
AdwCleaner can't remove "cwmf service"


This topic is locked
38 replies to this topic

#1 Phil Schwarz
  • Members
  • 484 posts
  • Gender:Male
Posted 17 January 2015 - 10:12 PM

Original topic: http://www.bleepingcomputer.com/forums/t/563564/adwcleaner-cant-remove-cwmf-service/

 

Chrome, FF, IE all displaying unwanted bogus ad tabs on link clicks; AdwCleaner finds and removes browser plugin/extension/add-on adware, scheduled tasks, etc., and detects "cwmf service" that it cannot remove.

Registry keys starting cwmf.sys and cwmr.sys in c:\windows\system32\drivers are in safe-mode as well as normal control sets in HKLM\System and *cannot be removed by regedit*.

 

DDS.txt and zipped Attach.txt from prep step 6 in this first post; will follow with prep steps 7 & 8 in subsequent posts because of limited browser stability on the affected machine.

 

Attached File: Attach.zip (2.32KB)

 

DDS.txt:

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.17496
Run by Jeremy at 21:38:50 on 2015-01-17
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.3991.1896 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\AEADISRV.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Intel\AMT\LMS.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe
C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE
C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe
C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Program Files (x86)\Google\Drive\googledrivesync.exe
C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin64\rpsystray.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\explorer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.google.com
mStart Page = www.google.com
uProxyOverride = <-loopback>
mWinlogon: Userinit = userinit.exe,
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll
uRun: [GoogleDriveSync] "C:\Program Files (x86)\Google\Drive\googledrivesync.exe" /autostart
mRun: [SoundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe"  -osboot
mRun: [RealDownloader] C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\MICROS~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\REALPL~1.LNK - C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin64\rpsystray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SYMANT~1.LNK - C:\Program Files (x86)\Microsoft Office\Office\1033\OLFSNT40.EXE
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
LSP: C:\Windows\System32\ColorMedia.dll
TCP: NameServer = 208.59.247.45 208.59.247.46
TCP: Interfaces\{FF8F0333-8E63-45C1-9CF8-AB1A67EF8058} : DHCPNameServer = 208.59.247.45 208.59.247.46
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin64.dll
x64-Run: [picon] "C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [MFNetworkScanUtility] C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE
x64-Run: [WrtMon.exe] C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
x64-Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
x64-Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
x64-Run: [Persistence] C:\Windows\System32\igfxpers.exe
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-Notify: igfxcui - igfxdev.dll
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\5fs2p5jk.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrlui.dll
FF - plugin: c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll
FF - plugin: C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_280.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-7-17 269008]
R1 cherimoya;cherimoya;C:\Windows\System32\drivers\cherimoya.sys [2015-1-16 60376]
R1 cmwf;cmwf service;\??\C:\Windows\System32\Drivers\cmwf.sys --> C:\Windows\System32\Drivers\cmwf.sys [?]
R1 cmwr;cmwr service;\??\C:\Windows\System32\Drivers\cmwr.sys --> C:\Windows\System32\Drivers\cmwr.sys [?]
R2 hmpalert;HitmanPro.Alert Support Driver;C:\Windows\System32\drivers\hmpalert.sys [2014-7-21 93144]
R2 hmpalertsvc;HitmanPro.Alert Service;C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [2014-7-21 1876816]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2014-3-11 125584]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [2014-9-26 39568]
R2 RealPlayer Cloud Service;RealPlayer Cloud Service;C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe [2014-10-19 1141848]
R2 RealPlayerUpdateSvc;RealPlayer Update Service;C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [2014-9-26 31344]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2013-10-3 2066968]
R2 webinstrNHKT;webinstrNHKT;C:\Windows\System32\drivers\webinstrNHKT.sys [2015-1-16 56432]
R3 e1kexpress;Intel® Network Connections Driver K;C:\Windows\System32\drivers\e1k62x64.sys [2013-12-20 497424]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\System32\drivers\HECIx64.sys [2009-7-24 56344]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-8-22 368624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 dkab_device;dkab_device;C:\Windows\System32\DKabcoms.exe -service --> C:\Windows\System32\DKabcoms.exe -service [?]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-12-9 114688]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2014-7-4 19456]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-7-4 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2014-7-4 30208]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2014-7-4 1255736]
.
=============== Created Last 30 ================
.
2078-05-14 16:33:58 2404352 ----a-w- C:\Program Files (x86)\Microsoft Games\Halo Custom Edition\haloce.exe
2078-05-14 16:33:58 1835008 ----a-w- C:\Program Files (x86)\Microsoft Games\Halo Custom Edition\haloceded.exe
2015-01-17 18:58:00 -------- d-----w- C:\FRST
2015-01-17 18:12:03 1188440 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CFF97E9B-48F7-42D9-8BEA-2EFC10012D55}\gapaengine.dll
2015-01-17 18:11:32 11870360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{CB9146DF-2F79-4092-AB9F-56C5E765E0B7}\mpengine.dll
2015-01-17 18:04:49 -------- d-----w- C:\Program Files (x86)\no$gba
2015-01-16 22:31:44 21976 ----a-w- C:\Windows\System32\drivers\SPPD.sys
2015-01-16 21:45:27 56432 ----a-w- C:\Windows\System32\drivers\webinstrNHKT.sys
2015-01-16 21:45:12 324776 ----a-w- C:\Windows\SysWow64\ColorMedia.dll
2015-01-16 21:45:06 370688 ----a-w- C:\Windows\System32\ColorMedia64.dll
2015-01-16 21:44:55 60376 ----a-w- C:\Windows\System32\drivers\cherimoya.sys
2015-01-16 21:17:53 -------- d-----w- C:\Users\Jeremy\AppData\Local\Pro_PC_Cleaner
2015-01-16 01:59:53 11870360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2015-01-13 21:13:29 210432 ----a-w- C:\Windows\System32\profsvc.dll
2015-01-13 21:13:28 52224 ----a-w- C:\Windows\SysWow64\nlaapi.dll
2015-01-13 21:13:28 303616 ----a-w- C:\Windows\System32\nlasvc.dll
2015-01-13 21:13:28 156672 ----a-w- C:\Windows\SysWow64\ncsi.dll
2015-01-13 21:13:27 141312 ----a-w- C:\Windows\System32\drivers\mrxdav.sys
2015-01-13 21:13:26 87040 ----a-w- C:\Windows\System32\TSWbPrxy.exe
2015-01-13 21:13:24 5553592 ----a-w- C:\Windows\System32\ntoskrnl.exe
2015-01-13 21:13:24 3971512 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2015-01-13 21:13:23 503808 ----a-w- C:\Windows\System32\srcore.dll
2015-01-13 21:13:23 3916728 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2015-01-13 21:13:23 296960 ----a-w- C:\Windows\System32\rstrui.exe
2015-01-13 21:13:22 50176 ----a-w- C:\Windows\System32\srclient.dll
2015-01-13 21:13:22 43008 ----a-w- C:\Windows\SysWow64\srclient.dll
2015-01-11 16:46:20 -------- d-----w- C:\Program Files (x86)\Radio Player Live
2015-01-11 16:45:42 -------- d-----w- C:\Program Files (x86)\uanisales
2015-01-11 16:45:25 -------- d-----w- C:\Program Files (x86)\unIsaleoss
2015-01-07 17:39:00 -------- d-----w- C:\Users\Jeremy\AppData\Local\Diagnostics
.
==================== Find3M  ====================
.
2015-01-17 17:43:07 129752 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
2015-01-16 21:45:30 2033 ----a-w- C:\Windows\patsearch.bin
2015-01-14 05:55:19 71344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-14 05:55:19 701616 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2014-12-31 11:14:31 298120 ------w- C:\Windows\System32\MpSigStub.exe
2014-12-13 05:09:01 144384 ----a-w- C:\Windows\System32\ieUnatt.exe
2014-12-13 03:33:44 115712 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2014-12-11 00:09:19 9714821 ----a-w- C:\Users\Jeremy\xfire_installer_46139.exe
2014-12-10 21:39:31 1180834 ----a-w- C:\Users\Jeremy\7z935.exe
2014-12-04 02:50:55 413184 ----a-w- C:\Windows\System32\generaltel.dll
2014-12-04 02:50:45 741376 ----a-w- C:\Windows\System32\invagent.dll
2014-12-04 02:50:40 396800 ----a-w- C:\Windows\System32\devinv.dll
2014-12-04 02:50:38 830976 ----a-w- C:\Windows\System32\appraiser.dll
2014-12-04 02:50:37 227328 ----a-w- C:\Windows\System32\aepdu.dll
2014-12-04 02:50:37 192000 ----a-w- C:\Windows\System32\aepic.dll
2014-12-04 02:44:48 1083392 ----a-w- C:\Windows\System32\aeinv.dll
2014-12-01 23:28:44 1232040 ----a-w- C:\Windows\System32\aitstatic.exe
2014-11-22 03:06:23 2724864 ----a-w- C:\Windows\System32\mshtml.tlb
2014-11-22 03:06:11 4096 ----a-w- C:\Windows\System32\ieetwcollectorres.dll
2014-11-22 02:50:39 66560 ----a-w- C:\Windows\System32\iesetup.dll
2014-11-22 02:50:10 580096 ----a-w- C:\Windows\System32\vbscript.dll
2014-11-22 02:49:54 48640 ----a-w- C:\Windows\System32\ieetwproxystub.dll
2014-11-22 02:48:20 88064 ----a-w- C:\Windows\System32\MshtmlDac.dll
2014-11-22 02:35:29 114688 ----a-w- C:\Windows\System32\ieetwcollector.exe
2014-11-22 02:34:51 814080 ----a-w- C:\Windows\System32\jscript9diag.dll
2014-11-22 02:34:07 6039552 ----a-w- C:\Windows\System32\jscript9.dll
2014-11-22 02:26:31 968704 ----a-w- C:\Windows\System32\MsSpellCheckingFacility.exe
2014-11-22 02:20:44 2724864 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2014-11-22 02:14:16 77824 ----a-w- C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-11-22 02:07:43 501248 ----a-w- C:\Windows\SysWow64\vbscript.dll
2014-11-22 02:07:17 62464 ----a-w- C:\Windows\SysWow64\iesetup.dll
2014-11-22 02:06:32 47616 ----a-w- C:\Windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05:02 64000 ----a-w- C:\Windows\SysWow64\MshtmlDac.dll
2014-11-22 01:54:30 620032 ----a-w- C:\Windows\SysWow64\jscript9diag.dll
2014-11-22 01:47:10 1359360 ----a-w- C:\Windows\System32\mshtmlmedia.dll
2014-11-22 01:46:58 2125312 ----a-w- C:\Windows\System32\inetcpl.cpl
2014-11-22 01:40:04 60416 ----a-w- C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29:26 4299264 ----a-w- C:\Windows\SysWow64\jscript9.dll
2014-11-22 01:28:21 2358272 ----a-w- C:\Windows\System32\wininet.dll
2014-11-22 01:22:49 2052096 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2014-11-22 01:21:57 1155072 ----a-w- C:\Windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:00:20 1888256 ----a-w- C:\Windows\SysWow64\wininet.dll
2014-11-21 11:14:22 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
2014-11-21 11:14:12 93400 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
2014-11-21 11:14:08 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
2014-11-11 03:09:06 1424384 ----a-w- C:\Windows\System32\WindowsCodecs.dll
2014-11-11 03:08:52 241152 ----a-w- C:\Windows\System32\pku2u.dll
2014-11-11 03:08:48 728064 ----a-w- C:\Windows\System32\kerberos.dll
2014-11-11 02:44:45 1230336 ----a-w- C:\Windows\SysWow64\WindowsCodecs.dll
2014-11-11 02:44:32 186880 ----a-w- C:\Windows\SysWow64\pku2u.dll
2014-11-11 02:44:25 550912 ----a-w- C:\Windows\SysWow64\kerberos.dll
2014-11-11 01:46:26 119296 ----a-w- C:\Windows\System32\drivers\tdx.sys
2014-11-08 03:16:08 2048 ----a-w- C:\Windows\System32\tzres.dll
2014-11-08 02:45:09 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2014-10-30 02:03:43 165888 ----a-w- C:\Windows\System32\charmap.exe
2014-10-30 01:45:43 155136 ----a-w- C:\Windows\SysWow64\charmap.exe
2014-10-25 01:57:59 77824 ----a-w- C:\Windows\System32\packager.dll
2014-10-25 01:32:37 67584 ----a-w- C:\Windows\SysWow64\packager.dll
2014-10-20 04:16:07 353864 ----a-w- C:\Windows\SysWow64\msvcr71.dll
2014-10-20 04:16:06 505416 ----a-w- C:\Windows\SysWow64\msvcp71.dll
1998-12-09 02:53:54 99840 ----a-w- C:\Program Files (x86)\Common Files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- C:\Program Files (x86)\Common Files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- C:\Program Files (x86)\Common Files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- C:\Program Files (x86)\Common Files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- C:\Program Files (x86)\Common Files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- C:\Program Files (x86)\Common Files\IRASRIAL.DLL
.
============= FINISH: 21:39:46.05 ===============
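An added triage helper for the DDS output above (example code written for this page; it is not part of the thread and not the DDS tool's own code). It parses the SERVICES / DRIVERS and Created Last 30 sections, flags services DDS printed with "[?]" instead of a file date and size (the cmwf/cmwr pattern), and flags .sys drivers created within a few days of the scan (cherimoya.sys, webinstrNHKT.sys). The sample log is a constructed excerpt modelled on the posted DDS.txt; the section names and line layout are taken from that log.

```python
"""DDS.txt triage helper (added example, not from the thread or the DDS tool)."""
import re
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed excerpt modelled on the DDS log posted in the thread (not the full log).
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-7-17 269008]
R1 cherimoya;cherimoya;C:\Windows\System32\drivers\cherimoya.sys [2015-1-16 60376]
R1 cmwf;cmwf service;\??\C:\Windows\System32\Drivers\cmwf.sys --> C:\Windows\System32\Drivers\cmwf.sys [?]
R2 webinstrNHKT;webinstrNHKT;C:\Windows\System32\drivers\webinstrNHKT.sys [2015-1-16 56432]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
.
=============== Created Last 30 ================
.
2015-01-17 18:58:00 -------- d-----w- C:\FRST
2015-01-16 21:45:27 56432 ----a-w- C:\Windows\System32\drivers\webinstrNHKT.sys
2015-01-16 21:44:55 60376 ----a-w- C:\Windows\System32\drivers\cherimoya.sys
.
==================== Find3M  ====================
"""
# The "Run by ... on 2015-01-17" date from the posted log.
SCAN_DATE = date(2015, 1, 17)

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# e.g. "R1 cmwf;cmwf service;<ImagePath> [2015-1-16 60376]"  or  "... [?]"
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?) \[(?:(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)|(?P<unknown>\?))\]$"
)
# e.g. "2015-01-16 21:44:55 60376 ----a-w- C:\Windows\System32\drivers\cherimoya.sys"
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} \S+ \S+ (?P<path>.+)$")


class Service(NamedTuple):
    state: str              # R = running, S = stopped
    start: int              # start-type digit as DDS prints it
    name: str
    image: str              # resolved image path
    verified: bool          # False when DDS printed "[?]" instead of a date and size
    file_date: Optional[date]


def _parse_dds_date(text: str) -> date:
    # DDS prints unpadded dates such as 2015-1-16, which date.fromisoformat rejects.
    y, m, d = (int(p) for p in text.split("-"))
    return date(y, m, d)


def _image_path(raw: str) -> str:
    # For a \??\-prefixed ImagePath DDS prints "<ImagePath> --> <resolved path>";
    # keep the resolved form so it can be matched against the Created list.
    if "-->" in raw:
        raw = raw.split("-->", 1)[1]
    return raw.strip()


def parse_dds(text: str) -> Tuple[List[Service], Dict[str, date]]:
    """Return the service list and a {lowercased path: creation date} map."""
    services: List[Service] = []
    created: Dict[str, date] = {}
    section = ""
    for line in text.splitlines():
        line = line.rstrip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).upper()
            continue
        if section.startswith("SERVICES"):
            m = SERVICE_RE.match(line)
            if m:
                d = m.group("date")
                services.append(Service(
                    m.group("state"), int(m.group("start")), m.group("name"),
                    _image_path(m.group("image")), m.group("unknown") is None,
                    _parse_dds_date(d) if d else None))
        elif section.startswith("CREATED"):
            m = CREATED_RE.match(line)
            if m:
                created[m.group("path").lower()] = date.fromisoformat(m.group("date"))
    return services, created


def triage(text: str, scan_date: date, recent_days: int = 7) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs that deserve a closer look."""
    services, created = parse_dds(text)
    findings: List[Tuple[str, str]] = []
    for s in services:
        if not s.verified:
            # Registered service whose file DDS could not read: the cmwf/cmwr pattern.
            findings.append((s.name, "unverified-image"))
            continue
        c = created.get(s.image.lower())
        if (s.image.lower().endswith(".sys") and c is not None
                and 0 <= (scan_date - c).days <= recent_days):
            findings.append((s.name, "recent-driver"))
    return findings


def sample_findings() -> List[Tuple[str, str]]:
    return triage(SAMPLE_DDS, SCAN_DATE)


if __name__ == "__main__":
    for name, reason in sample_findings():
        print(f"{reason:17} {name}")
```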
 



 


#2 Phil Schwarz
  • Topic Starter
  • Members
  • 484 posts
  • Gender:Male

Posted 17 January 2015 - 10:23 PM

Apparently prep steps 7 and 8 were to post the DDS output captured in step 6, and then to wait for a response -- so consider them fulfilled as well :-).  Again, thanks for the rapid initial response!



#3 fireman4it
  • Bleepin' Fireman
  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 17 January 2015 - 11:57 PM

Hello Phil Schwarz,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

 

1.

Download and run Junkware Removal Tool. ***Your Anti Virus may see this download as malicious; don't worry, continue on.

Please download Junkware Removal Tool to your desktop.

 

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next Reply.

 

 

2.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 Phil Schwarz
  • Topic Starter
  • Members
  • 484 posts
  • Gender:Male

Posted 18 January 2015 - 03:47 PM

JRT.txt -- surprisingly sparse:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 7 Professional x64
Ran by Jeremy on Sun 01/18/2015 at 14:44:36.66
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\Jeremy\appdata\local\pro_pc_cleaner"
Successfully deleted: [Folder] "C:\Users\Jeremy\documents\propccleaner"
 
 
 
~~~ FireFox
 
Emptied folder: C:\Users\Jeremy\AppData\Roaming\mozilla\firefox\profiles\5fs2p5jk.default\minidumps [3 files]
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 01/18/2015 at 14:53:00.84
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
FRST.txt:
 
Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-01-2015 01
Ran by Jeremy (administrator) on SAMWISE on 18-01-2015 15:42:19
Running from C:\Program Files (x86)\BleepingComputer
Loaded Profiles: Jeremy (Available profiles: Jeremy)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Andrea Electronics Corporation) C:\Windows\System32\AEADISRV.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\AMT\LMS.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe
() C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe
(Intel Corporation) C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
(Intel Corporation) C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(CANON INC.) C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE
() C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
() C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin64\rpsystray.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Sysinternals - www.sysinternals.com) C:\Program Files (x86)\Sysinternals\ProcessExplorer\procexp.exe
(Sysinternals - www.sysinternals.com) C:\Users\Jeremy\AppData\Local\Temp\procexp64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [picon] => C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe [796696 2009-07-24] (Intel Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [MFNetworkScanUtility] => C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE [486552 2012-09-27] (CANON INC.)
HKLM\...\Run: [WrtMon.exe] => C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2006-09-20] ()
HKLM-x32\...\Run: [SoundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1314816 2009-05-18] (Analog Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [296520 2014-10-19] (RealNetworks, Inc.)
HKLM-x32\...\Run: [RealDownloader] => C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe [551488 2014-09-23] ()
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binpif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binexe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bincom <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binscr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [22869088 2014-10-21] (Google)
HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\MountPoints2: {8da7a10e-03be-11e4-a43a-806e6f6e6963} - D:\install.EXE id= ver=1.0.0.0
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealPlayer Cloud Service UI.lnk
ShortcutTarget: RealPlayer Cloud Service UI.lnk -> C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin64\rpsystray.exe (RealNetworks, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
ShortcutTarget: Symantec Fax Starter Edition Port.lnk -> C:\Program Files (x86)\Microsoft Office\Office\1033\OLFSNT40.EXE (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\S-1-5-21-3805180030-359751056-14507808-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin64.dll (RealDownloader)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler-x32: http - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: ipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Winsock: Catalog9 01 C:\Windows\SysWOW64\ColorMedia.dll [324776] (CartCrunch Israel Ltd.)
Winsock: Catalog9 02 C:\Windows\SysWOW64\ColorMedia.dll [324776] (CartCrunch Israel Ltd.)
Winsock: Catalog9 03 C:\Windows\SysWOW64\ColorMedia.dll [324776] (CartCrunch Israel Ltd.)
Winsock: Catalog9 04 C:\Windows\SysWOW64\ColorMedia.dll [324776] (CartCrunch Israel Ltd.)
Winsock: Catalog9 15 C:\Windows\SysWOW64\ColorMedia.dll [324776] (CartCrunch Israel Ltd.)
Winsock: Catalog9-x64 01 C:\Windows\system32\ColorMedia64.dll [370688] (CartCrunch Israel Ltd.)
Winsock: Catalog9-x64 02 C:\Windows\system32\ColorMedia64.dll [370688] (CartCrunch Israel Ltd.)
Winsock: Catalog9-x64 03 C:\Windows\system32\ColorMedia64.dll [370688] (CartCrunch Israel Ltd.)
Winsock: Catalog9-x64 04 C:\Windows\system32\ColorMedia64.dll [370688] (CartCrunch Israel Ltd.)
Winsock: Catalog9-x64 15 C:\Windows\system32\ColorMedia64.dll [370688] (CartCrunch Israel Ltd.)
Tcpip\Parameters: [DhcpNameServer] 208.59.247.45 208.59.247.46
 
FireFox:
========
FF ProfilePath: C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\5fs2p5jk.default
FF DefaultSearchEngine: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_280.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_280.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=17.0.14.69 -> c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=17.0.14 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=17.0.14.69 -> c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer Cloud)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{4642CD99-8FDF-4550-94E1-63360972C326}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-10-19]
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Firefox\Extensions: [{09A29523-659E-5B10-EA0A-1632B50980B3}] - C:\Program Files (x86)\ver0SpeeditUp\186.xpi
 
Chrome: 
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-16]
CHR Extension: (Google Docs) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-04]
CHR Extension: (Google Drive) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-18]
CHR Extension: (YouTube) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-18]
CHR Extension: (Google Search) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-18]
CHR Extension: (Google Sheets) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-16]
CHR Extension: (Gmail) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-18]
CHR HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2008-07-15] (Andrea Electronics Corporation)
S3 dkab_device; C:\Windows\system32\DKabcoms.exe [476568 2006-10-21] ( )
S3 dkab_device; C:\Windows\SysWOW64\DKabcoms.exe [508824 2006-10-21] ( )
R2 hmpalertsvc; C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1876816 2014-07-20] (SurfRight B.V.)
R2 LMS; C:\Program Files (x86)\Intel\AMT\LMS.exe [174616 2009-07-24] (Intel Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39568 2014-09-26] ()
R2 RealPlayer Cloud Service; c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [1141848 2014-10-19] (RealNetworks, Inc.)
R2 RealPlayerUpdateSvc; C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [31344 2014-09-26] ()
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2010-06-25] (CACE Technologies, Inc.)
R2 UNS; C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2009-07-24] (Intel Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 cherimoya; C:\Windows\System32\drivers\cherimoya.sys [60376 2015-01-06] (Cherimoya Ltd)
R1 cmwf; C:\Windows\system32\Drivers\cmwf.sys [33952 2015-01-07] () [File not signed]
R1 cmwr; C:\Windows\system32\Drivers\cmwr.sys [45216 2015-01-07] () [File not signed]
R2 hmpalert; C:\Windows\System32\drivers\hmpalert.sys [93144 2014-07-21] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R2 NPF; C:\Windows\System32\drivers\npf.sys [35344 2010-06-25] (CACE Technologies, Inc.)
S3 usbio; C:\Windows\System32\Drivers\dsiarhwprog_x64.sys [54640 2013-03-19] (Thesycon GmbH, Germany)
R2 webinstrNHKT; C:\Windows\system32\Drivers\webinstrNHKT.sys [56432 2015-01-16] (Corsica)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-18 15:06 - 2015-01-18 15:06 - 00000634 _____ () C:\Users\Jeremy\Desktop\JRT.txt
2015-01-17 21:41 - 2015-01-17 21:42 - 00000000 ____D () C:\BleepingComputer
2015-01-17 21:39 - 2015-01-17 21:39 - 00017476 _____ () C:\Users\Jeremy\Desktop\dds.txt
2015-01-17 21:39 - 2015-01-17 21:39 - 00007252 _____ () C:\Users\Jeremy\Desktop\attach.txt
2015-01-17 15:18 - 2015-01-17 15:18 - 01686759 _____ () C:\Users\Jeremy\Downloads\PSTools.zip
2015-01-17 13:58 - 2015-01-18 15:42 - 00000000 ____D () C:\FRST
2015-01-17 13:04 - 2015-01-17 13:05 - 00000000 ____D () C:\Program Files (x86)\no$gba
2015-01-17 13:03 - 2015-01-17 13:03 - 00191678 _____ () C:\Users\Jeremy\Downloads\no$gba-w.zip
2015-01-16 17:31 - 2015-01-16 17:31 - 00021976 _____ () C:\Windows\system32\Drivers\SPPD.sys
2015-01-16 16:45 - 2015-01-16 16:45 - 00056432 _____ (Corsica) C:\Windows\system32\Drivers\webinstrNHKT.sys
2015-01-16 16:45 - 2015-01-16 16:45 - 00003756 _____ () C:\Windows\System32\Tasks\NNYOXBV
2015-01-16 16:45 - 2015-01-07 21:07 - 00045216 _____ () C:\Windows\system32\Drivers\cmwr.sys
2015-01-16 16:45 - 2015-01-07 21:07 - 00033952 _____ () C:\Windows\system32\Drivers\cmwf.sys
2015-01-16 16:45 - 2015-01-07 20:54 - 00370688 _____ (CartCrunch Israel Ltd.) C:\Windows\system32\ColorMedia64.dll
2015-01-16 16:45 - 2015-01-07 20:54 - 00324776 _____ (CartCrunch Israel Ltd.) C:\Windows\SysWOW64\ColorMedia.dll
2015-01-16 16:44 - 2015-01-16 16:45 - 00003622 _____ () C:\Windows\System32\Tasks\gtaUpt
2015-01-16 16:44 - 2015-01-06 12:38 - 00060376 _____ (Cherimoya Ltd) C:\Windows\system32\Drivers\cherimoya.sys
2015-01-16 16:31 - 2015-01-16 16:31 - 00000000 ____D () C:\Program Files (x86)\7-Zip
2015-01-16 16:21 - 2015-01-16 16:21 - 00000064 _____ () C:\Users\Jeremy\AppData\Local\90c44f312ec5676ae73fdad19d917baa
2015-01-16 16:20 - 2015-01-18 14:37 - 00001342 _____ () C:\Windows\Tasks\PAJPOO.job
2015-01-16 16:20 - 2015-01-16 16:20 - 00004368 _____ () C:\Windows\System32\Tasks\PAJPOO
2015-01-16 16:19 - 2015-01-18 14:37 - 00001688 _____ () C:\Windows\Tasks\HPNWPFB.job
2015-01-16 16:19 - 2015-01-16 16:19 - 00004714 _____ () C:\Windows\System32\Tasks\HPNWPFB
2015-01-14 20:07 - 2015-01-14 20:07 - 15689724 _____ () C:\Users\Jeremy\Downloads\3DS Emu_v3.5_patched.zip
2015-01-14 19:52 - 2015-01-14 19:52 - 00793119 _____ () C:\Users\Jeremy\Downloads\3DS-Emulator-v3.0.41.rar
2015-01-14 18:09 - 2015-01-14 18:10 - 42831026 _____ () C:\Users\Jeremy\Downloads\Pokemon Heart Gold NTEVO.rar
2015-01-14 18:08 - 2015-01-14 18:09 - 42829949 _____ () C:\Users\Jeremy\Downloads\Pokemon Soul Silver NTEVO.rar
2015-01-13 22:39 - 2015-01-13 22:39 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-13 16:13 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-13 16:13 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-13 16:13 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-13 16:13 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-13 16:13 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-13 16:13 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-13 16:13 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-13 16:13 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-13 16:13 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-13 16:13 - 2014-12-11 12:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 16:13 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-13 16:13 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-13 16:13 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-11 18:12 - 2015-01-11 18:12 - 00181160 _____ () C:\Users\Jeremy\Downloads\no$gba-w_2.7a.zip
2015-01-11 16:52 - 2014-07-04 15:37 - 00001416 _____ () C:\Users\Jeremy\Desktop\Internet Explorer.lnk
2015-01-11 15:50 - 2015-01-11 15:50 - 05347971 _____ () C:\Users\Jeremy\Downloads\Pokemon FireRed.zip
2015-01-11 11:46 - 2015-01-13 20:59 - 00000000 ____D () C:\Program Files (x86)\Radio Player Live
2015-01-11 11:45 - 2015-01-13 21:26 - 00000000 ____D () C:\Program Files (x86)\uanisales
2015-01-11 11:45 - 2015-01-13 20:59 - 00000000 ____D () C:\Program Files (x86)\unIsaleoss
2015-01-11 11:43 - 2015-01-11 11:43 - 01136320 _____ () C:\Users\Jeremy\Downloads\Pokemon_Sapphire_Version_USA.exe
2015-01-11 11:39 - 2015-01-11 11:39 - 00007548 _____ () C:\Users\Jeremy\Downloads\js.js
2015-01-07 16:44 - 2015-01-07 16:54 - 42712969 _____ () C:\Users\Jeremy\Downloads\moo.rar
2015-01-05 18:15 - 2015-01-16 17:30 - 00000000 ____D () C:\Users\Jeremy\Desktop\NDS and GBA Games and emulators
2015-01-05 18:11 - 2015-01-05 18:11 - 42557718 _____ () C:\Users\Jeremy\Downloads\4787 - Pokemon - HeartGold Version (U).rar
2015-01-05 15:32 - 2015-01-05 15:36 - 00000000 ____D () C:\ProgramData\WinZip
2015-01-05 15:24 - 2015-01-05 15:24 - 00906024 _____ ( ) C:\Users\Jeremy\Downloads\winzip19-mediafire.exe.6i4yyhg.partial
2014-12-31 15:26 - 2014-12-31 15:26 - 00762704 _____ ( ) C:\Users\Jeremy\Desktop\CR_Downloader_for_no$gba.exe
2014-12-30 21:28 - 2014-12-30 21:28 - 00000227 _____ () C:\Users\Jeremy\Desktop\How to get Wi-Fi with DeSmuME - YouTube.URL
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-18 15:42 - 2014-07-04 14:19 - 00000000 ____D () C:\Program Files (x86)\BleepingComputer
2015-01-18 15:20 - 2014-07-21 21:03 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-18 15:16 - 2014-07-04 14:10 - 01529541 _____ () C:\Windows\WindowsUpdate.log
2015-01-18 14:55 - 2013-10-03 19:56 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-18 14:44 - 2009-07-13 23:45 - 00031904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-18 14:44 - 2009-07-13 23:45 - 00031904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-18 14:43 - 2009-07-14 00:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-18 14:38 - 2014-07-21 23:26 - 00000000 ____D () C:\Windows\CryptoGuard
2015-01-18 14:37 - 2014-10-28 16:07 - 00000000 ___RD () C:\Users\Jeremy\Google Drive
2015-01-18 14:37 - 2014-07-21 21:03 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-18 14:37 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-18 14:37 - 2009-07-13 23:51 - 00055716 _____ () C:\Windows\setupact.log
2015-01-17 15:20 - 2014-07-04 14:20 - 00000000 ____D () C:\Program Files (x86)\Sysinternals
2015-01-17 14:56 - 2014-08-02 15:40 - 00000000 ____D () C:\Program Files (x86)\Kaspersky
2015-01-17 13:18 - 2010-11-20 22:47 - 00229580 _____ () C:\Windows\PFRO.log
2015-01-17 13:17 - 2014-07-18 16:30 - 00000000 ____D () C:\AdwCleaner
2015-01-17 12:43 - 2014-07-04 14:38 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-16 16:45 - 2014-12-09 15:39 - 00002033 _____ () C:\Windows\patsearch.bin
2015-01-16 16:41 - 2014-07-04 15:54 - 00000000 ____D () C:\Users\Jeremy\AppData\Local\Microsoft Games
2015-01-16 16:25 - 2013-10-03 19:54 - 00000000 ____D () C:\Program Files (x86)\Analog Devices
2015-01-16 16:07 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-14 03:02 - 2014-07-04 16:38 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 03:00 - 2014-07-04 16:38 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-14 00:55 - 2013-10-03 19:56 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-14 00:55 - 2013-10-03 19:56 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-14 00:55 - 2013-10-03 19:56 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-13 23:29 - 2014-07-28 21:23 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-11 15:57 - 2014-10-19 18:33 - 00000000 ____D () C:\Users\Jeremy\Desktop\BFME Maps, Save, and Files
2015-01-05 15:36 - 2014-07-15 16:49 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-12-31 06:14 - 2010-11-20 22:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-12-22 17:19 - 2014-12-16 17:09 - 00000000 ____D () C:\Users\Jeremy\Desktop\Halo maps, mods and files
 
==================== Files in the root of some directories =======
1998-12-08 21:53 - 1998-12-08 21:53 - 0099840 _____ (Symantec Corp.) C:\Program Files (x86)\Common Files\IRAABOUT.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0048640 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRALPTTR.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0070144 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRAMDMTR.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0186368 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRAREG.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0017920 _____ (Symantec Corp.) C:\Program Files (x86)\Common Files\IRASRIAL.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0031744 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRAWEBTR.DLL
2014-07-20 17:06 - 2014-07-20 17:06 - 0000000 _____ () C:\Users\Jeremy\AppData\Roaming\bitlord_log.txt
2014-09-01 03:18 - 2014-09-01 03:18 - 0001248 _____ () C:\Users\Jeremy\AppData\Roaming\HPNWPFB
2014-09-01 03:18 - 2014-09-01 03:18 - 0002086 _____ () C:\Users\Jeremy\AppData\Roaming\PAJPOO
2015-01-16 16:21 - 2015-01-16 16:21 - 0000064 _____ () C:\Users\Jeremy\AppData\Local\90c44f312ec5676ae73fdad19d917baa
2014-07-20 17:16 - 2014-07-20 17:16 - 0000218 _____ () C:\Users\Jeremy\AppData\Local\recently-used.xbel
 
Files to move or delete:
====================
C:\Users\Jeremy\7z935.exe
C:\Users\Jeremy\DivXInstaller.exe
C:\Users\Jeremy\googleupdatesetup.exe
C:\Users\Jeremy\RealPlayerCloud.exe
C:\Users\Jeremy\xfire_installer_46139.exe
 
 
Some content of TEMP:
====================
C:\Users\Jeremy\AppData\Local\Temp\17EB1411-0D1A-6DF9-98D4-BDAC78646837.dll
C:\Users\Jeremy\AppData\Local\Temp\17EB1411-0D1A-6DF9-98D4-BDAC78646837.exe
C:\Users\Jeremy\AppData\Local\Temp\37230C07-3CAC-B478-D5F0-EE91D93FB296.exe
C:\Users\Jeremy\AppData\Local\Temp\8SkF6WTVKH.exe
C:\Users\Jeremy\AppData\Local\Temp\AE793DB8-DF2C-13B5-9D1E-6C1EF0B5B1EE.exe
C:\Users\Jeremy\AppData\Local\Temp\AutoRun.exe
C:\Users\Jeremy\AppData\Local\Temp\AutoRunGUI.dll
C:\Users\Jeremy\AppData\Local\Temp\BAC667ED-76D4-0586-1876-B5C8A457564D.dll
C:\Users\Jeremy\AppData\Local\Temp\BAC667ED-76D4-0586-1876-B5C8A457564D.exe
C:\Users\Jeremy\AppData\Local\Temp\CloudBackup3173.exe
C:\Users\Jeremy\AppData\Local\Temp\CloudBackup4705.exe
C:\Users\Jeremy\AppData\Local\Temp\comver.dll
C:\Users\Jeremy\AppData\Local\Temp\eauninstall.exe
C:\Users\Jeremy\AppData\Local\Temp\FeXEx3NDnb.exe
C:\Users\Jeremy\AppData\Local\Temp\FreemakeVideoDownloader_3.7.0.17.exe
C:\Users\Jeremy\AppData\Local\Temp\I695Ubx0EC.exe
C:\Users\Jeremy\AppData\Local\Temp\J7tbu1HcSZ.exe
C:\Users\Jeremy\AppData\Local\Temp\lowproc.exe
C:\Users\Jeremy\AppData\Local\Temp\mQS1dbOET0.exe
C:\Users\Jeremy\AppData\Local\Temp\old haloupdate.exe
C:\Users\Jeremy\AppData\Local\Temp\optprosetup.exe
C:\Users\Jeremy\AppData\Local\Temp\oxntnJ1uqq.exe
C:\Users\Jeremy\AppData\Local\Temp\procexp64.exe
C:\Users\Jeremy\AppData\Local\Temp\Quarantine.exe
C:\Users\Jeremy\AppData\Local\Temp\sdf5F90.exe
C:\Users\Jeremy\AppData\Local\Temp\sdfC989.exe
C:\Users\Jeremy\AppData\Local\Temp\SpOrder.dll
C:\Users\Jeremy\AppData\Local\Temp\sqlite3.dll
C:\Users\Jeremy\AppData\Local\Temp\stubhelper.dll
C:\Users\Jeremy\AppData\Local\Temp\The Battle for Middle-earth_uninst.exe
C:\Users\Jeremy\AppData\Local\Temp\z2nN3vH55B.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-14 00:47
 
==================== End Of Log ============================
 
Addition.txt:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 18-01-2015 01
Ran by Jeremy at 2015-01-18 15:43:02
Running from C:\Program Files (x86)\BleepingComputer
Boot Mode: Normal
==========================================================
 
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
7-Zip 9.22beta (HKLM-x32\...\7-Zip) (Version:  - )
Action Replay Code Manager (HKLM-x32\...\Action Replay Code Manager_is1) (Version:  - )
Action Replay DSi Code Manager (HKLM-x32\...\Action Replay DSi Code Manager_is1) (Version:  - )
Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.280 - Adobe Systems Incorporated)
Adobe Flash Player 16 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 16.0.0.280 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.07) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.07 - Adobe Systems Incorporated)
Belarc Advisor 8.4 (HKLM-x32\...\Belarc Advisor) (Version: 8.4.0.0 - Belarc Inc.)
Canon MF Toolbox 4.9.1.1.mf14 (HKLM-x32\...\{6767DFEE-8909-453A-B553-C7693912B2EB}) (Version: 4.9.1.1.mf14 - CANON INC.)
Canon MF4700 Series (HKLM\...\{47A8DB42-4E21-4d55-9931-D4F44CC3F03B}) (Version: 4.1.0.1 - CANON INC.)
Compatibility Pack for the 2007 Office system (HKLM-x32\...\{90120000-0020-0409-0000-0000000FF1CE}) (Version: 12.0.6612.1000 - Microsoft Corporation)
Dell Software Uninstall (HKLM\...\Dell_HostCD) (Version:  - Dell, Inc.)
DSi Compatible Action Replay Firmware Update version 1.0 (HKLM\...\DSi Compatible Action Replay Firmware Update_is1) (Version: 1.0 - )
GameFly Download Manager (HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\7998bdbe8c95db7f) (Version: 1.0.0.98 - GameFly)
GameRanger (HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\GameRanger) (Version:  - GameRanger Technologies)
GameSpy Arcade (HKLM-x32\...\GameSpy Arcade) (Version:  - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 39.0.2171.95 - Google Inc.)
Google Drive (HKLM-x32\...\{C60F3836-333A-4AE2-B526-CFDBA143A9BA}) (Version: 1.18.7821.2489 - Google, Inc.)
Google Earth (HKLM-x32\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Grand Theft Auto - Vice City (HKLM-x32\...\Grand Theft Auto - Vice City) (Version: 1.00 - Rockstar Games)
Grand Theft Auto III (HKLM-x32\...\Grand Theft Auto III) (Version: 1.1 - Rockstar Games)
Grand Theft Auto: San Andreas (HKLM-x32\...\Steam App 12120) (Version:  - Rockstar Games)
HitmanPro.Alert (HKLM\...\HitmanPro.Alert) (Version: 2.6.5.77 - SurfRight B.V.)
HP Softpaq SP45813  (HKLM-x32\...\SP45813) (Version:  - )
HP Softpaq SP45814  (HKLM-x32\...\SP45814) (Version:  - )
Intel® Management Engine Interface (HKLM\...\HECI) (Version:  - Intel Corporation)
Intel® Active Management Technology (HKLM\...\MESOL) (Version:  - Intel Corporation)
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Halo (HKLM-x32\...\Halo) (Version:  - Microsoft)
Microsoft Halo Custom Edition (HKLM-x32\...\Halo CE) (Version:  - )
Microsoft Office 2000 SR-1 Premium (HKLM-x32\...\{00000409-78E1-11D2-B60F-006097C998E7}) (Version: 9.00.9327 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.31211.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Mozilla Firefox 35.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 35.0 (x86 en-US)) (Version: 35.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
Presto! PageManager 7.15.38 (HKLM-x32\...\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}) (Version: 7.15.38 - NewSoft Technology Corporation)
RealDownloader (x32 Version: 17.0.14.26 - RealNetworks) Hidden
RealDownloader (x32 Version: 17.0.14.8 - RealNetworks, Inc.) Hidden
RealNetworks - Microsoft Visual C++ 2008 Runtime (x32 Version: 9.0 - RealNetworks, Inc) Hidden
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0 - RealNetworks, Inc) Hidden
RealNetworks - Microsoft Visual C++ 2010 Runtime (x32 Version: 10.0 - RealNetworks, Inc) Hidden
RealPlayer Cloud (HKLM-x32\...\RealPlayer 17.0) (Version: 17.0.14 - RealNetworks)
RealUpgrade 1.1 (x32 Version: 1.1.0 - RealNetworks, Inc.) Hidden
SoundMAX (HKLM-x32\...\{F0A37341-D692-11D4-A984-009027EC0A9C}) (Version: 6.10.2.7255 - Analog Devices)
Steam (HKLM-x32\...\Steam) (Version:  - Valve Corporation)
T3A Patch for BFME 1 version 1.06 (HKLM-x32\...\T3APATCH106_is1) (Version: 1.06 - )
The Battle for Middle-earth ™ (HKLM-x32\...\{962E05CF-3394-496D-0091-850CF1762F6B}) (Version:  - )
UpdateService (x32 Version: 1.0.0 - RealNetworks, Inc.) Hidden
Video Downloader (x32 Version: 1.0.0 - RealNetworks) Hidden
Warhammer® 40,000™: Dawn of War® II – Retribution™ (HKLM-x32\...\Steam App 56400) (Version:  - Relic Entertainment)
Windows Driver Package - Datel Design & Development (usbio) USBIOControlledDevices  (05/21/2012 2.40.0.0) (HKLM\...\7BD98A593B77F7A2CC2A9538524495FE39D5962E) (Version: 05/21/2012 2.40.0.0 - Datel Design & Development)
Windows Driver Package - Datel Design & Development USBIOControlledDevices  (05/21/2012 2.40.0.0) (HKLM\...\66D0EA0FEC96AC8BA6F5D30012E2C0BE83D4A67B) (Version: 05/21/2012 2.40.0.0 - Datel Design & Development)
WinPcap 4.1.2 (HKLM-x32\...\WinPcapInst) (Version: 4.1.0.2001 - CACE Technologies)
Xfire (HKLM-x32\...\Xfire) (Version:  - )
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
22-12-2014 16:52:28 Windows Update
26-12-2014 16:51:46 Windows Update
30-12-2014 16:52:09 Windows Update
04-01-2015 02:19:01 Windows Update
05-01-2015 15:36:16 Removed WinZip 19.0
05-01-2015 15:38:07 Removed File Association Helper
08-01-2015 10:14:26 Windows Update
12-01-2015 18:42:42 Windows Update
14-01-2015 03:00:13 Windows Update
17-01-2015 13:11:10 Windows Update
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-13 21:34 - 2009-06-10 16:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {2679E88C-673D-434A-961D-662F9D93C991} - System32\Tasks\gtaUpt => C:\Program Files\shopperz\zaeed.bat
Task: {33A4D966-502B-4D0B-873C-91D0F98A5C2E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-07-21] (Google Inc.)
Task: {36A7E3A1-A2C7-4EFB-AB39-737021D8D719} - System32\Tasks\PAJPOO => C:\Users\Jeremy\AppData\Roaming\PAJPOO.exe <==== ATTENTION
Task: {415F6A8C-4F8E-4AEB-890F-9B93DE7E5392} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-3805180030-359751056-14507808-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\recordingmanager.exe [2014-09-26] (RealNetworks, Inc.)
Task: {6F450460-E26E-4AA5-B48D-17C91604B296} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-3805180030-359751056-14507808-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\RealUpgrade.exe [2014-09-26] (RealNetworks, Inc.)
Task: {74F4B5CA-72F6-4A81-B76B-10491711C320} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-07-21] (Google Inc.)
Task: {752B6346-4B21-4A70-9A58-2D857432133C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2015-01-14] (Adobe Systems Incorporated)
Task: {76AEEF7D-9338-4C99-976E-3756573AFF20} - System32\Tasks\HPNWPFB => C:\Users\Jeremy\AppData\Roaming\HPNWPFB.exe <==== ATTENTION
Task: {955F5336-B91C-46EC-91B2-4F3FF226EA14} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-3805180030-359751056-14507808-1000 => C:\Program Files (x86)\RealNetworks\RealDownloader\RealUpgrade.exe [2014-09-26] (RealNetworks, Inc.)
Task: {ABEA357E-002D-452D-A92A-53E5C9FB41C7} - System32\Tasks\{FE6C16A6-5CD2-4294-BC49-42F933F70462} => pcalua.exe -a C:\Zip\unrarw32.exe -d C:\Zip
Task: {C2328268-1579-4A7B-B9D1-E01ABB642722} - System32\Tasks\NNYOXBV => C:\ProgramData\3a8e94626c7e455eab9ee6b45c18d0d0\3a8e94626c7e455eab9ee6b45c18d0d0.exe
Task: {CC99F6E1-0075-407B-9336-D39434F9EB6F} - System32\Tasks\RealDownloader Update Check => C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe [2014-09-23] ()
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\HPNWPFB.job => C:\Users\Jeremy\AppData\Roaming\HPNWPFB.exe <==== ATTENTION
Task: C:\Windows\Tasks\PAJPOO.job => C:\Users\Jeremy\AppData\Roaming\PAJPOO.exe <==== ATTENTION
 
==================== Loaded Modules (whitelisted) =============
 
2014-09-26 09:18 - 2014-09-26 09:18 - 00039568 _____ () C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
2014-09-26 14:14 - 2014-09-26 14:14 - 00031344 _____ () C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe
2014-07-04 15:08 - 2006-09-20 07:35 - 00020480 _____ () C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
2014-07-04 15:08 - 2006-10-30 15:59 - 00024576 _____ () C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe
2014-09-23 13:54 - 2014-09-23 13:54 - 00551488 _____ () C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe
2014-10-19 23:16 - 2014-10-19 23:16 - 00865880 _____ () c:\program files (x86)\real\realplayer\RPDS\Plugins\cldplin.dll
2014-09-26 14:13 - 2014-09-26 14:13 - 00035464 _____ () C:\Program Files (x86)\Real\UpdateService\DL2UpdatePlugin.dll
2014-09-26 14:13 - 2014-09-26 14:13 - 00035976 _____ () C:\Program Files (x86)\Real\UpdateService\RealDownloaderUpdatePlugin.dll
2014-09-26 14:13 - 2014-09-26 14:13 - 00033400 _____ () C:\Program Files (x86)\Real\UpdateService\RPDSUpdatePlugin.dll
2014-09-26 14:13 - 2014-09-26 14:13 - 00034456 _____ () C:\Program Files (x86)\Real\UpdateService\VideoDLUpdatePlugin.dll
2013-10-03 19:55 - 2009-07-24 13:29 - 00077824 _____ () C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\DTMessageLib.dll
2014-09-23 13:05 - 2014-09-23 13:05 - 01382048 _____ () C:\Program Files (x86)\RealNetworks\RealDownloader\cpprest100_1_2.dll
2014-09-23 13:54 - 2014-09-23 13:54 - 00064064 _____ () C:\Program Files (x86)\RealNetworks\RealDownloader\dtvhooks.dll
2015-01-18 14:37 - 2015-01-18 14:37 - 00098816 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32api.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00110080 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\pywintypes27.dll
2015-01-18 14:37 - 2015-01-18 14:37 - 00364544 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\pythoncom27.dll
2015-01-18 14:37 - 2015-01-18 14:37 - 00045568 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\_socket.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 01160704 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\_ssl.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00320512 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32com.shell.shell.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00713216 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\_hashlib.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 01175040 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\wx._core_.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00805888 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\wx._gdi_.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00811008 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\wx._windows_.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 01062400 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\wx._controls_.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00735232 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\wx._misc_.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00128512 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\_elementtree.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00127488 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\pyexpat.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00557056 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\pysqlite2._sqlite.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00087552 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\_ctypes.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00119808 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32file.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00108544 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32security.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00007168 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\hashobjs_ext.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00167936 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32gui.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00018432 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32event.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00038912 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32inet.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00011264 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32crypt.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00070656 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\wx._html2.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00027136 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\_multiprocessing.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00035840 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32process.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00686080 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\unicodedata.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00122368 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\wx._wizard.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00024064 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32pipe.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00025600 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32pdh.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00525640 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\windows._lib_cacheinvalidation.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00010240 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\select.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00017408 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32profile.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00022528 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\win32ts.pyd
2015-01-18 14:37 - 2015-01-18 14:37 - 00078336 _____ () C:\Users\Jeremy\AppData\Local\Temp\_MEI28722\wx._animate.pyd
2014-12-12 18:23 - 2014-12-05 20:50 - 01077064 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\libglesv2.dll
2014-12-12 18:23 - 2014-12-05 20:50 - 00211272 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\libegl.dll
2014-12-12 18:23 - 2014-12-05 20:50 - 09009480 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\pdf.dll
2014-12-12 18:23 - 2014-12-05 20:50 - 01677128 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\ffmpegsumo.dll
2014-12-12 18:23 - 2014-12-05 20:50 - 14913352 _____ () C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwf.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\cmwr.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cmwf.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\cmwr.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ColorMedia => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\myradioplayer => ""="service"
 
==================== EXE Association (whitelisted) =============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== MSCONFIG/TASK MANAGER disabled items =========
 
(Currently there is no automatic fix for this section.)
 
 
========================= Accounts: ==========================
 
Administrator (S-1-5-21-3805180030-359751056-14507808-500 - Administrator - Disabled)
Guest (S-1-5-21-3805180030-359751056-14507808-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3805180030-359751056-14507808-1002 - Limited - Enabled)
Jeremy (S-1-5-21-3805180030-359751056-14507808-1000 - Administrator - Enabled) => C:\Users\Jeremy
 
==================== Faulty Device Manager Devices =============
 
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
Name: PS/2 Compatible Mouse
Description: PS/2 Compatible Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
Name: Standard PS/2 Keyboard
Description: Standard PS/2 Keyboard
Class Guid: {4d36e96b-e325-11ce-bfc1-08002be10318}
Manufacturer: (Standard keyboards)
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (01/18/2015 03:10:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: taskbarcpl.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c9da
Exception code: 0xc000041d
Fault offset: 0x000000000000c12f
Faulting process id: 0xbbf4
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3
 
Error: (01/18/2015 03:10:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: taskbarcpl.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c9da
Exception code: 0xc0000005
Fault offset: 0x000000000000c12f
Faulting process id: 0xbbf4
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3
 
Error: (01/18/2015 03:10:20 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: taskbarcpl.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c9da
Exception code: 0xc000041d
Fault offset: 0x000000000000c12f
Faulting process id: 0x13fd4
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3
 
Error: (01/18/2015 03:10:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: taskbarcpl.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c9da
Exception code: 0xc0000005
Fault offset: 0x000000000000c12f
Faulting process id: 0x13fd4
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3
 
Error: (01/18/2015 03:09:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: taskbarcpl.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c9da
Exception code: 0xc000041d
Fault offset: 0x000000000000c12f
Faulting process id: 0x13dac
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3
 
Error: (01/18/2015 03:09:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: taskbarcpl.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c9da
Exception code: 0xc0000005
Fault offset: 0x000000000000c12f
Faulting process id: 0x13dac
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3
 
Error: (01/18/2015 03:09:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: taskbarcpl.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c9da
Exception code: 0xc000041d
Fault offset: 0x000000000000c12f
Faulting process id: 0xa71c
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3
 
Error: (01/18/2015 03:09:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: taskbarcpl.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c9da
Exception code: 0xc000041d
Fault offset: 0x000000000000c12f
Faulting process id: 0xa71c
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3
 
Error: (01/18/2015 03:09:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: taskbarcpl.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c9da
Exception code: 0xc0000005
Fault offset: 0x000000000000c12f
Faulting process id: 0xa71c
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3
 
Error: (01/18/2015 03:09:28 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17567, time stamp: 0x4d672ee4
Faulting module name: taskbarcpl.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c9da
Exception code: 0xc000041d
Fault offset: 0x000000000000c12f
Faulting process id: 0x13fe0
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3
 
 
System errors:
=============
Error: (01/18/2015 03:36:51 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {3EEF301F-B596-4C0B-BD92-013BEAFCE793}
 
 
Microsoft Office Sessions:
=========================
Error: (01/18/2015 03:10:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.1.7601.175674d672ee4taskbarcpl.dll6.1.7601.175144ce7c9dac000041d000000000000c12fbbf401d0335ad39178afC:\Windows\explorer.exeC:\Windows\System32\taskbarcpl.dll136d66f0-9f4e-11e4-b73d-0024811d44b8
 
Error: (01/18/2015 03:10:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.1.7601.175674d672ee4taskbarcpl.dll6.1.7601.175144ce7c9dac0000005000000000000c12fbbf401d0335ad39178afC:\Windows\explorer.exeC:\Windows\System32\taskbarcpl.dll117985f6-9f4e-11e4-b73d-0024811d44b8
 
Error: (01/18/2015 03:10:20 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.1.7601.175674d672ee4taskbarcpl.dll6.1.7601.175144ce7c9dac000041d000000000000c12f13fd401d0335ac6abe413C:\Windows\explorer.exeC:\Windows\System32\taskbarcpl.dll068c9514-9f4e-11e4-b73d-0024811d44b8
 
Error: (01/18/2015 03:10:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.1.7601.175674d672ee4taskbarcpl.dll6.1.7601.175144ce7c9dac0000005000000000000c12f13fd401d0335ac6abe413C:\Windows\explorer.exeC:\Windows\System32\taskbarcpl.dll0493f15a-9f4e-11e4-b73d-0024811d44b8
 
Error: (01/18/2015 03:09:57 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.1.7601.175674d672ee4taskbarcpl.dll6.1.7601.175144ce7c9dac000041d000000000000c12f13dac01d0335ab92471e4C:\Windows\explorer.exeC:\Windows\System32\taskbarcpl.dllf9006025-9f4d-11e4-b73d-0024811d44b8
 
Error: (01/18/2015 03:09:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.1.7601.175674d672ee4taskbarcpl.dll6.1.7601.175144ce7c9dac0000005000000000000c12f13dac01d0335ab92471e4C:\Windows\explorer.exeC:\Windows\System32\taskbarcpl.dllf70c7f2b-9f4d-11e4-b73d-0024811d44b8
 
Error: (01/18/2015 03:09:45 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.1.7601.175674d672ee4taskbarcpl.dll6.1.7601.175144ce7c9dac000041d000000000000c12fa71c01d0335aafc04410C:\Windows\explorer.exeC:\Windows\System32\taskbarcpl.dllf17382c7-9f4d-11e4-b73d-0024811d44b8
 
Error: (01/18/2015 03:09:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.1.7601.175674d672ee4taskbarcpl.dll6.1.7601.175144ce7c9dac000041d000000000000c12fa71c01d0335aafc04410C:\Windows\explorer.exeC:\Windows\System32\taskbarcpl.dllef9c3250-9f4d-11e4-b73d-0024811d44b8
 
Error: (01/18/2015 03:09:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.1.7601.175674d672ee4taskbarcpl.dll6.1.7601.175144ce7c9dac0000005000000000000c12fa71c01d0335aafc04410C:\Windows\explorer.exeC:\Windows\System32\taskbarcpl.dlleda5eff6-9f4d-11e4-b73d-0024811d44b8
 
Error: (01/18/2015 03:09:28 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: explorer.exe6.1.7601.175674d672ee4taskbarcpl.dll6.1.7601.175144ce7c9dac000041d000000000000c12f13fe001d0335aa734b374C:\Windows\explorer.exeC:\Windows\System32\taskbarcpl.dlle7cf0fca-9f4d-11e4-b73d-0024811d44b8
 
 
CodeIntegrity Errors:
===================================
  Date: 2015-01-18 15:34:59.153
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-01-18 15:06:43.638
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-01-18 14:54:20.438
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-01-18 14:37:04.588
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-01-17 22:01:48.042
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-01-17 21:25:24.237
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-01-17 19:07:59.700
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-01-17 18:50:29.246
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-01-17 17:44:38.225
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-01-17 15:19:48.489
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume3\Windows\System32\hmpalert.dll because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 Duo CPU E8500 @ 3.16GHz
Percentage of memory in use: 56%
Total physical RAM: 3991.25 MB
Available physical RAM: 1731.6 MB
Total Pagefile: 7980.68 MB
Available Pagefile: 5542.46 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:913.88 GB) (Free:834.22 GB) NTFS
Drive d: (RETURN_KING_EXT_D1) (CDROM) (Total:7.36 GB) (Free:0 GB) UDF
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 9D339448)
Partition 1: (Not Active) - (Size=11.7 GB) - (Type=27)
Partition 2: (Active) - (Size=5.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=913.9 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 


#5 fireman4it (Malware Response Team)

Posted 18 January 2015 - 04:09 PM

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

Attached File: fixlist.txt (28.95KB, 10 downloads)

Let me know how the machine is running after this fix.


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 Phil Schwarz (Topic Starter)

Posted 18 January 2015 - 05:11 PM

Hi Fireman4IT --

 

Thanks for the quick response.

One question before I apply this FRST64 fixlist --

FRST64 flagged HKLM Group Policy restrictions that I had intentionally put into place, to guard against inadvertent activation of CryptoLocker and similar threats that could encrypt or destroy contents of file systems on this machine or on others in the local area network.  Is it OK for me to remove the lines for these group policy restrictions from the fixlist, before I apply it?  I don't want FRST64 to remove the restrictions.

 

Thanks...



#7 fireman4it (Malware Response Team)

Posted 18 January 2015 - 05:20 PM

Yes that would be fine.




#8 Phil Schwarz (Topic Starter)

Posted 18 January 2015 - 05:40 PM

FRST64 was not able to remove cmwf.sys or cmwr.sys from c:\windows\system32\drivers.

Registry keys causing those drivers to load in safeboot and regular startup appear to be intact still.

 

FRST64 fix results:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-01-2015 01
Ran by Jeremy at 2015-01-18 17:31:25 Run:1
Running from C:\Program Files (x86)\BleepingComputer
Loaded Profiles: Jeremy (Available profiles: Jeremy)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
FF HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Firefox\Extensions: [{09A29523-659E-5B10-EA0A-1632B50980B3}] - C:\Program Files (x86)\ver0SpeeditUp\186.xpi
C:\Program Files (x86)\ver0SpeeditUp
CHR HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
R1 cmwf; C:\Windows\system32\Drivers\cmwf.sys [33952 2015-01-07] () [File not signed]
R1 cmwr; C:\Windows\system32\Drivers\cmwr.sys [45216 2015-01-07] () [File not signed]
C:\Windows\system32\Drivers\cmwf.sys
C:\Windows\system32\Drivers\cmwr.sys
R2 webinstrNHKT; C:\Windows\system32\Drivers\webinstrNHKT.sys [56432 2015-01-16] (Corsica)
C:\Windows\system32\Drivers\webinstrNHKT.sys
R1 cherimoya; C:\Windows\System32\drivers\cherimoya.sys [60376 2015-01-06] (Cherimoya Ltd)
C:\Windows\System32\drivers\cherimoya.sys
Task: {2679E88C-673D-434A-961D-662F9D93C991} - System32\Tasks\gtaUpt => C:\Program Files\shopperz\zaeed.bat
Task: {36A7E3A1-A2C7-4EFB-AB39-737021D8D719} - System32\Tasks\PAJPOO => C:\Users\Jeremy\AppData\Roaming\PAJPOO.exe <==== ATTENTION
Task: C:\Windows\Tasks\HPNWPFB.job => C:\Users\Jeremy\AppData\Roaming\HPNWPFB.exe <==== ATTENTION
Task: C:\Windows\Tasks\PAJPOO.job => C:\Users\Jeremy\AppData\Roaming\PAJPOO.exe <==== ATTENTION
Task: {ABEA357E-002D-452D-A92A-53E5C9FB41C7} - System32\Tasks\{FE6C16A6-5CD2-4294-BC49-42F933F70462} => pcalua.exe -a C:\Zip\unrarw32.exe -d C:\Zip
Task: {C2328268-1579-4A7B-B9D1-E01ABB642722} - System32\Tasks\NNYOXBV => C:\ProgramData\3a8e94626c7e455eab9ee6b45c18d0d0\3a8e94626c7e455eab9ee6b45c18d0d0.exe
 
 
*****************
 
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-21-3805180030-359751056-14507808-1000\Software\Mozilla\Firefox\Extensions\\{09A29523-659E-5B10-EA0A-1632B50980B3} => value deleted successfully.
"C:\Program Files (x86)\ver0SpeeditUp" => File/Directory not found.
"HKU\S-1-5-21-3805180030-359751056-14507808-1000\SOFTWARE\Google\Chrome\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh" => Key deleted successfully.
cmwf => Unable to stop service
cmwf => Error deleting Service
cmwr => Unable to stop service
cmwr => Error deleting Service
Could not move "C:\Windows\system32\Drivers\cmwf.sys" => Scheduled to move on reboot.
Could not move "C:\Windows\system32\Drivers\cmwr.sys" => Scheduled to move on reboot.
webinstrNHKT => Service stopped successfully.
webinstrNHKT => Service deleted successfully.
C:\Windows\system32\Drivers\webinstrNHKT.sys => Moved successfully.
cherimoya => Unable to stop service
cherimoya => Service deleted successfully.
C:\Windows\System32\drivers\cherimoya.sys => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2679E88C-673D-434A-961D-662F9D93C991}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2679E88C-673D-434A-961D-662F9D93C991}" => Key deleted successfully.
C:\Windows\System32\Tasks\gtaUpt => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\gtaUpt" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{36A7E3A1-A2C7-4EFB-AB39-737021D8D719}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{36A7E3A1-A2C7-4EFB-AB39-737021D8D719}" => Key deleted successfully.
C:\Windows\System32\Tasks\PAJPOO => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PAJPOO" => Key deleted successfully.
C:\Windows\Tasks\HPNWPFB.job => Moved successfully.
C:\Windows\Tasks\PAJPOO.job => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{ABEA357E-002D-452D-A92A-53E5C9FB41C7}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{ABEA357E-002D-452D-A92A-53E5C9FB41C7}" => Key deleted successfully.
C:\Windows\System32\Tasks\{FE6C16A6-5CD2-4294-BC49-42F933F70462} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{FE6C16A6-5CD2-4294-BC49-42F933F70462}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C2328268-1579-4A7B-B9D1-E01ABB642722}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C2328268-1579-4A7B-B9D1-E01ABB642722}" => Key deleted successfully.
C:\Windows\System32\Tasks\NNYOXBV => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\NNYOXBV" => Key deleted successfully.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-01-18 17:33:22)<=
 
"C:\Windows\system32\Drivers\cmwf.sys" => File could not move.
"C:\Windows\system32\Drivers\cmwr.sys" => File could not move.
 
==== End of Fixlog 17:33:22 ====
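
An added example, not part of the thread or of FRST itself: a small Python parser that cross-checks a FRST fixlist against the Fixlog it produced, the way the post above does by eye, and flags the services whose registry key or driver file survived the fix as well as the drivers FRST lists as unsigned. The sample lines are constructed in the style of the fixlist and Fixlog quoted above; the field names and helper functions are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the FRST fixlist / Fixlog format quoted in this thread.
SAMPLE_FIXLIST = r"""
R1 cmwf; C:\Windows\system32\Drivers\cmwf.sys [33952 2015-01-07] () [File not signed]
R1 cmwr; C:\Windows\system32\Drivers\cmwr.sys [45216 2015-01-07] () [File not signed]
R2 webinstrNHKT; C:\Windows\system32\Drivers\webinstrNHKT.sys [56432 2015-01-16] (Corsica)
R1 cherimoya; C:\Windows\System32\drivers\cherimoya.sys [60376 2015-01-06] (Cherimoya Ltd)
"""

SAMPLE_FIXLOG = r"""
cmwf => Unable to stop service
cmwf => Error deleting Service
cmwr => Unable to stop service
cmwr => Error deleting Service
Could not move "C:\Windows\system32\Drivers\cmwf.sys" => Scheduled to move on reboot.
Could not move "C:\Windows\system32\Drivers\cmwr.sys" => Scheduled to move on reboot.
webinstrNHKT => Service stopped successfully.
webinstrNHKT => Service deleted successfully.
C:\Windows\system32\Drivers\webinstrNHKT.sys => Moved successfully.
cherimoya => Unable to stop service
cherimoya => Service deleted successfully.
C:\Windows\System32\drivers\cherimoya.sys => Moved successfully.
"C:\Windows\system32\Drivers\cmwf.sys" => File could not move.
"C:\Windows\system32\Drivers\cmwr.sys" => File could not move.
"""

# One FRST service/driver line:
#   "<R|S><start type> <name>; <path> [<size> <date>] (<company>) [File not signed]"
SERVICE_RE = re.compile(
    r"^[RS]\d (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] "
    r"\((?P<company>[^)]*)\)(?P<unsigned> \[File not signed\])?$"
)


@dataclass
class ServiceEntry:
    name: str
    path: str
    size: int
    date: str
    company: str
    signed: bool
    service_deleted: bool = False   # set from "<name> => Service deleted successfully."
    file_moved: bool = False        # set from "<path> => Moved successfully."


def parse_fixlist(text: str) -> dict:
    """Collect the service/driver entries from a fixlist, keyed by service name."""
    entries = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            entries[m["name"]] = ServiceEntry(
                name=m["name"], path=m["path"], size=int(m["size"]),
                date=m["date"], company=m["company"], signed=m["unsigned"] is None)
    return entries


def apply_fixlog(entries: dict, text: str) -> dict:
    """Mark which entries FRST reports as actually removed, matched by name or by path."""
    by_path = {e.path.lower(): e for e in entries.values()}
    for line in text.splitlines():
        subject, sep, outcome = line.strip().partition(" => ")
        if not sep:
            continue                      # not an "X => result" line
        subject = subject.strip('"')      # paths in the Fixlog may be quoted
        if subject in entries and outcome.startswith("Service deleted successfully"):
            entries[subject].service_deleted = True
        elif subject.lower() in by_path and outcome.startswith("Moved successfully"):
            by_path[subject.lower()].file_moved = True
    return entries


def surviving(entries: dict) -> list:
    """Names whose registry key or file is still present after the fix ran."""
    return sorted(n for n, e in entries.items() if not (e.service_deleted and e.file_moved))


def unsigned(entries: dict) -> list:
    """Names FRST listed with the [File not signed] marker."""
    return sorted(n for n, e in entries.items() if not e.signed)


if __name__ == "__main__":
    found = apply_fixlog(parse_fixlist(SAMPLE_FIXLIST), SAMPLE_FIXLOG)
    for name in surviving(found):
        e = found[name]
        print(f"{name}: key deleted={e.service_deleted} file moved={e.file_moved} "
              f"signed={e.signed} ({e.path})")
```

On the sample above the report names only cmwf and cmwr, the two drivers whose key and file both survived, which is exactly the situation that leads to the recovery-environment run in the next post.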


#9 fireman4it (Malware Response Team)

Posted 18 January 2015 - 06:50 PM


For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.


On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 


Edited by fireman4it, 18 January 2015 - 06:56 PM.



#10 Phil Schwarz (Topic Starter)

Posted 18 January 2015 - 09:56 PM

Ah -- excellent -- I didn't realize that FRST could run from a flash drive visible to a Win7 recovery boot.

(Last time I had to disinfect a Windows computer it was WinXP... no such luxury in that environment :-).)

And I didn't realize that FRST was smart enough to detect that it was running on a recovery boot, and find and scan the main Windows partition on the hard disk...

 

Running the fix this way should indeed let us get rid of the driver binaries and registry entries.

Awaiting your fix file... here's the scan report...

 

FRST.txt from FRST64.exe run from flash drive under recovery boot:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-01-2015 03
Ran by SYSTEM on MININT-0N7DB0L on 18-01-2015 21:35:12
Running from g:\
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [picon] => C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe [796696 2009-07-24] (Intel Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [MFNetworkScanUtility] => C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE [486552 2012-09-27] (CANON INC.)
HKLM\...\Run: [WrtMon.exe] => C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2006-09-20] ()
HKLM-x32\...\Run: [SoundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1314816 2009-05-18] (Analog Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [296520 2014-10-19] (RealNetworks, Inc.)
HKLM-x32\...\Run: [RealDownloader] => C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe [551488 2014-09-23] ()
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binpif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binexe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bincom <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binscr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\Jeremy\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [22869088 2014-10-21] (Google)
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2008-07-15] (Andrea Electronics Corporation)
S3 dkab_device; C:\Windows\system32\DKabcoms.exe [476568 2006-10-21] ( )
S3 dkab_device; C:\Windows\SysWOW64\DKabcoms.exe [508824 2006-10-21] ( )
S2 hmpalertsvc; C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1876816 2014-07-19] (SurfRight B.V.)
S2 LMS; C:\Program Files (x86)\Intel\AMT\LMS.exe [174616 2009-07-24] (Intel Corporation)
S2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
S3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
S2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39568 2014-09-26] ()
S2 RealPlayer Cloud Service; c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [1141848 2014-10-19] (RealNetworks, Inc.)
S2 RealPlayerUpdateSvc; C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [31344 2014-09-26] ()
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2010-06-25] (CACE Technologies, Inc.)
S2 UNS; C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2009-07-24] (Intel Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S1 cmwf; C:\Windows\system32\Drivers\cmwf.sys [33952 2015-01-07] (CartCrunch Israel Ltd.)
S1 cmwr; C:\Windows\system32\Drivers\cmwr.sys [45216 2015-01-07] (CartCrunch Israel Ltd.)
S2 hmpalert; C:\Windows\System32\drivers\hmpalert.sys [93144 2014-07-21] ()
S0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
S2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
S2 NPF; C:\Windows\System32\drivers\npf.sys [35344 2010-06-25] (CACE Technologies, Inc.)
S3 usbio; C:\Windows\System32\Drivers\dsiarhwprog_x64.sys [54640 2013-03-19] (Thesycon GmbH, Germany)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-18 18:22 - 2015-01-18 18:22 - 02126848 _____ (Farbar) C:\Users\Jeremy\Downloads\FRST64.exe
2015-01-18 12:06 - 2015-01-18 12:06 - 00000634 _____ () C:\Users\Jeremy\Desktop\JRT.txt
2015-01-17 18:41 - 2015-01-17 18:42 - 00000000 ____D () C:\BleepingComputer
2015-01-17 18:39 - 2015-01-17 18:39 - 00017476 _____ () C:\Users\Jeremy\Desktop\dds.txt
2015-01-17 18:39 - 2015-01-17 18:39 - 00007252 _____ () C:\Users\Jeremy\Desktop\attach.txt
2015-01-17 12:18 - 2015-01-17 12:18 - 01686759 _____ () C:\Users\Jeremy\Downloads\PSTools.zip
2015-01-17 10:58 - 2015-01-18 21:35 - 00000000 ____D () C:\FRST
2015-01-17 10:04 - 2015-01-17 10:05 - 00000000 ____D () C:\Program Files (x86)\no$gba
2015-01-17 10:03 - 2015-01-17 10:03 - 00191678 _____ () C:\Users\Jeremy\Downloads\no$gba-w.zip
2015-01-16 14:31 - 2015-01-16 14:31 - 00021976 _____ () C:\Windows\System32\Drivers\SPPD.sys
2015-01-16 13:45 - 2015-01-07 18:07 - 00045216 _____ (CartCrunch Israel Ltd.) C:\Windows\System32\Drivers\cmwr.sys
2015-01-16 13:45 - 2015-01-07 18:07 - 00033952 _____ (CartCrunch Israel Ltd.) C:\Windows\System32\Drivers\cmwf.sys
2015-01-16 13:45 - 2015-01-07 17:54 - 00370688 _____ (CartCrunch Israel Ltd.) C:\Windows\System32\ColorMedia64.dll
2015-01-16 13:45 - 2015-01-07 17:54 - 00324776 _____ (CartCrunch Israel Ltd.) C:\Windows\SysWOW64\ColorMedia.dll
2015-01-16 13:31 - 2015-01-16 13:31 - 00000000 ____D () C:\Program Files (x86)\7-Zip
2015-01-16 13:21 - 2015-01-16 13:21 - 00000064 _____ () C:\Users\Jeremy\AppData\Local\90c44f312ec5676ae73fdad19d917baa
2015-01-16 13:19 - 2015-01-16 13:19 - 00004714 _____ () C:\Windows\System32\Tasks\HPNWPFB
2015-01-14 17:07 - 2015-01-14 17:07 - 15689724 _____ () C:\Users\Jeremy\Downloads\3DS Emu_v3.5_patched.zip
2015-01-14 16:52 - 2015-01-14 16:52 - 00793119 _____ () C:\Users\Jeremy\Downloads\3DS-Emulator-v3.0.41.rar
2015-01-14 15:09 - 2015-01-14 15:10 - 42831026 _____ () C:\Users\Jeremy\Downloads\Pokemon Heart Gold NTEVO.rar
2015-01-14 15:08 - 2015-01-14 15:09 - 42829949 _____ () C:\Users\Jeremy\Downloads\Pokemon Soul Silver NTEVO.rar
2015-01-13 19:39 - 2015-01-13 19:39 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-13 13:13 - 2014-12-18 19:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2015-01-13 13:13 - 2014-12-18 17:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\System32\Drivers\mrxdav.sys
2015-01-13 13:13 - 2014-12-11 21:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2015-01-13 13:13 - 2014-12-11 21:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\System32\srcore.dll
2015-01-13 13:13 - 2014-12-11 21:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\System32\rstrui.exe
2015-01-13 13:13 - 2014-12-11 21:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\System32\srclient.dll
2015-01-13 13:13 - 2014-12-11 21:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-13 13:13 - 2014-12-11 21:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-13 13:13 - 2014-12-11 21:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-13 13:13 - 2014-12-11 09:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\System32\TSWbPrxy.exe
2015-01-13 13:13 - 2014-12-05 20:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\System32\nlasvc.dll
2015-01-13 13:13 - 2014-12-05 19:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-13 13:13 - 2014-12-05 19:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-11 15:12 - 2015-01-11 15:12 - 00181160 _____ () C:\Users\Jeremy\Downloads\no$gba-w_2.7a.zip
2015-01-11 13:52 - 2014-07-04 12:37 - 00001416 _____ () C:\Users\Jeremy\Desktop\Internet Explorer.lnk
2015-01-11 12:50 - 2015-01-11 12:50 - 05347971 _____ () C:\Users\Jeremy\Downloads\Pokemon FireRed.zip
2015-01-11 08:46 - 2015-01-13 17:59 - 00000000 ____D () C:\Program Files (x86)\Radio Player Live
2015-01-11 08:45 - 2015-01-13 18:26 - 00000000 ____D () C:\Program Files (x86)\uanisales
2015-01-11 08:45 - 2015-01-13 17:59 - 00000000 ____D () C:\Program Files (x86)\unIsaleoss
2015-01-11 08:43 - 2015-01-11 08:43 - 01136320 _____ () C:\Users\Jeremy\Downloads\Pokemon_Sapphire_Version_USA.exe
2015-01-11 08:39 - 2015-01-11 08:39 - 00007548 _____ () C:\Users\Jeremy\Downloads\js.js
2015-01-07 13:44 - 2015-01-07 13:54 - 42712969 _____ () C:\Users\Jeremy\Downloads\moo.rar
2015-01-05 15:15 - 2015-01-16 14:30 - 00000000 ____D () C:\Users\Jeremy\Desktop\NDS and GBA Games and emulators
2015-01-05 15:11 - 2015-01-05 15:11 - 42557718 _____ () C:\Users\Jeremy\Downloads\4787 - Pokemon - HeartGold Version (U).rar
2015-01-05 12:32 - 2015-01-05 12:36 - 00000000 ____D () C:\ProgramData\WinZip
2015-01-05 12:24 - 2015-01-05 12:24 - 00906024 _____ ( ) C:\Users\Jeremy\Downloads\winzip19-mediafire.exe.6i4yyhg.partial
2014-12-31 12:26 - 2014-12-31 12:26 - 00762704 _____ ( ) C:\Users\Jeremy\Desktop\CR_Downloader_for_no$gba.exe
2014-12-30 18:28 - 2014-12-30 18:28 - 00000227 _____ () C:\Users\Jeremy\Desktop\How to get Wi-Fi with DeSmuME - YouTube.URL
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-18 18:31 - 2014-07-21 20:26 - 00000000 ____D () C:\Windows\CryptoGuard
2015-01-18 18:30 - 2014-07-21 18:03 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-18 18:30 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-18 18:30 - 2009-07-13 20:51 - 00055996 _____ () C:\Windows\setupact.log
2015-01-18 18:29 - 2014-07-04 11:10 - 01562250 _____ () C:\Windows\WindowsUpdate.log
2015-01-18 18:24 - 2009-07-13 21:13 - 00781298 _____ () C:\Windows\System32\PerfStringBackup.INI
2015-01-18 18:21 - 2009-07-13 20:45 - 00031904 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-18 18:21 - 2009-07-13 20:45 - 00031904 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-18 18:20 - 2014-07-21 18:03 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-18 18:14 - 2014-10-28 13:07 - 00000000 ___RD () C:\Users\Jeremy\Google Drive
2015-01-18 14:32 - 2010-11-20 19:47 - 00230298 _____ () C:\Windows\PFRO.log
2015-01-18 14:31 - 2014-07-04 11:19 - 00000000 ____D () C:\Program Files (x86)\BleepingComputer
2015-01-18 11:55 - 2013-10-03 16:56 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-17 12:20 - 2014-07-04 11:20 - 00000000 ____D () C:\Program Files (x86)\Sysinternals
2015-01-17 11:56 - 2014-08-02 12:40 - 00000000 ____D () C:\Program Files (x86)\Kaspersky
2015-01-17 10:17 - 2014-07-18 13:30 - 00000000 ____D () C:\AdwCleaner
2015-01-17 09:43 - 2014-07-04 11:38 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\System32\Drivers\MBAMSwissArmy.sys
2015-01-16 13:45 - 2014-12-09 12:39 - 00002033 _____ () C:\Windows\patsearch.bin
2015-01-16 13:41 - 2014-07-04 12:54 - 00000000 ____D () C:\Users\Jeremy\AppData\Local\Microsoft Games
2015-01-16 13:25 - 2013-10-03 16:54 - 00000000 ____D () C:\Program Files (x86)\Analog Devices
2015-01-16 13:07 - 2009-07-13 19:20 - 00000000 ____D () C:\Windows\System32\NDF
2015-01-14 00:02 - 2014-07-04 13:38 - 00000000 ____D () C:\Windows\System32\MRT
2015-01-14 00:00 - 2014-07-04 13:38 - 113365784 _____ (Microsoft Corporation) C:\Windows\System32\MRT.exe
2015-01-13 21:55 - 2013-10-03 16:56 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-13 21:55 - 2013-10-03 16:56 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-13 21:55 - 2013-10-03 16:56 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-13 20:29 - 2014-07-28 18:23 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-11 12:57 - 2014-10-19 15:33 - 00000000 ____D () C:\Users\Jeremy\Desktop\BFME Maps, Save, and Files
2015-01-05 12:36 - 2014-07-15 13:49 - 00000000 ____D () C:\Windows\System32\appmgmt
2014-12-31 03:14 - 2010-11-20 19:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2014-12-22 14:19 - 2014-12-16 14:09 - 00000000 ____D () C:\Users\Jeremy\Desktop\Halo maps, mods and files
 
Files to move or delete:
====================
C:\Users\Jeremy\7z935.exe
C:\Users\Jeremy\DivXInstaller.exe
C:\Users\Jeremy\googleupdatesetup.exe
C:\Users\Jeremy\RealPlayerCloud.exe
C:\Users\Jeremy\xfire_installer_46139.exe
 
 
Some content of TEMP:
====================
C:\Users\Jeremy\AppData\Local\Temp\17EB1411-0D1A-6DF9-98D4-BDAC78646837.dll
C:\Users\Jeremy\AppData\Local\Temp\17EB1411-0D1A-6DF9-98D4-BDAC78646837.exe
C:\Users\Jeremy\AppData\Local\Temp\37230C07-3CAC-B478-D5F0-EE91D93FB296.exe
C:\Users\Jeremy\AppData\Local\Temp\8SkF6WTVKH.exe
C:\Users\Jeremy\AppData\Local\Temp\AE793DB8-DF2C-13B5-9D1E-6C1EF0B5B1EE.exe
C:\Users\Jeremy\AppData\Local\Temp\AutoRun.exe
C:\Users\Jeremy\AppData\Local\Temp\AutoRunGUI.dll
C:\Users\Jeremy\AppData\Local\Temp\BAC667ED-76D4-0586-1876-B5C8A457564D.dll
C:\Users\Jeremy\AppData\Local\Temp\BAC667ED-76D4-0586-1876-B5C8A457564D.exe
C:\Users\Jeremy\AppData\Local\Temp\CloudBackup3173.exe
C:\Users\Jeremy\AppData\Local\Temp\CloudBackup4705.exe
C:\Users\Jeremy\AppData\Local\Temp\comver.dll
C:\Users\Jeremy\AppData\Local\Temp\eauninstall.exe
C:\Users\Jeremy\AppData\Local\Temp\FeXEx3NDnb.exe
C:\Users\Jeremy\AppData\Local\Temp\FreemakeVideoDownloader_3.7.0.17.exe
C:\Users\Jeremy\AppData\Local\Temp\I695Ubx0EC.exe
C:\Users\Jeremy\AppData\Local\Temp\J7tbu1HcSZ.exe
C:\Users\Jeremy\AppData\Local\Temp\lowproc.exe
C:\Users\Jeremy\AppData\Local\Temp\mQS1dbOET0.exe
C:\Users\Jeremy\AppData\Local\Temp\old haloupdate.exe
C:\Users\Jeremy\AppData\Local\Temp\optprosetup.exe
C:\Users\Jeremy\AppData\Local\Temp\oxntnJ1uqq.exe
C:\Users\Jeremy\AppData\Local\Temp\Quarantine.exe
C:\Users\Jeremy\AppData\Local\Temp\sdf5F90.exe
C:\Users\Jeremy\AppData\Local\Temp\sdfC989.exe
C:\Users\Jeremy\AppData\Local\Temp\SpOrder.dll
C:\Users\Jeremy\AppData\Local\Temp\sqlite3.dll
C:\Users\Jeremy\AppData\Local\Temp\stubhelper.dll
C:\Users\Jeremy\AppData\Local\Temp\The Battle for Middle-earth_uninst.exe
C:\Users\Jeremy\AppData\Local\Temp\z2nN3vH55B.exe
 
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== Restore Points  =========================
 
Restore point made on: 2014-12-22 13:53:04
Restore point made on: 2014-12-26 13:52:03
Restore point made on: 2014-12-30 13:52:25
Restore point made on: 2015-01-03 23:19:15
Restore point made on: 2015-01-05 12:36:31
Restore point made on: 2015-01-05 12:38:12
Restore point made on: 2015-01-08 07:14:37
Restore point made on: 2015-01-12 15:42:53
Restore point made on: 2015-01-14 00:00:20
Restore point made on: 2015-01-17 10:11:25
 
==================== Memory info =========================== 
 
Percentage of memory in use: 15%
Total physical RAM: 3991.25 MB
Available physical RAM: 3362.77 MB
Total Pagefile: 3989.45 MB
Available Pagefile: 3352.76 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:913.88 GB) (Free:834.15 GB) NTFS
Drive e: (Recovery) (Fixed) (Total:11.72 GB) (Free:8.42 GB) NTFS
Drive f: (RETURN_KING_EXT_D1) (CDROM) (Total:7.36 GB) (Free:0 GB) UDF
Drive g: (UDISK) (Removable) (Total:0.93 GB) (Free:0.65 GB) FAT
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: (SYSTEM) (Fixed) (Total:5.91 GB) (Free:5.88 GB) NTFS ==>[System with boot components (obtained from reading drive)]
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 9D339448)
Partition 1: (Not Active) - (Size=11.7 GB) - (Type=27)
Partition 2: (Active) - (Size=5.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=913.9 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 956 MB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=956 MB) - (Type=06)
 
 
LastRegBack: 2015-01-13 21:47
 
==================== End Of Log ============================


#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:29 AM

Posted 18 January 2015 - 10:03 PM

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt.

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Firefox\Extensions: [{09A29523-659E-5B10-EA0A-1632B50980B3}] - C:\Program Files (x86)\ver0SpeeditUp\186.xpi
C:\Program Files (x86)\ver0SpeeditUp
CHR HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
R1 cmwf; C:\Windows\system32\Drivers\cmwf.sys [33952 2015-01-07] () [File not signed]
R1 cmwr; C:\Windows\system32\Drivers\cmwr.sys [45216 2015-01-07] () [File not signed]
C:\Windows\system32\Drivers\cmwf.sys
C:\Windows\system32\Drivers\cmwr.sys
R2 webinstrNHKT; C:\Windows\system32\Drivers\webinstrNHKT.sys [56432 2015-01-16] (Corsica)
C:\Windows\system32\Drivers\webinstrNHKT.sys
R1 cherimoya; C:\Windows\System32\drivers\cherimoya.sys [60376 2015-01-06] (Cherimoya Ltd)
C:\Windows\System32\drivers\cherimoya.sys
Task: {2679E88C-673D-434A-961D-662F9D93C991} - System32\Tasks\gtaUpt => C:\Program Files\shopperz\zaeed.bat
Task: {36A7E3A1-A2C7-4EFB-AB39-737021D8D719} - System32\Tasks\PAJPOO => C:\Users\Jeremy\AppData\Roaming\PAJPOO.exe <==== ATTENTION
Task: C:\Windows\Tasks\HPNWPFB.job => C:\Users\Jeremy\AppData\Roaming\HPNWPFB.exe <==== ATTENTION
Task: C:\Windows\Tasks\PAJPOO.job => C:\Users\Jeremy\AppData\Roaming\PAJPOO.exe <==== ATTENTION
Task: {ABEA357E-002D-452D-A92A-53E5C9FB41C7} - System32\Tasks\{FE6C16A6-5CD2-4294-BC49-42F933F70462} => pcalua.exe -a C:\Zip\unrarw32.exe -d C:\Zip
Task: {C2328268-1579-4A7B-B9D1-E01ABB642722} - System32\Tasks\NNYOXBV => C:\ProgramData\3a8e94626c7e455eab9ee6b45c18d0d0\3a8e94626c7e455eab9ee6b45c18d0d0.exe

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.
On Windows XP: Now please boot into the BartPE CD.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 Phil Schwarz

Phil Schwarz
  • Topic Starter

  • Members
  • 484 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:29 AM

Posted 18 January 2015 - 10:50 PM

Progress -- FRST64 deleted the cmwf.sys and cmwr.sys driver binaries, as expected.

But I still see the registry entries there.

 

Do we need to delete those by hand (or with a .reg script)?

 

Here's the fixlog from the FRST64 fix run on the recovery boot:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 18-01-2015 03
Ran by SYSTEM at 2015-01-18 22:33:22 Run:2
Running from g:\
Boot Mode: Recovery
==============================================
 
Content of fixlist:
*****************
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Firefox\Extensions: [{09A29523-659E-5B10-EA0A-1632B50980B3}] - C:\Program Files (x86)\ver0SpeeditUp\186.xpi
C:\Program Files (x86)\ver0SpeeditUp
CHR HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
R1 cmwf; C:\Windows\system32\Drivers\cmwf.sys [33952 2015-01-07] () [File not signed]
R1 cmwr; C:\Windows\system32\Drivers\cmwr.sys [45216 2015-01-07] () [File not signed]
C:\Windows\system32\Drivers\cmwf.sys
C:\Windows\system32\Drivers\cmwr.sys
R2 webinstrNHKT; C:\Windows\system32\Drivers\webinstrNHKT.sys [56432 2015-01-16] (Corsica)
C:\Windows\system32\Drivers\webinstrNHKT.sys
R1 cherimoya; C:\Windows\System32\drivers\cherimoya.sys [60376 2015-01-06] (Cherimoya Ltd)
C:\Windows\System32\drivers\cherimoya.sys
Task: {2679E88C-673D-434A-961D-662F9D93C991} - System32\Tasks\gtaUpt => C:\Program Files\shopperz\zaeed.bat
Task: {36A7E3A1-A2C7-4EFB-AB39-737021D8D719} - System32\Tasks\PAJPOO => C:\Users\Jeremy\AppData\Roaming\PAJPOO.exe <==== ATTENTION
Task: C:\Windows\Tasks\HPNWPFB.job => C:\Users\Jeremy\AppData\Roaming\HPNWPFB.exe <==== ATTENTION
Task: C:\Windows\Tasks\PAJPOO.job => C:\Users\Jeremy\AppData\Roaming\PAJPOO.exe <==== ATTENTION
Task: {ABEA357E-002D-452D-A92A-53E5C9FB41C7} - System32\Tasks\{FE6C16A6-5CD2-4294-BC49-42F933F70462} => pcalua.exe -a C:\Zip\unrarw32.exe -d C:\Zip
Task: {C2328268-1579-4A7B-B9D1-E01ABB642722} - System32\Tasks\NNYOXBV => C:\ProgramData\3a8e94626c7e455eab9ee6b45c18d0d0\3a8e94626c7e455eab9ee6b45c18d0d0.exe
*****************
 
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = => Error: The entry should be fixed outside recovery mode.
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = => Error: The entry should be fixed outside recovery mode.
FF HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Firefox\Extensions: [{09A29523-659E-5B10-EA0A-1632B50980B3}] - C:\Program Files (x86)\ver0SpeeditUp\186.xpi => Error: The entry should be fixed outside recovery mode.
"C:\Program Files (x86)\ver0SpeeditUp" => File/Directory not found.
CHR HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path => Error: The entry should be fixed outside recovery mode.
cmwf => Service deleted successfully.
cmwr => Service deleted successfully.
C:\Windows\system32\Drivers\cmwf.sys => Moved successfully.
C:\Windows\system32\Drivers\cmwr.sys => Moved successfully.
webinstrNHKT => Service not found.
"C:\Windows\system32\Drivers\webinstrNHKT.sys" => File/Directory not found.
cherimoya => Service not found.
"C:\Windows\System32\drivers\cherimoya.sys" => File/Directory not found.
Task: {2679E88C-673D-434A-961D-662F9D93C991} - System32\Tasks\gtaUpt => C:\Program Files\shopperz\zaeed.bat => Error: The entry should be fixed outside recovery mode.
Task: {36A7E3A1-A2C7-4EFB-AB39-737021D8D719} - System32\Tasks\PAJPOO => C:\Users\Jeremy\AppData\Roaming\PAJPOO.exe <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\HPNWPFB.job => C:\Users\Jeremy\AppData\Roaming\HPNWPFB.exe <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
Task: C:\Windows\Tasks\PAJPOO.job => C:\Users\Jeremy\AppData\Roaming\PAJPOO.exe <==== ATTENTION => Error: The entry should be fixed outside recovery mode.
Task: {ABEA357E-002D-452D-A92A-53E5C9FB41C7} - System32\Tasks\{FE6C16A6-5CD2-4294-BC49-42F933F70462} => pcalua.exe -a C:\Zip\unrarw32.exe -d C:\Zip => Error: The entry should be fixed outside recovery mode.
Task: {C2328268-1579-4A7B-B9D1-E01ABB642722} - System32\Tasks\NNYOXBV => C:\ProgramData\3a8e94626c7e455eab9ee6b45c18d0d0\3a8e94626c7e455eab9ee6b45c18d0d0.exe => Error: The entry should be fixed outside recovery mode.
 
==== End of Fixlog 22:33:23 ====


#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,507 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:10:29 AM

Posted 19 January 2015 - 12:36 AM

Go ahead and delete them manually if you can. Then let me know how the machine is running. Please post a new FRST.txt also.



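The question in #12 (delete the leftover cmwf/cmwr registry entries by hand or with a .reg script) and the reply in #13 to delete them manually both come down to the same job: find every place a driver service is still registered across the numbered control sets after its binary has been moved. The PowerShell script below is an added example, not code from this thread, from FRST or from AdwCleaner. It audits those locations for each named service and reports them; deletion happens only with the explicit -Remove switch and honours -WhatIf. The default service names cmwf and cmwr come from the thread; the key layout it walks (Services\<name>, Control\SafeBoot\Minimal and Network\<name>.sys, Enum\Root\LEGACY_<NAME>) is the standard Windows one, and the function names and the script file name used in the usage note are my own.

```powershell
<#
  Added example, not code from this thread or from FRST/AdwCleaner.
  Audits every numbered control set for leftover registry entries of a
  driver service (service definition, SafeBoot entries, LEGACY_* enum
  record) and, only when -Remove is given, attempts to delete them.
  Default names are the two services discussed in the thread; the helper
  names are assumptions.  Run from an elevated PowerShell prompt.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ServiceName = @('cmwf', 'cmwr'),
    [switch]$Remove
)

function Resolve-DriverImagePath {
    # Driver ImagePath values come in several shapes:
    # 'system32\Drivers\x.sys', '\SystemRoot\system32\Drivers\x.sys', '\??\C:\...\x.sys'
    param([Parameter(Mandatory)][string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverPersistenceKeys {
    param([Parameter(Mandatory)][string]$Name)

    # CurrentControlSet is only a link; walk the real ControlSet00N keys
    $controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }

    foreach ($cs in $controlSets) {
        $base = "HKLM:\SYSTEM\$($cs.PSChildName)"
        # Places a kernel driver service can be anchored inside one control set
        $candidates = @(
            "$base\Services\$Name",
            "$base\Control\SafeBoot\Minimal\$Name.sys",
            "$base\Control\SafeBoot\Network\$Name.sys",
            "$base\Enum\Root\LEGACY_$($Name.ToUpperInvariant())"
        )
        foreach ($path in $candidates) {
            if (-not (Test-Path -LiteralPath $path)) { continue }

            # For the service key, record whether its binary is still on disk
            $note = ''
            if ($path -like '*\Services\*') {
                $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
                if ($props -and $props.ImagePath) {
                    $img = Resolve-DriverImagePath $props.ImagePath
                    if (Test-Path -LiteralPath $img) { $note = "binary present: $img" }
                    else { $note = "binary missing (dangling entry): $img" }
                }
            }
            [pscustomobject]@{
                Service    = $Name
                ControlSet = $cs.PSChildName
                Key        = $path
                Note       = $note
            }
        }
    }
}

$found = foreach ($n in $ServiceName) { Get-DriverPersistenceKeys -Name $n }
if (-not $found) {
    Write-Output "No leftover registry entries found for: $($ServiceName -join ', ')"
    return
}
$found | Format-Table -AutoSize

if ($Remove) {
    foreach ($item in $found) {
        if (-not $PSCmdlet.ShouldProcess($item.Key, 'Remove registry key')) { continue }
        try {
            Remove-Item -LiteralPath $item.Key -Recurse -ErrorAction Stop
            Write-Output "Removed: $($item.Key)"
        } catch {
            # Report a failure (typically an ACL that blocks the deletion) and
            # keep going, so the remaining keys are still processed
            Write-Warning "Could not remove $($item.Key): $($_.Exception.Message)"
        }
    }
}
```

Saved as, say, Audit-DriverKeys.ps1 (a name chosen here), `.\Audit-DriverKeys.ps1` only lists what is left; `.\Audit-DriverKeys.ps1 -Remove -WhatIf` shows what would be deleted without touching anything, and `-Remove` alone performs the deletion key by key. A key that cannot be removed is reported with the error text rather than stopping the run, and a Services entry whose binary is gone is flagged as dangling, which is exactly the state #12 describes after FRST moved the .sys files.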

#14 Phil Schwarz

Phil Schwarz
  • Topic Starter

  • Members
  • 484 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:29 AM

Posted 19 January 2015 - 11:59 AM

OK, I was able to delete the cmwf.sys and cmwr.sys keys from all locations in the 3 control sets' Control keys (safeboot minimal & network).

I was *not* able to delete the LEGACY_CMWF or LEGACY_CMWR keys from the 3 control sets' Enum keys however.

I notice also that there is a LEGACY_CHERIMOYA key in each Enum as well -- and cherimoya.sys is one of the things that FRST was able to remove.

 

The adware does seem to be gone -- I think the key step in that regard was running FRST64.exe from a recovery boot, to be able to get at the driver binaries on disk when they were not opened by the running OS.

 

Here is the FRST.txt I ran after completing the above manual registry edits:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 18-01-2015 01
Ran by Jeremy (administrator) on SAMWISE on 19-01-2015 11:41:35
Running from C:\Program Files (x86)\BleepingComputer
Loaded Profiles: Jeremy (Available profiles: Jeremy)
Platform: Windows 7 Professional Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(SurfRight B.V.) C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Andrea Electronics Corporation) C:\Windows\System32\AEADISRV.EXE
(Intel Corporation) C:\Program Files (x86)\Intel\AMT\LMS.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin\rpdsvc.exe
() C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe
(Intel Corporation) C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
(Intel Corporation) C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(CANON INC.) C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE
() C:\Windows\System32\spool\drivers\x64\3\WrtMon.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
() C:\Windows\System32\spool\drivers\x64\3\WrtProc.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin64\rpsystray.exe
(Analog Devices, Inc.) C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe
(RealNetworks, Inc.) C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
() C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Microsoft Corporation) C:\Windows\System32\wbengine.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [picon] => C:\Program Files (x86)\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe [796696 2009-07-24] (Intel Corporation)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1331288 2014-08-22] (Microsoft Corporation)
HKLM\...\Run: [MFNetworkScanUtility] => C:\Program Files\Canon\Canon MF Network Scan Utility\CNMFSUT6.EXE [486552 2012-09-27] (CANON INC.)
HKLM\...\Run: [WrtMon.exe] => C:\Windows\system32\spool\drivers\x64\3\WrtMon.exe [20480 2006-09-20] ()
HKLM-x32\...\Run: [SoundMAXPnP] => C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe [1314816 2009-05-18] (Analog Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [TkBellExe] => C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe [296520 2014-10-19] (RealNetworks, Inc.)
HKLM-x32\...\Run: [RealDownloader] => C:\Program Files (x86)\RealNetworks\RealDownloader\downloader2.exe [551488 2014-09-23] ()
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binpif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binexe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bincom <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Binscr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [22869088 2014-10-21] (Google)
HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\MountPoints2: {8da7a10e-03be-11e4-a43a-806e6f6e6963} - D:\install.EXE id= ver=1.0.0.0
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RealPlayer Cloud Service UI.lnk
ShortcutTarget: RealPlayer Cloud Service UI.lnk -> C:\Program Files (x86)\Real\RealPlayer\RPDS\Bin64\rpsystray.exe (RealNetworks, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
ShortcutTarget: Symantec Fax Starter Edition Port.lnk -> C:\Program Files (x86)\Microsoft Office\Office\1033\OLFSNT40.EXE (Microsoft Corporation)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\S-1-5-21-3805180030-359751056-14507808-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
BHO: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin64.dll (RealDownloader)
BHO-x32: RealNetworks Download and Record Plugin for Internet Explorer -> {3049C3E9-B461-4BC5-8870-4C09146192CA} -> C:\Program Files (x86)\RealNetworks\RealDownloader\BrowserPlugins\IE\rndlbrowserrecordplugin.dll (RealDownloader)
Handler-x32: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll (Belarc, Inc.)
Handler-x32: http - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: http - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: https - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: ipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF42-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Handler-x32: msdaipp - {E1D2BF40-A96B-11D1-9C6B-0000F875AC61} - C:\PROGRA~2\COMMON~1\System\OLEDB~1\MSDAIPP.DLL (Microsoft Corporation)
Winsock: Catalog9 01 C:\Windows\SysWOW64\ColorMedia.dll [324776] (CartCrunch Israel Ltd.)
Winsock: Catalog9 02 C:\Windows\SysWOW64\ColorMedia.dll [324776] (CartCrunch Israel Ltd.)
Winsock: Catalog9 03 C:\Windows\SysWOW64\ColorMedia.dll [324776] (CartCrunch Israel Ltd.)
Winsock: Catalog9 04 C:\Windows\SysWOW64\ColorMedia.dll [324776] (CartCrunch Israel Ltd.)
Winsock: Catalog9 15 C:\Windows\SysWOW64\ColorMedia.dll [324776] (CartCrunch Israel Ltd.)
Winsock: Catalog9-x64 01 C:\Windows\system32\ColorMedia64.dll [370688] (CartCrunch Israel Ltd.)
Winsock: Catalog9-x64 02 C:\Windows\system32\ColorMedia64.dll [370688] (CartCrunch Israel Ltd.)
Winsock: Catalog9-x64 03 C:\Windows\system32\ColorMedia64.dll [370688] (CartCrunch Israel Ltd.)
Winsock: Catalog9-x64 04 C:\Windows\system32\ColorMedia64.dll [370688] (CartCrunch Israel Ltd.)
Winsock: Catalog9-x64 15 C:\Windows\system32\ColorMedia64.dll [370688] (CartCrunch Israel Ltd.)
Tcpip\Parameters: [DhcpNameServer] 208.59.247.45 208.59.247.46
 
FireFox:
========
FF ProfilePath: C:\Users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\5fs2p5jk.default
FF DefaultSearchEngine: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_280.dll ()
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_280.dll ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @real.com/nppl3260;version=17.0.14.69 -> c:\program files (x86)\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprndlhtml5videoshim;version=17.0.14 -> C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\MozillaPlugins\nprndlhtml5videoshim.dll (RealNetworks, Inc.)
FF Plugin-x32: @real.com/nprpplugin;version=17.0.14.69 -> c:\program files (x86)\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer Cloud)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF HKLM-x32\...\Firefox\Extensions: [{4642CD99-8FDF-4550-94E1-63360972C326}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
FF Extension: RealDownloader - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext [2014-10-19]
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext
 
Chrome: 
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-16]
CHR Extension: (Google Docs) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-04]
CHR Extension: (Google Drive) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-18]
CHR Extension: (YouTube) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-18]
CHR Extension: (Google Search) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-18]
CHR Extension: (Google Sheets) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-16]
CHR Extension: (Gmail) - C:\Users\Jeremy\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-18]
CHR HKU\S-1-5-21-3805180030-359751056-14507808-1000\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AEADIFilters; C:\Windows\system32\AEADISRV.EXE [111616 2008-07-15] (Andrea Electronics Corporation)
S3 dkab_device; C:\Windows\system32\DKabcoms.exe [476568 2006-10-21] ( )
S3 dkab_device; C:\Windows\SysWOW64\DKabcoms.exe [508824 2006-10-21] ( )
R2 hmpalertsvc; C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe [1876816 2014-07-20] (SurfRight B.V.)
R2 LMS; C:\Program Files (x86)\Intel\AMT\LMS.exe [174616 2009-07-24] (Intel Corporation)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [23784 2014-08-22] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [368624 2014-08-22] (Microsoft Corporation)
R2 RealNetworks Downloader Resolver Service; C:\Program Files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [39568 2014-09-26] ()
R2 RealPlayer Cloud Service; c:\program files (x86)\real\realplayer\RPDS\Bin\rpdsvc.exe [1141848 2014-10-19] (RealNetworks, Inc.)
R2 RealPlayerUpdateSvc; C:\Program Files (x86)\Real\UpdateService\RealPlayerUpdateSvc.exe [31344 2014-09-26] ()
S3 rpcapd; C:\Program Files (x86)\WinPcap\rpcapd.exe [117264 2010-06-25] (CACE Technologies, Inc.)
R2 UNS; C:\Program Files (x86)\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2066968 2009-07-24] (Intel Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 hmpalert; C:\Windows\System32\drivers\hmpalert.sys [93144 2014-07-21] ()
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [269008 2014-07-17] (Microsoft Corporation)
R2 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [125584 2014-07-17] (Microsoft Corporation)
R2 NPF; C:\Windows\System32\drivers\npf.sys [35344 2010-06-25] (CACE Technologies, Inc.)
S3 usbio; C:\Windows\System32\Drivers\dsiarhwprog_x64.sys [54640 2013-03-19] (Thesycon GmbH, Germany)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-19 10:41 - 2015-01-19 10:41 - 00044335 _____ () C:\Users\Jeremy\Downloads\Regdelnull.zip
2015-01-18 21:22 - 2015-01-18 21:22 - 02126848 _____ (Farbar) C:\Users\Jeremy\Downloads\FRST64.exe
2015-01-18 15:06 - 2015-01-18 15:06 - 00000634 _____ () C:\Users\Jeremy\Desktop\JRT.txt
2015-01-17 21:41 - 2015-01-17 21:42 - 00000000 ____D () C:\BleepingComputer
2015-01-17 21:39 - 2015-01-17 21:39 - 00017476 _____ () C:\Users\Jeremy\Desktop\dds.txt
2015-01-17 21:39 - 2015-01-17 21:39 - 00007252 _____ () C:\Users\Jeremy\Desktop\attach.txt
2015-01-17 15:18 - 2015-01-17 15:18 - 01686759 _____ () C:\Users\Jeremy\Downloads\PSTools.zip
2015-01-17 13:58 - 2015-01-19 11:41 - 00000000 ____D () C:\FRST
2015-01-17 13:04 - 2015-01-17 13:05 - 00000000 ____D () C:\Program Files (x86)\no$gba
2015-01-17 13:03 - 2015-01-17 13:03 - 00191678 _____ () C:\Users\Jeremy\Downloads\no$gba-w.zip
2015-01-16 17:31 - 2015-01-16 17:31 - 00021976 _____ () C:\Windows\system32\Drivers\SPPD.sys
2015-01-16 16:45 - 2015-01-07 20:54 - 00370688 _____ (CartCrunch Israel Ltd.) C:\Windows\system32\ColorMedia64.dll
2015-01-16 16:45 - 2015-01-07 20:54 - 00324776 _____ (CartCrunch Israel Ltd.) C:\Windows\SysWOW64\ColorMedia.dll
2015-01-16 16:31 - 2015-01-16 16:31 - 00000000 ____D () C:\Program Files (x86)\7-Zip
2015-01-16 16:21 - 2015-01-16 16:21 - 00000064 _____ () C:\Users\Jeremy\AppData\Local\90c44f312ec5676ae73fdad19d917baa
2015-01-16 16:19 - 2015-01-16 16:19 - 00004714 _____ () C:\Windows\System32\Tasks\HPNWPFB
2015-01-14 20:07 - 2015-01-14 20:07 - 15689724 _____ () C:\Users\Jeremy\Downloads\3DS Emu_v3.5_patched.zip
2015-01-14 19:52 - 2015-01-14 19:52 - 00793119 _____ () C:\Users\Jeremy\Downloads\3DS-Emulator-v3.0.41.rar
2015-01-14 18:09 - 2015-01-14 18:10 - 42831026 _____ () C:\Users\Jeremy\Downloads\Pokemon Heart Gold NTEVO.rar
2015-01-14 18:08 - 2015-01-14 18:09 - 42829949 _____ () C:\Users\Jeremy\Downloads\Pokemon Soul Silver NTEVO.rar
2015-01-13 22:39 - 2015-01-13 22:39 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-13 16:13 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-13 16:13 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-13 16:13 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-13 16:13 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-13 16:13 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-13 16:13 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-13 16:13 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-13 16:13 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-13 16:13 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-13 16:13 - 2014-12-11 12:47 - 00087040 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-13 16:13 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-13 16:13 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-13 16:13 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-11 18:12 - 2015-01-11 18:12 - 00181160 _____ () C:\Users\Jeremy\Downloads\no$gba-w_2.7a.zip
2015-01-11 16:52 - 2014-07-04 15:37 - 00001416 _____ () C:\Users\Jeremy\Desktop\Internet Explorer.lnk
2015-01-11 15:50 - 2015-01-11 15:50 - 05347971 _____ () C:\Users\Jeremy\Downloads\Pokemon FireRed.zip
2015-01-11 11:46 - 2015-01-13 20:59 - 00000000 ____D () C:\Program Files (x86)\Radio Player Live
2015-01-11 11:45 - 2015-01-13 21:26 - 00000000 ____D () C:\Program Files (x86)\uanisales
2015-01-11 11:45 - 2015-01-13 20:59 - 00000000 ____D () C:\Program Files (x86)\unIsaleoss
2015-01-11 11:43 - 2015-01-11 11:43 - 01136320 _____ () C:\Users\Jeremy\Downloads\Pokemon_Sapphire_Version_USA.exe
2015-01-11 11:39 - 2015-01-11 11:39 - 00007548 _____ () C:\Users\Jeremy\Downloads\js.js
2015-01-07 16:44 - 2015-01-07 16:54 - 42712969 _____ () C:\Users\Jeremy\Downloads\moo.rar
2015-01-05 18:15 - 2015-01-16 17:30 - 00000000 ____D () C:\Users\Jeremy\Desktop\NDS and GBA Games and emulators
2015-01-05 18:11 - 2015-01-05 18:11 - 42557718 _____ () C:\Users\Jeremy\Downloads\4787 - Pokemon - HeartGold Version (U).rar
2015-01-05 15:32 - 2015-01-05 15:36 - 00000000 ____D () C:\ProgramData\WinZip
2015-01-05 15:24 - 2015-01-05 15:24 - 00906024 _____ ( ) C:\Users\Jeremy\Downloads\winzip19-mediafire.exe.6i4yyhg.partial
2014-12-31 15:26 - 2014-12-31 15:26 - 00762704 _____ ( ) C:\Users\Jeremy\Desktop\CR_Downloader_for_no$gba.exe
2014-12-30 21:28 - 2014-12-30 21:28 - 00000227 _____ () C:\Users\Jeremy\Desktop\How to get Wi-Fi with DeSmuME - YouTube.URL
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-19 11:41 - 2014-07-04 14:19 - 00000000 ____D () C:\Program Files (x86)\BleepingComputer
2015-01-19 11:40 - 2014-10-28 16:07 - 00000000 ___RD () C:\Users\Jeremy\Google Drive
2015-01-19 11:40 - 2014-07-21 23:26 - 00000000 ____D () C:\Windows\CryptoGuard
2015-01-19 11:40 - 2014-07-04 14:10 - 01623532 _____ () C:\Windows\WindowsUpdate.log
2015-01-19 11:39 - 2014-07-21 21:03 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-19 11:39 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-19 11:39 - 2009-07-13 23:51 - 00056388 _____ () C:\Windows\setupact.log
2015-01-19 11:20 - 2014-07-21 21:03 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-19 10:56 - 2009-07-13 23:45 - 00031904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-19 10:56 - 2009-07-13 23:45 - 00031904 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-19 10:55 - 2013-10-03 19:56 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-19 10:53 - 2009-07-14 00:13 - 00781298 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-19 10:48 - 2014-07-04 14:10 - 00000000 ____D () C:\Users\Jeremy
2015-01-19 10:48 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\registration
2015-01-19 10:42 - 2014-07-04 14:20 - 00000000 ____D () C:\Program Files (x86)\Sysinternals
2015-01-18 17:32 - 2010-11-20 22:47 - 00230298 _____ () C:\Windows\PFRO.log
2015-01-17 14:56 - 2014-08-02 15:40 - 00000000 ____D () C:\Program Files (x86)\Kaspersky
2015-01-17 13:17 - 2014-07-18 16:30 - 00000000 ____D () C:\AdwCleaner
2015-01-17 12:43 - 2014-07-04 14:38 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-16 16:45 - 2014-12-09 15:39 - 00002033 _____ () C:\Windows\patsearch.bin
2015-01-16 16:41 - 2014-07-04 15:54 - 00000000 ____D () C:\Users\Jeremy\AppData\Local\Microsoft Games
2015-01-16 16:25 - 2013-10-03 19:54 - 00000000 ____D () C:\Program Files (x86)\Analog Devices
2015-01-16 16:07 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-14 03:02 - 2014-07-04 16:38 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 03:00 - 2014-07-04 16:38 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-14 00:55 - 2013-10-03 19:56 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-14 00:55 - 2013-10-03 19:56 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-14 00:55 - 2013-10-03 19:56 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-13 23:29 - 2014-07-28 21:23 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-11 15:57 - 2014-10-19 18:33 - 00000000 ____D () C:\Users\Jeremy\Desktop\BFME Maps, Save, and Files
2015-01-05 15:36 - 2014-07-15 16:49 - 00000000 ____D () C:\Windows\system32\appmgmt
2014-12-31 06:14 - 2010-11-20 22:27 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-12-22 17:19 - 2014-12-16 17:09 - 00000000 ____D () C:\Users\Jeremy\Desktop\Halo maps, mods and files
 
==================== Files in the root of some directories =======
1998-12-08 21:53 - 1998-12-08 21:53 - 0099840 _____ (Symantec Corp.) C:\Program Files (x86)\Common Files\IRAABOUT.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0048640 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRALPTTR.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0070144 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRAMDMTR.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0186368 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRAREG.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0017920 _____ (Symantec Corp.) C:\Program Files (x86)\Common Files\IRASRIAL.DLL
1998-12-08 21:53 - 1998-12-08 21:53 - 0031744 _____ (Symantec Corp., Peter Norton Computing Group) C:\Program Files (x86)\Common Files\IRAWEBTR.DLL
2014-07-20 17:06 - 2014-07-20 17:06 - 0000000 _____ () C:\Users\Jeremy\AppData\Roaming\bitlord_log.txt
2014-09-01 03:18 - 2014-09-01 03:18 - 0001248 _____ () C:\Users\Jeremy\AppData\Roaming\HPNWPFB
2014-09-01 03:18 - 2014-09-01 03:18 - 0002086 _____ () C:\Users\Jeremy\AppData\Roaming\PAJPOO
2015-01-16 16:21 - 2015-01-16 16:21 - 0000064 _____ () C:\Users\Jeremy\AppData\Local\90c44f312ec5676ae73fdad19d917baa
2014-07-20 17:16 - 2014-07-20 17:16 - 0000218 _____ () C:\Users\Jeremy\AppData\Local\recently-used.xbel
 
Files to move or delete:
====================
C:\Users\Jeremy\7z935.exe
C:\Users\Jeremy\DivXInstaller.exe
C:\Users\Jeremy\googleupdatesetup.exe
C:\Users\Jeremy\RealPlayerCloud.exe
C:\Users\Jeremy\xfire_installer_46139.exe
 
 
Some content of TEMP:
====================
C:\Users\Jeremy\AppData\Local\Temp\17EB1411-0D1A-6DF9-98D4-BDAC78646837.dll
C:\Users\Jeremy\AppData\Local\Temp\17EB1411-0D1A-6DF9-98D4-BDAC78646837.exe
C:\Users\Jeremy\AppData\Local\Temp\37230C07-3CAC-B478-D5F0-EE91D93FB296.exe
C:\Users\Jeremy\AppData\Local\Temp\8SkF6WTVKH.exe
C:\Users\Jeremy\AppData\Local\Temp\AE793DB8-DF2C-13B5-9D1E-6C1EF0B5B1EE.exe
C:\Users\Jeremy\AppData\Local\Temp\AutoRun.exe
C:\Users\Jeremy\AppData\Local\Temp\AutoRunGUI.dll
C:\Users\Jeremy\AppData\Local\Temp\BAC667ED-76D4-0586-1876-B5C8A457564D.dll
C:\Users\Jeremy\AppData\Local\Temp\BAC667ED-76D4-0586-1876-B5C8A457564D.exe
C:\Users\Jeremy\AppData\Local\Temp\CloudBackup3173.exe
C:\Users\Jeremy\AppData\Local\Temp\CloudBackup4705.exe
C:\Users\Jeremy\AppData\Local\Temp\comver.dll
C:\Users\Jeremy\AppData\Local\Temp\eauninstall.exe
C:\Users\Jeremy\AppData\Local\Temp\FeXEx3NDnb.exe
C:\Users\Jeremy\AppData\Local\Temp\FreemakeVideoDownloader_3.7.0.17.exe
C:\Users\Jeremy\AppData\Local\Temp\I695Ubx0EC.exe
C:\Users\Jeremy\AppData\Local\Temp\J7tbu1HcSZ.exe
C:\Users\Jeremy\AppData\Local\Temp\lowproc.exe
C:\Users\Jeremy\AppData\Local\Temp\mQS1dbOET0.exe
C:\Users\Jeremy\AppData\Local\Temp\old haloupdate.exe
C:\Users\Jeremy\AppData\Local\Temp\optprosetup.exe
C:\Users\Jeremy\AppData\Local\Temp\oxntnJ1uqq.exe
C:\Users\Jeremy\AppData\Local\Temp\Quarantine.exe
C:\Users\Jeremy\AppData\Local\Temp\sdf5F90.exe
C:\Users\Jeremy\AppData\Local\Temp\sdfC989.exe
C:\Users\Jeremy\AppData\Local\Temp\SpOrder.dll
C:\Users\Jeremy\AppData\Local\Temp\sqlite3.dll
C:\Users\Jeremy\AppData\Local\Temp\stubhelper.dll
C:\Users\Jeremy\AppData\Local\Temp\The Battle for Middle-earth_uninst.exe
C:\Users\Jeremy\AppData\Local\Temp\z2nN3vH55B.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-14 00:47
 
==================== End Of Log ============================


#15 fireman4it

  • Malware Response Team
  • 13,507 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 20 January 2015 - 12:02 AM

We need to find a replacement file on your system.

Please do the following:

  • Boot into System Recovery Options and run FRST64.
  • Type the following in the edit box after "Search:":

        cherimoya;cmwf;cmwr;cherimoya.sys;cmwf.sys;cmwr.sys

  • Click the Search Registry button and post the log it makes to your reply.


Edited by fireman4it, 20 January 2015 - 12:03 AM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

