Svchost in Temp files won't go away and keeps using up my CPU


  • This topic is locked
9 replies to this topic

#1 HourlySword

HourlySword

  • Members
  • 4 posts
  • OFFLINE
  • Local time:12:28 AM

Posted 26 January 2015 - 05:45 AM

Hello, so I've been struggling with a really stubborn infection the past couple of days and I don't think I'm gonna be able to fix it. Two nights ago, while I was browsing the web, I noticed my temps spike up to the 80s for no reason. After some research I pinpointed the CPU usage to an svchost file in the Windows temp directory. I've had a similar infection on another computer some time ago and I managed to fix it up pretty easily. So I loaded up Malwarebytes and it found the svchost, removed it and asked for a reboot. Upon reboot the process reappeared at startup doing the same thing and the file was recreated. I can only assume that Malwarebytes wasn't able to find the rootkit(s), and since then I've been running various other scans with and without rkill to try and find it, to no avail. I'm pretty sure I accidentally misclicked an ad at some point before this all happened, so I guess that could be how I got this. The infection uses my computer as a bitcoin mining hub with Claymore CryptoNote CPU Miner v3.4 Beta. I have logs and stuff from that software that it automatically creates in my Windows temp directory, but I don't think that would help. I've already changed all my passwords on another computer and haven't accessed anything on this computer since I've known about the infection. Any help is greatly appreciated. The FRST scan was done while the miner was inactive.


Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-01-2015 01
Ran by Alex (administrator) on HOURLYSWORD on 26-01-2015 05:26:36
Running from C:\Users\Alex\Music
Loaded Profiles: Alex (Available profiles: Alex)
Platform: Windows 8.1 Pro (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Stardock Software, Inc) C:\Program Files (x86)\Stardock\Start8\Start8Srv.exe
(Stardock Software, Inc) C:\Program Files (x86)\Stardock\Start8\Start8_64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
() C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe
() C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsusFanControlService\1.06.01\AsusFanControlService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe
(BlueStack Systems, Inc.) C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(DTS, Inc) C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(A-Volute) C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\RzMaelstromVADStreamingService.exe
(Razer, Inc.) C:\Program Files (x86)\Razer\Core\64bit\RzOvlMon.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Program Files (x86)\ASUS\AI Suite III\DIP4\DIPAwayMode\DipAwayMode.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite III\AISuite3.exe
() C:\Program Files\Core Temp\Core Temp.exe
(Microsoft Corporation) C:\Windows\System32\InputMethod\JPN\JpnIME.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Windows\System32\schtasks.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite III\USB 3.0 Boost\U3BoostSvr64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Corsair Components, Inc.) C:\Program Files (x86)\Corsair\Corsair Gaming Software\CorsairHID.exe
(Skillbrains) C:\Program Files (x86)\Skillbrains\lightshot\5.2.0.17\Lightshot.exe
() C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.2\bin\TrayPopupE\TrayTipAgentE.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Integrated Clock Controller Service\ICCProxy.exe
() C:\Program Files (x86)\ASUS\AI Suite III\AsusMiniBar.exe
(Mozilla Corporation) C:\Program Files (x86)\Firefox Developer Edition\firefox.exe
() C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\extensions\adbhelper@mozilla.org\win32\adb.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(Mozilla Corporation) C:\Program Files (x86)\Firefox Developer Edition\plugin-container.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_16_0_0_296.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
() X:\Games\Borderlands 2\unins000.exe
() C:\Users\Alex\AppData\Local\Temp\_iu14D2N.tmp


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7573208 2014-04-22] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg_DTS] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1385840 2014-04-15] (Realtek Semiconductor)
HKLM\...\Run: [Fences] => C:\Program Files (x86)\Stardock\Fences\Fences.exe [3993744 2014-05-22] (Stardock Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2585928 2015-01-16] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [EaseUS EPM tray] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.2\bin\EpmNews.exe [2089056 2014-11-18] (CHENGDU YIWO Tech Development Co., Ltd)
HKLM-x32\...\Run: [Razer Synapse] => C:\Program Files (x86)\Razer\Synapse\RzSynapse.exe [585536 2014-11-03] (Razer Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1021128 2014-11-20] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Corsair Gaming Software] => C:\Program Files (x86)\Corsair\Corsair Gaming Software\CorsairHID.exe [10601224 2014-09-08] (Corsair Components, Inc.)
HKLM-x32\...\Run: [BlueStacks Agent] => C:\Program Files (x86)\BlueStacks\HD-Agent.exe [839384 2014-09-16] (BlueStack Systems, Inc.)
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-12] (Logitech Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Lightshot] => C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe [226560 2014-11-18] ()
HKLM-x32\...\Run: [EaseUS EPM Tray Agent] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.2\bin\TrayPopupE\TrayTipAgentE.exe [255072 2014-11-18] ()
HKU\S-1-5-21-2587691102-3219643133-190135626-1001\...\Run: [Google Update] => C:\Users\Alex\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2014-07-15] (Google Inc.)
HKU\S-1-5-21-2587691102-3219643133-190135626-1001\...\Run: [LightShot] => C:\Users\Alex\AppData\Local\Skillbrains\lightshot\Lightshot.exe
HKU\S-1-5-21-2587691102-3219643133-190135626-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [30878816 2014-12-11] (Skype Technologies S.A.)
HKU\S-1-5-21-2587691102-3219643133-190135626-1001\...\MountPoints2: {06d000f3-5b61-11e4-829f-54271ebe7e6d} - "H:\CMADownloader.exe"
HKU\S-1-5-21-2587691102-3219643133-190135626-1001\...\MountPoints2: {224ef050-6db8-11e4-82ad-54271ebe7e6d} - "H:\CMADownloader.exe"
HKU\S-1-5-21-2587691102-3219643133-190135626-1001\...\MountPoints2: {24aded6c-6959-11e4-82a7-54271ebe7e6d} - "H:\HTC_Sync_Manager_PC.exe"
Startup: C:\Users\Alex\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
ShortcutTarget: Logitech . Product Registration.lnk -> C:\Program Files (x86)\Logitech\Ereg\eReg.exe (Leader Technologies/Logitech)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Content Manager Assistant for PlayStation®.lnk
ShortcutTarget: Content Manager Assistant for PlayStation®.lnk -> C:\Program Files (x86)\Sony\Content Manager Assistant\CMA.exe (Sony Computer Entertainment Inc.)
BootExecute: autocheck autochk * sdnclean64.exe

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-2587691102-3219643133-190135626-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
BHO: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Lync Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files (x86)\Microsoft Office\Office15\OCHelper.dll (Microsoft Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office15\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files (x86)\Microsoft Office\Office15\GROOVEEX.DLL (Microsoft Corporation)
DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} https://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF ProfilePath: C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default
FF Homepage: https://www.google.com/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_16_0_0_296.dll ()
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\3.0.40818.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office15\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2587691102-3219643133-190135626-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Alex\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin HKU\S-1-5-21-2587691102-3219643133-190135626-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Alex\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMeetingJoinPluginOC.dll (Microsoft Corporation)
FF SearchPlugin: C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\searchplugins\youtube-video-search.xml
FF Extension: Flash Video Downloader - Full HD Download - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\artur.dubovoy@gmail.com [2014-11-13]
FF Extension: New Tab Plus - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\weidunewtab@gmail.com [2014-07-15]
FF Extension: FT DeepDark - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{77d2ed30-4cd2-11e0-b8af-0800200c9a66} [2014-11-02]
FF Extension: WOT - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2014-07-15]
FF Extension: Flash and Video Download - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a} [2014-11-02]
FF Extension: Tab Badge - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\badge@darktrojan.net.xpi [2014-07-15]
FF Extension: BrowserProtect - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\browserprotect@browserprotect.com.xpi [2014-07-15]
FF Extension: Element Hiding Helper for Adblock Plus - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\elemhidehelper@adblockplus.org.xpi [2014-07-15]
FF Extension: Elite Proxy Switcher - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\eliteproxyswitcher@my-proxy.com.xpi [2014-07-15]
FF Extension: MEGA EXTENSION - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\firefox@mega.co.nz.xpi [2014-07-15]
FF Extension: Wiktionary and Google Translate - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\googledictionary@toptip.ca.xpi [2014-07-15]
FF Extension: Lazarus: Form Recovery - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\lazarus@interclue.com.xpi [2014-07-15]
FF Extension: Personas Plus - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\personas@christopher.beard.xpi [2014-07-15]
FF Extension: Turn Off the Lights - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\stefanvandamme@stefanvd.net.xpi [2014-07-15]
FF Extension: Tab Scope - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\tabscope@xuldev.org.xpi [2014-07-15]
FF Extension: Test Pilot - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\testpilot@labs.mozilla.com.xpi [2014-07-15]
FF Extension: UnPlug - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\unplug@compunach.xpi [2014-07-15]
FF Extension: YouTube to MP3 - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\youtube2mp3@mondayx.de.xpi [2014-07-15]
FF Extension: Zoom Page - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\zoompage@DW-dev.xpi [2014-07-15]
FF Extension: URL Fixer - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{0fa2149e-bb2c-4ac2-a8d3-479599819475}.xpi [2014-07-15]
FF Extension: FlashGot - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2014-08-30]
FF Extension: Image Zoom - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi [2014-07-15]
FF Extension: Stylish - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi [2014-07-15]
FF Extension: ImageBot - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{55009080-176f-11da-8cd6-0800200c9a66}.xpi [2014-07-15]
FF Extension: Soundcloud SUPER +2: Downloader and Recommender - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{988da70d-b78d-44a1-a9c7-ed11832a9e2e}.xpi [2014-07-15]
FF Extension: SoundCloud Downloader - Technowise - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{c8d3bc80-0810-4d21-a2c2-be5f2b2832ac}.xpi [2014-07-15]
FF Extension: Adblock Plus - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-07-15]
FF Extension: Download Statusbar - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi [2014-07-15]
FF Extension: Extended Statusbar - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{daf44bf7-a45e-4450-979c-91cf07434c3d}.xpi [2014-07-15]
FF Extension: Tab Mix Plus - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2014-07-15]
FF Extension: DownThemAll! - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2014-08-30]
FF Extension: Greasemonkey - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2014-07-15]
FF Extension: User Agent Switcher - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi [2014-08-29]
FF Extension: Zoom toolbar - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}.xpi [2014-07-15]
FF Extension: Adblock Edge - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi [2014-07-15]
FF Extension: ADB Helper - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\adbhelper@mozilla.org [2014-12-21]
FF Extension: Flash Video Downloader - YouTube HD Download [4K] - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\artur.dubovoy@gmail.com [2015-01-07]
FF Extension: Firefox Developer Tools Adapters - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\fxdevtools-adapters@mozilla.org [2015-01-21]
FF Extension: FT DeepDark - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{77d2ed30-4cd2-11e0-b8af-0800200c9a66} [2014-11-11]
FF Extension: WOT - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} [2014-11-11]
FF Extension: Flash and Video Download - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{bee6eb20-01e0-ebd1-da83-080329fb9a3a} [2015-01-18]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\badge@darktrojan.net.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\browserprotect@browserprotect.com.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\elemhidehelper@adblockplus.org.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\eliteproxyswitcher@my-proxy.com.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\firefox@mega.co.nz.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\googledictionary@toptip.ca.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\lazarus@interclue.com.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\personas@christopher.beard.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\stefanvandamme@stefanvd.net.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\tabscope@xuldev.org.xpi [2014-11-11]
FF Extension: Test Pilot - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\testpilot@labs.mozilla.com.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\unplug@compunach.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\youtube2mp3@mondayx.de.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\zoompage@DW-dev.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{0fa2149e-bb2c-4ac2-a8d3-479599819475}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi [2014-11-11]
FF Extension: ImageBot - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{55009080-176f-11da-8cd6-0800200c9a66}.xpi [2014-11-11]
FF Extension: Soundcloud SUPER +2: Downloader and Recommender - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{988da70d-b78d-44a1-a9c7-ed11832a9e2e}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{c8d3bc80-0810-4d21-a2c2-be5f2b2832ac}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{daf44bf7-a45e-4450-979c-91cf07434c3d}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{dc572301-7619-498c-a57d-39143191b318}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}.xpi [2014-11-11]
FF Extension: No Name - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}.xpi [2014-11-11]
FF Extension: Adblock Edge - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi [2014-11-11]
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Firefox Developer Edition\firefox.exe

Chrome:
=======
CHR Profile: C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-07-15]
CHR Extension: (Google Drive) - C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-15]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-07-15]
CHR Extension: (YouTube) - C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-07-15]
CHR Extension: (Adblock Plus) - C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-07-15]
CHR Extension: (Google Search) - C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-15]
CHR Extension: (FVD Downloader) - C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfmhcpmkbdkbgbmkjoiopeeegenkdikp [2014-10-07]
CHR Extension: (Skype Click to Call) - C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2014-08-19]
CHR Extension: (Google Wallet) - C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-15]
CHR Extension: (Gmail) - C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-15]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [936728 2014-01-28] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.22\aaHMSvc.exe [954648 2014-01-28] (ASUSTeK Computer Inc.)
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe [1360016 2014-04-24] ()
R2 AsusFanControlService; C:\Program Files (x86)\ASUS\AsusFanControlService\1.06.01\AsusFanControlService.exe [382776 2014-04-24] (ASUSTeK Computer Inc.)
S2 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [2251992 2013-11-14] (Broadcom Corporation.)
S2 BstHdAndroidSvc; C:\Program Files (x86)\BlueStacks\HD-Service.exe [391168 2014-09-19] (BlueStack Systems, Inc.) [File not signed]
R2 BstHdLogRotatorSvc; C:\Program Files (x86)\BlueStacks\HD-LogRotatorService.exe [384728 2014-09-16] (BlueStack Systems, Inc.)
R2 BstHdUpdaterSvc; C:\Program Files (x86)\BlueStacks\HD-UpdaterService.exe [777944 2014-09-16] (BlueStack Systems, Inc.)
R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
S3 DAUpdaterSvc; X:\Games (S)\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [25832 2014-07-15] (BioWare)
R2 DTSAudioSvc; C:\Program Files\Realtek\Audio\HDA\DTSU2PAuSrv64.exe [240576 2013-10-07] (DTS, Inc)
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [174112 2014-11-28] (EasyAntiCheat Ltd)
S3 Futuremark SystemInfo Service; C:\Program Files (x86)\Futuremark\SystemInfo\FMSISvc.exe [614624 2014-12-10] (Futuremark)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148744 2015-01-16] (NVIDIA Corporation)
U2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9216 2014-08-22] (Hi-Rez Studios) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887232 2014-01-31] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-03-20] (Intel Corporation)
S4 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2014-11-21] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [969016 2014-11-21] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1706312 2015-01-16] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [21833544 2015-01-16] (NVIDIA Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1903472 2014-12-22] (Electronic Arts)
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [183488 2014-10-31] ()
R2 RzMaelstromVADStreamingService; C:\ProgramData\Razer\Synapse\Devices\Razer Surround\Driver\RzMaelstromVADStreamingService.exe [4250624 2014-06-09] (A-Volute) [File not signed]
R2 RzOvlMon; C:\Program Files (x86)\Razer\Core\64bit\rzovlmon.exe [32960 2014-04-18] (Razer, Inc.)
R2 Start8; C:\Program Files (x86)\Stardock\Start8\Start8Srv.exe [143288 2014-04-05] (Stardock Software, Inc)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [368632 2014-09-21] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2014-09-21] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2013-07-04] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()
R3 ASUSFILTER; C:\Windows\SysWow64\drivers\ASUSFILTER.sys [46152 2011-09-20] (MCCI Corporation)
R3 bcbtums; C:\Windows\system32\drivers\bcbtums.sys [170712 2013-11-14] (Broadcom Corporation.)
R3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [7488688 2014-07-15] (Broadcom Corporation)
R2 BstHdDrv; C:\Program Files (x86)\BlueStacks\HD-Hypervisor-amd64.sys [122072 2014-09-16] (BlueStack Systems)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-03-18] (Microsoft Corporation)
R3 CorsairVBusDriver; C:\Windows\System32\drivers\CorsairVBusDriver.sys [48296 2014-09-08] (Corsair)
R3 CorsairVHidDriver; C:\Windows\System32\drivers\CorsairVHidDriver.sys [22184 2014-09-08] (Corsair)
R1 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283200 2014-07-16] (DT Soft Ltd)
S3 epmntdrv; C:\Windows\system32\epmntdrv.sys [18528 2014-11-18] ()
S3 epmntdrv; C:\Windows\SysWOW64\epmntdrv.sys [14944 2014-11-18] ()
S3 EuGdiDrv; C:\Windows\system32\EuGdiDrv.sys [10848 2014-11-18] ()
S3 EuGdiDrv; C:\Windows\SysWOW64\EuGdiDrv.sys [10208 2014-11-18] ()
S3 Hamachi; C:\Windows\system32\DRIVERS\Hamdrv.sys [46136 2014-10-18] (LogMeIn Inc.)
R4 IOMap; C:\Windows\system32\drivers\IOMap64.sys [24824 2014-04-24] (ASUSTeK Computer Inc.)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2014-11-21] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2014-11-21] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [118272 2014-03-20] (Intel Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19784 2015-01-16] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
S3 qcusbser; C:\Windows\system32\DRIVERS\qcusbser.sys [242688 2013-04-24] (QUALCOMM Incorporated)
R3 rzbtendpt; C:\Windows\System32\drivers\rzbtendpt.sys [33960 2014-05-19] (Razer Inc)
R3 RzDxgk; C:\Windows\system32\drivers\RzDxgk.sys [129472 2014-04-18] (Razer, Inc.)
R1 RzFilter; C:\Windows\system32\drivers\RzFilter.sys [74432 2014-04-18] (Razer, Inc.)
R3 RZMAELSTROMVADService; C:\Windows\system32\drivers\RzMaelstromVAD.sys [32768 2014-06-09] (Windows ® Win 7 DDK provider)
R2 rzpmgrk; C:\Windows\system32\drivers\rzpmgrk.sys [37184 2014-10-31] (Razer, Inc.)
R2 rzpnk; C:\Windows\system32\drivers\rzpnk.sys [129600 2014-11-17] (Razer, Inc.)
R3 rzvkeyboard; C:\Windows\System32\drivers\rzvkeyboard.sys [31912 2014-09-04] (Razer Inc)
R3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2014-09-21] (Microsoft Corporation)
S3 XFDriver64; C:\Program Files (x86)\Xfire2\XFDriver64.sys [17160 2013-03-14] (XFire)
R3 xusb22; C:\Windows\system32\DRIVERS\xusb22.sys [87040 2014-05-15] (Microsoft Corporation)
R3 ALSysIO; \??\C:\Users\Alex\AppData\Local\Temp\ALSysIO64.sys [X]
S3 btwaudio; \SystemRoot\system32\drivers\btwaudio.sys [X]
S3 btwavdt; \SystemRoot\system32\drivers\btwavdt.sys [X]
S3 btwl2cap; \SystemRoot\system32\DRIVERS\btwl2cap.sys [X]
S3 btwrchid; \SystemRoot\System32\drivers\btwrchid.sys [X]
S3 cpuz138; \??\C:\Windows\TEMP\cpuz138\cpuz138_x64.sys [X]
S3 GPUZ; \??\C:\Windows\TEMP\GPUZ.sys [X]
S3 RtlWlanu; \SystemRoot\system32\DRIVERS\rtwlanu.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-26 05:07 - 2015-01-26 05:07 - 00000085 _____ () C:\Windows\wininit.ini
2015-01-25 09:04 - 2015-01-25 09:04 - 00000000 ____D () C:\Program Files (x86)\ESET
2015-01-25 08:59 - 2015-01-26 05:26 - 00000000 ____D () C:\FRST
2015-01-25 08:48 - 2015-01-25 08:48 - 04909382 _____ () C:\Users\Alex\Downloads\mbam-chameleon-3.1.7.0.zip
2015-01-25 08:48 - 2015-01-25 08:48 - 04909382 _____ () C:\Users\Alex\Downloads\mbam-chameleon-3.1.7.0 (1).zip
2015-01-25 08:42 - 2015-01-25 08:42 - 00000862 _____ () C:\Users\Alex\Desktop\JRT.txt
2015-01-25 08:41 - 2015-01-25 08:41 - 00000000 ____D () C:\Windows\ERUNT
2015-01-25 08:34 - 2015-01-25 08:34 - 00351504 _____ () C:\Windows\Minidump\012515-15656-01.dmp
2015-01-25 01:27 - 2015-01-26 05:08 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-01-25 01:27 - 2015-01-26 05:07 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-01-25 01:27 - 2015-01-25 01:27 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2015-01-25 01:23 - 2015-01-25 01:24 - 00000000 ____D () C:\AdwCleaner
2015-01-25 01:07 - 2015-01-25 08:49 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-25 01:07 - 2015-01-25 01:07 - 00001114 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-01-25 01:07 - 2015-01-25 01:07 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-01-25 01:07 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-01-25 01:07 - 2014-11-21 06:14 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-01-25 01:07 - 2014-11-21 06:14 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-01-25 01:02 - 2015-01-25 01:15 - 00002578 _____ () C:\Users\Alex\Desktop\Rkill.txt
2015-01-23 23:23 - 2015-01-23 23:23 - 00000222 _____ () C:\Users\Alex\Desktop\The Binding of Isaac Rebirth.url
2015-01-19 22:16 - 2015-01-19 22:16 - 00000000 ____D () C:\Users\Alex\AppData\Local\RzStats
2015-01-19 01:00 - 2015-01-19 01:00 - 22455009 _____ () C:\Users\Alex\Downloads\MandoPony - Turning Over a New Leaf.zip
2015-01-18 00:26 - 2015-01-18 00:43 - 959556646 _____ () C:\Users\Alex\Downloads\Zoids - Battle Legends (USA).7z
2015-01-18 00:00 - 2015-01-18 00:02 - 100562195 _____ () C:\Users\Alex\Downloads\[MetalGojira] Pokemon 2.B.A. Master.zip
2015-01-17 23:53 - 2015-01-17 23:53 - 00021370 _____ () C:\Users\Alex\Downloads\K70RGB3.zip
2015-01-16 19:13 - 2015-01-16 19:13 - 00194885 _____ () C:\Users\Alex\Downloads\hjsplit.zip
2015-01-16 19:05 - 2014-04-24 13:29 - 00024824 _____ (ASUSTeK Computer Inc.) C:\Windows\system32\Drivers\IOMap64.sys
2015-01-16 08:51 - 2015-01-16 08:51 - 00000000 ____D () C:\ProgramData\Oracle
2015-01-16 08:47 - 2015-01-16 08:48 - 283552574 _____ () C:\Users\Alex\Downloads\Zoids_Battle_Legends-USA-GAMECUBE-DAGGER.rar
2015-01-16 07:13 - 2015-01-16 07:13 - 00000969 _____ () C:\Users\Alex\Desktop\Ustealth.lnk
2015-01-16 06:26 - 2015-01-16 06:26 - 00001404 _____ () C:\Users\Public\Desktop\EaseUS Partition Master 10.2.lnk
2015-01-16 06:26 - 2015-01-16 06:26 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EaseUS Partition Master 10.2
2015-01-16 06:26 - 2014-11-18 14:46 - 03384928 _____ () C:\Windows\system32\BootMan.exe
2015-01-16 06:26 - 2014-11-18 14:46 - 02502240 _____ () C:\Windows\SysWOW64\BootMan.exe
2015-01-16 06:26 - 2014-11-18 14:46 - 00021088 _____ () C:\Windows\SysWOW64\EuEpmGdi.dll
2015-01-16 06:26 - 2014-11-18 14:46 - 00017504 _____ () C:\Windows\system32\EuEpmGdi.dll
2015-01-16 06:26 - 2014-11-18 14:39 - 00018528 _____ () C:\Windows\system32\epmntdrv.sys
2015-01-16 06:26 - 2014-11-18 14:39 - 00014944 _____ () C:\Windows\SysWOW64\epmntdrv.sys
2015-01-16 06:26 - 2014-11-18 14:39 - 00010848 _____ () C:\Windows\system32\EuGdiDrv.sys
2015-01-16 06:26 - 2014-11-18 14:39 - 00010208 _____ () C:\Windows\SysWOW64\EuGdiDrv.sys
2015-01-16 06:26 - 2014-11-18 14:38 - 00101984 _____ () C:\Windows\system32\setupempdrvx64.exe
2015-01-16 06:26 - 2014-11-18 14:38 - 00088160 _____ () C:\Windows\SysWOW64\setupempdrv03.exe
2015-01-16 06:17 - 2015-01-16 06:18 - 30603720 _____ (EaseUS ) C:\Users\Alex\Downloads\epm.exe
2015-01-16 06:17 - 2015-01-16 06:17 - 31722776 _____ (EaseUS ) C:\Users\Alex\Downloads\epm_trial.exe
2015-01-15 17:10 - 2008-10-15 06:22 - 05631312 _____ (Microsoft Corporation) C:\Windows\system32\D3DX9_40.dll
2015-01-15 17:10 - 2008-10-15 06:22 - 04379984 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DX9_40.dll
2015-01-15 17:10 - 2008-10-15 06:22 - 02605920 _____ (Microsoft Corporation) C:\Windows\system32\D3DCompiler_40.dll
2015-01-15 17:10 - 2008-10-15 06:22 - 02036576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\D3DCompiler_40.dll
2015-01-15 17:10 - 2008-10-15 06:22 - 00519000 _____ (Microsoft Corporation) C:\Windows\system32\d3dx10_40.dll
2015-01-15 17:10 - 2008-10-15 06:22 - 00452440 _____ (Microsoft Corporation) C:\Windows\SysWOW64\d3dx10_40.dll
2015-01-15 02:54 - 2015-01-15 02:55 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\XnView
2015-01-15 02:53 - 2015-01-15 02:54 - 00000931 _____ () C:\Users\Alex\Desktop\XnView.lnk
2015-01-15 02:53 - 2015-01-15 02:53 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XnView
2015-01-15 02:53 - 2015-01-15 02:53 - 00000000 ____D () C:\Program Files (x86)\XnView
2015-01-15 02:52 - 2015-01-15 02:52 - 15317744 _____ (Gougelet Pierre-e ) C:\Users\Alex\Downloads\XnView-win-full.exe
2015-01-15 00:38 - 2015-01-15 01:46 - 1204473773 _____ () C:\Users\Alex\Downloads\ACOK_1.5.rar
2015-01-15 00:34 - 2015-01-15 00:34 - 00000222 _____ () C:\Users\Alex\Desktop\Depth.url
2015-01-10 22:32 - 2015-01-10 22:32 - 00000000 __SHD () C:\Users\Alex\AppData\Local\EmieBrowserModeList
2015-01-10 06:02 - 2015-01-10 06:02 - 00002149 _____ () C:\Users\Public\Desktop\3D Vision Photo Viewer.lnk
2015-01-10 06:02 - 2014-12-12 19:47 - 00620176 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvStreaming.exe
2015-01-10 06:01 - 2014-10-09 02:17 - 01540240 _____ (NVIDIA Corporation) C:\Windows\system32\nvhdagenco64.dll
2015-01-09 05:26 - 2015-01-09 05:26 - 00000836 _____ () C:\Users\Alex\Desktop\League of Legends.lnk
2015-01-08 04:57 - 2015-01-08 04:58 - 89710468 _____ () C:\Users\Alex\Downloads\WIFI_Win7-8-8-1_V6342235.zip
2015-01-08 04:56 - 2015-01-08 04:56 - 05744195 _____ () C:\Users\Alex\Downloads\Z97-PRO-ASUS-2012.zip
2015-01-08 04:25 - 2015-01-08 04:25 - 03896279 _____ () C:\Users\Alex\Downloads\p64v266.zip
2015-01-08 04:25 - 2015-01-08 04:25 - 00001081 _____ () C:\Users\Alex\Desktop\prime95.lnk
2015-01-08 04:13 - 2015-01-08 04:13 - 00334064 _____ () C:\Windows\Minidump\010815-13468-01.dmp
2015-01-07 02:59 - 2015-01-07 03:01 - 84575133 _____ () C:\Users\Alex\Downloads\Xfire - Videos Star Wars Battlefront II.mp4
2015-01-07 01:05 - 2015-01-07 01:05 - 00000022 _____ () C:\Windows\GPU-Z.INI
2015-01-07 01:05 - 2015-01-07 01:05 - 00000000 ____D () C:\Temp
2015-01-07 01:04 - 2015-01-07 01:05 - 00000000 ____D () C:\Users\Alex\Documents\3DMark
2015-01-07 01:04 - 2015-01-07 01:04 - 00000000 ____D () C:\Users\Alex\AppData\Local\Futuremark
2015-01-07 01:04 - 2015-01-07 01:04 - 00000000 ____D () C:\Program Files (x86)\Futuremark
2015-01-07 00:42 - 2015-01-07 00:42 - 00000193 _____ () C:\Users\Alex\Desktop\3DMark Demo.url
2015-01-07 00:38 - 2015-01-07 00:59 - 307606328 _____ (NVIDIA Corporation) C:\Users\Alex\Downloads\347.09-desktop-win8-win7-winvista-64bit-international-whql.exe
2015-01-06 02:57 - 2015-01-06 02:57 - 00010520 _____ () C:\Users\Alex\Downloads\ASUS VG248QE Nvidia2.icm
2015-01-02 01:25 - 2015-01-02 01:25 - 00000222 _____ () C:\Users\Alex\Desktop\Divinity Original Sin.url
2015-01-01 17:48 - 2015-01-01 17:48 - 51200920 _____ () C:\Users\Alex\Downloads\Hard Knocks (final).wav

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-26 05:26 - 2014-07-15 00:45 - 01698842 _____ () C:\Windows\WindowsUpdate.log
2015-01-26 05:22 - 2014-07-15 00:52 - 00003596 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2587691102-3219643133-190135626-1001
2015-01-26 05:22 - 2013-08-22 10:36 - 00000000 ____D () C:\Windows\AppReadiness
2015-01-26 05:17 - 2014-07-15 01:04 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\BitTorrent
2015-01-26 05:14 - 2014-03-18 05:02 - 00005388 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-26 05:13 - 2014-07-16 00:20 - 00000000 _____ () C:\Windows\Path.idx
2015-01-26 05:10 - 2014-07-16 00:37 - 00006464 _____ () C:\Windows\SysWOW64\Gms.log
2015-01-26 05:09 - 2014-12-08 02:21 - 00003758 _____ () C:\Windows\System32\Tasks\AutoKMS
2015-01-26 05:09 - 2014-10-03 16:56 - 00093623 _____ () C:\Windows\system32\lvcoinst.log
2015-01-26 05:08 - 2014-12-18 03:38 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-01-26 05:08 - 2014-07-15 23:55 - 01048576 _____ () C:\Windows\PE_Rom.dll
2015-01-26 05:08 - 2014-03-18 04:51 - 00094282 _____ () C:\Windows\PFRO.log
2015-01-26 05:08 - 2013-08-22 09:45 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-26 05:07 - 2014-10-16 11:15 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-26 04:58 - 2013-08-22 10:36 - 00000000 ____D () C:\Windows\system32\sru
2015-01-25 12:21 - 2014-10-11 21:49 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-25 12:19 - 2014-11-13 10:01 - 00000000 ____D () C:\Program Files (x86)\Firefox Developer Edition
2015-01-25 11:28 - 2014-07-15 01:04 - 00000928 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2587691102-3219643133-190135626-1001UA.job
2015-01-25 11:26 - 2014-07-15 01:09 - 00000410 _____ () C:\Windows\Tasks\update-S-1-5-21-2587691102-3219643133-190135626-1001.job
2015-01-25 09:28 - 2014-07-15 01:04 - 00000876 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2587691102-3219643133-190135626-1001Core.job
2015-01-25 08:34 - 2014-07-15 02:19 - 713896785 ____N () C:\Windows\MEMORY.DMP
2015-01-25 08:34 - 2014-07-15 02:19 - 00000000 ____D () C:\Windows\Minidump
2015-01-25 08:30 - 2014-07-15 01:09 - 00000410 _____ () C:\Windows\Tasks\update-sys.job
2015-01-25 01:13 - 2013-08-22 08:25 - 00262144 ___SH () C:\Windows\system32\config\BBI
2015-01-25 00:36 - 2014-07-15 01:09 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Skype
2015-01-25 00:07 - 2014-10-16 11:15 - 00003718 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-01-24 23:17 - 2014-07-15 01:13 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-01-24 00:39 - 2014-07-15 15:47 - 00913920 ___SH () C:\Users\Alex\Desktop\Thumbs.db
2015-01-23 23:45 - 2014-07-15 02:31 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\vlc
2015-01-23 23:24 - 2014-07-15 16:14 - 00000000 ____D () C:\Users\Alex\Documents\My Games
2015-01-23 22:53 - 2013-08-22 09:46 - 00049734 _____ () C:\Windows\setupact.log
2015-01-22 19:51 - 2014-07-15 01:04 - 00002416 _____ () C:\Users\Alex\Desktop\Google Chrome.lnk
2015-01-20 02:06 - 2014-08-23 04:54 - 00048128 ___SH () C:\Users\Alex\Downloads\Thumbs.db
2015-01-20 01:57 - 2014-07-17 04:54 - 00005535 _____ () C:\Windows\MB.idx
2015-01-19 22:14 - 2014-07-15 15:24 - 00000000 ____D () C:\Users\Alex\AppData\Local\Razer
2015-01-18 05:59 - 2014-07-15 00:47 - 00000000 ____D () C:\Users\Alex\AppData\Local\Packages
2015-01-18 00:05 - 2014-07-15 15:50 - 00000000 ____D () C:\Users\Alex\Desktop\Downloaded Songs
2015-01-17 23:52 - 2014-09-09 11:11 - 00021370 _____ () C:\Users\Alex\Downloads\K70RGB.zip
2015-01-16 08:51 - 2014-07-15 01:07 - 00320936 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe
2015-01-16 08:51 - 2014-07-15 01:07 - 00191400 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe
2015-01-16 08:51 - 2014-07-15 01:07 - 00190888 _____ (Oracle Corporation) C:\Windows\system32\java.exe
2015-01-16 08:51 - 2014-07-15 01:07 - 00111016 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2015-01-16 08:51 - 2014-07-15 01:06 - 00000000 ____D () C:\Program Files\Java
2015-01-16 06:18 - 2014-07-15 00:59 - 00000000 ____D () C:\Program Files (x86)\EaseUS
2015-01-16 01:41 - 2014-12-18 03:39 - 01756424 _____ (NVIDIA Corporation) C:\Windows\system32\nvspbridge64.dll
2015-01-16 01:41 - 2014-12-18 03:39 - 01514528 _____ (NVIDIA Corporation) C:\Windows\system32\nvspcap64.dll
2015-01-16 01:41 - 2014-12-18 03:39 - 01316184 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspbridge.dll
2015-01-16 01:41 - 2014-12-18 03:39 - 01278920 _____ (NVIDIA Corporation) C:\Windows\SysWOW64\nvspcap.dll
2015-01-15 19:49 - 2014-11-18 08:30 - 00000000 ____D () C:\ProgramData\Origin
2015-01-15 19:49 - 2014-11-18 08:30 - 00000000 ____D () C:\Program Files (x86)\Origin
2015-01-15 18:15 - 2014-09-26 01:21 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Awesomium
2015-01-15 17:10 - 2014-07-15 01:13 - 00155205 _____ () C:\Windows\DirectX.log
2015-01-15 17:08 - 2014-07-15 00:47 - 00000000 ____D () C:\Users\Alex
2015-01-15 16:43 - 2014-07-16 03:02 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\Stardock
2015-01-11 01:21 - 2014-07-15 02:34 - 00008593 _____ () C:\Users\Alex\Documents\TombRaider.log
2015-01-11 01:12 - 2014-09-09 11:11 - 00000000 ____D () C:\Users\Alex\Downloads\K70RGB
2015-01-10 22:26 - 2014-07-15 01:05 - 00000000 ____D () C:\Program Files (x86)\Nightly
2015-01-10 06:02 - 2014-12-18 03:39 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2015-01-09 21:02 - 2014-08-11 14:45 - 00000000 ____D () C:\Users\Alex\AppData\Local\Battle.net
2015-01-09 21:00 - 2014-08-11 14:45 - 00000000 ____D () C:\Program Files (x86)\Battle.net
2015-01-09 20:59 - 2014-08-11 17:14 - 00000000 ____D () C:\Program Files (x86)\Hearthstone
2015-01-07 00:36 - 2014-12-19 00:13 - 00000000 ____D () C:\Users\Alex\AppData\Roaming\NVIDIA
2015-01-06 03:09 - 2014-07-15 01:08 - 00001200 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Paint.NET.lnk
2015-01-06 03:09 - 2014-07-15 01:08 - 00001188 _____ () C:\Users\Public\Desktop\Paint.NET.lnk
2015-01-06 03:09 - 2014-07-15 01:08 - 00000000 ____D () C:\Program Files\Paint.NET
2015-01-06 02:56 - 2014-09-10 12:22 - 00010520 _____ () C:\Users\Alex\Downloads\ASUS VG248QE Nvidia.icm
2015-01-06 01:28 - 2014-07-19 01:42 - 00000000 ____D () C:\Users\Alex\AppData\Local\Adobe
2014-12-31 06:14 - 2014-07-15 00:46 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

==================== Files in the root of some directories =======

2014-07-15 01:09 - 2014-07-15 01:09 - 0000003 _____ () C:\Users\Alex\AppData\Local\updater.log
2014-07-15 01:09 - 2014-12-17 23:37 - 0000425 _____ () C:\Users\Alex\AppData\Local\UserProducts.xml
2014-07-15 23:47 - 2014-07-15 23:47 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

Files to move or delete:
====================
C:\Users\Alex\AppData\Roaming\Origin\update.vbe


Some content of TEMP:
====================
C:\Users\Alex\AppData\Local\Temp\GMfc.dll
C:\Users\Alex\AppData\Local\Temp\Mfc42.dll
C:\Users\Alex\AppData\Local\Temp\MSVCRT.dll
C:\Users\Alex\AppData\Local\Temp\ose00000.exe
C:\Users\Alex\AppData\Local\Temp\start.exe
C:\Users\Alex\AppData\Local\Temp\UnivUI.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-01-20 10:12

==================== End Of Log ============================

#2 Rootk

  • Malware Response Team
  • 234 posts
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:28 AM

Posted 26 January 2015 - 08:05 AM

Hi. I'm checking your log now and will reply with instructions soon.



#3 Rootk

  • Malware Response Team
  • 234 posts
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:28 AM

Posted 26 January 2015 - 11:23 AM

Please follow these steps:

1.- Open Notepad. Please copy the contents of the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
Save it to your Desktop as fixlist.txt.

CloseProcesses:
HKLM-x32\...\Run: [Lightshot] => C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe [226560 2014-11-18] ()
C:\Program Files (x86)\Skillbrains
HKU\S-1-5-21-2587691102-3219643133-190135626-1001\...\Run: [LightShot] => C:\Users\Alex\AppData\Local\Skillbrains\lightshot\Lightshot.exe
C:\Users\Alex\AppData\Local\Skillbrains\lightshot\Lightshot.exe
FF Extension: BrowserProtect - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\browserprotect@browserprotect.com.xpi [2014-07-15]
R3 ALSysIO; \??\C:\Users\Alex\AppData\Local\Temp\ALSysIO64.sys [X]
S3 btwaudio; \SystemRoot\system32\drivers\btwaudio.sys [X]
S3 btwavdt; \SystemRoot\system32\drivers\btwavdt.sys [X]
S3 btwl2cap; \SystemRoot\system32\DRIVERS\btwl2cap.sys [X]
S3 btwrchid; \SystemRoot\System32\drivers\btwrchid.sys [X]
S3 cpuz138; \??\C:\Windows\TEMP\cpuz138\cpuz138_x64.sys [X]
S3 GPUZ; \??\C:\Windows\TEMP\GPUZ.sys [X]
S3 RtlWlanu; \SystemRoot\system32\DRIVERS\rtwlanu.sys [X]
2015-01-10 22:32 - 2015-01-10 22:32 - 00000000 __SHD () C:\Users\Alex\AppData\Local\EmieBrowserModeList
2015-01-26 05:09 - 2014-12-08 02:21 - 00003758 _____ () C:\Windows\System32\Tasks\AutoKMS
C:\Users\Alex\AppData\Roaming\Origin\update.vbe
C:\Users\Alex\AppData\Local\Temp\GMfc.dll
C:\Users\Alex\AppData\Local\Temp\Mfc42.dll
C:\Users\Alex\AppData\Local\Temp\MSVCRT.dll
C:\Users\Alex\AppData\Local\Temp\ose00000.exe
C:\Users\Alex\AppData\Local\Temp\start.exe
C:\Users\Alex\AppData\Local\Temp\UnivUI.dll
2014-07-15 23:47 - 2014-07-15 23:47 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
CustomCLSID: HKU\S-1-5-21-2587691102-3219643133-190135626-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Alex\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2587691102-3219643133-190135626-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Alex\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
Task: {1A46DBCF-E908-4EA1-8D90-403687C2FF67} - System32\Tasks\Origin => C:\Users\Alex\AppData\Roaming\Origin\update.vbe [2014-08-22] () <==== ATTENTION
Task: {31E740DB-CF56-446D-A712-0A891E932686} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2014-03-25] ()
Task: {3D743FC6-8695-46D7-952D-D82C75525C84} - System32\Tasks\update-S-1-5-21-2587691102-3219643133-190135626-1001 => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2014-03-25] ()
Task: {47E5DEBB-BD92-40F7-B911-87C6F6537904} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2014-12-08] ()
Task: C:\Windows\Tasks\update-S-1-5-21-2587691102-3219643133-190135626-1001.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
EmptyTemp:

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait.
The tool will make a log on your desktop (Fixlog.txt); please post it in your reply.

2.- Download AdwCleaner by Xplode onto your Desktop.

  • Double-click on Adwcleaner.exe to run the tool.
  • Click on Scan.
  • Once the scan is done, this time click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt ('n' represents the most recent report).

3.- Download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient, as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

 



#4 HourlySword
  • Topic Starter

  • Members
  • 4 posts
  • Local time:12:28 AM

Posted 26 January 2015 - 12:07 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-01-2015 01
Ran by Alex at 2015-01-26 11:51:38 Run:1
Running from C:\Users\Alex\Desktop
Loaded Profiles: Alex (Available profiles: Alex)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CloseProcesses:
HKLM-x32\...\Run: [Lightshot] => C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe [226560 2014-11-18] ()
C:\Program Files (x86)\Skillbrains
HKU\S-1-5-21-2587691102-3219643133-190135626-1001\...\Run: [LightShot] => C:\Users\Alex\AppData\Local\Skillbrains\lightshot\Lightshot.exe
C:\Users\Alex\AppData\Local\Skillbrains\lightshot\Lightshot.exe
FF Extension: BrowserProtect - C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\browserprotect@browserprotect.com.xpi [2014-07-15]
R3 ALSysIO; \??\C:\Users\Alex\AppData\Local\Temp\ALSysIO64.sys [X]
S3 btwaudio; \SystemRoot\system32\drivers\btwaudio.sys [X]
S3 btwavdt; \SystemRoot\system32\drivers\btwavdt.sys [X]
S3 btwl2cap; \SystemRoot\system32\DRIVERS\btwl2cap.sys [X]
S3 btwrchid; \SystemRoot\System32\drivers\btwrchid.sys [X]
S3 cpuz138; \??\C:\Windows\TEMP\cpuz138\cpuz138_x64.sys [X]
S3 GPUZ; \??\C:\Windows\TEMP\GPUZ.sys [X]
S3 RtlWlanu; \SystemRoot\system32\DRIVERS\rtwlanu.sys [X]
2015-01-10 22:32 - 2015-01-10 22:32 - 00000000 __SHD () C:\Users\Alex\AppData\Local\EmieBrowserModeList
2015-01-26 05:09 - 2014-12-08 02:21 - 00003758 _____ () C:\Windows\System32\Tasks\AutoKMS
C:\Users\Alex\AppData\Roaming\Origin\update.vbe
C:\Users\Alex\AppData\Local\Temp\GMfc.dll
C:\Users\Alex\AppData\Local\Temp\Mfc42.dll
C:\Users\Alex\AppData\Local\Temp\MSVCRT.dll
C:\Users\Alex\AppData\Local\Temp\ose00000.exe
C:\Users\Alex\AppData\Local\Temp\start.exe
C:\Users\Alex\AppData\Local\Temp\UnivUI.dll
2014-07-15 23:47 - 2014-07-15 23:47 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
CustomCLSID: HKU\S-1-5-21-2587691102-3219643133-190135626-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Alex\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2587691102-3219643133-190135626-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Alex\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
Task: {1A46DBCF-E908-4EA1-8D90-403687C2FF67} - System32\Tasks\Origin => C:\Users\Alex\AppData\Roaming\Origin\update.vbe [2014-08-22] () <==== ATTENTION
Task: {31E740DB-CF56-446D-A712-0A891E932686} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2014-03-25] ()
Task: {3D743FC6-8695-46D7-952D-D82C75525C84} - System32\Tasks\update-S-1-5-21-2587691102-3219643133-190135626-1001 => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2014-03-25] ()
Task: {47E5DEBB-BD92-40F7-B911-87C6F6537904} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2014-12-08] ()
Task: C:\Windows\Tasks\update-S-1-5-21-2587691102-3219643133-190135626-1001.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
EmptyTemp:
*****************

Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Lightshot => value deleted successfully.
C:\Program Files (x86)\Skillbrains => Moved successfully.
HKU\S-1-5-21-2587691102-3219643133-190135626-1001\Software\Microsoft\Windows\CurrentVersion\Run\\LightShot => value deleted successfully.
"C:\Users\Alex\AppData\Local\Skillbrains\lightshot\Lightshot.exe" => File/Directory not found.
C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\wvs8u75u.default\Extensions\browserprotect@browserprotect.com.xpi => Moved successfully.
ALSysIO => Unable to stop service
ALSysIO => Service deleted successfully.
btwaudio => Service deleted successfully.
btwavdt => Service deleted successfully.
btwl2cap => Service deleted successfully.
btwrchid => Service deleted successfully.
cpuz138 => Service deleted successfully.
GPUZ => Service deleted successfully.
RtlWlanu => Service deleted successfully.
C:\Users\Alex\AppData\Local\EmieBrowserModeList => Moved successfully.
C:\Windows\System32\Tasks\AutoKMS => Moved successfully.
C:\Users\Alex\AppData\Roaming\Origin\update.vbe => Moved successfully.
C:\Users\Alex\AppData\Local\Temp\GMfc.dll => Moved successfully.
C:\Users\Alex\AppData\Local\Temp\Mfc42.dll => Moved successfully.
C:\Users\Alex\AppData\Local\Temp\MSVCRT.dll => Moved successfully.
C:\Users\Alex\AppData\Local\Temp\ose00000.exe => Moved successfully.
C:\Users\Alex\AppData\Local\Temp\start.exe => Moved successfully.
C:\Users\Alex\AppData\Local\Temp\UnivUI.dll => Moved successfully.
C:\ProgramData\DP45977C.lfl => Moved successfully.
"HKU\S-1-5-21-2587691102-3219643133-190135626-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => Key deleted successfully.
"HKU\S-1-5-21-2587691102-3219643133-190135626-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1A46DBCF-E908-4EA1-8D90-403687C2FF67}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A46DBCF-E908-4EA1-8D90-403687C2FF67}" => Key deleted successfully.
C:\Windows\System32\Tasks\Origin => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Origin" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{31E740DB-CF56-446D-A712-0A891E932686}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{31E740DB-CF56-446D-A712-0A891E932686}" => Key deleted successfully.
C:\Windows\System32\Tasks\update-sys => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\update-sys" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3D743FC6-8695-46D7-952D-D82C75525C84}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3D743FC6-8695-46D7-952D-D82C75525C84}" => Key deleted successfully.
C:\Windows\System32\Tasks\update-S-1-5-21-2587691102-3219643133-190135626-1001 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\update-S-1-5-21-2587691102-3219643133-190135626-1001" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{47E5DEBB-BD92-40F7-B911-87C6F6537904}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47E5DEBB-BD92-40F7-B911-87C6F6537904}" => Key deleted successfully.
C:\Windows\System32\Tasks\AutoKMS not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => Key deleted successfully.
C:\Windows\Tasks\update-S-1-5-21-2587691102-3219643133-190135626-1001.job => Moved successfully.
C:\Windows\Tasks\update-sys.job => Moved successfully.
EmptyTemp: => Removed 890.9 MB temporary data.


The system needed a reboot.

==== End of Fixlog 11:52:02 ====

 

# AdwCleaner v4.109 - Report created 26/01/2015 at 11:57:16
# Updated 24/01/2015 by Xplode
# Database : 2015-01-25.1 [Live]
# Operating System : Windows 8.1 Pro  (64 bits)
# Username : Alex - HOURLYSWORD
# Running from : C:\Users\Alex\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\GreenTree Applications
[!] Folder Deleted : C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\browserprotect@browserprotect.com.xpi
File Deleted : C:\Users\Alex\AppData\Roaming\Mozilla\Firefox\Profiles\n8ny9xwr.dev-edition-default\Extensions\browserprotect@browserprotect.com.xpi

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Mozilla Firefox v


-\\ Google Chrome v

[C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Alex\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [2710 octets] - [25/01/2015 01:23:49]
AdwCleaner[R1].txt - [2163 octets] - [26/01/2015 11:55:51]
AdwCleaner[S0].txt - [1608 octets] - [26/01/2015 11:57:16]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1668 octets] ##########

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 8.1 Pro x64
Ran by Alex on 01/26/2015 Mon at 12:00:34.71
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] "C:\Windows\wininit.ini"



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 01/26/2015 Mon at 12:01:30.46
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
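The Fixlog above shows the persistence behind the Temp svchost.exe: scheduled tasks (update-sys, the update-S-1-5-21-... task, Origin) with their TaskCache keys, plus .job files in C:\Windows\Tasks. As an added check (my code, not part of the thread or of any tool used in it), the PowerShell script below lists scheduled tasks whose action runs from a temp or profile directory, legacy .job files, and svchost.exe processes not loaded from System32; it assumes an elevated prompt on Windows 8.1 or later so that Get-ScheduledTask is available.

```powershell
# Added example, not from the thread. Hunts for the persistence pattern seen
# here: scheduled tasks launching a binary from a temp/user-writable directory,
# leftover .job files, and svchost.exe instances not running from System32.
# Assumes an elevated PowerShell prompt on Windows 8.1 or later.

$suspectRoots = @(
    (Join-Path $env:SystemRoot 'Temp'),
    $env:TEMP,
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:ProgramData
)

function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Expand %TEMP%-style variables and strip quotes before comparing.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($root in $suspectRoots) {
        if ($root -and $expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

Write-Host "== Scheduled tasks whose action runs from a temp or profile directory =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only Exec actions carry an Execute property (COM handler actions do not).
        if ($action.PSObject.Properties['Execute'] -and (Test-SuspectPath $action.Execute)) {
            [PSCustomObject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                State     = $task.State
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
} | Format-Table -AutoSize

Write-Host "== Legacy .job files in $env:SystemRoot\Tasks =="
Get-ChildItem -Path (Join-Path $env:SystemRoot 'Tasks') -Filter '*.job' -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime

Write-Host "== svchost.exe processes not loaded from System32/SysWOW64 =="
$legit = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)
# ExecutablePath is empty for protected processes; those are skipped here.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -and ($legit -notcontains $_.ExecutablePath) } |
    Select-Object ProcessId, ExecutablePath, CommandLine |
    Format-Table -AutoSize
```

Anything listed in the first or third table deserves a closer look; the thread's miner showed up exactly that way, as a Temp-resident svchost.exe started by a user-named task.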


 




#5 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:28 AM

Posted 26 January 2015 - 03:23 PM

Follow these steps:
 
1.- Open Malwarebytes Anti-Malware

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Please update the database by clicking on the Update Now button as shown below.
  • Following the update, click Settings > Detection and Protection and make sure Scan for Rootkits is checked.
  • Click on Dashboard, then click on the large green Scan Now button to begin the Threat Scan. If Malware or Potentially Unwanted Programs are found you will receive a Prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
  • After viewing the results, please click on the Copy to Clipboard button > OK.
  • Return to our forum. Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again it can be found by opening Malwarebytes and clicking on History > Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or to Export to a .txt file (Notepad), etc. The .txt file can be saved and posted when you are ready.
2.- Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes and if it finds anything, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#6 HourlySword

HourlySword
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:28 AM

Posted 27 January 2015 - 12:07 PM

And 9 hours later, the ESET scan is finally done lol. Was it supposed to take that long?

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/26/2015
Scan Time: 11:24:30 PM
Logfile: malwarebytes.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.27.02
Rootkit Database: v2015.01.14.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Alex

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 353240
Time Elapsed: 4 min, 39 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

C:\Users\Alex\Downloads\epm.exe    a variant of Win32/OpenCandy.C potentially unsafe application
C:\Windows\SECOH-QAD.exe    Win64/HackKMS.C potentially unsafe application
X:\Android\Android\xfire_installer.exe    Win32/OpenCandy potentially unsafe application
X:\Android\EMU\Emulators\GBA\Tiger GBA v2.7.6.apk    a variant of Android/AdDisplay.Wooboo.C potentially unwanted application
X:\Android\EMU\Emulators\GBA\Old Versions\Tiger GBA v2.6.5.apk    a variant of Android/AdDisplay.Wooboo.C potentially unwanted application
X:\Android\EMU\Emulators\GBA\Old Versions\Tiger GBA v2.7.0.apk    a variant of Android/AdDisplay.Wooboo.C potentially unwanted application
X:\Android\EMU\Emulators\GBC\Tiger GBC v2.1.0.apk    a variant of Android/AdDisplay.Wooboo.C potentially unwanted application
X:\Android\EMU\Emulators\GBC\Old Versions\Tiger GBC v1.2.9.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\EMU\Emulators\MAME\Old Versions\Tiger Arcade v1.4.2.apk    a variant of Android/AdDisplay.Youmi.E potentially unwanted application
X:\Android\EMU\Emulators\NDS\Tiger NDS v0.0.1b_demo.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\EMU\Emulators\NDS\Old Versions\Tiger NDS v1.0.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\EMU\Emulators\NES\Tiger NES v1.4.0.apk    a variant of Android/AdDisplay.Wooboo.C potentially unwanted application
X:\Android\EMU\Emulators\NES\Old Versions\Tiger NES v1.3.0.apk    a variant of Android/AdDisplay.Wooboo.C potentially unwanted application
X:\Android\EMU\Emulators\PSX\Tiger PSone v1.0.5.apk    a variant of Android/AdDisplay.Wooboo.C potentially unwanted application
X:\Android\EMU\Emulators\Sega Genesis\Tiger Genesis v2.0.0.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\EMU\Emulators\Sega Genesis\Old Versions\TigerGenesis v1.0.3.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\EMU\Emulators\SNES\Tiger SNES v2.4.4.apk    a variant of Android/AdDisplay.Wooboo.C potentially unwanted application
X:\Android\EMU\Emulators\SNES\Old Versions\Tiger SNES v2.0.6.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\EMU\Emulators\SNES\Old Versions\Tiger SNES v2.2.1.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\RCK\1-Click Transformer Root_1.1.7z    Win32/PrcView potentially unsafe application
X:\Android\RCK\1-Click Transformer Root_1.1\Source\Process.exe    Win32/PrcView potentially unsafe application
X:\Android\Resources\AEAIO\emulators\Tiger Arcade v1.4.2.apk    a variant of Android/AdDisplay.Youmi.E potentially unwanted application
X:\Android\Resources\AEAIO\emulators\Tiger GBA v2.6.5.apk    a variant of Android/AdDisplay.Wooboo.C potentially unwanted application
X:\Android\Resources\AEAIO\emulators\Tiger GBC Emulator v2.6.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\Resources\AEAIO\emulators\Tiger NES Emulator v1.2.0.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\Resources\AEAIO\emulators\Tiger Sega Genesis Emulator v1.0.3.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\Resources\AEAIO\emulators\Tiger SNES Emulator v2.0.6.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\Resources\AEAIO\emulators\Tiger SNES Emulator v2.2.1.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\Resources\emltrs_rom\emulators\Tiger Arcade v1.4.2.apk    a variant of Android/AdDisplay.Youmi.E potentially unwanted application
X:\Android\Resources\emltrs_rom\emulators\Tiger GBC Emulator v1.2.9.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\Resources\emltrs_rom\emulators\Tiger Sega Genesis Emulator v1.0.3.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Android\Resources\emltrs_rom\emulators\Tiger SNES Emulator v2.0.6.apk    a variant of Android/AdDisplay.Wiyun.E potentially unwanted application
X:\Applications USE\SetupBatteryCare\SetupBatteryCare.exe    Win32/OpenCandy potentially unsafe application
X:\Installers\Applications\epm.exe    a variant of Win32/OpenCandy.C potentially unsafe application
X:\Installers\Applications\FreemakeAudioConverterSetup.exe    a variant of Win32/OpenCandy.C potentially unsafe application
X:\Installers\Applications\Freemake Video Converter 4.1.4.11\Freemake Video Converter 4.1.4.11\Freemake Video Converter 4.1.4.11.exe    a variant of Win32/OpenCandy.C potentially unsafe application
X:\Installers\Games\Dungeon Keeper 2\Dungeon Keeper 2.exe    a variant of Win64/BitCoinMiner.AG potentially unsafe application



Edited by HourlySword, 27 January 2015 - 04:00 PM.


#7 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:28 AM

Posted 27 January 2015 - 05:00 PM

Please do the following:

Open notepad. Please copy the contents of the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it to your Desktop as fixlist.txt
 
C:\Users\Alex\Downloads\epm.exe
C:\Windows\SECOH-QAD.exe
X:\Android\Android\xfire_installer.exe
X:\Applications USE\SetupBatteryCare\SetupBatteryCare.exe
X:\Installers\Applications\epm.exe 
X:\Installers\Applications\FreemakeAudioConverterSetup.exe
X:\Installers\Applications\Freemake Video Converter 4.1.4.11\Freemake Video Converter 4.1.4.11\Freemake Video Converter 4.1.4.11.exe
X:\Installers\Games\Dungeon Keeper 2\
NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait.
The tool will make a log on your desktop (Fixlog.txt); please post it in your reply.


How are things running now?

#8 HourlySword

HourlySword
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:28 AM

Posted 27 January 2015 - 11:08 PM

Well, the symptoms stopped after I ran the first fix you gave me at the beginning and they haven't returned.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-01-2015 01
Ran by Alex at 2015-01-27 22:55:46 Run:2
Running from C:\Users\Alex\Desktop
Loaded Profiles: Alex (Available profiles: Alex)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\Alex\Downloads\epm.exe
C:\Windows\SECOH-QAD.exe
X:\Android\Android\xfire_installer.exe
X:\Applications USE\SetupBatteryCare\SetupBatteryCare.exe
X:\Installers\Applications\epm.exe
X:\Installers\Applications\FreemakeAudioConverterSetup.exe
X:\Installers\Applications\Freemake Video Converter 4.1.4.11\Freemake Video Converter 4.1.4.11\Freemake Video Converter 4.1.4.11.exe
X:\Installers\Games\Dungeon Keeper 2\
*****************

"C:\Users\Alex\Downloads\epm.exe" => File/Directory not found.
"C:\Windows\SECOH-QAD.exe" => File/Directory not found.
"X:\Android\Android\xfire_installer.exe" => File/Directory not found.
"X:\Applications USE\SetupBatteryCare\SetupBatteryCare.exe" => File/Directory not found.
"X:\Installers\Applications\epm.exe" => File/Directory not found.
"X:\Installers\Applications\FreemakeAudioConverterSetup.exe" => File/Directory not found.
"X:\Installers\Applications\Freemake Video Converter 4.1.4.11\Freemake Video Converter 4.1.4.11\Freemake Video Converter 4.1.4.11.exe" => File/Directory not found.
"X:\Installers\Games\Dungeon Keeper 2" => File/Directory not found.

==== End of Fixlog 22:55:46 ====




#9 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:28 AM

Posted 28 January 2015 - 03:09 PM

If the computer is running fine and you're not having any other problem, then follow these final steps:

Create a System restore point.

Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.
In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
Click the System Protection tab, and then click Create.
In the System Protection dialog box, type a description, and then click Create.

Remove ESET Online Scanner:

Click on Start, Settings, Control Panel
Double click on Add/Remove Programs
Find: Eset Online Scanner in the list of installed programs and click on Change/Remove to uninstall it.

Run Delfix

This program will remove the tools used and their logs. If anything remains, you can delete it manually.
Please download Delfix and save it to your desktop.
Double click on Delfix.exe to run the tool and click on the Run button.

Finally, to help protect your computer in the future I recommend you read this article: So how did I get infected in the first place? I also recommend running Secunia PSI. It will monitor the software you have installed and let you know when something needs to be updated.

Be sure to post back if you have any more problems.

#10 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:28 AM

Posted 06 April 2015 - 06:36 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



