:41 - 00000000 ____D () C:\Users\Uros\.android
2014-02-09 19:41 - 2014-02-09 19:41 - 00000000 _____ () C:\Users\Uros\daemonprocess.txt
2014-02-09 19:41 - 2013-09-24 22:40 - 00000000 ____D () C:\Users\Uros
2014-02-09 04:31 - 2009-07-14 05:45 - 00020640 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-02-09 04:31 - 2009-07-14 05:45 - 00020640 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-02-09 04:29 - 2013-10-23 19:23 - 00000000 ____D () C:\Users\Uros\AppData\Roaming\Skype
2014-02-08 00:53 - 2014-02-07 22:14 - 00000000 ____D () C:\Users\Uros\AppData\Roaming\Awesomium
2014-02-07 21:12 - 2014-02-07 21:12 - 00000000 ____D () C:\Users\Uros\Documents\Elder Scrolls Online
2014-02-07 21:12 - 2014-02-07 21:12 - 00000000 ____D () C:\ProgramData\Elder Scrolls Online
2014-02-07 03:40 - 2013-09-26 00:49 - 00000000 ____D () C:\Users\Uros\Documents\Witcher 2
2014-01-31 00:41 - 2013-09-28 17:40 - 00004825 _____ () C:\Users\Uros\Documents\TombRaider.log
2014-01-24 18:44 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\rescache
2014-01-24 01:53 - 2013-09-24 22:53 - 00067784 _____ () C:\Users\Uros\AppData\Local\GDIPFONTCACHEV1.DAT
2014-01-23 17:16 - 2009-07-14 05:45 - 00297104 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-01-23 17:14 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\SysWOW64\sr-Latn-CS
2014-01-23 17:14 - 2009-07-14 04:20 - 00000000 ____D () C:\Windows\system32\sr-Latn-CS
2014-01-23 17:11 - 2013-09-24 23:10 - 00772646 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2014-01-23 16:43 - 2013-09-24 23:58 - 00000000 ____D () C:\Windows\system32\MRT
2014-01-23 16:34 - 2013-09-24 23:10 - 00000000 ____D () C:\Program Files (x86)\NVIDIA Corporation
2014-01-21 03:53 - 2013-12-09 10:00 - 01179576 _____ (NVIDIA Corporation) C:\Windows\system32\nvspcap64.dll
2014-01-21 03:53 - 2013-12-09 10:00 - 01048152 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspcap.dll
2014-01-20 02:29 - 2014-01-20 02:29 - 00000000 ____D () C:\Users\Uros\Documents\Game SS library
2014-01-19 18:51 - 2014-01-10 06:59 - 00000000 ____D () C:\ProgramData\Oracle
2014-01-19 18:39 - 2014-01-19 18:39 - 00005175 _____ () C:\Windows\SysWOW64\jupdate-1.7.0_51-b13.log
2014-01-19 18:39 - 2014-01-10 06:58 - 00000000 ____D () C:\Program Files (x86)\Java
2014-01-16 18:57 - 2013-11-01 19:56 - 00000000 ____D () C:\Users\Uros\AppData\Local\Adobe
2014-01-16 18:56 - 2014-01-16 18:52 - 00000000 ____D () C:\Users\Uros\AppData\Local\Darksiders
2014-01-16 18:51 - 2014-01-16 18:51 - 00000000 ____D () C:\Program Files (x86)\THQ
2014-01-16 18:51 - 2013-09-25 01:37 - 00533050 _____ () C:\Windows\DirectX.log
 
Files to move or delete:
====================
C:\Users\Uros\en_res.dll
C:\Users\Uros\es_res.dll
C:\Users\Uros\fr_res.dll
C:\Users\Uros\grm_res.dll
C:\Users\Uros\it_res.dll
C:\Users\Uros\jp_res.dll
C:\Users\Uros\mfc80u.dll
C:\Users\Uros\msvcr80.dll
C:\Users\Uros\PCPE Setup.exe
C:\Users\Uros\pt_res.dll
C:\Users\Uros\ResourceReader.dll
C:\Users\Uros\ru_res.dll
C:\Users\Uros\zh_res.dll
 
 
Some content of TEMP:
====================
C:\Users\Uros\AppData\Local\Temp\AcDeltree.exe
C:\Users\Uros\AppData\Local\Temp\avgnt.exe
C:\Users\Uros\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Uros\AppData\Local\Temp\msvcr80.dll
C:\Users\Uros\AppData\Local\Temp\nvSCPAPI.dll
C:\Users\Uros\AppData\Local\Temp\nvStInst.exe
C:\Users\Uros\AppData\Local\Temp\Quarantine.exe
C:\Users\Uros\AppData\Local\Temp\SimPack.exe
C:\Users\Uros\AppData\Local\Temp\zlib1.dll
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
 
LastRegBack: 2014-02-09 18:25
 
==================== End Of Log ============================


Edited by Vanguard89, 10 February 2014 - 10:19 PM.


#4 gringo_pr

Bleepin Gringo
Malware Response Team

Posted 10 February 2014 - 10:56 PM



Hello Vanguard89,

These are the programs I would like you to run next; if you have any problems with one of these, just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete, let me have the two reports and let me know how things are running.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Vanguard89
Topic Starter

Posted 11 February 2014 - 10:56 AM

Hey, hello Gringo :) Well, the computer is working as intended, normally: no ads popping up while browsing, no slow-downs, no screen freezes. I did everything as you proposed and here are the results. I noticed when I ran AdwCleaner that it found 2 PUP registry keys, but cleaned one when I performed a clean (the [x64] HKCU\Software\Conduit key was left uncleaned). I will put both logs, the one before the clean and the one after, and the JRT log after them (it did find a significant amount of adware), respectively:

 

1.

 

***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\Conduit
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16750
 
 
-\\ Google Chrome v32.0.1700.107
 
[ File : C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [714 octets] - [11/02/2014 16:00:18]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [773 octets] ##########
 
 
2.
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\Conduit
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16750
 
 
-\\ Google Chrome v32.0.1700.107
 
[ File : C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [856 octets] - [11/02/2014 16:00:18]
AdwCleaner[S0].txt - [739 octets] - [11/02/2014 16:01:32]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [798 octets] ##########
 
 
3. JRT log :
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{41564952-412D-5637-00A7-7A786E7484D7}
 
 
 
~~~ Files
 
Successfully deleted: [File] "C:\Users\Uros\appdata\local\google\chrome\user data\default\local storage\http_app.mam.conduit.com_0.localstorage"
Successfully deleted: [File] "C:\Users\Uros\appdata\local\google\chrome\user data\default\local storage\http_app.mam.conduit.com_0.localstorage-journal"
Successfully deleted: [File] "C:\Users\Uros\appdata\local\google\chrome\user data\default\local storage\http_storage.conduit.com_0.localstorage"
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\apn"
Successfully deleted: [Folder] "C:\Users\Uros\appdata\local\cre"
 
 
 
~~~ Chrome
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\aaaaacalgebmfelllfiaoknifldpngjh
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 02/11/2014 at 16:12:31.42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Edited by Vanguard89, 11 February 2014 - 11:43 AM.


#6 gringo_pr

Bleepin Gringo
Malware Response Team

Posted 11 February 2014 - 12:28 PM


Hello Vanguard89,

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

#7 Vanguard89
Topic Starter

Posted 11 February 2014 - 01:28 PM

Hello there. First I downloaded ComboFix, then disabled Avira and MWB, but when I started ComboFix, Avira prompted me that registry access was blocked (though I'm sure I turned off all real-time protection and web protection). Then ComboFix did a scan; it said it was creating a restore point, then it started. There was no reboot, and after 6-7 minutes or so it was done. The computer is running very well and I've seen no signs of corruption, though I am unclear why it listed HitmanPro37.sys files under 'Reg Loading Points' in the log. Also, in the 'Registry loading points' branch near the end of the ComboFix log, I noticed this line when I searched for a GrabRez reference: 'R4 Util GrabRez;Util GrabRez;c:\program files (x86)\GrabRez\bin\utilGrabRez.exe;c:\program files (x86)\GrabRez\bin\utilGrabRez.exe [x]'. I will bold it out in the log. Also there is that AskPartnerNetwork in my reg loading points. I will attach the log now:

 

 

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Uros\en_res.dll
c:\users\Uros\es_res.dll
c:\users\Uros\fr_res.dll
c:\users\Uros\grm_res.dll
c:\users\Uros\it_res.dll
c:\users\Uros\jp_res.dll
c:\users\Uros\mfc80u.dll
c:\users\Uros\msvcr80.dll
c:\users\Uros\PCPE Setup.exe
c:\users\Uros\pt_res.dll
c:\users\Uros\ResourceReader.dll
c:\users\Uros\ru_res.dll
c:\users\Uros\zh_res.dll
c:\windows\SysWow64\frapsvid.dll
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-11 to 2014-02-11  )))))))))))))))))))))))))))))))
.
.
2014-02-11 18:18 . 2014-02-11 18:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-11 15:06 . 2014-02-11 15:06 -------- d-----w- c:\windows\ERUNT
2014-02-11 15:00 . 2014-02-11 15:04 -------- d-----w- C:\AdwCleaner
2014-02-11 03:05 . 2014-02-11 03:10 -------- d-----w- C:\FRST
2014-02-10 22:12 . 2014-02-10 22:12 -------- d-----w- c:\program files\HitmanPro
2014-02-10 22:11 . 2014-02-10 22:32 -------- d-----w- c:\programdata\HitmanPro
2014-02-10 20:56 . 2014-02-10 20:56 -------- d-----w- c:\users\Uros\AppData\Local\NativeMessaging
2014-02-09 18:41 . 2014-02-09 18:42 -------- d-----w- c:\users\Uros\.android
2014-02-09 18:41 . 2014-02-09 18:44 -------- d-----w- c:\users\Uros\AppData\Local\cache
2014-02-09 18:41 . 2014-02-09 20:14 -------- d-----w- c:\users\Uros\AppData\Local\genienext
2014-02-07 21:14 . 2014-02-07 23:53 -------- d-----w- c:\users\Uros\AppData\Roaming\Awesomium
2014-02-07 20:12 . 2014-02-07 20:12 -------- d-----w- c:\programdata\Elder Scrolls Online
2014-01-23 16:05 . 2013-10-25 06:17 701952 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
2014-01-23 15:41 . 2013-06-06 05:50 41472 ----a-w- c:\windows\system32\lpk.dll
2014-01-23 15:39 . 2013-07-20 10:33 102608 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2014-01-23 15:38 . 2013-08-01 12:09 983488 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-01-23 15:38 . 2013-10-12 02:30 830464 ----a-w- c:\windows\system32\nshwfp.dll
2014-01-23 15:38 . 2013-10-12 02:29 859648 ----a-w- c:\windows\system32\IKEEXT.DLL
2014-01-23 15:38 . 2013-10-12 02:29 324096 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2014-01-23 15:38 . 2013-10-12 02:03 656896 ----a-w- c:\windows\SysWow64\nshwfp.dll
2014-01-23 15:38 . 2013-10-12 02:01 216576 ----a-w- c:\windows\SysWow64\FWPUCLNT.DLL
2014-01-23 15:34 . 2013-12-27 18:42 39200 ----a-w- c:\windows\system32\drivers\nvvad64v.sys
2014-01-23 15:34 . 2013-12-27 18:42 33056 ----a-w- c:\windows\SysWow64\nvaudcap32v.dll
2014-01-19 17:39 . 2013-12-18 20:09 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-01-16 17:52 . 2014-01-16 17:56 -------- d-----w- c:\users\Uros\AppData\Local\Darksiders
2014-01-16 17:51 . 2014-01-16 17:51 -------- d-----w- c:\program files (x86)\THQ
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-21 02:53 . 2013-12-09 09:00 1048152 ----a-w- c:\windows\SysWow64\nvspcap.dll
2014-01-21 02:53 . 2013-12-09 09:00 1179576 ----a-w- c:\windows\system32\nvspcap64.dll
2014-01-06 15:20 . 2013-09-24 22:58 86054176 ----a-w- c:\windows\system32\MRT.exe
2013-12-27 18:42 . 2013-12-09 08:58 35104 ----a-w- c:\windows\system32\nvaudcap64v.dll
2013-12-19 20:33 . 2014-01-08 04:46 9700224 ----a-w- c:\windows\SysWow64\nvcuda.dll
2013-12-19 20:33 . 2014-01-08 04:46 9657464 ----a-w- c:\windows\SysWow64\nvopencl.dll
2013-12-19 20:33 . 2014-01-08 04:46 882464 ----a-w- c:\windows\system32\NvIFR64.dll
2013-12-19 20:33 . 2014-01-08 04:46 879392 ----a-w- c:\windows\system32\NvFBC64.dll
2013-12-19 20:33 . 2014-01-08 04:46 852768 ----a-w- c:\windows\SysWow64\NvIFR.dll
2013-12-19 20:33 . 2014-01-08 04:46 847648 ----a-w- c:\windows\SysWow64\NvFBC.dll
2013-12-19 20:33 . 2014-01-08 04:46 479520 ----a-w- c:\windows\system32\nvEncodeAPI64.dll
2013-12-19 20:33 . 2014-01-08 04:46 405280 ----a-w- c:\windows\SysWow64\nvEncodeAPI.dll
2013-12-19 20:33 . 2014-01-08 04:46 357152 ----a-w- c:\windows\system32\NvIFROpenGL.dll
2013-12-19 20:33 . 2014-01-08 04:46 317472 ----a-w- c:\windows\system32\nvoglshim64.dll
2013-12-19 20:33 . 2014-01-08 04:46 314656 ----a-w- c:\windows\SysWow64\NvIFROpenGL.dll
2013-12-19 20:33 . 2014-01-08 04:46 3132704 ----a-w- c:\windows\system32\nvcuvid.dll
2013-12-19 20:33 . 2014-01-08 04:46 3125024 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-12-19 20:33 . 2014-01-08 04:46 30372640 ----a-w- c:\windows\system32\nvoglv64.dll
2013-12-19 20:33 . 2014-01-08 04:46 2947872 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2013-12-19 20:33 . 2014-01-08 04:46 2747680 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2013-12-19 20:33 . 2014-01-08 04:46 266984 ----a-w- c:\windows\SysWow64\nvoglshim32.dll
2013-12-19 20:33 . 2014-01-08 04:46 25257248 ----a-w- c:\windows\system32\nvcompiler.dll
2013-12-19 20:33 . 2014-01-08 04:46 22960416 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2013-12-19 20:33 . 2014-01-08 04:46 1884448 ----a-w- c:\windows\system32\nvdispco6433221.dll
2013-12-19 20:33 . 2014-01-08 04:46 18222008 ----a-w- c:\windows\system32\nvd3dumx.dll
2013-12-19 20:33 . 2014-01-08 04:46 17560352 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2013-12-19 20:33 . 2014-01-08 04:46 168616 ----a-w- c:\windows\system32\nvinitx.dll
2013-12-19 20:33 . 2014-01-08 04:46 15877216 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2013-12-19 20:33 . 2014-01-08 04:46 1511712 ----a-w- c:\windows\system32\nvdispgenco6433221.dll
2013-12-19 20:33 . 2014-01-08 04:46 141336 ----a-w- c:\windows\SysWow64\nvinit.dll
2013-12-19 20:33 . 2014-01-08 04:46 12645664 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-12-19 20:33 . 2014-01-08 04:46 1242400 ----a-w- c:\windows\SysWow64\nvumdshim.dll
2013-12-19 20:33 . 2014-01-08 04:46 11605752 ----a-w- c:\windows\system32\nvcuda.dll
2013-12-19 20:33 . 2014-01-08 04:46 11554264 ----a-w- c:\windows\system32\nvopencl.dll
2013-12-19 20:33 . 2013-12-09 08:58 2698272 ----a-w- c:\windows\SysWow64\nvapi.dll
2013-12-19 20:33 . 2013-12-02 09:22 61216 ----a-w- c:\windows\system32\OpenCL.dll
2013-12-19 20:33 . 2013-12-02 09:22 53024 ----a-w- c:\windows\SysWow64\OpenCL.dll
2013-12-19 20:33 . 2013-10-27 08:12 18310112 ----a-w- c:\windows\system32\nvwgf2umx.dll
2013-12-19 20:33 . 2013-10-27 08:12 1436528 ----a-w- c:\windows\system32\nvumdshimx.dll
2013-12-19 20:33 . 2013-10-27 08:12 15230352 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2013-12-19 20:33 . 2013-10-27 08:12 3071656 ----a-w- c:\windows\system32\nvapi64.dll
2013-12-19 18:53 . 2013-12-02 09:22 6671648 ----a-w- c:\windows\system32\nvcpl.dll
2013-12-19 18:53 . 2013-12-02 09:22 3490080 ----a-w- c:\windows\system32\nvsvc64.dll
2013-12-19 18:53 . 2013-12-02 09:22 922912 ----a-w- c:\windows\system32\nvvsvc.exe
2013-12-19 18:53 . 2013-12-02 09:22 63776 ----a-w- c:\windows\system32\nvshext.dll
2013-12-19 18:53 . 2013-12-02 09:22 386336 ----a-w- c:\windows\system32\nvmctray.dll
2013-12-19 11:20 . 2013-12-19 11:20 590112 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2013-12-19 05:01 . 2013-12-02 09:22 3539040 ----a-w- c:\windows\system32\nvcoproc.bin
2013-12-19 02:07 . 2013-12-10 09:48 13338112 ----a-w- c:\users\Uros\PCPE_3.0.1.msi
2013-12-17 13:37 . 2013-09-25 11:41 84720 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2013-12-17 13:37 . 2013-09-24 21:54 131576 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-12-17 13:37 . 2013-09-24 21:54 108440 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-11-28 13:38 . 2014-01-08 04:46 31520 ----a-w- c:\windows\system32\nvhdap64.dll
2013-11-28 13:38 . 2014-01-08 04:46 197408 ----a-w- c:\windows\system32\drivers\nvhda64v.sys
2013-11-25 15:19 . 2013-09-24 21:54 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-11-22 08:36 . 2014-01-08 04:46 1515296 ----a-w- c:\windows\system32\nvhdagenco6420103.dll
2013-11-14 11:55 . 2013-12-09 08:58 1884448 ----a-w- c:\windows\system32\nvdispco6433182.dll
2013-11-14 11:55 . 2013-12-09 08:58 1511712 ----a-w- c:\windows\system32\nvdispgenco6433182.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2013-09-24 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2013-09-24 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2014-02-08 1813184]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-12-17 684600]
"UpdatePDRShortCut"="d:\programs\Cyberlink power director\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys;c:\windows\SYSNATIVE\Drivers\ssadadb.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys;c:\windows\SYSNATIVE\DRIVERS\ssadserd.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 APNMCP;Ask Update Service;c:\program files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe;c:\program files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [x]
R4 Util GrabRez;Util GrabRez;c:\program files (x86)\GrabRez\bin\utilGrabRez.exe;c:\program files (x86)\GrabRez\bin\utilGrabRez.exe [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE;c:\program files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [x]
S2 JMB36X;JMB36X;c:\windows\SysWOW64\XSrvSetup.exe;c:\windows\SysWOW64\XSrvSetup.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
S3 LVUVC64;Logitech Webcam C210(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-02-04 19:10 1211720 ----a-w- c:\program files (x86)\Google\Chrome\Application\32.0.1700.107\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-24 21:53]
.
2014-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-24 21:53]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-26 10135584]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2014-01-21 1179576]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2014-01-21 2234144]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files (x86)\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 89.216.1.30 89.216.1.50
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{41564952-412D-5637-00A7-7A786E7484D7} - (no file)
WebBrowser-{41564952-412D-5637-00A7-7A786E7484D7} - (no file)
HKLM-Run-Nvtmru - c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-02-11  19:19:41
ComboFix-quarantined-files.txt  2014-02-11 18:19
.
Pre-Run: 59,266,125,824 bytes free
Post-Run: 60,371,451,904 bytes free
.
- - End Of File - - 27187DBC7E45BF67EE409D6C3B74B5E3
A36C5E4F47E84449FF07ED3517B43A31

Edited by Vanguard89, 11 February 2014 - 01:45 PM.


#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 11 February 2014 - 09:09 PM


Hello Vanguard89

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

ClearJavaCache::


 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[image: CFScriptB-4.gif]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Vanguard89
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:Serbia

Posted 12 February 2014 - 10:25 PM

OK, this scan took longer; it ran for sure 15-20 minutes and waited long at step 5 (and there were way more steps than in the scan of ComboFix 2 days ago, which had like 10 steps). To be honest, I didn't notice the system working better; it was slower at some points, but again working pretty well and opening pages relatively fast and straightforward, with no pop-ups or uncontrolled downloads of executables from the internet (that happened the first day I had caught the malware/s), and when I read the log now I see again there is GrabRez, but I don't understand whether I am reading it right. Here is the log; I did all as instructed:

 

AV: Avira Desktop *Disabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Disabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2014-01-13 to 2014-02-13  )))))))))))))))))))))))))))))))
.
.
2014-02-13 00:25 . 2014-02-13 00:25 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2014-02-13 00:25 . 2014-02-13 00:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-11 15:06 . 2014-02-11 15:06 -------- d-----w- c:\windows\ERUNT
2014-02-11 15:00 . 2014-02-11 15:04 -------- d-----w- C:\AdwCleaner
2014-02-11 03:05 . 2014-02-11 03:10 -------- d-----w- C:\FRST
2014-02-10 22:12 . 2014-02-10 22:12 -------- d-----w- c:\program files\HitmanPro
2014-02-10 22:11 . 2014-02-10 22:32 -------- d-----w- c:\programdata\HitmanPro
2014-02-10 20:56 . 2014-02-10 20:56 -------- d-----w- c:\users\Uros\AppData\Local\NativeMessaging
2014-02-09 18:41 . 2014-02-09 18:42 -------- d-----w- c:\users\Uros\.android
2014-02-09 18:41 . 2014-02-09 18:44 -------- d-----w- c:\users\Uros\AppData\Local\cache
2014-02-09 18:41 . 2014-02-09 20:14 -------- d-----w- c:\users\Uros\AppData\Local\genienext
2014-02-07 21:14 . 2014-02-07 23:53 -------- d-----w- c:\users\Uros\AppData\Roaming\Awesomium
2014-02-07 20:12 . 2014-02-07 20:12 -------- d-----w- c:\programdata\Elder Scrolls Online
2014-01-23 16:05 . 2013-10-25 06:17 701952 ----a-w- c:\program files\Internet Explorer\ieproxy.dll
2014-01-23 15:41 . 2013-06-06 05:50 41472 ----a-w- c:\windows\system32\lpk.dll
2014-01-23 15:39 . 2013-07-20 10:33 102608 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2014-01-23 15:38 . 2013-08-01 12:09 983488 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-01-23 15:38 . 2013-10-12 02:30 830464 ----a-w- c:\windows\system32\nshwfp.dll
2014-01-23 15:38 . 2013-10-12 02:29 859648 ----a-w- c:\windows\system32\IKEEXT.DLL
2014-01-23 15:38 . 2013-10-12 02:29 324096 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2014-01-23 15:38 . 2013-10-12 02:03 656896 ----a-w- c:\windows\SysWow64\nshwfp.dll
2014-01-23 15:38 . 2013-10-12 02:01 216576 ----a-w- c:\windows\SysWow64\FWPUCLNT.DLL
2014-01-23 15:34 . 2013-12-27 18:42 39200 ----a-w- c:\windows\system32\drivers\nvvad64v.sys
2014-01-23 15:34 . 2013-12-27 18:42 33056 ----a-w- c:\windows\SysWow64\nvaudcap32v.dll
2014-01-19 17:39 . 2013-12-18 20:09 96168 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-01-16 17:52 . 2014-01-16 17:56 -------- d-----w- c:\users\Uros\AppData\Local\Darksiders
2014-01-16 17:51 . 2014-01-16 17:51 -------- d-----w- c:\program files (x86)\THQ
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-01-21 02:53 . 2013-12-09 09:00 1048152 ----a-w- c:\windows\SysWow64\nvspcap.dll
2014-01-21 02:53 . 2013-12-09 09:00 1179576 ----a-w- c:\windows\system32\nvspcap64.dll
2014-01-06 15:20 . 2013-09-24 22:58 86054176 ----a-w- c:\windows\system32\MRT.exe
2013-12-27 18:42 . 2013-12-09 08:58 35104 ----a-w- c:\windows\system32\nvaudcap64v.dll
2013-12-19 20:33 . 2014-01-08 04:46 9700224 ----a-w- c:\windows\SysWow64\nvcuda.dll
2013-12-19 20:33 . 2014-01-08 04:46 9657464 ----a-w- c:\windows\SysWow64\nvopencl.dll
2013-12-19 20:33 . 2014-01-08 04:46 882464 ----a-w- c:\windows\system32\NvIFR64.dll
2013-12-19 20:33 . 2014-01-08 04:46 879392 ----a-w- c:\windows\system32\NvFBC64.dll
2013-12-19 20:33 . 2014-01-08 04:46 852768 ----a-w- c:\windows\SysWow64\NvIFR.dll
2013-12-19 20:33 . 2014-01-08 04:46 847648 ----a-w- c:\windows\SysWow64\NvFBC.dll
2013-12-19 20:33 . 2014-01-08 04:46 479520 ----a-w- c:\windows\system32\nvEncodeAPI64.dll
2013-12-19 20:33 . 2014-01-08 04:46 405280 ----a-w- c:\windows\SysWow64\nvEncodeAPI.dll
2013-12-19 20:33 . 2014-01-08 04:46 357152 ----a-w- c:\windows\system32\NvIFROpenGL.dll
2013-12-19 20:33 . 2014-01-08 04:46 317472 ----a-w- c:\windows\system32\nvoglshim64.dll
2013-12-19 20:33 . 2014-01-08 04:46 314656 ----a-w- c:\windows\SysWow64\NvIFROpenGL.dll
2013-12-19 20:33 . 2014-01-08 04:46 3132704 ----a-w- c:\windows\system32\nvcuvid.dll
2013-12-19 20:33 . 2014-01-08 04:46 3125024 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-12-19 20:33 . 2014-01-08 04:46 30372640 ----a-w- c:\windows\system32\nvoglv64.dll
2013-12-19 20:33 . 2014-01-08 04:46 2947872 ----a-w- c:\windows\SysWow64\nvcuvid.dll
2013-12-19 20:33 . 2014-01-08 04:46 2747680 ----a-w- c:\windows\SysWow64\nvcuvenc.dll
2013-12-19 20:33 . 2014-01-08 04:46 266984 ----a-w- c:\windows\SysWow64\nvoglshim32.dll
2013-12-19 20:33 . 2014-01-08 04:46 25257248 ----a-w- c:\windows\system32\nvcompiler.dll
2013-12-19 20:33 . 2014-01-08 04:46 22960416 ----a-w- c:\windows\SysWow64\nvoglv32.dll
2013-12-19 20:33 . 2014-01-08 04:46 1884448 ----a-w- c:\windows\system32\nvdispco6433221.dll
2013-12-19 20:33 . 2014-01-08 04:46 18222008 ----a-w- c:\windows\system32\nvd3dumx.dll
2013-12-19 20:33 . 2014-01-08 04:46 17560352 ----a-w- c:\windows\SysWow64\nvcompiler.dll
2013-12-19 20:33 . 2014-01-08 04:46 168616 ----a-w- c:\windows\system32\nvinitx.dll
2013-12-19 20:33 . 2014-01-08 04:46 15877216 ----a-w- c:\windows\SysWow64\nvwgf2um.dll
2013-12-19 20:33 . 2014-01-08 04:46 1511712 ----a-w- c:\windows\system32\nvdispgenco6433221.dll
2013-12-19 20:33 . 2014-01-08 04:46 141336 ----a-w- c:\windows\SysWow64\nvinit.dll
2013-12-19 20:33 . 2014-01-08 04:46 12645664 ----a-w- c:\windows\system32\drivers\nvlddmkm.sys
2013-12-19 20:33 . 2014-01-08 04:46 1242400 ----a-w- c:\windows\SysWow64\nvumdshim.dll
2013-12-19 20:33 . 2014-01-08 04:46 11605752 ----a-w- c:\windows\system32\nvcuda.dll
2013-12-19 20:33 . 2014-01-08 04:46 11554264 ----a-w- c:\windows\system32\nvopencl.dll
2013-12-19 20:33 . 2013-12-09 08:58 2698272 ----a-w- c:\windows\SysWow64\nvapi.dll
2013-12-19 20:33 . 2013-12-02 09:22 61216 ----a-w- c:\windows\system32\OpenCL.dll
2013-12-19 20:33 . 2013-12-02 09:22 53024 ----a-w- c:\windows\SysWow64\OpenCL.dll
2013-12-19 20:33 . 2013-10-27 08:12 18310112 ----a-w- c:\windows\system32\nvwgf2umx.dll
2013-12-19 20:33 . 2013-10-27 08:12 1436528 ----a-w- c:\windows\system32\nvumdshimx.dll
2013-12-19 20:33 . 2013-10-27 08:12 15230352 ----a-w- c:\windows\SysWow64\nvd3dum.dll
2013-12-19 20:33 . 2013-10-27 08:12 3071656 ----a-w- c:\windows\system32\nvapi64.dll
2013-12-19 18:53 . 2013-12-02 09:22 6671648 ----a-w- c:\windows\system32\nvcpl.dll
2013-12-19 18:53 . 2013-12-02 09:22 3490080 ----a-w- c:\windows\system32\nvsvc64.dll
2013-12-19 18:53 . 2013-12-02 09:22 922912 ----a-w- c:\windows\system32\nvvsvc.exe
2013-12-19 18:53 . 2013-12-02 09:22 63776 ----a-w- c:\windows\system32\nvshext.dll
2013-12-19 18:53 . 2013-12-02 09:22 386336 ----a-w- c:\windows\system32\nvmctray.dll
2013-12-19 11:20 . 2013-12-19 11:20 590112 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2013-12-19 05:01 . 2013-12-02 09:22 3539040 ----a-w- c:\windows\system32\nvcoproc.bin
2013-12-19 02:07 . 2013-12-10 09:48 13338112 ----a-w- c:\users\Uros\PCPE_3.0.1.msi
2013-12-17 13:37 . 2013-09-25 11:41 84720 ----a-w- c:\windows\system32\drivers\avnetflt.sys
2013-12-17 13:37 . 2013-09-24 21:54 131576 ----a-w- c:\windows\system32\drivers\avipbb.sys
2013-12-17 13:37 . 2013-09-24 21:54 108440 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2013-11-28 13:38 . 2014-01-08 04:46 31520 ----a-w- c:\windows\system32\nvhdap64.dll
2013-11-28 13:38 . 2014-01-08 04:46 197408 ----a-w- c:\windows\system32\drivers\nvhda64v.sys
2013-11-25 15:19 . 2013-09-24 21:54 28600 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2013-11-22 08:36 . 2014-01-08 04:46 1515296 ----a-w- c:\windows\system32\nvhdagenco6420103.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2013-09-24 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2013-09-24 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2014-02-11 1822400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2010-01-19 43632]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-12-17 684600]
"UpdatePDRShortCut"="d:\programs\Cyberlink power director\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-03 218408]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-11-21 959904]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-21 59720]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\Drivers\ssadadb.sys;c:\windows\SYSNATIVE\Drivers\ssadadb.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\DRIVERS\ssadbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\DRIVERS\ssadmdfl.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\DRIVERS\ssadmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssadmdm.sys [x]
R3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\DRIVERS\ssadserd.sys;c:\windows\SYSNATIVE\DRIVERS\ssadserd.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 APNMCP;Ask Update Service;c:\program files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe;c:\program files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [x]
R4 Util GrabRez;Util GrabRez;c:\program files (x86)\GrabRez\bin\utilGrabRez.exe;c:\program files (x86)\GrabRez\bin\utilGrabRez.exe [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys;c:\windows\SYSNATIVE\DRIVERS\avkmgr.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [x]
S2 AntiVirWebService;Avira Web Protection;c:\program files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE;c:\program files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [x]
S2 JMB36X;JMB36X;c:\windows\SysWOW64\XSrvSetup.exe;c:\windows\SysWOW64\XSrvSetup.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S2 TeamViewer8;TeamViewer 8;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe;c:\program files (x86)\TeamViewer\Version8\TeamViewer_Service.exe [x]
S2 UMVPFSrv;UMVPFSrv;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe;c:\program files (x86)\Common Files\logishrd\LVMVFM\UMVPFSrv.exe [x]
S3 LVUVC64;Logitech Webcam C210(UVC);c:\windows\system32\DRIVERS\lvuvc64.sys;c:\windows\SYSNATIVE\DRIVERS\lvuvc64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-02-04 19:10 1211720 ----a-w- c:\program files (x86)\Google\Chrome\Application\32.0.1700.107\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-24 21:53]
.
2014-02-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-24 21:53]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-03-26 10135584]
"Nvtmru"="c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe" [BU]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2014-01-21 1179576]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2014-01-21 2234144]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files (x86)\Avira\AntiVir Desktop\avsda.dll
TCP: DhcpNameServer = 89.216.1.30 89.216.1.50
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{41564952-412D-5637-00A7-7A786E7484D7} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-02-13  01:26:49
ComboFix-quarantined-files.txt  2014-02-13 00:26
ComboFix2.txt  2014-02-11 18:19
.
Pre-Run: 61,961,449,472 bytes free
Post-Run: 61,483,307,008 bytes free
.
- - End Of File - - A76266159AA6C424935FB80605A8753E
A36C5E4F47E84449FF07ED3517B43A31
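The poster asks above whether the GrabRez line in the "Reg Loading Points" section is being read correctly. The following is an added example, not ComboFix code and not code posted by either participant: a small Python parser for that section of a ComboFix log, covering the quoted Run values under each [HKEY_...] key and the R/S service lines (ComboFix's convention: R running, S stopped, followed by the start-type digit, 2 auto, 3 manual, 4 disabled). It extracts each autostart entry and flags those whose image path contains a watchlist term. The sample lines are a constructed subset copied from the log above; the watchlist (built from the two names already identified as unwanted in this thread, GrabRez and the Ask Partner Network toolbar folder) and all function and class names are this example's own assumptions.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log and flag
autostart entries by image path.

Added example for this thread; it is not ComboFix code and not code
posted by either participant. The watchlist and all names here are
this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample: a subset of lines copied from the ComboFix log
# posted above (Run values under their keys, plus R/S service lines).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2014-02-11 1822400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2013-12-17 684600]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="userinit.exe"
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R4 APNMCP;Ask Update Service;c:\program files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe;c:\program files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [x]
R4 Util GrabRez;Util GrabRez;c:\program files (x86)\GrabRez\bin\utilGrabRez.exe;c:\program files (x86)\GrabRez\bin\utilGrabRez.exe [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [x]
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# "Name"="path" followed by an optional bracketed annotation ([date size] or [BU]).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?$')
# R/S + start-type digit, then name;display;image;image [x]
SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>\d)\s+'
    r'(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>[^;]+);[^;]*\[x\]$')


@dataclass
class RunValue:
    key: str    # registry key the value sits under
    name: str   # value name, e.g. "Steam"
    path: str   # command or image path
    meta: str   # ComboFix's bracketed annotation, or "" if none


@dataclass
class Service:
    state: str       # 'R' running or 'S' stopped (ComboFix convention)
    start_type: int  # 2 auto, 3 manual, 4 disabled (ComboFix convention)
    name: str
    display: str
    image: str


def parse_reg_loading_points(text: str) -> Tuple[List[RunValue], List[Service]]:
    """Walk the log line by line, remembering the current [HKEY_...] key so
    each quoted value is attributed to it; service lines stand on their own."""
    values: List[RunValue] = []
    services: List[Service] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":       # ComboFix prints '.' for blank lines
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            values.append(RunValue(current_key, m.group("name"),
                                   m.group("path"), m.group("meta") or ""))
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(Service(m.group("state"), int(m.group("start")),
                                    m.group("name").strip(),
                                    m.group("display").strip(),
                                    m.group("image").strip()))
    return values, services


def flag_entries(values: Sequence[RunValue], services: Sequence[Service],
                 watchlist: Sequence[str]) -> List[str]:
    """Return the names of autostart entries whose image path contains any
    watchlist term (case-insensitive). Matching on the path rather than the
    display name catches a service that was renamed but not moved."""
    terms = [t.lower() for t in watchlist]
    hits = [v.name for v in values if any(t in v.path.lower() for t in terms)]
    hits += [s.name for s in services if any(t in s.image.lower() for t in terms)]
    return hits


# Constructed watchlist (assumption): the two names already identified as
# unwanted in this thread.
WATCHLIST = ("grabrez", "askpartnernetwork")


if __name__ == "__main__":
    run_values, svc = parse_reg_loading_points(SAMPLE_LOG)
    for s in svc:
        print(f"{s.state}{s.start_type} {s.name:<14} {s.image}")
    print("flagged:", flag_entries(run_values, svc, WATCHLIST))
```

Read against the log above, the GrabRez line parses as state R (running) with start type 4, so the entry is still present as a service even though the program was removed from Control Panel; that is the kind of leftover a follow-up script is expected to clear, and a parser like this makes it easy to diff the two ComboFix logs in the thread.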
 


#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 12 February 2014 - 10:56 PM


Hello Vanguard89

I would like to see a report that combofix makes.

extra combofix report
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok
copy and paste the report into this topic for me to review

Gringo

#11 Vanguard89
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:Serbia

Posted 13 February 2014 - 10:01 AM

I must add that the computer today is working quite fast, and the browsing and opening of pages is really rather fast. Here's what I got, if I did it well: I pressed the Windows button with R, got the Run console, typed C:\Qoobox\Add-Remove Programs.txt in it and pressed OK:

 

 

 
µTorrent
Adobe Reader XI (11.0.06)
Alan Wake
Alan Wake's American Nightmare
Apple Application Support
Apple Software Update
Autodesk Backburner 2013.0.0
Avira Free Antivirus
Avira SearchFree Toolbar
BS.Player PRO
Burnout Paradise: The Ultimate Box
CyberLink PowerDirector
Darksiders
Darksiders II
DarksidersInstaller
Disciples II: Gallean's Return
Dota 2
Fallout 3 - Game of the Year Edition
Fallout Mod Manager 0.12.6
Fallout: New Vegas
Fraps (remove only)
FXAA Post Process Injector
Gigabyte Raid Configurer
Google Chrome
Google Earth
Google Update Helper
Heroes of Might & Magic V: Hammers of Fate
Heroes of Might and Magic V
Heroes of Might and Magic V - Tribes of the East
Java 7 Update 51
Java Auto Updater
Killing Floor
Left 4 Dead 2
Magicka
Malwarebytes Anti-Malware version 1.75.0.1300
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft XNA Framework Redistributable 3.1
Mirror's Edge
Nero 11 Mini Repack
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
QuickTime
RaidCall
Realtek Ethernet Controller Driver For Windows 7
Realtek High Definition Audio Driver
Red Faction: Armageddon
RIFT™
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
Skype™ 6.11
Steam
TeamViewer 8
TechPowerUp GPU-Z
The Elder Scrolls Online Beta
The Guild II
The Witcher 2: Assassins of Kings Enhanced Edition
Tomb Raider
Trine 2
VLC media player 2.1.3
WinZip 15.0
X3: Albion Prelude

Edited by Vanguard89, 13 February 2014 - 10:05 AM.


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:54 AM

Posted 14 February 2014 - 10:11 AM


Hello

P2P Warning!

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing. These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE: Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).
  • Programs to remove

    • µTorrent

  • Please download and install Revo Uninstaller Free
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.

Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here.
    • Run the installer to install the application.
    • When it gives you the option to install the Yahoo toolbar, uncheck the box next to it.
    • Run CCleaner. (Make sure under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.
Malwarebytes' Anti-Malware


I see you have MBAM installed on the computer; that is great!! It is a very good program! I would like you to run a quick scan for me now.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder, and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Download HijackThis
  • Go here to download the HijackThis program.
  • Save HijackThis to your desktop.
  • Right-click on HijackThis and select "Run as Admin" (XP users just need to double-click to run).
  • Click on "Do a system scan and save a logfile" (if you do not see "Do a system scan and save a logfile", then click on Main Menu).
  • Copy and paste the HijackThis report into the topic.
Information and logs
  • In your next post I need the following:
    • Log from MBAM
    • Report from HijackThis
    • Let me know of any problems you may have had
    • How is the computer doing now?
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
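Reviewing an Add-Remove Programs list for P2P clients and browser toolbars, as the helper did above when picking µTorrent out of the posted list, can be scripted for repeat triage. The following Python is an added example, not code from this thread or from any of the tools it names; the category patterns and the sample list (constructed from entries in the post, in the same one-name-per-line shape as C:\Qoobox\Add-Remove Programs.txt) are this example's own assumptions, and a "toolbar" or "p2p" hit marks an entry for review rather than declaring it malicious.

```python
import re

# Constructed sample in the plain-text shape of C:\Qoobox\Add-Remove Programs.txt:
# one product name per line (entries taken from the list posted in the thread).
SAMPLE_LIST = """\
µTorrent
Adobe Reader XI (11.0.06)
Avira Free Antivirus
Avira SearchFree Toolbar
Google Chrome
Java 7 Update 51
Malwarebytes Anti-Malware version 1.75.0.1300
Steam
VLC media player 2.1.3
"""

# Assumed review categories (this example's own, not the forum's checklist):
#   p2p      - file-sharing clients, mirroring the P2P warning in the thread
#   toolbar  - browser toolbars, which a malware-response helper always looks at
#   security - installed security tools, so the reviewer knows what is already there
CATEGORIES = {
    "p2p": re.compile(r"torrent|limewire|frostwire|emule|vuze|kazaa", re.I),
    "toolbar": re.compile(r"\btoolbar\b", re.I),
    "security": re.compile(r"antivirus|anti-malware|malwarebytes|avira", re.I),
}


def parse_program_list(text):
    """Return the non-empty, stripped lines of an Add-Remove Programs.txt dump."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def triage(programs):
    """Map each program name that matches at least one category to its category list,
    in CATEGORIES order, so the reviewer can scan the hits quickly."""
    flagged = {}
    for name in programs:
        hits = [cat for cat, pattern in CATEGORIES.items() if pattern.search(name)]
        if hits:
            flagged[name] = hits
    return flagged


def report(text):
    """Build a short human-readable triage summary for a program list."""
    programs = parse_program_list(text)
    flagged = triage(programs)
    lines = [f"{len(programs)} installed programs, {len(flagged)} matched a review category"]
    for name, cats in flagged.items():
        lines.append(f"  [{', '.join(cats)}] {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LIST))
```

To use it on a real list, read the Qoobox file into `report()` instead of `SAMPLE_LIST`; the output is a starting point for the helper's judgement, not a removal list.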

#13 gringo_pr


Posted 16 February 2014 - 11:06 PM



Hello

48 Hour bump

It has been more than 48 hours since my last post.
  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread, then it will have to be closed!
Gringo

#14 Vanguard89

Vanguard89
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Male
  • Location:Serbia
  • Local time:05:54 PM

Posted 17 February 2014 - 10:28 AM

Gringo, I haven't been at home for 2 days since the last post. I wanted to post that too, but I don't know why I couldn't from my phone. I read the instructions via phone; I will do all the proposed instructions and post the results in a few hours. Sorry for the delay.


Edited by Vanguard89, 17 February 2014 - 10:34 AM.


#15 gringo_pr


Posted 17 February 2014 - 11:21 AM

No problem, and I will be here when you are later.


gringo