dllhost.exe *32 please help!


  • This topic is locked
22 replies to this topic

#1 wrxutec

Posted 29 October 2014 - 11:32 AM

With the masses, I watched some TV shows online and received a nice sticky virus!  I have this dllhost.exe *32 eating up all my memory.  It's pulling up pages through IE but I'm not able to see them.  I turned off IE but that didn't help.  I have run malwarebytes, roguekiller, combo (something) etc..... and every time I restart it pops back up. Please help me!  My work is suffering!





#2 wrxutec (Topic Starter)

Posted 29 October 2014 - 11:42 AM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 29-10-2014 01
Ran by Adrock (administrator) on ADROCK-PC on 29-10-2014 12:39:27
Running from E:\Users\Adrock\Downloads
Loaded Profile: Adrock (Available profiles: Adrock)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) E:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) E:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) E:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) E:\Windows\System32\nvvsvc.exe
(Apple Inc.) E:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) E:\Program Files\Bonjour\mDNSResponder.exe
(cFos Software GmbH) E:\Program Files\ASRock\XFast LAN\spd.exe
(Symantec Corporation) E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe
(NVIDIA Corporation) E:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) E:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Razer, Inc.) E:\Program Files (x86)\Razer\Core\64bit\RzOvlMon.exe
(Microsoft Corp.) E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(NVIDIA Corporation) E:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Intel Corporation) E:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Intel Corporation) E:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Symantec Corporation) E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe
(Intel Corporation) E:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) E:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) E:\Windows\System32\rundll32.exe
(NVIDIA Corporation) E:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\LCore.exe
(cFos Software GmbH) E:\Program Files\ASRock\XFast LAN\cfosspeed.exe
(Overwolf LTD) E:\Program Files (x86)\Overwolf\Overwolf.exe
(GoPro) E:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe
(Creative Technology Ltd) E:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe
(Razer Inc.) E:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
(Adobe Systems Incorporated) E:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
(Apple Inc.) E:\Program Files (x86)\iTunes\iTunesHelper.exe
(NVIDIA Corporation) E:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Microsoft Corporation) E:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\svchost.exe
(Adobe Systems Incorporated) E:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(NVIDIA Corporation) E:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Apple Inc.) E:\Program Files\iPod\bin\iPodService.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\Applets\LCDClock.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\Applets\LCDMedia.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\Applets\LCDPOP3.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\Applets\LCDRSS.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\Applets\LCDCountdown.exe
(Adobe Systems Incorporated) E:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
(Adobe Systems Incorporated) E:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
(Overwolf LTD) E:\Program Files (x86)\Common Files\Overwolf\0.81.34.0\OverwolfHelper.exe
(Overwolf LTD) E:\Program Files (x86)\Common Files\Overwolf\0.81.34.0\OverwolfHelper64.exe
() E:\Program Files (x86)\Overwolf\0.81.34.0\OverwolfBrowser.exe
(Microsoft Corporation) E:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) E:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Microsoft Corporation) E:\Windows\SysWOW64\svchost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\System32\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe
(Mozilla Corporation) E:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) E:\Windows\SysWOW64\dllhost.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => E:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11860072 2011-06-09] (Realtek Semiconductor)
HKLM\...\Run: [THXCfg64] => E:\Windows\system32\RunDLL32.exe E:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
HKLM\...\Run: [Nvtmru] => "E:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
HKLM\...\Run: [NvBackend] => E:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2352072 2014-05-29] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => E:\Windows\system32\rundll32.exe E:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Launch LCore] => E:\Program Files\Logitech Gaming Software\LCore.exe [10396440 2014-04-14] (Logitech Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => E:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [XFast LAN] => E:\Program Files\ASRock\XFast LAN\cFosSpeed.exe [1441152 2011-07-04] (cFos Software GmbH)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => E:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [THX TruStudio NB Settings] => E:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe [909824 2011-05-19] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => E:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Razer Synapse] => E:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [585560 2014-06-23] (Razer Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => E:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2694040 2014-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] => E:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-09-01] (Apple Inc.)
Winlogon\Notify\igfxcui: E:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\...\Run: [Overwolf] => E:\Program Files (x86)\Overwolf\Overwolf.exe [39712 2014-10-22] (Overwolf LTD)
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\...\Run: [099bc3] => E:\099bc31\099bc31.exe [130048 2014-10-28] ()
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\...\Run: [099bc31] => E:\Users\Adrock\AppData\Roaming\099bc31.exe [130048 2014-10-29] ()
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
AppInit_DLLs: E:\PROGRA~1\LUCIDL~1\VIRTU\appinit_dll.dll => E:\Program Files\Lucidlogix Technologies\VIRTU\appinit_dll.dll [187488 2011-06-19] (Lucidlogix Inc.)
AppInit_DLLs:  E:\Windows\System32\nvinitx.dll => E:\Windows\System32\nvinitx.dll [168616 2013-09-12] (NVIDIA Corporation)
AppInit_DLLs-x32: E:\PROGRA~1\LUCIDL~1\VIRTU\x86\appinit_dll.dll => E:\Program Files\Lucidlogix Technologies\VIRTU\x86\appinit_dll.dll [157792 2011-06-19] (Lucidlogix Inc.)
AppInit_DLLs-x32:  E:\Windows\SysWOW64\nvinit.dll => E:\Windows\SysWOW64\nvinit.dll [141336 2013-09-12] (NVIDIA Corporation)
Startup: E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\099bc31.exe ()
Startup: E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GoPro Importer.lnk
ShortcutTarget: GoPro Importer.lnk -> E:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe (GoPro)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x6105FC7820F3CF01
StartMenuInternet: IEXPLORE.EXE - E:\Program Files (x86)\Internet Explorer\iexplore.exe
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> E:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> E:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> E:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> E:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> E:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Symantec NCO BHO -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll (Symantec Corporation)
BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> E:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> E:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> E:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll (Symantec Corporation)
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - E:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

FireFox:
========
FF ProfilePath: E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default
FF Plugin: @adobe.com/FlashPlayer -> E:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> E:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> E:\PROGRA~1\MICROS~3\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> E:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin: adobe.com/AdobeAAMDetect_x86_64 -> E:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> E:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> E:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> E:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> E:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> E:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> E:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> E:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> E:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll (Adobe Systems)
FF user.js: detected! => E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\user.js
FF Plugin ProgramFiles/Appdata: E:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF SearchPlugin: E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\searchplugins\Astromenda.xml
FF Extension: Astro New Tab - E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\Extensions\{f2548724-373f-45fe-be6a-3a85e87b7711}.xpi [2014-10-28]
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFF
FF Extension: Symantec Intrusion Prevention - E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFF [2014-05-24]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn_2011_7_13_2
FF Extension: Norton Toolbar - E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn_2011_7_13_2 [2014-10-29]
FF StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 cFosSpeedS; E:\Program Files\ASRock\XFast LAN\spd.exe [395136 2011-07-04] (cFos Software GmbH)
R2 NIS; E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [130008 2011-04-16] (Symantec Corporation)
R2 NvNetworkService; E:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1631008 2014-05-29] (NVIDIA Corporation)
R2 NvStreamSvc; E:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21055432 2014-05-29] (NVIDIA Corporation)
S3 OverwolfUpdater; E:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [997664 2014-10-22] (Overwolf LTD)
R2 RzOvlMon; E:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe [32960 2014-04-18] (Razer, Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; E:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 avgtp; E:\Windows\system32\drivers\avgtpx64.sys [50976 2014-08-19] (AVG Technologies)
R1 BHDrvx64; E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20140718.001\BHDrvx64.sys [1530160 2014-05-10] (Symantec Corporation)
R1 eeCtrl; E:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [486192 2014-06-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; E:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142128 2014-06-11] (Symantec Corporation)
S3 hitmanpro37; E:\Windows\system32\drivers\hitmanpro37.sys [32512 2014-10-28] ()
R1 IDSVia64; E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20140722.001\IDSvia64.sys [525016 2014-05-23] (Symantec Corporation)
S3 MBAMSwissArmy; E:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-10-28] (Malwarebytes Corporation)
S3 NAVENG; E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20140723.001\ENG64.SYS [126040 2014-07-10] (Symantec Corporation)
S3 NAVEX15; E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20140723.001\EX64.SYS [2099288 2014-07-10] (Symantec Corporation)
R3 NvStreamKms; E:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [20256 2014-05-29] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; E:\Windows\System32\drivers\nvvad64v.sys [40392 2014-03-31] (NVIDIA Corporation)
R3 RzDxgk; E:\Windows\system32\drivers\RzDxgk.sys [129472 2014-04-18] (Razer, Inc.)
R3 rzendpt; E:\Windows\System32\DRIVERS\rzendpt.sys [39080 2014-05-19] (Razer Inc)
R1 RzFilter; E:\Windows\system32\drivers\RzFilter.sys [74432 2014-04-18] (Razer, Inc.)
R3 rzmpos; E:\Windows\System32\DRIVERS\rzmpos.sys [34984 2014-05-19] (Razer Inc)
S3 SRTSP; E:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
R1 SRTSPX; E:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
R0 SymDS; E:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-27] (Symantec Corporation)
R0 SymEFA; E:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
R3 SymEvent; E:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2014-05-24] (Symantec Corporation)
R1 SymIRON; E:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-27] (Symantec Corporation)
R1 SymNetS; E:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)
S3 catchme; \??\E:\ComboFix\catchme.sys [X]
S3 EagleX64; \??\E:\Windows\system32\drivers\EagleX64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-29 12:39 - 2014-10-29 12:39 - 00020820 _____ () E:\Users\Adrock\Downloads\FRST.txt
2014-10-29 12:39 - 2014-10-29 12:39 - 00000000 ____D () E:\FRST
2014-10-29 12:38 - 2014-10-29 12:39 - 02113536 _____ (Farbar) E:\Users\Adrock\Downloads\FRST64.exe
2014-10-29 07:31 - 2014-10-29 07:31 - 00130048 _____ () E:\Users\Adrock\AppData\Roaming\099bc31.exe
2014-10-28 23:26 - 2014-10-28 23:26 - 00030209 _____ () E:\ComboFix.txt
2014-10-28 23:17 - 2014-10-28 23:26 - 00000000 ____D () E:\Qoobox
2014-10-28 23:17 - 2014-10-28 23:26 - 00000000 ____D () E:\ComboFix
2014-10-28 23:17 - 2011-06-26 02:45 - 00256000 _____ () E:\Windows\PEV.exe
2014-10-28 23:17 - 2010-11-07 13:20 - 00208896 _____ () E:\Windows\MBR.exe
2014-10-28 23:17 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) E:\Windows\NIRCMD.exe
2014-10-28 23:17 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) E:\Windows\SWREG.exe
2014-10-28 23:17 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) E:\Windows\SWSC.exe
2014-10-28 23:17 - 2000-08-30 20:00 - 00098816 _____ () E:\Windows\sed.exe
2014-10-28 23:17 - 2000-08-30 20:00 - 00080412 _____ () E:\Windows\grep.exe
2014-10-28 23:17 - 2000-08-30 20:00 - 00068096 _____ () E:\Windows\zip.exe
2014-10-28 23:16 - 2014-10-28 23:25 - 00000000 ____D () E:\Windows\erdnt
2014-10-28 23:16 - 2014-10-28 23:16 - 05591695 ____R (Swearware) E:\Users\Adrock\Downloads\ComboFix.exe
2014-10-28 22:55 - 2014-10-28 23:00 - 00000000 ____D () E:\Users\Adrock\Desktop\RK_Quarantine
2014-10-28 22:29 - 2014-10-28 22:29 - 00032512 _____ () E:\Windows\system32\Drivers\hitmanpro37.sys
2014-10-28 22:27 - 2014-10-28 22:27 - 00000686 _____ () E:\Windows\system32\.crusader
2014-10-28 22:09 - 2014-10-28 22:28 - 00000000 ____D () E:\ProgramData\HitmanPro
2014-10-28 22:09 - 2014-10-28 22:09 - 00001907 _____ () E:\Users\Public\Desktop\HitmanPro.lnk
2014-10-28 22:09 - 2014-10-28 22:09 - 00000000 ____D () E:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2014-10-28 22:09 - 2014-10-28 22:09 - 00000000 ____D () E:\Program Files\HitmanPro
2014-10-28 21:54 - 2014-10-28 21:56 - 00000000 ____D () E:\AdwCleaner
2014-10-28 21:49 - 2014-10-28 21:49 - 00000000 ____D () E:\Windows\pss
2014-10-28 21:43 - 2014-10-28 21:49 - 00000000 ____D () E:\Windows\system32\MpEngineStore
2014-10-28 21:42 - 2014-10-28 21:42 - 00000000 ____D () E:\Windows\system32\MRT
2014-10-28 21:42 - 2014-10-03 10:02 - 103265616 _____ (Microsoft Corporation) E:\Windows\system32\MRT.exe
2014-10-28 21:18 - 2014-10-29 12:21 - 00003758 _____ () E:\Windows\System32\Tasks\AutoKMS
2014-10-28 20:25 - 2014-10-28 20:25 - 00008562 _____ () E:\Users\Adrock\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:25 - 2014-10-28 20:25 - 00008562 _____ () E:\Users\Adrock\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:25 - 2014-10-28 20:25 - 00004224 _____ () E:\Users\Adrock\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:25 - 2014-10-28 20:25 - 00004224 _____ () E:\Users\Adrock\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:25 - 2014-10-28 20:25 - 00000276 _____ () E:\Users\Adrock\INSTALL_TOR.URL
2014-10-28 20:25 - 2014-10-28 20:25 - 00000276 _____ () E:\Users\Adrock\Documents\INSTALL_TOR.URL
2014-10-28 20:22 - 2014-10-28 21:30 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Wufiypel
2014-10-28 20:21 - 2014-10-28 21:47 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Afylexp
2014-10-28 20:21 - 2014-10-28 20:21 - 00008562 _____ () E:\Users\Adrock\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:21 - 2014-10-28 20:21 - 00008562 _____ () E:\Users\Adrock\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:21 - 2014-10-28 20:21 - 00004224 _____ () E:\Users\Adrock\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:21 - 2014-10-28 20:21 - 00004224 _____ () E:\Users\Adrock\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:21 - 2014-10-28 20:21 - 00000276 _____ () E:\Users\Adrock\AppData\Roaming\INSTALL_TOR.URL
2014-10-28 20:21 - 2014-10-28 20:21 - 00000276 _____ () E:\Users\Adrock\AppData\INSTALL_TOR.URL
2014-10-28 20:19 - 2014-10-28 20:19 - 00008562 _____ () E:\Users\Adrock\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:19 - 2014-10-28 20:19 - 00008562 _____ () E:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:19 - 2014-10-28 20:19 - 00004224 _____ () E:\Users\Adrock\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:19 - 2014-10-28 20:19 - 00004224 _____ () E:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:19 - 2014-10-28 20:19 - 00000276 _____ () E:\Users\Adrock\AppData\Local\INSTALL_TOR.URL
2014-10-28 20:19 - 2014-10-28 20:19 - 00000276 _____ () E:\ProgramData\INSTALL_TOR.URL
2014-10-28 20:17 - 2014-10-28 20:17 - 00000000 ___HD () E:\099bc31
2014-10-27 13:42 - 2014-10-27 13:55 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Udtaessy
2014-10-27 13:38 - 2014-10-27 13:55 - 00000000 ____D () E:\ProgramData\VadiLqula
2014-10-27 13:37 - 2014-10-27 13:37 - 00003050 _____ () E:\Windows\System32\Tasks\{41231E14-1381-2BF7-572D-A21C6C393D14}
2014-10-27 13:37 - 2014-10-27 13:37 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\nTXfSemo
2014-10-26 23:24 - 2014-10-26 23:24 - 00000448 ____H () E:\Users\Adrock\AppData\Roaming\麽鎒駓覜
2014-10-26 23:22 - 2014-10-28 20:11 - 00000000 ____D () E:\ProgramData\Windows Genuine Advantage
2014-10-26 23:22 - 2014-10-26 23:22 - 00070656 _____ () E:\Windows\system32\uoslj.dll
2014-10-26 23:22 - 2014-10-26 23:22 - 00003856 _____ () E:\Windows\System32\Tasks\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54}
2014-10-26 23:22 - 2014-10-26 23:22 - 00000000 _____ () E:\Windows\system32\aaurjv.dll
2014-10-25 15:54 - 2014-10-28 21:10 - 00009507 _____ () E:\Users\Adrock\Desktop\Stacked Graphics Hockey Team.xlsx
2014-10-24 13:05 - 2014-10-24 13:05 - 01592592 _____ () E:\Users\Adrock\Desktop\phil cover.psd
2014-10-23 19:45 - 2014-10-24 13:05 - 05328832 _____ () E:\Users\Adrock\Desktop\Phil Edwards Memorial Hockey Tournament.psd
2014-10-22 09:59 - 2014-10-28 20:19 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\GoPro
2014-10-22 09:59 - 2014-10-28 20:19 - 00000000 ____D () E:\Users\Adrock\AppData\Local\GoPro
2014-10-22 09:59 - 2014-10-22 10:02 - 00000000 ____D () E:\Users\Public\CineForm
2014-10-22 09:59 - 2014-10-22 09:59 - 00001122 _____ () E:\Users\Adrock\Desktop\GoPro Studio.lnk
2014-10-22 09:59 - 2014-10-22 09:59 - 00000000 ____D () E:\ProgramData\Microsoft\Windows\Start Menu\Programs\GoPro
2014-10-22 09:59 - 2014-10-22 09:59 - 00000000 ____D () E:\Program Files\DIFX
2014-10-22 09:59 - 2014-10-22 09:59 - 00000000 ____D () E:\Program Files (x86)\QuickTime
2014-10-22 09:59 - 2014-10-22 09:59 - 00000000 ____D () E:\Program Files (x86)\GoPro
2014-10-22 09:59 - 2014-10-22 09:59 - 00000000 ____D () E:\Program Files (x86)\CineForm
2014-10-22 09:53 - 2014-10-22 09:53 - 00000000 ____D () E:\Users\Adrock\Documents\Adobe
2014-10-15 23:22 - 2014-10-09 22:05 - 00507392 _____ (Microsoft Corporation) E:\Windows\system32\aepdu.dll
2014-10-15 23:22 - 2014-10-09 22:05 - 00276480 _____ (Microsoft Corporation) E:\Windows\system32\generaltel.dll
2014-10-15 23:22 - 2014-10-09 22:00 - 00424448 _____ (Microsoft Corporation) E:\Windows\system32\aeinv.dll
2014-10-15 23:22 - 2014-10-06 22:54 - 00378552 _____ (Microsoft Corporation) E:\Windows\system32\iedkcs32.dll
2014-10-15 23:22 - 2014-10-06 22:04 - 00331448 _____ (Microsoft Corporation) E:\Windows\SysWOW64\iedkcs32.dll
2014-10-15 23:22 - 2014-09-28 20:58 - 03198976 _____ (Microsoft Corporation) E:\Windows\system32\win32k.sys
2014-10-15 23:22 - 2014-09-25 18:50 - 13619200 _____ (Microsoft Corporation) E:\Windows\system32\ieframe.dll
2014-10-15 23:22 - 2014-09-25 18:46 - 00365056 _____ (Microsoft Corporation) E:\Windows\SysWOW64\dxtmsft.dll
2014-10-15 23:22 - 2014-09-25 18:46 - 00243200 _____ (Microsoft Corporation) E:\Windows\SysWOW64\dxtrans.dll
2014-10-15 23:22 - 2014-09-25 18:46 - 00069632 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mshtmled.dll
2014-10-15 23:22 - 2014-09-25 18:43 - 11807232 _____ (Microsoft Corporation) E:\Windows\SysWOW64\ieframe.dll
2014-10-15 23:22 - 2014-09-25 18:32 - 02017280 _____ (Microsoft Corporation) E:\Windows\SysWOW64\inetcpl.cpl
2014-10-15 23:22 - 2014-09-25 18:31 - 02108416 _____ (Microsoft Corporation) E:\Windows\system32\inetcpl.cpl
2014-10-15 23:22 - 2014-09-18 22:25 - 23631360 _____ (Microsoft Corporation) E:\Windows\system32\mshtml.dll
2014-10-15 23:22 - 2014-09-18 21:56 - 02724864 _____ (Microsoft Corporation) E:\Windows\system32\mshtml.tlb
2014-10-15 23:22 - 2014-09-18 21:55 - 00004096 _____ (Microsoft Corporation) E:\Windows\system32\ieetwcollectorres.dll
2014-10-15 23:22 - 2014-09-18 21:44 - 17484800 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mshtml.dll
2014-10-15 23:22 - 2014-09-18 21:41 - 02796032 _____ (Microsoft Corporation) E:\Windows\system32\iertutil.dll
2014-10-15 23:22 - 2014-09-18 21:40 - 00547328 _____ (Microsoft Corporation) E:\Windows\system32\vbscript.dll
2014-10-15 23:22 - 2014-09-18 21:40 - 00066048 _____ (Microsoft Corporation) E:\Windows\system32\iesetup.dll
2014-10-15 23:22 - 2014-09-18 21:39 - 00048640 _____ (Microsoft Corporation) E:\Windows\system32\ieetwproxystub.dll
2014-10-15 23:22 - 2014-09-18 21:38 - 00083968 _____ (Microsoft Corporation) E:\Windows\system32\MshtmlDac.dll
2014-10-15 23:22 - 2014-09-18 21:36 - 05829632 _____ (Microsoft Corporation) E:\Windows\system32\jscript9.dll
2014-10-15 23:22 - 2014-09-18 21:31 - 00051200 _____ (Microsoft Corporation) E:\Windows\system32\jsproxy.dll
2014-10-15 23:22 - 2014-09-18 21:30 - 00033792 _____ (Microsoft Corporation) E:\Windows\system32\iernonce.dll
2014-10-15 23:22 - 2014-09-18 21:27 - 00595968 _____ (Microsoft Corporation) E:\Windows\system32\ieui.dll
2014-10-15 23:22 - 2014-09-18 21:26 - 00139264 _____ (Microsoft Corporation) E:\Windows\system32\ieUnatt.exe
2014-10-15 23:22 - 2014-09-18 21:25 - 04201472 _____ (Microsoft Corporation) E:\Windows\SysWOW64\jscript9.dll
2014-10-15 23:22 - 2014-09-18 21:25 - 00758272 _____ (Microsoft Corporation) E:\Windows\system32\jscript9diag.dll
2014-10-15 23:22 - 2014-09-18 21:25 - 00111616 _____ (Microsoft Corporation) E:\Windows\system32\ieetwcollector.exe
2014-10-15 23:22 - 2014-09-18 21:18 - 00940032 _____ (Microsoft Corporation) E:\Windows\system32\MsSpellCheckingFacility.exe
2014-10-15 23:22 - 2014-09-18 21:14 - 02724864 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mshtml.tlb
2014-10-15 23:22 - 2014-09-18 21:14 - 00446464 _____ (Microsoft Corporation) E:\Windows\system32\dxtmsft.dll
2014-10-15 23:22 - 2014-09-18 21:06 - 00072704 _____ (Microsoft Corporation) E:\Windows\system32\JavaScriptCollectionAgent.dll
2014-10-15 23:22 - 2014-09-18 21:02 - 00454656 _____ (Microsoft Corporation) E:\Windows\SysWOW64\vbscript.dll
2014-10-15 23:22 - 2014-09-18 21:01 - 00195584 _____ (Microsoft Corporation) E:\Windows\system32\msrating.dll
2014-10-15 23:22 - 2014-09-18 21:01 - 00061952 _____ (Microsoft Corporation) E:\Windows\SysWOW64\iesetup.dll
2014-10-15 23:22 - 2014-09-18 21:01 - 00051200 _____ (Microsoft Corporation) E:\Windows\SysWOW64\ieetwproxystub.dll
2014-10-15 23:22 - 2014-09-18 21:00 - 00085504 _____ (Microsoft Corporation) E:\Windows\system32\mshtmled.dll
2014-10-15 23:22 - 2014-09-18 20:59 - 00061952 _____ (Microsoft Corporation) E:\Windows\SysWOW64\MshtmlDac.dll
2014-10-15 23:22 - 2014-09-18 20:58 - 00289280 _____ (Microsoft Corporation) E:\Windows\system32\dxtrans.dll
2014-10-15 23:22 - 2014-09-18 20:55 - 02187264 _____ (Microsoft Corporation) E:\Windows\SysWOW64\iertutil.dll
2014-10-15 23:22 - 2014-09-18 20:54 - 00043008 _____ (Microsoft Corporation) E:\Windows\SysWOW64\jsproxy.dll
2014-10-15 23:22 - 2014-09-18 20:53 - 00032768 _____ (Microsoft Corporation) E:\Windows\SysWOW64\iernonce.dll
2014-10-15 23:22 - 2014-09-18 20:51 - 00440320 _____ (Microsoft Corporation) E:\Windows\SysWOW64\ieui.dll
2014-10-15 23:22 - 2014-09-18 20:50 - 00112128 _____ (Microsoft Corporation) E:\Windows\SysWOW64\ieUnatt.exe
2014-10-15 23:22 - 2014-09-18 20:49 - 00597504 _____ (Microsoft Corporation) E:\Windows\SysWOW64\jscript9diag.dll
2014-10-15 23:22 - 2014-09-18 20:42 - 00731136 _____ (Microsoft Corporation) E:\Windows\system32\msfeeds.dll
2014-10-15 23:22 - 2014-09-18 20:42 - 00710656 _____ (Microsoft Corporation) E:\Windows\system32\ie4uinit.exe
2014-10-15 23:22 - 2014-09-18 20:40 - 01249280 _____ (Microsoft Corporation) E:\Windows\system32\mshtmlmedia.dll
2014-10-15 23:22 - 2014-09-18 20:36 - 00060416 _____ (Microsoft Corporation) E:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-10-15 23:22 - 2014-09-18 20:33 - 02309632 _____ (Microsoft Corporation) E:\Windows\system32\wininet.dll
2014-10-15 23:22 - 2014-09-18 20:32 - 00164864 _____ (Microsoft Corporation) E:\Windows\SysWOW64\msrating.dll
2014-10-15 23:22 - 2014-09-18 20:20 - 00607744 _____ (Microsoft Corporation) E:\Windows\SysWOW64\msfeeds.dll
2014-10-15 23:22 - 2014-09-18 20:18 - 01068032 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mshtmlmedia.dll
2014-10-15 23:22 - 2014-09-18 20:14 - 01447936 _____ (Microsoft Corporation) E:\Windows\system32\urlmon.dll
2014-10-15 23:22 - 2014-09-18 19:59 - 01810944 _____ (Microsoft Corporation) E:\Windows\SysWOW64\wininet.dll
2014-10-15 23:22 - 2014-09-18 19:59 - 00775168 _____ (Microsoft Corporation) E:\Windows\system32\ieapfltr.dll
2014-10-15 23:22 - 2014-09-18 19:53 - 01190400 _____ (Microsoft Corporation) E:\Windows\SysWOW64\urlmon.dll
2014-10-15 23:22 - 2014-09-18 19:52 - 00678400 _____ (Microsoft Corporation) E:\Windows\SysWOW64\ieapfltr.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 01943696 _____ (Microsoft Corporation) E:\Windows\system32\dfshim.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 01131664 _____ (Microsoft Corporation) E:\Windows\SysWOW64\dfshim.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 00156824 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mscorier.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 00156312 _____ (Microsoft Corporation) E:\Windows\system32\mscorier.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 00081560 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mscories.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 00073880 _____ (Microsoft Corporation) E:\Windows\system32\mscories.dll
2014-10-15 23:21 - 2014-09-17 22:00 - 03241472 _____ (Microsoft Corporation) E:\Windows\system32\msi.dll
2014-10-15 23:21 - 2014-09-17 21:32 - 02363904 _____ (Microsoft Corporation) E:\Windows\SysWOW64\msi.dll
2014-10-15 23:21 - 2014-09-12 21:58 - 00077312 _____ (Microsoft Corporation) E:\Windows\system32\packager.dll
2014-10-15 23:21 - 2014-09-12 21:40 - 00067072 _____ (Microsoft Corporation) E:\Windows\SysWOW64\packager.dll
2014-10-15 23:21 - 2014-09-04 01:23 - 00424448 _____ (Microsoft Corporation) E:\Windows\system32\rastls.dll
2014-10-15 23:21 - 2014-09-04 01:04 - 00372736 _____ (Microsoft Corporation) E:\Windows\SysWOW64\rastls.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 03722240 _____ (Microsoft Corporation) E:\Windows\system32\mstscax.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 01118720 _____ (Microsoft Corporation) E:\Windows\system32\mstsc.exe
2014-10-15 23:21 - 2014-07-16 22:07 - 00681984 _____ (Microsoft Corporation) E:\Windows\system32\termsrv.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 00455168 _____ (Microsoft Corporation) E:\Windows\system32\winlogon.exe
2014-10-15 23:21 - 2014-07-16 22:07 - 00235520 _____ (Microsoft Corporation) E:\Windows\system32\winsta.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 00150528 _____ (Microsoft Corporation) E:\Windows\system32\rdpcorekmts.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 00086528 _____ (Microsoft Corporation) E:\Windows\system32\TSpkg.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 00022016 _____ (Microsoft Corporation) E:\Windows\system32\credssp.dll
2014-10-15 23:21 - 2014-07-16 21:40 - 00157696 _____ (Microsoft Corporation) E:\Windows\SysWOW64\winsta.dll
2014-10-15 23:21 - 2014-07-16 21:39 - 03221504 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mstscax.dll
2014-10-15 23:21 - 2014-07-16 21:39 - 01051136 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mstsc.exe
2014-10-15 23:21 - 2014-07-16 21:39 - 00131584 _____ (Microsoft Corporation) E:\Windows\SysWOW64\aaclient.dll
2014-10-15 23:21 - 2014-07-16 21:39 - 00065536 _____ (Microsoft Corporation) E:\Windows\SysWOW64\TSpkg.dll
2014-10-15 23:21 - 2014-07-16 21:39 - 00017408 _____ (Microsoft Corporation) E:\Windows\SysWOW64\credssp.dll
2014-10-15 23:21 - 2014-07-16 21:21 - 00212480 _____ (Microsoft Corporation) E:\Windows\system32\Drivers\rdpwd.sys
2014-10-15 23:21 - 2014-07-16 21:21 - 00039936 _____ (Microsoft Corporation) E:\Windows\system32\Drivers\tssecsrv.sys
2014-10-09 12:52 - 2014-10-09 12:52 - 01462272 _____ (CineForm Inc.) E:\Windows\system32\CFHD.dll
2014-10-09 12:50 - 2014-10-09 12:50 - 01490944 _____ (CineForm Inc.) E:\Windows\SysWOW64\CFHD.dll
2014-09-30 14:06 - 2014-09-24 22:08 - 00371712 _____ (Microsoft Corporation) E:\Windows\system32\qdvd.dll
2014-09-30 14:06 - 2014-09-24 21:40 - 00519680 _____ (Microsoft Corporation) E:\Windows\SysWOW64\qdvd.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-29 12:35 - 2014-08-04 13:08 - 00000000 ____D () E:\Users\Adrock\AppData\Local\CrashDumps
2014-10-29 12:27 - 2014-05-23 21:50 - 00000000 ____D () E:\Program Files (x86)\Overwolf
2014-10-29 12:26 - 2009-07-14 00:45 - 00028144 ____H () E:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-29 12:26 - 2009-07-14 00:45 - 00028144 ____H () E:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-29 12:24 - 2009-07-14 01:13 - 00781790 _____ () E:\Windows\system32\PerfStringBackup.INI
2014-10-29 12:22 - 2014-05-23 21:48 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Overwolf
2014-10-29 12:22 - 2014-05-23 20:01 - 01317530 _____ () E:\Windows\WindowsUpdate.log
2014-10-29 12:18 - 2014-05-23 21:10 - 00000000 ____D () E:\ProgramData\NVIDIA
2014-10-29 12:18 - 2009-07-14 01:08 - 00000006 ____H () E:\Windows\Tasks\SA.DAT
2014-10-29 12:18 - 2009-07-14 00:51 - 00064300 _____ () E:\Windows\setupact.log
2014-10-29 07:41 - 2014-05-27 17:02 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Adobe
2014-10-29 07:30 - 2010-11-20 23:47 - 00206660 _____ () E:\Windows\PFRO.log
2014-10-28 23:26 - 2014-05-23 22:16 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Apps\2.0
2014-10-28 23:25 - 2014-05-23 20:01 - 00000000 ____D () E:\Users\Adrock
2014-10-28 23:25 - 2009-07-13 22:34 - 00000215 _____ () E:\Windows\system.ini
2014-10-28 23:11 - 2014-05-23 22:21 - 00000830 _____ () E:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-28 22:58 - 2014-05-24 11:21 - 00000000 ____D () E:\ProgramData\Package Cache
2014-10-28 22:34 - 2014-07-15 17:43 - 00129752 _____ (Malwarebytes Corporation) E:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-28 21:48 - 2014-05-23 23:07 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Deployment
2014-10-28 21:47 - 2014-08-18 14:59 - 00000000 ____D () E:\Windows\PCHEALTH
2014-10-28 20:25 - 2014-07-15 17:40 - 00000000 ____D () E:\Users\Adrock\Documents\BitLord
2014-10-28 20:25 - 2014-05-24 09:07 - 00000000 ____D () E:\Users\Adrock\Documents\NCSOFT
2014-10-28 20:22 - 2014-09-04 16:40 - 00000000 ____D () E:\Users\Adrock\Desktop\New folder
2014-10-28 20:21 - 2014-08-18 14:55 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Philipp Winterberg
2014-10-28 20:21 - 2014-07-04 20:54 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\OBS
2014-10-28 20:21 - 2014-05-24 00:25 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\NCSOFT
2014-10-28 20:21 - 2014-05-23 21:48 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\TS3Client
2014-10-28 20:20 - 2014-05-23 22:02 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Mozilla
2014-10-28 20:19 - 2014-09-21 15:55 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Apple Computer
2014-10-28 20:19 - 2014-06-19 19:33 - 00000000 ____D () E:\ProgramData\Razer
2014-10-28 20:19 - 2014-05-23 22:02 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Mozilla
2014-10-28 20:19 - 2014-05-23 21:23 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Blizzard Entertainment
2014-10-28 20:19 - 2014-05-23 21:23 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Battle.net
2014-10-28 20:19 - 2014-05-23 20:58 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Adobe
2014-10-28 20:19 - 2014-05-23 20:57 - 00000000 ____D () E:\Users\Adrock\AppData\Local\cFos
2014-10-28 20:18 - 2014-09-16 16:25 - 00000000 ____D () E:\ArcheAge
2014-10-28 20:18 - 2014-05-24 11:22 - 00000000 ____D () E:\ProgramData\LogiShrd
2014-10-28 20:18 - 2014-05-23 21:22 - 00000000 ____D () E:\ProgramData\Battle.net
2014-10-26 23:31 - 2014-07-15 17:43 - 00001116 _____ () E:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-26 23:31 - 2014-07-15 17:43 - 00000000 ____D () E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-26 23:31 - 2014-07-15 17:43 - 00000000 ____D () E:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-26 23:22 - 2009-07-13 23:20 - 00000000 ____D () E:\Windows\system32\sysprep
2014-10-23 12:39 - 2014-07-15 17:40 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\BitLord
2014-10-22 10:00 - 2014-05-23 20:01 - 00000000 ____D () E:\Users\Adrock\AppData\Local\VirtualStore
2014-10-22 09:59 - 2014-06-19 19:34 - 00105108 _____ () E:\Windows\DPINST.LOG
2014-10-22 09:43 - 2014-09-04 16:57 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Windows Live
2014-10-20 00:14 - 2014-08-18 15:00 - 00000000 ___RD () E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2014-10-20 00:14 - 2014-08-18 14:57 - 00000000 ____D () E:\ProgramData\Microsoft Help
2014-10-16 18:41 - 2009-07-13 23:20 - 00000000 ____D () E:\Windows\rescache
2014-10-16 17:32 - 2014-05-23 20:58 - 00113920 _____ () E:\Users\Adrock\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-16 17:31 - 2009-07-14 00:45 - 00435208 _____ () E:\Windows\system32\FNTCACHE.DAT
2014-10-16 17:30 - 2014-05-25 18:45 - 00000000 ___SD () E:\Windows\system32\CompatTel
2014-10-16 00:01 - 2009-07-13 22:34 - 00000478 _____ () E:\Windows\win.ini
2014-10-02 15:53 - 2010-11-20 23:27 - 00278152 ____N (Microsoft Corporation) E:\Windows\system32\MpSigStub.exe
2014-10-01 20:22 - 2014-06-19 19:32 - 00000000 ____D () E:\Program Files (x86)\Razer
2014-10-01 11:11 - 2014-07-15 17:43 - 00093400 _____ (Malwarebytes Corporation) E:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-01 11:11 - 2014-07-15 17:43 - 00063704 _____ (Malwarebytes Corporation) E:\Windows\system32\Drivers\mwac.sys
2014-10-01 11:11 - 2014-07-15 17:43 - 00025816 _____ (Malwarebytes Corporation) E:\Windows\system32\Drivers\mbam.sys

Files to move or delete:
====================
E:\Users\Adrock\cbsidlm-cbsi212-RAR_File_Open_Knife__Free_Opener-SEO-10971016.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

E:\Windows\System32\winlogon.exe => File is digitally signed
E:\Windows\System32\wininit.exe => File is digitally signed
E:\Windows\SysWOW64\wininit.exe => File is digitally signed
E:\Windows\explorer.exe => File is digitally signed
E:\Windows\SysWOW64\explorer.exe => File is digitally signed
E:\Windows\System32\svchost.exe => File is digitally signed
E:\Windows\SysWOW64\svchost.exe => File is digitally signed
E:\Windows\System32\services.exe => File is digitally signed
E:\Windows\System32\User32.dll => File is digitally signed
E:\Windows\SysWOW64\User32.dll => File is digitally signed
E:\Windows\System32\userinit.exe => File is digitally signed
E:\Windows\SysWOW64\userinit.exe => File is digitally signed
E:\Windows\System32\rpcss.dll => File is digitally signed
E:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-16 18:34

==================== End Of Log ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 29-10-2014 01
Ran by Adrock at 2014-10-29 12:40:07
Running from E:\Users\Adrock\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Norton Internet Security (Disabled - Out of date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Internet Security (Disabled - Out of date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security (Disabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM-x32\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (x32 Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 2.7.1.418 - Adobe Systems Incorporated)
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Photoshop CC 2014 (HKLM-x32\...\{D7A4F897-B20A-42D0-862D-CB5F6DB7391D}) (Version: 15.0 - Adobe Systems Incorporated)
Adobe Reader 9 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A90000000001}) (Version: 9.0.0 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{78002155-F025-4070-85B3-7C0453561701}) (Version: 3.0.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{B678797F-DF38-4556-8A31-8B818E261868}) (Version: 8.0.0.23 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Archeage (HKLM-x32\...\Glyph Archeage) (Version:  - Trion Worlds, Inc.)
ASRock App Charger v1.0.4 (HKLM\...\ASRock App Charger_is1) (Version:  - ASRock Inc.)
ASRock eXtreme Tuner v0.1.98 (HKLM-x32\...\ASRock eXtreme Tuner_is1) (Version:  - )
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
BitLord 2.3 (HKLM-x32\...\BitLord) (Version: 2.3.2-255 - House of Life)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom Gigabit NetLink Controller (HKLM\...\{C91DCB72-F5BB-410D-A91A-314F5D1B4284}) (Version: 14.6.1.3 - Broadcom Corporation)
Curse Client (HKCU\...\101a9f93b8f0bb6f) (Version: 5.1.1.820 - Curse)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Etron USB3.0 Host Controller (HKLM-x32\...\InstallShield_{DFBB738C-71D8-4DC5-B8D2-D65C37680E27}) (Version: 0.96 - Etron Technology)
Etron USB3.0 Host Controller (x32 Version: 0.96 - Etron Technology) Hidden
Fraps (remove only) (HKLM-x32\...\Fraps) (Version:  - )
Glyph (HKLM-x32\...\Glyph) (Version:  - Trion Worlds, Inc.)
GoPro Studio 2.5.1 (HKLM-x32\...\GoPro Studio) (Version: 2.5.1 - GoPro, Inc.)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.225 - SurfRight B.V.)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2372 - Intel Corporation)
iTunes (HKLM\...\{F46AA0F1-E284-4878-A462-5F11B9166C0E}) (Version: 11.4.0.18 - Apple Inc.)
Junk Mail filter update (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Logitech Gaming Software 8.53 (HKLM\...\Logitech Gaming Software) (Version: 8.53.154 - Logitech Inc.)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
marvell 91xx driver (HKLM-x32\...\MagniDriver) (Version: 1.2.0.1003 - Marvell)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft OneDrive (HKCU\...\OneDriveSetup.exe) (Version: 17.3.1171.0714 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 32.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
MSVCRT110_amd64 (Version: 16.4.1109.0912 - Microsoft) Hidden
Norton Internet Security (HKLM-x32\...\NIS) (Version: 18.7.2.3 - Symantec Corporation)
NVIDIA 3D Vision Controller Driver 327.23 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 327.23 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 327.23 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 327.23 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.1 - NVIDIA Corporation)
NVIDIA Graphics Driver 327.23 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 327.23 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.26.4 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.26.4 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.0725 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.0725 - NVIDIA Corporation)
Open Broadcaster Software (HKLM-x32\...\Open Broadcaster Software) (Version:  - )
Outils de vérification linguistique 2013 de Microsoft Office - Français (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
Overwolf (HKLM-x32\...\Overwolf) (Version: 0.81.34.0 - Overwolf Ltd.)
Overwolf.Setup.VC100CRTx64.Dist (HKLM\...\{EC9D5554-6852-4A55-81BB-AC02C7A8CFED}) (Version: 1.0.0 - Overwolf)
Overwolf.Setup.VC100CRTx86.Dist (x32 Version: 1.0.0 - Overwolf) Hidden
Photo Common (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Photo Gallery (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
RAR File Open Knife - Free Opener (HKLM-x32\...\RAR File Open Knife - Free Opener) (Version: 3.50 - Philipp Winterberg)
Razer Core (HKLM-x32\...\Razer Core) (Version: 1.0.1.66 - Razer Inc)
Razer Synapse 2.0 (HKLM-x32\...\{0D78BEE2-F8FF-4498-AF1A-3FF81CED8AC6}) (Version: 1.18.15.20888 - Razer Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6392 - Realtek Semiconductor Corp.)
Service Pack 1 for Microsoft Office 2013 (KB2850036) 64-Bit Edition (HKLM\...\{90150000-0011-0000-1000-0000000FF1CE}_Office15.PROPLUS_{D82063A8-7C8C-4C3B-A9BB-95138CA55D26}) (Version:  - Microsoft)
Service Pack 1 for Microsoft Office 2013 (KB2850036) 64-Bit Edition (Version:  - Microsoft) Hidden
SHIELD Streaming (Version: 2.1.214 - NVIDIA Corporation) Hidden
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.14 - TeamSpeak Systems GmbH)
THX TruStudio (HKLM-x32\...\{AFB907F5-C0E6-4753-8284-DE955EF86AC2}) (Version: 1.00.01 - Creative Technology Limited)
VIRTU 1.2.103 (HKLM\...\VIRTU_is1) (Version: 1.2.103 - Lucidlogix Technologies LTD)
WildStar (HKLM-x32\...\WildStar) (Version:  - NCSOFT)
Windows Driver Package - GoPro (WinUSB) Universal Serial Bus devices  (03/07/2012 ) (HKLM\...\0B624A43DD66DBF5CF3EDFA9741A364E688062A4) (Version: 03/07/2012  - GoPro)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version:  - Blizzard Entertainment)
XFast LAN v6.61 (HKLM\...\XFast LAN) (Version: 6.61 - cFos Software GmbH, Bonn)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{4dc29fec-004b-4728-b4be-22186514ae1f}\InprocServer32 -> E:\Windows\system32\dfshim.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> E:\Users\Adrock\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> E:\Users\Adrock\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> E:\Users\Adrock\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> E:\Users\Adrock\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> E:\Users\Adrock\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\FileSyncApi64.dll (Microsoft Corporation)

==================== Restore Points  =========================

28-10-2014 22:20:43 Windows Update
29-10-2014 01:41:54 Windows Update
29-10-2014 02:27:18 Checkpoint by HitmanPro
29-10-2014 02:27:50 Checkpoint by HitmanPro
29-10-2014 02:40:01 Windows Modules Installer
29-10-2014 02:57:35 PerforMax Cleaner

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2014-10-28 23:25 - 00000027 ____A E:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {2ADAD3C5-A01D-414F-9019-9EDA54C38B7F} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => E:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [2014-01-23] (Microsoft Corporation)
Task: {4874E7CD-BEA0-4C58-B4B5-85389FAF652A} - System32\Tasks\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54} => E:\Windows\system32\uoslj.dll [2014-10-26] ()
Task: {635101A6-B367-4BB6-8C8C-45BA9EE4DCAA} - System32\Tasks\Symantec\Norton Error Processor 18.7.2.3 => E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\SymErr.exe [2012-06-07] (Symantec Corporation)
Task: {688281A8-1773-4871-9ACD-131E5B3D1876} - System32\Tasks\Adobe Flash Player Updater => E:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-24] (Adobe Systems Incorporated)
Task: {6BBFA251-87F1-4933-AA48-574AC9EB64F2} - System32\Tasks\AdobeAAMUpdater-1.0-Adrock-PC-Adrock => E:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2014-02-27] (Adobe Systems Incorporated)
Task: {6E286407-7FF3-45BC-9749-C712970CF9A1} - System32\Tasks\Optimum_LogOn => E:\Program Files (x86)\Optimum PC Boost\OptimumPCBoost.exe <==== ATTENTION
Task: {73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9} - System32\Tasks\Optimum_Daily => E:\Program Files (x86)\Optimum PC Boost\OptimumPCBoost.exe <==== ATTENTION
Task: {9B38182C-D6F0-4998-82F7-47C657B087C8} - System32\Tasks\Symantec\Norton Error Analyzer 18.7.2.3 => E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\SymErr.exe [2012-06-07] (Symantec Corporation)
Task: {9E071934-0DC3-43EC-85D1-BC751247C663} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => E:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {C2FDD66F-9CE9-4ED5-A15D-087BA563CE05} - System32\Tasks\Overwolf Updater Task => E:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [2014-10-22] (Overwolf LTD)
Task: {CED663EB-9A47-4BAE-B130-617880570EED} - System32\Tasks\AutoKMS => E:\Windows\AutoKMS\AutoKMS.exe [2014-08-18] ()
Task: {E78CB3EF-2B8D-4FF3-B433-C2884F8699B9} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => E:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {FDDC9E2F-8E38-42C3-A704-0438F556A757} - System32\Tasks\{41231E14-1381-2BF7-572D-A21C6C393D14} => E:\Users\Adrock\AppData\Roaming\nTXfSemo\eUpaEWUB\MyaXAClk\QUPqNnUAj.exe [2014-03-04] ()
Task: E:\Windows\Tasks\Adobe Flash Player Updater.job => E:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-05-23 21:10 - 2013-09-12 03:25 - 00097568 _____ () E:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2014-07-16 11:06 - 2014-07-16 11:06 - 00672416 _____ () E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
2014-09-16 13:52 - 2014-09-16 13:52 - 08896160 _____ () E:\Program Files\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2014-05-23 20:52 - 2011-04-14 22:16 - 00094208 _____ () E:\Windows\System32\IccLibDll_x64.dll
2014-05-23 20:59 - 2011-05-19 09:58 - 00246784 _____ () E:\Windows\SYSTEM32\APOMgr64.DLL
2014-02-11 14:21 - 2014-02-11 14:21 - 00860160 _____ () E:\Program Files\Logitech Gaming Software\libGLESv2.dll
2014-02-11 14:22 - 2014-02-11 14:22 - 01043968 _____ () E:\Program Files\Logitech Gaming Software\platforms\qwindows.dll
2014-02-11 14:21 - 2014-02-11 14:21 - 00052736 _____ () E:\Program Files\Logitech Gaming Software\libEGL.dll
2014-02-11 14:22 - 2014-02-11 14:22 - 00236032 _____ () E:\Program Files\Logitech Gaming Software\imageformats\qjpeg.dll
2014-10-22 05:25 - 2014-10-22 05:25 - 00077088 _____ () E:\Program Files (x86)\Overwolf\0.81.34.0\OverwolfBrowser.exe
2014-07-31 12:16 - 2014-07-31 12:16 - 00073544 _____ () E:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-07-31 12:16 - 2014-07-31 12:16 - 01044776 _____ () E:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-10-22 05:23 - 2014-10-22 05:23 - 00025600 _____ () E:\Program Files (x86)\Overwolf\0.81.34.0\CoreAudioApi.dll
2014-10-22 05:23 - 2014-10-22 05:23 - 38713856 _____ () E:\Program Files (x86)\Overwolf\0.81.34.0\libcef.DLL
2014-10-08 18:22 - 2014-10-08 18:22 - 01795584 _____ () E:\Program Files (x86)\GoPro\Tools\Importer\GPSDKAnalyticsNet.dll
2014-07-03 06:45 - 2014-07-03 06:45 - 32733056 _____ () E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CEF\libcef.dll
2014-07-03 06:45 - 2014-07-03 06:45 - 00742784 _____ () E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CEF\libglesv2.dll
2014-07-03 06:45 - 2014-07-03 06:45 - 00136576 _____ () E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CEF\libegl.dll
2014-10-22 05:23 - 2014-10-22 05:23 - 00514528 _____ () E:\Program Files (x86)\Overwolf\0.81.34.0\libglesv2.dll
2014-10-22 05:23 - 2014-10-22 05:23 - 00105952 _____ () E:\Program Files (x86)\Overwolf\0.81.34.0\libegl.dll
2014-09-24 17:21 - 2014-09-24 17:21 - 03715184 _____ () E:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2014-09-16 13:53 - 2014-09-16 13:53 - 08896160 _____ () E:\Program Files (x86)\Microsoft Office\Office15\1033\GrooveIntlResource.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: E:^Users^Adrock^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^099bc31.exe => E:\Windows\pss\099bc31.exe.Startup
MSCONFIG\startupfolder: E:^Users^Adrock^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip => E:\Windows\pss\CurseClientStartup.ccip.Startup
MSCONFIG\startupreg: Ehzozaubqu => E:\Users\Adrock\AppData\Roaming\Udtaessy\cailot.exe

========================= Accounts: ==========================

Administrator (S-1-5-21-2622789366-4104432293-3959885506-500 - Administrator - Disabled)
Adrock (S-1-5-21-2622789366-4104432293-3959885506-1000 - Administrator - Enabled) => E:\Users\Adrock
Guest (S-1-5-21-2622789366-4104432293-3959885506-501 - Limited - Disabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (10/29/2014 00:35:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 32.0.3.5379, time stamp: 0x54224e6b
Faulting module name: mozalloc.dll, version: 32.0.3.5379, time stamp: 0x54221b67
Exception code: 0x80000003
Fault offset: 0x0000141b
Faulting process id: 0xbf8
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (10/29/2014 00:20:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/29/2014 07:31:19 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/29/2014 07:31:14 AM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (10/28/2014 11:26:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0000000002371183
Faulting process id: 0x4198
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (10/28/2014 11:07:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (10/29/2014 00:24:00 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (10/29/2014 00:24:00 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (10/29/2014 00:23:40 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (10/29/2014 00:23:40 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (10/29/2014 00:23:20 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (10/29/2014 00:23:20 PM) (Source: Schannel) (EventID: 4120) (User: NT AUTHORITY)
Description: The following fatal alert was generated: 10. The internal error state is 10.

Error: (10/29/2014 00:22:00 PM) (Source: DCOM) (EventID: 10016) (User: Adrock-PC)
Description: application-specificLocalActivation{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}{56BE716B-2F76-4DFA-8702-67AE10044F0B}Adrock-PCAdrockS-1-5-21-2622789366-4104432293-3959885506-1000LocalHost (Using LRPC)

Error: (10/29/2014 00:22:00 PM) (Source: DCOM) (EventID: 10016) (User: Adrock-PC)
Description: application-specificLocalActivation{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}{56BE716B-2F76-4DFA-8702-67AE10044F0B}Adrock-PCAdrockS-1-5-21-2622789366-4104432293-3959885506-1000LocalHost (Using LRPC)

Error: (10/29/2014 00:22:00 PM) (Source: DCOM) (EventID: 10016) (User: Adrock-PC)
Description: application-specificLocalActivation{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}{56BE716B-2F76-4DFA-8702-67AE10044F0B}Adrock-PCAdrockS-1-5-21-2622789366-4104432293-3959885506-1000LocalHost (Using LRPC)

Error: (10/29/2014 00:22:00 PM) (Source: DCOM) (EventID: 10016) (User: Adrock-PC)
Description: application-specificLocalActivation{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}{56BE716B-2F76-4DFA-8702-67AE10044F0B}Adrock-PCAdrockS-1-5-21-2622789366-4104432293-3959885506-1000LocalHost (Using LRPC)


Microsoft Office Sessions:
=========================
Error: (10/29/2014 00:35:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe32.0.3.537954224e6bmozalloc.dll32.0.3.537954221b67800000030000141bbf801cff3954e38dcf5E:\Program Files (x86)\Mozilla Firefox\plugin-container.exeE:\Program Files (x86)\Mozilla Firefox\mozalloc.dll8eee76b9-5f89-11e4-be74-002522fcd522

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (10/29/2014 00:20:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/29/2014 07:31:19 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/29/2014 07:31:14 AM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (10/28/2014 11:26:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe6.1.7600.163854a5bc3c1unknown0.0.0.000000000c00000050000000002371183419801cff32793961d51E:\Windows\system32\svchost.exeunknown57441dda-5f1b-11e4-a9c4-002522fcd522

Error: (10/28/2014 11:07:51 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
  Date: 2014-10-28 23:25:05.222
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-10-28 23:25:05.185
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ i7-2600 CPU @ 3.40GHz
Percentage of memory in use: 36%
Total physical RAM: 16384 MB
Available physical RAM: 10381.1 MB
Total Pagefile: 32766.18 MB
Available Pagefile: 25539.22 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: (Storage) (Fixed) (Total:931.41 GB) (Free:366.02 GB) NTFS
Drive d: (SPORTY_S_IFR_VOLUME_1) (CDROM) (Total:1.88 GB) (Free:0 GB) UDF
Drive e: (New Volume) (Fixed) (Total:232.88 GB) (Free:80.34 GB) NTFS
Drive f: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: A4B553FB)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 52BAA78A)
Partition 1: (Not Active) - (Size=232.9 GB) - (Type=07 NTFS)

==================== End Of Log ============================


Edited by wrxutec, 29 October 2014 - 11:44 AM.


#3 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:26 AM

Posted 29 October 2014 - 12:32 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something, don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Your computer is very badly infected with a multitude of viruses.

You also appear to be infected with CryptoWall. Check the link below for more information:

CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Please download the following file => [attachment=156926:fixlist.txt] and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi




#4 wrxutec

wrxutec
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 29 October 2014 - 12:37 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-10-2014 01
Ran by Adrock at 2014-10-29 13:36:26 Run:1
Running from E:\Users\Adrock\Downloads
Loaded Profile: Adrock (Available profiles: Adrock)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\...\Run: [099bc3] => E:\099bc31\099bc31.exe [130048 2014-10-28] ()
E:\099bc31
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\...\Run: [099bc31] => E:\Users\Adrock\AppData\Roaming\099bc31.exe [130048 2014-10-29] ()
E:\Users\Adrock\AppData\Roaming\099bc31.exe
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\099bc31.exe
Toolbar: HKCU - No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF SearchPlugin: E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\searchplugins\Astromenda.xml
FF Extension: Astro New Tab - E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\Extensions\{f2548724-373f-45fe-be6a-3a85e87b7711}.xpi [2014-10-28]
R1 avgtp; E:\Windows\system32\drivers\avgtpx64.sys [50976 2014-08-19] (AVG Technologies)
E:\Windows\system32\drivers\avgtpx64.sys
S3 catchme; \??\E:\ComboFix\catchme.sys [X]
2014-10-28 20:25 - 2014-10-28 20:25 - 00008562 _____ () E:\Users\Adrock\Documents\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:25 - 2014-10-28 20:25 - 00008562 _____ () E:\Users\Adrock\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:25 - 2014-10-28 20:25 - 00004224 _____ () E:\Users\Adrock\Documents\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:25 - 2014-10-28 20:25 - 00004224 _____ () E:\Users\Adrock\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:25 - 2014-10-28 20:25 - 00000276 _____ () E:\Users\Adrock\INSTALL_TOR.URL
2014-10-28 20:25 - 2014-10-28 20:25 - 00000276 _____ () E:\Users\Adrock\Documents\INSTALL_TOR.URL
2014-10-28 20:22 - 2014-10-28 21:30 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Wufiypel
2014-10-28 20:21 - 2014-10-28 21:47 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Afylexp
2014-10-28 20:21 - 2014-10-28 20:21 - 00008562 _____ () E:\Users\Adrock\AppData\Roaming\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:21 - 2014-10-28 20:21 - 00008562 _____ () E:\Users\Adrock\AppData\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:21 - 2014-10-28 20:21 - 00004224 _____ () E:\Users\Adrock\AppData\Roaming\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:21 - 2014-10-28 20:21 - 00004224 _____ () E:\Users\Adrock\AppData\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:21 - 2014-10-28 20:21 - 00000276 _____ () E:\Users\Adrock\AppData\Roaming\INSTALL_TOR.URL
2014-10-28 20:21 - 2014-10-28 20:21 - 00000276 _____ () E:\Users\Adrock\AppData\INSTALL_TOR.URL
2014-10-28 20:19 - 2014-10-28 20:19 - 00008562 _____ () E:\Users\Adrock\AppData\Local\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:19 - 2014-10-28 20:19 - 00008562 _____ () E:\ProgramData\DECRYPT_INSTRUCTION.HTML
2014-10-28 20:19 - 2014-10-28 20:19 - 00004224 _____ () E:\Users\Adrock\AppData\Local\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:19 - 2014-10-28 20:19 - 00004224 _____ () E:\ProgramData\DECRYPT_INSTRUCTION.TXT
2014-10-28 20:19 - 2014-10-28 20:19 - 00000276 _____ () E:\Users\Adrock\AppData\Local\INSTALL_TOR.URL
2014-10-28 20:19 - 2014-10-28 20:19 - 00000276 _____ () E:\ProgramData\INSTALL_TOR.URL
2014-10-28 20:17 - 2014-10-28 20:17 - 00000000 ___HD () E:\099bc31
2014-10-27 13:42 - 2014-10-27 13:55 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Udtaessy
2014-10-27 13:38 - 2014-10-27 13:55 - 00000000 ____D () E:\ProgramData\VadiLqula
2014-10-27 13:37 - 2014-10-27 13:37 - 00003050 _____ () E:\Windows\System32\Tasks\{41231E14-1381-2BF7-572D-A21C6C393D14}
2014-10-27 13:37 - 2014-10-27 13:37 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\nTXfSemo
2014-10-26 23:24 - 2014-10-26 23:24 - 00000448 ____H () E:\Users\Adrock\AppData\Roaming\麽鎒駓覜
2014-10-26 23:22 - 2014-10-28 20:11 - 00000000 ____D () E:\ProgramData\Windows Genuine Advantage
2014-10-26 23:22 - 2014-10-26 23:22 - 00070656 _____ () E:\Windows\system32\uoslj.dll
2014-10-26 23:22 - 2014-10-26 23:22 - 00003856 _____ () E:\Windows\System32\Tasks\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54}
2014-10-26 23:22 - 2014-10-26 23:22 - 00000000 _____ () E:\Windows\system32\aaurjv.dll
Task: {4874E7CD-BEA0-4C58-B4B5-85389FAF652A} - System32\Tasks\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54} => E:\Windows\system32\uoslj.dll [2014-10-26] ()
Task: {6E286407-7FF3-45BC-9749-C712970CF9A1} - System32\Tasks\Optimum_LogOn => E:\Program Files (x86)\Optimum PC Boost\OptimumPCBoost.exe <==== ATTENTION
Task: {73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9} - System32\Tasks\Optimum_Daily => E:\Program Files (x86)\Optimum PC Boost\OptimumPCBoost.exe <==== ATTENTION
Task: {FDDC9E2F-8E38-42C3-A704-0438F556A757} - System32\Tasks\{41231E14-1381-2BF7-572D-A21C6C393D14} => E:\Users\Adrock\AppData\Roaming\nTXfSemo\eUpaEWUB\MyaXAClk\QUPqNnUAj.exe [2014-03-04] ()
E:\Program Files (x86)\Optimum PC Boost
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\E:^Users^Adrock^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^099bc31.exe" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Ehzozaubqu" /f
EmptyTemp:
end
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Windows\CurrentVersion\Run\\099bc3 => value deleted successfully.
E:\099bc31 => Moved successfully.
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Windows\CurrentVersion\Run\\099bc31 => value deleted successfully.
E:\Users\Adrock\AppData\Roaming\099bc31.exe => Moved successfully.
"HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Error deleting key. The key could be protected.
"HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Error deleting key. The key could be protected.
E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\099bc31.exe => Moved successfully.
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
"HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => Key not found.
E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\searchplugins\Astromenda.xml => Moved successfully.
E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\Extensions\{f2548724-373f-45fe-be6a-3a85e87b7711}.xpi => Moved successfully.
avgtp => Service stopped successfully.
avgtp => Service deleted successfully.
E:\Windows\system32\drivers\avgtpx64.sys => Moved successfully.
catchme => Service deleted successfully.
E:\Users\Adrock\Documents\DECRYPT_INSTRUCTION.HTML => Moved successfully.
E:\Users\Adrock\DECRYPT_INSTRUCTION.HTML => Moved successfully.
E:\Users\Adrock\Documents\DECRYPT_INSTRUCTION.TXT => Moved successfully.
E:\Users\Adrock\DECRYPT_INSTRUCTION.TXT => Moved successfully.
E:\Users\Adrock\INSTALL_TOR.URL => Moved successfully.
E:\Users\Adrock\Documents\INSTALL_TOR.URL => Moved successfully.
E:\Users\Adrock\AppData\Roaming\Wufiypel => Moved successfully.
E:\Users\Adrock\AppData\Roaming\Afylexp => Moved successfully.
E:\Users\Adrock\AppData\Roaming\DECRYPT_INSTRUCTION.HTML => Moved successfully.
E:\Users\Adrock\AppData\DECRYPT_INSTRUCTION.HTML => Moved successfully.
E:\Users\Adrock\AppData\Roaming\DECRYPT_INSTRUCTION.TXT => Moved successfully.
E:\Users\Adrock\AppData\DECRYPT_INSTRUCTION.TXT => Moved successfully.
E:\Users\Adrock\AppData\Roaming\INSTALL_TOR.URL => Moved successfully.
E:\Users\Adrock\AppData\INSTALL_TOR.URL => Moved successfully.
E:\Users\Adrock\AppData\Local\DECRYPT_INSTRUCTION.HTML => Moved successfully.
E:\ProgramData\DECRYPT_INSTRUCTION.HTML => Moved successfully.
E:\Users\Adrock\AppData\Local\DECRYPT_INSTRUCTION.TXT => Moved successfully.
E:\ProgramData\DECRYPT_INSTRUCTION.TXT => Moved successfully.
E:\Users\Adrock\AppData\Local\INSTALL_TOR.URL => Moved successfully.
E:\ProgramData\INSTALL_TOR.URL => Moved successfully.
"E:\099bc31" => File/Directory not found.
E:\Users\Adrock\AppData\Roaming\Udtaessy => Moved successfully.
E:\ProgramData\VadiLqula => Moved successfully.
E:\Windows\System32\Tasks\{41231E14-1381-2BF7-572D-A21C6C393D14} => Moved successfully.
E:\Users\Adrock\AppData\Roaming\nTXfSemo => Moved successfully.
E:\Users\Adrock\AppData\Roaming\麽鎒駓覜 => Moved successfully.
E:\ProgramData\Windows Genuine Advantage => Moved successfully.
E:\Windows\system32\uoslj.dll => Moved successfully.
E:\Windows\System32\Tasks\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54} => Moved successfully.
Could not move "E:\Windows\system32\aaurjv.dll" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}" => Error deleting key. The key could be protected.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}" => Error deleting key. The key could be protected.
E:\Windows\System32\Tasks\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54} not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54}" => Error deleting key. The key could be protected.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6E286407-7FF3-45BC-9749-C712970CF9A1}" => Error deleting key. The key could be protected.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6E286407-7FF3-45BC-9749-C712970CF9A1}" => Error deleting key. The key could be protected.
E:\Windows\System32\Tasks\Optimum_LogOn => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_LogOn" => Error deleting key. The key could be protected.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}" => Error deleting key. The key could be protected.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}" => Error deleting key. The key could be protected.
E:\Windows\System32\Tasks\Optimum_Daily => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_Daily" => Error deleting key. The key could be protected.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FDDC9E2F-8E38-42C3-A704-0438F556A757}" => Error deleting key. The key could be protected.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDDC9E2F-8E38-42C3-A704-0438F556A757}" => Error deleting key. The key could be protected.
E:\Windows\System32\Tasks\{41231E14-1381-2BF7-572D-A21C6C393D14} not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{41231E14-1381-2BF7-572D-A21C6C393D14}" => Error deleting key. The key could be protected.
"E:\Program Files (x86)\Optimum PC Boost" => File/Directory not found.

========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\E:^Users^Adrock^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^099bc31.exe" /f =========

The operation completed successfully.



========= End of Reg: =========


========= reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Ehzozaubqu" /f =========

The operation completed successfully.



========= End of Reg: =========


=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-10-29 13:37:21)<=

==> ATTENTION: System is not rebooted.
"E:\Windows\system32\aaurjv.dll" => File could not move.

==== End of Fixlog ====

A script error keeps popping up now


Edited by wrxutec, 29 October 2014 - 12:38 PM.


#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:26 AM

Posted 29 October 2014 - 12:43 PM

Hello,

Please restart your computer and re-run FRST. Make sure that Addition.txt is checked before you press the Scan button.

Post both files, FRST.txt and Addition.txt, in your next reply.

Regards,

Georgi




#6 wrxutec

wrxutec
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:26 AM

Posted 29 October 2014 - 12:48 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 29-10-2014 01
Ran by Adrock (administrator) on ADROCK-PC on 29-10-2014 13:46:48
Running from E:\Users\Adrock\Downloads
Loaded Profile: Adrock (Available profiles: Adrock)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) E:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) E:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) E:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) E:\Windows\System32\nvvsvc.exe
(Apple Inc.) E:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) E:\Program Files\Bonjour\mDNSResponder.exe
(cFos Software GmbH) E:\Program Files\ASRock\XFast LAN\spd.exe
(Symantec Corporation) E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe
(NVIDIA Corporation) E:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) E:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Razer, Inc.) E:\Program Files (x86)\Razer\Core\64bit\RzOvlMon.exe
(Microsoft Corp.) E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(NVIDIA Corporation) E:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Symantec Corporation) E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccsvchst.exe
(Intel Corporation) E:\Windows\System32\igfxpers.exe
(Realtek Semiconductor) E:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) E:\Windows\System32\rundll32.exe
(NVIDIA Corporation) E:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(NVIDIA Corporation) E:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\LCore.exe
(cFos Software GmbH) E:\Program Files\ASRock\XFast LAN\cfosspeed.exe
(Overwolf LTD) E:\Program Files (x86)\Overwolf\Overwolf.exe
(GoPro) E:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe
(Adobe Systems Incorporated) E:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
(Creative Technology Ltd) E:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe
(Razer Inc.) E:\Program Files (x86)\Razer\Synapse\RzSynapse.exe
(Adobe Systems Incorporated) E:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe
(Apple Inc.) E:\Program Files (x86)\iTunes\iTunesHelper.exe
(NVIDIA Corporation) E:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Adobe Systems Incorporated) E:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\IPC\AdobeIPCBroker.exe
(Apple Inc.) E:\Program Files\iPod\bin\iPodService.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\Applets\LCDClock.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\Applets\LCDMedia.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\Applets\LCDPOP3.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\Applets\LCDRSS.exe
(Logitech Inc.) E:\Program Files\Logitech Gaming Software\Applets\LCDCountdown.exe
(Adobe Systems Incorporated) E:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
(Adobe Systems Incorporated) E:\Program Files (x86)\Adobe\Adobe Creative Cloud\HEX\Adobe CEF Helper.exe
(Mozilla Corporation) E:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Overwolf LTD) E:\Program Files (x86)\Common Files\Overwolf\0.81.34.0\OverwolfHelper.exe
(Overwolf LTD) E:\Program Files (x86)\Common Files\Overwolf\0.81.34.0\OverwolfHelper64.exe
(Microsoft Corporation) E:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
() E:\Program Files (x86)\Overwolf\0.81.34.0\OverwolfBrowser.exe
(Microsoft Corporation) E:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => E:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11860072 2011-06-09] (Realtek Semiconductor)
HKLM\...\Run: [THXCfg64] => E:\Windows\system32\RunDLL32.exe E:\Windows\system32\THXCfg64.dll,RunDLLEntry THXCfg64
HKLM\...\Run: [Nvtmru] => "E:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\nvtmru.exe"
HKLM\...\Run: [NvBackend] => E:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2352072 2014-05-29] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => E:\Windows\system32\rundll32.exe E:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Launch LCore] => E:\Program Files\Logitech Gaming Software\LCore.exe [10396440 2014-04-14] (Logitech Inc.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => E:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [558496 2014-02-27] (Adobe Systems Incorporated)
HKLM\...\Run: [XFast LAN] => E:\Program Files\ASRock\XFast LAN\cFosSpeed.exe [1441152 2011-07-04] (cFos Software GmbH)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => E:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [THX TruStudio NB Settings] => E:\Program Files (x86)\Creative\THX TruStudio\THXNBSet\THXAudNB.exe [909824 2011-05-19] (Creative Technology Ltd)
HKLM-x32\...\Run: [UpdReg] => E:\Windows\UpdReg.EXE [90112 2000-05-11] (Creative Technology Ltd.)
HKLM-x32\...\Run: [Razer Synapse] => E:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [585560 2014-06-23] (Razer Inc.)
HKLM-x32\...\Run: [Adobe Creative Cloud] => E:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe [2694040 2014-07-22] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [iTunesHelper] => E:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2014-09-01] (Apple Inc.)
Winlogon\Notify\igfxcui: E:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\...\Run: [Overwolf] => E:\Program Files (x86)\Overwolf\Overwolf.exe [39712 2014-10-22] (Overwolf LTD)
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
AppInit_DLLs: E:\PROGRA~1\LUCIDL~1\VIRTU\appinit_dll.dll => E:\Program Files\Lucidlogix Technologies\VIRTU\appinit_dll.dll [187488 2011-06-19] (Lucidlogix Inc.)
AppInit_DLLs:  E:\Windows\System32\nvinitx.dll => E:\Windows\System32\nvinitx.dll [168616 2013-09-12] (NVIDIA Corporation)
AppInit_DLLs-x32: E:\PROGRA~1\LUCIDL~1\VIRTU\x86\appinit_dll.dll => E:\Program Files\Lucidlogix Technologies\VIRTU\x86\appinit_dll.dll [157792 2011-06-19] (Lucidlogix Inc.)
AppInit_DLLs-x32:  E:\Windows\SysWOW64\nvinit.dll => E:\Windows\SysWOW64\nvinit.dll [141336 2013-09-12] (NVIDIA Corporation)
Startup: E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GoPro Importer.lnk
ShortcutTarget: GoPro Importer.lnk -> E:\Program Files (x86)\GoPro\Tools\Importer\GoPro Importer.exe (GoPro)
ShellIconOverlayIdentifiers: [ AccExtIco1] -> {AB9CF9F8-8A96-4F9D-BF21-CE85714C3A47} => E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco2] -> {853B7E05-C47D-4985-909A-D0DC5C6D7303} => E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()
ShellIconOverlayIdentifiers: [ AccExtIco3] -> {42D38F2E-98E9-4382-B546-E24E4D6D04BB} => E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x6105FC7820F3CF01
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> E:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> E:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> E:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> E:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> E:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Symantec NCO BHO -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll (Symantec Corporation)
BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\IPS\IPSBHO.DLL (Symantec Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> E:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> E:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> E:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\coIEPlg.dll (Symantec Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - E:\Program Files\Microsoft Office\Office15\MSOSB.DLL (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62

FireFox:
========
FF ProfilePath: E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default
FF Plugin: @adobe.com/FlashPlayer -> E:\Windows\system32\Macromed\Flash\NPSWF64_15_0_0_152.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> E:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/SharePoint,version=14.0 -> E:\PROGRA~1\MICROS~3\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> E:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin: adobe.com/AdobeAAMDetect_x86_64 -> E:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> E:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> E:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> E:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> E:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> E:\PROGRA~2\MICROS~2\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> E:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> E:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> E:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> E:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll (Adobe Systems)
FF user.js: detected! => E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\user.js
FF Plugin ProgramFiles/Appdata: E:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFF
FF Extension: Symantec Intrusion Prevention - E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\IPSFF [2014-05-24]
FF HKLM-x32\...\Firefox\Extensions: [{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}] - E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn_2011_7_13_2
FF Extension: Norton Toolbar - E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\coFFPlgn_2011_7_13_2 [2014-10-29]
FF StartMenuInternet: FIREFOX.EXE - firefox.exe

Chrome:
=======

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 cFosSpeedS; E:\Program Files\ASRock\XFast LAN\spd.exe [395136 2011-07-04] (cFos Software GmbH)
R2 NIS; E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe [130008 2011-04-16] (Symantec Corporation)
R2 NvNetworkService; E:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1631008 2014-05-29] (NVIDIA Corporation)
R2 NvStreamSvc; E:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21055432 2014-05-29] (NVIDIA Corporation)
S3 OverwolfUpdater; E:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [997664 2014-10-22] (Overwolf LTD)
R2 RzOvlMon; E:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe [32960 2014-04-18] (Razer, Inc.)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; E:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 BHDrvx64; E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\BASHDefs\20140718.001\BHDrvx64.sys [1530160 2014-05-10] (Symantec Corporation)
R1 eeCtrl; E:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [486192 2014-06-11] (Symantec Corporation)
R3 EraserUtilRebootDrv; E:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [142128 2014-06-11] (Symantec Corporation)
S3 hitmanpro37; E:\Windows\system32\drivers\hitmanpro37.sys [32512 2014-10-28] ()
R1 IDSVia64; E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\IPSDefs\20140722.001\IDSvia64.sys [525016 2014-05-23] (Symantec Corporation)
S3 MBAMSwissArmy; E:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2014-10-28] (Malwarebytes Corporation)
S3 NAVENG; E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20140723.001\ENG64.SYS [126040 2014-07-10] (Symantec Corporation)
S3 NAVEX15; E:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.1.0.37\Definitions\VirusDefs\20140723.001\EX64.SYS [2099288 2014-07-10] (Symantec Corporation)
R3 NvStreamKms; E:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [20256 2014-05-29] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; E:\Windows\System32\drivers\nvvad64v.sys [40392 2014-03-31] (NVIDIA Corporation)
R3 RzDxgk; E:\Windows\system32\drivers\RzDxgk.sys [129472 2014-04-18] (Razer, Inc.)
R3 rzendpt; E:\Windows\System32\DRIVERS\rzendpt.sys [39080 2014-05-19] (Razer Inc)
R1 RzFilter; E:\Windows\system32\drivers\RzFilter.sys [74432 2014-04-18] (Razer, Inc.)
R3 rzmpos; E:\Windows\System32\DRIVERS\rzmpos.sys [34984 2014-05-19] (Razer Inc)
S3 SRTSP; E:\Windows\System32\Drivers\NISx64\1207020.003\SRTSP64.SYS [744568 2011-03-30] (Symantec Corporation)
R1 SRTSPX; E:\Windows\system32\drivers\NISx64\1207020.003\SRTSPX64.SYS [40568 2011-03-30] (Symantec Corporation)
R0 SymDS; E:\Windows\System32\drivers\NISx64\1207020.003\SYMDS64.SYS [450680 2011-01-27] (Symantec Corporation)
R0 SymEFA; E:\Windows\System32\drivers\NISx64\1207020.003\SYMEFA64.SYS [912504 2011-03-14] (Symantec Corporation)
R3 SymEvent; E:\Windows\system32\Drivers\SYMEVENT64x86.SYS [174200 2014-05-24] (Symantec Corporation)
R1 SymIRON; E:\Windows\system32\drivers\NISx64\1207020.003\Ironx64.SYS [171128 2011-01-27] (Symantec Corporation)
R1 SymNetS; E:\Windows\System32\Drivers\NISx64\1207020.003\SYMNETS.SYS [386168 2011-04-20] (Symantec Corporation)
S3 EagleX64; \??\E:\Windows\system32\drivers\EagleX64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-29 13:46 - 2014-10-29 13:47 - 00018075 _____ () E:\Users\Adrock\Downloads\FRST.txt
2014-10-29 13:45 - 2014-10-29 13:45 - 00001427 _____ () E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2014-10-29 13:34 - 2014-10-29 13:34 - 00010500 _____ () E:\Users\Adrock\Downloads\fixlist.txt
2014-10-29 13:23 - 2014-10-29 13:23 - 04184008 _____ (Kaspersky Lab ZAO) E:\Users\Adrock\Downloads\tdsskiller.exe
2014-10-29 12:40 - 2014-10-29 12:40 - 00030299 _____ () E:\Users\Adrock\Downloads\Addition.txt
2014-10-29 12:39 - 2014-10-29 13:46 - 00000000 ____D () E:\FRST
2014-10-29 12:38 - 2014-10-29 12:39 - 02113536 _____ (Farbar) E:\Users\Adrock\Downloads\FRST64.exe
2014-10-28 23:26 - 2014-10-28 23:26 - 00030209 _____ () E:\ComboFix.txt
2014-10-28 23:17 - 2014-10-28 23:26 - 00000000 ____D () E:\Qoobox
2014-10-28 23:17 - 2014-10-28 23:26 - 00000000 ____D () E:\ComboFix
2014-10-28 23:17 - 2011-06-26 02:45 - 00256000 _____ () E:\Windows\PEV.exe
2014-10-28 23:17 - 2010-11-07 13:20 - 00208896 _____ () E:\Windows\MBR.exe
2014-10-28 23:17 - 2009-04-20 00:56 - 00060416 _____ (NirSoft) E:\Windows\NIRCMD.exe
2014-10-28 23:17 - 2000-08-30 20:00 - 00518144 _____ (SteelWerX) E:\Windows\SWREG.exe
2014-10-28 23:17 - 2000-08-30 20:00 - 00406528 _____ (SteelWerX) E:\Windows\SWSC.exe
2014-10-28 23:17 - 2000-08-30 20:00 - 00098816 _____ () E:\Windows\sed.exe
2014-10-28 23:17 - 2000-08-30 20:00 - 00080412 _____ () E:\Windows\grep.exe
2014-10-28 23:17 - 2000-08-30 20:00 - 00068096 _____ () E:\Windows\zip.exe
2014-10-28 23:16 - 2014-10-28 23:25 - 00000000 ____D () E:\Windows\erdnt
2014-10-28 23:16 - 2014-10-28 23:16 - 05591695 ____R (Swearware) E:\Users\Adrock\Downloads\ComboFix.exe
2014-10-28 22:55 - 2014-10-28 23:00 - 00000000 ____D () E:\Users\Adrock\Desktop\RK_Quarantine
2014-10-28 22:29 - 2014-10-28 22:29 - 00032512 _____ () E:\Windows\system32\Drivers\hitmanpro37.sys
2014-10-28 22:27 - 2014-10-28 22:27 - 00000686 _____ () E:\Windows\system32\.crusader
2014-10-28 22:09 - 2014-10-28 22:28 - 00000000 ____D () E:\ProgramData\HitmanPro
2014-10-28 22:09 - 2014-10-28 22:09 - 00001907 _____ () E:\Users\Public\Desktop\HitmanPro.lnk
2014-10-28 22:09 - 2014-10-28 22:09 - 00000000 ____D () E:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2014-10-28 22:09 - 2014-10-28 22:09 - 00000000 ____D () E:\Program Files\HitmanPro
2014-10-28 21:54 - 2014-10-28 21:56 - 00000000 ____D () E:\AdwCleaner
2014-10-28 21:49 - 2014-10-28 21:49 - 00000000 ____D () E:\Windows\pss
2014-10-28 21:43 - 2014-10-28 21:49 - 00000000 ____D () E:\Windows\system32\MpEngineStore
2014-10-28 21:42 - 2014-10-28 21:42 - 00000000 ____D () E:\Windows\system32\MRT
2014-10-28 21:42 - 2014-10-03 10:02 - 103265616 _____ (Microsoft Corporation) E:\Windows\system32\MRT.exe
2014-10-28 21:18 - 2014-10-29 13:46 - 00003758 _____ () E:\Windows\System32\Tasks\AutoKMS
2014-10-26 23:22 - 2014-10-26 23:22 - 00000000 _____ () E:\Windows\system32\aaurjv.dll
2014-10-25 15:54 - 2014-10-28 21:10 - 00009507 _____ () E:\Users\Adrock\Desktop\Stacked Graphics Hockey Team.xlsx
2014-10-24 13:05 - 2014-10-24 13:05 - 01592592 _____ () E:\Users\Adrock\Desktop\phil cover.psd
2014-10-23 19:45 - 2014-10-24 13:05 - 05328832 _____ () E:\Users\Adrock\Desktop\Phil Edwards Memorial Hockey Tournament.psd
2014-10-22 09:59 - 2014-10-28 20:19 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\GoPro
2014-10-22 09:59 - 2014-10-28 20:19 - 00000000 ____D () E:\Users\Adrock\AppData\Local\GoPro
2014-10-22 09:59 - 2014-10-22 10:02 - 00000000 ____D () E:\Users\Public\CineForm
2014-10-22 09:59 - 2014-10-22 09:59 - 00001122 _____ () E:\Users\Adrock\Desktop\GoPro Studio.lnk
2014-10-22 09:59 - 2014-10-22 09:59 - 00000000 ____D () E:\ProgramData\Microsoft\Windows\Start Menu\Programs\GoPro
2014-10-22 09:59 - 2014-10-22 09:59 - 00000000 ____D () E:\Program Files\DIFX
2014-10-22 09:59 - 2014-10-22 09:59 - 00000000 ____D () E:\Program Files (x86)\QuickTime
2014-10-22 09:59 - 2014-10-22 09:59 - 00000000 ____D () E:\Program Files (x86)\GoPro
2014-10-22 09:59 - 2014-10-22 09:59 - 00000000 ____D () E:\Program Files (x86)\CineForm
2014-10-22 09:53 - 2014-10-22 09:53 - 00000000 ____D () E:\Users\Adrock\Documents\Adobe
2014-10-15 23:22 - 2014-10-09 22:05 - 00507392 _____ (Microsoft Corporation) E:\Windows\system32\aepdu.dll
2014-10-15 23:22 - 2014-10-09 22:05 - 00276480 _____ (Microsoft Corporation) E:\Windows\system32\generaltel.dll
2014-10-15 23:22 - 2014-10-09 22:00 - 00424448 _____ (Microsoft Corporation) E:\Windows\system32\aeinv.dll
2014-10-15 23:22 - 2014-10-06 22:54 - 00378552 _____ (Microsoft Corporation) E:\Windows\system32\iedkcs32.dll
2014-10-15 23:22 - 2014-10-06 22:04 - 00331448 _____ (Microsoft Corporation) E:\Windows\SysWOW64\iedkcs32.dll
2014-10-15 23:22 - 2014-09-28 20:58 - 03198976 _____ (Microsoft Corporation) E:\Windows\system32\win32k.sys
2014-10-15 23:22 - 2014-09-25 18:50 - 13619200 _____ (Microsoft Corporation) E:\Windows\system32\ieframe.dll
2014-10-15 23:22 - 2014-09-25 18:46 - 00365056 _____ (Microsoft Corporation) E:\Windows\SysWOW64\dxtmsft.dll
2014-10-15 23:22 - 2014-09-25 18:46 - 00243200 _____ (Microsoft Corporation) E:\Windows\SysWOW64\dxtrans.dll
2014-10-15 23:22 - 2014-09-25 18:46 - 00069632 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mshtmled.dll
2014-10-15 23:22 - 2014-09-25 18:43 - 11807232 _____ (Microsoft Corporation) E:\Windows\SysWOW64\ieframe.dll
2014-10-15 23:22 - 2014-09-25 18:32 - 02017280 _____ (Microsoft Corporation) E:\Windows\SysWOW64\inetcpl.cpl
2014-10-15 23:22 - 2014-09-25 18:31 - 02108416 _____ (Microsoft Corporation) E:\Windows\system32\inetcpl.cpl
2014-10-15 23:22 - 2014-09-18 22:25 - 23631360 _____ (Microsoft Corporation) E:\Windows\system32\mshtml.dll
2014-10-15 23:22 - 2014-09-18 21:56 - 02724864 _____ (Microsoft Corporation) E:\Windows\system32\mshtml.tlb
2014-10-15 23:22 - 2014-09-18 21:55 - 00004096 _____ (Microsoft Corporation) E:\Windows\system32\ieetwcollectorres.dll
2014-10-15 23:22 - 2014-09-18 21:44 - 17484800 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mshtml.dll
2014-10-15 23:22 - 2014-09-18 21:41 - 02796032 _____ (Microsoft Corporation) E:\Windows\system32\iertutil.dll
2014-10-15 23:22 - 2014-09-18 21:40 - 00547328 _____ (Microsoft Corporation) E:\Windows\system32\vbscript.dll
2014-10-15 23:22 - 2014-09-18 21:40 - 00066048 _____ (Microsoft Corporation) E:\Windows\system32\iesetup.dll
2014-10-15 23:22 - 2014-09-18 21:39 - 00048640 _____ (Microsoft Corporation) E:\Windows\system32\ieetwproxystub.dll
2014-10-15 23:22 - 2014-09-18 21:38 - 00083968 _____ (Microsoft Corporation) E:\Windows\system32\MshtmlDac.dll
2014-10-15 23:22 - 2014-09-18 21:36 - 05829632 _____ (Microsoft Corporation) E:\Windows\system32\jscript9.dll
2014-10-15 23:22 - 2014-09-18 21:31 - 00051200 _____ (Microsoft Corporation) E:\Windows\system32\jsproxy.dll
2014-10-15 23:22 - 2014-09-18 21:30 - 00033792 _____ (Microsoft Corporation) E:\Windows\system32\iernonce.dll
2014-10-15 23:22 - 2014-09-18 21:27 - 00595968 _____ (Microsoft Corporation) E:\Windows\system32\ieui.dll
2014-10-15 23:22 - 2014-09-18 21:26 - 00139264 _____ (Microsoft Corporation) E:\Windows\system32\ieUnatt.exe
2014-10-15 23:22 - 2014-09-18 21:25 - 04201472 _____ (Microsoft Corporation) E:\Windows\SysWOW64\jscript9.dll
2014-10-15 23:22 - 2014-09-18 21:25 - 00758272 _____ (Microsoft Corporation) E:\Windows\system32\jscript9diag.dll
2014-10-15 23:22 - 2014-09-18 21:25 - 00111616 _____ (Microsoft Corporation) E:\Windows\system32\ieetwcollector.exe
2014-10-15 23:22 - 2014-09-18 21:18 - 00940032 _____ (Microsoft Corporation) E:\Windows\system32\MsSpellCheckingFacility.exe
2014-10-15 23:22 - 2014-09-18 21:14 - 02724864 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mshtml.tlb
2014-10-15 23:22 - 2014-09-18 21:14 - 00446464 _____ (Microsoft Corporation) E:\Windows\system32\dxtmsft.dll
2014-10-15 23:22 - 2014-09-18 21:06 - 00072704 _____ (Microsoft Corporation) E:\Windows\system32\JavaScriptCollectionAgent.dll
2014-10-15 23:22 - 2014-09-18 21:02 - 00454656 _____ (Microsoft Corporation) E:\Windows\SysWOW64\vbscript.dll
2014-10-15 23:22 - 2014-09-18 21:01 - 00195584 _____ (Microsoft Corporation) E:\Windows\system32\msrating.dll
2014-10-15 23:22 - 2014-09-18 21:01 - 00061952 _____ (Microsoft Corporation) E:\Windows\SysWOW64\iesetup.dll
2014-10-15 23:22 - 2014-09-18 21:01 - 00051200 _____ (Microsoft Corporation) E:\Windows\SysWOW64\ieetwproxystub.dll
2014-10-15 23:22 - 2014-09-18 21:00 - 00085504 _____ (Microsoft Corporation) E:\Windows\system32\mshtmled.dll
2014-10-15 23:22 - 2014-09-18 20:59 - 00061952 _____ (Microsoft Corporation) E:\Windows\SysWOW64\MshtmlDac.dll
2014-10-15 23:22 - 2014-09-18 20:58 - 00289280 _____ (Microsoft Corporation) E:\Windows\system32\dxtrans.dll
2014-10-15 23:22 - 2014-09-18 20:55 - 02187264 _____ (Microsoft Corporation) E:\Windows\SysWOW64\iertutil.dll
2014-10-15 23:22 - 2014-09-18 20:54 - 00043008 _____ (Microsoft Corporation) E:\Windows\SysWOW64\jsproxy.dll
2014-10-15 23:22 - 2014-09-18 20:53 - 00032768 _____ (Microsoft Corporation) E:\Windows\SysWOW64\iernonce.dll
2014-10-15 23:22 - 2014-09-18 20:51 - 00440320 _____ (Microsoft Corporation) E:\Windows\SysWOW64\ieui.dll
2014-10-15 23:22 - 2014-09-18 20:50 - 00112128 _____ (Microsoft Corporation) E:\Windows\SysWOW64\ieUnatt.exe
2014-10-15 23:22 - 2014-09-18 20:49 - 00597504 _____ (Microsoft Corporation) E:\Windows\SysWOW64\jscript9diag.dll
2014-10-15 23:22 - 2014-09-18 20:42 - 00731136 _____ (Microsoft Corporation) E:\Windows\system32\msfeeds.dll
2014-10-15 23:22 - 2014-09-18 20:42 - 00710656 _____ (Microsoft Corporation) E:\Windows\system32\ie4uinit.exe
2014-10-15 23:22 - 2014-09-18 20:40 - 01249280 _____ (Microsoft Corporation) E:\Windows\system32\mshtmlmedia.dll
2014-10-15 23:22 - 2014-09-18 20:36 - 00060416 _____ (Microsoft Corporation) E:\Windows\SysWOW64\JavaScriptCollectionAgent.dll
2014-10-15 23:22 - 2014-09-18 20:33 - 02309632 _____ (Microsoft Corporation) E:\Windows\system32\wininet.dll
2014-10-15 23:22 - 2014-09-18 20:32 - 00164864 _____ (Microsoft Corporation) E:\Windows\SysWOW64\msrating.dll
2014-10-15 23:22 - 2014-09-18 20:20 - 00607744 _____ (Microsoft Corporation) E:\Windows\SysWOW64\msfeeds.dll
2014-10-15 23:22 - 2014-09-18 20:18 - 01068032 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mshtmlmedia.dll
2014-10-15 23:22 - 2014-09-18 20:14 - 01447936 _____ (Microsoft Corporation) E:\Windows\system32\urlmon.dll
2014-10-15 23:22 - 2014-09-18 19:59 - 01810944 _____ (Microsoft Corporation) E:\Windows\SysWOW64\wininet.dll
2014-10-15 23:22 - 2014-09-18 19:59 - 00775168 _____ (Microsoft Corporation) E:\Windows\system32\ieapfltr.dll
2014-10-15 23:22 - 2014-09-18 19:53 - 01190400 _____ (Microsoft Corporation) E:\Windows\SysWOW64\urlmon.dll
2014-10-15 23:22 - 2014-09-18 19:52 - 00678400 _____ (Microsoft Corporation) E:\Windows\SysWOW64\ieapfltr.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 01943696 _____ (Microsoft Corporation) E:\Windows\system32\dfshim.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 01131664 _____ (Microsoft Corporation) E:\Windows\SysWOW64\dfshim.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 00156824 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mscorier.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 00156312 _____ (Microsoft Corporation) E:\Windows\system32\mscorier.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 00081560 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mscories.dll
2014-10-15 23:22 - 2014-06-18 18:23 - 00073880 _____ (Microsoft Corporation) E:\Windows\system32\mscories.dll
2014-10-15 23:21 - 2014-09-17 22:00 - 03241472 _____ (Microsoft Corporation) E:\Windows\system32\msi.dll
2014-10-15 23:21 - 2014-09-17 21:32 - 02363904 _____ (Microsoft Corporation) E:\Windows\SysWOW64\msi.dll
2014-10-15 23:21 - 2014-09-12 21:58 - 00077312 _____ (Microsoft Corporation) E:\Windows\system32\packager.dll
2014-10-15 23:21 - 2014-09-12 21:40 - 00067072 _____ (Microsoft Corporation) E:\Windows\SysWOW64\packager.dll
2014-10-15 23:21 - 2014-09-04 01:23 - 00424448 _____ (Microsoft Corporation) E:\Windows\system32\rastls.dll
2014-10-15 23:21 - 2014-09-04 01:04 - 00372736 _____ (Microsoft Corporation) E:\Windows\SysWOW64\rastls.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 03722240 _____ (Microsoft Corporation) E:\Windows\system32\mstscax.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 01118720 _____ (Microsoft Corporation) E:\Windows\system32\mstsc.exe
2014-10-15 23:21 - 2014-07-16 22:07 - 00681984 _____ (Microsoft Corporation) E:\Windows\system32\termsrv.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 00455168 _____ (Microsoft Corporation) E:\Windows\system32\winlogon.exe
2014-10-15 23:21 - 2014-07-16 22:07 - 00235520 _____ (Microsoft Corporation) E:\Windows\system32\winsta.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 00150528 _____ (Microsoft Corporation) E:\Windows\system32\rdpcorekmts.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 00086528 _____ (Microsoft Corporation) E:\Windows\system32\TSpkg.dll
2014-10-15 23:21 - 2014-07-16 22:07 - 00022016 _____ (Microsoft Corporation) E:\Windows\system32\credssp.dll
2014-10-15 23:21 - 2014-07-16 21:40 - 00157696 _____ (Microsoft Corporation) E:\Windows\SysWOW64\winsta.dll
2014-10-15 23:21 - 2014-07-16 21:39 - 03221504 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mstscax.dll
2014-10-15 23:21 - 2014-07-16 21:39 - 01051136 _____ (Microsoft Corporation) E:\Windows\SysWOW64\mstsc.exe
2014-10-15 23:21 - 2014-07-16 21:39 - 00131584 _____ (Microsoft Corporation) E:\Windows\SysWOW64\aaclient.dll
2014-10-15 23:21 - 2014-07-16 21:39 - 00065536 _____ (Microsoft Corporation) E:\Windows\SysWOW64\TSpkg.dll
2014-10-15 23:21 - 2014-07-16 21:39 - 00017408 _____ (Microsoft Corporation) E:\Windows\SysWOW64\credssp.dll
2014-10-15 23:21 - 2014-07-16 21:21 - 00212480 _____ (Microsoft Corporation) E:\Windows\system32\Drivers\rdpwd.sys
2014-10-15 23:21 - 2014-07-16 21:21 - 00039936 _____ (Microsoft Corporation) E:\Windows\system32\Drivers\tssecsrv.sys
2014-10-09 12:52 - 2014-10-09 12:52 - 01462272 _____ (CineForm Inc.) E:\Windows\system32\CFHD.dll
2014-10-09 12:50 - 2014-10-09 12:50 - 01490944 _____ (CineForm Inc.) E:\Windows\SysWOW64\CFHD.dll
2014-09-30 14:06 - 2014-09-24 22:08 - 00371712 _____ (Microsoft Corporation) E:\Windows\system32\qdvd.dll
2014-09-30 14:06 - 2014-09-24 21:40 - 00519680 _____ (Microsoft Corporation) E:\Windows\SysWOW64\qdvd.dll

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-10-29 13:46 - 2009-07-14 00:45 - 00028144 ____H () E:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-10-29 13:46 - 2009-07-14 00:45 - 00028144 ____H () E:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-10-29 13:45 - 2014-05-23 21:48 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Overwolf
2014-10-29 13:45 - 2014-05-23 21:10 - 00000000 ____D () E:\ProgramData\NVIDIA
2014-10-29 13:45 - 2009-07-14 01:08 - 00000006 ____H () E:\Windows\Tasks\SA.DAT
2014-10-29 13:45 - 2009-07-14 00:51 - 00064468 _____ () E:\Windows\setupact.log
2014-10-29 13:44 - 2014-05-23 20:01 - 01318155 _____ () E:\Windows\WindowsUpdate.log
2014-10-29 13:37 - 2014-08-04 13:08 - 00000000 ____D () E:\Users\Adrock\AppData\Local\CrashDumps
2014-10-29 13:36 - 2014-05-23 20:01 - 00000000 ____D () E:\Users\Adrock
2014-10-29 13:11 - 2014-05-23 22:21 - 00000830 _____ () E:\Windows\Tasks\Adobe Flash Player Updater.job
2014-10-29 12:27 - 2014-05-23 21:50 - 00000000 ____D () E:\Program Files (x86)\Overwolf
2014-10-29 12:24 - 2009-07-14 01:13 - 00781790 _____ () E:\Windows\system32\PerfStringBackup.INI
2014-10-29 07:41 - 2014-05-27 17:02 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Adobe
2014-10-29 07:30 - 2010-11-20 23:47 - 00206660 _____ () E:\Windows\PFRO.log
2014-10-28 23:26 - 2014-05-23 22:16 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Apps\2.0
2014-10-28 23:25 - 2009-07-13 22:34 - 00000215 _____ () E:\Windows\system.ini
2014-10-28 22:58 - 2014-05-24 11:21 - 00000000 ____D () E:\ProgramData\Package Cache
2014-10-28 22:34 - 2014-07-15 17:43 - 00129752 _____ (Malwarebytes Corporation) E:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-10-28 21:48 - 2014-05-23 23:07 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Deployment
2014-10-28 21:47 - 2014-08-18 14:59 - 00000000 ____D () E:\Windows\PCHEALTH
2014-10-28 20:25 - 2014-07-15 17:40 - 00000000 ____D () E:\Users\Adrock\Documents\BitLord
2014-10-28 20:25 - 2014-05-24 09:07 - 00000000 ____D () E:\Users\Adrock\Documents\NCSOFT
2014-10-28 20:22 - 2014-09-04 16:40 - 00000000 ____D () E:\Users\Adrock\Desktop\New folder
2014-10-28 20:21 - 2014-08-18 14:55 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Philipp Winterberg
2014-10-28 20:21 - 2014-07-04 20:54 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\OBS
2014-10-28 20:21 - 2014-05-24 00:25 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\NCSOFT
2014-10-28 20:21 - 2014-05-23 21:48 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\TS3Client
2014-10-28 20:20 - 2014-05-23 22:02 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Mozilla
2014-10-28 20:19 - 2014-09-21 15:55 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Apple Computer
2014-10-28 20:19 - 2014-06-19 19:33 - 00000000 ____D () E:\ProgramData\Razer
2014-10-28 20:19 - 2014-05-23 22:02 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Mozilla
2014-10-28 20:19 - 2014-05-23 21:23 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Blizzard Entertainment
2014-10-28 20:19 - 2014-05-23 21:23 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Battle.net
2014-10-28 20:19 - 2014-05-23 20:58 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\Adobe
2014-10-28 20:19 - 2014-05-23 20:57 - 00000000 ____D () E:\Users\Adrock\AppData\Local\cFos
2014-10-28 20:18 - 2014-09-16 16:25 - 00000000 ____D () E:\ArcheAge
2014-10-28 20:18 - 2014-05-24 11:22 - 00000000 ____D () E:\ProgramData\LogiShrd
2014-10-28 20:18 - 2014-05-23 21:22 - 00000000 ____D () E:\ProgramData\Battle.net
2014-10-26 23:31 - 2014-07-15 17:43 - 00001116 _____ () E:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-10-26 23:31 - 2014-07-15 17:43 - 00000000 ____D () E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-10-26 23:31 - 2014-07-15 17:43 - 00000000 ____D () E:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-26 23:22 - 2009-07-13 23:20 - 00000000 ____D () E:\Windows\system32\sysprep
2014-10-23 12:39 - 2014-07-15 17:40 - 00000000 ____D () E:\Users\Adrock\AppData\Roaming\BitLord
2014-10-22 10:00 - 2014-05-23 20:01 - 00000000 ____D () E:\Users\Adrock\AppData\Local\VirtualStore
2014-10-22 09:59 - 2014-06-19 19:34 - 00105108 _____ () E:\Windows\DPINST.LOG
2014-10-22 09:43 - 2014-09-04 16:57 - 00000000 ____D () E:\Users\Adrock\AppData\Local\Windows Live
2014-10-20 00:14 - 2014-08-18 15:00 - 00000000 ___RD () E:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office 2013
2014-10-20 00:14 - 2014-08-18 14:57 - 00000000 ____D () E:\ProgramData\Microsoft Help
2014-10-16 18:41 - 2009-07-13 23:20 - 00000000 ____D () E:\Windows\rescache
2014-10-16 17:32 - 2014-05-23 20:58 - 00113920 _____ () E:\Users\Adrock\AppData\Local\GDIPFONTCACHEV1.DAT
2014-10-16 17:31 - 2009-07-14 00:45 - 00435208 _____ () E:\Windows\system32\FNTCACHE.DAT
2014-10-16 17:30 - 2014-05-25 18:45 - 00000000 ___SD () E:\Windows\system32\CompatTel
2014-10-16 00:01 - 2009-07-13 22:34 - 00000478 _____ () E:\Windows\win.ini
2014-10-02 15:53 - 2010-11-20 23:27 - 00278152 ____N (Microsoft Corporation) E:\Windows\system32\MpSigStub.exe
2014-10-01 20:22 - 2014-06-19 19:32 - 00000000 ____D () E:\Program Files (x86)\Razer
2014-10-01 11:11 - 2014-07-15 17:43 - 00093400 _____ (Malwarebytes Corporation) E:\Windows\system32\Drivers\mbamchameleon.sys
2014-10-01 11:11 - 2014-07-15 17:43 - 00063704 _____ (Malwarebytes Corporation) E:\Windows\system32\Drivers\mwac.sys
2014-10-01 11:11 - 2014-07-15 17:43 - 00025816 _____ (Malwarebytes Corporation) E:\Windows\system32\Drivers\mbam.sys

Files to move or delete:
====================
E:\Users\Adrock\cbsidlm-cbsi212-RAR_File_Open_Knife__Free_Opener-SEO-10971016.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

E:\Windows\System32\winlogon.exe => File is digitally signed
E:\Windows\System32\wininit.exe => File is digitally signed
E:\Windows\SysWOW64\wininit.exe => File is digitally signed
E:\Windows\explorer.exe => File is digitally signed
E:\Windows\SysWOW64\explorer.exe => File is digitally signed
E:\Windows\System32\svchost.exe => File is digitally signed
E:\Windows\SysWOW64\svchost.exe => File is digitally signed
E:\Windows\System32\services.exe => File is digitally signed
E:\Windows\System32\User32.dll => File is digitally signed
E:\Windows\SysWOW64\User32.dll => File is digitally signed
E:\Windows\System32\userinit.exe => File is digitally signed
E:\Windows\SysWOW64\userinit.exe => File is digitally signed
E:\Windows\System32\rpcss.dll => File is digitally signed
E:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2014-10-16 18:34

==================== End Of Log ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 29-10-2014 01
Ran by Adrock at 2014-10-29 13:47:15
Running from E:\Users\Adrock\Downloads
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Norton Internet Security (Disabled - Out of date) {63DF5164-9100-186D-2187-8DC619EFD8BF}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Norton Internet Security (Disabled - Out of date) {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security (Disabled) {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Acrobat.com (HKLM-x32\...\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1) (Version: 1.1.377 - Adobe Systems Incorporated)
Acrobat.com (x32 Version: 0.0.0 - Adobe Systems Incorporated) Hidden
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.0.4990 - Adobe Systems Inc.)
Adobe Creative Cloud (HKLM-x32\...\Adobe Creative Cloud) (Version: 2.7.1.418 - Adobe Systems Incorporated)
Adobe Flash Player 15 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 15.0.0.167 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 15.0.0.152 - Adobe Systems Incorporated)
Adobe Photoshop CC 2014 (HKLM-x32\...\{D7A4F897-B20A-42D0-862D-CB5F6DB7391D}) (Version: 15.0 - Adobe Systems Incorporated)
Adobe Reader 9 (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-A90000000001}) (Version: 9.0.0 - Adobe Systems Incorporated)
Apple Application Support (HKLM-x32\...\{78002155-F025-4070-85B3-7C0453561701}) (Version: 3.0.6 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{B678797F-DF38-4556-8A31-8B818E261868}) (Version: 8.0.0.23 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Archeage (HKLM-x32\...\Glyph Archeage) (Version:  - Trion Worlds, Inc.)
ASRock App Charger v1.0.4 (HKLM\...\ASRock App Charger_is1) (Version:  - ASRock Inc.)
ASRock eXtreme Tuner v0.1.98 (HKLM-x32\...\ASRock eXtreme Tuner_is1) (Version:  - )
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
BitLord 2.3 (HKLM-x32\...\BitLord) (Version: 2.3.2-255 - House of Life)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Broadcom Gigabit NetLink Controller (HKLM\...\{C91DCB72-F5BB-410D-A91A-314F5D1B4284}) (Version: 14.6.1.3 - Broadcom Corporation)
Curse Client (HKCU\...\101a9f93b8f0bb6f) (Version: 5.1.1.820 - Curse)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Etron USB3.0 Host Controller (HKLM-x32\...\InstallShield_{DFBB738C-71D8-4DC5-B8D2-D65C37680E27}) (Version: 0.96 - Etron Technology)
Etron USB3.0 Host Controller (x32 Version: 0.96 - Etron Technology) Hidden
Fraps (remove only) (HKLM-x32\...\Fraps) (Version:  - )
Glyph (HKLM-x32\...\Glyph) (Version:  - Trion Worlds, Inc.)
GoPro Studio 2.5.1 (HKLM-x32\...\GoPro Studio) (Version: 2.5.1 - GoPro, Inc.)
HitmanPro 3.7 (HKLM\...\HitmanPro37) (Version: 3.7.9.225 - SurfRight B.V.)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 7.0.0.1144 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2372 - Intel Corporation)
iTunes (HKLM\...\{F46AA0F1-E284-4878-A462-5F11B9166C0E}) (Version: 11.4.0.18 - Apple Inc.)
Junk Mail filter update (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Logitech Gaming Software 8.53 (HKLM\...\Logitech Gaming Software) (Version: 8.53.154 - Logitech Inc.)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
marvell 91xx driver (HKLM-x32\...\MagniDriver) (Version: 1.2.0.1003 - Marvell)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft OneDrive (HKCU\...\OneDriveSetup.exe) (Version: 17.3.1171.0714 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{071c9b48-7c32-4621-a0ac-3f809523288f}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 32.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 32.0.3 (x86 en-US)) (Version: 32.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
MSVCRT110_amd64 (Version: 16.4.1109.0912 - Microsoft) Hidden
Norton Internet Security (HKLM-x32\...\NIS) (Version: 18.7.2.3 - Symantec Corporation)
NVIDIA 3D Vision Controller Driver 327.23 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 327.23 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 327.23 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 327.23 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.1 - NVIDIA Corporation)
NVIDIA Graphics Driver 327.23 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 327.23 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.26.4 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.26.4 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.0725 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.0725 - NVIDIA Corporation)
Open Broadcaster Software (HKLM-x32\...\Open Broadcaster Software) (Version:  - )
Outils de vérification linguistique 2013 de Microsoft Office - Français (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
Overwolf (HKLM-x32\...\Overwolf) (Version: 0.81.34.0 - Overwolf Ltd.)
Overwolf.Setup.VC100CRTx64.Dist (HKLM\...\{EC9D5554-6852-4A55-81BB-AC02C7A8CFED}) (Version: 1.0.0 - Overwolf)
Overwolf.Setup.VC100CRTx86.Dist (x32 Version: 1.0.0 - Overwolf) Hidden
Photo Common (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Photo Gallery (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
RAR File Open Knife - Free Opener (HKLM-x32\...\RAR File Open Knife - Free Opener) (Version: 3.50 - Philipp Winterberg)
Razer Core (HKLM-x32\...\Razer Core) (Version: 1.0.1.66 - Razer Inc)
Razer Synapse 2.0 (HKLM-x32\...\{0D78BEE2-F8FF-4498-AF1A-3FF81CED8AC6}) (Version: 1.18.15.20888 - Razer Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6392 - Realtek Semiconductor Corp.)
Service Pack 1 for Microsoft Office 2013 (KB2850036) 64-Bit Edition (HKLM\...\{90150000-0011-0000-1000-0000000FF1CE}_Office15.PROPLUS_{D82063A8-7C8C-4C3B-A9BB-95138CA55D26}) (Version:  - Microsoft)
Service Pack 1 for Microsoft Office 2013 (KB2850036) 64-Bit Edition (Version:  - Microsoft) Hidden
SHIELD Streaming (Version: 2.1.214 - NVIDIA Corporation) Hidden
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.14 - TeamSpeak Systems GmbH)
THX TruStudio (HKLM-x32\...\{AFB907F5-C0E6-4753-8284-DE955EF86AC2}) (Version: 1.00.01 - Creative Technology Limited)
VIRTU 1.2.103 (HKLM\...\VIRTU_is1) (Version: 1.2.103 - Lucidlogix Technologies LTD)
WildStar (HKLM-x32\...\WildStar) (Version:  - NCSOFT)
Windows Driver Package - GoPro (WinUSB) Universal Serial Bus devices  (03/07/2012 ) (HKLM\...\0B624A43DD66DBF5CF3EDFA9741A364E688062A4) (Version: 03/07/2012  - GoPro)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version:  - Blizzard Entertainment)
XFast LAN v6.61 (HKLM\...\XFast LAN) (Version: 6.61 - cFos Software GmbH, Bonn)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{4dc29fec-004b-4728-b4be-22186514ae1f}\InprocServer32 -> E:\Windows\system32\dfshim.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> E:\Users\Adrock\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> E:\Users\Adrock\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> E:\Users\Adrock\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> E:\Users\Adrock\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\SkyDriveShell64.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> E:\Users\Adrock\AppData\Local\Microsoft\SkyDrive\17.3.1171.0714\amd64\FileSyncApi64.dll (Microsoft Corporation)

==================== Restore Points  =========================

29-10-2014 01:41:54 Windows Update
29-10-2014 02:27:18 Checkpoint by HitmanPro
29-10-2014 02:27:50 Checkpoint by HitmanPro
29-10-2014 02:40:01 Windows Modules Installer
29-10-2014 02:57:35 PerforMax Cleaner
29-10-2014 17:03:29 Windows Modules Installer

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2014-10-28 23:25 - 00000027 ____A E:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {0A3CF7C2-AE15-4A6C-B6BE-358DDA2D5248} - System32\Tasks\AutoKMS => E:\Windows\AutoKMS\AutoKMS.exe [2014-08-18] ()
Task: {2ADAD3C5-A01D-414F-9019-9EDA54C38B7F} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => E:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [2014-01-23] (Microsoft Corporation)
Task: {4874E7CD-BEA0-4C58-B4B5-85389FAF652A} - \{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54} No Task File <==== ATTENTION
Task: {635101A6-B367-4BB6-8C8C-45BA9EE4DCAA} - System32\Tasks\Symantec\Norton Error Processor 18.7.2.3 => E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\SymErr.exe [2012-06-07] (Symantec Corporation)
Task: {688281A8-1773-4871-9ACD-131E5B3D1876} - System32\Tasks\Adobe Flash Player Updater => E:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2014-09-24] (Adobe Systems Incorporated)
Task: {6BBFA251-87F1-4933-AA48-574AC9EB64F2} - System32\Tasks\AdobeAAMUpdater-1.0-Adrock-PC-Adrock => E:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [2014-02-27] (Adobe Systems Incorporated)
Task: {6E286407-7FF3-45BC-9749-C712970CF9A1} - \Optimum_LogOn No Task File <==== ATTENTION
Task: {73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9} - \Optimum_Daily No Task File <==== ATTENTION
Task: {9B38182C-D6F0-4998-82F7-47C657B087C8} - System32\Tasks\Symantec\Norton Error Analyzer 18.7.2.3 => E:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\SymErr.exe [2012-06-07] (Symantec Corporation)
Task: {9E071934-0DC3-43EC-85D1-BC751247C663} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => E:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {C2FDD66F-9CE9-4ED5-A15D-087BA563CE05} - System32\Tasks\Overwolf Updater Task => E:\Program Files (x86)\Overwolf\OverwolfUpdater.exe [2014-10-22] (Overwolf LTD)
Task: {E78CB3EF-2B8D-4FF3-B433-C2884F8699B9} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => E:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {FDDC9E2F-8E38-42C3-A704-0438F556A757} - \{41231E14-1381-2BF7-572D-A21C6C393D14} No Task File <==== ATTENTION
Task: E:\Windows\Tasks\Adobe Flash Player Updater.job => E:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Loaded Modules (whitelisted) =============

2014-05-23 21:10 - 2013-09-12 03:25 - 00097568 _____ () E:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2014-07-16 11:06 - 2014-07-16 11:06 - 00672416 _____ () E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CoreSync\CoreSync_x64.dll
2014-09-16 13:52 - 2014-09-16 13:52 - 08896160 _____ () E:\Program Files\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2014-05-23 20:52 - 2011-04-14 22:16 - 00094208 _____ () E:\Windows\System32\IccLibDll_x64.dll
2014-05-23 20:59 - 2011-05-19 09:58 - 00246784 _____ () E:\Windows\SYSTEM32\APOMgr64.DLL
2014-02-11 14:21 - 2014-02-11 14:21 - 00860160 _____ () E:\Program Files\Logitech Gaming Software\libGLESv2.dll
2014-02-11 14:22 - 2014-02-11 14:22 - 01043968 _____ () E:\Program Files\Logitech Gaming Software\platforms\qwindows.dll
2014-02-11 14:21 - 2014-02-11 14:21 - 00052736 _____ () E:\Program Files\Logitech Gaming Software\libEGL.dll
2014-02-11 14:22 - 2014-02-11 14:22 - 00236032 _____ () E:\Program Files\Logitech Gaming Software\imageformats\qjpeg.dll
2014-10-22 05:25 - 2014-10-22 05:25 - 00077088 _____ () E:\Program Files (x86)\Overwolf\0.81.34.0\OverwolfBrowser.exe
2014-07-31 12:16 - 2014-07-31 12:16 - 00073544 _____ () E:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-07-31 12:16 - 2014-07-31 12:16 - 01044776 _____ () E:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-10-22 05:23 - 2014-10-22 05:23 - 00025600 _____ () E:\Program Files (x86)\Overwolf\0.81.34.0\CoreAudioApi.dll
2014-10-22 05:23 - 2014-10-22 05:23 - 38713856 _____ () E:\Program Files (x86)\Overwolf\0.81.34.0\libcef.DLL
2014-10-08 18:22 - 2014-10-08 18:22 - 01795584 _____ () E:\Program Files (x86)\GoPro\Tools\Importer\GPSDKAnalyticsNet.dll
2014-07-03 06:45 - 2014-07-03 06:45 - 32733056 _____ () E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CEF\libcef.dll
2014-07-03 06:45 - 2014-07-03 06:45 - 00742784 _____ () E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CEF\libglesv2.dll
2014-07-03 06:45 - 2014-07-03 06:45 - 00136576 _____ () E:\Program Files (x86)\Adobe\Adobe Creative Cloud\CEF\libegl.dll
2014-09-24 17:21 - 2014-09-24 17:21 - 03715184 _____ () E:\Program Files (x86)\Mozilla Firefox\mozjs.dll
2014-09-16 13:53 - 2014-09-16 13:53 - 08896160 _____ () E:\Program Files (x86)\Microsoft Office\Office15\1033\GrooveIntlResource.dll
2014-10-22 05:23 - 2014-10-22 05:23 - 00514528 _____ () E:\Program Files (x86)\Overwolf\0.81.34.0\libglesv2.dll
2014-10-22 05:23 - 2014-10-22 05:23 - 00105952 _____ () E:\Program Files (x86)\Overwolf\0.81.34.0\libegl.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: E:^Users^Adrock^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^CurseClientStartup.ccip => E:\Windows\pss\CurseClientStartup.ccip.Startup

========================= Accounts: ==========================

Administrator (S-1-5-21-2622789366-4104432293-3959885506-500 - Administrator - Disabled)
Adrock (S-1-5-21-2622789366-4104432293-3959885506-1000 - Administrator - Enabled) => E:\Users\Adrock
Guest (S-1-5-21-2622789366-4104432293-3959885506-501 - Limited - Disabled)

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (10/29/2014 01:45:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/29/2014 01:36:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: FRST64.exe, version: 29.10.2014.1, time stamp: 0x5450fbd1
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521eaf24
Exception code: 0xc00000fd
Fault offset: 0x0000000000057020
Faulting process id: 0x3528
Faulting application start time: 0xFRST64.exe0
Faulting application path: FRST64.exe1
Faulting module path: FRST64.exe2
Report Id: FRST64.exe3

Error: (10/29/2014 00:43:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc100
Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7
Exception code: 0xc0000374
Fault offset: 0x000ce753
Faulting process id: 0x10e4
Faulting application start time: 0xsvchost.exe0
Faulting application path: svchost.exe1
Faulting module path: svchost.exe2
Report Id: svchost.exe3

Error: (10/29/2014 00:35:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 32.0.3.5379, time stamp: 0x54224e6b
Faulting module name: mozalloc.dll, version: 32.0.3.5379, time stamp: 0x54221b67
Exception code: 0x80000003
Fault offset: 0x0000141b
Faulting process id: 0xbf8
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: Volume Shadow Copy Service information: The COM Server with CLSID {e579ab5f-1cc4-44b4-bed9-de0991ff0623} and name Coordinator cannot be started. [0x80070005, Access is denied.
]

Error: (10/29/2014 00:20:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/29/2014 07:31:19 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


System errors:
=============
Error: (10/29/2014 01:44:19 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {F9717507-6651-4EDB-BFF7-AE615179BCCF}

Error: (10/29/2014 01:36:56 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
%%1056

Error: (10/29/2014 01:36:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (10/29/2014 01:36:26 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The iPod Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/29/2014 01:36:26 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel® Management and Security Application User Notification Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/29/2014 01:36:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (10/29/2014 01:36:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Intel® Management and Security Application Local Management Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (10/29/2014 01:36:26 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Live ID Sign-in Assistant service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 10000 milliseconds: Restart the service.

Error: (10/29/2014 01:36:26 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Razer Overlay Subsystem Emergency Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (10/29/2014 01:36:26 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The NVIDIA Streamer Service service terminated unexpectedly.  It has done this 1 time(s).


Microsoft Office Sessions:
=========================
Error: (10/29/2014 01:45:53 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/29/2014 01:36:53 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: FRST64.exe29.10.2014.15450fbd1ntdll.dll6.1.7601.18247521eaf24c00000fd0000000000057020352801cff39edc0eb2c9E:\Users\Adrock\Downloads\FRST64.exeE:\Windows\SYSTEM32\ntdll.dll2b17ca13-5f92-11e4-be74-002522fcd522

Error: (10/29/2014 00:43:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: svchost.exe6.1.7600.163854a5bc100ntdll.dll6.1.7601.18247521ea8e7c0000374000ce75310e401cff394775a4677E:\Windows\syswow64\svchost.exeE:\Windows\SysWOW64\ntdll.dllc143163c-5f8a-11e4-be74-002522fcd522

Error: (10/29/2014 00:35:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: plugin-container.exe32.0.3.537954224e6bmozalloc.dll32.0.3.537954221b67800000030000141bbf801cff3954e38dcf5E:\Program Files (x86)\Mozilla Firefox\plugin-container.exeE:\Program Files (x86)\Mozilla Firefox\mozalloc.dll8eee76b9-5f89-11e4-be74-002522fcd522

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (10/29/2014 00:22:00 PM) (Source: VSS) (EventID: 13) (User: )
Description: {e579ab5f-1cc4-44b4-bed9-de0991ff0623}Coordinator0x80070005, Access is denied.

Error: (10/29/2014 00:20:05 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (10/29/2014 07:31:19 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003


CodeIntegrity Errors:
===================================
  Date: 2014-10-28 23:25:05.222
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2014-10-28 23:25:05.185
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ i7-2600 CPU @ 3.40GHz
Percentage of memory in use: 15%
Total physical RAM: 16384 MB
Available physical RAM: 13866.9 MB
Total Pagefile: 32766.18 MB
Available Pagefile: 29938.8 MB
Total Virtual: 8192 MB
Available Virtual: 8191.83 MB

==================== Drives ================================

Drive c: (Storage) (Fixed) (Total:931.41 GB) (Free:366.03 GB) NTFS
Drive d: (SPORTY_S_IFR_VOLUME_1) (CDROM) (Total:1.88 GB) (Free:0 GB) UDF
Drive e: (New Volume) (Fixed) (Total:232.88 GB) (Free:81 GB) NTFS
Drive f: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 52BAA78A)
Partition 1: (Not Active) - (Size=232.9 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: A4B553FB)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931.4 GB) - (Type=07 NTFS)

==================== End Of Log ============================
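The CustomCLSID line that FRST tagged "<==== Poweliks?" in the log above is the shape this whole thread turns on: a COM class registered in the user's own hive whose LocalServer32 launch command is rundll32.exe handed a javascript: URI, rather than a path to a program. As an added example (not FRST's code and not anything posted in this thread), here is a small Python triage check that parses FRST CustomCLSID lines and flags that shape. The three sample lines are constructed to mirror the log format: the SID is a placeholder, the paths are illustrative, and the obfuscated payload is elided; the heuristics are assumptions drawn from the pattern in the log, not an FRST feature.

```python
"""Flag Poweliks-style CLSID hijacks in FRST "CustomCLSID" log lines.

Added illustration for this thread; not part of FRST and not code from any
poster. The line format mirrors the FRST log quoted above. SAMPLE_LOG is
constructed: the SID is a placeholder and the obfuscated payload is elided.
"""
import re

# FRST prints each entry as:
#   CustomCLSID: <hive>\...\CLSID\{<clsid>}\<InprocServer32|LocalServer32> -> <value>
CLSID_LINE = re.compile(
    r"^CustomCLSID:\s+(?P<key>.+?\\CLSID\\\{(?P<clsid>[0-9A-Fa-f-]+)\}\\"
    r"(?P<server>InprocServer32|LocalServer32))\s+->\s+(?P<value>.*)$",
    re.IGNORECASE,
)

# Heuristics (assumptions based on the pattern seen in the log, not an FRST feature):
# a legitimate LocalServer32 names an executable; Poweliks instead names a script
# host and hands it a javascript: URI that bootstraps more script from the registry.
SCRIPT_HOST = re.compile(r"\b(rundll32|mshta|wscript|cscript|powershell)(\.exe)?\b", re.I)
SCRIPT_URI = re.compile(r"\b(javascript|vbscript):", re.I)
TRUNCATION_MARK = "more characters"   # FRST's marker for registry data it cut short


def parse_custom_clsid(line):
    """Parse one FRST CustomCLSID line; return a dict, or None if it is not one."""
    m = CLSID_LINE.match(line.strip())
    if not m:
        return None
    return {
        "clsid": m["clsid"],
        "server": m["server"].lower(),
        "value": m["value"].strip(),
    }


def classify(entry):
    """Return the reasons an entry looks suspicious (empty list = nothing odd)."""
    reasons = []
    value = entry["value"]
    if entry["server"] == "localserver32" and SCRIPT_HOST.search(value):
        reasons.append("LocalServer32 launches a script host, not a COM server binary")
    if SCRIPT_URI.search(value):
        reasons.append("launch command embeds a javascript:/vbscript: URI")
    if "RunHTMLApplication" in value:
        reasons.append("uses mshtml RunHTMLApplication to run script without a file")
    if TRUNCATION_MARK in value:
        reasons.append("registry data was long enough for FRST to truncate it")
    return reasons


def scan_frst_log(text):
    """Walk an FRST log and return [(clsid, [reasons...])] for suspicious entries."""
    findings = []
    for line in text.splitlines():
        entry = parse_custom_clsid(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["clsid"], reasons))
    return findings


# Constructed sample mirroring the FRST format above (placeholder SID, payload elided).
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-1111111111-2222222222-3333333333-1000_Classes\CLSID\{4dc29fec-004b-4728-b4be-22186514ae1f}\InprocServer32 -> C:\Windows\system32\dfshim.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-1111111111-2222222222-3333333333-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("<obfuscated script elided>") (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-1111111111-2222222222-3333333333-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\user\AppData\Local\Microsoft\SkyDrive\amd64\FileSyncApi64.dll (Microsoft Corporation)
"""

if __name__ == "__main__":
    for clsid, reasons in scan_frst_log(SAMPLE_LOG):
        print("{" + clsid + "}")
        for r in reasons:
            print("  -", r)
```

Only the LocalServer32 entry is reported; the two InprocServer32 entries that point at signed DLLs produce no reasons. A hit is a triage signal for a helper to look at, which is exactly what the fixlist in the next posts acts on; the script itself changes nothing on the machine.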



#7 B-boy/StyLe/ (Bleepin' Freestyler, Malware Response Team, Bulgaria)

Posted 29 October 2014 - 01:09 PM

Hi,

Ok, let's try again:

First please temporarily disable:

Norton Internet Security
Windows Defender
Malwarebytes Anti-Malware

Next please download the following file => [attachment=156929:fixlist.txt] and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.

Regards,

Georgi



#8 wrxutec (Topic Starter)

Posted 29 October 2014 - 01:17 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-10-2014 01
Ran by Adrock at 2014-10-29 14:14:17 Run:2
Running from E:\Users\Adrock\Downloads
Loaded Profile: Adrock (Available profiles: Adrock)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
listpermissions: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software
listpermissions: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID
listpermissions: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
deletekey: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32
deletekey: HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}
2014-10-26 23:22 - 2014-10-26 23:22 - 00000000 _____ () E:\Windows\system32\aaurjv.dll
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54}
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6E286407-7FF3-45BC-9749-C712970CF9A1}
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6E286407-7FF3-45BC-9749-C712970CF9A1}
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_LogOn
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_Daily
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FDDC9E2F-8E38-42C3-A704-0438F556A757}
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDDC9E2F-8E38-42C3-A704-0438F556A757}
ListPermissions: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{41231E14-1381-2BF7-572D-A21C6C393D14}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6E286407-7FF3-45BC-9749-C712970CF9A1}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6E286407-7FF3-45BC-9749-C712970CF9A1}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_LogOn
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_Daily
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FDDC9E2F-8E38-42C3-A704-0438F556A757}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDDC9E2F-8E38-42C3-A704-0438F556A757}
Unlock: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{41231E14-1381-2BF7-572D-A21C6C393D14}
Task: {4874E7CD-BEA0-4C58-B4B5-85389FAF652A} - \{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54} No Task File <==== ATTENTION
Task: {6E286407-7FF3-45BC-9749-C712970CF9A1} - \Optimum_LogOn No Task File <==== ATTENTION
Task: {73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9} - \Optimum_Daily No Task File <==== ATTENTION
Task: {FDDC9E2F-8E38-42C3-A704-0438F556A757} - \{41231E14-1381-2BF7-572D-A21C6C393D14} No Task File <==== ATTENTION
Reboot:
end
*****************

===================================
Permissions for "HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software":

Owner: BUILTIN\Administrators

DACL(NP):

Adrock-PC\Adrock    ALLOW    FULL    (OI-CI-I)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI-I)
BUILTIN\Administrators    ALLOW    FULL    (OI-CI-I)
NT AUTHORITY\RESTRICTED    ALLOW    READ    (OI-CI-I)

===================================
===================================
Permissions for "HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID":

Owner: BUILTIN\Administrators

DACL(PAI):

BUILTIN\Administrators    ALLOW    FULL    (NI)
BUILTIN\Administrators    ALLOW    FULL    (OI-CI-IO)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (NI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI-IO)
BUILTIN\Users    ALLOW    READ    (NI)
BUILTIN\Users    ALLOW    READ    (OI-CI-IO)

===================================
===================================
Permissions for "HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}":

Owner: BUILTIN\Administrators

DACL(PAI):

BUILTIN\Administrators    ALLOW    FULL    (NI)
BUILTIN\Administrators    ALLOW    FULL    (OI-CI-IO)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (NI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI-IO)
BUILTIN\Users    ALLOW    READ    (NI)
BUILTIN\Users    ALLOW    READ    (OI-CI-IO)

===================================
"HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 => Key not found.
HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
E:\Windows\system32\aaurjv.dll => Moved successfully.
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54}":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6E286407-7FF3-45BC-9749-C712970CF9A1}":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6E286407-7FF3-45BC-9749-C712970CF9A1}":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_LogOn":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_Daily":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FDDC9E2F-8E38-42C3-A704-0438F556A757}":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDDC9E2F-8E38-42C3-A704-0438F556A757}":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
===================================
Permissions for "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{41231E14-1381-2BF7-572D-A21C6C393D14}":

Owner: NT AUTHORITY\SYSTEM

DACL(P):

BUILTIN\Administrators    ALLOW    QUERY+EnumSubKey+NOTIFY+DELETE+READ    (OI-CI)
NT AUTHORITY\SYSTEM    ALLOW    FULL    (OI-CI)

===================================
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54}" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6E286407-7FF3-45BC-9749-C712970CF9A1}" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6E286407-7FF3-45BC-9749-C712970CF9A1}" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_LogOn" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_Daily" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FDDC9E2F-8E38-42C3-A704-0438F556A757}" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDDC9E2F-8E38-42C3-A704-0438F556A757}" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{41231E14-1381-2BF7-572D-A21C6C393D14}" => Key unlocked successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4874E7CD-BEA0-4C58-B4B5-85389FAF652A}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{DE1C998D-C6AB-B86A-DFF7-9BFEC8AFDF54}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6E286407-7FF3-45BC-9749-C712970CF9A1}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6E286407-7FF3-45BC-9749-C712970CF9A1}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_LogOn" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73AFF5A1-6FE9-4DF4-A953-80E72AACDEF9}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Optimum_Daily" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FDDC9E2F-8E38-42C3-A704-0438F556A757}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FDDC9E2F-8E38-42C3-A704-0438F556A757}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{41231E14-1381-2BF7-572D-A21C6C393D14}" => Key deleted successfully.


The system needed a reboot.

==== End of Fixlog ====


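The Fixlog above records the two persistence artifacts that had to be removed: a per-user COM CLSID whose localserver32 value runs rundll32.exe with a javascript: URL (the Poweliks pattern FRST flagged) and four TaskCache entries that FRST reported as having no task file. The PowerShell below is an added, read-only hunt for both on a live system; it is example code written for this page, not FRST's logic and not anything the poster or the helper ran. It assumes an elevated prompt and PowerShell 3.0 or later. The decoder step rests on one observation from the visible fragment rather than on anything the thread states: every character of the eval() string is one code point above the real one, so "epdvnfou/xsjuf" reads as "document.write" and the 38 characters shown on the page decode to document.write('<script language=jscr; the remaining 239 characters are truncated in the log and are not reconstructed here. The function names and the regular expression are my own.

```powershell
# Added example for this thread: not FRST's code and not anything the poster ran.
# Read-only hunt for the two persistence artifacts the Fixlog above removed:
#   (1) a COM CLSID whose LocalServer32 launches rundll32.exe with a javascript: URL
#   (2) scheduled tasks registered in TaskCache but with no task file on disk
# Assumes an elevated prompt and PowerShell 3.0 or later. Nothing here writes
# to the registry; review the output, then remove with a tool you trust.

# (0) Decode the obfuscated fragment quoted in the Fixlog. Assumption taken
#     from the visible data only: every character of the eval() string sits one
#     code point above the real one ("epdvnfou/xsjuf" -> "document.write").
function ConvertFrom-ShiftedString {
    param([Parameter(Mandatory = $true)][string]$Text, [int]$Shift = 1)
    -join ($Text.ToCharArray() | ForEach-Object { [char]([int]$_ - $Shift) })
}

# (1) CLSID\LocalServer32 default values that hand a script to rundll32.exe
#     or start an HTA through mshtml. The pattern is mine; it matches the
#     command FRST flagged ("rundll32.exe javascript:...mshtml,RunHTMLApplication").
function Find-ScriptLocalServer32 {
    $pattern = 'rundll32(\.exe)?\s+(javascript|vbscript):|mshtml\s*,\s*RunHTMLApplication'
    $roots = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID')
    # Every loaded user hive; FRST found the entry under HKU\<SID>\Software\Classes.
    foreach ($hive in (Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
        $roots += "$($hive.PSPath)\Software\Classes\CLSID"
    }
    foreach ($root in $roots) {
        Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
            $ls = "$($_.PSPath)\LocalServer32"
            if (-not (Test-Path -LiteralPath $ls)) { return }   # no local server, next CLSID
            $cmd = (Get-ItemProperty -LiteralPath $ls -ErrorAction SilentlyContinue).'(default)'
            if ($cmd -and ($cmd -match $pattern)) {
                [pscustomobject]@{
                    Finding = 'LocalServer32 runs a script host'
                    Key     = $ls -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                    Command = $cmd
                }
            }
        }
    }
}

# (2) TaskCache\Tree nodes whose task XML is missing under System32\Tasks,
#     which is what FRST reports as "No Task File". A task node carries an Id
#     GUID; TaskCache\Tasks\{Id}\Path names the XML file relative to the Tasks dir.
function Find-TaskWithoutFile {
    $cache   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
    $taskDir = Join-Path $env:SystemRoot 'System32\Tasks'
    Get-ChildItem -LiteralPath "$cache\Tree" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $id = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).Id
        if (-not $id) { return }
        $task = Get-ItemProperty -LiteralPath "$cache\Tasks\$id" -ErrorAction SilentlyContinue
        # Fall back to the Tree position when Tasks\{Id} itself is gone.
        $relPath = if ($task -and $task.Path) { $task.Path } else { $_.Name -replace '^.*\\Tree', '' }
        $file = Join-Path $taskDir ($relPath.TrimStart('\'))
        if (-not (Test-Path -LiteralPath $file)) {
            $tasksKeyState = if ($task) { 'present' } else { 'missing' }
            [pscustomobject]@{
                Finding  = 'Task registered without task file'
                Id       = $id
                Path     = $relPath
                Expected = $file
                TasksKey = $tasksKeyState
            }
        }
    }
}

# Run it. The fragment is copied verbatim from the Fixlog line above.
$fragment = 'epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds'
'Decoded Fixlog fragment: ' + (ConvertFrom-ShiftedString -Text $fragment)
Find-ScriptLocalServer32 | Format-List
Find-TaskWithoutFile     | Format-List
```

Folders in TaskCache\Tree map to real directories under System32\Tasks, so they pass the file check and are not reported; only entries like the four Optimum/GUID tasks in the Fixlog, whose XML is gone but whose registry records remain, come back. A hit from the first function is worth treating as live persistence even if the CLSID looks legitimate, because the command line, not the GUID, is what runs.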

#9 B-boy/StyLe/ (Malware Response Team)

Posted 29 October 2014 - 01:25 PM

Good,

The script worked as it should now.

Can you please temporarily disable Norton, Windows Defender and MBAM real-time protection again. Check here how (if you don't know how to do it):

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Then go to C:\FRST\Quarantine and right click on the folder, select Send to > Compressed (zipped) folder; that will make a zipped copy of this folder.

Then please upload it to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so we can examine the files and submit them to antivirus companies if needed.
After that please delete the zip file you just created and re-enable Norton and MBAM. (Windows Defender is pretty useless unfortunately and you can keep it disabled to save system resources and avoid conflicts)...

Next I want to make sure there is nothing lurking on the system, so just in case I want you to go through these steps:

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

STEP 1

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

STEP 2

  • Please download RogueKillerX64.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 3

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

STEP 4

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mbam-setup-2.0.3.1025.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

STEP 5

1. Please download HitmanPro.

  • For 32-bit Operating System: [download link]
  • This is the mirror: [download link]
  • For 64-bit Operating System: [download link]
  • This is the mirror: [download link]

2. Launch the program by double clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run, then please open the program while holding down the left CTRL key until the program is loaded.

3. Click on the next button. You must agree with the terms of the EULA. (if asked)

4. Check the box beside "No, I only want to perform a one-time scan to check this computer".

5. Click on the next button.

6. The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7. When the scan is done click on the drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8. Click on the next button.

9. Click on the "Save Log" button.

10. Save that file to your desktop and post the content of that file in your next reply.

Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro.

Navigate to C:\ProgramData\HitmanPro\Logs, open the report and copy and paste it in your next reply.

 

 

That's it for now. :)

Regards,

Georgi



#10 wrxutec (Topic Starter)

Posted 29 October 2014 - 05:40 PM

1.) RKill: It wouldn't let me create a zip folder due to certain characters

Rkill 2.6.8 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/29/2014 06:27:38 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

2.) Roguekiller : http://pastebin.com/qYQWD91e

3.) TDSSKiller :  http://pastebin.com/4Qy6iQYi

4.) Malwarebytes Anti-Malware:


www.malwarebytes.org

Scan Date: 10/29/2014
Scan Time: 6:06:11 PM
Logfile:
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.29.08
Rootkit Database: v2014.10.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Adrock

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 333109
Time Elapsed: 6 min, 28 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.InstallCore.A, HKU\S-1-5-21-2622789366-4104432293-3959885506-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE\1I1T1Q1S, Quarantined, [f8c920f7275543f360d1d38bb053d42c],
PUP.Optional.InstallCore.A, HKU\S-1-5-21-2622789366-4104432293-3959885506-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE, Quarantined, [f9c817007903e353cda880f435cfc23e],

Registry Values: 1
PUP.Optional.InstallCore.A, HKU\S-1-5-21-2622789366-4104432293-3959885506-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE|tb, 0K1J1I0F1H1D, Quarantined, [f9c817007903e353cda880f435cfc23e]

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],

Files: 37
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav-groups, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\favs##484b0977b27f4180be461716b3fd87b1, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\favs##a17ff6839bc4dbde901adc0cf162c0a7, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\favs##d27b77d96a875327ad2c2460c1aa60f8, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\9c2216e75d94ca44414b5dea6129e6cb, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\002d79e4fda9ad56245ddfd67f85b41c, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\039a114649c1921391e702edff23e39f, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\075de245d12dc1afd2c21da1608387fd, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\093582edda8686419c1aee1dfca59408, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\0c7f2c675c25cd6dd122955909cd1958, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\1cf7ecd24c253ee13a067e893d261554, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\1e95d9e96ba901d34e8bd0a4ad57f672, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\239dd24d7eb94903a7c40ef9f0baf7dc, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\66aba5cf99d6dd6aacbb0c452ff8ea1a, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\788e6873725298c993787bb21664e3f4, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\856ffaf288fbc983527f2153d0d53e55, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\8a7a7c9172972dd469777e3e0e489904, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\8a86a986c121a0c7cad91a916ea5c33d, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\8e50141e1f923b27123cca680a186592, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\965bebb178f1be09d673ff515f94ccb7, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\993cdea6ebad67103534c70858ad8885, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\b94a88b0b26c1965dc05b310df85d89a, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\bf2e61a815741bdc629671fdd1b574d3, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\ce0604e91afbfa883c70ef67fed6f9b0, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\d127f3210267436b33ee0dfc2d80cf3a, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\d1afa18c9d25e54c0b55387b3e44494d, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\d31cba545834ace51e93d4f92d08e161, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\e168471c45adb279b042b611db1e63a4, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\26ee82ed6fda2fa3a4f72cba558f2991, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\36917648614cbd4b65e22b3e0e6f05c7, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\3dd324c172a87ab5ae419d6fab056b20, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\434e2ba484704e892125a70eba2e0c9c, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\4932c11066f78e6a2a63e56a8ec9d3fa, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\533b0a93d55011c6454e564923897329, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\54f03e56807cfd5d5c7d93793114763c, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\61fefd3a2cad877c75174220c8833195, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],
PUP.Optional.Astromenda.A, E:\Users\Adrock\AppData\Roaming\Mozilla\Firefox\Profiles\6yygbg8j.default\astrmndant\fav_thumbs\653d2cab2cbc6db5f6594c9f8c7fce38, Quarantined, [2f92b463c9b3d462cd9bd050976cad53],

Physical Sectors: 0
(No malicious items detected)


(end)

5.) Hitmanpro:

HitmanPro 3.7.9.232
www.hitmanpro.com

   Computer name . . . . : ADROCK-PC
   Windows . . . . . . . : 6.1.1.7601.X64/8
   User name . . . . . . : Adrock-PC\Adrock
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (30 days left)

   Scan date . . . . . . : 2014-10-29 18:19:55
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 2m 35s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 1
   Traces  . . . . . . . : 85

   Objects scanned . . . : 2,385,436
   Files scanned . . . . : 43,768
   Remnants scanned  . . : 1,146,839 files / 1,194,829 keys

Suspicious files ____________________________________________________________

   E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\msiexec.exe
      Size . . . . . . . : 549,888 bytes
      Age  . . . . . . . : 0.9 days (2014-10-28 20:11:34)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : 89C3BFC422CE75AD113EBBBA79513F772D5E0286A5C8FE55CA07F2CFF36ADF8F
      Fuzzy  . . . . . . : 28.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Program is impersonating a common Windows system file. This is typical for malware.
         The hidden file attribute bit is set. This is not common to most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\msiexec.exe
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
          0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
          0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
          0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\
          0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\msiexec.exe
          0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\
          0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\msiexec.exe
          0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\
          0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\msiexec.exe
          0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
          0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
          0.3s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\
          0.3s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\msiexec.exe

   E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\msiexec.exe
      Size . . . . . . . : 217,048 bytes
      Age  . . . . . . . : 0.9 days (2014-10-28 20:11:34)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : B9E76CACA3C9E5DE13B6A1BDA8DD7285F8F22B4E8B9C1C39134F07083045D5C4
      Fuzzy  . . . . . . : 24.0
         Program is impersonating a common Windows system file. This is typical for malware.
         The hidden file attribute bit is set. This is not common to most programs.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.3s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
         -0.3s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
         -0.3s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\msiexec.exe
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\msiexec.exe
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\msiexec.exe

   E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\msiexec.exe
      Size . . . . . . . : 217,048 bytes
      Age  . . . . . . . : 0.9 days (2014-10-28 20:11:34)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : B9E76CACA3C9E5DE13B6A1BDA8DD7285F8F22B4E8B9C1C39134F07083045D5C4
      Fuzzy  . . . . . . : 24.0
         Program is impersonating a common Windows system file. This is typical for malware.
         The hidden file attribute bit is set. This is not common to most programs.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
         -0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
         -0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\msiexec.exe
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\msiexec.exe
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\msiexec.exe
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\msiexec.exe

   E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
      Size . . . . . . . : 241,152 bytes
      Age  . . . . . . . : 0.9 days (2014-10-28 20:11:34)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : CB2135C373C2AA01ED6FD363143C9118C5C2905FB6BFC2FFE3D83710BB60D578
      Fuzzy  . . . . . . : 28.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Program is impersonating a common Windows system file. This is typical for malware.
         The hidden file attribute bit is set. This is not common to most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\msiexec.exe
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\msiexec.exe
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\msiexec.exe
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\msiexec.exe
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\msiexec.exe

   E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5D04FB7A-996B-4F07-8D2B-CFD7D174BD54}\msiexec.exe
      Size . . . . . . . : 250,368 bytes
      Age  . . . . . . . : 2.8 days (2014-10-26 23:22:24)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : 94CA3C721D209DCCC13423E548C367E83DDD4A3B1DDAB72BAACB2883AC467952
      Fuzzy  . . . . . . : 28.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Program is impersonating a common Windows system file. This is typical for malware.
         The hidden file attribute bit is set. This is not common to most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{D76C6806-D756-43BF-9B78-A003F5C48BA5}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5D04FB7A-996B-4F07-8D2B-CFD7D174BD54}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5D04FB7A-996B-4F07-8D2B-CFD7D174BD54}\msiexec.exe
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5D04FB7A-996B-4F07-8D2B-CFD7D174BD54}\msiexec.exe
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{21EA394B-11D3-451D-9489-71CFA7321DC2}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{21EA394B-11D3-451D-9489-71CFA7321DC2}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{EF7E8CC1-3926-4503-B7A0-057447CC9431}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{94DA92DC-472C-4FF2-AD55-62E3171B231A}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{94DA92DC-472C-4FF2-AD55-62E3171B231A}\msiexec.exe
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{BAFB43E8-B259-4CCA-88A4-EA96C1AA2B66}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{BAFB43E8-B259-4CCA-88A4-EA96C1AA2B66}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{BAFB43E8-B259-4CCA-88A4-EA96C1AA2B66}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{BAFB43E8-B259-4CCA-88A4-EA96C1AA2B66}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{BAFB43E8-B259-4CCA-88A4-EA96C1AA2B66}\

   E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\msiexec.exe
      Size . . . . . . . : 241,152 bytes
      Age  . . . . . . . : 0.9 days (2014-10-28 20:11:34)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : CB2135C373C2AA01ED6FD363143C9118C5C2905FB6BFC2FFE3D83710BB60D578
      Fuzzy  . . . . . . : 28.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Program is impersonating a common Windows system file. This is typical for malware.
         The hidden file attribute bit is set. This is not common to most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
         -0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
         -0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\msiexec.exe
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\msiexec.exe
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\msiexec.exe

   E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{94DA92DC-472C-4FF2-AD55-62E3171B231A}\msiexec.exe
      Size . . . . . . . : 250,368 bytes
      Age  . . . . . . . : 2.8 days (2014-10-26 23:22:24)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : 94CA3C721D209DCCC13423E548C367E83DDD4A3B1DDAB72BAACB2883AC467952
      Fuzzy  . . . . . . : 28.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Program is impersonating a common Windows system file. This is typical for malware.
         The hidden file attribute bit is set. This is not common to most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\
         -0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{D76C6806-D756-43BF-9B78-A003F5C48BA5}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5D04FB7A-996B-4F07-8D2B-CFD7D174BD54}\
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5D04FB7A-996B-4F07-8D2B-CFD7D174BD54}\msiexec.exe
         -0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5D04FB7A-996B-4F07-8D2B-CFD7D174BD54}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{21EA394B-11D3-451D-9489-71CFA7321DC2}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{21EA394B-11D3-451D-9489-71CFA7321DC2}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{EF7E8CC1-3926-4503-B7A0-057447CC9431}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{94DA92DC-472C-4FF2-AD55-62E3171B231A}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{94DA92DC-472C-4FF2-AD55-62E3171B231A}\msiexec.exe
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{BAFB43E8-B259-4CCA-88A4-EA96C1AA2B66}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{BAFB43E8-B259-4CCA-88A4-EA96C1AA2B66}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{BAFB43E8-B259-4CCA-88A4-EA96C1AA2B66}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{BAFB43E8-B259-4CCA-88A4-EA96C1AA2B66}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{BAFB43E8-B259-4CCA-88A4-EA96C1AA2B66}\

   E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\msiexec.exe
      Size . . . . . . . : 549,888 bytes
      Age  . . . . . . . : 0.9 days (2014-10-28 20:11:34)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : 89C3BFC422CE75AD113EBBBA79513F772D5E0286A5C8FE55CA07F2CFF36ADF8F
      Fuzzy  . . . . . . : 28.0
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Program is impersonating a common Windows system file. This is typical for malware.
         The hidden file attribute bit is set. This is not common to most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
         -0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\
         -0.2s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{293F3DE0-D7AE-431C-9BE8-0F1FFFCFD16C}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{552D1393-2CDF-4DB5-BF28-AE7DD27A75D0}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{9E53F1DB-B893-4B63-B034-723A60BF2389}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{5488318C-91EE-4190-927D-AFC033D57BF2}\msiexec.exe
         -0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{E2B29430-14E9-462B-AE70-7D30EFCB3E13}\msiexec.exe
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\
          0.0s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{7EC8CAE9-171F-4865-98EA-D4ED79CDEFC3}\msiexec.exe
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{23B75B09-2D6F-4378-9597-7FD587F08A17}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\
          0.1s E:\FRST\Quarantine\E\ProgramData\Windows Genuine Advantage\{3915AA7C-3270-49C1-A90A-6D36F62F87CB}\msiexec.exe

   E:\Users\Adrock\Downloads\FRST64.exe
      Size . . . . . . . : 2,113,536 bytes
      Age  . . . . . . . : 0.2 days (2014-10-29 12:38:30)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : 84B60C661DFE8CA3D7D94FB9F5915880788D870E30DB8EFFCE62DD32A8CC4C91
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      References
         HKU\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\E:\Users\Adrock\Downloads\FRST64.exe


Malware remnants ____________________________________________________________

   HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}\ (Jotzey)

Cookies _____________________________________________________________________

   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\2DXKNHIU.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\2H9B5Z9R.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\3D91OKZC.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\468401FR.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\4B85CSBD.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\5XGZKBG5.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\6S5P4YQ1.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\73WCICF3.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\7QUEMHPQ.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\849VIE18.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\C96PBI0D.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\CGE4S4J7.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\CKO4BYA6.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\CUAF2VNV.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\DAVCTO9X.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\EE9OY6D8.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\G274GSKU.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\GG5YBGKH.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\GZI633U9.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\I3X2YYKT.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\JBMDW2A3.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\KYA75HP2.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\LL50UVAY.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\M844NTVC.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\MCI49R9P.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\NKWHMS3Q.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\O0T6B850.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\PDFXW3YB.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\PQIU2OVX.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\Q0N61ZR2.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\Q8GJVALE.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\RYEJJ54G.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\SP9G6MDD.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\SZMWOLIB.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\TYUA5WHD.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\UKNVX1A7.txt
   E:\Users\Adrock\AppData\Roaming\Microsoft\Windows\Cookies\VI11D8E8.txt
 

#11 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:26 AM

Posted 30 October 2014 - 10:19 AM

Hello,

 

 

STEP 1

 

 

Please re-run RogueKiller.
Wait until Prescan has finished.
Click on Scan.
Now click the Registry tab and locate this:

[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_C_466C\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {43434304-b932-dcd7-8b46-d7d2c0933d9b} : "C:\ProgramData\Microsoft\{43434304-b932-dcd7-8b46-d7d2c0933d9b}\{43434304-b932-dcd7-8b46-d7d2c0933d9b}.exe"  -> Found

[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_C_466C\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {43434304-b932-dcd7-8b46-d7d2c0933d9b} : "C:\ProgramData\Microsoft\{43434304-b932-dcd7-8b46-d7d2c0933d9b}\{43434304-b932-dcd7-8b46-d7d2c0933d9b}.exe"  -> Found

[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_C_197E\ControlSet001\Services\CltMngSvc -> Found

[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_C_197E\ControlSet002\Services\CltMngSvc -> Found

[PUM.HomePage] (X64) HKEY_USERS\RK_Adam_ON_C_C743\Software\Microsoft\Internet Explorer\Main | Start Page :

[PUM.HomePage] (X86) HKEY_USERS\RK_Adam_ON_C_C743\Software\Microsoft\Internet Explorer\Main | Start Page :

Place a checkmark on them, leave the others unchecked.
Now press the Delete button.
If asked to restart the computer, please do so immediately.
When it is finished please post the new log in your next reply. The log can be found in C:\ProgramData\RogueKiller\Logs

ProgramData is hidden by default, so make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

 

 

 

STEP 2

 

 

Please download the following file => [attachment=156976:fixlist.txt] and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

 

STEP 3

 

 

 

  • Please download OTL from the link below:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • OTL should now start. Change the following settings:
    - Click on Scan All Users checkbox given at the top.
    - Under File Scans, change File age to 90
    - Change Standard Registry to All
    - Check the boxes beside LOP Check and Purity Check
  • Copy and paste the following code into the Custom Scans/Fixes textbox.
  • Don't copy the word "quote"

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.*
    %SYSTEMDRIVE%\*.
    %USERPROFILE%\*.*
    %USERPROFILE%\*.
    %USERPROFILE%\*.exe /s
    %USERPROFILE%\Documents\*.*
    %USERPROFILE%\Downloads\*.*
    %USERPROFILE%\AppData\Local\*.*
    %USERPROFILE%\AppData\Local\*.
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\*.*
    %USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\*.
    %USERPROFILE%\AppData\Roaming\*.*
    %USERPROFILE%\AppData\Roaming\*.
    %ProgramData%\*.*
    %ProgramData%\*.
    %programdata%\Microsoft\Windows\DRM\*.tmp
    %programdata%\Microsoft\DRM\*.tmp
    C:\Users\All Users\*.exe /s
    C:\Users\Default\*.exe /s
    C:\Users\Public\*.exe /s
    %CommonProgramFiles%\*.*
    %CommonProgramFiles%\*.
    %CommonProgramFiles%\ComObjects\*.*
    %ProgramFiles%\*.*
    %ProgramFiles%\*.
    %Public%\Documents\*.*
    %Public%\Documents\*.
    %Public%\Downloads\*.*
    %Public%\Downloads\*.
    %systemroot%\System32\config\systemprofile\*.exe /s
    %systemroot%\System32\config\systemprofile\*.*
    %systemroot%\System32\config\systemprofile\*.
    %systemroot%\system32\config\systemprofile\AppData\Local\*.*
    %systemroot%\system32\config\systemprofile\AppData\Local\*.
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\system32\config\systemprofile\AppData\Roaming\*.
    %systemroot%\SysWow64\config\systemprofile\*.exe /s
    %systemroot%\SysWow64\config\systemprofile\*.*
    %systemroot%\SysWow64\config\systemprofile\*.
    %systemroot%\SysWOW64\config\systemprofile\AppData\Local\*.*
    %systemroot%\SysWOW64\config\systemprofile\AppData\Local\*.
    %systemroot%\SysWOW64\config\systemprofile\AppData\Roaming\*.*
    %systemroot%\SysWOW64\config\systemprofile\AppData\Roaming\*.
    %systemroot%\ServiceProfiles\*.exe /s
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\*.*
    %systemroot%\ServiceProfiles\LocalService\AppData\Local\*.
    %systemroot%\ServiceProfiles\LocalService\AppData\Roaming\*.*
    %systemroot%\ServiceProfiles\LocalService\AppData\Roaming\*.
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\*.*
    %systemroot%\ServiceProfiles\NetworkService\AppData\Local\*.
    %systemroot%\ServiceProfiles\NetworkService\AppData\Roaming\*.*
    %systemroot%\ServiceProfiles\NetworkService\AppData\Roaming\*.
    %windir%\temp\*.*
    %windir%\temp\*.
    %windir%\*.
    %windir%\AppPatch\*.exe /s
    %windir%\ShellNew\*.*
    %windir%\installer\*.
    %windir%\system32\*.
    %windir%\sysnative\*.
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\syswow64\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\Tasks\*.job /60
    %systemroot%\system32\drivers\*.sys /60
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\syswow64\drivers\*.sys /60
    %systemroot%\syswow64\drivers\*.sys /lockedfiles
    %SYSTEMDRIVE%\*. /rp /s
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\temp\*.* /S /MD5
    %systemroot%\assembly\GAC\*.ini
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %SystemRoot%\assembly\GAC_MSIL\*.ini
    wsSystemRoot|l,n,u,@;True;False;True;$,{ /fn
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    HKEY_CLASSES_ROOT\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4} /s
    HKEY_CLASSES_ROOT\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
    HKEY_CLASSES_ROOT\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CLASSES_ROOT\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F} /s
    HKEY_CURRENT_USER\Software\Microsoft\Command Processor /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor /s
    HKCU\Software\Classes\CLSID\{ECD4FC4D-521C-11D0-B792-00A0C90312E1}\InprocServer32 /s
    HKLM\Software\Classes\CLSID\{E6BB64BE-0618-4353-9193-0AFE606D6F0C}\InprocServer32 /s
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scsimap /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BED3C-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{F12BE2CC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{212B3DCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{A12BEDCC-A901-4203-B4F2-ADCB957D1887} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188F} /s
    HKEY_CLASSES_ROOT\CLSID\{118BEDCA-A901-4203-B4F2-ADCB957D188B} /s
    HKEY_CLASSES_ROOT\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3543619C-D563-43f7-95EA-4DA7E1CC396A} /s
    HKEY_CURRENT_USER\Software\MSOLoad /s
    type C:\WINDOWS\system.ini >> test.txt /c
    /md5start
    consrv.dll
    services.exe
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    smss.exe
    fastfat.sys
    atapi.sys
    serial.sys
    volsnap.sys
    disk.sys
    i8042prt.sys
    afd.sys
    netbt.sys
    csc.sys
    tcpip.sys
    kbdclass.sys
    kbdhid.sys
    mouclass.sys
    mouhid.sys
    spldr.sys
    dfsc.sys
    hlp.dat
    str.sys
    cerxvx.ocx
    crexv.ocx
    msseedir.dll
    msdr.dll
    lmbd.dll
    wsse.dll
    intel.exe
    WService.dll
    /md5stop

  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

 

 

It wouldn't let me create a zip folder due to certain characters.

 

If you are an inexperienced user, then please skip the steps below.

 

Then please open the folder C:\FRST\Quarantine and press Ctrl + F. Type in aaurjv.dll and then please upload it to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so I can examine the files and submit them to antivirus companies if needed.

 

Please include the following files and folders in the archive: (but don't start them)

 

uoslj.dll
099bc31.exe
Wufiypel
Afylexp
Udtaessy
VadiLqula
nTXfSemo
Windows Genuine Advantage

Then delete the zip file you just created but don't delete the C:\FRST\Quarantine folder yet. We will delete it at the end of the cleaning process.

 

 

Regards,

Georgi




#12 wrxutec

wrxutec
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 30 October 2014 - 05:32 PM

Step 1:
RogueKiller V10.0.4.0 (x64) [Oct 29 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Adrock [Administrator]
Mode : Delete -- Date : 10/30/2014  18:30:53

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 36 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_C_8773\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {43434304-b932-dcd7-8b46-d7d2c0933d9b} : "C:\ProgramData\Microsoft\{43434304-b932-dcd7-8b46-d7d2c0933d9b}\{43434304-b932-dcd7-8b46-d7d2c0933d9b}.exe" [x] -> Deleted
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_C_8773\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {43434304-b932-dcd7-8b46-d7d2c0933d9b} : "C:\ProgramData\Microsoft\{43434304-b932-dcd7-8b46-d7d2c0933d9b}\{43434304-b932-dcd7-8b46-d7d2c0933d9b}.exe"  -> ERROR [2]
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_C_3280\ControlSet001\Services\CltMngSvc -> Deleted
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_C_3280\ControlSet002\Services\CltMngSvc -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X64) HKEY_USERS\RK_Adam_ON_C_7CA4\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_USERS\RK_Adam_ON_C_7CA4\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.SearchPage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page :
[PUM.SearchPage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Search Page :
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Internet Explorer\Main | Search Page :
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Internet Explorer\Main | Search Page :
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page :
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Search Page :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 209.18.47.61 209.18.47.62 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 209.18.47.61 209.18.47.62 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 209.18.47.61 209.18.47.62 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4FADB798-4048-4794-80B3-060282232966} | DhcpNameServer : 209.18.47.61 209.18.47.62 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4FADB798-4048-4794-80B3-060282232966} | DhcpNameServer : 209.18.47.61 209.18.47.62 [UNITED STATES (US)]  -> Not selected
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{4FADB798-4048-4794-80B3-060282232966} | DhcpNameServer : 209.18.47.61 209.18.47.62 [UNITED STATES (US)]  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_C_8773\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_C_8773\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_C_8773\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_C_8773\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X64) HKEY_USERS\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected
[PUM.DesktopIcons] (X86) HKEY_USERS\S-1-5-21-2622789366-4104432293-3959885506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031A47-3F72-44A7-89C5-5595FE6B30EE} : 1  -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[Hj.Name][File] Monitor Ink Alerts - HP Deskjet 3510 series.lnk -- C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3510 series.lnk [LNK@] E:\Windows\System32\RunDll32.exe "C:\Program Files\HP\HP Deskjet 3510 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN35R1NNR505Y7;CONNECTION=USB;MONITOR=1; -> Deleted

¤¤¤ Hosts File : 1 ¤¤¤
[E:\Windows\System32\drivers\etc\hosts] 127.0.0.1       localhost

¤¤¤ Antirootkit : 1 (Driver: Loaded) ¤¤¤
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\System32\Drivers\EtronXHCI.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST31000528AS ATA Device +++++
--- User ---
[MBR] 2818df2e40ed55671db5836bb4d11e0d
[BSP] 4b40a654f2eed2a0d58b436bdcfdf384 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 953767 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 840 EVO 250GB ATA Device +++++
--- User ---
[MBR] a2d3c2b420296ce71d277f154e53f6d7
[BSP] 655542efa96fe804c29ec51e01a5462d : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 238473 MB
User = LL1 ... OK
User = LL2 ... OK


============================================
RKreport_SCN_10292014_174752.log - RKreport_SCN_10302014_182742.log

Step 2:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 29-10-2014 01
Ran by Adrock at 2014-10-30 18:33:19 Run:3
Running from E:\Users\Adrock\Downloads
Loaded Profile: Adrock (Available profiles: Adrock)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
DeleteKey: HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
cmd: dir /a/s "%temp%"
end

*****************

HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3} => Key Deleted successfully.

=========  dir /a/s "%temp%" =========


========= End of CMD: =========


==== End of Fixlog ====
 

Step 3:

 

OTL Log: http://pastebin.com/g2HgqMVU
 

 

OTL Extra: http://pastebin.com/9gU0G7ep


Edited by wrxutec, 30 October 2014 - 05:59 PM.
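As an added example (not code from RogueKiller, FRST or anyone in this thread), the following Python reconciles a RogueKiller delete run against the list a helper asked the user to tick: it masks the per-run hive suffix (RK_Software_ON_C_466C in the instructions versus _8773 in the delete log above), reports instructed items that were not deleted (such as the X86 entry that returned ERROR [2]) and items deleted that were not on the list, which is how an unlisted deletion like the HP printer shortcut would be caught. The sample log lines are constructed, modelled on the logs in this thread.

```python
"""Reconcile a RogueKiller delete run against the items a helper asked the
user to tick, using the log line format seen in this thread.

Added example, not code from RogueKiller, FRST or the thread's participants.
The sample log lines are constructed, modelled on the thread's logs.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "[Category] (X64) key | value : data -> Status" or "[Category][Kind] body -> Status"
HEAD_RE = re.compile(r"^\[(?P<category>[^\]]+)\](?:\[(?P<kind>[^\]]+)\])?\s*"
                     r"(?:\((?P<arch>X64|X86)\)\s*)?(?P<body>.*)$")
STATUS_RE = re.compile(r"\s+->\s*(?P<status>Deleted|Found|Not selected|ERROR(?: \[\d+\])?)\s*$")
# RogueKiller shows hives under a per-run name such as RK_Software_ON_C_466C;
# the hex suffix differs between the scan and the delete run, so mask it.
HIVE_RE = re.compile(r"RK_(\w+?)_ON_C_[0-9A-Fa-f]{4}")
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

@dataclass(frozen=True)
class Finding:
    category: str
    kind: Optional[str]     # e.g. "File" for [Hj.Name][File] lines
    arch: Optional[str]     # "X64" / "X86" for registry findings
    key: str                # registry key, or the whole text for file findings
    name: str               # registry value name ("" when absent)
    data: str               # registry value data ("" when absent)
    status: Optional[str]   # Found / Deleted / Not selected / ERROR [n] / None

def parse_line(line: str) -> Optional[Finding]:
    """Parse one bracketed detection line; headers and other lines give None."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    body, status = m.group("body"), None
    s = STATUS_RE.search(body)
    if s:
        status, body = s.group("status"), body[: s.start()]
    body = body.replace(" [x]", "").strip()  # "[x]" marks a ticked item
    key, sep, rest = body.partition(" | ")
    name, _, data = rest.partition(" :") if sep else ("", "", "")
    return Finding(m.group("category"), m.group("kind"), m.group("arch"),
                   key.strip(), name.strip(), data.strip(), status)

def parse_log(text: str) -> list:
    return [f for f in map(parse_line, text.splitlines()) if f is not None]

def identity(f: Finding) -> tuple:
    """Stable id for matching one item across two RogueKiller runs."""
    return (f.category, f.arch, HIVE_RE.sub(r"RK_\1_ON_C_*", f.key), f.name)

def is_guid_programdata_autorun(f: Finding) -> bool:
    """Persistence shape from this thread: a GUID-named value under the
    Policies/Explorer/Run key whose data is an .exe below ProgramData."""
    if not f.key.lower().endswith(r"\policies\explorer\run"):
        return False
    if not GUID_RE.match(f.name):
        return False
    data = f.data.strip('"').lower()
    return "\\programdata\\" in data and data.endswith(".exe")

def reconcile(instructed_text: str, result_text: str) -> dict:
    """Compare the helper's list with what the delete run reports."""
    instructed = {identity(f): f for f in parse_log(instructed_text)}
    results = {identity(f): f for f in parse_log(result_text)}
    report = {"deleted_as_instructed": [], "not_deleted": [],
              "deleted_unexpectedly": []}
    for ident in instructed:
        r = results.get(ident)
        if r is not None and r.status == "Deleted":
            report["deleted_as_instructed"].append(ident)
        else:  # status None means the log printed no result for the item
            report["not_deleted"].append((ident, r.status if r else "absent"))
    for ident, r in results.items():
        if r.status == "Deleted" and ident not in instructed:
            report["deleted_unexpectedly"].append(ident)
    return report

# Constructed sample: entries the helper asked the user to tick (scan run).
INSTRUCTED = r"""
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_C_466C\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {43434304-b932-dcd7-8b46-d7d2c0933d9b} : "C:\ProgramData\Microsoft\{43434304-b932-dcd7-8b46-d7d2c0933d9b}\{43434304-b932-dcd7-8b46-d7d2c0933d9b}.exe"  -> Found
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_C_466C\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {43434304-b932-dcd7-8b46-d7d2c0933d9b} : "C:\ProgramData\Microsoft\{43434304-b932-dcd7-8b46-d7d2c0933d9b}\{43434304-b932-dcd7-8b46-d7d2c0933d9b}.exe"  -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_C_197E\ControlSet001\Services\CltMngSvc -> Found
[PUM.HomePage] (X64) HKEY_USERS\RK_Adam_ON_C_C743\Software\Microsoft\Internet Explorer\Main | Start Page :
"""
# Constructed sample: delete-run log; the user also ticked an HP shortcut
# that was not on the list, and the X86 entry failed to delete.
RESULT = r"""
¤¤¤ Registry : 5 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_C_8773\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {43434304-b932-dcd7-8b46-d7d2c0933d9b} : "C:\ProgramData\Microsoft\{43434304-b932-dcd7-8b46-d7d2c0933d9b}\{43434304-b932-dcd7-8b46-d7d2c0933d9b}.exe" [x] -> Deleted
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_C_8773\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | {43434304-b932-dcd7-8b46-d7d2c0933d9b} : "C:\ProgramData\Microsoft\{43434304-b932-dcd7-8b46-d7d2c0933d9b}\{43434304-b932-dcd7-8b46-d7d2c0933d9b}.exe"  -> ERROR [2]
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_C_3280\ControlSet001\Services\CltMngSvc -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\RK_Adam_ON_C_7CA4\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_C_8773\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Not selected

¤¤¤ Files : 1 ¤¤¤
[Hj.Name][File] Monitor Ink Alerts - HP Deskjet 3510 series.lnk -- C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3510 series.lnk [LNK@] E:\Windows\System32\RunDll32.exe "C:\Program Files\HP\HP Deskjet 3510 series\bin\HPStatusBL.dll",RunDLLEntry -> Deleted
"""
```

Calling reconcile(INSTRUCTED, RESULT) puts the HP shortcut under deleted_unexpectedly and the X86 entry under not_deleted with its ERROR [2] status.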


#13 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:10:26 AM

Posted 30 October 2014 - 07:48 PM

Hi,

 

You deleted something you shouldn't have.

 

[Hj.Name][File] Monitor Ink Alerts - HP Deskjet 3510 series.lnk -- C:\Users\Adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Deskjet 3510 series.lnk [LNK@] E:\Windows\System32\RunDll32.exe "C:\Program Files\HP\HP Deskjet 3510 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN35R1NNR505Y7;CONNECTION=USB;MONITOR=1; -> Deleted

 

We can try to restore the shortcut from E:\Programdata\RogueKiller\Quarantine (but the file is probably encrypted and should be decrypted first). Maybe it will be easier if you reinstall the driver instead. I'll have to check this with the developer and will keep you posted.

 

Is this a dual boot system, since the deleted file is in C:\Users\Adam\AppData... and not in E:\Users\Adrock\AppData...?

 

 

 

Also you can run Disk Cleanup to remove the old Windows installation (to save disk space):

 

[2014/05/23 23:53:55 | 000,000,000 | ---D | M] -- E:\Windows.old

 

How to remove the Windows.old folder

 

 

 

No wonder your computer was so severely infected. You use a lot of cracks. This is playing with fire though.

 

Go ahead and uninstall and delete the following applications from your computer:

 

E:\Users\Adrock\Documents\BitLord\Adobe Photoshop CC 2014 (64 bit) (Crack) [ChingLiu]\Adobe CC 2014\Set-up.exe
E:\Users\Adrock\Documents\BitLord\Microsoft Office 2013 Professional Plus
E:\Users\Adrock\Documents\BitLord\Microsoft Office 2013 Professional Plus\# Crack\Microsoft Toolkit.exe
E:\Windows\AutoKMS

Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications like LibreOffice or LightWorks.

Malware writers just love cracks and keygens, and will often attach malicious code to them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!

I suggest you to uninstall BitLord as well.

Your log(s) show that you are using so called peer-to-peer or file-sharing programs (in your case BitLord). These programs allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and it is thus suggested that they be used with intense care. Some further readings on this subject, along with the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries around the world, and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Libre Office or GIMP."


Also, please take a look here:

How cyber criminals infect victims via P2P with pirated software

We need to run an OTL Fix


  • Please reopen OTL from its icon on your desktop.
  • Copy and paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code".

    :OTL
    SafeBootMin:64bit: 14505821.sys - Driver
    SafeBootMin:64bit: 49090312.sys - Driver
    SafeBootMin: 14505821.sys - Driver
    SafeBootMin: 49090312.sys - Driver
    SafeBootNet:64bit: 14505821.sys - Driver
    SafeBootNet:64bit: 49090312.sys - Driver
    SafeBootNet: 14505821.sys - Driver
    SafeBootNet: 49090312.sys - Driver
    :files
    E:\Users\Adrock\AppData\Roaming\OptimumPcBoost
    E:\ProgramData\Avg_Update_0814tb
    C:\Users\All Users\Conduit
    :commands
    [emptytemp]

  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If a report is not shown please navigate to the E:\_OTL\MovedFiles folder, and open the newest .log file present.
  • Copy/paste the content of the log back here in your next post.

Let me know how things are in your next reply.

Regards,

Georgi


Edited by B-boy/StyLe/, 30 October 2014 - 09:11 PM.
typo.

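For readers following along on their own machine, here is an added example (my own script, not OTL's code and not part of the original reply) that audits the same SafeBoot registry lists the fix above cleans: it walks HKLM\...\SafeBoot\Minimal and \Network, checks each *.sys entry against the driver on disk and its Authenticode status, and flags purely numeric names like the 14505821.sys / 49090312.sys entries removed here. It assumes a default Windows install (System32\drivers) and an elevated PowerShell prompt.

```powershell
# Added example (not from this thread): audit the SafeBoot driver list.
# Windows keeps the drivers/services permitted to load in Safe Mode under
# HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal and \Network.
# Malware registers itself there (the randomly named 14505821.sys and
# 49090312.sys entries removed above) so that it survives a Safe Mode boot.
# Run from an elevated PowerShell prompt; paths assume a default install.
function Get-SafeBootDriverEntries {
    [CmdletBinding()]
    param(
        # Folder where driver binaries live (assumed default location).
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
    )
    foreach ($mode in 'Minimal', 'Network') {
        $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path -Path $keyPath)) { continue }
        foreach ($sub in Get-ChildItem -Path $keyPath) {
            $name = $sub.PSChildName
            # Only driver-file style entries; device-class GUIDs are skipped.
            if ($name -notlike '*.sys') { continue }
            $file   = Join-Path $DriverDir $name
            $exists = Test-Path -LiteralPath $file
            $status = 'FileMissing'
            if ($exists) {
                # Authenticode status: Valid, NotSigned, HashMismatch, ...
                $status = (Get-AuthenticodeSignature -FilePath $file).Status
            }
            # A purely numeric file name, or an existing but unsigned or
            # tampered binary, is a lead worth investigating. A missing file
            # alone is only informational: some legitimate entries are
            # service names ending in .sys with no file of that exact name.
            $numeric = $name -match '^\d+\.sys$'
            [pscustomobject]@{
                Mode       = $mode
                Entry      = $name
                Type       = (Get-ItemProperty -Path $sub.PSPath).'(default)'
                Signature  = "$status"
                Suspicious = [bool]($numeric -or ($exists -and "$status" -ne 'Valid'))
            }
        }
    }
}

# Show suspicious entries first.
Get-SafeBootDriverEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

The output is a triage list, not a verdict: confirm a flagged entry against its service registration and the file's publisher before removing it.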


#14 wrxutec

wrxutec
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 30 October 2014 - 07:54 PM

I recently installed an SSD drive and boot my computer from that... I don't know how to delete the boot process from my old drive without losing all of my data.  Every time I boot my computer it gives me 2 options, but for some reason I'm not able to select one with my G510 keyboard, so I have to wait until the time runs out.  It's very annoying! I'll run OTL and post the log in my next reply.



#15 wrxutec

wrxutec
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 30 October 2014 - 08:00 PM

Here's the log and I deleted Bitlord

All processes killed
========== OTL ==========
64bit-Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SafeBootMin 14505821.sys\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SafeBootMin 49090312.sys\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\14505821.sys\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\49090312.sys\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SafeBootNet 14505821.sys\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SafeBootNet 49090312.sys\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\14505821.sys\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\49090312.sys\ deleted successfully.
========== FILES ==========
E:\Users\Adrock\AppData\Roaming\OptimumPcBoost\Backup folder moved successfully.
E:\Users\Adrock\AppData\Roaming\OptimumPcBoost folder moved successfully.
E:\ProgramData\Avg_Update_0814tb folder moved successfully.
C:\Users\All Users\Conduit\Multi\CT3314880 folder moved successfully.
C:\Users\All Users\Conduit\Multi folder moved successfully.
C:\Users\All Users\Conduit folder moved successfully.
========== COMMANDS ==========
 
[EMPTYTEMP]
 
User: Adrock
->Temp folder emptied: 56861361 bytes
->Temporary Internet Files folder emptied: 151829262 bytes
->FireFox cache emptied: 379178824 bytes
->Flash cache emptied: 2254 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 300 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
RecycleBin emptied: 78504 bytes
 
Total Files Cleaned = 561.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 10302014_205602

Files\Folders moved on Reboot...
E:\Users\Adrock\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
E:\Users\Adrock\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 