
Unknown Virus/Malware


  • This topic is locked
45 replies to this topic

#1 Tashin32

  • Members
  • 21 posts
  • Gender:Male

Posted 08 November 2014 - 11:02 PM

Hello,

I am currently having an issue with an unknown virus/malware that began by running several dllhost.exe processes on my computer that took up all available CPU time and RAM. Reading up on this on several threads here, I determined that it was very likely the Poweliks problem a lot of people have been running into (after stumbling onto another user having literally the exact same issues). I ran the tool provided, Powelikscleaner (by ESET), and according to the tool this virus was found and removed. Everything was quiet on my PC for about 5 minutes, then all resources were cut once more. Upon looking in the Task Manager, I found that in place of the dllhost.exe file, a large number of processes were being spoofed (such as IE, TaskKill, Spotify Help, and so on) even though none of them were currently running. I am able to stop them, but it is only a temporary fix as they begin reappearing within a minute or two. Whatever this is made it past Trend Micro Titanium, AVG Free (which it destroyed), Spybot, and Malwarebytes. I get occasional hits with these programs, although a different threat is present the next time they are run. The same goes when booting in diagnostic startup using the msconfig options; however, the problem with multiple spoofed processes does not occur in diagnostic mode. Below is the log file created when I ran DDS, and I made sure to do so at the peak of these issues. Any help is greatly appreciated, thank you.


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.17116  BrowserJavaVersion: 10.67.2
Run by Bejita at 22:47:47 on 2014-11-08
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.6142.2036 [GMT -5:00]
.
AV: Trend Micro Titanium *Enabled/Updated* {B7599298-8445-728A-A5C7-A26A082C8BDA}
SP: Trend Micro Titanium *Enabled/Updated* {0C38737C-A27F-7D04-9F77-991873ABC167}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Trend Micro\AMSP\AMSP_LogServer.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
G:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
G:\Program Files (x86)\Steam\bin\steamwebhelper.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\system32\Macromed\Flash\FlashUtil64_14_0_0_145_ActiveX.exe
C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\ProgramData\Windows Genuine Advantage\{848D5CD0-B195-46D6-88AF-B15979BC7EF9}\msiexec.exe
C:\Windows\explorer.exe
C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7\GoogleUpdate.exe
C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7\GoogleUpdate.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskkill.exe
C:\Windows\system32\taskkill.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Bejita\AppData\Roaming\Spotify\spotify.exe
C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
C:\Windows\system32\taskkill.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\sdiagnhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\sdiagnhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
mWinlogon: Userinit = userinit.exe,
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\2.5.1331\6.8.1094\TmIEPlg32.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
BHO: ArcPluginIEBHO Class: {84BFE29A-8139-402a-B2A4-C23AE9E1A75F} - E:\Program Files (x86)\Perfect World Entertainment\Arc\plugins\ArcPluginIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\7.5.1137\7.5.1137\TmBpIe32.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
uRun: [Steam] "G:\Program Files (x86)\Steam\steam.exe" -silent
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
mRun: [emsisoft anti-malware] "C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe" /d=60
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
TCP: NameServer = 10.10.10.1
TCP: Interfaces\{29C6F6D6-2A7E-45E8-86C4-3F8411CD25E4} : DHCPNameServer = 10.10.10.1
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.5.1137\7.5.1137\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.5.1331\6.8.1094\TmIEPlg32.dll
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-mStart Page = about:blank
x64-BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\module\20004\2.5.1331\6.8.1094\TmIEPlg.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\module\20002\7.5.1137\7.5.1137\TmBpIe64.dll
x64-Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
x64-Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL ""
x64-RunOnce: [DCERegBootClean64] C:\Windows\RegBootClean64.exe
.
INFO: x64-HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
x64-Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.5.1137\7.5.1137\TmBpIe64.dll
x64-Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.5.1331\6.8.1094\TmIEPlg.dll
x64-Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 TMEBC;TMEBC;C:\Windows\System32\drivers\TMEBC64.sys [2013-9-18 46392]
R1 A2DDA;A2 Direct Disk Access Support Driver;C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [2014-11-8 26176]
R1 tmevtmgr;tmevtmgr;C:\Windows\System32\drivers\tmevtmgr.sys [2013-9-18 77184]
R2 a2AntiMalware;Emsisoft Protection Service;C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [2014-11-8 4816568]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2014-8-11 239616]
R2 AMD FUEL Service;AMD FUEL Service;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [2014-4-17 344064]
R2 Amsp;Trend Micro Solution Platform;C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe [2013-9-18 310952]
R2 AODDriver4.3;AODDriver4.3;C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\aoddriver2.sys [2014-2-11 59616]
R2 Garmin Core Update Service;Garmin Core Update Service;C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [2014-8-7 438616]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2014-6-21 94720]
R3 cleanhlp;cleanhlp;C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [2014-11-8 57024]
R3 tmeevw;tmeevw;C:\Windows\System32\drivers\tmeevw.sys [2013-9-18 94520]
R3 tmnciesc;tmnciesc;C:\Windows\System32\drivers\tmnciesc.sys [2013-9-18 210232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2014-4-3 315008]
S3 a2acc;a2acc;C:\Program Files (x86)\Emsisoft Anti-Malware\a2accx64.sys [2014-11-8 71472]
S3 ArcService;Arc Service;E:\Program Files (x86)\Perfect World Entertainment\Arc\ArcService.exe [2014-8-12 88400]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2013-9-18 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2013-9-17 79360]
S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;C:\Windows\System32\drivers\MijXfilt.sys [2014-3-16 121416]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-11-6 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-11-6 56832]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2013-9-18 1255736]
S4 EasyAntiCheat;EasyAntiCheat;C:\Windows\System32\EasyAntiCheat.exe --> C:\Windows\System32\EasyAntiCheat.exe [?]
.
=============== File Associations ===============
.
ShellExec: SC2Editor.exe: open="D:/Star Craft/StarCraft II/Support/SC2Editor.exe" "%1"
ShellExec: SC2Switcher.exe: open="D:/Star Craft/StarCraft II/Support/SC2Switcher.exe" "%1"
.
=============== Created Last 30 ================
.
2014-11-09 03:32:08 -------- d-----w- C:\ProgramData\MigiQdoy
2014-11-09 03:31:59 -------- d-----w- C:\ProgramData\ZuwarBokno
2014-11-09 03:25:12 -------- d-----w- C:\ProgramData\Emsisoft
2014-11-09 02:45:15 -------- d-----w- C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7
2014-11-09 02:44:56 -------- d-----w- C:\ProgramData\ZudbObqu
2014-11-09 02:44:54 -------- d-----w- C:\ProgramData\ZiyoSegli
2014-11-09 02:44:33 23552 ----a-w- C:\Users\Bejita\AppData\Local\acillao.dll
2014-11-08 22:57:54 -------- d-----w- C:\FRST
2014-11-08 22:52:27 -------- d-----w- C:\Program Files (x86)\Emsisoft Anti-Malware
2014-11-08 20:42:01 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-11-08 20:41:44 93400 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-11-08 20:41:44 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-11-08 20:41:44 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-11-08 20:40:53 -------- d-----w- C:\Users\Bejita\AppData\Roaming\Malwarebytes
2014-11-08 20:17:46 -------- d-----w- C:\ProgramData\Malwarebytes
2014-11-08 20:17:44 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-11-08 06:50:48 600064 ----a-w- C:\Windows\System32\vbscript.dll
2014-11-08 06:50:48 523776 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-11-08 00:11:05 3179520 ----a-w- C:\Windows\System32\rdpcorets.dll
2014-11-08 00:11:05 16384 ----a-w- C:\Windows\System32\RdpGroupPolicyExtension.dll
2014-11-08 00:11:00 5703168 ----a-w- C:\Windows\SysWow64\mstscax.dll
2014-11-07 00:24:42 44544 ----a-w- C:\Windows\System32\TsUsbGDCoInstaller.dll
2014-11-04 05:34:40 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2014-11-04 05:34:40 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2014-10-17 00:13:25 3241472 ----a-w- C:\Windows\System32\msi.dll
.
==================== Find3M  ====================
.
2014-11-09 03:30:45 238128 ----a-w- C:\Windows\RegBootClean64.exe
2014-10-10 02:05:59 276480 ----a-w- C:\Windows\System32\generaltel.dll
2014-10-10 02:05:42 507392 ----a-w- C:\Windows\System32\aepdu.dll
2014-10-10 02:00:38 424448 ----a-w- C:\Windows\System32\aeinv.dll
2014-09-29 00:58:48 3198976 ----a-w- C:\Windows\System32\win32k.sys
2014-09-25 02:08:38 371712 ----a-w- C:\Windows\System32\qdvd.dll
2014-09-25 01:40:50 519680 ----a-w- C:\Windows\SysWow64\qdvd.dll
2014-09-20 05:17:42 2236928 ----a-w- C:\Windows\System32\wininet.dll
2014-09-20 05:16:11 3959296 ----a-w- C:\Windows\System32\jscript9.dll
2014-09-20 05:16:07 67072 ----a-w- C:\Windows\System32\iesetup.dll
2014-09-20 05:16:07 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2014-09-20 05:15:22 1508864 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-09-20 03:57:57 1762816 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-09-20 03:57:04 2861568 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-09-20 03:57:01 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-09-20 03:57:01 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2014-09-20 03:56:33 1440768 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-09-20 03:38:36 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2014-09-20 03:33:44 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-09-20 02:43:32 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2014-09-20 02:35:33 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2014-09-18 01:32:52 2363904 ----a-w- C:\Windows\SysWow64\msi.dll
2014-09-13 05:43:01 98216 ----a-w- C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-09-13 01:58:18 77312 ----a-w- C:\Windows\System32\packager.dll
2014-09-13 01:40:05 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2014-09-09 22:11:04 2048 ----a-w- C:\Windows\System32\tzres.dll
2014-09-09 21:47:10 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2014-09-05 02:11:09 6584320 ----a-w- C:\Windows\System32\mstscax.dll
2014-09-04 22:31:49 175136 ----a-w- C:\Windows\SysWow64\EasyAntiCheat.exe
2014-09-04 05:23:20 424448 ----a-w- C:\Windows\System32\rastls.dll
2014-09-04 05:04:15 372736 ----a-w- C:\Windows\SysWow64\rastls.dll
2014-08-23 02:07:00 404480 ----a-w- C:\Windows\System32\gdi32.dll
2014-08-23 01:45:55 311808 ----a-w- C:\Windows\SysWow64\gdi32.dll
2014-08-12 01:43:28 826368 ----a-w- C:\Windows\System32\coinst_14.20.dll
.
============= FINISH: 22:48:18.95 ===============
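The DDS "Running Processes" section above already carries the leads a responder would chase first: a GoogleUpdate.exe running from AppData\Roaming\FrameworkUpdate7 instead of Google's install directory, an msiexec.exe under a GUID-named ProgramData folder rather than System32, and a storm of identical process images. The script below is an added triage example written for this editing pass; it is not part of the original post or of the DDS tool. It parses that section of a DDS log and applies four heuristics (user-writable location, system binary name outside the system directories, vendor binary outside its expected root, and repeated image names). The sample log text is a constructed subset of the paths posted above, and the expected install roots and the storm threshold of 4 are assumptions, not DDS behaviour.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "Running Processes" section of the DDS
# log posted in this thread, plus the section markers DDS emits around it.
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
C:\ProgramData\Windows Genuine Advantage\{848D5CD0-B195-46D6-88AF-B15979BC7EF9}\msiexec.exe
C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7\GoogleUpdate.exe
C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7\GoogleUpdate.exe
C:\Users\Bejita\AppData\Roaming\Spotify\spotify.exe
C:\Windows\system32\taskkill.exe
C:\Windows\system32\taskkill.exe
C:\Windows\system32\taskkill.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
IMAGE_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)

# Heuristic tables (assumptions for this example, not DDS rules).
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")
SYSTEM_ONLY = {"msiexec.exe", "dllhost.exe", "svchost.exe", "taskkill.exe", "cscript.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXPECTED_ROOT = {"googleupdate.exe": "\\google\\update\\"}  # assumed default install root
STORM_THRESHOLD = 4  # assumed: this many copies of one image name is worth a look


def parse_running_processes(text):
    """Return image paths (arguments stripped) from the 'Running Processes' section."""
    paths, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            in_section = sec.group(1).lower() == "running processes"
            continue
        if not in_section or not line or line == ".":
            continue
        m = IMAGE_RE.match(line)  # DDS appends command-line args after the image path
        if m:
            paths.append(m.group(1))
    return paths


def triage(paths):
    """Apply the heuristics; return finding -> sorted list of distinct paths."""
    findings = {"user_writable": [], "system_name_outside_system_dir": [],
                "vendor_path_mismatch": [], "process_storm": []}
    name_counts = Counter(p.lower().rsplit("\\", 1)[-1] for p in paths)
    for p in sorted(set(paths)):
        low = p.lower()
        name = low.rsplit("\\", 1)[-1]
        if any(tok in low for tok in USER_WRITABLE):
            findings["user_writable"].append(p)
        if name in SYSTEM_ONLY and not low.startswith(SYSTEM_DIRS):
            findings["system_name_outside_system_dir"].append(p)
        if name in EXPECTED_ROOT and EXPECTED_ROOT[name] not in low:
            findings["vendor_path_mismatch"].append(p)
        if name_counts[name] >= STORM_THRESHOLD:
            findings["process_storm"].append(p)
    return findings


def triage_dds(text):
    """Convenience wrapper: parse a DDS log and triage its running processes."""
    return triage(parse_running_processes(text))


if __name__ == "__main__":
    for finding, hits in triage_dds(SAMPLE_DDS).items():
        print(f"[{finding}]")
        for path in hits:
            print("   ", path)
```

The output is a list of leads, not verdicts: spotify.exe legitimately lives under AppData\Roaming and will always trip the user-writable rule, which is why each hit should be checked against the FRST signer column (the FRST log in the next post shows "()" for the FrameworkUpdate7 and ProgramData binaries, i.e. no publisher) before anything is acted on.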
 


#2 Tashin32
  • Topic Starter

  • Members
  • 21 posts
  • Gender:Male

Posted 08 November 2014 - 11:06 PM

I also went ahead and ran FRST as well. I understand I jumped the gun, but I was trying to compare my log files to the other posts so I could eliminate these problems myself.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 08-11-2014 01
Ran by Bejita (administrator) on SHINOBI on 08-11-2014 22:50:27
Running from C:\Users\Bejita\Desktop
Loaded Profile: Bejita (Available profiles: Bejita)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\AMSP_LogServer.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
(Valve Corporation) G:\Program Files (x86)\Steam\Steam.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Valve Corporation) G:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_14_0_0_145_ActiveX.exe
(Emsisoft GmbH) C:\Program Files (x86)\Emsisoft Anti-Malware\A2SERVICE.EXE.old
() C:\ProgramData\Windows Genuine Advantage\{848D5CD0-B195-46D6-88AF-B15979BC7EF9}\msiexec.exe
() C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7\GoogleUpdate.exe
() C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7\GoogleUpdate.exe
(Microsoft Corporation) C:\Windows\System32\taskkill.exe
(Microsoft Corporation) C:\Windows\System32\taskkill.exe
(Spotify Ltd) C:\Users\Bejita\AppData\Roaming\Spotify\spotify.exe
() C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
() C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
() C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
() C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
() C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
() C:\Users\Bejita\AppData\Roaming\Spotify\Data\SpotifyHelper.exe
(Microsoft Corporation) C:\Windows\System32\taskkill.exe
(Microsoft Corporation) C:\Windows\System32\sdiagnhost.exe
(Microsoft Corporation) C:\Windows\System32\sdiagnhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\sdiagnhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [216928 2013-08-29] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Titanium] => C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe [1382568 2013-09-16] (Trend Micro Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-04-17] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [emsisoft anti-malware] => C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe [4873248 2014-11-08] (Emsisoft GmbH)
HKLM\...\RunOnce: [DCERegBootClean64] => C:\Windows\RegBootClean64.exe [238128 2014-11-08] ()
HKU\S-1-5-21-1200494228-1057997902-151371316-1000\...\Run: [Steam] => G:\Program Files (x86)\Steam\steam.exe [1938624 2014-10-21] (Valve Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x5C7FB37C2DB4CE01
HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg.dll (Trend Micro Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe64.dll (Trend Micro Inc.)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg32.dll (Trend Micro Inc.)
BHO-x32: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: ArcPluginIEBHO Class -> {84BFE29A-8139-402a-B2A4-C23AE9E1A75F} -> E:\Program Files (x86)\Perfect World Entertainment\Arc\Plugins\ArcPluginIE.dll (Perfect World Entertainment Inc)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe32.dll (Trend Micro Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe64.dll (Trend Micro Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg.dll (Trend Micro Inc.)
Handler: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} -  No File
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe32.dll (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg32.dll (Trend Micro Inc.)
Handler-x32: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 10.10.10.1

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> E:\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @perfectworld.com/npArcPlayNowPlugin -> E:\Program Files (x86)\Perfect World Entertainment\Arc\Plugins\npArcPluginFF.dll (Perfect World Entertainment Inc)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [tmbepff-7.5@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\firefoxextension
FF Extension: Trend Micro BEP Firefox Extension - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\firefoxextension [2013-10-08]
FF HKLM-x32\...\Firefox\Extensions: [tmbepff-7.5@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\firefoxextension
FF HKLM-x32\...\Firefox\Extensions: [{22181a4d-af90-4ca3-a569-faed9118d6bc}] - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension
FF Extension: Trend Micro Toolbar - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension [2013-09-18]
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension [2013-10-08]

Chrome:
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\pdf.dll ()
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Trend Micro Titanium) - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension\components\npToolbarChrome.dll (Trend Micro Inc.)
CHR Profile: C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-09-26]
CHR Extension: (Google Drive) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-09-26]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]
CHR Extension: (YouTube) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-09-26]
CHR Extension: (Google Search) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-09-26]
CHR Extension: (Google Wallet) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-26]
CHR Extension: (Gmail) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-09-26]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [4816568 2014-11-08] (Emsisoft GmbH)
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-04-17] (Advanced Micro Devices, Inc.) [File not signed]
S3 ArcService; E:\Program Files (x86)\Perfect World Entertainment\Arc\ArcService.exe [88400 2014-08-12] (Perfect World Entertainment Inc)
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2013-09-18] (Creative Labs) [File not signed]
S3 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2013-09-17] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [307200 2008-11-18] (Creative Technology Ltd) [File not signed]
S4 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [175136 2014-09-04] (EasyAntiCheat Ltd)
R2 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [438616 2014-08-07] (Garmin Ltd or its subsidiaries)
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 a2acc; C:\PROGRAM FILES (X86)\EMSISOFT ANTI-MALWARE\a2accx64.sys [71472 2014-05-12] (Emsisoft GmbH)
R1 A2DDA; C:\Program Files (x86)\Emsisoft Anti-Malware\a2ddax64.sys [26176 2013-03-28] (Emsisoft GmbH)
R2 AODDriver4.3; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
R3 cleanhlp; C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [57024 2013-12-04] (Emsisoft GmbH)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
R1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [109072 2013-09-04] (Trend Micro Inc.)
R0 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [175528 2013-09-04] (Trend Micro Inc.)
R0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC64.sys [46392 2012-08-24] (Trend Micro Inc.)
R3 tmeevw; C:\Windows\System32\DRIVERS\tmeevw.sys [94520 2012-12-07] (Trend Micro Inc.)
R1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [77184 2013-09-04] (Trend Micro Inc.)
R3 tmnciesc; C:\Windows\System32\DRIVERS\tmnciesc.sys [210232 2012-07-05] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105744 2012-05-02] (Trend Micro Inc.)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-08 22:50 - 2014-11-08 22:52 - 00016267 _____ () C:\Users\Bejita\Desktop\FRST.txt
2014-11-08 22:50 - 2014-11-08 22:50 - 02115584 _____ (Farbar) C:\Users\Bejita\Desktop\FRST64.exe
2014-11-08 22:48 - 2014-11-08 22:48 - 00016899 _____ () C:\Users\Bejita\Desktop\dds.txt
2014-11-08 22:48 - 2014-11-08 22:48 - 00007387 _____ () C:\Users\Bejita\Desktop\attach.txt
2014-11-08 22:46 - 2014-11-08 22:46 - 00601150 _____ () C:\Users\Bejita\Desktop\ESETPoweliksCleaner.exe_20141108.224627.4048.log
2014-11-08 22:32 - 2014-11-08 22:32 - 00000000 ____D () C:\ProgramData\MigiQdoy
2014-11-08 22:31 - 2014-11-08 22:31 - 00000000 ____D () C:\ProgramData\ZuwarBokno
2014-11-08 22:25 - 2014-11-08 22:25 - 00000000 ____D () C:\ProgramData\Emsisoft
2014-11-08 22:24 - 2014-11-08 22:24 - 00688992 ____R (Swearware) C:\Users\Bejita\Desktop\dds.com
2014-11-08 21:46 - 2014-11-08 21:46 - 00000424 _____ () C:\ProgramData\@system.temp
2014-11-08 21:46 - 2014-11-08 21:46 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-08 21:45 - 2014-11-08 21:45 - 00000448 ____H () C:\Users\Bejita\AppData\Roaming\麽鎒駓覜
2014-11-08 21:45 - 2014-11-08 21:45 - 00000000 ____D () C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7
2014-11-08 21:44 - 2014-11-08 21:44 - 00023552 _____ () C:\Users\Bejita\AppData\Local\acillao.dll
2014-11-08 21:44 - 2014-11-08 21:44 - 00000000 ____D () C:\ProgramData\ZudbObqu
2014-11-08 21:44 - 2014-11-08 21:44 - 00000000 ____D () C:\ProgramData\ZiyoSegli
2014-11-08 19:22 - 2014-11-08 22:30 - 00003084 _____ () C:\Windows\RegBootClean64.CFG
2014-11-08 17:57 - 2014-11-08 22:50 - 00000000 ____D () C:\FRST
2014-11-08 17:53 - 2014-11-08 17:53 - 00001091 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2014-11-08 17:53 - 2014-11-08 17:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2014-11-08 17:52 - 2014-11-08 22:25 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware
2014-11-08 15:42 - 2014-11-08 15:57 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-08 15:41 - 2014-11-08 15:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-08 15:41 - 2014-11-08 15:41 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-11-08 15:41 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-08 15:41 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-08 15:40 - 2014-11-08 15:41 - 00000000 ____D () C:\Users\Bejita\AppData\Roaming\Malwarebytes
2014-11-08 15:17 - 2014-11-08 15:41 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-08 15:17 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-11-08 01:50 - 2013-12-21 04:39 - 00600064 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-08 01:50 - 2013-12-21 02:56 - 00523776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-11-07 19:11 - 2014-09-04 20:52 - 05703168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-11-07 19:11 - 2014-08-28 21:07 - 03179520 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-11-07 19:11 - 2014-05-08 04:32 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2014-11-07 19:10 - 2014-09-20 00:18 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-07 19:10 - 2014-09-20 00:17 - 02236928 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-07 19:10 - 2014-09-20 00:17 - 01407488 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 19280896 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 15399424 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 02655232 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-07 19:10 - 2014-09-20 00:16 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-07 19:10 - 2014-09-20 00:15 - 01508864 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-07 19:10 - 2014-09-20 00:15 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-07 19:10 - 2014-09-20 00:15 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 14368768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 13757952 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 02861568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 02055168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 01762816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 01180672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-11-07 19:10 - 2014-09-19 22:57 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-11-07 19:10 - 2014-09-19 22:56 - 01440768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-11-07 19:10 - 2014-09-19 22:56 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-11-07 19:10 - 2014-09-19 22:56 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-11-07 19:10 - 2014-09-19 22:38 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-07 19:10 - 2014-09-19 22:33 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-11-07 19:10 - 2014-09-19 21:43 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-11-07 19:10 - 2014-09-19 21:35 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2014-11-07 19:10 - 2014-09-04 21:11 - 06584320 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-11-06 19:24 - 2013-10-01 21:22 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys
2014-11-06 19:24 - 2013-10-01 21:11 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-11-06 19:24 - 2013-10-01 21:08 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-11-06 19:24 - 2013-10-01 20:48 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll
2014-11-06 19:24 - 2013-10-01 20:48 - 00018944 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll
2014-11-06 19:24 - 2013-10-01 20:29 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2014-11-06 19:24 - 2013-10-01 20:10 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll
2014-11-06 19:24 - 2013-10-01 19:15 - 01057280 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll
2014-11-06 19:24 - 2013-10-01 19:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsRdpWebAccess.dll
2014-11-06 19:24 - 2013-10-01 19:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wksprtPS.dll
2014-11-06 19:24 - 2013-10-01 19:08 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2014-11-06 19:24 - 2013-10-01 19:01 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2014-11-06 19:24 - 2013-10-01 18:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2014-11-06 19:24 - 2013-10-01 18:31 - 01147392 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2014-11-06 19:24 - 2013-10-01 18:08 - 00855552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdvidcrl.dll
2014-11-06 19:24 - 2013-10-01 17:34 - 01068544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2014-11-06 19:24 - 2012-08-23 09:13 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2014-11-06 19:24 - 2012-08-23 09:10 - 00019456 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpvideominiport.sys
2014-11-06 19:24 - 2012-08-23 06:12 - 00192000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdpendp_winip.dll
2014-11-06 19:24 - 2012-08-23 05:51 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\rdpendp_winip.dll
2014-11-05 00:04 - 2014-11-05 00:04 - 00004046 _____ () C:\Windows\System32\Tasks\{2E5B73FF-E392-E947-DA1A-7D9FDBBE338A}
2014-11-04 01:20 - 2009-06-10 16:00 - 00000824 _____ () C:\Windows\system32\Drivers\etc\hosts.20141104-012020.backup
2014-11-04 00:34 - 2014-11-04 01:18 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-11-04 00:34 - 2014-11-04 00:59 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy
2014-11-04 00:34 - 2014-11-04 00:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
2014-11-03 23:50 - 2014-11-08 22:32 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-30 22:22 - 2014-10-30 22:22 - 00000697 _____ () C:\Users\Public\Desktop\Nexus Mod Manager.lnk
2014-10-30 22:22 - 2014-10-30 22:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nexus Mod Manager
2014-10-16 19:14 - 2014-10-09 21:05 - 00507392 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-10-16 19:14 - 2014-10-09 21:05 - 00276480 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-10-16 19:14 - 2014-10-09 21:00 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-10-16 19:14 - 2014-09-28 19:58 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-10-16 19:14 - 2014-07-08 21:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDYAK.DLL
2014-10-16 19:14 - 2014-07-08 21:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDTAT.DLL
2014-10-16 19:14 - 2014-07-08 21:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU1.DLL
2014-10-16 19:14 - 2014-07-08 21:03 - 00007168 _____ (Microsoft Corporation) C:\Windows\system32\KBDBASH.DLL
2014-10-16 19:14 - 2014-07-08 21:03 - 00006656 _____ (Microsoft Corporation) C:\Windows\system32\KBDRU.DLL
2014-10-16 19:14 - 2014-07-08 20:31 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDYAK.DLL
2014-10-16 19:14 - 2014-07-08 20:31 - 00007168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDTAT.DLL
2014-10-16 19:14 - 2014-07-08 20:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDRU1.DLL
2014-10-16 19:14 - 2014-07-08 20:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDRU.DLL
2014-10-16 19:14 - 2014-07-08 20:31 - 00006656 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KBDBASH.DLL
2014-10-16 19:14 - 2014-07-08 17:38 - 00419992 _____ () C:\Windows\system32\locale.nls
2014-10-16 19:14 - 2014-07-08 17:30 - 00419992 _____ () C:\Windows\SysWOW64\locale.nls
2014-10-16 19:14 - 2014-06-18 17:23 - 01943696 _____ (Microsoft Corporation) C:\Windows\system32\dfshim.dll
2014-10-16 19:14 - 2014-06-18 17:23 - 01131664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dfshim.dll
2014-10-16 19:14 - 2014-06-18 17:23 - 00156824 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscorier.dll
2014-10-16 19:14 - 2014-06-18 17:23 - 00156312 _____ (Microsoft Corporation) C:\Windows\system32\mscorier.dll
2014-10-16 19:14 - 2014-06-18 17:23 - 00081560 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mscories.dll
2014-10-16 19:14 - 2014-06-18 17:23 - 00073880 _____ (Microsoft Corporation) C:\Windows\system32\mscories.dll
2014-10-16 19:13 - 2014-09-17 21:00 - 03241472 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-10-16 19:13 - 2014-09-17 20:32 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-10-16 19:13 - 2014-09-12 20:58 - 00077312 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-10-16 19:13 - 2014-09-12 20:40 - 00067072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-10-16 19:13 - 2014-09-04 00:23 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\rastls.dll
2014-10-16 19:13 - 2014-09-04 00:04 - 00372736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rastls.dll
2014-10-16 19:13 - 2014-07-16 21:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-10-16 19:13 - 2014-07-16 21:07 - 00455168 _____ (Microsoft Corporation) C:\Windows\system32\winlogon.exe
2014-10-16 19:13 - 2014-07-16 21:07 - 00235520 _____ (Microsoft Corporation) C:\Windows\system32\winsta.dll
2014-10-16 19:13 - 2014-07-16 21:07 - 00150528 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorekmts.dll
2014-10-16 19:13 - 2014-07-16 21:07 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-10-16 19:13 - 2014-07-16 21:07 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-10-16 19:13 - 2014-07-16 20:40 - 00157696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\winsta.dll
2014-10-16 19:13 - 2014-07-16 20:39 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-10-16 19:13 - 2014-07-16 20:39 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-10-16 19:13 - 2014-07-16 20:21 - 00212480 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpwd.sys
2014-10-16 19:13 - 2014-07-16 20:21 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\tssecsrv.sys

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-08 22:42 - 2009-07-13 23:45 - 00026016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-08 22:42 - 2009-07-13 23:45 - 00026016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-08 22:36 - 2013-12-24 00:52 - 00000000 ____D () C:\Users\Bejita\AppData\Roaming\Spotify
2014-11-08 22:30 - 2014-03-18 22:18 - 00238128 _____ () C:\Windows\RegBootClean64.exe
2014-11-08 22:03 - 2013-09-26 00:17 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-08 19:01 - 2013-09-22 14:45 - 00000000 ____D () C:\Users\Bejita\Documents\Nexus Mod Manager
2014-11-08 17:42 - 2009-07-14 00:13 - 00782010 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-08 17:39 - 2013-09-17 22:51 - 01293788 _____ () C:\Windows\WindowsUpdate.log
2014-11-08 17:35 - 2013-09-26 00:17 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-08 17:35 - 2013-09-18 00:06 - 00120284 _____ () C:\Windows\PFRO.log
2014-11-08 17:35 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-08 17:35 - 2009-07-13 23:51 - 00057623 _____ () C:\Windows\setupact.log
2014-11-08 15:54 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\Branding
2014-11-08 10:41 - 2009-07-14 00:08 - 00032626 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-11-07 07:28 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-11-06 21:35 - 2013-12-24 00:52 - 00000000 ____D () C:\Users\Bejita\AppData\Local\Spotify
2014-11-06 21:33 - 2013-09-18 21:08 - 00000410 __RSH () C:\ProgramData\ntuser.pol
2014-11-06 19:35 - 2009-07-13 22:20 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2014-11-06 19:34 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-11-06 19:32 - 2013-12-02 23:47 - 00011051 _____ () C:\Windows\IE11_main.log
2014-11-04 01:20 - 2009-07-13 21:34 - 00450716 ____R () C:\Windows\system32\Drivers\etc\hosts.20141108-114608.backup
2014-11-04 00:41 - 2013-09-17 22:51 - 00000000 ____D () C:\Users\Bejita\AppData\Local\VirtualStore
2014-10-30 22:22 - 2013-09-22 14:45 - 00000000 ____D () C:\Users\Bejita\AppData\Local\Black_Tree_Gaming
2014-10-30 22:02 - 2014-02-08 15:12 - 00000000 ____D () C:\Users\Bejita\AppData\Local\Windows Live
2014-10-29 02:04 - 2013-09-26 00:17 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-22 21:58 - 2013-09-26 00:17 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-22 21:58 - 2013-09-26 00:17 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-10-17 01:03 - 2009-07-13 23:45 - 00267672 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-10-17 01:02 - 2014-05-06 00:19 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-10-16 23:00 - 2013-09-17 23:46 - 00000000 ____D () C:\Windows\system32\MRT
2014-10-16 22:58 - 2013-09-17 23:46 - 103265616 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

Some content of TEMP:
====================
C:\Users\Bejita\AppData\Local\Temp\14975549.exe
C:\Users\Bejita\AppData\Local\Temp\15595607.exe
C:\Users\Bejita\AppData\Local\Temp\15872852.exe
C:\Users\Bejita\AppData\Local\Temp\cou.dll
C:\Users\Bejita\AppData\Local\Temp\djc.dll
C:\Users\Bejita\AppData\Local\Temp\ixm.dll
C:\Users\Bejita\AppData\Local\Temp\lpm.dll
C:\Users\Bejita\AppData\Local\Temp\lvo.dll
C:\Users\Bejita\AppData\Local\Temp\scc.dll
C:\Users\Bejita\AppData\Local\Temp\vhf.dll
C:\Users\Bejita\AppData\Local\Temp\wno.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-11-07 07:21

==================== End Of Log ============================
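The created-files section of the FRST log above is the part a malware-response helper reads first. As an added example that is not part of this thread and is not code from FRST, ESET, Emsisoft or any other tool mentioned here, the following Python script parses lines in that one-entry-per-line format and flags the entries a defender would look at first: non-ASCII file names, hidden files outside the Windows directory, executables with no publisher in user-writable locations, and anything else created within a few minutes of those (drops from one infection tend to cluster in time). The sample lines are copied from the log above; the heuristics themselves and the ten-minute window are assumptions, a starting point for triage rather than a verdict.

```python
"""Triage helper for FRST "Created Files and Folders" lines.

Added example: not part of the forum thread, FRST, or any vendor tool.
It parses the "<created> - <modified> - <size> <attrs> (<company>) <path>"
layout FRST uses and applies a few defender heuristics. The sample lines
below are copied from the log in the thread; the heuristics and the
clustering window are this example's own assumptions.
"""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8,}) (?P<attrs>[A-Z_]{5}) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
TIME_FMT = "%Y-%m-%d %H:%M"

# Lines copied from the FRST log in the thread (constructed sample input).
SAMPLE_LOG = r"""
2014-11-08 22:50 - 2014-11-08 22:50 - 02115584 _____ (Farbar) C:\Users\Bejita\Desktop\FRST64.exe
2014-11-08 22:32 - 2014-11-08 22:32 - 00000000 ____D () C:\ProgramData\MigiQdoy
2014-11-08 22:25 - 2014-11-08 22:25 - 00000000 ____D () C:\ProgramData\Emsisoft
2014-11-08 21:46 - 2014-11-08 21:46 - 00000424 _____ () C:\ProgramData\@system.temp
2014-11-08 21:46 - 2014-11-08 21:46 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-08 21:45 - 2014-11-08 21:45 - 00000448 ____H () C:\Users\Bejita\AppData\Roaming\麽鎒駓覜
2014-11-08 21:45 - 2014-11-08 21:45 - 00000000 ____D () C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7
2014-11-08 21:44 - 2014-11-08 21:44 - 00023552 _____ () C:\Users\Bejita\AppData\Local\acillao.dll
2014-11-08 21:44 - 2014-11-08 21:44 - 00000000 ____D () C:\ProgramData\ZudbObqu
2014-11-08 15:41 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-07 19:10 - 2014-09-20 00:17 - 02236928 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
"""


def parse_line(line):
    """Return a dict for one FRST entry, or None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["created"] = datetime.strptime(entry["created"], TIME_FMT)
    entry["modified"] = datetime.strptime(entry["modified"], TIME_FMT)
    entry["size"] = int(entry["size"])
    entry["is_dir"] = "D" in entry["attrs"]
    entry["hidden"] = "H" in entry["attrs"]
    return entry


def flag_entry(entry):
    """First-pass heuristics on a single entry; returns a list of reason strings."""
    reasons = []
    path = entry["path"]
    lower = path.lower()
    name = path.rsplit("\\", 1)[-1]
    in_user_dir = any(tok in lower for tok in USER_WRITABLE)
    if not name.isascii():
        reasons.append("non-ascii filename")
    if entry["hidden"] and "\\windows\\" not in lower:
        reasons.append("hidden attribute outside Windows directory")
    if (not entry["is_dir"] and lower.endswith(EXEC_EXT)
            and not entry["company"] and in_user_dir):
        reasons.append("executable with no publisher in user-writable path")
    return reasons


def triage(lines, window=timedelta(minutes=10)):
    """Flag entries, then pull in unflagged entries created within `window`
    of a flagged one. Returns [(path, reasons), ...] in input order."""
    entries = [e for e in (parse_line(l) for l in lines) if e]
    reasons = {e["path"]: flag_entry(e) for e in entries}
    anchors = [e["created"] for e in entries if reasons[e["path"]]]
    minutes = int(window.total_seconds() // 60)
    for e in entries:
        if reasons[e["path"]]:
            continue
        if any(abs(e["created"] - t) <= window for t in anchors):
            reasons[e["path"]].append(
                "created within %d min of a flagged entry" % minutes)
    return [(e["path"], reasons[e["path"]]) for e in entries if reasons[e["path"]]]


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG.splitlines()):
        print(path)
        for reason in why:
            print("    -", reason)
```

Run against a full FRST.txt, the script points at the same cluster of entries a helper would ask about: the hidden and non-ASCII files under ProgramData and AppData\Roaming, the publisher-less DLL in AppData\Local, and the directories created in the same minute. Vendor-signed drivers and Windows Update files fall through untouched because they carry a publisher and live under the Windows directory.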



#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,549 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:38 AM

Posted 13 November 2014 - 11:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/555331 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,540 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:10:38 PM

Posted 17 November 2014 - 03:48 PM

Greetings Tashin32 and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that. :thumbup2:

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started :thumbup2:
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. While I review our situation I would like you to run a fresh FRST report making sure the Addition.txt box is checked.

===================================================

Farbar Recovery Scan Tool (FRST)

--------------------
  • Download Farbar Recovery Scan Tool for either 32 bit or 64 bit systems and save it to your desktop <<< Important
  • If you are unsure if you have 32 bit or 64 bit simply download and try one. If that doesn't run properly the other one should
  • Double click the icon
  • Click Yes to the disclaimer
  • Make sure the Addition.txt box is checked
  • Click Scan and allow the program to run
  • Click OK on the Scan complete screen, then OK on the Addition.txt pop up screen
  • 2 Notepad documents should now be open on your desktop.
  • Please copy and paste the contents of both in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • FRST results
  • Addition log
  • System Summary Information

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
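As an added example, not part of Gary's post and not a tool from FRST's author, here is a small Python triage helper for the "One Month Created Files and Folders" section of an FRST.txt: it parses the line layout FRST uses and attaches review cues to entries a helper checks first (hidden, publisher-less items in user-writable locations, non-ASCII names, bare-GUID task files, new top-level ProgramData folders). The line layout, the heuristics and the sample lines are my assumptions; the samples are constructed, modeled on the log pasted in this thread, and a cue is a prompt to check the item against known installs, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Layout of one line in FRST's "One Month Created/Modified Files and Folders"
# sections (assumption based on the format of the log in this thread):
#   <created> - <modified> - <size> <attrs> (<publisher>) <path>
# attrs is a 5-character field where e.g. D = directory, H = hidden,
# R = read-only, S = system; an empty "()" means no publisher information.
FRST_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8,}) (?P<attrs>[_A-Z]{5}) "
    r"\((?P<publisher>[^)]*)\) (?P<path>.+)$"
)

# Locations a user-level process can write to without elevation.
USER_WRITABLE = ("C:\\ProgramData\\", "\\AppData\\Roaming\\", "\\AppData\\Local\\")
TOP_LEVEL_PROGRAMDATA = re.compile(r"^C:\\ProgramData\\[^\\]+$", re.IGNORECASE)
GUID_TASK = re.compile(r"\\Tasks\\\{[0-9A-Fa-f-]{36}\}$")


@dataclass
class Entry:
    created: str
    modified: str
    size: int
    attrs: str
    publisher: str
    path: str
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST file/folder line; return None for headers and blank lines."""
    m = FRST_LINE.match(line.strip())
    if not m:
        return None
    return Entry(m["created"], m["modified"], int(m["size"]),
                 m["attrs"], m["publisher"], m["path"])


def triage(entry: Entry) -> List[str]:
    """Attach review cues to an entry. These are heuristics for a human to
    check against the machine's known installs, not a malware verdict."""
    name = entry.path.rsplit("\\", 1)[-1]
    in_user_area = any(marker.lower() in entry.path.lower() for marker in USER_WRITABLE)
    if any(ord(ch) > 127 for ch in name):
        entry.flags.append("non-ascii name")
    if in_user_area and "H" in entry.attrs and not entry.publisher:
        entry.flags.append("hidden item with no publisher in a user-writable area")
    if name.startswith("@"):
        entry.flags.append("name starts with '@'")
    if "D" in entry.attrs and TOP_LEVEL_PROGRAMDATA.match(entry.path) and not entry.publisher:
        entry.flags.append("new top-level ProgramData folder")
    if GUID_TASK.search(entry.path):
        entry.flags.append("scheduled task named by a bare GUID")
    return entry.flags


def triage_log(text: str) -> List[Entry]:
    """Return the entries of an FRST log section that carry at least one cue."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry):
            hits.append(entry)
    return hits


# Constructed sample lines, modeled on the FRST.txt pasted in this thread.
SAMPLE_LOG = """\
2014-11-08 22:32 - 2014-11-08 22:32 - 00000000 ____D () C:\\ProgramData\\MigiQdoy
2014-11-08 21:46 - 2014-11-08 22:58 - 00000160 ____H () C:\\ProgramData\\@system3.att
2014-11-08 21:45 - 2014-11-08 21:45 - 00000448 ____H () C:\\Users\\Bejita\\AppData\\Roaming\\麽鎒駓覜
2014-11-05 00:04 - 2014-11-05 00:04 - 00004046 _____ () C:\\Windows\\System32\\Tasks\\{2E5B73FF-E392-E947-DA1A-7D9FDBBE338A}
2014-11-12 01:56 - 2014-10-25 20:56 - 02237952 _____ (Microsoft Corporation) C:\\Windows\\system32\\wininet.dll
2014-11-08 15:41 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\\Windows\\system32\\Drivers\\mbamchameleon.sys
"""

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(f"{hit.created}  {hit.attrs}  {hit.path}")
        for flag in hit.flags:
            print(f"    - {flag}")
```

Run it against a saved FRST.txt by passing the file's contents to triage_log; signed vendor files such as the wininet.dll and mbamchameleon.sys samples produce no cue, while the four constructed user-area entries do.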

#5 Tashin32
  • Topic Starter

Posted 17 November 2014 - 08:32 PM

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 17-11-2014
Ran by Bejita (administrator) on SHINOBI on 17-11-2014 20:23:13
Running from C:\Users\Bejita\Desktop
Loaded Profile: Bejita (Available profiles: Bejita)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiWatchDog.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
(Trend Micro Inc.) C:\Program Files\Trend Micro\AMSP\AMSP_LogServer.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Trend Micro Inc.) C:\Program Files\Trend Micro\UniClient\UiFrmwrk\uiSeAgnt.exe
(Valve Corporation) G:\Program Files (x86)\Steam\Steam.exe
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Apple Inc.) E:\iTunes\iTunesHelper.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Valve Corporation) G:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Trend Micro Client Framework] => C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe [216928 2013-08-29] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Titanium] => C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe [1382568 2013-09-16] (Trend Micro Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767200 2014-04-17] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [iTunesHelper] => E:\iTunes\iTunesHelper.exe [152392 2014-02-21] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959176 2014-08-21] (Adobe Systems Incorporated)
HKU\S-1-5-21-1200494228-1057997902-151371316-1000\...\Run: [Steam] => G:\Program Files (x86)\Steam\steam.exe [1940160 2014-11-11] (Valve Corporation)
HKU\S-1-5-21-1200494228-1057997902-151371316-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [688984 2014-08-07] (Garmin Ltd or its subsidiaries)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1200494228-1057997902-151371316-1000\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-1200494228-1057997902-151371316-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
HKU\S-1-5-21-1200494228-1057997902-151371316-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x5C7FB37C2DB4CE01
HKU\S-1-5-21-1200494228-1057997902-151371316-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
BHO: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg.dll (Trend Micro Inc.)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe64.dll (Trend Micro Inc.)
BHO-x32: TmIEPlugInBHO Class -> {1CA1377B-DC1D-4A52-9585-6E06050FAC53} -> C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg32.dll (Trend Micro Inc.)
BHO-x32: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)
BHO-x32: ArcPluginIEBHO Class -> {84BFE29A-8139-402a-B2A4-C23AE9E1A75F} -> E:\Program Files (x86)\Perfect World Entertainment\Arc\Plugins\ArcPluginIE.dll (Perfect World Entertainment Inc)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe32.dll (Trend Micro Inc.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe64.dll (Trend Micro Inc.)
Handler-x32: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\TmBpIe32.dll (Trend Micro Inc.)
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg.dll (Trend Micro Inc.)
Handler-x32: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.5.1331\6.8.1094\TmIEPlg32.dll (Trend Micro Inc.)
Handler-x32: tmtbim - {0B37915C-8B98-4B9E-80D4-464D2C830D10} - C:\Program Files\Trend Micro\Titanium\UIFramework\ProToolbarIMRatingActiveX.dll (Trend Micro Inc.)
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 10.10.10.1

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> E:\iTunes\Mozilla Plugins\npitunes.dll ()
FF Plugin-x32: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3508.0205 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @perfectworld.com/npArcPlayNowPlugin -> E:\Program Files (x86)\Perfect World Entertainment\Arc\Plugins\npArcPluginFF.dll (Perfect World Entertainment Inc)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM\...\Firefox\Extensions: [tmbepff-7.5@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\firefoxextension
FF Extension: Trend Micro BEP Firefox Extension - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\firefoxextension [2013-10-08]
FF HKLM-x32\...\Firefox\Extensions: [tmbepff-7.5@trendmicro.com] - C:\Program Files\Trend Micro\AMSP\Module\20002\7.5.1137\7.5.1137\firefoxextension
FF HKLM-x32\...\Firefox\Extensions: [{22181a4d-af90-4ca3-a569-faed9118d6bc}] - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension
FF Extension: Trend Micro Toolbar - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension [2013-09-18]
FF HKLM-x32\...\Firefox\Extensions: [{22C7F6C6-8D67-4534-92B5-529A0EC09405}] - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension
FF Extension: Trend Micro NSC Firefox Extension - C:\Program Files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension [2013-10-08]

Chrome:
=======
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\pdf.dll ()
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll No File
CHR Plugin: (Trend Micro Titanium) - C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension\components\npToolbarChrome.dll (Trend Micro Inc.)
CHR Profile: C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-09-26]
CHR Extension: (Google Drive) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-09-26]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-24]
CHR Extension: (YouTube) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2013-09-26]
CHR Extension: (Google Search) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2013-09-26]
CHR Extension: (Google Wallet) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-26]
CHR Extension: (Gmail) - C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2013-09-26]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-04-17] (Advanced Micro Devices, Inc.) [File not signed]
S3 ArcService; E:\Program Files (x86)\Perfect World Entertainment\Arc\ArcService.exe [88400 2014-08-12] (Perfect World Entertainment Inc)
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2013-09-18] (Creative Labs) [File not signed]
S3 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2013-09-17] (Creative Labs) [File not signed]
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [307200 2008-11-18] (Creative Technology Ltd) [File not signed]
S4 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [175136 2014-09-04] (EasyAntiCheat Ltd)
R2 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [438616 2014-08-07] (Garmin Ltd or its subsidiaries)
R2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.3; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [8192 2005-03-29] ()
R1 tmactmon; C:\Windows\System32\DRIVERS\tmactmon.sys [109072 2013-09-04] (Trend Micro Inc.)
R0 tmcomm; C:\Windows\System32\DRIVERS\tmcomm.sys [175528 2013-09-04] (Trend Micro Inc.)
R0 TMEBC; C:\Windows\System32\DRIVERS\TMEBC64.sys [46392 2012-08-24] (Trend Micro Inc.)
R3 tmeevw; C:\Windows\System32\DRIVERS\tmeevw.sys [94520 2012-12-07] (Trend Micro Inc.)
R1 tmevtmgr; C:\Windows\System32\DRIVERS\tmevtmgr.sys [77184 2013-09-04] (Trend Micro Inc.)
R3 tmnciesc; C:\Windows\System32\DRIVERS\tmnciesc.sys [210232 2012-07-05] (Trend Micro Inc.)
R1 tmtdi; C:\Windows\System32\DRIVERS\tmtdi.sys [105744 2012-05-02] (Trend Micro Inc.)
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-17 20:19 - 2014-11-17 20:19 - 00000000 ____D () C:\Users\Bejita\Desktop\FRST-OlderVersion
2014-11-12 01:56 - 2014-11-05 12:56 - 00304640 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll
2014-11-12 01:56 - 2014-11-05 12:56 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\aepdu.dll
2014-11-12 01:56 - 2014-11-05 12:52 - 00424448 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll
2014-11-12 01:56 - 2014-10-25 20:56 - 02237952 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll
2014-11-12 01:56 - 2014-10-25 20:56 - 01409536 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll
2014-11-12 01:56 - 2014-10-25 20:55 - 19284480 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll
2014-11-12 01:56 - 2014-10-25 20:55 - 00603136 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll
2014-11-12 01:56 - 2014-10-25 20:54 - 15399424 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll
2014-11-12 01:56 - 2014-10-25 20:54 - 02655232 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll
2014-11-12 01:56 - 2014-10-25 20:54 - 00136704 _____ (Microsoft Corporation) C:\Windows\system32\iesysprep.dll
2014-11-12 01:56 - 2014-10-25 20:53 - 01509376 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl
2014-11-12 01:56 - 2014-10-25 19:36 - 01762816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2014-11-12 01:56 - 2014-10-25 19:35 - 14368768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2014-11-12 01:56 - 2014-10-25 19:35 - 01181696 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2014-11-12 01:56 - 2014-10-25 19:35 - 00493056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2014-11-12 01:56 - 2014-10-25 19:34 - 13758464 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2014-11-12 01:56 - 2014-10-25 19:34 - 02861568 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2014-11-12 01:56 - 2014-10-25 19:34 - 02055168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2014-11-12 01:56 - 2014-10-25 19:34 - 01441280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2014-11-12 01:56 - 2014-10-25 19:34 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2014-11-12 01:56 - 2014-10-25 19:34 - 00109056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2014-11-12 01:56 - 2014-10-24 20:57 - 00077824 _____ (Microsoft Corporation) C:\Windows\system32\packager.dll
2014-11-12 01:56 - 2014-10-24 20:32 - 00067584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\packager.dll
2014-11-12 01:56 - 2014-10-17 21:05 - 00861696 _____ (Microsoft Corporation) C:\Windows\system32\oleaut32.dll
2014-11-12 01:56 - 2014-10-17 20:33 - 00571904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\oleaut32.dll
2014-11-12 01:56 - 2014-10-13 21:16 - 00155064 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys
2014-11-12 01:56 - 2014-10-13 21:13 - 03241984 _____ (Microsoft Corporation) C:\Windows\system32\msi.dll
2014-11-12 01:56 - 2014-10-13 21:13 - 00683520 _____ (Microsoft Corporation) C:\Windows\system32\termsrv.dll
2014-11-12 01:56 - 2014-10-13 21:12 - 01460736 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll
2014-11-12 01:56 - 2014-10-13 21:09 - 00146432 _____ (Microsoft Corporation) C:\Windows\system32\msaudite.dll
2014-11-12 01:56 - 2014-10-13 21:07 - 00681984 _____ (Microsoft Corporation) C:\Windows\system32\adtschema.dll
2014-11-12 01:56 - 2014-10-13 20:50 - 02363904 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msi.dll
2014-11-12 01:56 - 2014-10-13 20:50 - 00022016 _____ (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2014-11-12 01:56 - 2014-10-13 20:49 - 00096768 _____ (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2014-11-12 01:56 - 2014-10-13 20:47 - 00146432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msaudite.dll
2014-11-12 01:56 - 2014-10-13 20:46 - 00681984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\adtschema.dll
2014-11-12 01:56 - 2014-10-09 19:57 - 03198976 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys
2014-11-12 01:56 - 2014-10-02 21:12 - 00500224 _____ (Microsoft Corporation) C:\Windows\system32\AUDIOKSE.dll
2014-11-12 01:56 - 2014-10-02 21:11 - 00680960 _____ (Microsoft Corporation) C:\Windows\system32\audiosrv.dll
2014-11-12 01:56 - 2014-10-02 21:11 - 00440832 _____ (Microsoft Corporation) C:\Windows\system32\AudioEng.dll
2014-11-12 01:56 - 2014-10-02 21:11 - 00296448 _____ (Microsoft Corporation) C:\Windows\system32\AudioSes.dll
2014-11-12 01:56 - 2014-10-02 21:11 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\EncDump.dll
2014-11-12 01:56 - 2014-10-02 20:44 - 00442880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AUDIOKSE.dll
2014-11-12 01:56 - 2014-10-02 20:44 - 00374784 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioEng.dll
2014-11-12 01:56 - 2014-10-02 20:44 - 00195584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AudioSes.dll
2014-11-12 01:56 - 2014-09-19 04:42 - 00728064 _____ (Microsoft Corporation) C:\Windows\system32\kerberos.dll
2014-11-12 01:56 - 2014-09-19 04:42 - 00342016 _____ (Microsoft Corporation) C:\Windows\system32\schannel.dll
2014-11-12 01:56 - 2014-09-19 04:42 - 00314880 _____ (Microsoft Corporation) C:\Windows\system32\msv1_0.dll
2014-11-12 01:56 - 2014-09-19 04:42 - 00309760 _____ (Microsoft Corporation) C:\Windows\system32\ncrypt.dll
2014-11-12 01:56 - 2014-09-19 04:42 - 00210944 _____ (Microsoft Corporation) C:\Windows\system32\wdigest.dll
2014-11-12 01:56 - 2014-09-19 04:42 - 00086528 _____ (Microsoft Corporation) C:\Windows\system32\TSpkg.dll
2014-11-12 01:56 - 2014-09-19 04:42 - 00022016 _____ (Microsoft Corporation) C:\Windows\system32\credssp.dll
2014-11-12 01:56 - 2014-09-19 04:23 - 00550912 _____ (Microsoft Corporation) C:\Windows\SysWOW64\kerberos.dll
2014-11-12 01:56 - 2014-09-19 04:23 - 00259584 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msv1_0.dll
2014-11-12 01:56 - 2014-09-19 04:23 - 00248832 _____ (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2014-11-12 01:56 - 2014-09-19 04:23 - 00221184 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2014-11-12 01:56 - 2014-09-19 04:23 - 00172032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wdigest.dll
2014-11-12 01:56 - 2014-09-19 04:23 - 00065536 _____ (Microsoft Corporation) C:\Windows\SysWOW64\TSpkg.dll
2014-11-12 01:56 - 2014-09-19 04:23 - 00017408 _____ (Microsoft Corporation) C:\Windows\SysWOW64\credssp.dll
2014-11-12 01:56 - 2014-08-21 01:43 - 01882624 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll
2014-11-12 01:56 - 2014-08-21 01:40 - 00002048 _____ (Microsoft Corporation) C:\Windows\system32\msxml3r.dll
2014-11-12 01:56 - 2014-08-21 01:26 - 01237504 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2014-11-12 01:56 - 2014-08-21 01:23 - 00002048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2014-11-12 01:56 - 2014-08-11 21:02 - 00878080 _____ (Microsoft Corporation) C:\Windows\system32\IMJP10K.DLL
2014-11-12 01:56 - 2014-08-11 20:36 - 00701440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\IMJP10K.DLL
2014-11-12 01:55 - 2014-10-25 20:56 - 00600064 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll
2014-11-12 01:55 - 2014-10-25 20:56 - 00051712 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe
2014-11-12 01:55 - 2014-10-25 20:55 - 00197120 _____ (Microsoft Corporation) C:\Windows\system32\msrating.dll
2014-11-12 01:55 - 2014-10-25 20:55 - 00097280 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll
2014-11-12 01:55 - 2014-10-25 20:54 - 03959296 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll
2014-11-12 01:55 - 2014-10-25 20:54 - 00855552 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll
2014-11-12 01:55 - 2014-10-25 20:54 - 00526336 _____ (Microsoft Corporation) C:\Windows\system32\ieui.dll
2014-11-12 01:55 - 2014-10-25 20:54 - 00451584 _____ (Microsoft Corporation) C:\Windows\system32\dxtmsft.dll
2014-11-12 01:55 - 2014-10-25 20:54 - 00281600 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll
2014-11-12 01:55 - 2014-10-25 20:54 - 00255488 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll
2014-11-12 01:55 - 2014-10-25 20:54 - 00067072 _____ (Microsoft Corporation) C:\Windows\system32\iesetup.dll
2014-11-12 01:55 - 2014-10-25 20:54 - 00053760 _____ (Microsoft Corporation) C:\Windows\system32\jsproxy.dll
2014-11-12 01:55 - 2014-10-25 20:54 - 00039936 _____ (Microsoft Corporation) C:\Windows\system32\iernonce.dll
2014-11-12 01:55 - 2014-10-25 19:35 - 00523776 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2014-11-12 01:55 - 2014-10-25 19:35 - 00163840 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2014-11-12 01:55 - 2014-10-25 19:35 - 00080384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2014-11-12 01:55 - 2014-10-25 19:34 - 00690688 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2014-11-12 01:55 - 2014-10-25 19:34 - 00391168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2014-11-12 01:55 - 2014-10-25 19:34 - 00357888 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2014-11-12 01:55 - 2014-10-25 19:34 - 00226816 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2014-11-12 01:55 - 2014-10-25 19:34 - 00061440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2014-11-12 01:55 - 2014-10-25 19:34 - 00039936 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2014-11-12 01:55 - 2014-10-25 19:34 - 00033280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2014-11-12 01:55 - 2014-10-25 19:19 - 02706432 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.tlb
2014-11-12 01:55 - 2014-10-25 19:13 - 02706432 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2014-11-12 01:55 - 2014-10-25 18:22 - 00089600 _____ (Microsoft Corporation) C:\Windows\system32\RegisterIEPKEYs.exe
2014-11-12 01:55 - 2014-10-25 18:17 - 00071680 _____ (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2014-11-08 22:50 - 2014-11-17 20:23 - 00014646 _____ () C:\Users\Bejita\Desktop\FRST.txt
2014-11-08 22:50 - 2014-11-17 20:19 - 02117120 _____ (Farbar) C:\Users\Bejita\Desktop\FRST64.exe
2014-11-08 22:46 - 2014-11-08 22:46 - 00601150 _____ () C:\Users\Bejita\Desktop\ESETPoweliksCleaner.exe_20141108.224627.4048.log
2014-11-08 22:32 - 2014-11-08 22:32 - 00000000 ____D () C:\ProgramData\MigiQdoy
2014-11-08 22:31 - 2014-11-08 22:31 - 00000000 ____D () C:\ProgramData\ZuwarBokno
2014-11-08 22:25 - 2014-11-08 22:25 - 00000000 ____D () C:\ProgramData\Emsisoft
2014-11-08 22:24 - 2014-11-08 22:24 - 00688992 ____R (Swearware) C:\Users\Bejita\Desktop\dds.com
2014-11-08 21:46 - 2014-11-08 22:58 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-08 21:46 - 2014-11-08 22:57 - 00000424 _____ () C:\ProgramData\@system.temp
2014-11-08 21:45 - 2014-11-08 21:45 - 00000448 ____H () C:\Users\Bejita\AppData\Roaming\麽鎒駓覜
2014-11-08 21:45 - 2014-11-08 21:45 - 00000000 ____D () C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7
2014-11-08 21:44 - 2014-11-08 21:44 - 00000000 ____D () C:\ProgramData\ZudbObqu
2014-11-08 21:44 - 2014-11-08 21:44 - 00000000 ____D () C:\ProgramData\ZiyoSegli
2014-11-08 17:57 - 2014-11-17 20:23 - 00000000 ____D () C:\FRST
2014-11-08 17:52 - 2014-11-09 19:58 - 00000000 ____D () C:\Program Files (x86)\Emsisoft Anti-Malware
2014-11-08 15:42 - 2014-11-08 15:57 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2014-11-08 15:41 - 2014-11-08 15:41 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-11-08 15:41 - 2014-11-08 15:41 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-11-08 15:41 - 2014-10-01 11:11 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2014-11-08 15:41 - 2014-10-01 11:11 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2014-11-08 15:40 - 2014-11-08 15:41 - 00000000 ____D () C:\Users\Bejita\AppData\Roaming\Malwarebytes
2014-11-08 15:17 - 2014-11-08 15:41 - 00000000 ____D () C:\ProgramData\Malwarebytes
2014-11-08 15:17 - 2014-10-01 11:11 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2014-11-07 19:11 - 2014-09-04 20:52 - 05703168 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2014-11-07 19:11 - 2014-08-28 21:07 - 03179520 _____ (Microsoft Corporation) C:\Windows\system32\rdpcorets.dll
2014-11-07 19:11 - 2014-05-08 04:32 - 00016384 _____ (Microsoft Corporation) C:\Windows\system32\RdpGroupPolicyExtension.dll
2014-11-07 19:10 - 2014-09-04 21:11 - 06584320 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2014-11-06 19:24 - 2013-10-01 21:22 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys
2014-11-06 19:24 - 2013-10-01 21:11 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2014-11-06 19:24 - 2013-10-01 21:08 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2014-11-06 19:24 - 2013-10-01 20:48 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll
2014-11-06 19:24 - 2013-10-01 20:48 - 00018944 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll
2014-11-06 19:24 - 2013-10-01 20:29 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2014-11-06 19:24 - 2013-10-01 20:10 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll
2014-11-06 19:24 - 2013-10-01 19:15 - 01057280 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll
2014-11-06 19:24 - 2013-10-01 19:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsRdpWebAccess.dll
2014-11-06 19:24 - 2013-10-01 19:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wksprtPS.dll
2014-11-06 19:24 - 2013-10-01 19:08 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2014-11-06 19:24 - 2013-10-01 19:01 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2014-11-06 19:24 - 2013-10-01 18:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2014-11-06 19:24 - 2013-10-01 18:31 - 01147392 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2014-11-06 19:24 - 2013-10-01 18:08 - 00855552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdvidcrl.dll
2014-11-06 19:24 - 2013-10-01 17:34 - 01068544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2014-11-06 19:24 - 2012-08-23 09:13 - 00243200 _____ (Microsoft Corporation) C:\Windows\system32\rdpudd.dll
2014-11-06 19:24 - 2012-08-23 09:10 - 00019456 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rdpvideominiport.sys
2014-11-06 19:24 - 2012-08-23 06:12 - 00192000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdpendp_winip.dll
2014-11-06 19:24 - 2012-08-23 05:51 - 00228864 _____ (Microsoft Corporation) C:\Windows\system32\rdpendp_winip.dll
2014-11-05 00:04 - 2014-11-05 00:04 - 00004046 _____ () C:\Windows\System32\Tasks\{2E5B73FF-E392-E947-DA1A-7D9FDBBE338A}
2014-11-04 01:20 - 2009-06-10 16:00 - 00000824 _____ () C:\Windows\system32\Drivers\etc\hosts.20141104-012020.backup
2014-11-04 00:34 - 2014-11-04 01:18 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2014-11-04 00:34 - 2014-11-04 00:59 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy
2014-11-04 00:34 - 2014-11-04 00:34 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy
2014-11-03 23:50 - 2014-11-08 22:32 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2014-10-30 22:22 - 2014-10-30 22:22 - 00000697 _____ () C:\Users\Public\Desktop\Nexus Mod Manager.lnk
2014-10-30 22:22 - 2014-10-30 22:22 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nexus Mod Manager

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2014-11-17 20:15 - 2009-07-13 23:45 - 00026016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-11-17 20:15 - 2009-07-13 23:45 - 00026016 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-11-17 20:14 - 2009-07-14 00:13 - 00782010 _____ () C:\Windows\system32\PerfStringBackup.INI
2014-11-17 20:11 - 2013-09-17 22:51 - 01676959 _____ () C:\Windows\WindowsUpdate.log
2014-11-17 20:08 - 2013-09-26 00:17 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-11-17 20:08 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-11-17 20:08 - 2009-07-13 23:51 - 00058295 _____ () C:\Windows\setupact.log
2014-11-12 21:03 - 2013-09-26 00:17 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-11-12 03:24 - 2009-07-13 23:45 - 00267672 _____ () C:\Windows\system32\FNTCACHE.DAT
2014-11-12 03:22 - 2014-05-06 00:19 - 00000000 ___SD () C:\Windows\system32\CompatTel
2014-11-12 03:05 - 2013-09-17 23:46 - 00000000 ____D () C:\Windows\system32\MRT
2014-11-12 03:03 - 2013-09-17 23:46 - 103374192 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2014-11-09 21:38 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2014-11-09 20:58 - 2013-09-22 14:45 - 00000000 ____D () C:\Users\Bejita\Documents\Nexus Mod Manager
2014-11-09 19:58 - 2013-09-18 00:06 - 00120622 _____ () C:\Windows\PFRO.log
2014-11-09 04:28 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\rescache
2014-11-08 22:36 - 2013-12-24 00:52 - 00000000 ____D () C:\Users\Bejita\AppData\Roaming\Spotify
2014-11-08 22:30 - 2014-03-18 22:18 - 00238128 _____ () C:\Windows\RegBootClean64.exe
2014-11-08 15:54 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\Branding
2014-11-08 10:41 - 2009-07-14 00:08 - 00032626 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2014-11-06 21:35 - 2013-12-24 00:52 - 00000000 ____D () C:\Users\Bejita\AppData\Local\Spotify
2014-11-06 21:33 - 2013-09-18 21:08 - 00000410 __RSH () C:\ProgramData\ntuser.pol
2014-11-06 19:35 - 2009-07-13 22:20 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2014-11-06 19:34 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\PolicyDefinitions
2014-11-06 19:32 - 2013-12-02 23:47 - 00011051 _____ () C:\Windows\IE11_main.log
2014-11-04 01:20 - 2009-07-13 21:34 - 00450716 ____R () C:\Windows\system32\Drivers\etc\hosts.20141108-114608.backup
2014-11-04 00:41 - 2013-09-17 22:51 - 00000000 ____D () C:\Users\Bejita\AppData\Local\VirtualStore
2014-10-30 22:22 - 2013-09-22 14:45 - 00000000 ____D () C:\Users\Bejita\AppData\Local\Black_Tree_Gaming
2014-10-30 22:02 - 2014-02-08 15:12 - 00000000 ____D () C:\Users\Bejita\AppData\Local\Windows Live
2014-10-29 02:04 - 2013-09-26 00:17 - 00002183 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-10-22 21:58 - 2013-09-26 00:17 - 00003894 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-10-22 21:58 - 2013-09-26 00:17 - 00003642 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore

Some content of TEMP:
====================
C:\Users\Bejita\AppData\Local\Temp\14975549.exe
C:\Users\Bejita\AppData\Local\Temp\15595607.exe
C:\Users\Bejita\AppData\Local\Temp\15872852.exe
C:\Users\Bejita\AppData\Local\Temp\cou.dll
C:\Users\Bejita\AppData\Local\Temp\djc.dll
C:\Users\Bejita\AppData\Local\Temp\ixm.dll
C:\Users\Bejita\AppData\Local\Temp\lpm.dll
C:\Users\Bejita\AppData\Local\Temp\lvo.dll
C:\Users\Bejita\AppData\Local\Temp\scc.dll
C:\Users\Bejita\AppData\Local\Temp\vhf.dll
C:\Users\Bejita\AppData\Local\Temp\wno.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-11-07 07:21

==================== End Of Log ============================

_______________________________________________________________________________________________________

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 17-11-2014
Ran by Bejita at 2014-11-17 20:23:42
Running from C:\Users\Bejita\Desktop
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Trend Micro Titanium (Enabled - Up to date) {B7599298-8445-728A-A5C7-A26A082C8BDA}
AS: Trend Micro Titanium (Enabled - Up to date) {0C38737C-A27F-7D04-9F77-991873ABC167}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

7 Days to Die (HKLM-x32\...\Steam App 251570) (Version:  - The Fun Pimps)
Adobe Flash Player 14 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 14.0.0.145 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.09) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.09 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{6119B3A6-3603-9695-0398-CDF2AF0A13F8}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
ANT Drivers Installer x64 (Version: 2.3.4 - Garmin Ltd or its subsidiaries) Hidden
Apple Application Support (HKLM-x32\...\{AAC5D43E-816D-4C2D-8E51-55FFF35BE301}) (Version: 3.0.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{787136D2-F0F8-4625-AA3F-72D7795AC842}) (Version: 7.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Arc (HKLM-x32\...\{CED8E25B-122A-4E80-B612-7F99B93284B3}) (Version: 1.0.0.5510 - Perfect World Entertainment)
BitTorrent (HKU\S-1-5-21-1200494228-1057997902-151371316-1000\...\BitTorrent) (Version: 7.8.2.30571 - BitTorrent Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Counter-Strike Nexon: Zombies (HKLM-x32\...\Steam App 273110) (Version:  - Nexon)
Creative ALchemy (HKLM-x32\...\ALchemy) (Version: 1.43 - Creative Technology Limited)
Creative Audio Control Panel (HKLM-x32\...\AudioCS) (Version: 2.56 - Creative Technology Limited)
Creative MediaSource 5 (HKLM-x32\...\{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}) (Version: 5.26 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM-x32\...\Creative Software AutoUpdate) (Version: 1.40 - Creative Technology Limited)
Creative Sound Blaster Properties x64 Edition (HKLM-x32\...\Creative Sound Blaster Properties x64 Edition) (Version:  - )
Creative WaveStudio 7 (HKLM-x32\...\WaveStudio 7) (Version: 7.14 - Creative Technology Limited)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Elevated Installer (x32 Version: 3.2.17.0 - Garmin Ltd or its subsidiaries) Hidden
F.E.A.R. 2: Project Origin (HKLM-x32\...\Steam App 16450) (Version:  - Monolith)
F.E.A.R. 3 (HKLM-x32\...\Steam App 21100) (Version:  - Day 1 Studios)
FINAL FANTASY XIV - A Realm Reborn (HKLM-x32\...\{2B41E132-07DF-4925-A3D3-F2D1765CCDFE}) (Version: 1.0.0000 - SQUARE ENIX CO., LTD.)
Free Sound Recorder v10.0.3 (HKLM-x32\...\Free Sound Recorder_is1) (Version:  - Copyright© 2005-2014 FreeSoundRecorder Technologies, Inc.)
Garmin Express (HKLM-x32\...\{b43ffffb-1adc-4bcb-b277-7844ebff94da}) (Version: 3.2.17.0 - Garmin Ltd or its subsidiaries)
Garmin Express (x32 Version: 3.2.17.0 - Garmin Ltd or its subsidiaries) Hidden
Garmin Express Tray (x32 Version: 3.2.17.0 - Garmin Ltd or its subsidiaries) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 38.0.2125.111 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.5 - Google Inc.) Hidden
Grand Theft Auto IV (HKLM-x32\...\Steam App 12210) (Version:  - Rockstar North)
iTunes (HKLM\...\{B8BA155B-1E75-405F-9CB4-8A99615D09DC}) (Version: 11.1.5.5 - Apple Inc.)
Java 7 Update 67 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217067FF}) (Version: 7.0.670 - Oracle)
Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
Max Payne 3 (HKLM-x32\...\Steam App 204100) (Version:  - Rockstar Studios)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Games for Windows - LIVE (HKLM-x32\...\{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}) (Version: 3.1.186.0 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{42AA4CA8-DCD8-4308-BCAB-0B6D75856A9D}) (Version: 3.5.95.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.50727 (HKLM-x32\...\{15134cb0-b767-4960-a911-f2d16ae54797}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
MotioninJoy Gamepad tool 0.7.1001 (HKLM\...\{330DAC67-5B62-452A-A0E4-6B4A5923940F}_is1) (Version: 0.7.1001 - www.motioninjoy.com)
Movie Maker (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
MSVCRT110_amd64 (Version: 16.4.1109.0912 - Microsoft) Hidden
Nexus Mod Manager (HKLM\...\6af12c54-643b-4752-87d0-8335503010de_is1) (Version: 0.52.3 - Black Tree Gaming)
Photo Common (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
Photo Gallery (x32 Version: 16.4.3508.0205 - Microsoft Corporation) Hidden
Raptr (HKLM-x32\...\Raptr) (Version:  - )
Saints Row IV (HKLM-x32\...\Steam App 206420) (Version:  - Deep Silver Volition)
SCHOOLDAYS HQ (HKLM-x32\...\SCHOOLDAYS HQ) (Version:  - )
Sid Meier's Civilization V (HKLM-x32\...\steam app 8930) (Version:  - 2K Games, Inc.)
Skype™ 6.20 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.20.104 - Skype Technologies S.A.)
Space Engineers (HKLM-x32\...\Steam App 244850) (Version:  - )
Spotify (HKU\S-1-5-21-1200494228-1057997902-151371316-1000\...\Spotify) (Version: 0.9.14.13.gba5645ad - Spotify AB)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
StarCraft II (HKLM-x32\...\StarCraft II) (Version:  - Blizzard Entertainment)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
Trend Micro Titanium (HKLM\...\{ABBD4BA8-6703-40D2-AB1E-5BB1F7DB49A4}) (Version: 6.0 - Trend Micro Inc.)
Trend Micro Titanium (Version: 6.00 - Trend Micro Inc.) Hidden
Windows Driver Package - Dynastream Innovations, Inc. ANT LibUSB Drivers (04/11/2012 1.2.40.201) (HKLM\...\F9D2A789F9CFF8CEC36B544F53877C80F1F73C46) (Version: 04/11/2012 1.2.40.201 - Dynastream Innovations, Inc.)
Windows Driver Package - Silicon Labs Software (DSI_SiUSBXp_3_1) USB  (02/06/2007 3.1) (HKLM\...\D1506E0025B5A3F9EB8270FE81C1EEDD9388B8A2) (Version: 02/06/2007 3.1 - Silicon Labs Software)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3508.0205 - Microsoft Corporation)
WinRAR 5.00 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.00.0 - win.rar GmbH)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

==================== Restore Points  =========================

08-11-2014 06:49:11 Windows Update
12-11-2014 08:00:19 Windows Update

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2014-11-08 11:46 - 00450716 ____R C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 1000gratisproben.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 10sek.com
127.0.0.1 www.10sek.com
127.0.0.1 www.1-2005-search.com
127.0.0.1 1-2005-search.com
127.0.0.1 123fporn.info
127.0.0.1 www.123fporn.info
127.0.0.1 123haustiereundmehr.com
127.0.0.1 www.123haustiereundmehr.com
127.0.0.1 123moviedownload.com

There are 1000 more lines.

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {17664CDA-5399-4D28-811F-AB36F8D370C4} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-09-26] (Google Inc.)
Task: {447576B4-B55B-4562-BB9A-375349157AB1} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-09-26] (Google Inc.)
Task: {78233B3C-86FC-4010-B549-525836408A1E} - System32\Tasks\{2E5B73FF-E392-E947-DA1A-7D9FDBBE338A} => C:\Users\Bejita\AppData\Roaming\ksmazie.dll/s "C:\Users\Bejita\AppData\Roaming\ksmazie.dll" <==== ATTENTION
Task: {7F7A282E-43A6-4947-A707-AF333AE1C5A6} - System32\Tasks\GarminUpdaterTask => C:\Program Files (x86)\Garmin\Express Self Updater\ExpressSelfUpdater.exe [2014-08-07] ()
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (whitelisted) =============

2013-09-18 21:07 - 2012-05-02 14:27 - 00049664 _____ () C:\Program Files\Trend Micro\AMSP\boost_date_time-vc80-mt-1_49.dll
2013-09-18 21:07 - 2012-05-02 14:24 - 00731136 _____ () C:\Program Files\Trend Micro\AMSP\sqlite3.dll
2013-09-18 21:07 - 2012-05-02 14:24 - 00064512 _____ () C:\Program Files\Trend Micro\AMSP\boost_thread-vc80-mt-1_49.dll
2013-09-18 21:07 - 2012-05-02 14:25 - 01719808 _____ () C:\Program Files\Trend Micro\AMSP\libprotobuf.dll
2013-09-18 21:07 - 2012-05-02 14:25 - 00016896 _____ () C:\Program Files\Trend Micro\AMSP\boost_system-vc80-mt-1_49.dll
2013-09-18 00:11 - 2012-07-25 10:53 - 00289088 _____ () C:\Program Files\Trend Micro\UniClient\plugins\LUADLL.dll
2014-04-17 21:29 - 2014-04-17 21:29 - 00102400 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Proxy.Native.dll
2014-02-12 19:58 - 2014-02-12 19:58 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-02-12 19:58 - 2014-02-12 19:58 - 01044808 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2014-08-28 20:01 - 2014-11-11 13:48 - 01171456 _____ () G:\Program Files (x86)\Steam\libavcodec-56.dll
2014-08-28 20:01 - 2014-11-11 13:48 - 00442368 _____ () G:\Program Files (x86)\Steam\libavutil-54.dll
2014-08-28 20:01 - 2014-11-11 13:48 - 00332800 _____ () G:\Program Files (x86)\Steam\libavresample-2.dll
2013-03-12 16:10 - 2014-11-11 13:47 - 00774656 _____ () G:\Program Files (x86)\Steam\SDL2.dll
2014-05-21 21:44 - 2014-11-11 20:04 - 02227904 _____ () G:\Program Files (x86)\Steam\video.dll
2014-08-28 20:01 - 2014-11-11 13:48 - 00403968 _____ () G:\Program Files (x86)\Steam\libavformat-56.dll
2014-08-28 20:01 - 2014-11-11 13:48 - 00485888 _____ () G:\Program Files (x86)\Steam\libswscale-3.dll
2013-09-18 21:34 - 2014-11-11 20:04 - 00690880 _____ () G:\Program Files (x86)\Steam\bin\chromehtml.DLL
2013-09-18 21:34 - 2014-11-11 13:48 - 34589888 _____ () G:\Program Files (x86)\Steam\bin\libcef.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Administrator (S-1-5-21-1200494228-1057997902-151371316-500 - Administrator - Disabled)
Bejita (S-1-5-21-1200494228-1057997902-151371316-1000 - Administrator - Enabled) => C:\Users\Bejita
Guest (S-1-5-21-1200494228-1057997902-151371316-501 - Limited - Disabled)

==================== Faulty Device Manager Devices =============

==================== Event log errors: =========================

Application errors:
==================
Error: (11/08/2014 11:46:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: FalloutNV.exe, version: 1.4.0.525, time stamp: 0x4e0d50ed
Faulting module name: FalloutNV.exe, version: 1.4.0.525, time stamp: 0x4e0d50ed
Exception code: 0xc0000005
Fault offset: 0x006615de
Faulting process id: 0x1408
Faulting application start time: 0xFalloutNV.exe0
Faulting application path: FalloutNV.exe1
Faulting module path: FalloutNV.exe2
Report Id: FalloutNV.exe3

Error: (11/08/2014 10:32:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: msiexec.exe, version: 1.2.0.0, time stamp: 0x545e2d69
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x002384c2
Faulting process id: 0x2394
Faulting application start time: 0xmsiexec.exe0
Faulting application path: msiexec.exe1
Faulting module path: msiexec.exe2
Report Id: msiexec.exe3

Error: (11/08/2014 10:32:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: msiexec.exe, version: 1.2.0.0, time stamp: 0x545e2d69
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x002c84c2
Faulting process id: 0x17c0
Faulting application start time: 0xmsiexec.exe0
Faulting application path: msiexec.exe1
Faulting module path: msiexec.exe2
Report Id: msiexec.exe3

Error: (11/08/2014 10:32:13 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file  for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program ISCT and IFFS Driver because of this error.

Program: ISCT and IFFS Driver
File:

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
 - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
 - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.

Additional Data
Error value: 00000000
Disk type: 0

Error: (11/08/2014 10:32:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: msiexec.exe, version: 1.0.0.1002, time stamp: 0x545e6a4d
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000001d
Fault offset: 0x000209e1
Faulting process id: 0x317c
Faulting application start time: 0xmsiexec.exe0
Faulting application path: msiexec.exe1
Faulting module path: msiexec.exe2
Report Id: msiexec.exe3

Error: (11/08/2014 10:32:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: msiexec.exe, version: 0.0.0.0, time stamp: 0x544e61f4
Faulting module name: msiexec.exe, version: 0.0.0.0, time stamp: 0x544e61f4
Exception code: 0x80000003
Fault offset: 0x00002fed
Faulting process id: 0x3980
Faulting application start time: 0xmsiexec.exe0
Faulting application path: msiexec.exe1
Faulting module path: msiexec.exe2
Report Id: msiexec.exe3

Error: (11/08/2014 10:32:07 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: Windows cannot access the file  for one of the following reasons:
there is a problem with the network connection, the disk that the file is stored on, or the storage
drivers installed on this computer; or the disk is missing.
Windows closed the program ISCT and IFFS Driver because of this error.

Program: ISCT and IFFS Driver
File:

The error value is listed in the Additional Data section.
User Action
1. Open the file again.
This situation might be a temporary problem that corrects itself when the program runs again.
2.
If the file still cannot be accessed and
 - It is on the network,
your network administrator should verify that there is not a problem with the network and that the server can be contacted.
 - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for
further assistance.

Additional Data
Error value: 00000000
Disk type: 0

Error: (11/08/2014 10:32:07 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: msiexec.exe, version: 1.0.0.1002, time stamp: 0x545e6a4d
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc000001d
Fault offset: 0x000209e1
Faulting process id: 0xd30
Faulting application start time: 0xmsiexec.exe0
Faulting application path: msiexec.exe1
Faulting module path: msiexec.exe2
Report Id: msiexec.exe3

Error: (11/08/2014 10:32:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: msiexec.exe, version: 0.0.0.0, time stamp: 0x544e61f4
Faulting module name: msiexec.exe, version: 0.0.0.0, time stamp: 0x544e61f4
Exception code: 0x80000003
Fault offset: 0x00002fed
Faulting process id: 0x1bc4
Faulting application start time: 0xmsiexec.exe0
Faulting application path: msiexec.exe1
Faulting module path: msiexec.exe2
Report Id: msiexec.exe3

Error: (11/08/2014 10:31:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iexplore.exe, version: 10.0.9200.17116, time stamp: 0x4a5bc6b7
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x06dbc020
Faulting process id: 0x9b0
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3

System errors:
=============
Error: (11/17/2014 08:08:12 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (11/12/2014 07:58:24 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Steam Client Service service failed to start due to the following error:
%%1053

Error: (11/12/2014 07:58:24 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.

Error: (11/12/2014 07:56:23 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (11/12/2014 07:56:23 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Garmin Core Update Service service failed to start due to the following error:
%%1053

Error: (11/12/2014 07:56:23 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Garmin Core Update Service service to connect.

Error: (11/12/2014 04:23:03 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/12/2014 04:22:34 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 20.

Error: (11/12/2014 03:24:19 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Error: (11/12/2014 01:48:38 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom

Microsoft Office Sessions:
=========================
Error: (11/08/2014 11:46:55 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: FalloutNV.exe1.4.0.5254e0d50edFalloutNV.exe1.4.0.5254e0d50edc0000005006615de140801cffbd4b7792df6g:\program files (x86)\steam\steamapps\common\Fallout New Vegas\FalloutNV.exeg:\program files (x86)\steam\steamapps\common\Fallout New Vegas\FalloutNV.exe6dceaf4b-67cb-11e4-a1e0-bcaec51da594

Error: (11/08/2014 10:32:30 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: msiexec.exe1.2.0.0545e2d69unknown0.0.0.000000000c0000005002384c2239401cffbcdbcbaea87C:\ProgramData\Windows Genuine Advantage\{BBE7764F-DA56-49DE-BCF4-00669D61C1E0}\msiexec.exeunknown08222007-67c1-11e4-9ce4-bcaec51da594

Error: (11/08/2014 10:32:21 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: msiexec.exe1.2.0.0545e2d69unknown0.0.0.000000000c0000005002c84c217c001cffbcdb6fca5d0C:\ProgramData\Windows Genuine Advantage\{9907EB5C-A86E-41C2-A5BE-5978AEE597A1}\msiexec.exeunknown02c361d5-67c1-11e4-9ce4-bcaec51da594

Error: (11/08/2014 10:32:13 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: ISCT and IFFS Driver000000000

Error: (11/08/2014 10:32:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: msiexec.exe1.0.0.1002545e6a4dunknown0.0.0.000000000c000001d000209e1317c01cffbcdbf3e1c62C:\ProgramData\Windows Genuine Advantage\{45185B09-BFBB-4A80-B71B-083A34F46FBA}\msiexec.exeunknownfe30a931-67c0-11e4-9ce4-bcaec51da594

Error: (11/08/2014 10:32:08 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: msiexec.exe0.0.0.0544e61f4msiexec.exe0.0.0.0544e61f48000000300002fed398001cffbcdbbb92e31C:\ProgramData\Windows Genuine Advantage\{F728FC40-5B4A-453C-B882-A12D9E385C54}\msiexec.exeC:\ProgramData\Windows Genuine Advantage\{F728FC40-5B4A-453C-B882-A12D9E385C54}\msiexec.exefb7db413-67c0-11e4-9ce4-bcaec51da594

Error: (11/08/2014 10:32:07 PM) (Source: Application Error) (EventID: 1005) (User: )
Description: ISCT and IFFS Driver000000000

Error: (11/08/2014 10:32:07 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: msiexec.exe1.0.0.1002545e6a4dunknown0.0.0.000000000c000001d000209e1d3001cffbcdba8a6dc2C:\ProgramData\Windows Genuine Advantage\{9B7D776D-3FA3-46FA-8F76-B91C08BC21AB}\msiexec.exeunknownfa9c5176-67c0-11e4-9ce4-bcaec51da594

Error: (11/08/2014 10:32:00 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: msiexec.exe0.0.0.0544e61f4msiexec.exe0.0.0.0544e61f48000000300002fed1bc401cffbcdb607baeaC:\ProgramData\Windows Genuine Advantage\{31294C82-2017-4F10-9142-C4F1D3D38874}\msiexec.exeC:\ProgramData\Windows Genuine Advantage\{31294C82-2017-4F10-9142-C4F1D3D38874}\msiexec.exef6408820-67c0-11e4-9ce4-bcaec51da594

Error: (11/08/2014 10:31:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iexplore.exe10.0.9200.171164a5bc6b7unknown0.0.0.000000000c000000506dbc0209b001cffbcd70ba8ac4C:\Program Files\Internet Explorer\iexplore.exeunknownd370bc92-67c0-11e4-9ce4-bcaec51da594

==================== Memory info ===========================

Processor: AMD Athlon™ II X4 635 Processor
Percentage of memory in use: 28%
Total physical RAM: 6142.18 MB
Available physical RAM: 4379.34 MB
Total Pagefile: 12282.54 MB
Available Pagefile: 10389.49 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.79 GB) (Free:55.05 GB) NTFS
Drive d: (Stuff) (Fixed) (Total:62.9 GB) (Free:45.8 GB) NTFS
Drive e: (Games and Stuff) (Fixed) (Total:402.76 GB) (Free:88.04 GB) NTFS
Drive g: (Steam) (Fixed) (Total:465.63 GB) (Free:123.72 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: AEB04D9B)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=62.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=402.8 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 465.8 GB) (Disk ID: F9A87FD8)

Partition: GPT Partition Type.

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: 7AE75770)
Partition 1: (Not Active) - (Size=111.8 GB) - (Type=07 NTFS)

==================== End Of Log ============================

#6 Oh My!


    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,540 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:38 PM

Posted 18 November 2014 - 11:03 AM

Thank you for the information. Please do these things for me.

===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed click on Clean
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can also find the logfile at C:\AdwCleaner\AdwCleaner.txt
===================================================

Junkware Removal Tool by thisisu

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [X]
2014-11-08 22:32 - 2014-11-08 22:32 - 00000000 ____D () C:\ProgramData\MigiQdoy
2014-11-08 22:31 - 2014-11-08 22:31 - 00000000 ____D () C:\ProgramData\ZuwarBokno
2014-11-08 21:46 - 2014-11-08 22:58 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-08 21:46 - 2014-11-08 22:57 - 00000424 _____ () C:\ProgramData\@system.temp
2014-11-08 21:45 - 2014-11-08 21:45 - 00000448 ____H () C:\Users\Bejita\AppData\Roaming\麽鎒駓覜
2014-11-08 21:45 - 2014-11-08 21:45 - 00000000 ____D () C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7
2014-11-08 21:44 - 2014-11-08 21:44 - 00000000 ____D () C:\ProgramData\ZudbObqu
2014-11-08 21:44 - 2014-11-08 21:44 - 00000000 ____D () C:\ProgramData\ZiyoSegli
C:\Users\Bejita\AppData\Local\Temp\14975549.exe
C:\Users\Bejita\AppData\Local\Temp\15595607.exe
C:\Users\Bejita\AppData\Local\Temp\15872852.exe
C:\Users\Bejita\AppData\Local\Temp\cou.dll
C:\Users\Bejita\AppData\Local\Temp\djc.dll
C:\Users\Bejita\AppData\Local\Temp\ixm.dll
C:\Users\Bejita\AppData\Local\Temp\lpm.dll
C:\Users\Bejita\AppData\Local\Temp\lvo.dll
C:\Users\Bejita\AppData\Local\Temp\scc.dll
C:\Users\Bejita\AppData\Local\Temp\vhf.dll
C:\Users\Bejita\AppData\Local\Temp\wno.dll
Task: {78233B3C-86FC-4010-B549-525836408A1E} - System32\Tasks\{2E5B73FF-E392-E947-DA1A-7D9FDBBE338A} => C:\Users\Bejita\AppData\Roaming\ksmazie.dll/s "C:\Users\Bejita\AppData\Roaming\ksmazie.dll" <==== ATTENTION
C:\Users\Bejita\AppData\Roaming\ksmazie.dll
EmptyTemp:
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • AdwCleaner log
  • Junkware log
  • Fixlog
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
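A read-only check in the spirit of the FRST task entry flagged above (the {GUID}-named task whose action is a DLL under AppData\Roaming). This is an added example, not part of Gary's instructions and not FRST's own code; it assumes the ScheduledTasks module (Windows 8 / Server 2012 or later) and the path patterns it looks for are my own choices.

```powershell
# Added example, not from the thread or from FRST: list scheduled tasks whose
# action runs from a user-writable directory, targets a DLL path, or whose name
# is a bare GUID, the three traits of the entry FRST marked "<==== ATTENTION".
# Assumes the ScheduledTasks module (Windows 8 / Server 2012 or later).
# Run from an elevated prompt so that every user's tasks are visible; it deletes nothing.

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        # Locations a legitimate scheduled task rarely executes from (assumed list).
        [string]$SuspectPathPattern = '(?i)\\(AppData|ProgramData|Temp|Users\\Public)\\',
        # Task names that are nothing but a GUID, as in System32\Tasks\{2E5B73FF-...}
        [string]$GuidNamePattern = '^\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$'
    )

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler actions do not.
            if (-not $action.PSObject.Properties['Execute']) { continue }

            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments
            $reasons   = @()

            if ("$exe $arguments" -match $SuspectPathPattern) {
                $reasons += 'runs from a user-writable directory'
            }
            if ($exe -match '(?i)\.dll(\s|$|/)') {
                # A DLL is not directly executable; a normal task would name rundll32 or an EXE.
                $reasons += 'action target is a DLL path'
            }
            if ($task.TaskName -match $GuidNamePattern) {
                $reasons += 'task name is a bare GUID'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $arguments
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
    }
}

# Example run: show the findings and keep a copy on the desktop to paste into a reply.
$findings = Get-SuspiciousScheduledTask
$findings | Format-List
$findings | Export-Csv -Path "$env:USERPROFILE\Desktop\SuspiciousTasks.csv" -NoTypeInformation
```

Entries that match only the GUID-name rule need a second look before acting, since some vendor installers also create GUID-named tasks; the Execute path decides.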

#7 Tashin32

Tashin32
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:38 AM

Posted 18 November 2014 - 11:44 AM

# AdwCleaner v4.101 - Report created 18/11/2014 at 11:13:21
# Updated 09/11/2014 by Xplode
# Database : 2014-11-16.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Bejita - SHINOBI
# Running from : C:\Users\Bejita\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.17148

-\\ Google Chrome v38.0.2125.111

[C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Bejita\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.midwayusa.com/find?userSearchQuery={searchTerms}

*************************

AdwCleaner[R0].txt - [2632 octets] - [18/11/2014 11:11:32]
AdwCleaner[S0].txt - [2569 octets] - [18/11/2014 11:13:21]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2629 octets] ##########

 

_____________________________________________________________________________________________________

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.9 (11.15.2014:2)
OS: Windows 7 Professional x64
Ran by Bejita on Tue 11/18/2014 at 11:18:43.36
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

~~~ Services

 

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL

 

~~~ Registry Keys

 

~~~ Files

 

~~~ Folders

 

~~~ Event Viewer Logs were cleared

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 11/18/2014 at 11:21:14.94
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

________________________________________________________________________________________________________

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-11-2014
Ran by Bejita at 2014-11-18 11:26:07 Run:1
Running from C:\Users\Bejita\Desktop
Loaded Profile: Bejita (Available profiles: Bejita)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [X]
2014-11-08 22:32 - 2014-11-08 22:32 - 00000000 ____D () C:\ProgramData\MigiQdoy
2014-11-08 22:31 - 2014-11-08 22:31 - 00000000 ____D () C:\ProgramData\ZuwarBokno
2014-11-08 21:46 - 2014-11-08 22:58 - 00000160 ____H () C:\ProgramData\@system3.att
2014-11-08 21:46 - 2014-11-08 22:57 - 00000424 _____ () C:\ProgramData\@system.temp
2014-11-08 21:45 - 2014-11-08 21:45 - 00000448 ____H () C:\Users\Bejita\AppData\Roaming\????
2014-11-08 21:45 - 2014-11-08 21:45 - 00000000 ____D () C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7
2014-11-08 21:44 - 2014-11-08 21:44 - 00000000 ____D () C:\ProgramData\ZudbObqu
2014-11-08 21:44 - 2014-11-08 21:44 - 00000000 ____D () C:\ProgramData\ZiyoSegli
C:\Users\Bejita\AppData\Local\Temp\14975549.exe
C:\Users\Bejita\AppData\Local\Temp\15595607.exe
C:\Users\Bejita\AppData\Local\Temp\15872852.exe
C:\Users\Bejita\AppData\Local\Temp\cou.dll
C:\Users\Bejita\AppData\Local\Temp\djc.dll
C:\Users\Bejita\AppData\Local\Temp\ixm.dll
C:\Users\Bejita\AppData\Local\Temp\lpm.dll
C:\Users\Bejita\AppData\Local\Temp\lvo.dll
C:\Users\Bejita\AppData\Local\Temp\scc.dll
C:\Users\Bejita\AppData\Local\Temp\vhf.dll
C:\Users\Bejita\AppData\Local\Temp\wno.dll
Task: {78233B3C-86FC-4010-B549-525836408A1E} - System32\Tasks\{2E5B73FF-E392-E947-DA1A-7D9FDBBE338A} => C:\Users\Bejita\AppData\Roaming\ksmazie.dll/s "C:\Users\Bejita\AppData\Roaming\ksmazie.dll" <==== ATTENTION
C:\Users\Bejita\AppData\Roaming\ksmazie.dll
EmptyTemp:
*****************

cleanhlp => Service deleted successfully.
C:\ProgramData\MigiQdoy => Moved successfully.
C:\ProgramData\ZuwarBokno => Moved successfully.
C:\ProgramData\@system3.att => Moved successfully.
C:\ProgramData\@system.temp => Moved successfully.

"C:\Users\Bejita\AppData\Roaming\????" directory move:

Could not move "C:\Users\Bejita\AppData\Roaming\????" directory. => Scheduled to move on reboot.

C:\Users\Bejita\AppData\Roaming\FrameworkUpdate7 => Moved successfully.
C:\ProgramData\ZudbObqu => Moved successfully.
C:\ProgramData\ZiyoSegli => Moved successfully.
C:\Users\Bejita\AppData\Local\Temp\14975549.exe => Moved successfully.
C:\Users\Bejita\AppData\Local\Temp\15595607.exe => Moved successfully.
C:\Users\Bejita\AppData\Local\Temp\15872852.exe => Moved successfully.
C:\Users\Bejita\AppData\Local\Temp\cou.dll => Moved successfully.
C:\Users\Bejita\AppData\Local\Temp\djc.dll => Moved successfully.
C:\Users\Bejita\AppData\Local\Temp\ixm.dll => Moved successfully.
C:\Users\Bejita\AppData\Local\Temp\lpm.dll => Moved successfully.
C:\Users\Bejita\AppData\Local\Temp\lvo.dll => Moved successfully.
C:\Users\Bejita\AppData\Local\Temp\scc.dll => Moved successfully.
C:\Users\Bejita\AppData\Local\Temp\vhf.dll => Moved successfully.
C:\Users\Bejita\AppData\Local\Temp\wno.dll => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{78233B3C-86FC-4010-B549-525836408A1E}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{78233B3C-86FC-4010-B549-525836408A1E}" => Key deleted successfully.
C:\Windows\System32\Tasks\{2E5B73FF-E392-E947-DA1A-7D9FDBBE338A} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{2E5B73FF-E392-E947-DA1A-7D9FDBBE338A}" => Key deleted successfully.
"C:\Users\Bejita\AppData\Roaming\ksmazie.dll" => File/Directory not found.
EmptyTemp: => Removed 6 GB temporary data.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-11-18 11:30:59)<=

"C:\Users\Bejita\AppData\Roaming\????" => Directory could not move.

==== End of Fixlog ====

 

________________________________________________________________________________________________________

 

Things seem to be running ok, but it always takes a little while to build up steam after a reboot until things are lagging like crazy with ANY internet browser showing multiple processes running with only one tab open, or running upwards of 1 GB of memory with only a single process. As I am typing this, I have two tabs open in IE, my email and this forum. Currently that single process of iexplore.exe is taking 378,136 K of memory and slowly fluctuating. I'll only know for sure after a short while. As far as Google Chrome or Firefox are concerned, if I open a single window and let it sit on my home page I see 5 processes appear in Task Manager for the single tab. By the end of this paragraph, the memory usage on my single iexplore.exe process has increased to 409,236 K without me changing anything.



#8 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 35,540 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:10:38 PM

Posted 18 November 2014 - 11:55 AM

Thanks,

Memory usage will always fluctuate so that may or may not be an issue. I need you to manually delete a folder since the folder contains strange characters and FRST can't handle it. Using Windows Explorer please navigate to the following location and delete the folder.

C:\Users\Bejita\AppData\Roaming\麽鎒駓覜

Following that please do this.

===================================================

RogueKiller by Tigzy

--------------------
  • Download RogueKiller and save it to your desktop
  • Close all running programs
  • For Windows 8/7/Vista users right click on the icon and select Run as Administrator
  • For Windows XP simply double click on the icon
  • When prompted, Click Scan
  • A report should open and a copy of the report will be placed on your desktop
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If it really won't run, rename it winlogon.exe (or winlogon.com) and try again
  • Copy and paste the contents of the report in your reply
===================================================

Run Combofix in Vista/7

--------------------

Combofix is a very powerful tool and special attention must be taken to allow it to work properly. Please pay careful attention to the following instructions.
  • Please download ComboFix from one of these locations:

BleepingComputer
ForoSpyware

  • Save Combofix.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.
Note #1: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue

If Combofix fails to run properly using the above instructions please attempt the following:
  • Right click on the Combofix icon on your desktop and select Delete
  • Download a new copy but rename it to freshcopy.exe first, then save it to your desktop
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Right click on RKill (or iExplore) and select Run as Administrator. If you are using Windows XP simply double click the icon
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
  • Double click the freshcopy.exe icon (renamed Combofix file)
  • When finished, it will produce a log. Please copy and paste the C:\Combofix.txt log information in your next reply
  • If you disabled your antivirus please enable it again. If you uninstalled it please wait for instructions to reinstall it
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Were you able to delete the folder?
  • RogueKiller log
  • Combofix log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#9 Tashin32

Tashin32
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:38 AM

Posted 18 November 2014 - 01:55 PM

I was able to delete the folder and empty the recycling bin without issues.

 

________________________________________________________________________________________________________

 

RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Bejita [Administrator]
Mode : Scan -- Date : 11/18/2014  13:40:32

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 14 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1200494228-1057997902-151371316-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://mail.google.com/mail/u/0/#inbox  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1200494228-1057997902-151371316-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://mail.google.com/mail/u/0/#inbox  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 10.10.10.1 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 10.10.10.1 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 10.10.10.1 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{29C6F6D6-2A7E-45E8-86C4-3F8411CD25E4} | DhcpNameServer : 10.10.10.1 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{29C6F6D6-2A7E-45E8-86C4-3F8411CD25E4} | DhcpNameServer : 10.10.10.1 [(Private Address) (XX)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{29C6F6D6-2A7E-45E8-86C4-3F8411CD25E4} | DhcpNameServer : 10.10.10.1 [(Private Address) (XX)]  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1200494228-1057997902-151371316-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1200494228-1057997902-151371316-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AADS-00S9B0 ATA Device +++++
--- User ---
[MBR] fe9622160da30bcdc6275701bcf2aa14
[BSP] 4204c03ba7dfef932c06c4e79481ba07 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 64410 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 132120576 | Size: 412426 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD5000AAKX-001CA0 ATA Device +++++
--- User ---
[MBR] a1ee7f7d4da6a82de4a3503e1fec083e
[BSP] 68556d27eb09b635bfae09c6567af25e : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: Samsung SSD 840 Series ATA Device +++++
--- User ---
[MBR] 20f0b5e24d79519b481be93c6d76256a
[BSP] 4b90529ee20d4c5efb29f21da691e1a7 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 114471 MB
User = LL1 ... OK
User = LL2 ... OK

 

________________________________________________________________________________________________________

 

ComboFix 14-11-17.01 - Bejita 11/18/2014  13:47:34.1.4 - x64
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.6142.4608 [GMT -5:00]
Running from: c:\users\Bejita\Desktop\ComboFix.exe
AV: Trend Micro Titanium *Disabled/Updated* {B7599298-8445-728A-A5C7-A26A082C8BDA}
SP: Trend Micro Titanium *Disabled/Updated* {0C38737C-A27F-7D04-9F77-991873ABC167}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
E:\setup.exe
.
.
(((((((((((((((((((((((((   Files Created from 2014-10-18 to 2014-11-18  )))))))))))))))))))))))))))))))
.
.
2014-11-18 18:51 . 2014-11-18 18:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-11-18 17:01 . 2014-11-18 17:37 34808 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2014-11-18 17:01 . 2014-11-18 17:01 -------- d-----w- c:\programdata\RogueKiller
2014-11-18 16:18 . 2014-11-18 16:18 -------- d-----w- c:\windows\ERUNT
2014-11-18 16:11 . 2014-11-18 16:13 -------- d-----w- C:\AdwCleaner
2014-11-12 06:55 . 2014-10-26 01:54 3959296 ----a-w- c:\windows\system32\jscript9.dll
2014-11-09 03:25 . 2014-11-09 03:25 -------- d-----w- c:\programdata\Emsisoft
2014-11-08 22:57 . 2014-11-18 16:30 -------- d-----w- C:\FRST
2014-11-08 22:52 . 2014-11-10 00:58 -------- d-----w- c:\program files (x86)\Emsisoft Anti-Malware
2014-11-08 20:42 . 2014-11-08 20:57 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-11-08 20:41 . 2014-11-08 20:41 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-11-08 20:41 . 2014-10-01 16:11 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-08 20:41 . 2014-10-01 16:11 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-08 20:40 . 2014-11-08 20:41 -------- d-----w- c:\users\Bejita\AppData\Roaming\Malwarebytes
2014-11-08 20:17 . 2014-11-08 20:41 -------- d-----w- c:\programdata\Malwarebytes
2014-11-08 20:17 . 2014-10-01 16:11 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-08 00:11 . 2014-08-29 02:07 3179520 ----a-w- c:\windows\system32\rdpcorets.dll
2014-11-08 00:11 . 2014-05-08 09:32 16384 ----a-w- c:\windows\system32\RdpGroupPolicyExtension.dll
2014-11-08 00:11 . 2014-09-05 01:52 5703168 ----a-w- c:\windows\SysWow64\mstscax.dll
2014-11-08 00:10 . 2014-09-05 02:11 6584320 ----a-w- c:\windows\system32\mstscax.dll
2014-11-04 05:34 . 2014-11-04 06:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2014-11-04 05:34 . 2014-11-04 05:59 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-11-12 08:03 . 2013-09-18 04:46 103374192 ----a-w- c:\windows\system32\MRT.exe
2014-11-09 03:30 . 2014-03-19 03:18 238128 ----a-w- c:\windows\RegBootClean64.exe
2014-09-25 02:08 . 2014-10-01 01:50 371712 ----a-w- c:\windows\system32\qdvd.dll
2014-09-25 01:40 . 2014-10-01 01:50 519680 ----a-w- c:\windows\SysWow64\qdvd.dll
2014-09-13 05:43 . 2014-09-13 05:43 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-09-09 22:11 . 2014-09-23 23:55 2048 ----a-w- c:\windows\system32\tzres.dll
2014-09-09 21:47 . 2014-09-23 23:55 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-09-04 22:31 . 2014-09-06 20:39 175136 ----a-w- c:\windows\SysWow64\EasyAntiCheat.exe
2014-09-04 05:23 . 2014-10-17 00:13 424448 ----a-w- c:\windows\system32\rastls.dll
2014-09-04 05:04 . 2014-10-17 00:13 372736 ----a-w- c:\windows\SysWow64\rastls.dll
2014-08-23 02:07 . 2014-08-28 01:23 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-08-23 01:45 . 2014-08-28 01:23 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="g:\program files (x86)\Steam\steam.exe" [2014-11-12 1940160]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2014-08-07 688984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" [2014-04-18 767200]
"iTunesHelper"="e:\itunes\iTunesHelper.exe" [2014-02-21 152392]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-08-21 959176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe;c:\program files (x86)\Skype\Updater\Updater.exe [x]
R3 ArcService;Arc Service;e:\program files (x86)\Perfect World Entertainment\Arc\ArcService.exe;e:\program files (x86)\Perfect World Entertainment\Arc\ArcService.exe [x]
R3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [x]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]
R3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\DRIVERS\MijXfilt.sys;c:\windows\SYSNATIVE\DRIVERS\MijXfilt.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 EasyAntiCheat;EasyAntiCheat;c:\windows\system32\EasyAntiCheat.exe;c:\windows\SYSNATIVE\EasyAntiCheat.exe [x]
S0 TMEBC;TMEBC;c:\windows\system32\DRIVERS\TMEBC64.sys;c:\windows\SYSNATIVE\DRIVERS\TMEBC64.sys [x]
S1 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys;c:\windows\SYSNATIVE\DRIVERS\tmevtmgr.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 AODDriver4.3;AODDriver4.3;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys;c:\program files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [x]
S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
S3 tmeevw;tmeevw;c:\windows\system32\DRIVERS\tmeevw.sys;c:\windows\SYSNATIVE\DRIVERS\tmeevw.sys [x]
S3 tmnciesc;tmnciesc;c:\windows\system32\DRIVERS\tmnciesc.sys;c:\windows\SYSNATIVE\DRIVERS\tmnciesc.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2014-10-29 07:03 1089352 ----a-w- c:\program files (x86)\Google\Chrome\Application\38.0.2125.111\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2014-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-26 05:17]
.
2014-11-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2013-09-26 05:17]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2013-08-29 216928]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2013-09-16 1382568]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = https://mail.google.com/mail/u/0/#inbox
mStart Page = about:blank
mLocal Page = c:\windows\SYSTEM32\blank.htm
mDefault_Page_URL = hxxp://www.google.com
TCP: DhcpNameServer = 10.10.10.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-CleanHlp
SafeBoot-CleanHlp.sys
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1200494228-1057997902-151371316-1000\Software\SecuROM\License information*]
"datasecu"=hex:1e,86,6f,a6,6d,bc,23,fd,d3,4f,e4,50,79,43,7c,fd,71,d2,cd,ca,cf,
   1a,77,5c,43,2b,f8,39,c9,4c,8d,0c,b0,e7,98,1d,b2,a5,d9,4e,e0,0f,2c,82,92,42,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_14_0_0_145_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.14"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_14_0_0_145.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-11-18  13:53:05
ComboFix-quarantined-files.txt  2014-11-18 18:53
.
Pre-Run: 67,946,622,976 bytes free
Post-Run: 67,145,957,376 bytes free
.
- - End Of File - - 37F383F95B8102BEAE1861A9A8507882
A36C5E4F47E84449FF07ED3517B43A31
 



#10 Oh My!

Oh My! (Malware Response Instructor, 35,540 posts, California)

Posted 18 November 2014 - 06:53 PM

Setting aside the fluctuating memory usage and multiple browser tabs, how is your computer behaving?
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#11 Tashin32

Tashin32 (Topic Starter, Members, 21 posts)

Posted 18 November 2014 - 07:23 PM

Aside from those two, it runs pretty well now. At least until either of the browser issues causes too much memory to be used up and everything starts lagging. Either that, or occasionally any website I am on will lock up, citing a "long running script" as the problem and presenting me with a stop script button. Once I've done that, it is alright for a short time until I get the exact same message again.



#12 Oh My!

Oh My! (Malware Response Instructor, 35,540 posts, California)

Posted 18 November 2014 - 07:32 PM

Are you getting the script notification only while using Internet Explorer?
Gary

#13 Tashin32

Tashin32 (Topic Starter, Members, 21 posts)

Posted 18 November 2014 - 08:31 PM

It seems so. Chrome appears fine, other than it always having at least 6 processes associated with the single tab. Any tab created after the fourth adds an additional process, equaling the number of tabs present plus 2, with memory usage ranging from 382,300 to 22,180.



#14 Oh My!

Oh My! (Malware Response Instructor, 35,540 posts, California)

Posted 18 November 2014 - 08:48 PM

Thank you.

The behavior of Chrome is typical. Please do this to address the scripting errors.

===================================================

Resolving Internet Explorer Long Running Script Error

--------------------
  • Launch Internet Explorer
  • Click Tools, then Internet Options
  • Click the Advanced tab
  • Under Settings scroll down to Browsing and if necessary modify the following to the indicated settings:

Check Disable script debugging (Internet Explorer)
Check Disable script debugging (other)
Uncheck Display a notification about every script error

  • Click Apply, then OK
  • Close then relaunch Internet Explorer and check for the script error message
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Results?

Gary

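The three Advanced > Browsing settings in Gary's procedure above are backed by per-user registry values, so they can be audited and applied from PowerShell instead of clicking through Internet Options. The script below is an added example and is not part of the thread or of any BleepingComputer tool. The value names under HKCU\Software\Microsoft\Internet Explorer\Main and their mapping to the three checkboxes are assumed from memory of IE 8-11 behaviour; confirm the mapping on your own machine by toggling a checkbox in Internet Options and re-running the audit function.

```powershell
# Added example (not from the thread): audit and apply the three Internet Explorer
# "Advanced > Browsing" settings the procedure changes, via their registry backing
# values. ASSUMPTION: these value names/meanings are recalled for IE 8-11 and are not
# stated anywhere in the thread; verify by toggling the checkbox and re-auditing.

$IeMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

# UI label -> assumed registry value name -> value that matches the procedure
$Desired = @(
    @{ Label = 'Disable script debugging (Internet Explorer)';    Name = 'Disable Script Debugger';            Want = 'yes' },
    @{ Label = 'Disable script debugging (Other)';                Name = 'DisableScriptDebuggerIE';            Want = 'yes' },
    @{ Label = 'Display a notification about every script error'; Name = 'Error Dlg Displayed On Every Error'; Want = 'no'  }
)

function Get-IeScriptErrorSettings {
    # One object per setting: current value, desired value, and whether they match.
    foreach ($s in $Desired) {
        $current = (Get-ItemProperty -Path $IeMain -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting   = $s.Label
            ValueName = $s.Name
            Current   = if ($null -eq $current) { '(not set)' } else { $current }
            Desired   = $s.Want
            Compliant = ($current -eq $s.Want)
        }
    }
}

function Set-IeScriptErrorSettings {
    # Supports -WhatIf / -Confirm so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $IeMain)) { New-Item -Path $IeMain -Force | Out-Null }
    foreach ($s in $Desired) {
        if ($PSCmdlet.ShouldProcess("$IeMain\$($s.Name)", "set to '$($s.Want)'")) {
            # IE stores these checkboxes as REG_SZ "yes" / "no"
            Set-ItemProperty -Path $IeMain -Name $s.Name -Value $s.Want -Type String
        }
    }
}

# Usage: show the current state, then preview the change; drop -WhatIf to apply it.
# IE reads these values when it starts, so close and relaunch it afterwards.
Get-IeScriptErrorSettings | Format-Table -AutoSize
Set-IeScriptErrorSettings -WhatIf
```

Run it in the session of the affected user, since the values live under HKCU. Note the caveat a practitioner should keep in mind: these settings only change whether IE reports script errors, not whether the script keeps running, so if a page still hangs after applying them the script (from the page or from an add-on) is still executing and the cause has to be found elsewhere.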
#15 Tashin32

Tashin32 (Topic Starter, Members, 21 posts)

Posted 18 November 2014 - 09:37 PM

Completed these changes in IE; however, the only one that wasn't already set the way you instructed was "Check Disable script debugging (Other)". I am no longer prompted; however, now I just experience very long lock-ups with no message on certain web sites.


