Username.exe worm removal


This topic is locked
13 replies to this topic

#1 Ghost117

Ghost117

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 17 October 2014 - 10:30 AM

Hi guys,

I can't copy/paste into this forum from my Chrome browser, so I've attached both the DDS outputs.

Both the username.exe worms are in my C Drive Users/Username/AppData/Roaming folder.

One has called itself "VASSAL.exe" and the other is called "GHOST-117.exe"; both are encrypted files.

I've got Windows 7 64-bit, Comodo 7.x firewall, and MalwareBytes (which didn't detect this worm).

I installed Panda and it removed something called "amde.exe", but it made Windows unstable (wouldn't boot). I had to force safe mode and restore it to before Panda's installation.

The amde.exe is gone, but the 2 username.exe files are still there, though blocked in Firewall and no longer showing in my Task Manager or TCPView, so they have been isolated as far as I know.

Just need to figure out how to actually clean them without destroying my OS... and I think I'll have to do this manually.

p.s. neither of the username.exe files show in these two DDS logs if I search for them, so I'm curious as to how you guys spot the hooks of this worm from these logs?

Attached Files


Edited by Ghost117, 17 October 2014 - 10:55 AM.
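As an added example (not code from this thread, from BleepingComputer or from the FRST tool), the following Python script shows one way a responder starts answering the question above: it parses FRST-style Run-key lines and flags the launch points worth a closer look. The parser assumes the line format seen in the FRST log posted later in the thread; the header and three of the sample lines are copied from that log, while the [VASSAL] entry with its size and date is constructed for illustration, since the thread's own log shows no such entry. The user-writable folder list, the launcher list and the "named after the account or computer" rule are this example's own heuristics, not FRST's.

```python
"""Triage of FRST-style autorun (Run key) entries: flag launch points a responder
would inspect first. Added example, not code from the thread or from FRST."""
import re
from dataclasses import dataclass, field

# "Ran by VASSAL (administrator) on GHOST-117 on ..." header, as FRST writes it.
HEADER_RE = re.compile(r"^Ran by (?P<user>\S+) \([^)]*\) on (?P<host>\S+) on ")

# Assumed FRST line shape (size/date, signer and the unsigned marker are optional):
#   <hive>\...\Run: [<name>] => <target> [<size> <date>] (<signer>) [File not signed]
RUN_RE = re.compile(
    r"^(?P<hive>.+?\\Run):\s*\[(?P<name>[^\]]*)\]\s*=>\s*(?P<target>.+?)"
    r"(?:\s*\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\])?"
    r"(?:\s*\((?P<signer>[^)]*)\))?"
    r"(?P<unsigned>\s*\[File not signed\])?\s*$"
)

# Folders any standard user can write to; a persistent binary there deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
# Signed Windows binaries commonly used to start something else; the argument is what matters.
LAUNCHERS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}


@dataclass
class Finding:
    name: str
    target: str
    reasons: list = field(default_factory=list)


def triage_entry(line, user="", host=""):
    """Parse one Run line. Returns a Finding (reasons may be empty) or None for other lines."""
    m = RUN_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    low = target.lower()
    # The launched executable is the command text up to its first ".exe"; the rest is arguments.
    end = low.find(".exe")
    parts = low.split()
    exe_path = low[: end + 4] if end != -1 else (parts[0] if parts else low)
    basename = exe_path.rsplit("\\", 1)[-1]
    stem = basename[:-4] if basename.endswith(".exe") else basename

    reasons = []
    if any(folder in exe_path for folder in USER_WRITABLE):
        reasons.append("launches from a user-writable folder")
    if m.group("unsigned") or (m.group("signer") is not None and not m.group("signer").strip()):
        reasons.append("no publisher recorded for the file")
    if basename in LAUNCHERS:
        reasons.append(f"indirect launch via {basename}; inspect its argument")
    if stem and stem in {user.lower(), host.lower()}:
        reasons.append("file named after the account or computer name")
    return Finding(m.group("name"), target, reasons)


def triage_log(text):
    """Walk a log, pick up user/host from the FRST header, return entries that raised a reason."""
    user = host = ""
    findings = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            user, host = h.group("user"), h.group("host")
            continue
        f = triage_entry(line, user, host)
        if f and f.reasons:
            findings.append(f)
    return findings


# Constructed sample: the header and the RTHDVCPL, ShadowPlay, uTorrent and WD Quick View
# lines are copied from the FRST log in this thread; the [VASSAL] entry with its size and
# date is made up to show what a username.exe-style launch point would look like.
SAMPLE_LOG = r"""Ran by VASSAL (administrator) on GHOST-117 on 20-10-2014 18:52:48
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6548112 2012-06-12] (Realtek Semiconductor)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\Run: [uTorrent] => C:\Users\VASSAL\AppData\Roaming\uTorrent\uTorrent.exe [1385808 2014-10-07] (BitTorrent Inc.)
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\Run: [VASSAL] => C:\Users\VASSAL\AppData\Roaming\VASSAL.exe [118784 2014-10-15] ()
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5562736 2014-07-22] (Western Digital Technologies, Inc.)
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.name}] {f.target}")
        for r in f.reasons:
            print("   -", r)
```

Run it as a script to print the flagged entries. A hit is a lead for inspection (hash lookup, signature check, looking at the launcher's argument), not a verdict: the signed uTorrent entry under AppData\Roaming is flagged by the same folder rule that catches the constructed VASSAL entry, which is why the reasons are listed rather than summed into a score.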



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:10 PM

Posted 20 October 2014 - 09:32 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop For 32bit system or For 64bit system
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller.
=======

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply. DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#3 Ghost117

Ghost117
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 20 October 2014 - 10:05 AM

Hi Nasdaq, I can't seem to paste anything on this forum; is this a problem with Chrome? I tried the paste button as well, but nothing happens.

Before I run these steps, I just want to clarify this issue so I don't have to attach the logs if you don't want me to.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:10 PM

Posted 20 October 2014 - 12:29 PM

No problem. Attach the logs for my review.

#5 Ghost117

Ghost117
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:10 PM

Posted 20 October 2014 - 06:16 PM

Hi Nasdaq,

The 3 logs are attached. I've also attached a screenshot of the 2 encrypted username.exe files; they're still there.

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 20-10-2014
Ran by VASSAL (administrator) on GHOST-117 on 20-10-2014 18:52:48
Running from E:\Downloads\Username.exe cleaning
Loaded Profile: VASSAL (Available profiles: VASSAL)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
() C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsusFanControlService\1.01.10\AsusFanControlService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome Remote Desktop\38.0.2125.9\remoting_host.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome Remote Desktop\38.0.2125.9\remoting_host.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe
() C:\Windows\System32\PnkBstrA.exe
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\DIGI+ VRM\PowerControlHelp.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Space Sciences Laboratory) E:\POST-MIGRATION PROGRAM FILES\BOINC\boinctray.exe
(Space Sciences Laboratory) E:\POST-MIGRATION PROGRAM FILES\BOINC\boincmgr.exe
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\CisTray.exe
(Microsoft Corporation) C:\Windows\System32\StikyNot.exe
(BitTorrent Inc.) C:\Users\VASSAL\AppData\Roaming\uTorrent\uTorrent.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(ROCCAT GmbH Co., Ltd.) C:\Program Files (x86)\ROCCAT\Ryos Keyboard\Ryos MK Monitor.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.5\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Space Sciences Laboratory) E:\POST-MIGRATION PROGRAM FILES\BOINC\boinc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Samsung Electronics.) E:\POST-MIGRATION PROGRAM FILES\Samsung Magician\Samsung Magician.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.5\GoogleCrashHandler64.exe
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Mionix) C:\Program Files (x86)\Mionix\NAOS 5000 Laser Gaming Mouse\NAOS_Monitor.EXE
(Western Digital Technologies, Inc.) C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\TurboV EVO\TurboVHelp.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\USB 3.0 Boost\U3BoostSvr64.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
() E:\POST-MIGRATION PROGRAM FILES\BOINC DATA\projects\www.worldcommunitygrid.org\wcgrid_mcm1_7.35_windows_x86_64
() E:\POST-MIGRATION PROGRAM FILES\BOINC DATA\projects\www.worldcommunitygrid.org\wcgrid_ugm1_7.22_windows_x86_64
(COMODO) C:\Program Files\COMODO\COMODO Internet Security\cis.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AI Suite II.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\Sensor\AlertHelper\AlertHelper.exe
() E:\POST-MIGRATION PROGRAM FILES\BOINC DATA\projects\www.worldcommunitygrid.org\wcgrid_ugm1_7.22_windows_x86_64


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6548112 2012-06-12] (Realtek Semiconductor)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2463552 2014-10-04] (NVIDIA Corporation)
HKLM\...\Run: [boinctray] => E:\POST-MIGRATION PROGRAM FILES\BOINC\boinctray.exe [73360 2014-02-27] (Space Sciences Laboratory)
HKLM\...\Run: [boincmgr] => E:\POST-MIGRATION PROGRAM FILES\BOINC\boincmgr.exe [5885072 2014-02-27] (Space Sciences Laboratory)
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1275608 2014-03-25] (COMODO)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-04-26] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [Mionix NAOS 5000] => C:\Program Files (x86)\Mionix\NAOS 5000 Laser Gaming Mouse\NAOS_Monitor.EXE [184320 2010-01-05] (Mionix)
HKLM-x32\...\Run: [WD Quick View] => C:\Program Files (x86)\Western Digital\WD Quick View\WDDMStatus.exe [5562736 2014-07-22] (Western Digital Technologies, Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\Run: [uTorrent] => C:\Users\VASSAL\AppData\Roaming\uTorrent\uTorrent.exe [1385808 2014-10-07] (BitTorrent Inc.)
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\Run: [GoogleChromeAutoLaunch_1562965236ABD1D17052F6235D6566FD] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [854344 2014-10-09] (Google Inc.)
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\Run: [Google Update] => C:\Users\VASSAL\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2014-08-09] (Google Inc.)
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\MountPoints2: D - D:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\MountPoints2: {0b6802c8-acaf-11e2-b88f-1c6f65d33604} - K:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\MountPoints2: {258d1b45-d22a-11e2-9453-60a44c5e8c12} - J:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\MountPoints2: {2e654185-d4f5-11e2-b4b0-60a44c5e8c12} - J:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\MountPoints2: {791c2e25-0527-11e3-9ec5-60a44c5e8c12} - J:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\MountPoints2: {791c2f84-0527-11e3-9ec5-60a44c5e8c12} - J:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\MountPoints2: {791c2f85-0527-11e3-9ec5-60a44c5e8c12} - J:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\MountPoints2: {87bf2a35-4c7e-11e4-baee-60a44c5e8c12} - D:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-915549161-1220755475-2392921047-1000\...\MountPoints2: {daf33e50-aa29-11e3-900d-60a44c5e8c12} - J:\Setup.exe
AppInit_DLLs-x32: => "" File Not Found
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Ryos Driver.lnk
ShortcutTarget: Ryos Driver.lnk -> C:\Program Files (x86)\ROCCAT\Ryos Keyboard\Ryos MK Monitor.exe (ROCCAT GmbH Co., Ltd.)
Startup: C:\Users\VASSAL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\foobar2000.exe - Shortcut.lnk
ShortcutTarget: foobar2000.exe - Shortcut.lnk -> C:\Program Files (x86)\foobar2000\foobar2000.exe (Piotr Pawlowski)
Startup: C:\Users\VASSAL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Samsung Magician.lnk
ShortcutTarget: Samsung Magician.lnk -> C:\Windows\System32\schtasks.exe (Microsoft Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\VASSAL\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\VASSAL\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\VASSAL\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\VASSAL\AppData\Roaming\Dropbox\bin\DropboxExt64.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\VASSAL\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\VASSAL\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\VASSAL\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\VASSAL\AppData\Roaming\Dropbox\bin\DropboxExt.22.dll (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://ca.yahoo.com/?fr=hp-avast&type=avastbcl
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Bar = https://ca.yahoo.com/?fr=hp-avast&type=avastbcl
SearchScopes: HKLM-x32 - DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://ca.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 - {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://ca.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
SearchScopes: HKCU - DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://ca.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBDSV
SearchScopes: HKCU - {4594BA02-D2C4-463a-8F65-DB5A8151F108} URL = http://www.google.com/custom?client=pub-3794288947762788&forid=1&channel=4183257091&ie=UTF-8&oe=UTF-8&safe=active&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A1&hl=en&q={searchTerms}
SearchScopes: HKCU - {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://ca.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3268494&CUI=UN28892651122689246
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> E:\POST-MIGRATION PROGRAM FILES\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Adobe PDF Conversion Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: SmartSelect Class -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
DPF: HKLM-x32 {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} http://download.gigabyte.com.tw/object/Dldrv.ocx
Handler-x32: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\POST-MIGRATION PROGRAM FILES\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt

FireFox:
========
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelogx64.dll (EA Digital Illusions CE AB)
FF Plugin: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelogx64.dll (EA Digital Illusions CE AB)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> E:\POST-M~1\Office14\NPAUTHZ.DLL No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll (DivX, LLC)
FF Plugin-x32: @esn/npbattlelog,version=2.5.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.0\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @esn/npbattlelog,version=2.5.1 -> C:\Program Files (x86)\Battlelog Web Plugins\2.5.1\npbattlelog.dll (EA Digital Illusions CE AB)
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin-x32: @wolfram.com/Mathematica -> C:\Program Files (x86)\Common Files\Wolfram Research\Browser\9.0.1.4092550\npmathplugin.dll (Wolfram Research, Inc.)
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKCU: @talk.google.com/GoogleTalkPlugin -> C:\Users\VASSAL\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin HKCU: @talk.google.com/O1DPlugin -> C:\Users\VASSAL\AppData\Roaming\Mozilla\plugins\npo1d.dll (Google)
FF Plugin HKCU: @tools.google.com/Google Update;version=3 -> C:\Users\VASSAL\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @tools.google.com/Google Update;version=9 -> C:\Users\VASSAL\AppData\Local\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKCU: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\VASSAL\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Users\VASSAL\AppData\Roaming\mozilla\plugins\npgoogletalk.dll (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\VASSAL\AppData\Roaming\mozilla\plugins\npo1d.dll (Google)
FF HKLM-x32\...\Firefox\Extensions: [web2pdfextension@web2pdf.adobedotcom] - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\Browser\WCFirefoxExtn [2012-10-23]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3330789&octid=EB_ORIGINAL_CTID&ISID=MC2D6ED49-02F2-43E0-9473-FC94709C7F7B&SearchSource=55&CUI=&UM=6&UP=SP2F502AB3-9B84-4CB6-AD58-77F40C20EEC4&SSPV=
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3330789&octid=EB_ORIGINAL_CTID&ISID=MC2D6ED49-02F2-43E0-9473-FC94709C7F7B&SearchSource=55&CUI=&UM=6&UP=SP2F502AB3-9B84-4CB6-AD58-77F40C20EEC4&SSPV="
CHR DefaultSearchKeyword: Default -> google.com_
CHR DefaultSearchURL: Default -> http://www.google.com/search?q={searchTerms}&ie=utf-8&oe=utf-8&aq=t
CHR DefaultSuggestURL: Default -> http://suggestqueries.google.com/complete/search?q={searchTerms}
CHR Profile: C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Angry Birds) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2012-10-21]
CHR Extension: (Media Hint) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\anepbdekljkmmimmhbniglnnanmmkoja [2013-03-01]
CHR Extension: (Google Drive) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-08-07]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-25]
CHR Extension: (Turn Off the Lights) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\bfbmjmiodbnnpllbbbfblcplfjjepjdn [2012-10-21]
CHR Extension: (YouTube) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-10-21]
CHR Extension: (Slinky Elegant) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmanlajnpdncmhfkiccmbgeocgbncfln [2013-08-09]
CHR Extension: (Adblock Plus) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-10-13]
CHR Extension: (Google Search) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-10-21]
CHR Extension: (Block site) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\eiimnmioipafcokbfikbljfdeojpcgbh [2014-05-04]
CHR Extension: (Disconnect Search) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmobfennjmjnkdbklhcnnfbhfibedgkk [2014-10-13]
CHR Extension: (Referer Control) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\hnkcfpcejkafcihlgbojoidoihckciin [2014-10-14]
CHR Extension: (The Weather Channel for Chrome) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\iflpcokdamgefbghpdipcibmhlkdopop [2012-10-21]
CHR Extension: (Disconnect) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\jeoacafpbcihiomhlakheieifhpjdfeo [2014-10-13]
CHR Extension: (Use HTTPS) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbkgnojednemejclpggpnhlhlhkmfidi [2012-10-21]
CHR Extension: (FVD Downloader) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfmhcpmkbdkbgbmkjoiopeeegenkdikp [2013-07-29]
CHR Extension: (Ghostery) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2012-10-21]
CHR Extension: (Google Wallet) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-24]
CHR Extension: (Better Pop Up Blocker) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmpeeekfhbmikbdhlpjbfmnpgcbeggic [2012-10-21]
CHR Extension: (Lookout) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\oeiefnfaafnkeiojgkpephegakjpplke [2013-08-09]
CHR Extension: (ScriptSafe) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\oiigbmnaadbkfbmpbfijlflahbdbdgdf [2014-09-26]
CHR Extension: (Gmail) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-10-21]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 AppleChargerSrv; C:\Windows\System32\AppleChargerSrv.exe [31272 2010-04-06] ()
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [920736 2012-06-01] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [951936 2012-06-01] (ASUSTeK Computer Inc.)
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [149120 2012-02-17] (ASUSTeK Computer Inc.)
R2 AsusFanControlService; C:\Program Files (x86)\ASUS\AsusFanControlService\1.01.10\AsusFanControlService.exe [1475744 2012-05-25] (ASUSTeK Computer Inc.)
R2 chromoting; C:\Program Files (x86)\Google\Chrome Remote Desktop\38.0.2125.9\remoting_host.exe [51016 2014-08-21] (Google Inc.)
R2 CmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [6817544 2014-04-16] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2264280 2014-03-25] (COMODO)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1149760 2014-10-04] (NVIDIA Corporation)
S4 HDDHealth; C:\Program Files (x86)\HDD Health\HDDHealthService.exe [72640 2012-06-07] () [File not signed]
R3 ICCS; C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe [160768 2011-05-27] (Intel Corporation) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S3 iumsvc; C:\Program Files (x86)\Intel\Intel® Update Manager\bin\iumsvc.exe [174368 2014-02-28] ()
S3 Microsoft Office Groove Audit Service; E:\POST-MIGRATION PROGRAM FILES\Microsoft Office\Office12\GrooveAuditService.exe [64856 2009-02-26] (Microsoft Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1796928 2014-10-04] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19440960 2014-10-04] (NVIDIA Corporation)
R2 PassThru Service; C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe [167424 2012-12-07] () [File not signed]
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76152 2014-07-25] ()
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-07-20] ()
S4 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
S4 uvnc_service_gs; C:\Program Files (x86)\Gbridge LLC\Gbridge\gbwinvnc.exe [1587536 2010-06-12] (UltraVNC)
R2 WDBackup; C:\Program Files (x86)\Western Digital\WD SmartWare\WDBackupEngine.exe [1042808 2014-07-22] (Western Digital Technologies, Inc.)
R2 WDDriveService; C:\Program Files (x86)\Western Digital\WD Drive Manager\WDDriveService.exe [296312 2014-06-02] (Western Digital Technologies, Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R3 AiChargerPlus; C:\Windows\SysWow64\drivers\AiChargerPlus.sys [14848 2012-04-19] (ASUSTek Computer Inc.)
S1 AppleCharger; C:\Windows\System32\DRIVERS\AppleCharger.sys [21544 2010-04-27] ()
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-08-22] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()
R3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-20] (MCCI Corporation)
S3 asusgsb; C:\Windows\System32\drivers\asusgsb.sys [17792 2009-02-17] (ASUSTeK Computer Inc.) [File not signed]
S3 busenum; C:\Windows\System32\DRIVERS\SteelBus64.sys [134656 2013-06-25] (SteelSeries Corporation) [File not signed]
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [23168 2014-04-16] (COMODO)
R1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [738472 2014-04-16] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [48360 2014-04-16] (COMODO)
S3 cpudrv64; C:\Program Files (x86)\SystemRequirementsLab\cpudrv64.sys [17864 2011-06-02] ()
S3 DIRECTIO; C:\Program Files\PerformanceTest\DirectIo64.sys [25704 2012-08-13] ()
R3 gbridge; C:\Windows\System32\DRIVERS\gbridge64.sys [48192 2009-10-13] (Gbridge LLC)
S3 GPCIDrv; C:\Program Files (x86)\GIGABYTE\GIGABYTE OC_GURU II\GPCIDrv64.sys [14376 2010-02-04] ()
S3 GVTDrv64; C:\Windows\GVTDrv64.sys [30528 2012-10-21] ()
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [105552 2014-04-16] (COMODO)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [20288 2014-10-04] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [38048 2014-09-04] (NVIDIA Corporation)
R1 Serial; C:\Windows\System32\DRIVERS\serial.sys [94208 2009-07-13] (Brother Industries Ltd.)
S3 VLAN; C:\Windows\System32\DRIVERS\RtVLAN60.sys [24064 2007-12-02] (Windows ® Codename Longhorn DDK provider)
R2 WinI2C-DDC; C:\Windows\system32\drivers\DDCDrv.sys [20832 2014-01-15] (Nicomsoft Ltd.)
S1 EIO64; system32\DRIVERS\EIO64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-20 18:52 - 2014-10-20 18:52 - 00000000 ____D () C:\FRST
2014-10-20 18:39 - 2014-10-20 18:39 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-10-20 18:39 - 2014-10-20 18:39 - 00000000 ____D () C:\ProgramData\RogueKiller
2014-10-19 13:42 - 2014-10-19 13:43 - 00012288 ____H () C:\Windows\SysWOW64\_.swm
2014-10-19 01:00 - 2014-10-20 18:38 - 00001130 _____ () C:\Windows\setupact.log
2014-10-19 01:00 - 2014-10-19 01:00 - 00000000 _____ () C:\Windows\setuperr.log
2014-10-17 11:11 - 2014-10-17 11:11 - 00028538 _____ () C:\Users\VASSAL\Desktop\dds.txt
2014-10-17 11:11 - 2014-10-17 11:11 - 00018620 _____ () C:\Users\VASSAL\Desktop\attach.txt
2014-10-17 10:43 - 2014-10-17 10:43 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\OpenOffice
2014-10-17 10:42 - 2014-10-17 10:43 - 00000000 ___SD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenOffice 4.1.1
2014-10-17 10:21 - 2014-10-17 10:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2014-10-17 10:21 - 2014-10-17 10:20 - 00272808 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2014-10-17 10:21 - 2014-10-17 10:20 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2014-10-17 10:21 - 2014-10-17 10:20 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-10-17 10:21 - 2014-10-17 10:20 - 00098216 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2014-10-17 10:20 - 2014-10-17 10:20 - 00000000 ____D () C:\Program Files (x86)\Java
2014-10-16 17:03 - 2014-10-16 17:03 - 00000000 ____D () C:\Program Files (x86)\Microsoft ASP.NET
2014-10-16 04:07 - 2014-10-06 22:54 - 00378552 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-10-16 04:07 - 2014-10-06 22:04 - 00331448 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-10-16 04:07 - 2014-09-28 20:58 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-16 04:07 - 2014-09-25 18:50 - 13619200 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-10-16 04:07 - 2014-09-25 18:46 - 00365056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-10-16 04:07 - 2014-09-25 18:46 - 00243200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-10-16 04:07 - 2014-09-25 18:46 - 00069632 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-10-16 04:07 - 2014-09-25 18:43 - 11807232 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-10-16 04:07 - 2014-09-25 18:32 - 02017280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-10-16 04:07 - 2014-09-25 18:31 - 02108416 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-10-16 04:07 - 2014-09-18 22:25 - 23631360 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-10-16 04:07 - 2014-09-18 21:56 - 02724864 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-10-16 04:07 - 2014-09-18 21:55 - 00004096 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollectorres.dll
2014-10-16 04:07 - 2014-09-18 21:44 - 17484800 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-10-16 04:07 - 2014-09-18 21:41 - 02796032 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-10-16 04:07 - 2014-09-18 21:40 - 00547328 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-10-16 04:07 - 2014-09-18 21:40 - 00066048 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-10-16 04:07 - 2014-09-18 21:39 - 00048640 _____ (Microsoft Corporation) C:\Windows\system32\ieetwproxystub.dll
2014-10-16 04:07 - 2014-09-18 21:38 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\MshtmlDac.dll
2014-10-16 04:07 - 2014-09-18 21:36 - 05829632 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-10-16 04:07 - 2014-09-18 21:31 - 00051200 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-10-16 04:07 - 2014-09-18 21:30 - 00033792 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-10-16 04:07 - 2014-09-18 21:27 - 00595968 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-10-16 04:07 - 2014-09-18 21:26 - 00139264 _____ (Microsoft Corporation) C:\Windows\system32\ieUnatt.exe
2014-10-16 04:07 - 2014-09-18 21:25 - 04201472 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-10-16 04:07 - 2014-09-18 21:25 - 00758272 _____ (Microsoft Corporation) C:\Windows\system32\jscript9diag.dll
2014-10-16 04:07 - 2014-09-18 21:25 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\ieetwcollector.exe
2014-10-16 04:07 - 2014-09-18 21:18 - 00940032 _____ (Microsoft Corporation) C:\Windows\system32\MsSpellCheckingFacility.exe
2014-10-16 04:07 - 2014-09-18 21:14 - 02724864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-10-16 04:07 - 2014-09-18 21:14 - 00446464 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-10-16 04:07 - 2014-09-18 21:06 - 00072704 _____ (Microsoft Corporation) C:\Windows\system32\JavaScriptCollectionAgent.dll
2014-10-16 04:07 - 2014-09-18 21:02 - 00454656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-10-16 04:07 - 2014-09-18 21:01 - 00195584 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-10-16 04:07 - 2014-09-18 21:01 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-10-16 04:07 - 2014-09-18 21:01 - 00051200 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieetwproxystub.dll
2014-10-16 04:07 - 2014-09-18 21:00 - 00085504 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-10-16 04:07 - 2014-09-18 20:59 - 00061952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MshtmlDac.dll
2014-10-16 04:07 - 2014-09-18 20:58 - 00289280 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-10-16 04:07 - 2014-09-18 20:55 - 02187264 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-10-16 04:07 - 2014-09-18 20:54 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-10-16 04:07 - 2014-09-18 20:53 - 00032768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-10-16 04:07 - 2014-09-18 20:51 - 00440320 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-10-16 04:07 - 2014-09-18 20:50 - 00112128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2014-10-16 04:07 - 2014-09-18 20:49 - 00597504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9diag.dll
2014-10-16 04:07 - 2014-09-18 20:42 - 00731136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-10-16 04:07 - 2014-09-18 20:42 - 00710656 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-10-16 04:07 - 2014-09-18 20:40 - 01249280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmlmedia.dll
2014-10-16 04:07 - 2014-09-18 20:36 - 00060416 _____ (Microsoft Corporation) C:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-10-16 04:07 - 2014-09-18 20:33 - 02309632 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-10-16 04:07 - 2014-09-18 20:32 - 00164864 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-10-16 04:07 - 2014-09-18 20:20 - 00607744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-10-16 04:07 - 2014-09-18 20:18 - 01068032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2014-10-16 04:07 - 2014-09-18 20:14 - 01447936 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-10-16 04:07 - 2014-09-18 19:59 - 01810944 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-10-16 04:07 - 2014-09-18 19:59 - 00775168 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll
2014-10-16 04:07 - 2014-09-18 19:53 - 01190400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-10-16 04:07 - 2014-09-18 19:52 - 00678400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2014-10-16 04:07 - 2014-09-12 21:58 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-10-16 04:07 - 2014-09-12 21:40 - 00067072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-10-16 04:07 - 2014-09-04 01:23 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2014-10-16 04:07 - 2014-09-04 01:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastls.dll
2014-10-16 04:07 - 2014-08-29 22:10 - 06583296 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-10-16 04:07 - 2014-08-29 21:50 - 05702656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-10-16 04:07 - 2014-08-28 22:07 - 03179520 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-10-16 04:07 - 2014-07-16 22:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-10-16 04:07 - 2014-07-16 22:07 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-10-16 04:07 - 2014-07-16 22:07 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2014-10-16 04:07 - 2014-07-16 22:07 - 00150528 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2014-10-16 04:07 - 2014-07-16 22:07 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-10-16 04:07 - 2014-07-16 22:07 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-10-16 04:07 - 2014-07-16 21:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winsta.dll
2014-10-16 04:07 - 2014-07-16 21:39 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-10-16 04:07 - 2014-07-16 21:39 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-10-16 04:07 - 2014-07-16 21:21 - 00212480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2014-10-16 04:07 - 2014-07-16 21:21 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys
2014-10-16 04:07 - 2014-06-18 18:23 - 01943696 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-10-16 04:07 - 2014-06-18 18:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dfshim.dll
2014-10-16 04:07 - 2014-06-18 18:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscorier.dll
2014-10-16 04:07 - 2014-06-18 18:23 - 00156312 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-10-16 04:07 - 2014-06-18 18:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscories.dll
2014-10-16 04:07 - 2014-06-18 18:23 - 00073880 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2014-10-16 04:07 - 2014-05-30 04:08 - 00340992 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-10-16 04:07 - 2014-05-30 04:08 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-10-16 04:07 - 2014-05-30 04:08 - 00307200 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-10-16 04:07 - 2014-05-30 04:08 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-10-16 04:07 - 2014-05-30 03:52 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-10-16 04:07 - 2014-05-30 03:52 - 00247808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-10-16 04:07 - 2014-05-30 03:52 - 00220160 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-10-16 04:07 - 2014-05-30 03:52 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-10-14 18:33 - 2014-10-14 18:33 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\Comodo
2014-10-14 16:57 - 2014-10-14 18:23 - 00000000 ____D () C:\Program Files (x86)\Panda Security
2014-10-14 16:57 - 2014-10-14 16:57 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\Panda Security
2014-10-14 16:51 - 2014-10-14 16:57 - 00000000 ____D () C:\ProgramData\Panda Security
2014-10-14 15:57 - 2014-10-14 16:00 - 00011264 ___SH () C:\Users\VASSAL\AppData\Roaming\Thumbs.db
2014-10-14 00:27 - 2014-10-14 00:27 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\LavasoftStatistics
2014-10-13 23:30 - 2014-10-13 23:30 - 00000000 ____D () C:\ProgramData\Lavasoft
2014-10-13 23:30 - 2014-10-13 23:30 - 00000000 ____D () C:\Program Files\Common Files\Lavasoft
2014-10-12 22:06 - 2014-10-16 21:18 - 00008712 _____ () C:\Windows\system32\Drivers\fvstore.dat
2014-10-12 22:06 - 2014-10-12 22:06 - 00000000 ___HD () C:\VTRoot
2014-10-12 21:54 - 2014-10-12 21:54 - 00784124 _____ () C:\Users\VASSAL\AppData\Roaming\GHOST-117.exe
2014-10-12 21:54 - 2014-10-12 21:54 - 00437388 _____ () C:\Users\VASSAL\AppData\Roaming\VASSAL.exe
2014-10-12 21:54 - 2014-10-12 21:54 - 00000000 __SHD () C:\Users\VASSAL\AppData\Roaming\GHOST-117
2014-10-12 21:54 - 2014-10-12 21:54 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\VASSAL
2014-10-12 21:54 - 2014-10-12 17:07 - 03215311 ___SH () C:\Users\VASSAL\AppData\Roaming\amde.exe
2014-10-11 12:44 - 2014-10-11 12:50 - 00000000 _____ () C:\Windows\Path.idx
2014-10-11 12:03 - 2014-10-11 12:03 - 00001870 _____ () C:\Users\Public\Desktop\COMODO Firewall.lnk
2014-10-11 12:03 - 2014-10-11 12:03 - 00000000 ___SD () C:\ProgramData\Shared Space
2014-10-11 12:03 - 2014-10-11 12:03 - 00000000 ____D () C:\Windows\System32\Tasks\COMODO
2014-10-11 12:03 - 2014-10-11 12:03 - 00000000 ____D () C:\ProgramData\Comodo Downloader
2014-10-10 18:59 - 2014-10-10 18:59 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Oracle VM VirtualBox
2014-10-10 18:59 - 2014-09-09 17:29 - 00910920 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxDrv.sys
2014-10-10 18:59 - 2014-09-09 17:27 - 00129168 _____ (Oracle Corporation) C:\Windows\system32\Drivers\VBoxUSBMon.sys
2014-10-10 18:26 - 2014-10-10 20:11 - 00000000 ____D () C:\Users\VASSAL\VirtualBox VMs
2014-10-10 17:31 - 2014-10-17 19:53 - 00000000 ____D () C:\Users\VASSAL\.VirtualBox
2014-10-09 22:44 - 2014-10-09 22:44 - 00000000 ____D () C:\ProgramData\VS Revo Group
2014-10-09 22:44 - 2014-10-09 22:44 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2014-10-09 22:44 - 2009-12-30 10:21 - 00031800 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2014-10-07 20:50 - 2014-10-07 20:50 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-10-07 20:50 - 2014-10-07 20:50 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\DropboxMaster
2014-10-07 20:50 - 2014-10-07 20:50 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\Dropbox
2014-10-07 20:27 - 2014-10-11 12:24 - 00000000 ____D () C:\ProgramData\AVAST Software
2014-10-05 07:46 - 2014-10-05 07:46 - 00000005 _____ () C:\Windows\SysWOW64\lMMLDeleteUserData42107612FX.tmp
2014-10-01 16:59 - 2014-10-01 16:59 - 00001602 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\VIDLE for VPython.lnk
2014-10-01 16:55 - 2014-10-12 10:24 - 00000000 ____D () C:\Python27
2014-10-01 16:55 - 2014-10-01 16:55 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Python 2.7
2014-09-28 16:24 - 2014-09-28 16:24 - 00001012 _____ () C:\Users\VASSAL\Desktop\Frontline Registry Cleaner.lnk
2014-09-28 16:24 - 2014-09-28 16:24 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Frontline Registry Cleaner
2014-09-28 16:13 - 2014-10-20 18:39 - 00008192 _____ () C:\Windows\SysWOW64\WDPABKP.dat
2014-09-28 15:57 - 2014-10-17 11:27 - 00122584 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-09-28 15:57 - 2014-09-28 15:57 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-09-28 15:57 - 2014-09-28 15:57 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-09-28 15:57 - 2014-09-28 15:57 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-09-28 15:57 - 2014-05-12 07:26 - 00091352 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-09-28 15:57 - 2014-05-12 07:26 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-09-28 15:57 - 2014-05-12 07:25 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-09-28 15:49 - 2014-09-28 15:51 - 00000000 ____D () C:\Program Files (x86)\Zone Alarm
2014-09-24 10:14 - 2014-09-26 07:55 - 00000000 ____D () C:\Users\VASSAL\.idlerc
2014-09-22 22:20 - 2014-09-22 22:22 - 00012288 ____H () C:\Windows\SysWOW64\_.swn
2014-09-22 22:20 - 2014-09-22 22:20 - 00012288 ____H () C:\Windows\SysWOW64\_.swo
2014-09-22 22:18 - 2014-10-19 14:05 - 00010645 ____H () C:\Users\VASSAL\_viminfo
2014-09-22 22:18 - 2014-09-22 22:19 - 00012288 ____H () C:\Windows\SysWOW64\_.swp
2014-09-22 22:17 - 2014-09-22 22:17 - 00000839 _____ () C:\Users\Public\Desktop\gVim Read only 7.4.lnk
2014-09-22 22:17 - 2014-09-22 22:17 - 00000839 _____ () C:\Users\Public\Desktop\gVim Easy 7.4.lnk
2014-09-22 22:17 - 2014-09-22 22:17 - 00000833 _____ () C:\Users\Public\Desktop\gVim 7.4.lnk
2014-09-22 22:17 - 2014-09-22 22:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vim 7.4

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-20 18:48 - 2012-10-21 16:13 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\uTorrent
2014-10-20 18:45 - 2009-07-14 01:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-10-20 18:45 - 2009-07-14 00:45 - 00014848 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-20 18:45 - 2009-07-14 00:45 - 00014848 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-20 18:38 - 2013-06-06 18:41 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\foobar2000
2014-10-20 18:38 - 2013-06-05 06:47 - 00000000 ____D () C:\ProgramData\NVIDIA
2014-10-20 18:38 - 2012-10-21 16:02 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-10-20 18:38 - 2012-10-21 16:01 - 00000202 _____ () C:\Windows\Tasks\AutoKMS.job
2014-10-20 18:38 - 2009-07-14 01:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-10-20 18:37 - 2012-10-21 17:02 - 00000000 ____D () C:\ProgramData\Origin
2014-10-20 18:37 - 2012-10-06 09:26 - 01304883 _____ () C:\Windows\WindowsUpdate.log
2014-10-20 18:36 - 2014-08-09 16:23 - 00000912 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-915549161-1220755475-2392921047-1000UA.job
2014-10-20 18:21 - 2012-11-06 21:34 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-20 17:57 - 2012-10-21 16:02 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-10-20 17:46 - 2013-07-31 14:16 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\vlc
2014-10-20 15:35 - 2014-08-09 16:23 - 00000860 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-915549161-1220755475-2392921047-1000Core.job
2014-10-19 14:05 - 2012-10-06 09:26 - 00000000 ____D () C:\Users\VASSAL
2014-10-19 12:20 - 2009-07-14 00:45 - 05082632 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-19 03:00 - 2012-10-21 15:52 - 00000370 _____ () C:\Windows\Tasks\FrontLine Registry Cleaner Scheduled Scan - VASSAL.job
2014-10-17 15:30 - 2014-08-09 16:23 - 00003888 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-915549161-1220755475-2392921047-1000UA
2014-10-17 15:30 - 2014-08-09 16:23 - 00003492 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-915549161-1220755475-2392921047-1000Core
2014-10-17 12:44 - 2012-10-06 09:50 - 00130504 _____ () C:\Users\VASSAL\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-17 12:06 - 2013-02-28 18:19 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\dvdcss
2014-10-17 10:30 - 2013-10-03 05:00 - 00000000 ____D () C:\Users\VASSAL\AppData\Local\CrashDumps
2014-10-17 10:21 - 2013-09-21 17:29 - 00000000 ____D () C:\ProgramData\Oracle
2014-10-17 00:36 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\rescache
2014-10-16 17:04 - 2012-10-21 15:57 - 00000000 ____D () C:\ProgramData\Microsoft Help
2014-10-16 17:03 - 2013-08-14 17:01 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-16 17:00 - 2012-10-21 21:24 - 103265616 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-10-16 08:34 - 2012-10-21 16:40 - 00000000 ____D () C:\Windows\pss
2014-10-14 18:23 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\registration
2014-10-14 18:23 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\AppCompat
2014-10-11 12:28 - 2013-06-05 06:44 - 04696672 _____ () C:\Windows\PE_Rom.dll
2014-10-11 12:03 - 2012-10-21 16:45 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Comodo
2014-10-11 12:03 - 2012-10-21 16:45 - 00000000 ____D () C:\ProgramData\Comodo
2014-10-11 12:03 - 2012-10-21 16:45 - 00000000 ____D () C:\Program Files\COMODO
2014-10-11 10:52 - 2012-10-21 16:02 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-11 10:52 - 2012-10-21 16:02 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-09 22:48 - 2013-06-26 05:52 - 00000000 ____D () C:\Program Files (x86)\Graphmatica
2014-10-09 16:30 - 2012-10-21 16:14 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\Mozilla
2014-10-07 20:52 - 2012-10-28 15:29 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2014-10-07 20:52 - 2012-10-28 15:29 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2014-10-07 20:52 - 2012-10-28 15:29 - 00000000 ____D () C:\Program Files\WinRAR
2014-10-07 20:26 - 2012-10-21 16:44 - 00000000 ____D () C:\Program Files (x86)\Comodo
2014-10-07 20:21 - 2014-04-22 16:08 - 00000000 ____D () C:\Users\dub_cm_auto
2014-10-05 07:46 - 2013-06-11 04:22 - 00000000 ____D () C:\Users\VASSAL\AppData\Roaming\HTC
2014-10-05 07:46 - 2013-06-11 04:19 - 00000000 ____D () C:\ProgramData\HTC
2014-10-05 07:46 - 2013-06-11 04:19 - 00000000 ____D () C:\Program Files (x86)\HTC
2014-10-04 02:42 - 2014-06-02 19:00 - 01291280 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspbridge.dll
2014-10-04 02:42 - 2013-10-29 04:58 - 02197680 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspcap.dll
2014-10-04 02:41 - 2014-06-02 19:00 - 01715224 _____ (NVIDIA Corporation) C:\Windows\system32\nvspbridge64.dll
2014-10-04 02:41 - 2013-10-29 04:58 - 02800296 _____ (NVIDIA Corporation) C:\Windows\system32\nvspcap64.dll
2014-10-03 13:04 - 2012-10-06 10:13 - 00025640 _____ (Windows ® Server 2003 DDK provider) C:\Windows\gdrv.sys
2014-10-02 14:21 - 2013-06-11 04:20 - 00000000 ____D () C:\Users\VASSAL\AppData\Local\Downloaded Installations
2014-10-01 18:58 - 2012-10-21 16:02 - 00000000 ____D () C:\Program Files (x86)\Google
2014-09-29 19:50 - 2012-10-21 18:35 - 00215416 _____ () C:\Windows\SysWOW64\PnkBstrB.exe
2014-09-28 16:11 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\Globalization
2014-09-28 16:04 - 2012-10-21 16:14 - 00000000 ____D () C:\Users\VASSAL\AppData\Local\CRE
2014-09-28 16:04 - 2012-10-21 16:14 - 00000000 ____D () C:\Users\VASSAL\AppData\Local\Conduit
2014-09-28 15:42 - 2009-07-13 23:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-09-28 15:26 - 2013-10-01 19:38 - 00000000 ____D () C:\Program Files\Common Files\Symantec Shared
2014-09-28 15:26 - 2012-10-21 23:05 - 00000000 ____D () C:\ProgramData\Norton
2014-09-23 16:33 - 2012-10-21 18:35 - 00215416 _____ () C:\Windows\SysWOW64\PnkBstrB.ex0
2014-09-22 19:07 - 2012-11-06 21:34 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-09-22 19:07 - 2012-11-06 21:34 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-09-22 19:07 - 2012-11-06 21:34 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater

Some content of TEMP:
====================
C:\Users\VASSAL\AppData\Local\Temp\dllnt_dump.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-16 01:00

==================== End Of Log ============================
 
I restarted the computer and everything is running fine, no broken OS :) and boot time was fast as ever.
 
The only new problem I noticed is that Trovi has hijacked my Chrome again (I blocked it with blocksite and have to figure out how to clean it), but I'm sure it's not related to these scans I just ran.

Attached Files


Edited by nasdaq, 21 October 2014 - 09:09 AM.
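
Ghost117 asked earlier how the hooks of this worm get spotted from these logs. As an added example (not part of the thread, and not FRST's own code), this Python script parses the "One Month Created Files and Folders" line layout shown above and applies the same triage a helper does by eye: an executable with no company name sitting in a user-writable folder, hidden/system attributes on it, or a modified timestamp older than its creation time (a sign the file was copied in). The sample lines are copied from the log above into a constructed string; the heuristics, thresholds and function names are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# FRST "One Month Created Files and Folders" line layout, as seen in the log above:
#   <created> - <modified> - <size> <attrs> (<company name>) <path>
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)

# Extensions worth looking at; data files (Thumbs.db, .lnk, .txt) are ignored.
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")

# Locations an ordinary (non-admin) process can write to; a dropper running as the
# logged-on user lands here rather than in C:\Windows or C:\Program Files.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData\\|ProgramData\\|Users\\Public\\)", re.IGNORECASE
)


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str      # five-character flag field, e.g. "___SH" or "____D"
    company: str    # version-info company name; empty when FRST prints "()"
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden_or_system(self) -> bool:
        return "H" in self.attrs or "S" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST created-files line; return None for anything else (headers, blanks)."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    return Entry(m["created"], m["modified"], int(m["size"]),
                 m["attrs"], m["company"], m["path"])


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def suspicious_reasons(e: Entry) -> List[str]:
    """Heuristics (assumed, not FRST's): only unsigned-by-name executables are considered."""
    reasons: List[str] = []
    if e.is_dir or not e.path.lower().endswith(EXEC_EXT):
        return reasons
    if e.company:
        return reasons  # carries a company name; left for a signature check elsewhere
    if USER_WRITABLE.match(e.path):
        reasons.append("no company name, lives in a user-writable location")
    if e.hidden_or_system:
        reasons.append("hidden/system attributes set (%s)" % e.attrs)
    # ISO timestamps compare correctly as strings.
    if e.modified < e.created:
        reasons.append("modified timestamp earlier than created (file was copied in)")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_log(text):
        reasons = suspicious_reasons(e)
        if reasons:
            flagged[e.path] = reasons
    return flagged


# Constructed sample: a handful of lines copied from the FRST log above.
SAMPLE_LOG = r"""
2014-10-20 18:39 - 2014-10-20 18:39 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2014-10-17 10:21 - 2014-10-17 10:20 - 00175528 _____ (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2014-10-16 04:07 - 2014-07-16 22:07 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-10-14 15:57 - 2014-10-14 16:00 - 00011264 ___SH () C:\Users\VASSAL\AppData\Roaming\Thumbs.db
2014-10-12 21:54 - 2014-10-12 21:54 - 00784124 _____ () C:\Users\VASSAL\AppData\Roaming\GHOST-117.exe
2014-10-12 21:54 - 2014-10-12 21:54 - 00437388 _____ () C:\Users\VASSAL\AppData\Roaming\VASSAL.exe
2014-10-12 21:54 - 2014-10-12 21:54 - 00000000 __SHD () C:\Users\VASSAL\AppData\Roaming\GHOST-117
2014-10-12 21:54 - 2014-10-12 17:07 - 03215311 ___SH () C:\Users\VASSAL\AppData\Roaming\amde.exe
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Running it flags only GHOST-117.exe, VASSAL.exe and amde.exe; the RogueKiller driver in System32\Drivers, the Oracle and Microsoft binaries, the hidden Thumbs.db and the GHOST-117 directory all drop out.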


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:10 PM

Posted 21 October 2014 - 09:28 AM

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

AppInit_DLLs-x32: => "" File Not Found
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => No File
SearchScopes: HKLM-x32 - DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://ca.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 - {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://ca.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKLM-x32 - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
SearchScopes: HKCU - DefaultScope {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://ca.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://search.yahoo.com/search?p={searchTerms}&fr=chr-devicevm&type=IEBDSV
SearchScopes: HKCU - {9CB96984-43C3-4D44-90EF-01466EFCF7BB} URL = https://ca.search.yahoo.com/yhs/search?type=avastbcl&hspart=avast&hsimp=yhs-001&p={searchTerms}
SearchScopes: HKCU - {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3268494&CUI=UN28892651122689246
Toolbar: HKCU - No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> E:\POST-M~1\Office14\NPAUTHZ.DLL No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3330789&octid=EB_ORIGINAL_CTID&ISID=MC2D6ED49-02F2-43E0-9473-FC94709C7F7B&SearchSource=55&CUI=&UM=6&UP=SP2F502AB3-9B84-4CB6-AD58-77F40C20EEC4&SSPV=
CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3330789&octid=EB_ORIGINAL_CTID&ISID=MC2D6ED49-02F2-43E0-9473-FC94709C7F7B&SearchSource=55&CUI=&UM=6&UP=SP2F502AB3-9B84-4CB6-AD58-77F40C20EEC4&SSPV="
CHR Extension: (Ghostery) - C:\Users\VASSAL\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2012-10-21]
S1 EIO64; system32\DRIVERS\EIO64.sys [X]

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Delete the two unknown program files:
GHOST-117.EXE and
VASSAL.exe.

If you get a message that they are in use and you cannot delete them, boot in Safe Mode and delete the files.

Restart the computer normally.

How is it now?

#7 Ghost117

Ghost117
  • Topic Starter

  • Members
  • 11 posts

Posted 21 October 2014 - 04:19 PM

I've attached the 3 logs created by AdwCleaner (it created two in that C: directory and also one in the "quarantine" folder).

 

Also attached the Fixlog created by FRST

 

I was also able to delete the two username.exe files without resorting to Safe Mode =)

 

Computer is running great, Trovi hijacker is gone as well!

 

I'll save these two programs (FRST and Adwcleaner) as they are amazing!

 

Thanks a lot Nasdaq, you're awesome =)

Attached Files



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 October 2014 - 10:05 AM

One last scan.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

#9 Ghost117

Ghost117
  • Topic Starter

  • Members
  • 11 posts

Posted 22 October 2014 - 10:17 AM

Roger that, I've attached the log.
 
It doesn't show Malwarebytes because I have the free version, I guess, and it's not real-time.

Results of screen317's Security Check version 0.99.89
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
HostsMan 4.1.96
Frontline Registry Cleaner
Java 7 Update 71
Java version out of Date!
Adobe Flash Player 15.0.0.152
Google Chrome 38.0.2125.101
Google Chrome 38.0.2125.104
````````Process Check: objlist.exe by Laurent````````
Comodo Firewall cmdagent.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 6%
````````````````````End of Log``````````````````````

Attached Files


Edited by nasdaq, 22 October 2014 - 10:26 AM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 October 2014 - 10:27 AM

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Latest version is Java JRE 7u67.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882


If present remove the old version(s) of Java using the Add/Remove Programs applet.

Java 7 Update 71

===
If all is well.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#11 Ghost117

Ghost117
  • Topic Starter

  • Members
  • 11 posts

Posted 22 October 2014 - 10:31 AM

That's weird, I just manually checked my Java version on that first link and it told me that my Java is up to date, Version 7 Update 71.

 

So all's good?



#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 October 2014 - 08:55 AM

Ignore it. I will check with the owner of the tool.
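The disagreement in the two posts above (Security Check flagged Java 7 Update 71 as out of date while the helper's latest known release was 7u67) comes down to comparing the installed build against a stale baseline. As an added example that is not part of the thread, the snippet below parses both spellings used on this page and compares them numerically, so an "out of date" verdict only holds when the installed build is genuinely behind the baseline; the version strings are the ones quoted in the posts.

```python
import re
from typing import Optional, Tuple

# Version strings exactly as they appear in the thread.
INSTALLED = "Java 7 Update 71"   # from the checkup.txt log posted by Ghost117
LATEST_KNOWN = "Java JRE 7u67"   # the latest release nasdaq cited at the time

# Accept both the "7 Update 71" and the "7u67" spellings; capture (major, update).
_VERSION_RE = re.compile(r"(\d+)\s*(?:u|update)\s*(\d+)", re.IGNORECASE)


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a Java 7-era version string, or None if absent.

    Unrelated product lines such as 'Adobe Flash Player 15.0.0.152' yield None
    because they carry no 'u'/'Update' separator.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def compare_java_versions(installed: str, baseline: str) -> str:
    """Classify installed against baseline: 'newer', 'same', 'older' or 'unknown'.

    Tuples compare numerically, so 7u9 correctly sorts below 7u10, which a
    plain string comparison of '7u9' and '7u10' would get wrong.
    """
    a, b = parse_java_version(installed), parse_java_version(baseline)
    if a is None or b is None:
        return "unknown"
    if a > b:
        return "newer"
    if a < b:
        return "older"
    return "same"


def outdated_alert_is_valid(installed: str, baseline: str) -> bool:
    """An 'out of date' alert is justified only when installed is older than baseline."""
    return compare_java_versions(installed, baseline) == "older"


if __name__ == "__main__":
    verdict = compare_java_versions(INSTALLED, LATEST_KNOWN)
    print(f"{INSTALLED!r} vs {LATEST_KNOWN!r}: {verdict}")  # newer
    print("alert justified:", outdated_alert_is_valid(INSTALLED, LATEST_KNOWN))  # False
```

The "unknown" branch matters in practice: a checker whose baseline string fails to parse should refuse to raise an alert rather than default to "outdated".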

#13 Ghost117

Ghost117
  • Topic Starter

  • Members
  • 11 posts

Posted 23 October 2014 - 12:44 PM

Thanks for all the help Nasdaq, much appreciated =)



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 October 2014 - 07:17 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



