
Ransomware - partially removed


  • This topic is locked
24 replies to this topic

#1 Daru

Posted 25 April 2015 - 09:58 AM

Hello, my machine became infected with ransomware that locked the desktop & explorer with a local police department splash screen, asking for money to remove it. Unfortunately, I tried to remove it before I found this forum, so I have already run a couple of scanners - ESET online scanner & Combofix. While this did remove the desktop lock, I believe fragments still exist on the machine due to strange activity in the process list. Windows Installer, Windows Presentation Foundation host, CTF Loader, COM Surrogate and Notepad constantly use large amounts of CPU. Lastly, I'm getting memory errors regularly, probably because the active infection is referencing removed portions: "The instruction at 0x306bd5b2 referenced memory at 0x00000018. Memory could not be read". If anyone could help, I would appreciate it.

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-04-2015
Ran by Rick (administrator) on RICK-PC-NEW on 25-04-2015 10:40:55
Running from C:\Users\Rick\Downloads
Loaded Profiles: Rick (Available profiles: Rick & admin2)
Platform: Windows 8 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicShellService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
() C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\AI Suite II\EPU\EPUHelp.exe
(Nero AG) C:\Program Files (x86)\Nero\Update\NASvc.exe
(Microsoft Corporation) C:\Windows\System32\WWAHost.exe
(Microsoft Corporation) C:\Windows\WinStore\WSHost.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Microsoft Corporation) C:\Windows\SysWOW64\winver.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
() C:\Users\Rick\Downloads\Defogger.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\System32\PresentationHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6548112 2012-06-12] (Realtek Semiconductor)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2531472 2014-12-12] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [843712 2012-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [ASUS Ai Charger] => C:\Program Files (x86)\ASUS\ASUS Ai Charger\AiChargerAP.exe [547984 2012-08-13] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3187360 2012-10-25] (ASUSTek Computer Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642216 2012-08-15] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [91432 2012-03-28] (CyberLink Corp.)
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [89456 2011-03-07] (Elaborate Bytes AG)
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2889408 2015-04-13] (Valve Corporation)
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\Run: [Spotify Web Helper] => C:\Users\Rick\AppData\Roaming\Spotify\SpotifyWebHelper.exe [2018360 2015-04-11] (Spotify Ltd)
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\Run: [Spotify] => C:\Users\Rick\AppData\Roaming\Spotify\Spotify.exe [7112248 2015-04-11] (Spotify Ltd)
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7451928 2015-03-13] (Piriform Ltd)
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\Run: [FEDDB609] => C:\Users\Rick\AppData\Roaming\FEDDB609\bin.exe [233984 2015-04-23] (Boris Eyrich Software)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2013-04-12] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2013-04-12] (IvoSoft)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [S-1-5-21-2680648856-1668043267-3130069616-1002] => alluseprox.info:8080
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://duckduckgo.com/
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2013-04-12] (IvoSoft)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2013-05-17] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2013-05-17] (Oracle Corporation)
BHO: ClassicIE9BHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIE9DLL_64.dll [2013-04-12] (IvoSoft)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-04-04] (Adobe Systems Incorporated)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2013-04-12] (IvoSoft)
BHO-x32: ClassicIE9BHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIE9DLL_32.dll [2013-04-12] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2013-04-12] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2013-04-12] (IvoSoft)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
DPF: HKLM-x32 {AA299E98-6FB5-409F-99D3-D30D749F4864} https://itadvantage.nextdimensioninc.com/inc/kaxRemote.dll
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
 
FireFox:
========
FF ProfilePath: C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\fmdt13wd.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_13_0_0_182.dll [2014-04-11] ()
FF Plugin: @java.com/DTPlugin,version=10.21.2 -> C:\Windows\system32\npDeployJava1.dll [2013-05-17] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.21.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2013-05-17] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_182.dll [2014-04-11] ()
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-12-12] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-12-12] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: @TrendMicro.com/FFExtension -> C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension\components\npToolbarChrome.dll No File
FF Plugin-x32: @videolan.org/vlc,version=2.0.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2012-12-12] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll [2012-04-04] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2680648856-1668043267-3130069616-1002: @citrixonline.com/appdetectorplugin -> C:\Users\Rick\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2014-07-16] (Citrix Online)
FF Plugin HKU\S-1-5-21-2680648856-1668043267-3130069616-1002: @kaseya.com/LiveConnect63 -> C:\Users\Rick\AppData\Local\Mozilla\Plugins [2015-04-13] ()
FF Plugin HKU\S-1-5-21-2680648856-1668043267-3130069616-1002: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Rick\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2014-01-22] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-2680648856-1668043267-3130069616-1002: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [2015-04-18] ()
FF Extension: Adblock Plus - C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\fmdt13wd.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2013-06-11]
FF Extension: Greasemonkey - C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\fmdt13wd.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi [2013-02-19]
FF Extension: No Name - C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\fmdt13wd.default\extensions\swiffout@grownsoftware.com [Not Found]
 
Chrome: 
=======
CHR Profile: C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (ZenMate) - C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdcgdnkidjaadafnichfpabhfomcebme [2014-09-16]
CHR Extension: (Bookmark Manager) - C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-21]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2015-04-14]
CHR Extension: (Live Connect) - C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfgnpeijmldmjbigmlbjnkjlifodjfmm [2014-04-22]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Google Wallet) - C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-04-22]
CHR HKLM\...\Chrome\Extension: [bmiabdepfhhiieiipmeecdmeljggmfee] - No Path Or update_url value
CHR HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kfgnpeijmldmjbigmlbjnkjlifodjfmm] - C:\Users\Rick\AppData\Local\Kaseya\LiveConnect\LiveConnect-6-3.crx [2013-03-19]
CHR HKLM-x32\...\Chrome\Extension: [bmiabdepfhhiieiipmeecdmeljggmfee] - No Path Or update_url value
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2012-08-15] (Advanced Micro Devices, Inc.) [File not signed]
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [920736 2012-06-01] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [951936 2012-06-01] (ASUSTeK Computer Inc.)
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [149120 2012-02-17] (ASUSTeK Computer Inc.)
S3 BRSptSvc; C:\ProgramData\BitRaider\BRSptSvc.exe [477960 2014-05-05] (BitRaider, LLC)
R2 ClassicShellService; C:\Program Files\Classic Shell\ClassicShellService.exe [68608 2013-04-12] (IvoSoft) [File not signed]
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [174112 2014-11-25] (EasyAntiCheat Ltd)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148560 2014-12-12] (NVIDIA Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1701520 2014-12-12] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19823248 2014-12-12] (NVIDIA Corporation)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [1931632 2015-04-18] (Electronic Arts)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2015-04-18] ()
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [16056 2014-03-29] (Microsoft Corporation)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R3 AiCharger; C:\Windows\SysWow64\drivers\AiCharger.sys [14848 2012-03-22] (ASUSTek Computer Inc.)
U5 AppMgmt; C:\Windows\system32\svchost.exe [29696 2012-09-20] (Microsoft Corporation)
R2 APXACC; C:\Windows\system32\DRIVERS\appexDrv.sys [199008 2012-06-23] (AppEx Networks Corporation)
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-24] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()
R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdW86.sys [98472 2012-07-17] (Advanced Micro Devices)
R3 AU8168; C:\Windows\system32\DRIVERS\au630x64.sys [792648 2013-09-23] (Realtek                                            )
S3 BRDriver64; C:\ProgramData\BitRaider\BRDriver64.sys [75048 2014-05-05] (BitRaider)
R1 dtsoftbus01; C:\Windows\System32\drivers\dtsoftbus01.sys [283200 2013-05-21] (DT Soft Ltd)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2014-12-12] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
U3 TrueSight; C:\Windows\System32\Drivers\TrueSight.sys [35064 2015-04-21] ()
R3 xusb22; C:\Windows\System32\drivers\xusb22.sys [89088 2012-07-25] (Microsoft Corporation)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 WinRing0_1_2_0; \??\C:\Program Files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-25 10:40 - 2015-04-25 10:41 - 00017963 _____ () C:\Users\Rick\Downloads\FRST.txt
2015-04-25 10:40 - 2015-04-25 10:41 - 00000000 ____D () C:\FRST
2015-04-25 10:40 - 2015-04-25 10:40 - 02099712 _____ (Farbar) C:\Users\Rick\Downloads\FRST64.exe
2015-04-25 10:35 - 2015-04-25 10:35 - 00050477 _____ () C:\Users\Rick\Downloads\Defogger.exe
2015-04-25 10:35 - 2015-04-25 10:35 - 00000540 _____ () C:\Users\Rick\Downloads\defogger_disable.log
2015-04-25 10:35 - 2015-04-25 10:35 - 00000168 _____ () C:\Users\Rick\defogger_reenable
2015-04-24 23:21 - 2015-04-24 23:22 - 00000712 _____ () C:\Windows\DtcInstall.log
2015-04-24 23:19 - 2015-04-24 23:19 - 00001586 _____ () C:\Windows\comsetup.log
2015-04-24 23:15 - 2015-04-24 23:22 - 00521309 _____ () C:\Windows\setupact.log
2015-04-24 23:15 - 2015-04-24 23:15 - 00000000 _____ () C:\Windows\setuperr.log
2015-04-24 20:18 - 2015-04-24 21:17 - 00000000 ____D () C:\Users\Rick\AppData\Local\CrashDumps
2015-04-23 16:35 - 2015-04-23 16:35 - 00660100 _____ () C:\Users\Rick\Desktop\Capture.jpeg
2015-04-23 16:34 - 2015-04-23 16:34 - 00010631 _____ () C:\Users\Rick\Desktop\download.jpeg
2015-04-23 06:12 - 2015-04-23 06:12 - 00000000 ___HD () C:\Users\Rick\AppData\Roaming\FEDDB609
2015-04-22 20:24 - 2015-04-22 20:24 - 00000000 ____D () C:\Users\Rick\AppData\Local\openvr
2015-04-22 18:13 - 2015-04-22 18:13 - 00004437 _____ () C:\Users\Rick\Desktop\Uplay.exe - Shortcut.lnk
2015-04-21 19:31 - 2015-04-24 23:35 - 00608698 _____ () C:\Windows\WindowsUpdate.log
2015-04-21 19:17 - 2015-04-21 19:17 - 16884312 _____ () C:\Users\admin2\Downloads\RogueKiller.exe
2015-04-21 18:38 - 2015-04-21 18:39 - 02347384 _____ (ESET) C:\Users\admin2\Downloads\esetsmartinstaller_enu (1).exe
2015-04-21 18:37 - 2015-04-21 18:37 - 00849968 _____ () C:\cc_20150421_183658.reg
2015-04-21 18:22 - 2015-04-21 18:22 - 00000829 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-04-21 18:22 - 2015-04-21 18:22 - 00000000 ____D () C:\Program Files\CCleaner
2015-04-21 18:21 - 2015-04-21 18:22 - 05344528 _____ (Piriform Ltd) C:\Users\admin2\Downloads\ccsetup504.exe
2015-04-21 15:09 - 2015-04-21 15:09 - 00012577 _____ () C:\ComboFix.txt
2015-04-21 14:56 - 2015-04-21 15:09 - 00000000 ____D () C:\ComboFix
2015-04-21 14:07 - 2015-04-21 19:17 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-04-21 14:07 - 2015-04-21 14:07 - 00000000 ____D () C:\ProgramData\RogueKiller
2015-04-21 08:34 - 2015-04-21 08:34 - 00000000 ___HD () C:\Windows\AxInstSV
2015-04-21 08:34 - 2015-04-21 08:34 - 00000000 ____D () C:\Program Files (x86)\ESET
2015-04-20 22:14 - 2015-04-20 22:14 - 00001126 _____ () C:\Users\admin2\Desktop\ComboFix - Shortcut.lnk
2015-04-20 21:47 - 2015-04-20 21:47 - 00000000 ____D () C:\Users\admin2\Documents\7 Days To Die
2015-04-20 21:35 - 2015-04-20 21:35 - 05619466 ____R (Swearware) C:\Users\admin2\Downloads\ComboFix.exe
2015-04-20 20:25 - 2015-04-20 20:25 - 00000000 ____D () C:\Users\admin2\AppData\Roaming\vlc
2015-04-20 20:00 - 2015-04-20 20:00 - 02347384 _____ (ESET) C:\Users\admin2\Downloads\esetsmartinstaller_enu.exe
2015-04-20 20:00 - 2015-04-20 20:00 - 00000000 ____D () C:\Users\admin2\AppData\Roaming\Macromedia
2015-04-20 08:07 - 2015-04-21 19:31 - 00000000 ___HD () C:\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}
2015-04-20 08:07 - 2015-04-20 08:07 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-04-18 15:01 - 2015-04-19 02:49 - 00281688 _____ () C:\Windows\SysWOW64\PnkBstrB.xtr
2015-04-18 15:01 - 2015-04-18 15:01 - 00000000 ____D () C:\Users\Rick\AppData\Local\PunkBuster
2015-04-18 14:50 - 2015-04-19 02:49 - 00281688 _____ () C:\Windows\SysWOW64\PnkBstrB.exe
2015-04-18 14:50 - 2015-04-18 16:44 - 00281688 _____ () C:\Windows\SysWOW64\PnkBstrB.ex0
2015-04-18 14:50 - 2015-04-18 14:50 - 00076888 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2015-04-18 14:08 - 2015-04-18 14:08 - 00000000 ____D () C:\Program Files (x86)\Origin Games
2015-04-18 13:18 - 2015-04-18 14:08 - 00000000 ____D () C:\Users\Rick\AppData\Roaming\Origin
2015-04-18 13:18 - 2015-04-18 14:08 - 00000000 ____D () C:\Users\Rick\AppData\Local\Origin
2015-04-18 13:16 - 2015-04-18 14:16 - 00000000 ____D () C:\ProgramData\Origin
2015-04-18 13:16 - 2015-04-18 13:18 - 00000000 ____D () C:\Program Files (x86)\Origin
2015-04-18 13:16 - 2015-04-18 13:16 - 00000990 _____ () C:\Users\Public\Desktop\Origin.lnk
2015-04-18 13:16 - 2015-04-18 13:16 - 00000000 ____D () C:\ProgramData\Electronic Arts
2015-04-13 21:16 - 2015-04-13 21:16 - 00002973 _____ () C:\Windows\Kaseya-KLC-201540413-21-15-47.html
2015-04-04 14:02 - 2015-04-04 14:02 - 00001887 _____ () C:\Users\Rick\Desktop\medieval2_RetrofitMP.bat - Shortcut.lnk
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-04-25 10:42 - 2014-07-16 18:29 - 00000580 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2680648856-1668043267-3130069616-1002.job
2015-04-25 10:35 - 2013-01-31 00:16 - 00000000 ____D () C:\Users\Rick
2015-04-25 10:19 - 2013-03-08 21:28 - 00000000 ____D () C:\Users\Rick\AppData\Roaming\uTorrent
2015-04-25 10:10 - 2014-04-22 14:37 - 00000930 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-04-25 10:02 - 2012-07-26 04:12 - 00000000 ____D () C:\Windows\system32\sru
2015-04-25 08:36 - 2013-12-22 21:16 - 00000000 ____D () C:\Users\Rick\AppData\Local\Thunderbird
2015-04-25 08:28 - 2013-12-22 21:16 - 00000000 ____D () C:\Program Files (x86)\Mozilla Thunderbird
2015-04-25 08:28 - 2013-03-05 15:12 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-04-25 03:10 - 2014-04-22 14:37 - 00000926 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-24 23:25 - 2014-11-21 18:09 - 00000000 ___HD () C:\$Windows.~BT
2015-04-24 23:22 - 2013-11-22 23:38 - 00064773 _____ () C:\Windows\diagwrn.xml
2015-04-24 23:22 - 2013-11-22 23:38 - 00064773 _____ () C:\Windows\diagerr.xml
2015-04-24 23:22 - 2012-07-26 01:26 - 00262144 ___SH () C:\Windows\system32\config\ELAM
2015-04-24 23:19 - 2012-07-26 04:12 - 00000000 ____D () C:\Windows\registration
2015-04-24 21:29 - 2014-09-10 02:21 - 00000000 ____D () C:\Users\Rick\AppData\Roaming\Mumble
2015-04-24 21:27 - 2012-07-26 04:12 - 00000000 ____D () C:\Windows\AUInstallAgent
2015-04-24 21:22 - 2013-02-01 04:09 - 00000000 ____D () C:\Program Files (x86)\Steam
2015-04-21 20:36 - 2013-01-31 00:23 - 00003600 _____ () C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2680648856-1668043267-3130069616-1002
2015-04-21 19:44 - 2013-02-06 22:04 - 00000000 ____D () C:\Users\Rick\AppData\Roaming\vlc
2015-04-21 19:39 - 2013-01-31 00:22 - 00007595 _____ () C:\Users\Rick\AppData\Local\Resmon.ResmonCfg
2015-04-21 19:36 - 2012-07-26 03:28 - 00860782 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-04-21 19:31 - 2014-08-19 18:47 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-04-21 19:31 - 2012-07-26 03:22 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-04-21 18:35 - 2013-07-15 18:41 - 00000000 ____D () C:\Users\Rick\AppData\Roaming\inkscape
2015-04-21 18:35 - 2013-05-21 20:04 - 00000000 ____D () C:\Users\Rick\AppData\Roaming\DAEMON Tools Lite
2015-04-21 18:35 - 2013-04-28 08:22 - 00000000 ____D () C:\Users\Rick\AppData\Roaming\TeamViewer
2015-04-21 18:35 - 2013-03-06 21:59 - 00000000 ____D () C:\Users\Rick\AppData\Roaming\Ventrilo
2015-04-21 18:34 - 2013-11-27 23:08 - 00000000 ____D () C:\Windows\Minidump
2015-04-21 18:34 - 2012-10-25 00:54 - 00000000 ____D () C:\Windows\Panther
2015-04-21 15:09 - 2015-02-21 00:35 - 00000000 ____D () C:\Qoobox
2015-04-21 15:08 - 2012-07-26 01:26 - 00000215 _____ () C:\Windows\system.ini
2015-04-20 21:40 - 2015-02-27 23:01 - 00000000 ____D () C:\Users\admin2\AppData\Roaming\Mumble
2015-04-20 21:35 - 2015-02-27 23:00 - 00000000 ____D () C:\Users\admin2\Documents\my games
2015-04-20 19:59 - 2015-02-27 22:58 - 00000000 ____D () C:\Users\admin2\AppData\Local\Google
2015-04-20 17:44 - 2015-03-17 21:57 - 00000000 ____D () C:\Users\Rick\AppData\Roaming\Spotify
2015-04-20 09:56 - 2015-03-17 21:58 - 00000000 ____D () C:\Users\Rick\AppData\Local\Spotify
2015-04-18 16:59 - 2013-05-02 22:49 - 00000000 ____D () C:\Users\Rick\AppData\Local\Ubisoft Game Launcher
2015-04-18 15:00 - 2013-02-23 14:20 - 00000000 ____D () C:\Users\Rick\Documents\My Games
2015-04-17 18:11 - 2014-04-22 14:37 - 00002190 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-04-14 01:18 - 2014-07-16 18:29 - 00003584 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-2680648856-1668043267-3130069616-1002
2015-04-13 21:16 - 2013-03-19 20:10 - 00000000 ____D () C:\Users\Rick\AppData\Local\KLC
2015-04-11 17:42 - 2015-03-17 21:58 - 00001769 _____ () C:\Users\Rick\Desktop\Spotify.lnk
2015-04-11 17:42 - 2015-03-17 21:58 - 00001755 _____ () C:\Users\Rick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
2015-04-11 14:46 - 2014-01-30 20:02 - 00000000 ____D () C:\Temp
2015-04-03 18:01 - 2013-07-21 13:05 - 00000000 ____D () C:\Users\Rick\AppData\Roaming\Natural Selection 2
 
==================== Files in the root of some directories =======
 
2013-08-24 17:02 - 2013-08-24 17:02 - 0000092 _____ () C:\Users\Rick\AppData\Local\fusioncache.dat
2013-07-15 19:00 - 2013-07-15 19:00 - 0000218 _____ () C:\Users\Rick\AppData\Local\recently-used.xbel
2013-01-31 00:22 - 2015-04-21 19:39 - 0007595 _____ () C:\Users\Rick\AppData\Local\Resmon.ResmonCfg
 
Some content of TEMP:
====================
C:\Users\Rick\AppData\Local\temp\dllnt_dump.dll
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-04-18 04:10
 
==================== End Of Log ============================

 

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 24-04-2015
Ran by Rick at 2015-04-25 10:42:29
Running from C:\Users\Rick\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
admin2 (S-1-5-21-2680648856-1668043267-3130069616-1005 - Limited - Enabled) => C:\Users\admin2
Administrator (S-1-5-21-2680648856-1668043267-3130069616-500 - Administrator - Disabled)
ASPNET (S-1-5-21-2680648856-1668043267-3130069616-1004 - Limited - Enabled)
Guest (S-1-5-21-2680648856-1668043267-3130069616-501 - Limited - Enabled)
Rick (S-1-5-21-2680648856-1668043267-3130069616-1002 - Administrator - Enabled) => C:\Users\Rick
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
7 Days to Die (HKLM-x32\...\Steam App 251570) (Version:  - The Fun Pimps)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
A Game of Thrones version 0.6 (HKLM-x32\...\{7C82709E-75FE-4C3A-976A-8C97908DDD7B}_is1) (Version: 0.6 - AGOT TEAM)
Adobe Flash Player 13 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 13.0.0.182 - Adobe Systems Incorporated)
Adobe Reader X (10.1.3) MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-AA0000000001}) (Version: 10.1.3 - Adobe Systems Incorporated)
Agarest: Generations of War (HKLM-x32\...\Steam App 237890) (Version:  - Ghostlight)
AI Suite II (HKLM-x32\...\{34D3688E-A737-44C5-9E2A-FF73618728E1}) (Version: 2.00.01 - ASUSTeK Computer Inc.)
Alan Wake (HKLM-x32\...\Steam App 108710) (Version:  - Remedy Entertainment)
Alien Swarm (HKLM-x32\...\Steam App 630) (Version:  - Valve)
AMD Catalyst Install Manager (HKLM\...\{EE39D5DF-E9BB-20C3-2852-CD3C0E85EB96}) (Version: 8.0.881.0 - Advanced Micro Devices, Inc.)
AMD Quick Stream (HKLM\...\{E9EED4AE-682B-4501-9574-D09A21717599}_is1) (Version: 3.3.26.0 - AppEx Networks)
Anodyne (HKLM-x32\...\Steam App 234900) (Version:  - Sean Hogan and Jonathan Kittaka)
Antichamber (HKLM-x32\...\Steam App 219890) (Version:  - Alexander Bruce)
ASUS Ai Charger (HKLM-x32\...\{7FB64E72-9B0E-4460-A821-040C341E414A}) (Version: 1.03.00 - ASUSTeK Computer Inc.)
ASUSDVD (HKLM-x32\...\InstallShield_{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}) (Version: 10.0.4126.52 - CyberLink Corp.)
ASUSDVD (x32 Version: 10.0.4126.52 - CyberLink Corp.) Hidden
AudibleManager (HKLM-x32\...\AudibleManager) (Version: 18414980.4759644.48.2001221320 - Audible, Inc.)
Battle for Wesnoth 1.10.5 (HKLM-x32\...\Battle for Wesnoth 1.10.5) (Version: 1.10.5 - )
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
BitRaider Web Client (HKLM-x32\...\BitRaider Web Client) (Version: 1.1.9.9 - BitRaider, LLC)
Blockland (HKLM-x32\...\Steam App 250340) (Version:  - Eric Hartman)
Blood Bowl: Chaos Edition (HKLM-x32\...\Steam App 216890) (Version:  - Cyanide Studios)
Borderlands 2 (HKLM-x32\...\Steam App 49520) (Version:  - Gearbox Software)
BOSS (HKLM-x32\...\BOSS) (Version: 2.1.1 - BOSS Development Team)
Call of Warhammer: Øòîðì Õàîñà 1.5 ñ ìóçûêîé è îçâó÷êîé (HKLM-x32\...\Rage of Dark Gods. Battle for the Empire (Call o~CF6C5540_is1) (Version:  - Call of Warhammer Team. Ïîðòàë Ñi×ú Total WarS.)
CCleaner (HKLM\...\CCleaner) (Version: 5.04 - Piriform)
Chivalry: Medieval Warfare (HKLM-x32\...\Steam App 219640) (Version:  - Torn Banner Studios)
Citrix Online Launcher (HKLM-x32\...\{3E7E6F1E-7376-475A-8BC9-E3126B20CF5F}) (Version: 1.0.198 - Citrix)
Classic Shell (HKLM\...\{7F34ADBE-77C0-47A0-BBC6-B3DA16CE8E68}) (Version: 3.6.7 - IvoSoft)
Cockatrice (HKLM-x32\...\Cockatrice) (Version:  - )
Company of Heroes (New Steam Version) (HKLM-x32\...\Steam App 228200) (Version:  - )
ConnectWise Internet Client 64-bit (HKLM\...\{800DAD34-BEA5-4279-9EEF-F86B346F8210}) (Version: 14.4.1 - ConnectWise)
Core Temp 1.0 RC4 (HKLM\...\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1) (Version: 1.0 - Alcpu)
Crusader Kings II (HKLM-x32\...\Steam App 203770) (Version:  - Paradox)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.47.1.0333 - Disc Soft Ltd)
Dead Space (HKLM-x32\...\Steam App 17470) (Version:  - EA Redwood Shores)
Death to Spies (HKLM-x32\...\Steam App 9800) (Version:  - Haggard Games)
Death to Spies: Moment of Truth (HKLM-x32\...\Steam App 34410) (Version:  - Haggard Games)
Demigod (HKLM-x32\...\Steam App 202710) (Version:  - Gas Powered Games)
Desura (HKLM-x32\...\Desura) (Version: 100.53 - Desura)
Desura: Gnomoria (HKLM-x32\...\Desura_76867029696544) (Version: Alpha - Robotronic Games)
Deus Ex: Human Revolution (HKLM-x32\...\Steam App 28050) (Version:  - Eidos Montreal)
Diablo III (HKLM-x32\...\Diablo III) (Version:  - Blizzard Entertainment)
Dishonored (HKLM-x32\...\Steam App 205100) (Version: 1.0 - Bethesda Softworks)
Divine Divinity (HKLM-x32\...\Steam App 214170) (Version:  - )
Divinity II: Developer's Cut (HKLM-x32\...\Steam App 219780) (Version:  - Larian Studios)
Dogs of War Online - Beta (HKLM-x32\...\Steam App 219700) (Version:  - Cyanide Studios)
Dota 2 (HKLM-x32\...\Steam App 570) (Version:  - Valve)
Dungeonland (HKLM-x32\...\Steam App 218130) (Version:  - Critical Studio)
DYNASTY WARRIORS 8: Xtreme Legends Complete Edition (HKLM-x32\...\Steam App 278080) (Version:  - TECMO KOEI GAMES CO., LTD.)
Earth 2140 HD (HKLM-x32\...\Steam App 253860) (Version:  - Reality Pump Studios)
eManual (HKLM-x32\...\{0C84E634-EB68-4A54-B21E-A05EC87A4CC5}) (Version: 1.00.00 - ASUSTeK Computer Inc.)
Empire: Total War (HKLM-x32\...\Steam App 10500) (Version:  - The Creative Assembly)
Endless Legend (HKLM-x32\...\Steam App 289130) (Version:  - AMPLITUDE Studios)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
Europa Universalis III (HKLM-x32\...\Steam App 25800) (Version:  - Paradox Development Studio)
Expeditions: Conquistador (HKLM-x32\...\Steam App 237430) (Version:  - Logic Artists)
Fallout Tactics (HKLM-x32\...\Steam App 38420) (Version:  - 14° East)
Fallout: New Vegas (HKLM-x32\...\Steam App 22380) (Version:  - Obsidian Entertainment)
Far Cry® 3 (HKLM-x32\...\Steam App 220240) (Version:  - Ubisoft Montreal, Massive Entertainment, and Ubisoft Shanghai)
FINAL FANTASY XIV - A Realm Reborn (HKLM-x32\...\{2B41E132-07DF-4925-A3D3-F2D1765CCDFE}) (Version: 1.0.0000 - SQUARE ENIX CO., LTD.)
Forge (HKLM-x32\...\Steam App 223390) (Version:  - Dark Vale Games)
Fotogalerie (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
FTL: Faster Than Light (HKLM-x32\...\Steam App 212680) (Version:  - Subset Games)
Galactic Civilizations II: Ultimate Edition (HKLM-x32\...\Steam App 202200) (Version:  - Stardock Entertainment)
Galeria de Fotografias (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Galería de fotos (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Galerie de photos (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Game of Thrones  (HKLM-x32\...\Steam App 208730) (Version:  - Cyanide Studios)
gamelauncher-ps2-live (HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\SOE-C:/Users/Public/Sony Online Entertainment/Installed Games/PlanetSide 2) (Version:  - Sony Online Entertainment)
GameSpy Arcade (HKLM-x32\...\GameSpy Arcade) (Version:  - )
Geneforge 1 (HKLM-x32\...\Steam App 200960) (Version:  - Spiderweb Software)
Gnomoria (HKLM-x32\...\Steam App 224500) (Version:  - )
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 42.0.2311.90 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
GoToMeeting 7.1.8.2553 (HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\GoToMeeting) (Version: 7.1.8.2553 - CitrixOnline)
Halo: Spartan Assault (HKLM-x32\...\Steam App 277430) (Version:  - Vanguard Games)
Hammerwatch (HKLM-x32\...\Steam App 239070) (Version:  - )
Hearthstone (HKLM-x32\...\Hearthstone) (Version:  - Blizzard Entertainment)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Inkscape 0.48.4 (HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\Inkscape) (Version: 0.48.4 - )
Java 7 Update 21 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86417021FF}) (Version: 7.0.210 - Oracle)
Kinetic Void (HKLM-x32\...\Steam App 227160) (Version:  - Badland Studio)
King Arthur - Fallen Champions (HKLM-x32\...\Steam App 24460) (Version:  - NeocoreGames)
King Arthur II - The Role-playing Wargame (HKLM-x32\...\Steam App 24480) (Version:  - NeocoreGames)
League of Legends (HKLM-x32\...\League of Legends 3.0.0) (Version: 3.0.0 - Riot Games)
League of Legends (x32 Version: 3.0.0 - Riot Games) Hidden
Leviathan: Warships (HKLM-x32\...\Steam App 202270) (Version:  - Pieces Interactive)
LiveConnect (HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\{5A85FD2D-9D1C-43C1-A3F8-EA2703BBC12F}) (Version: 6.3.0.0 - Live Connect)
Magic Online (HKLM-x32\...\{AF7733C1-FB0B-4FED-9730-E0433AF7A2EF}) (Version: 3.00.0000 - Wizards of the Coast)
Magic Workstation 0.94f (HKLM-x32\...\Magic Workstation_is1) (Version:  - Magic Technology)
Magic: The Gathering - Duels of the Planeswalkers 2013 (HKLM-x32\...\Steam App 97330) (Version:  - )
Magicka (HKLM-x32\...\Steam App 42910) (Version:  - Arrowhead Game Studios)
March of War (HKLM-x32\...\Steam App 234310) (Version:  - ISOTX)
Marvel Heroes (HKLM-x32\...\Steam App 226320) (Version:  - Gazillion Entertainment)
Mass Effect (HKLM-x32\...\Steam App 17460) (Version:  - BioWare)
Medieval II - Retrofit Multiplayer version 2.0 (HKLM-x32\...\0000RetrofitMP_is1) (Version:  - )
Medieval II: Total War (HKLM-x32\...\Steam App 4700) (Version:  - The Creative Assembly)
Medieval II: Total War Kingdoms (HKLM-x32\...\Steam App 4780) (Version:  - The Creative Assembly)
Men of War (HKLM-x32\...\Steam App 7830) (Version:  - Best Way)
Microsoft .NET Framework 1.1 (HKLM-x32\...\Microsoft .NET Framework 1.1  (1033)) (Version:  - )
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (HKLM-x32\...\{41785C66-90F2-40CE-8CB5-1C94BFC97280}) (Version: 3.5.0.0 - Microsoft Corporation)
Microsoft Office (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.6120.5004 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 3.1 (HKLM-x32\...\{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}) (Version: 3.1.10527.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
Minecraft1.5.2 (HKLM-x32\...\Minecraft1.5.2) (Version:  - )
Minecraft1.7.9 (HKLM-x32\...\Minecraft1.7.9) (Version:  - )
Mirror's Edge (HKLM-x32\...\Steam App 17410) (Version:  - DICE)
Mount & Blade: Warband (HKLM-x32\...\Steam App 48700) (Version:  - TaleWorlds Entertainment)
Mount & Blade: With Fire and Sword (HKLM-x32\...\Steam App 48720) (Version:  - TaleWorlds Entertainment)
Movie Maker (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
Mozilla Firefox 35.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 35.0.1 (x86 en-US)) (Version: 35.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 24.6.0 - Mozilla)
Mozilla Thunderbird 31.4.0 (x86 en-US) (HKLM-x32\...\Mozilla Thunderbird 31.4.0 (x86 en-US)) (Version: 31.4.0 - Mozilla)
MSXML 4.0 SP3 Parser (HKLM-x32\...\{196467F1-C11F-4F76-858B-5812ADC83B94}) (Version: 4.30.2100.0 - Microsoft Corporation)
MSXML 4.0 SP3 Parser (KB2758694) (HKLM-x32\...\{1D95BA90-F4F8-47EC-A882-441C99D30C1E}) (Version: 4.30.2117.0 - Microsoft Corporation)
Mumble 1.2.8 (HKLM-x32\...\{A9DBD31A-A09F-4C7E-86D1-3B21C59000D1}) (Version: 1.2.8 - Thorvald Natvig)
My Game Long Name (HKLM\...\UDK-293a3b32-f272-465d-972d-494483c6fe3f) (Version:  - Epic Games, Inc.)
Napoleon: Total War (HKLM-x32\...\Steam App 34030) (Version:  - The Creative Assembly)
Natural Selection 2 (HKLM-x32\...\Steam App 4920) (Version:  - Unknown Worlds Entertainment)
NEO Scavenger (HKLM-x32\...\Steam App 248860) (Version:  - Blue Bottle Games)
Nero 12 Essentials OEM.a01 (HKLM-x32\...\{2AC099EA-CC1C-4E4E-BDFC-0353DCF13DD0}) (Version: 12.5.00400 - Nero AG)
Nether (HKLM-x32\...\Steam App 247730) (Version:  - Phosphor Games)
Nexus Mod Manager (HKLM\...\6af12c54-643b-4752-87d0-8335503010de_is1) (Version: 0.52.3 - Black Tree Gaming)
NexusTK (HKLM-x32\...\NexusTK) (Version: 7.06 - KRU Interactive)
NVIDIA 3D Vision Controller Driver 347.09 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 347.09 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 347.09 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 347.09 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.1.5 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.1.5 - NVIDIA Corporation)
NVIDIA Graphics Driver 347.09 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 347.09 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.33.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.33.0 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.14.0702 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.14.0702 - NVIDIA Corporation)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
OpenOffice.org 3.4.1 (HKLM-x32\...\{9F1F2AEA-C72A-4DD6-991E-C5506A5625E4}) (Version: 3.41.9593 - Apache Software Foundation)
Origin (HKLM-x32\...\Origin) (Version: 9.5.12.2862 - Electronic Arts, Inc.)
Out of the Park Baseball 14 (HKLM-x32\...\Steam App 263840) (Version:  - Out of the Park Developments)
Papers, Please (HKLM-x32\...\Steam App 239030) (Version:  - 3909)
Path of Exile (HKLM-x32\...\Steam App 238960) (Version:  - Grinding Gear Games)
PlanetSide 2 (HKLM-x32\...\Steam App 218230) (Version:  - Sony Online Entertainment)
PlanetSide 2 (HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\soe-PlanetSide 2) (Version: 1.0.3.183 - Sony Online Entertainment)
Prerequisite installer (x32 Version: 12.0.0002 - Nero AG) Hidden
Project Freedom (HKLM-x32\...\Steam App 34810) (Version:  - City Interactive)
ProxyFirewall 1.0.4 Beta (HKLM-x32\...\ProxyFirewall_is1) (Version:  - Unique Internet Services)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.993 - Even Balance, Inc.)
Raccolta foto (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
RAW - Realms of Ancient War (HKLM-x32\...\Steam App 209730) (Version:  - Wizarbox)
Realm of the Mad God (HKLM-x32\...\Steam App 200210) (Version:  - Wild Shadow Studios)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.3.730.2012 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6657 - Realtek Semiconductor Corp.)
RIFT™ (HKLM-x32\...\Steam App 39120) (Version:  - Trion Worlds)
RPG Maker VX Ace (HKLM-x32\...\Steam App 220700) (Version:  - Enterbrain)
S.T.A.L.K.E.R.: Clear Sky (HKLM-x32\...\Steam App 20510) (Version:  - GSC Game World)
Saints Row IV (HKLM-x32\...\Steam App 206420) (Version:  - Deep Silver Volition)
SHIELD Streaming (Version: 3.1.3000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 16.18.9 - NVIDIA Corporation) Hidden
Sid Meier's Civilization 4 - Beyond the Sword (HKLM-x32\...\{32E4F0D2-C135-475E-A841-1D59A0D22989}) (Version: 3.17 - Firaxis Games)
Sid Meier's Civilization 4 - Warlords (HKLM-x32\...\{3E4B349F-10B5-4586-9D99-489A90A8B228}) (Version: 2.13 - Firaxis Games)
Sid Meier's Civilization 4 (HKLM-x32\...\{CFBCE791-2D53-4FCE-B3FB-D6E01F4112E8}) (Version: 1.74 - Firaxis Games)
Sid Meier's Civilization 4 (x32 Version: 1.00.0000 - Firaxis Games) Hidden
Sid Meier's Civilization V (HKLM-x32\...\Steam App 8930) (Version:  - 2K Games, Inc.)
Sins of a Solar Empire: Trinity (HKLM-x32\...\Steam App 201290) (Version:  - Ironclad Games, Stardock Entertainment)
South Park™: The Stick of Truth™ (HKLM-x32\...\Steam App 213670) (Version:  - Obsidian Entertainment)
Space Engineers (HKLM-x32\...\Steam App 244850) (Version:  - Keen Software House)
SpaceChem (HKLM-x32\...\Steam App 92800) (Version:  - Zachtronics)
Spotify (HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\Spotify) (Version: 1.0.3.101.gbfa97dfe - Spotify AB)
Star Wars - Battlefront II (HKLM-x32\...\Steam App 6060) (Version:  - Pandemic Studios)
Star Wars The Old Republic (HKLM-x32\...\swtor_swtor) (Version: 7.0.0.40 - Bioware/EA)
Star Wars: Empire at War Gold (HKLM-x32\...\Steam App 32470) (Version:  - Petroglyph)
Star Wars: Knights of the Old Republic (HKLM-x32\...\Steam App 32370) (Version:  - BioWare)
Star Wars: The Old Republic (HKLM-x32\...\{3B11D799-48E0-48ED-BFD7-EA655676D8BB}) (Version: 1.00 - Electronic Arts, Inc.)
Starbound (HKLM-x32\...\Steam App 211820) (Version:  - )
State of Decay (HKLM-x32\...\Steam App 241540) (Version:  - Undead Labs)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
Sword of the Stars II: Enhanced Edition (HKLM-x32\...\Steam App 42990) (Version:  - Kerberos Productions)
System Requirements Lab Detection (HKLM-x32\...\{A365ABCD-E4E9-43BD-B756-E3233FFA6EEA}) (Version: 6.1.1.0 - Husdawg, LLC)
Tabletop Simulator (HKLM-x32\...\Steam App 286160) (Version:  - Berserk Games)
Talisman: Digital Edition (HKLM-x32\...\Steam App 247000) (Version:  - Nomad Games Limited)
Team Fortress 2 (HKLM-x32\...\Steam App 440) (Version:  - Valve)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.6 - TeamSpeak Systems GmbH)
Terraria (HKLM-x32\...\Steam App 105600) (Version:  - Re-Logic)
The Banner Saga (HKLM-x32\...\Steam App 237990) (Version:  - Stoic)
The Elder Scrolls V: Skyrim (HKLM-x32\...\Steam App 72850) (Version:  - Bethesda Game Studios)
The Showdown Effect (HKLM-x32\...\Steam App 204080) (Version:  - Arrowhead Game Studios)
The Walking Dead (HKLM-x32\...\Steam App 207610) (Version:  - )
The Wolf Among Us (HKLM-x32\...\{8DDB4912-18CA-4377-B487-1938520981FF}) (Version: 1.0.0.0 - Telltale Games)
Theatre of War (HKLM-x32\...\Steam App 46290) (Version:  - 1C Company)
Torchlight (HKLM-x32\...\Torchlight_is1) (Version:  - GOG.com)
Torchlight II (HKLM-x32\...\Steam App 200710) (Version:  - )
Torchlight II Demo (HKLM-x32\...\Steam App 219850) (Version:  - )
Total War: ROME II - Emperor Edition (HKLM-x32\...\Steam App 214950) (Version:  - Creative Assembly)
Total War: SHOGUN 2 (HKLM-x32\...\Steam App 34330) (Version:  - The Creative Assembly)
Ubisoft Game Launcher (HKLM-x32\...\{888F1505-C2B3-4FDE-835D-36353EBD4754}) (Version: 1.0.0.0 - UBISOFT)
Unity Web Player (HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\UnityWebPlayer) (Version:  - Unity Technologies ApS)
Universe Sandbox (HKLM-x32\...\Steam App 72200) (Version:  - Giant Army)
Ventrilo Client for Windows x64 (HKLM\...\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}) (Version: 3.0.8.0 - Flagship Industries, Inc.)
VirtualCloneDrive (HKLM-x32\...\VirtualCloneDrive) (Version:  - Elaborate Bytes)
Visual CertExam Suite (HKLM-x32\...\Visual CertExam Suite_is1) (Version:  - Avanset)
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
VLC media player 2.0.5 (HKLM-x32\...\VLC media player) (Version: 2.0.5 - VideoLAN)
War of the Roses (HKLM-x32\...\Steam App 42160) (Version:  - Fatshark)
War of the Roses Balance Beta (HKLM-x32\...\Steam App 206980) (Version:  - )
Warframe (HKLM-x32\...\Steam App 230410) (Version:  - )
Warhammer 40,000: Dawn of War – Soulstorm (HKLM-x32\...\Steam App 9450) (Version:  - Relic Entertainment)
Warlock - Master of the Arcane (HKLM-x32\...\Steam App 203630) (Version:  - Ino-Co Plus)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3505.0912 - Microsoft Corporation)
WinRAR 4.20 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)
Worms Armageddon (HKLM-x32\...\Steam App 217200) (Version:  - Team17 Digital Ltd.)
X3 Reunion (HKLM-x32\...\{9838EAFF-B13B-4A03-AEAE-6D508136545D}) (Version: 12 - DeepSilver)
X3: Albion Prelude (HKLM-x32\...\Steam App 201310) (Version:  - Egosoft)
X3: Reunion (HKLM-x32\...\Steam App 2810) (Version:  - Egosoft)
X3: Terran Conflict (HKLM-x32\...\Steam App 2820) (Version:  - Egosoft)
XCOM: Enemy Unknown (HKLM-x32\...\Steam App 200510) (Version:  - Firaxis Games)
XIII Century (HKLM-x32\...\Steam App 34420) (Version:  - Unicorn Games Studio)
Συλλογή φωτογραφιών (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
影像中心 (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
照片库 (x32 Version: 16.4.3505.0912 - Microsoft Corporation) Hidden
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
CustomCLSID: HKU\S-1-5-21-2680648856-1668043267-3130069616-1002_Classes\CLSID\{84B5A313-CD5D-4904-8BA2-AFDC81C1B309}\InprocServer32 -> C:\Users\Rick\AppData\Local\Citrix\GoToMeeting\1468\G2MOutlookAddin64.dll (Citrix Online, a division of Citrix Systems, Inc.)
CustomCLSID: HKU\S-1-5-21-2680648856-1668043267-3130069616-1002_Classes\CLSID\{A9F56A45-9E88-4BA0-8B81-F7130C2C2C16}\InprocServer32 -> C:\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}\cmcfg32.dll ()
 
==================== Restore Points  =========================
 
22-04-2015 03:00:34 Scheduled Checkpoint
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2012-07-26 01:26 - 2015-04-20 22:41 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
 
==================== Scheduled Tasks (whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {4E3ABED1-3854-442C-ADDC-18813E1DCC0E} - System32\Tasks\{50711DC8-F1BC-4EB8-9AE8-09E34AADA1D5} => pcalua.exe -a "E:\Software\HP Monitor Drivers\HP Display Installer.exe" -d "E:\Software\HP Monitor Drivers"
Task: {8386DCA3-667E-4BA7-8E1F-902F2192BE28} - System32\Tasks\G2MUpdateTask-S-1-5-21-2680648856-1668043267-3130069616-1002 => C:\Users\Rick\AppData\Local\Citrix\GoToMeeting\2553\g2mupdate.exe [2015-04-14] (Citrix Online, a division of Citrix Systems, Inc.)
Task: {8AC8BAE1-6A82-41A8-8F36-036B4D024DE9} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-22] (Google Inc.)
Task: {98D3F674-856D-4F61-A5AB-D16736FD76A3} - System32\Tasks\Razer_Game_Booster_AutoUpdate => C:\Program Files (x86)\Razer\Razer Game Booster\AutoUpdate.exe
Task: {9D132ABF-F01B-4228-B99E-7F3D78B3BDD9} - System32\Tasks\ASUS\ASUS AI Suite II Execute => C:\Program Files (x86)\ASUS\AI Suite II\AsRoutineController.exe [2012-03-13] (ASUSTeK Computer Inc.)
Task: {A84D24EB-F273-4AC1-ACDA-94DA38D81ACE} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-04-22] (Google Inc.)
Task: C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-2680648856-1668043267-3130069616-1002.job => C:\Users\Rick\AppData\Local\Citrix\GoToMeeting\2553\g2mupdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (whitelisted) ==============
 
2014-08-19 18:47 - 2014-12-13 04:03 - 00117576 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2012-10-25 01:12 - 2012-06-01 05:42 - 00920736 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe
2015-04-18 14:50 - 2015-04-18 14:50 - 00076888 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2015-04-25 10:35 - 2015-04-25 10:35 - 00050477 _____ () C:\Users\Rick\Downloads\Defogger.exe
2012-10-25 01:12 - 2015-04-21 19:31 - 00024576 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.19\PEbiosinterface32.dll
2012-10-25 01:12 - 2010-06-28 22:58 - 00104448 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.19\ATKEX.dll
2013-03-12 17:10 - 2015-03-10 02:37 - 00775680 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2015-02-19 20:47 - 2014-12-01 20:29 - 05002752 _____ () C:\Program Files (x86)\Steam\v8.dll
2014-05-21 21:44 - 2015-04-13 19:44 - 02371776 _____ () C:\Program Files (x86)\Steam\video.dll
2015-02-19 20:47 - 2014-12-01 20:29 - 01612800 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2015-02-19 20:47 - 2014-12-01 20:29 - 01210368 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2014-08-28 22:54 - 2014-12-01 17:31 - 02396672 _____ () C:\Program Files (x86)\Steam\libavcodec-56.dll
2014-08-28 22:54 - 2014-12-01 17:31 - 00479744 _____ () C:\Program Files (x86)\Steam\libavformat-56.dll
2014-08-28 22:54 - 2014-12-01 17:31 - 00332800 _____ () C:\Program Files (x86)\Steam\libavresample-2.dll
2014-08-28 22:54 - 2014-12-01 17:31 - 00442880 _____ () C:\Program Files (x86)\Steam\libavutil-54.dll
2014-08-28 22:54 - 2014-12-01 17:31 - 00485888 _____ () C:\Program Files (x86)\Steam\libswscale-3.dll
2013-02-01 04:12 - 2015-04-13 19:44 - 00702656 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2013-02-01 04:12 - 2015-02-24 21:58 - 34641288 _____ () C:\Program Files (x86)\Steam\bin\libcef.dll
2014-08-14 18:01 - 2015-02-24 21:58 - 01709960 _____ () C:\Program Files (x86)\Steam\bin\ffmpegsumo.dll
2015-04-17 18:11 - 2015-04-13 17:55 - 01252680 _____ () C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.90\libglesv2.dll
2015-04-17 18:11 - 2015-04-13 17:55 - 00080712 _____ () C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.90\libegl.dll
 
==================== Alternate Data Streams (whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
 
==================== Safe Mode (whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, the associated entry will be removed from the registry.)
 
IE trusted site: HKU\.DEFAULT\...\clonewarsadventures.com -> clonewarsadventures.com
IE trusted site: HKU\.DEFAULT\...\freerealms.com -> freerealms.com
IE trusted site: HKU\.DEFAULT\...\soe.com -> soe.com
IE trusted site: HKU\.DEFAULT\...\sony.com -> sony.com
IE trusted site: HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\soe.com -> soe.com
IE trusted site: HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\sony.com -> sony.com
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\Control Panel\Desktop\\Wallpaper -> C:\Temp\vivi.jpg
DNS Servers: 192.168.0.1
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
HKLM\...\StartupApproved\Run32: => "StartCCC"
HKLM\...\StartupApproved\Run32: => "RemoteControl10"
HKLM\...\StartupApproved\Run32: => "nmapp"
HKLM\...\StartupApproved\Run32: => "nmctxth"
HKLM\...\StartupApproved\Run32: => "VirtualCloneDrive"
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\StartupFolder: => "OpenOffice.org 3.4.1.lnk"
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\StartupFolder: => "program.lnk"
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\StartupFolder: => "971D5E7AC.lnk"
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\Run: => "DAEMON Tools Lite"
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\Run: => "Spotify"
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\Run: => "Spotify Web Helper"
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (04/25/2015 10:15:23 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.
 
Error: (04/25/2015 10:15:23 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.
 
Error: (04/25/2015 03:01:03 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.
 
Error: (04/24/2015 09:17:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 10.0.9200.17054, time stamp: 0x53d0b9f0
Faulting module name: MLANG.dll, version: 6.2.9200.16384, time stamp: 0x501087b1
Exception code: 0xc0000005
Fault offset: 0x0000a53d
Faulting process id: 0xf3ec
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5
 
Error: (04/24/2015 09:15:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 10.0.9200.17054, time stamp: 0x53d0b9f0
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0xb478
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5
 
Error: (04/24/2015 08:18:22 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 10.0.9200.17054, time stamp: 0x53d0b9f0
Faulting module name: MLANG.dll, version: 6.2.9200.16384, time stamp: 0x501087b1
Exception code: 0xc0000005
Fault offset: 0x0000a53d
Faulting process id: 0x147c
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5
 
Error: (04/24/2015 03:02:33 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.
 
Error: (04/24/2015 03:01:11 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.
 
Error: (04/21/2015 08:05:18 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.
 
Error: (04/21/2015 08:05:16 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifest.
 
 
System errors:
=============
Error: (04/24/2015 11:25:11 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070070: English ESD Bundle Parent.
 
Error: (04/24/2015 04:10:26 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
 
Error: (04/24/2015 04:10:26 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.
 
Error: (04/24/2015 04:06:29 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
 
Error: (04/24/2015 04:06:28 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.
 
Error: (04/24/2015 04:06:28 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
 
Error: (04/24/2015 04:06:28 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.
 
Error: (04/24/2015 10:01:11 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
 
Error: (04/24/2015 06:06:51 AM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
 
Error: (04/23/2015 09:39:59 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 40.
 
 
Microsoft Office Sessions:
=========================
Error: (04/25/2015 10:15:23 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestC:\Users\Rick\Downloads\esetsmartinstaller_enu (1).exe
 
Error: (04/25/2015 10:15:23 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestC:\Users\Rick\Downloads\esetsmartinstaller_enu.exe
 
Error: (04/25/2015 03:01:03 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestc:\program files (x86)\ESET\eset online scanner\ESETSmartInstaller.exe
 
Error: (04/24/2015 09:17:54 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: IEXPLORE.EXE10.0.9200.1705453d0b9f0MLANG.dll6.2.9200.16384501087b1c00000050000a53df3ec01d07ef560b6b928C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Windows\SYSTEM32\MLANG.dlle5ca9267-eae8-11e4-bed3-08606e4539ba
 
Error: (04/24/2015 09:15:41 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: IEXPLORE.EXE10.0.9200.1705453d0b9f0unknown0.0.0.000000000c000000500000000b47801d07ef53940c6e7C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEunknown96a56b31-eae8-11e4-bed3-08606e4539ba
 
Error: (04/24/2015 08:18:22 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: IEXPLORE.EXE10.0.9200.1705453d0b9f0MLANG.dll6.2.9200.16384501087b1c00000050000a53d147c01d07c9021570187C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXEC:\Windows\SYSTEM32\MLANG.dll9456b60d-eae0-11e4-bed3-08606e4539ba
 
Error: (04/24/2015 03:02:33 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestc:\program files (x86)\ESET\eset online scanner\ESETSmartInstaller.exe
 
Error: (04/24/2015 03:01:11 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestc:\program files (x86)\ESET\eset online scanner\ESETSmartInstaller.exe
 
Error: (04/21/2015 08:05:18 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestC:\Users\admin2\Downloads\esetsmartinstaller_enu (1).exe
 
Error: (04/21/2015 08:05:16 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_418ab7ef718b27ef.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9200.16579_none_8937eec6860750f5.manifestC:\Users\admin2\Downloads\esetsmartinstaller_enu.exe
 
 
CodeIntegrity Errors:
===================================
  Date: 2015-04-20 22:39:37.667
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-04-20 22:39:37.605
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-02-20 23:56:43.605
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: AMD A8-5500 APU with Radeon™ HD Graphics 
Percentage of memory in use: 59%
Total physical RAM: 7645.56 MB
Available physical RAM: 3065.51 MB
Total Pagefile: 11919.67 MB
Available Pagefile: 3864.61 MB
Total Virtual: 8192 MB
Available Virtual: 8191.77 MB
 
==================== Drives ================================
 
Drive c: (Windows) (Fixed) (Total:150 GB) (Free:29.92 GB) NTFS
Drive d: (Data) (Fixed) (Total:765.35 GB) (Free:43.78 GB) NTFS
Drive i: (SYSTEM) (Fixed) (Total:0.25 GB) (Free:0.2 GB) FAT32
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 5F9790BC)
 
Partition: GPT Partition Type.
 
==================== End Of Log ============================


#2 olgun52

olgun52

  • Malware Response Team
  • 3,783 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:06 AM

Posted 25 April 2015 - 11:57 AM

Hello Daru, and welcome to BleepingComputer.
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here

Thanks
---------------------------------------------------------------------------------------------------------
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
Are you still with us?

 
Sincerely


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you.
Malware fix forum
If I don't reply within 24 hours please PM me!

#3 Daru

Daru
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 25 April 2015 - 12:26 PM

I've read and understood your bullet points and will disable my AV.

I'll wait patiently - thanks for reviewing



#4 olgun52

olgun52

  • Malware Response Team
  • 3,783 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:06 AM

Posted 25 April 2015 - 12:58 PM

Hi Daru,

C:\Windows\Kaseya-KLC-201540413-21-15-47.html
C:\Users\Rick\Desktop\medieval2_RetrofitMP.bat

Do you recognise these programs?


Best regards
 
#5 Daru

Daru
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 25 April 2015 - 01:17 PM

Yes I recognize both.  One is a game mod, the other is remote management software



#6 olgun52

olgun52

  • Malware Response Team
  • 3,783 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:06 AM

Posted 25 April 2015 - 01:24 PM

Thank you Daru,
 
Step 1:
FRST Script:
Please download this attached fixlist.txt and save it in the same directory as FRST.

  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

 

Step 2:
Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

Step 4:

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Double-click mbam-setup-2.1.4.1018.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • At the end of the installation, a database update will be performed.
  • Click on Scan Now.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export.
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.

Already installed:
Threat Scan

  • On the Dashboard, click the Scan Now button.
  • A check for database updates will be performed.
  • After the update check completes, a Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export.
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.

Have a nice day.


Best regards
 
#7 Daru

Daru
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 25 April 2015 - 02:58 PM

Hey Yılmaz, I have an update. After running your fix in step one, I'm no longer seeing high CPU usage from those processes! Additionally, I have not noticed any further memory errors. I've included the contents from the logs in steps 1, 2 and 3 below. I was going to attach the log from step 4 as requested, but for some reason I cannot find how to upload files. I've just copied and pasted the contents; let me know how to attach if you need the entire file.
 
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 24-04-2015
Ran by Rick at 2015-04-25 14:37:38 Run:1
Running from C:\Temp
Loaded Profiles: Rick (Available profiles: Rick & admin2)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-2680648856-1668043267-3130069616-1002_Classes\CLSID\{A9F56A45-9E88-4BA0-8B81-F7130C2C2C16}\InprocServer32 -> C:\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}\cmcfg32.dll ()
 HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\StartupFolder: => "program.lnk"
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\StartupFolder: => "971D5E7AC.lnk"
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
FF Plugin-x32: @TrendMicro.com/FFExtension -> C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension\components\npToolbarChrome.dll No File
FF Extension: No Name - C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\fmdt13wd.default\extensions\swiffout@grownsoftware.com [Not Found]
CHR HKLM\...\Chrome\Extension: [bmiabdepfhhiieiipmeecdmeljggmfee] - No Path Or update_url value
CHR HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kfgnpeijmldmjbigmlbjnkjlifodjfmm] - C:\Users\Rick\AppData\Local\Kaseya\LiveConnect\LiveConnect-6-3.crx [2013-03-19]
CHR HKLM-x32\...\Chrome\Extension: [bmiabdepfhhiieiipmeecdmeljggmfee] - No Path Or update_url value
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
2015-04-20 08:07 - 2015-04-21 19:31 - 00000000 ___HD () C:\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}
cmd: type C:\ComboFix.txt
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
 
 
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-2680648856-1668043267-3130069616-1002_Classes\CLSID\{A9F56A45-9E88-4BA0-8B81-F7130C2C2C16}" => Key deleted successfully.
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\Software\Microsoft\Windows\CurrentVersion\Run\\HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\Run: => "CCleaner Monitoring" => Value not found.
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\StartupFolder: => "program.lnk" => Error: No automatic fix found for this entry.
HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\...\StartupApproved\StartupFolder: => "971D5E7AC.lnk" => Error: No automatic fix found for this entry.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found. 
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found. 
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@TrendMicro.com/FFExtension" => Key deleted successfully.
C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\fmdt13wd.default\extensions\swiffout@grownsoftware.com not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\bmiabdepfhhiieiipmeecdmeljggmfee" => Key deleted successfully.
"HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\SOFTWARE\Google\Chrome\Extensions\kfgnpeijmldmjbigmlbjnkjlifodjfmm" => Key deleted successfully.
C:\Users\Rick\AppData\Local\Kaseya\LiveConnect\LiveConnect-6-3.crx => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bmiabdepfhhiieiipmeecdmeljggmfee" => Key deleted successfully.
catchme => Service deleted successfully.
 
"C:\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}" directory move:
 
Could not move "C:\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}" directory. => Scheduled to move on reboot.
 
 
=========  type C:\ComboFix.txt =========
 
ComboFix 15-04-19.01 - Rick 04/21/2015  14:58:10.3.4 - x64 NETWORK
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.7646.6004 [GMT -4:00]
Running from: c:\users\admin2\Downloads\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((   Files Created from 2015-03-21 to 2015-04-21  )))))))))))))))))))))))))))))))
.
.
2015-04-21 19:07 . 2015-04-21 19:07 -------- d-----w- c:\users\Rick\AppData\Local\temp
2015-04-21 19:07 . 2015-04-21 19:07 -------- d-----w- c:\users\Public\AppData\Local\temp
2015-04-21 19:07 . 2015-04-21 19:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-04-21 19:07 . 2015-04-21 19:07 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2015-04-21 19:07 . 2015-04-21 19:07 -------- d-----w- c:\users\admin2\AppData\Local\temp
2015-04-21 18:07 . 2015-04-21 18:07 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-04-21 18:07 . 2015-04-21 18:07 -------- d-----w- c:\programdata\RogueKiller
2015-04-21 12:34 . 2015-04-21 12:34 -------- d-----w- c:\program files (x86)\ESET
2015-04-21 12:34 . 2015-04-21 12:34 -------- d--h--w- c:\windows\AxInstSV
2015-04-21 00:25 . 2015-04-21 00:25 -------- d-----w- c:\users\admin2\AppData\Roaming\vlc
2015-04-20 12:07 . 2015-04-21 18:54 -------- d--h--w- c:\programdata\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}
2015-04-18 19:01 . 2015-04-19 06:49 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2015-04-18 19:01 . 2015-04-18 19:01 -------- d-----w- c:\users\Rick\AppData\Local\PunkBuster
2015-04-18 18:50 . 2015-04-19 06:49 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2015-04-18 18:50 . 2015-04-18 20:44 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2015-04-18 18:50 . 2015-04-18 18:50 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2015-04-18 18:08 . 2015-04-18 18:08 -------- d-----w- c:\program files (x86)\Origin Games
2015-04-18 17:18 . 2015-04-18 18:08 -------- d-----w- c:\users\Rick\AppData\Roaming\Origin
2015-04-18 17:18 . 2015-04-18 18:08 -------- d-----w- c:\users\Rick\AppData\Local\Origin
2015-04-18 17:16 . 2015-04-18 18:16 -------- d-----w- c:\programdata\Origin
2015-04-18 17:16 . 2015-04-18 17:16 -------- d-----w- c:\programdata\Electronic Arts
2015-04-18 17:16 . 2015-04-18 17:18 -------- d-----w- c:\program files (x86)\Origin
2015-04-15 00:01 . 2015-04-15 00:01 -------- d-----w- c:\windows\ServiceProfiles\LocalService\winhttp
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-04-17 23:00 . 2014-11-25 17:00 17536 ----a-w- c:\programdata\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2015-03-09 12:08 . 2015-03-09 12:08 0 ----a-w- c:\windows\SysWow64\RENDF35.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ShareOverlay]
@="{594D4122-1F87-41E2-96C7-825FB4796516}"
[HKEY_CLASSES_ROOT\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}]
2013-04-13 03:28 611840 ----a-w- c:\program files\Classic Shell\ClassicExplorer32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2015-04-13 2889408]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2013-03-14 3672640]
"Spotify Web Helper"="c:\users\Rick\AppData\Roaming\Spotify\SpotifyWebHelper.exe" [2015-04-11 2018360]
"Spotify"="c:\users\Rick\AppData\Roaming\Spotify\Spotify.exe" [2015-04-11 7112248]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"ASUS Ai Charger"="c:\program files (x86)\ASUS\ASUS Ai Charger\AiChargerAP.exe" [2012-08-13 547984]
"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2012-10-25 3187360]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-08-15 642216]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2012-03-29 91432]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
.
c:\users\Rick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
971D5E7AC.lnk - c:\windows\system32\rundll32.exe  c:\progra~3\CA7E5D179.cpp,work [2012-7-25 51712]
OpenOffice.org 3.4.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2012-8-13 1199104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"PromptOnSecureDesktop"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
R1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys;SysWow64\drivers\AsUpIO.sys [x]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
R2 APXACC;AppEx Networks Accelerator LWF;c:\windows\system32\DRIVERS\appexDrv.sys;c:\windows\SYSNATIVE\DRIVERS\appexDrv.sys [x]
R2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [x]
R2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe;c:\program files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [x]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [x]
R2 GfExperienceService;NVIDIA GeForce Experience Service;c:\program files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe;c:\program files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [x]
R2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
R2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
R2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW86.sys;c:\windows\SYSNATIVE\drivers\AtihdW86.sys [x]
R3 BRDriver64;BRDriver64;c:\programdata\BitRaider\BRDriver64.sys;c:\programdata\BitRaider\BRDriver64.sys [x]
R3 BRSptSvc;BitRaider Mini-Support Service;c:\programdata\BitRaider\BRSptSvc.exe;c:\programdata\BitRaider\BRSptSvc.exe [x]
R3 Desura Install Service;Desura Install Service;c:\program files (x86)\Common Files\Desura\desura_service.exe;c:\program files (x86)\Common Files\Desura\desura_service.exe [x]
R3 EasyAntiCheat;EasyAntiCheat;c:\windows\system32\EasyAntiCheat.exe;c:\windows\SYSNATIVE\EasyAntiCheat.exe [x]
R3 NvStreamKms;NvStreamKms;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [x]
R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
R3 Origin Client Service;Origin Client Service;c:\program files (x86)\Origin\OriginClientService.exe;c:\program files (x86)\Origin\OriginClientService.exe [x]
R3 RTL8168;Realtek 8168 NT Driver;c:\windows\system32\DRIVERS\Rt630x64.sys;c:\windows\SYSNATIVE\DRIVERS\Rt630x64.sys [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys;c:\program files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys [x]
R3 WUDFWpdMtp;WUDFWpdMtp;c:\windows\system32\DRIVERS\WUDFRd.sys;c:\windows\SYSNATIVE\DRIVERS\WUDFRd.sys [x]
R3 xusb22;Xbox 360 Wireless Receiver Driver Service 22;c:\windows\System32\drivers\xusb22.sys;c:\windows\SYSNATIVE\drivers\xusb22.sys [x]
S0 amd_sata;amd_sata;c:\windows\System32\drivers\amd_sata.sys;c:\windows\SYSNATIVE\drivers\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\System32\drivers\amd_xata.sys;c:\windows\SYSNATIVE\drivers\amd_xata.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\System32\drivers\dtsoftbus01.sys;c:\windows\SYSNATIVE\drivers\dtsoftbus01.sys [x]
S3 AiCharger;AiCharger;SysWow64\drivers\AiCharger.sys;SysWow64\drivers\AiCharger.sys [x]
S3 AU8168;AU 8168 NT Driver;c:\windows\system32\DRIVERS\au630x64.sys;c:\windows\SYSNATIVE\DRIVERS\au630x64.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-04-17 22:11 988488 ----a-w- c:\program files (x86)\Google\Chrome\Application\42.0.2311.90\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-04-21 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-2680648856-1668043267-3130069616-1002.job
- c:\users\Rick\AppData\Local\Citrix\GoToMeeting\2553\g2mupdate.exe [2015-04-14 05:18]
.
2015-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-22 18:37]
.
2015-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-22 18:37]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ShareOverlay]
@="{594D4122-1F87-41E2-96C7-825FB4796516}"
[HKEY_CLASSES_ROOT\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}]
2013-04-13 03:28 742400 ----a-w- c:\program files\Classic Shell\ClassicExplorer64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2012-06-12 6548112]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2014-12-13 2531472]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2014-12-13 2824504]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://duckduckgo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyServer = alluseprox.info:8080
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: localhost
Trusted Zone: nextdimensioninc.com\itadvantage
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\fmdt13wd.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{F241C880-6982-4CE5-8CF7-7085BA96DA5A} - (no file)
ShellIconOverlayIdentifiers-{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} - (no file)
ShellIconOverlayIdentifiers-{BBACC218-34EA-4666-9D7A-C78F2274A524} - (no file)
AddRemove-Floris Mod Pack_is1 - c:\program files (x86)\Steam\SteamApps\common\MountBlade Warband\Modules\New Folder\Modules\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2015-04-21  15:09:54
ComboFix-quarantined-files.txt  2015-04-21 19:09
ComboFix2.txt  2015-04-21 02:54
ComboFix3.txt  2015-02-21 05:20
.
Pre-Run: 14,727,598,080 bytes free
Post-Run: 14,629,498,880 bytes free
.
- - End Of File - - C08C52E2E6A46EAC0F34C4789BABFFEE
5FB38429D5D77768867C76DCBDB35194
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  netsh winsock reset all =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv4 reset =========
 
Resetting Global, OK!
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
=========  netsh int ipv6 reset =========
 
Resetting Interface, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting , failed.
Access is denied.
 
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
EmptyTemp: => Removed 2.8 GB temporary data.
 
=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2015-04-25 15:15:21)<=
 
C:\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51} => Is moved successfully.
 
==== End of Fixlog 15:15:21 ====
 

# AdwCleaner v4.202 - Logfile created 25/04/2015 at 15:20:59
# Updated 23/04/2015 by Xplode
# Database : 2015-04-23.2 [Server]
# Operating system : Windows 8  (x64)
# Username : Rick - RICK-PC-NEW
# Running from : C:\Users\Rick\Desktop\adwcleaner_4.202.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\ProgramData\AVG Security Toolbar
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\AVG Nation toolbar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\AVG Nation toolbar
Key Deleted : HKLM\SOFTWARE\AVG Secure Search
Key Deleted : HKLM\SOFTWARE\AVG Security Toolbar
Key Deleted : HKLM\SOFTWARE\InstallIQ
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Steam App 228200
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - alluseprox.info:8080
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v10.0.9200.17054
 
 
-\\ Mozilla Firefox v35.0.1 (x86 en-US)
 
 
-\\ Google Chrome v42.0.2311.90
 
[C:\Users\admin2\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\admin2\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
 
-\\ Chromium v
 
 
*************************
 
AdwCleaner[R0].txt - [1936 bytes] - [25/04/2015 15:19:35]
AdwCleaner[S0].txt - [1581 bytes] - [25/04/2015 15:20:59]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1640  bytes] ##########
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.6.3 (04.25.2015:1)
OS: Windows 8 x64
Ran by Rick on Sat 04/25/2015 at 15:26:10.31
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
Successfully deleted: [Task] C:\Windows\system32\tasks\Optimize Start Menu Cache Files-S-1-5-21-2680648856-1668043267-3130069616-1002
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-2680648856-1668043267-3130069616-1002\Software\Microsoft\Internet Explorer\Main\\Start Page
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] C:\Windows\syswow64\ai_recyclebin
 
 
 
~~~ FireFox
 
Successfully deleted: [Folder] C:\Users\Rick\AppData\Roaming\mozilla\firefox\profiles\fmdt13wd.default\extensions\staged
Emptied folder: C:\Users\Rick\AppData\Roaming\mozilla\firefox\profiles\fmdt13wd.default\minidumps [99 files]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 04/25/2015 at 15:28:33.88
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 4/25/2015
Scan Time: 3:33:03 PM
Logfile: MBAMscanLOG.txt
Administrator: Yes
 
Version: 2.01.6.1022
Malware Database: v2015.04.25.05
Rootkit Database: v2015.04.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8
CPU: x64
File System: NTFS
User: Rick
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 437297
Time Elapsed: 12 min, 14 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 1
Trojan.Tinba, HKU\S-1-5-21-2680648856-1668043267-3130069616-1002\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|FEDDB609, C:\Users\Rick\AppData\Roaming\FEDDB609\bin.exe, Quarantined, [379283ed5c2ec274048a8dbfa75bfc04]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
Trojan.Tinba, C:\Users\Rick\AppData\Roaming\FEDDB609\bin.exe, Quarantined, [379283ed5c2ec274048a8dbfa75bfc04], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#8 olgun52

  • Malware Response Team
  • 3,783 posts
  • Gender:Male

Posted 25 April 2015 - 04:06 PM

Glad to hear that everything is running well.

 I was going to attach the log from step 4 as requested but for some reason I cannot find how to upload files. I've just copy and pasted the contents - let me know how to attach if you need the entire file

The logs are okay.

 

Please be sure to run our tools with administrator rights.
 
ComboFix run:
 
* IMPORTANT 1: Place ComboFix.exe on your Desktop
* IMPORTANT 2: Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.
 
Have a nice day.


Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#9 Daru

  • Topic Starter
  • Members
  • 13 posts

Posted 25 April 2015 - 04:37 PM

Ensured I ran as administrator as requested.
 
ComboFix 15-04-19.01 - Rick 04/25/2015  17:13:41.4.4 - x64
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.7646.5917 [GMT -4:00]
Running from: c:\users\Rick\Downloads\ComboFix.exe
.
.
(((((((((((((((((((((((((   Files Created from 2015-03-25 to 2015-04-25  )))))))))))))))))))))))))))))))
.
.
2015-04-25 21:22 . 2015-04-25 21:22 -------- d-----w- c:\users\Public\AppData\Local\temp
2015-04-25 21:22 . 2015-04-25 21:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-04-25 21:22 . 2015-04-25 21:22 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2015-04-25 21:22 . 2015-04-25 21:22 -------- d-----w- c:\users\admin2\AppData\Local\temp
2015-04-25 19:32 . 2015-04-25 19:48 136408 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-04-25 19:32 . 2015-04-25 19:32 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2015-04-25 19:32 . 2015-04-25 19:32 -------- d-----w- c:\programdata\Malwarebytes
2015-04-25 19:32 . 2015-04-14 13:38 64216 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-04-25 19:32 . 2015-04-14 13:37 107736 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-04-25 19:32 . 2015-04-14 13:37 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-04-25 19:26 . 2015-04-25 19:26 -------- d-----w- C:\RegBackup
2015-04-25 19:19 . 2015-04-25 19:21 -------- d-----w- C:\AdwCleaner
2015-04-25 18:50 . 2015-04-25 18:50 -------- d-----w- c:\windows\ServiceProfiles\LocalService\winhttp
2015-04-25 14:40 . 2015-04-25 19:15 -------- d-----w- C:\FRST
2015-04-25 00:18 . 2015-04-25 01:17 -------- d-----w- c:\users\Rick\AppData\Local\CrashDumps
2015-04-23 10:12 . 2015-04-25 19:45 -------- d--h--w- c:\users\Rick\AppData\Roaming\FEDDB609
2015-04-23 00:24 . 2015-04-23 00:24 -------- d-----w- c:\users\Rick\AppData\Local\openvr
2015-04-21 22:37 . 2015-04-21 22:37 849968 ----a-w- C:\cc_20150421_183658.reg
2015-04-21 22:22 . 2015-04-21 22:22 -------- d-----w- c:\program files\CCleaner
2015-04-21 19:09 . 2015-04-25 21:23 -------- d-----w- c:\users\Rick\AppData\Local\temp
2015-04-21 18:07 . 2015-04-21 23:17 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-04-21 18:07 . 2015-04-21 18:07 -------- d-----w- c:\programdata\RogueKiller
2015-04-21 12:34 . 2015-04-21 12:34 -------- d-----w- c:\program files (x86)\ESET
2015-04-21 12:34 . 2015-04-21 12:34 -------- d--h--w- c:\windows\AxInstSV
2015-04-21 00:25 . 2015-04-21 00:25 -------- d-----w- c:\users\admin2\AppData\Roaming\vlc
2015-04-18 19:01 . 2015-04-19 06:49 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2015-04-18 19:01 . 2015-04-18 19:01 -------- d-----w- c:\users\Rick\AppData\Local\PunkBuster
2015-04-18 18:50 . 2015-04-19 06:49 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2015-04-18 18:50 . 2015-04-18 20:44 281688 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2015-04-18 18:50 . 2015-04-18 18:50 76888 ----a-w- c:\windows\SysWow64\PnkBstrA.exe
2015-04-18 18:08 . 2015-04-18 18:08 -------- d-----w- c:\program files (x86)\Origin Games
2015-04-18 17:18 . 2015-04-18 18:08 -------- d-----w- c:\users\Rick\AppData\Roaming\Origin
2015-04-18 17:18 . 2015-04-18 18:08 -------- d-----w- c:\users\Rick\AppData\Local\Origin
2015-04-18 17:16 . 2015-04-18 18:16 -------- d-----w- c:\programdata\Origin
2015-04-18 17:16 . 2015-04-18 17:16 -------- d-----w- c:\programdata\Electronic Arts
2015-04-18 17:16 . 2015-04-18 17:18 -------- d-----w- c:\program files (x86)\Origin
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-04-17 23:00 . 2014-11-25 17:00 17536 ----a-w- c:\programdata\Microsoft\windowssampling\Sqm\Manifest\Sqm3.bin
2015-03-09 12:08 . 2015-03-09 12:08 0 ----a-w- c:\windows\SysWow64\RENDF35.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ShareOverlay]
@="{594D4122-1F87-41E2-96C7-825FB4796516}"
[HKEY_CLASSES_ROOT\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}]
2013-04-13 03:28 611840 ----a-w- c:\program files\Classic Shell\ClassicExplorer32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2015-04-13 2889408]
"Spotify Web Helper"="c:\users\Rick\AppData\Roaming\Spotify\SpotifyWebHelper.exe" [2015-04-11 2018360]
"Spotify"="c:\users\Rick\AppData\Roaming\Spotify\Spotify.exe" [2015-04-11 7112248]
"CCleaner Monitoring"="c:\program files\CCleaner\CCleaner64.exe" [2015-03-13 7451928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"ASUS Ai Charger"="c:\program files (x86)\ASUS\ASUS Ai Charger\AiChargerAP.exe" [2012-08-13 547984]
"ASUSPRP"="c:\program files (x86)\ASUS\APRP\APRP.EXE" [2012-10-25 3187360]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-08-15 642216]
"RemoteControl10"="c:\program files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe" [2012-03-29 91432]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"PromptOnSecureDesktop"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableCursorSuppression"= 1 (0x1)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R3 BRDriver64;BRDriver64;c:\programdata\BitRaider\BRDriver64.sys;c:\programdata\BitRaider\BRDriver64.sys [x]
R3 BRSptSvc;BitRaider Mini-Support Service;c:\programdata\BitRaider\BRSptSvc.exe;c:\programdata\BitRaider\BRSptSvc.exe [x]
R3 Desura Install Service;Desura Install Service;c:\program files (x86)\Common Files\Desura\desura_service.exe;c:\program files (x86)\Common Files\Desura\desura_service.exe [x]
R3 EasyAntiCheat;EasyAntiCheat;c:\windows\system32\EasyAntiCheat.exe;c:\windows\SYSNATIVE\EasyAntiCheat.exe [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 Origin Client Service;Origin Client Service;c:\program files (x86)\Origin\OriginClientService.exe;c:\program files (x86)\Origin\OriginClientService.exe [x]
R3 RTL8168;Realtek 8168 NT Driver;c:\windows\system32\DRIVERS\Rt630x64.sys;c:\windows\SYSNATIVE\DRIVERS\Rt630x64.sys [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys;c:\program files (x86)\Razer\Razer Game Booster\Driver\WinRing0x64.sys [x]
R3 WUDFWpdMtp;WUDFWpdMtp;c:\windows\system32\DRIVERS\WUDFRd.sys;c:\windows\SYSNATIVE\DRIVERS\WUDFRd.sys [x]
S0 amd_sata;amd_sata;c:\windows\System32\drivers\amd_sata.sys;c:\windows\SYSNATIVE\drivers\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\System32\drivers\amd_xata.sys;c:\windows\SYSNATIVE\drivers\amd_xata.sys [x]
S1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys;SysWow64\drivers\AsUpIO.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\System32\drivers\dtsoftbus01.sys;c:\windows\SYSNATIVE\drivers\dtsoftbus01.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S2 AMD FUEL Service;AMD FUEL Service;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe;c:\program files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
S2 APXACC;AppEx Networks Accelerator LWF;c:\windows\system32\DRIVERS\appexDrv.sys;c:\windows\SYSNATIVE\DRIVERS\appexDrv.sys [x]
S2 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [x]
S2 asHmComSvc;ASUS HM Com Service;c:\program files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe;c:\program files (x86)\ASUS\AAHM\1.00.20\aaHMSvc.exe [x]
S2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.13\AsSysCtrlService.exe [x]
S2 GfExperienceService;NVIDIA GeForce Experience Service;c:\program files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe;c:\program files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [x]
S2 NAUpdate;Nero Update;c:\program files (x86)\Nero\Update\NASvc.exe;c:\program files (x86)\Nero\Update\NASvc.exe [x]
S2 NvNetworkService;NVIDIA Network Service;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe;c:\program files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [x]
S2 NvStreamSvc;NVIDIA Streamer Service;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe;c:\program files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 AiCharger;AiCharger;SysWow64\drivers\AiCharger.sys;SysWow64\drivers\AiCharger.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW86.sys;c:\windows\SYSNATIVE\drivers\AtihdW86.sys [x]
S3 AU8168;AU 8168 NT Driver;c:\windows\system32\DRIVERS\au630x64.sys;c:\windows\SYSNATIVE\DRIVERS\au630x64.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
S3 NvStreamKms;NvStreamKms;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys;c:\program files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [x]
S3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);c:\windows\system32\drivers\nvvad64v.sys;c:\windows\SYSNATIVE\drivers\nvvad64v.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys;c:\windows\SYSNATIVE\DRIVERS\usbfilter.sys [x]
S3 xusb22;Xbox 360 Wireless Receiver Driver Service 22;c:\windows\System32\drivers\xusb22.sys;c:\windows\SYSNATIVE\drivers\xusb22.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-04-17 22:11 988488 ----a-w- c:\program files (x86)\Google\Chrome\Application\42.0.2311.90\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-04-25 c:\windows\Tasks\G2MUpdateTask-S-1-5-21-2680648856-1668043267-3130069616-1002.job
- c:\users\Rick\AppData\Local\Citrix\GoToMeeting\2553\g2mupdate.exe [2015-04-14 05:18]
.
2015-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-22 18:37]
.
2015-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-04-22 18:37]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ShareOverlay]
@="{594D4122-1F87-41E2-96C7-825FB4796516}"
[HKEY_CLASSES_ROOT\CLSID\{594D4122-1F87-41E2-96C7-825FB4796516}]
2013-04-13 03:28 742400 ----a-w- c:\program files\Classic Shell\ClassicExplorer64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtkNGUI64.exe" [2012-06-12 6548112]
"NvBackend"="c:\program files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe" [2014-12-13 2531472]
"ShadowPlay"="c:\windows\system32\nvspcap64.dll" [2014-12-13 2824504]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: localhost
Trusted Zone: nextdimensioninc.com\itadvantage
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\fmdt13wd.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
@SACL=(02 0000)
.
Completion time: 2015-04-25  17:32:51
ComboFix-quarantined-files.txt  2015-04-25 21:32
ComboFix2.txt  2015-04-21 19:09
ComboFix3.txt  2015-04-21 02:54
ComboFix4.txt  2015-02-21 05:20
.
Pre-Run: 36,930,039,808 bytes free
Post-Run: 36,392,566,784 bytes free
.
- - End Of File - - 8844491236DEA52B6AD7EB3F8C68123E
5FB38429D5D77768867C76DCBDB35194


#10 olgun52

  • Malware Response Team
  • 3,783 posts
  • Gender:Male

Posted 25 April 2015 - 05:18 PM

c:\users\Rick\AppData\Roaming\FEDDB609

Do you recognise this programme?

----------------------------------------------

 

Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.
 
c:\users\Rick\AppData\Roaming\FEDDB609
c:\windows\SysWow64\RENDF35.tmp
 
Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.

---------------------------------------------------------------------------------------------------------

next...

 

Please download RogueKiller (32/64 bit) to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, right-click the program, select Run as Administrator to start, and when prompted, allow it to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)


Best regards
 

 


 


#11 Daru

  • Topic Starter
  • Members
  • 13 posts

Posted 25 April 2015 - 06:22 PM

Well, c:\users\Rick\AppData\Roaming\FEDDB609 was a directory, so I could not scan it.  There were no files in the folder either.  It was marked as hidden.

These were the results from scanning c:\windows\SysWow64\RENDF35.tmp - it has a 0 byte size, so the scan came up clean.  The RogueKiller log is included below.

 

SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

File name: RENDF35.tmp
Detection ratio: 0 / 57
Analysis date: 2015-04-25 22:48:47 UTC
 Empty file! This file is 0 bytes in size, software running in your computer may have blocked the file that you intended to upload or you may have sent an empty file.

 

 

RogueKiller V10.6.0.0 [Apr 17 2015] by Adlice Software
 
Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Normal mode
User : Rick [Administrator]
Started from : C:\Users\Rick\Downloads\RogueKiller.exe
Mode : Scan -- Date : 04/25/2015  19:09:11
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 6 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 1 ¤¤¤
[C:\Windows\System32\Drivers\etc\hosts] 127.0.0.1       localhost
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x20]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DM 003-9YN162 SATA Disk Device +++++
--- User ---
[MBR] c6e3b146168bb1bb2c2ed97069b151c0
[BSP] 74b6b9d0a446a6e4339f3ff04832fe00 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 800 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1640448 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2172928 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2435072 | Size: 153600 MB
4 - Basic data partition | Offset (sectors): 317007872 | Size: 783720 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1922066432 | Size: 15360 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
 
 
============================================
RKreport_SCN_04212015_141923.log - RKreport_DEL_04212015_142220.log - RKreport_SCN_04212015_192422.log - RKreport_SCN_04252015_185546.log
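As an added example (not part of Daru's post, and not code from RogueKiller or VirusTotal), here is a small Python helper that reads the [PUM.*] registry findings in the report above and spells out what each value means, then checks the VirusTotal hash. The meanings of ConsentPromptBehaviorAdmin and of the two desktop-icon CLSIDs are Microsoft's documented ones; the sample lines are copied from the log above and embedded so the script runs offline. The hash check makes the point about the upload explicit: the SHA-256 shown is the digest of empty input, so a 0/57 ratio on it says nothing about what RENDF35.tmp once contained.

```python
import hashlib
import re
from dataclasses import dataclass

# Registry findings copied from the RogueKiller report in this post (a subset,
# embedded here so the example runs offline).
ROGUEKILLER_LINES = r"""
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
"""

# Line layout as it appears in the report: [type] (arch) key | value : data -> status
_FINDING_RE = re.compile(
    r"^\[(?P<type>[^\]]+)\]\s+\((?P<arch>X64|X86)\)\s+"
    r"(?P<key>.+?)\s+\|\s+(?P<value>.+?)\s+:\s+(?P<data>\S+)\s+->\s+(?P<status>\w+)$"
)

# Meaning of ConsentPromptBehaviorAdmin (UAC policy for administrators),
# per Microsoft's documented values.
UAC_ADMIN_BEHAVIOUR = {
    "0": "elevate without prompting (UAC prompts disabled for administrators)",
    "1": "prompt for credentials on the secure desktop",
    "2": "prompt for consent on the secure desktop",
    "3": "prompt for credentials",
    "4": "prompt for consent",
    "5": "prompt for consent for non-Windows binaries (Windows default)",
}

# Well-known desktop-icon CLSIDs; data 1 under HideDesktopIcons hides the icon.
DESKTOP_ICON_CLSIDS = {
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "This PC (Computer)",
    "{59031A47-3F72-44A7-89C5-5595FE6B30EE}": "User's Files",
}


@dataclass
class Finding:
    type: str
    arch: str
    key: str
    value: str
    data: str
    status: str


def parse_roguekiller(text):
    """Return the [PUM.*]-style registry findings in a RogueKiller report."""
    findings = []
    for line in text.strip().splitlines():
        m = _FINDING_RE.match(line.strip())
        if m:
            findings.append(Finding(**m.groupdict()))
    return findings


def explain(f):
    """Plain-language reading of one finding, for a removal write-up."""
    if f.value == "ConsentPromptBehaviorAdmin":
        meaning = UAC_ADMIN_BEHAVIOUR.get(f.data, "undocumented value")
        return f"UAC admin behaviour = {f.data}: {meaning}"
    if "HideDesktopIcons" in f.key:
        icon = DESKTOP_ICON_CLSIDS.get(f.value.upper(), "unknown icon")
        state = "hidden" if f.data == "1" else "shown"
        return f"desktop icon '{icon}' is {state}"
    return f"{f.value} = {f.data}"


def weak_uac_findings(findings):
    """Findings where UAC has been set to elevate administrators silently."""
    return [f for f in findings
            if f.value == "ConsentPromptBehaviorAdmin" and f.data == "0"]


# The SHA-256 in the VirusTotal result above is the well-known digest of empty
# input, so the 0/57 ratio says nothing about what RENDF35.tmp once held.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def is_empty_input_hash(sha256_hex):
    """True when a submitted hash is just the digest of a zero-byte file."""
    return sha256_hex.lower() == EMPTY_SHA256


if __name__ == "__main__":
    for f in parse_roguekiller(ROGUEKILLER_LINES):
        print(f"[{f.type}] ({f.arch}) {explain(f)}")
    print("empty-file digest:", EMPTY_SHA256)
```

The UAC line is the one worth a second look when writing up a case like this: a value of 0 means an administrator account never sees an elevation prompt, which is why RogueKiller files it under PUM (potentially unwanted modification) rather than as malware; whether it was set by the infection or by the user, restoring the default is part of the clean-up. The two HideDesktopIcons entries only hide the This PC and user-files icons, which is cosmetic and easy to reverse from the desktop view settings.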


#12 olgun52

olgun52

  • Malware Response Team
  • 3,783 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:06 AM

Posted 26 April 2015 - 02:46 PM

Hi Daru, thanks.

 

 

Please do the following,

Download zoek.exe to your Desktop:
http://hijackthis.nl/smeenk/

Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications Here
http://www.bleepingc...opic114351.html

On Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator
Give it a few seconds to appear

Next, copy/paste the entire script inside the codebox below to the input field of Zoek:

createsrpoint;
autoclean;
emptyalltemp;
emptyclsid;

emptyfolderscheck;delete
ielook;
firefoxlook;
chromelook;

ipconfig /flushdns;b

Now...
Close any open programs.
Click the Run script button, and wait. It takes a few minutes to run.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

------------------------------------------------------------------------------

Next....

 

Scan with ESET Online Scan

Please go to here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#13 Daru

Daru
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 26 April 2015 - 08:30 PM

 
Zoek.exe v5.0.0.0 Updated 23-04-2015
Tool run by Rick on Sun 04/26/2015 at 17:22:11.51.
Microsoft Windows 8 6.2.9200  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Rick\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
4/26/2015 5:23:10 PM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\AGEIA Technologies deleted successfully
C:\PROGRA~2\Origin Games deleted successfully
C:\PROGRA~3\Windows Genuine Advantage deleted successfully
C:\Users\Rick\AppData\Roaming\FEDDB609 deleted successfully
C:\Users\Rick\AppData\Roaming\System deleted successfully
C:\Users\Rick\AppData\Roaming\uTorrent deleted successfully
C:\Users\admin2\AppData\Local\VirtualStore deleted successfully
C:\Users\Rick\AppData\Local\Avg2013 deleted successfully
C:\Users\Rick\AppData\Local\QuoteWerksIntegrator deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\AGEIA Technologies not found
C:\PROGRA~2\Origin Games not found
C:\Users\Rick\AppData\Roaming\Natural Selection 2 deleted
C:\PROGRA~3\Pure Networks deleted
C:\PROGRA~3\Package Cache deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
C:\Windows\Syswow64\RENDF35.tmp deleted
 
==== Firefox Extensions ======================
 
ProfilePath: C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\fmdt13wd.default
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- Greasemonkey - %ProfilePath%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}.xpi
 
ProfilePath: C:\Users\Rick\AppData\Roaming\Thunderbird\Profiles\kslo1yax.default
- ProfilePassword - %ProfilePath%\extensions\{b9615918-d3de-44a4-ab65-76df7ea1f1c1}.xpi
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
==== Firefox Plugins ======================
 
Profilepath: C:\Users\Rick\AppData\Roaming\Mozilla\Firefox\Profiles\fmdt13wd.default
E3B4EA121F7BDEB0F6366E2BA9608CB5 - C:\Users\Rick\AppData\Local\Citrix\Plugins\104\npappdetector.dll - Citrix Online Web Deployment Plugin 1.0.0.104
ABE2E50533899C45DFA03E1D8767648F - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_13_0_0_182.dll - Shockwave Flash
B33B016B77560C7832BF4D311EA23328 - C:\Users\Rick\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll - Unity Player
61AAAE0550E8A50BAC17AA2928520B36 - C:\Users\Rick\AppData\Local\Mozilla\Plugins\npklcrl-6-3.dll - Live Connect Relay
66E28EAD7E032F269C9AF8CB10AA060C - C:\Users\Rick\AppData\Local\Mozilla\Plugins\npkvpn-6-3.dll - Kaseya VPN
18D5784061653249944BE65A630DDF6D - C:\Users\Rick\AppData\Local\Mozilla\Plugins\npklcdt-6-3.dll - Live Connect Desktop Thumbnail
40E7254D77D2922FFC71F910A097BF0B - C:\Users\Rick\AppData\Local\Mozilla\Plugins\npklcel-6-3.dll - Live Connect Event Logging
69ADA70B9777130888E50A22477908C6 - C:\Users\Rick\AppData\Local\Mozilla\Plugins\npklcfm-6-3.dll - Live Connect File Manager
9D684D5ADCDCBFA6B4AD6991AF767BED - C:\Users\Rick\AppData\Local\Mozilla\Plugins\npklcmp-6-3.dll - Live Connect Message Protocol
ED9EFCF8F35FC5BEDDE766510A4575B4 - C:\Users\Rick\AppData\Local\Mozilla\Plugins\npklcre-6-3.dll - Live Connect Registry Editor
557170D4EBA0FCA72CA789868B0F0B2B - C:\Users\Rick\AppData\Local\Mozilla\Plugins\npklccl-6-3.dll - Live Connect Command Line
5D8996ACE31D96765231CF4AAF4F2939 - C:\Users\Rick\AppData\Local\Mozilla\Plugins\npklctm-6-3.dll - Live Connect Task Manager
DF75A4F441458D74C15EE15DEB701AA4 - C:\Users\Rick\AppData\Local\Mozilla\Plugins\npklcug-6-3.dll - Live Connect Local Users and Groups
 
 
==== Chromium Look ======================
 
Google Chrome Version: 42.0.2311.90 (Latest Stable version: 42.0.2311.90) [z-db]
 
 
Google Slides - admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek
Google Docs - admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake
Google Drive - admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
YouTube - admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
Google Search - admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
Google Sheets - admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap
Bookmark Manager - admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik
Chrome Hotword Shared Module - admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Google Wallet - admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Gmail - admin2\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia
ZenMate - Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdcgdnkidjaadafnichfpabhfomcebme
Bookmark Manager - Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik
Reddit Enhancement Suite - Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb
Chrome Hotword Shared Module - Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Google Wallet - Rick\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE10SR"
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Rick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Rick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Cache found
 
==== Empty Chrome Cache ======================
 
C:\Users\admin2\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\Rick\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=7263 folders=229 457203678 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\admin2\AppData\Local\temp emptied successfully
C:\Users\Administrator\AppData\Local\temp emptied successfully
C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Users\Rick\AppData\Local\temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\Rick\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Sun 04/26/2015 at 17:39:36.66 ======================
 
 
ESET LOG:
 
C:\AdwCleaner\Quarantine\C\ProgramData\apn\APN-Stub\W3IV6-G\APNIC.dll.vir a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\FRST\Quarantine\C\ProgramData\{9CAD18B2-FF9B-4CCA-8EE0-A4CDA3AD5F51}\cmcfg32.dll a variant of Win64/Kryptik.OP trojan
C:\Users\admin2\Downloads\ccsetup504.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
 


#14 olgun52

olgun52

  • Malware Response Team
  • 3,783 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:06 AM

Posted 27 April 2015 - 12:34 PM

Hi Daru,

 

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 11.0.00 (XI) to your PC's desktop.
 

  • Uninstall Adobe Reader X via Start => Control Panel > Uninstall a program
  • Install the new downloaded updated software.

Note that the McAfee Security scan is prechecked. You may wish to uncheck it before downloading.

---------------------------------------

 

Update Adobe Flash Player

Please update your Adobe Flash Player to the latest version

 

Uninstall: Adobe Flash Player 13

  • Download Adobe Flash Player here and save it to your desktop. Uncheck "Yes, install McAfee Security Scan Plus - optional"
  • Close any open browsers
  • Double click on the downloaded installer icon to launch the installation
  • If you are presented with a warning popup select "Run"
  • Once the installation is complete click "Finish"

-------------------------------------

 

Updating Java and Clearing Cache:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to update.

Please go to Start > Control Panel > Programs and Features > uninstall all the Java programs you see, then download the latest Java from the following link and install it:

Java 7 Update 21

Now reboot the system.

  • Download the latest version of Java Runtime Environment (JRE) 8
  • Recommended Version is 8 Update 45
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x64 Offline and save the file.
  • Close any programs you may have running - especially your web browser.

See this page for instructions on how to clear Java's cache.

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)

  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Installed Applications and Applets
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.

Best regards
 

 


 


#15 Daru

Daru
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:02:06 AM

Posted 27 April 2015 - 08:41 PM

Completed upgrades for Adobe Reader, Flash Player & Java successfully





