Hijackthis Log file help, URGENT - Think I have a keylogger installed :(


  • This topic is locked
13 replies to this topic

#1 skeletonbobo


Posted 14 May 2015 - 06:47 PM

Hi guys, 
 
I read the sticky at the top of the page and it said logs should be posted 'in this forum'. I couldn't see a link to any particular thread so I assumed it was talking about this section. 
 
I'm in desperate need of some help as I work from home and have a lot of sensitive info. I've been a little ignorant with security as it's something I treated pretty lightly, looking at it as a 'needle in a haystack' sort of outlook. Hence, I recently opened up an RDP to my computer through my router without a password.
 
I noticed my computer sitting on the welcome screen with my user account 'logged on' a couple of times now, as if someone had RDP'd into my PC. I didn't think too much of it at first, but 2 days ago my PayPal account was skimmed. I saw it again this morning and started joining the dots. I checked the Windows security logs for RDP going all the way back to the start of its service to see if this IP address I was receiving was just an anomaly, as I use RDP for work and in-house a lot. However, this address only started on the 10th of May (not long after I got a new router and opened up unsecured RDP to my PC) and only comes through in the early hours of the morning, for example 3.30AM.
 
I geolocated the IP to France. 
 
Given that my PayPal password isn't saved on my PC I can only assume there is a keylogger on here.
 
I'm currently running virus removal by Trend Micro although I don't expect that to find it.
 
I've run Hijackthis but can't identify if there is one on here.
 
Please note as my computer is a work PC there are a lot of processes running, I use a VOIP soft client and virtual VPN for work etc so these are to be expected when sifting through.
 
Any help would be GREATLY appreciated. 
 
Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 9:20:12 AM, on 15/05/2015
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
 
 
Boot mode: Normal
 
Running processes:
C:\Program Files (x86)\CounterPath\Bria 3\Bria3.exe
C:\Program Files (x86)\Securepoint SSL VPN\Spvpncl.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Users\Johnnus\AppData\Local\Temp\chrome.exe
D:\Games\Origin\Origin.exe
C:\Windows\SysWOW64\svchost.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Johnnus\Desktop\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://au.search.yahoo.com/?type=937811&fr=spigot-yhp-ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.istartsurf.com/web/?type=ds&ts=1409294304&from=smt&uid=KINGMAXXSSDX120GB_20131202200320123565&q={searchTerms}
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.istartsurf.com/web/?type=ds&ts=1409294304&from=smt&uid=KINGMAXXSSDX120GB_20131202200320123565&q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [Bria 3] "C:\Program Files (x86)\CounterPath\Bria 3\Bria3.exe"
O4 - HKCU\..\Run: [SpSSLVPN] C:\Program Files (x86)\Securepoint SSL VPN\Spvpncl.exe -useEnglish -manage
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O20 - AppInit_DLLs:  
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASUS Com Service (asComSvc) - Unknown owner - C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Content Protection HECI Service (cphs) - Intel Corporation - C:\Windows\SysWow64\IntelCpHeciSvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Intel® Capability Licensing Service TCP IP Interface - Intel® Corporation - C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: Origin Client Service - Electronic Arts - D:\Games\Origin\OriginClientService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Securepoint VPN - Unknown owner - C:\Program Files (x86)\Securepoint SSL VPN\SPOpenVPNService.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TeamViewer 10 (TeamViewer) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 9313 bytes

Edited by Queen-Evie, 14 May 2015 - 07:18 PM.
moved from Windows 7 to Malware Removal Logs, which is the only forum MRL logs are allowed in



#2 skeletonbobo

  • Topic Starter

Posted 14 May 2015 - 08:14 PM

Update - I had a hunch and searched my Windows folder for any files that were added or modified on the same date and time as the first attack on the 10th at 12.40AM. It looks like they were on for 25 minutes, logging off at 1.05AM; in that time 4 files were modified or added, with a 5th being added at 3.06 with their next logon.

 

See details.

 

Any advice on how to proceed would be greatly appreciated; do I just delete them? There is a rundll32 that I'd be less than inclined to delete unless I know for sure it's a dummy, but two files (after a Google) are definitely malicious: 'webbrowserpass' and 'mailpv'.

 

See attached screenshot.

 

[Attached screenshot: Capture.jpg]


Edited by skeletonbobo, 14 May 2015 - 08:15 PM.
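The two checks the poster describes above (scanning the Security log for Remote Desktop logons from an unfamiliar address at odd hours, then looking for files created while such a session was open), written up as an added Python example that is not from the thread. The event rows, file paths, addresses and the 00:00-06:00 "off hours" window are all constructed assumptions.

```python
"""Correlate Remote Desktop logon sessions with file-creation times.

Added example, not from the thread. The poster checked the Security log for
RDP logons from an unfamiliar address at odd hours, then looked for files
created while that session was open; this does the same over constructed data.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample of a Security-log export reduced to the fields that matter
# (4624 = logon, 4634 = logoff). 203.0.113.77 stands in for the unknown remote IP.
SECURITY_CSV = """\
time,event_id,logon_type,account,source_ip,logon_id
2015-05-09 14:02:11,4624,10,Johnnus,10.1.1.50,0x1a2b3c
2015-05-09 17:45:03,4634,10,Johnnus,-,0x1a2b3c
2015-05-10 00:40:12,4624,10,Johnnus,203.0.113.77,0x2f4e61
2015-05-10 01:05:48,4634,10,Johnnus,-,0x2f4e61
2015-05-10 03:06:30,4624,10,Johnnus,203.0.113.77,0x3a9c12
2015-05-10 03:20:02,4634,10,Johnnus,-,0x3a9c12
2015-05-11 09:15:00,4624,2,Johnnus,-,0x41f0aa
"""

# Constructed file-creation times (what a "created on" search of C:\Windows
# might return). Placeholder names, not claims about any real file.
FILE_TIMES = [
    ("C:\\Windows\\System32\\EXAMPLE-A.pf", "2015-05-10 00:52:10"),
    ("C:\\Windows\\System32\\EXAMPLE-B.pf", "2015-05-10 03:08:44"),
    ("C:\\Windows\\Temp\\unrelated.log", "2015-05-11 09:16:00"),
]

RDP_LOGON_TYPE = "10"                 # RemoteInteractive = Remote Desktop
OFF_HOURS = (time(0, 0), time(6, 0))  # assumption: nobody works 00:00-06:00


@dataclass
class Session:
    account: str
    source_ip: str
    start: datetime
    end: datetime | None = None       # None if no matching logoff was seen


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def rdp_sessions(csv_text: str) -> list[Session]:
    """Pair each type-10 4624 logon with the 4634 logoff sharing its logon_id."""
    open_by_id: dict[str, Session] = {}
    sessions: list[Session] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = parse_ts(row["time"])
        if row["event_id"] == "4624" and row["logon_type"] == RDP_LOGON_TYPE:
            s = Session(row["account"], row["source_ip"], ts)
            open_by_id[row["logon_id"]] = s
            sessions.append(s)
        elif row["event_id"] == "4634" and row["logon_id"] in open_by_id:
            open_by_id.pop(row["logon_id"]).end = ts
    return sessions


def first_seen(sessions: list[Session]) -> dict[str, datetime]:
    """Earliest RDP logon per source address: when did each IP first appear?"""
    seen: dict[str, datetime] = {}
    for s in sessions:
        seen[s.source_ip] = min(seen.get(s.source_ip, s.start), s.start)
    return seen


def off_hours(s: Session) -> bool:
    return OFF_HOURS[0] <= s.start.time() < OFF_HOURS[1]


def suspicious_ips(sessions: list[Session], known_ips: set[str]) -> list[str]:
    """Addresses not in the known set that logged on during off hours."""
    return sorted({s.source_ip for s in sessions
                   if s.source_ip not in known_ips and off_hours(s)})


def files_during(sessions, file_times):
    """Map (source_ip, logon time) -> files created between logon and logoff."""
    hits = defaultdict(list)
    for path, created in file_times:
        c = parse_ts(created)
        for s in sessions:
            if s.start <= c <= (s.end or datetime.max):
                hits[(s.source_ip, s.start)].append(path)
    return dict(hits)


if __name__ == "__main__":
    sess = rdp_sessions(SECURITY_CSV)
    print("flagged:", suspicious_ips(sess, {"10.1.1.50"}))
    print(files_during(sess, FILE_TIMES))
```

On a real machine the CSV would come from an Event Viewer export of the Security log and the file list from a search sorted by creation time; a logon with no paired logoff is treated as still open.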


#3 skeletonbobo

  • Topic Starter

Posted 15 May 2015 - 12:09 AM

Please help!

 

I've already had 2 paypal payments processed for $320 a piece.

 

There are more files with the '.pf' extension copied into my C:\Windows\System32 folder at each RDP logon date/time. Am I safe to delete all these even though some are labelled run32dll etc?

 

I also found two files 'ad.exe' and 'ad3.exe' which were copied into a random folder at 3AM this morning. I've deleted both but am unsure of their implications.

 

Any direction would be greatly appreciated!



#4 deeprybka

  • Malware Response Team

Posted 15 May 2015 - 04:02 AM

Hi & :welcome: to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems. :warrior:

Before we move on, please read the following points carefully: :exclame:

  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • Do not run any other scans without instruction, or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1

Please run a FRST scan. This will help us diagnose your problem.

Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)

  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#5 skeletonbobo

  • Topic Starter

Posted 15 May 2015 - 04:18 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-05-2015 02
Ran by Johnnus (administrator) on JOHNNUS-PC on 16-05-2015 07:17:11
Running from C:\Users\Johnnus\Desktop
Loaded Profiles: Johnnus (Available profiles: Johnnus)
Platform: Windows 7 Ultimate (X64) OS Language: English (United States)
Internet Explorer Version 9 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(CounterPath) C:\Program Files (x86)\CounterPath\Bria 3\Bria3.exe
(Elaborate Bytes AG) C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
() C:\Users\Johnnus\AppData\Local\Temp\chrome.exe
() C:\Program Files (x86)\Securepoint SSL VPN\SPOpenVPNService.exe
(Securepoint GmbH) C:\Program Files (x86)\Securepoint SSL VPN\Spvpncl.exe
(The OpenVPN Project) C:\Program Files (x86)\Securepoint SSL VPN\bin\openvpn.exe
(Electronic Arts) D:\Games\Origin\Origin.exe
(Intel Corporation) C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
() C:\Windows\System32\PnkBstrA.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [VirtualCloneDrive] => C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe [88984 2013-03-11] (Elaborate Bytes AG)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-3162224221-4102018437-2241672876-1000\...\Run: [Bria 3] => C:\Program Files (x86)\CounterPath\Bria 3\Bria3.exe [8965168 2013-10-03] (CounterPath)
HKU\S-1-5-21-3162224221-4102018437-2241672876-1000\...\Run: [SpSSLVPN] => C:\Program Files (x86)\Securepoint SSL VPN\Spvpncl.exe [1166704 2014-04-11] (Securepoint GmbH)
HKU\S-1-5-21-3162224221-4102018437-2241672876-1000\...\Policies\Explorer: [DisableThumbnailsOnNetworkFolders] 1
HKU\S-1-5-21-3162224221-4102018437-2241672876-1000\...\Policies\Explorer: [NoAutoUpdate] 0
HKU\S-1-5-21-3162224221-4102018437-2241672876-1000\...\MountPoints2: {11564f60-e62e-11e3-995c-806e6f6e6963} - D:\Bin\ASSETUP.exe
HKU\S-1-5-21-3162224221-4102018437-2241672876-1000\...\MountPoints2: {7b283561-e6d2-11e3-a892-40167ea999ab} - H:\setup.exe
BootExecute: autocheck autochk * sdnclean64.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKU\S-1-5-21-3162224221-4102018437-2241672876-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.ninemsn.com.au/?ocid=iehp
HKU\S-1-5-21-3162224221-4102018437-2241672876-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
SearchScopes: HKLM -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKLM-x32 -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3162224221-4102018437-2241672876-1000 -> DefaultScope {A1FA139D-B92E-4A16-9FF7-6D4EC0F2665A} URL = https://au.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
SearchScopes: HKU\S-1-5-21-3162224221-4102018437-2241672876-1000 -> {0191A6B0-1154-4C22-9182-23A95BBE92D9} URL = http://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-3162224221-4102018437-2241672876-1000 -> {A1FA139D-B92E-4A16-9FF7-6D4EC0F2665A} URL = https://au.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-14] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-14] (Microsoft Corporation)
Hosts: 10.1.1.240 NPI82D05B
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe http://www.istartsurf.com/?type=sc&ts=1409294304&from=smt&uid=KINGMAXXSSDX120GB_20131202200320123565
 
FireFox:
========
FF Plugin: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelogx64.dll [2014-12-03] (EA Digital Illusions CE AB)
FF Plugin: @esn/npbattlelog,version=2.7.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.7.0\npbattlelogx64.dll [2015-03-10] (EA Digital Illusions CE AB)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-02-21] ()
FF Plugin-x32: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelog.dll [2014-12-03] (EA Digital Illusions CE AB)
FF Plugin-x32: @esn/npbattlelog,version=2.7.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.7.0\npbattlelog.dll [2015-03-10] (EA Digital Illusions CE AB)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-03-20] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-03-20] (Intel Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-02-06] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-02-06] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-02-05] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-02] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com.au/
CHR StartupUrls: Default -> "https://www.google.com.au/"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Profile: C:\Users\Johnnus\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Johnnus\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-05-30]
CHR Extension: (Google Drive) - C:\Users\Johnnus\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-05-30]
CHR Extension: (YouTube) - C:\Users\Johnnus\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-05-30]
CHR Extension: (Google Search) - C:\Users\Johnnus\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-05-30]
CHR Extension: (Netflix) - C:\Users\Johnnus\AppData\Local\Google\Chrome\User Data\Default\Extensions\deceagebecbceejblnlcjooeohmmeldh [2015-04-10]
CHR Extension: (Hola Better Internet) - C:\Users\Johnnus\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2015-04-17]
CHR Extension: (Bookmark Manager) - C:\Users\Johnnus\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-17]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Johnnus\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Google Wallet) - C:\Users\Johnnus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-05-30]
CHR Extension: (Gmail) - C:\Users\Johnnus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-05-30]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [936728 2014-01-28] ()
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [217088 2007-11-06] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [139264 2007-11-06] (Hewlett-Packard Co.) [File not signed]
R2 IAStorDataMgrSvc; C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [16232 2014-04-11] (Intel Corporation)
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887232 2014-01-31] (Intel® Corporation)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-03-20] (Intel Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2009-05-14] (Hewlett-Packard) [File not signed]
S3 Origin Client Service; D:\Games\Origin\OriginClientService.exe [1931632 2015-04-10] (Electronic Arts)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2009-05-14] (Hewlett-Packard) [File not signed]
R2 PnkBstrA; C:\Windows\system32\PnkBstrA.exe [76152 2015-05-15] ()
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2014-12-28] ()
S3 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
S3 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
R2 Securepoint VPN; C:\Program Files (x86)\Securepoint SSL VPN\SPOpenVPNService.exe [40840 2014-02-14] () [File not signed]
S3 TeamViewer; C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe [5436176 2015-02-17] (TeamViewer GmbH)
S4 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
S4 AllDaySavingsService64; C:\Program Files (x86)\3D8B9817-A88D-45B0-8D50-C95C612CADC3\etmajyzoqm64.exe [X]
S4 hzunyanhtn64; C:\Program Files\005\hzunyanhtn64.exe run options=01100010050000000000000000000000 sourceguid=3D8B9817-A88D-45B0-8D50-C95C612CADC3 [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2014-01-28] ()
S3 AtiHDAudioService; C:\Windows\System32\drivers\AtihdW76.sys [94720 2013-12-20] (Advanced Micro Devices) [File not signed]
R2 Ext2Fsd; C:\Windows\system32\Drivers\Ext2Fsd.sys [771224 2014-08-26] (www.ext2fsd.com)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2015-05-15] ()
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2014-04-11] (Intel Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [118272 2014-03-20] (Intel Corporation)
R1 netfilter64; C:\Windows\System32\drivers\netfilter64.sys [46376 2014-08-01] (NetFilterSDK.com)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-16 07:17 - 2015-05-16 07:17 - 00014348 _____ () C:\Users\Johnnus\Desktop\FRST.txt
2015-05-16 07:16 - 2015-05-16 07:17 - 00000000 ____D () C:\FRST
2015-05-16 07:16 - 2015-05-16 07:16 - 02106368 _____ (Farbar) C:\Users\Johnnus\Desktop\FRST64.exe
2015-05-15 16:13 - 2015-05-15 16:13 - 00023112 _____ () C:\Windows\system32\Drivers\hitmanpro35.sys
2015-05-15 16:13 - 2015-05-15 16:13 - 00000000 ____D () C:\Program Files\Hitman Pro 3.5
2015-05-15 16:12 - 2015-05-15 16:13 - 00000000 ____D () C:\ProgramData\Hitman Pro
2015-05-15 16:10 - 2015-05-15 16:10 - 00003961 _____ () C:\Users\Johnnus\Downloads\[kat.cr]hitman.pro.3.5.9.build.125.x64.incl.crack.torrent
2015-05-15 16:09 - 2015-05-15 16:09 - 00043664 _____ () C:\Windows\system32\Drivers\hitmanpro37.sys
2015-05-15 16:03 - 2015-05-15 16:03 - 00013708 _____ () C:\Users\Johnnus\Downloads\[kat.cr]hitman.pro.3.7.9.build.241.2015.patch.frank.torrent
2015-05-15 16:03 - 2015-05-15 16:03 - 00013708 _____ () C:\Users\Johnnus\Downloads\[kat.cr]hitman.pro.3.7.9.build.241.2015.patch.frank (1).torrent
2015-05-15 15:53 - 2015-05-15 15:54 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-05-15 15:47 - 2015-05-15 15:47 - 00020316 _____ () C:\Users\Johnnus\Downloads\[kat.cr]hitman.pro.3.7.9.cracked.64.bit.danhuk.torrent
2015-05-15 15:17 - 2015-05-15 15:17 - 00001395 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
2015-05-15 15:17 - 2015-05-15 15:17 - 00001383 _____ () C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
2015-05-15 15:17 - 2015-05-15 15:17 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
2015-05-15 15:17 - 2013-09-20 10:49 - 00021040 _____ (Safer Networking Limited) C:\Windows\system32\sdnclean64.exe
2015-05-15 15:13 - 2015-05-15 15:16 - 46525608 _____ (Safer-Networking Ltd. ) C:\Users\Johnnus\Desktop\spybot-2-4.exe
2015-05-15 13:31 - 2015-05-15 13:31 - 00000000 ____D () C:\Users\Johnnus\AppData\Roaming\PC Whiz
2015-05-15 13:31 - 2015-05-15 13:31 - 00000000 ____D () C:\Users\Johnnus\AppData\Roaming\DriverCure
2015-05-15 13:31 - 2015-05-15 13:31 - 00000000 ____D () C:\ProgramData\PC Whiz
2015-05-15 13:29 - 2015-05-15 13:29 - 00060968 _____ () C:\Windows\SysWOW64\CCCInstall_201505151329155417.log
2015-05-15 09:48 - 2015-05-15 09:48 - 00000000 ____D () C:\Users\Johnnus\Desktop\backups
2015-05-15 09:20 - 2015-05-15 16:22 - 00008577 _____ () C:\Users\Johnnus\Desktop\hijackthis.log
2015-05-15 09:20 - 2015-05-15 09:20 - 00388608 _____ (Trend Micro Inc.) C:\Users\Johnnus\Desktop\HijackThis.exe
2015-05-15 09:09 - 2015-05-15 09:09 - 01118208 _____ () C:\Users\Johnnus\Desktop\RDP Log.evtx
2015-05-15 09:09 - 2015-05-15 09:09 - 00000000 ____D () C:\Users\Johnnus\Desktop\LocaleMetaData
2015-05-15 09:05 - 2015-05-15 09:05 - 02406064 _____ (Trend Micro Inc.) C:\Users\Johnnus\Desktop\HousecallLauncher64.exe
2015-05-10 00:41 - 2015-05-10 00:41 - 00000000 ____D () C:\Windows\System32\Tasks\Update
2015-05-01 09:28 - 2015-05-01 09:28 - 00062027 _____ () C:\Users\Johnnus\Downloads\[kickass.to]the.100.the.complete.season.2.hdtv.torrent
2015-04-17 17:58 - 2015-04-17 17:58 - 01639464 _____ () C:\Users\Johnnus\Documents\battlelog-web-plugins_2.7.0_160.exe
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-05-16 07:05 - 2014-05-29 11:27 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-05-15 16:38 - 2009-07-14 15:13 - 00787118 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-05-15 16:34 - 2014-12-29 08:53 - 00076152 _____ () C:\Windows\system32\PnkBstrA.exe
2015-05-15 16:34 - 2014-12-28 14:49 - 00226680 _____ () C:\Windows\SysWOW64\PnkBstrB.exe
2015-05-15 16:32 - 2014-05-28 19:13 - 00006464 _____ () C:\Windows\SysWOW64\Gms.log
2015-05-15 16:31 - 2014-12-28 13:43 - 00000000 ____D () C:\ProgramData\Origin
2015-05-15 16:30 - 2014-05-29 12:38 - 00000000 ____D () C:\Users\Johnnus\AppData\Roaming\Securepoint SSL VPN
2015-05-15 16:29 - 2014-05-29 11:27 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-05-15 16:28 - 2015-01-14 18:04 - 00000000 ____D () C:\ProgramData\NVIDIA
2015-05-15 16:28 - 2014-05-29 11:42 - 00033118 _____ () C:\Windows\PFRO.log
2015-05-15 16:28 - 2009-07-14 15:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-05-15 16:28 - 2009-07-14 14:51 - 00063279 _____ () C:\Windows\setupact.log
2015-05-15 16:23 - 2012-05-30 21:31 - 00000000 ____D () C:\Users\Johnnus\AppData\Roaming\uTorrent
2015-05-15 16:16 - 2015-01-21 12:25 - 00000000 ____D () C:\Users\Johnnus\AppData\Local\Ubisoft Game Launcher
2015-05-15 16:16 - 2015-01-21 12:25 - 00000000 ____D () C:\Program Files (x86)\Ubisoft
2015-05-15 15:59 - 2014-05-29 14:08 - 00000612 __RSH () C:\ProgramData\ntuser.pol
2015-05-15 15:25 - 2014-08-15 09:41 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-05-15 15:17 - 2014-08-15 09:41 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-05-15 14:09 - 2009-07-14 15:32 - 00000000 ____D () C:\Windows\system32\FxsTmp
2015-05-15 13:29 - 2014-05-29 11:40 - 00000000 ____D () C:\ProgramData\AMD
2015-05-15 12:29 - 2014-12-02 13:10 - 00001293 _____ () C:\Users\Johnnus\AppData\Local\census.cache
2015-05-15 12:29 - 2014-12-02 13:10 - 00000000 _____ () C:\Users\Johnnus\AppData\Local\ars.cache
2015-05-15 08:49 - 2005-04-08 12:16 - 00000000 ___HD () C:\Users\Johnnus\AppData\Roaming\EE3D6833
2015-05-15 08:41 - 2014-05-29 11:27 - 00000000 ____D () C:\Users\Johnnus\AppData\Local\Google
2015-05-14 16:26 - 2014-12-28 14:49 - 00226680 _____ () C:\Windows\SysWOW64\PnkBstrB.ex0
2015-05-14 16:22 - 2015-03-19 10:24 - 00000000 ____D () C:\Program Files (x86)\TeamViewer
2015-05-13 19:19 - 2014-05-29 12:32 - 00002146 ____H () C:\Users\Johnnus\Documents\Default.rdp
2015-05-13 14:24 - 2014-05-29 15:35 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-05-06 13:26 - 2014-05-28 16:21 - 00186210 _____ () C:\Windows\WindowsUpdate.log
2015-04-23 22:07 - 2009-07-14 14:45 - 00009776 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-04-23 22:07 - 2009-07-14 14:45 - 00009776 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-04-17 17:58 - 2014-12-28 14:49 - 00000000 ____D () C:\Program Files (x86)\Battlelog Web Plugins
2015-04-17 11:10 - 2014-10-19 20:30 - 00000000 ____D () C:\Users\Johnnus\Desktop\Lacey
 
==================== Files in the root of some directories =======
 
2014-05-29 14:28 - 2014-05-29 14:29 - 6103040 _____ () C:\Program Files (x86)\GUT89A9.tmp
2013-10-18 23:07 - 2013-11-08 16:23 - 0270336 _____ () C:\Users\Johnnus\AppData\Roaming\chrtmp
2015-02-18 12:42 - 2015-02-18 12:42 - 0038421 _____ () C:\Users\Johnnus\AppData\Roaming\Comma Separated Values (DOS).ADR
2014-12-02 13:10 - 2015-05-15 12:29 - 0000000 _____ () C:\Users\Johnnus\AppData\Local\ars.cache
2014-12-02 13:10 - 2015-05-15 12:29 - 0001293 _____ () C:\Users\Johnnus\AppData\Local\census.cache
2014-03-31 14:42 - 2014-11-09 10:16 - 0005120 _____ () C:\Users\Johnnus\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-09-16 18:22 - 2013-09-16 18:22 - 0000036 _____ () C:\Users\Johnnus\AppData\Local\housecall.guid.cache
2013-06-24 18:21 - 2013-06-24 18:21 - 0007637 _____ () C:\Users\Johnnus\AppData\Local\Resmon.ResmonCfg
2014-05-28 19:09 - 2014-05-28 19:09 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-05-29 16:07 - 2014-05-29 16:09 - 0000850 _____ () C:\ProgramData\hpzinstall.log
 
Some content of TEMP:
====================
C:\Users\Johnnus\AppData\Local\Temp\chrome.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-05-14 17:43
 
==================== End Of Log ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14-05-2015 02
Ran by Johnnus at 2015-05-16 07:17:24
Running from C:\Users\Johnnus\Desktop
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-3162224221-4102018437-2241672876-500 - Administrator - Disabled)
Guest (S-1-5-21-3162224221-4102018437-2241672876-501 - Limited - Disabled)
Johnnus (S-1-5-21-3162224221-4102018437-2241672876-1000 - Administrator - Enabled) => C:\Users\Johnnus
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
µTorrent (HKU\S-1-5-21-3162224221-4102018437-2241672876-1000\...\uTorrent) (Version: 3.4.3.40298 - BitTorrent Inc.)
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}) (Version:  - Microsoft)
2007 Microsoft Office Suite Service Pack 2 (SP2) (x32 Version:  - Microsoft) Hidden
64 Bit HP CIO Components Installer (Version: 4.2.1 - Hewlett-Packard) Hidden
Adobe Reader XI (11.0.11) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.11 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{6119B3A6-3603-9695-0398-CDF2AF0A13F8}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM-x32\...\{21ECABC3-40B2-42DF-8E21-ACF3A4D0D95A}) (Version: 3.0.5 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{6AF2AC2A-3532-43FD-9F4D-BDC9C0D724C7}) (Version: 7.1.2.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Application Verifier (x64) (HKLM\...\{89026002-A893-42D9-9E20-6829B844735E}) (Version: 4.1.1078 - Microsoft Corporation)
Battlefield 1942 (HKLM-x32\...\{698D7E61-E4BF-4CA6-8A09-CF6BDBFDEF65}) (Version:  - )
Battlefield 4™ (HKLM-x32\...\{ABADE36E-EC37-413B-8179-B432AD3FACE7}) (Version: 1.4.2.25648 - Electronic Arts)
Battlelog Web Plugins (HKLM-x32\...\Battlelog Web Plugins) (Version: 2.7.0 - EA Digital Illusions CE AB)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bria 3 (HKLM-x32\...\{F73EB1F8-AD7B-475F-B1E4-09CDE8B93DCC}) (Version: 35.7.1238 - CounterPath Corporation)
BufferChm (x32 Version: 100.0.170.000 - Hewlett-Packard) Hidden
Company of Heroes (HKLM-x32\...\Steam App 4560) (Version:  - Relic Entertainment)
Company of Heroes (New Steam Version) (HKLM-x32\...\Steam App 228200) (Version:  - Relic)
Company of Heroes: Opposing Fronts (HKLM-x32\...\Steam App 9340) (Version:  - Relic Entertainment)
Company of Heroes: Tales of Valor (HKLM-x32\...\Steam App 20540) (Version:  - Relic Entertainment)
Debugging Tools for Windows (x64) (HKLM\...\{DBFC6AAE-DCCB-4C23-B01C-3EDDDC03298B}) (Version: 6.12.2.633 - Microsoft Corporation)
DesertCombat  0.7 (HKLM-x32\...\DesertCombat) (Version:  - )
DeviceDiscovery (x32 Version: 100.0.190.000 - Hewlett-Packard) Hidden
DeviceManagementQFolder (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
Dying Light (HKLM-x32\...\RHlpbmdMaWdodA==_is1) (Version: 1 - )
Ext2Fsd 0.53 (HKLM\...\Ext2Fsd_is1) (Version: 0.53 - Matt Wu)
Fraps (HKLM-x32\...\Fraps) (Version:  - )
Google Apps Migration For Microsoft Outlook® 3.4.27.52 (HKLM-x32\...\{65960C6E-BFA2-4FE7-A1BC-8028F3072566}) (Version: 3.4.27.52 - Google, Inc.)
Google Apps Sync™ for Microsoft Outlook® 3.7.395.1040 (HKLM-x32\...\{6394F7C6-207E-466B-AFE3-672C81269D97}) (Version: 3.7.395.1040 - Google, Inc.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 42.0.2311.152 - Google Inc.)
Google Update Helper (x32 Version: 1.3.26.9 - Google Inc.) Hidden
HP Color LaserJet CM1312 MFP Series 5.1 (HKLM\...\{8EEDB90E-6ABC-42bb-AD4C-39DEE05E3EEA}) (Version: 5.1 - HP)
HP Imaging Device Functions 10.0 (HKLM\...\HP Imaging Device Functions) (Version: 10.0 - HP)
hppCLJCM1312 (x32 Version: 005.001.00142 - Hewlett-Packard) Hidden
hppFaxDrvCM1312 (x32 Version: 005.000.00001 - Hewlett-Packard) Hidden
hppFaxUtilityCM1312 (x32 Version: 005.001.00137 - Hewlett-Packard) Hidden
hppFonts (x32 Version: 001.001.00061 - Hewlett-Packard) Hidden
hppManualsCM1312 (x32 Version: 005.001.00145 - Hewlett-Packard) Hidden
hppQFolderCM1312 (x32 Version: 1.00.0000 - Hewlett-Packard) Hidden
hppScanToCM1312 (x32 Version: 005.001.00140 - Hewlett-Packard) Hidden
hppSendFaxCM1312 (x32 Version: 005.000.00001 - Hewlett-Packard) Hidden
Intel® Chipset Device Software (x32 Version: 10.0.14 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.0.1204 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3412 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 13.0.3.1001 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 3.0.0.16 - Intel Corporation)
iTunes (HKLM\...\{33E28B58-7BA0-47B7-AA01-9225ABA2B8A9}) (Version: 11.3.0.54 - Apple Inc.)
Kutools for Excel 7.5.5.0 (HKLM-x32\...\{A095BA43-4A97-4D55-8E25-A0BC46F10765}_is1) (Version:  - Detong)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6425.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319 (HKLM-x32\...\{196BB40D-1578-3D01-B289-BEFC77A11A1E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Windows Performance Toolkit (HKLM\...\{E7F9E526-2324-437B-A609-E8C5309465CB}) (Version: 4.8.0 - Microsoft Corporation)
Microsoft Windows SDK for Windows 7 (7.1) (HKLM\...\SDKSetup_7.1.7600.0.30514) (Version: 7.1.7600.0.30514 - Microsoft Corporation)
Modern Combat (HKLM-x32\...\Modern Combat 1.016) (Version: 1.016 - BSS Modern Combat Dev Team)
Modern Combat (x32 Version: 1.016 - BSS Modern Combat Dev Team) Hidden
NVIDIA 3D Vision Controller Driver 347.09 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 347.09 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 347.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 347.52 - NVIDIA Corporation)
NVIDIA Graphics Driver 347.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 347.52 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.33.0 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.33.0 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.14.0702 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.14.0702 - NVIDIA Corporation)
Origin (HKLM-x32\...\Origin) (Version: 9.3.6.4639 - Electronic Arts, Inc.)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.993 - Even Balance, Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.77.1126.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7213 - Realtek Semiconductor Corp.)
Securepoint SSL VPN (HKLM-x32\...\{93DC57F9-12DA-4C24-A8FC-E063FEAD9B8D}) (Version: 1.0.3 - Securepoint GmbH)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.4.40 - Safer-Networking Ltd.)
Steam (HKLM-x32\...\Steam) (Version:  - Valve Corporation)
TeamViewer 10 (HKLM-x32\...\TeamViewer) (Version: 10.0.39052 - TeamViewer)
TrayApp (x32 Version: 100.0.170.000 - Hewlett-Packard) Hidden
VirtualCloneDrive (HKLM-x32\...\VirtualCloneDrive) (Version: 5.4.7.0 - Elaborate Bytes)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
WebReg (x32 Version: 100.0.170.000 - Hewlett-Packard) Hidden
Winamp (HKLM-x32\...\Winamp) (Version: 5.666  - Nullsoft, Inc)
WinRAR 5.10 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.10.0 - win.rar GmbH)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
15-05-2015 22:43:13 Scheduled Checkpoint
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 12:34 - 2014-05-29 16:08 - 00000846 ____A C:\Windows\system32\Drivers\etc\hosts
10.1.1.240 NPI82D05B
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {1EBECDF9-14B0-4D91-B7F1-37CE8DCBEBDC} - System32\Tasks\ASUS\i-Setup180513 => C:\Windows\Install\AsusSetup.exe [2014-05-28] (ASUSTeK Computer Inc.)
Task: {32A1BCE9-DD14-4309-AF4C-F74CC79638B6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-05-29] (Google Inc.)
Task: {8E53FCF0-A38E-4E6A-8709-D0DB47C492E0} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2014-05-29] (Google Inc.)
Task: {AE3B3084-BC53-444E-81BE-AFF4D1AE4068} - System32\Tasks\Update\Google Update => Chrome.exe 
Task: {AFA6C515-1461-473B-AD8F-7A61EF20AE2F} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {F478BDA6-B694-4FA3-872A-2BA1483ABC53} - System32\Tasks\ASUS\i-Setup184408 => C:\Windows\MEI-Win7-8-8-1_VER10001204\AsusSetup.exe [2014-05-28] (ASUSTeK Computer Inc.)
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-01-14 18:04 - 2015-02-06 05:07 - 00117576 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2015-05-10 00:41 - 2015-05-11 09:58 - 00188232 _____ () C:\Users\Johnnus\AppData\Local\Temp\chrome.exe
2014-02-14 14:18 - 2014-02-14 14:18 - 00040840 _____ () C:\Program Files (x86)\Securepoint SSL VPN\SPOpenVPNService.exe
2014-04-09 13:24 - 2014-04-09 13:24 - 00199336 _____ () C:\Program Files (x86)\Securepoint SSL VPN\bin\liblzo2-2.dll
2014-04-09 13:24 - 2014-04-09 13:24 - 00122504 _____ () C:\Program Files (x86)\Securepoint SSL VPN\bin\libpkcs11-helper-1.dll
2014-12-29 08:53 - 2015-05-15 16:34 - 00076152 _____ () C:\Windows\system32\PnkBstrA.exe
2013-10-03 15:17 - 2013-10-03 15:17 - 44566064 _____ () C:\Program Files (x86)\CounterPath\Bria 3\CPCLR.dll
2012-11-20 16:11 - 2012-11-20 16:11 - 00047616 _____ () C:\Program Files (x86)\CounterPath\Bria 3\boost_signals-vc100-mt-1_51.dll
2012-11-20 16:10 - 2012-11-20 16:10 - 00015360 _____ () C:\Program Files (x86)\CounterPath\Bria 3\boost_system-vc100-mt-1_51.dll
2010-10-29 14:00 - 2010-10-29 14:00 - 01992192 _____ () C:\Program Files (x86)\CounterPath\Bria 3\YLUSBTEL.dll
2012-11-20 16:11 - 2012-11-20 16:11 - 00066560 _____ () C:\Program Files (x86)\CounterPath\Bria 3\boost_thread-vc100-mt-1_51.dll
2012-11-20 16:11 - 2012-11-20 16:11 - 00023040 _____ () C:\Program Files (x86)\CounterPath\Bria 3\boost_chrono-vc100-mt-1_51.dll
2012-11-20 16:11 - 2012-11-20 16:11 - 00627200 _____ () C:\Program Files (x86)\CounterPath\Bria 3\boost_regex-vc100-mt-1_51.dll
2012-11-20 16:10 - 2012-11-20 16:10 - 00100352 _____ () C:\Program Files (x86)\CounterPath\Bria 3\boost_filesystem-vc100-mt-1_51.dll
2012-11-20 16:11 - 2012-11-20 16:11 - 00040448 _____ () C:\Program Files (x86)\CounterPath\Bria 3\boost_date_time-vc100-mt-1_51.dll
2014-01-31 17:12 - 2014-01-31 17:12 - 00078848 _____ () C:\Program Files (x86)\Securepoint SSL VPN\quazip.dll
2013-05-13 15:42 - 2013-05-13 15:42 - 00107520 _____ () C:\Program Files (x86)\Securepoint SSL VPN\zlib1.dll
2014-02-04 09:23 - 2014-02-04 09:23 - 00311296 _____ () C:\Program Files (x86)\Securepoint SSL VPN\qca2.dll
2014-12-28 13:46 - 2015-04-10 20:40 - 01007104 _____ () D:\Games\Origin\platforms\qwindows.dll
2014-12-28 13:46 - 2015-04-10 20:40 - 00023552 _____ () D:\Games\Origin\imageformats\qgif.dll
2014-12-28 13:46 - 2015-04-10 20:40 - 00024576 _____ () D:\Games\Origin\imageformats\qico.dll
2014-12-28 13:46 - 2015-04-10 20:40 - 00216576 _____ () D:\Games\Origin\imageformats\qjpeg.dll
2014-12-28 13:46 - 2015-04-10 20:40 - 00261120 _____ () D:\Games\Origin\imageformats\qmng.dll
2014-12-28 13:46 - 2015-04-10 20:40 - 00019456 _____ () D:\Games\Origin\imageformats\qtga.dll
2014-12-28 13:46 - 2015-04-10 20:40 - 00337408 _____ () D:\Games\Origin\imageformats\qtiff.dll
2014-12-28 13:46 - 2015-04-10 20:40 - 00018944 _____ () D:\Games\Origin\imageformats\qwbmp.dll
2014-12-28 13:46 - 2015-04-10 20:40 - 00228352 _____ () D:\Games\Origin\mediaservice\wmfengine.dll
2014-03-20 11:43 - 2014-03-20 11:43 - 01241560 _____ () C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\ACE.dll
2015-05-15 03:05 - 2015-05-05 14:06 - 01252680 _____ () C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.152\libglesv2.dll
2015-05-15 03:05 - 2015-05-05 14:06 - 00080712 _____ () C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.152\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\ProgramData\TEMP:F8AF2BB9
 
==================== Safe Mode (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, the associated entry will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-3162224221-4102018437-2241672876-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Johnnus\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 111.118.175.56 - 118.127.33.48
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk => C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: HotKeysCmds => "C:\Windows\system32\hkcmd.exe"
MSCONFIG\startupreg: HP Color LaserJet CM1312 MFP Series Fax => C:\Program Files (x86)\HP\HP Color LaserJet CM1312 MFP Series\hppfaxprintersrv.exe "HP Color LaserJet CM1312 MFP Series Fax"
MSCONFIG\startupreg: IAStorIcon => "C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe" "C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" 60
MSCONFIG\startupreg: IgfxTray => "C:\Windows\system32\igfxtray.exe"
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: Persistence => "C:\Windows\system32\igfxpers.exe"
MSCONFIG\startupreg: RTHDVCPL => "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
MSCONFIG\startupreg: SDTray => "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
MSCONFIG\startupreg: Search Protection => "C:\Users\Johnnus\AppData\Roaming\Search Protection\SP.EXE" /autostart
MSCONFIG\startupreg: StartCCC => "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
MSCONFIG\startupreg: USB3MON => "C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
MSCONFIG\startupreg: uTorrent => "C:\Users\Johnnus\AppData\Roaming\uTorrent\uTorrent.exe"  /MINIMIZED
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
FirewallRules: [TCP Query User{8F353601-ABBB-49C5-B2FA-24D6429C5663}C:\program files (x86)\counterpath\bria 3\bria3.exe] => (Allow) C:\program files (x86)\counterpath\bria 3\bria3.exe
FirewallRules: [UDP Query User{15CD2C70-7F45-40DB-91EA-FE0AFDD4CE1E}C:\program files (x86)\counterpath\bria 3\bria3.exe] => (Allow) C:\program files (x86)\counterpath\bria 3\bria3.exe
FirewallRules: [{05CF0498-74CC-490A-9C68-99A61DBC6AA6}] => (Allow) C:\Users\Johnnus\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{BD5A177E-4230-4431-A66D-0E19CF07554C}] => (Allow) C:\Users\Johnnus\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [TCP Query User{C46EC7A4-B073-412E-AA62-37FBF64134CF}C:\program files (x86)\counterpath\bria 3\bria3.exe] => (Allow) C:\program files (x86)\counterpath\bria 3\bria3.exe
FirewallRules: [UDP Query User{BAFE8096-C15C-4B3D-835F-B6425CBCD551}C:\program files (x86)\counterpath\bria 3\bria3.exe] => (Allow) C:\program files (x86)\counterpath\bria 3\bria3.exe
FirewallRules: [TCP Query User{272C7CC5-E342-48E6-8F7C-A4705A0B9D85}D:\games\company of heroes\reliccoh.exe] => (Allow) D:\games\company of heroes\reliccoh.exe
FirewallRules: [UDP Query User{68E1EEDC-670F-4C5C-BBCF-38F6B84A88B7}D:\games\company of heroes\reliccoh.exe] => (Allow) D:\games\company of heroes\reliccoh.exe
FirewallRules: [TCP Query User{3CBF9726-93D3-4435-A4D7-7E73FD0A8CB7}D:\games\warcraft iii\war3.exe] => (Allow) D:\games\warcraft iii\war3.exe
FirewallRules: [UDP Query User{2C7384A8-6E5B-4EDE-A779-A9F36A04ADFA}D:\games\warcraft iii\war3.exe] => (Allow) D:\games\warcraft iii\war3.exe
FirewallRules: [{C5F6D3D2-B21E-47FD-9A9B-8210E9EC200F}] => (Allow) D:\games\warcraft iii\war3.exe
FirewallRules: [{8DA2FAFB-03CC-45B4-946E-A23B328C5908}] => (Allow) D:\games\warcraft iii\war3.exe
FirewallRules: [{EBA53A80-4E76-4943-A7AD-BD8960D97E1D}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{1A1BAB1A-B172-45AE-96C9-81B0A5FEAC13}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{8DE836DE-D672-4D29-AA61-4119C6C9CE76}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{D559CDF6-20F2-46F0-856D-53D5BCA6CC82}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{73335402-6603-4414-B616-10E69D971236}] => (Allow) C:\Program Files (x86)\iTunes\iTunes.exe
FirewallRules: [TCP Query User{AEE39D14-672A-43FE-9BD5-D415D9106974}D:\games\battlefield 1942\bf1942.exe] => (Allow) D:\games\battlefield 1942\bf1942.exe
FirewallRules: [UDP Query User{156E803C-A675-4110-82B5-C8AD21A7F648}D:\games\battlefield 1942\bf1942.exe] => (Allow) D:\games\battlefield 1942\bf1942.exe
FirewallRules: [{45C5477C-C3B0-4AF0-A05E-D7F648F3D985}] => (Allow) D:\games\battlefield 1942\bf1942.exe
FirewallRules: [{8A1C4F8C-87A6-4286-89F8-820671C3DD02}] => (Allow) D:\games\battlefield 1942\bf1942.exe
FirewallRules: [{83A8837C-CA44-4A32-993D-7078EE25CBC1}] => (Allow) D:\games\battlefield 4\bf4.exe
FirewallRules: [{428E7C16-4878-4362-AEA6-703E0D95A49F}] => (Allow) D:\games\battlefield 4\bf4.exe
FirewallRules: [TCP Query User{708F477B-421D-4E82-A2EE-554F288FAB56}D:\games\ut2004\system\ut2004.exe] => (Allow) D:\games\ut2004\system\ut2004.exe
FirewallRules: [UDP Query User{850593AA-9D85-4726-90AF-C487F7C07112}D:\games\ut2004\system\ut2004.exe] => (Allow) D:\games\ut2004\system\ut2004.exe
FirewallRules: [TCP Query User{AE1228FE-7DED-4F7F-8335-DE2A1CBD80FE}D:\games\company of heroes\bugreport\bugreport.exe] => (Block) D:\games\company of heroes\bugreport\bugreport.exe
FirewallRules: [UDP Query User{363C02B1-1424-49EC-88B4-62240B0A58B8}D:\games\company of heroes\bugreport\bugreport.exe] => (Block) D:\games\company of heroes\bugreport\bugreport.exe
FirewallRules: [TCP Query User{68526001-B1A3-4723-8569-5186E9E8BF3B}D:\games\bf1942\bf1942.exe] => (Allow) D:\games\bf1942\bf1942.exe
FirewallRules: [UDP Query User{BCB6A543-30A1-4E4D-8D5C-B61DDA1E85BE}D:\games\bf1942\bf1942.exe] => (Allow) D:\games\bf1942\bf1942.exe
FirewallRules: [{8B425EDE-95E9-4324-AEF5-30D782CC2A99}] => (Allow) D:\Games\COH\RelicCOH.exe
FirewallRules: [{F1F63656-1AC4-436B-B189-B356788435A3}] => (Allow) D:\Games\COH\RelicCOH.exe
FirewallRules: [{03C2401C-8580-420F-9F1E-10E28CE14D71}] => (Allow) D:\Games\Steam\Steam.exe
FirewallRules: [{865097D8-84EF-4C18-9CF5-A6D0DEBAD1C9}] => (Allow) D:\Games\Steam\Steam.exe
FirewallRules: [{05EDEDD6-60FB-41FB-A9C4-326145333D61}] => (Allow) D:\Games\Steam\bin\steamwebhelper.exe
FirewallRules: [{D22CB37F-1181-4306-A7EC-922C04832343}] => (Allow) D:\Games\Steam\bin\steamwebhelper.exe
FirewallRules: [{25ABAD94-6EE7-4B8D-86BE-52482AC3498A}] => (Allow) D:\Games\Steam\SteamApps\common\Company of Heroes\RelicCOH.exe
FirewallRules: [{713A477B-E3D5-4723-B446-13C93AC90162}] => (Allow) D:\Games\Steam\SteamApps\common\Company of Heroes\RelicCOH.exe
FirewallRules: [{4D5A07D5-16B7-443C-BCB5-E0EF6F7972D8}] => (Allow) D:\Games\Steam\SteamApps\common\Company of Heroes Relaunch\RelicCOH.exe
FirewallRules: [{D996B968-D94C-4306-BB46-E89361FF85E8}] => (Allow) D:\Games\Steam\SteamApps\common\Company of Heroes Relaunch\RelicCOH.exe
FirewallRules: [TCP Query User{9084A220-1CAD-4A2C-B6CA-B92E4BF776E7}D:\games\steam\steamapps\common\company of heroes\relicdownloader\relicdownloader.exe] => (Allow) D:\games\steam\steamapps\common\company of heroes\relicdownloader\relicdownloader.exe
FirewallRules: [UDP Query User{FDB822CE-5160-468E-8CC3-569A54BFE1B5}D:\games\steam\steamapps\common\company of heroes\relicdownloader\relicdownloader.exe] => (Allow) D:\games\steam\steamapps\common\company of heroes\relicdownloader\relicdownloader.exe
FirewallRules: [{B83288A0-ECCA-4646-9E0E-122805E13918}] => (Block) D:\games\steam\steamapps\common\company of heroes\relicdownloader\relicdownloader.exe
FirewallRules: [{D13F7164-5935-463C-A890-4A1B5C989AD9}] => (Block) D:\games\steam\steamapps\common\company of heroes\relicdownloader\relicdownloader.exe
FirewallRules: [{0B126730-F5DC-4EC9-9DEB-36141E9B7899}] => (Allow) C:\Program Files (x86)\Winamp\winamp.exe
FirewallRules: [{0734B1C2-8364-4825-B321-90595AA4FBCD}] => (Allow) C:\Program Files (x86)\Winamp\winamp.exe
FirewallRules: [TCP Query User{931D0B92-B113-43CE-8AFC-9FC27C367DEC}\\10.1.1.100\volume_4\cod5\codwaw\codwaw.exe] => (Allow) \\10.1.1.100\volume_4\cod5\codwaw\codwaw.exe
FirewallRules: [UDP Query User{435A1E31-BB37-48AA-9BBA-0B35F4D8E346}\\10.1.1.100\volume_4\cod5\codwaw\codwaw.exe] => (Allow) \\10.1.1.100\volume_4\cod5\codwaw\codwaw.exe
FirewallRules: [TCP Query User{9D0DF274-AD39-4910-A2B6-FFABADEF4D65}D:\games\cod5\codwaw\codwaw_lanfixed.exe] => (Allow) D:\games\cod5\codwaw\codwaw_lanfixed.exe
FirewallRules: [UDP Query User{860F6A66-339D-4108-921D-A597B3AA7371}D:\games\cod5\codwaw\codwaw_lanfixed.exe] => (Allow) D:\games\cod5\codwaw\codwaw_lanfixed.exe
FirewallRules: [TCP Query User{C8EC01EE-D682-4981-A754-484A14042F7C}D:\games\cod5\codwaw\codwaw.exe] => (Allow) D:\games\cod5\codwaw\codwaw.exe
FirewallRules: [UDP Query User{459C6611-3D48-4BF3-9A49-DA81EE634FE4}D:\games\cod5\codwaw\codwaw.exe] => (Allow) D:\games\cod5\codwaw\codwaw.exe
FirewallRules: [{FE97FA22-8490-4FB7-9B04-915EAEE16EA4}] => (Allow) D:\games\cod5\codwaw\codwaw.exe
FirewallRules: [{222A279A-0F3B-480D-8B04-D06DBA873E52}] => (Allow) D:\games\cod5\codwaw\codwaw.exe
FirewallRules: [TCP Query User{4BE1CD74-4496-4C5A-ABE3-86811F080386}C:\users\johnnus\desktop\wormsarm\wormsarm\wa.exe] => (Allow) C:\users\johnnus\desktop\wormsarm\wormsarm\wa.exe
FirewallRules: [UDP Query User{F404C2EF-EF63-401D-8445-63D8033AC5BD}C:\users\johnnus\desktop\wormsarm\wormsarm\wa.exe] => (Allow) C:\users\johnnus\desktop\wormsarm\wormsarm\wa.exe
FirewallRules: [{C12177C3-9E0B-4506-8ABE-764DA7ECEAD2}] => (Allow) C:\users\johnnus\desktop\wormsarm\wormsarm\wa.exe
FirewallRules: [{8C51E912-1BDB-4179-9F9C-86B8C19BADF7}] => (Allow) C:\users\johnnus\desktop\wormsarm\wormsarm\wa.exe
FirewallRules: [{955C9897-75A7-459D-B8E8-31E381835B7C}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{91DC408C-7B6C-4159-B3CD-FED071C39C71}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{F7589CD4-D34A-4990-A287-FA6B0AB8BBC9}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{CD76EEED-95CC-48D6-9D05-0C5C7FB6FA97}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{E928B510-5BE4-4B40-B144-F133055DB7EF}] => (Allow) D:\Games\Battlefield 4\bf4_x86.exe
FirewallRules: [{7EB6312A-DF6D-4CDE-A218-D9DD22E420DD}] => (Allow) D:\Games\Battlefield 4\bf4_x86.exe
FirewallRules: [{8783ADFF-BFF7-4105-8735-1E06ED4ACEBF}] => (Allow) D:\Games\Battlefield 4\bf4.exe
FirewallRules: [{0D3E051E-BFD5-4EB2-B32B-416881D91645}] => (Allow) D:\Games\Battlefield 4\bf4.exe
FirewallRules: [TCP Query User{BFF52337-0FB1-4605-B4F3-66657A58D541}C:\users\johnnus\appdata\local\temp\rar$exa0.628\easy_search(4.8.0.0)_08192009.exe] => (Allow) C:\users\johnnus\appdata\local\temp\rar$exa0.628\easy_search(4.8.0.0)_08192009.exe
FirewallRules: [UDP Query User{C35994CB-834E-49C7-8B32-CD442BAAA6F2}C:\users\johnnus\appdata\local\temp\rar$exa0.628\easy_search(4.8.0.0)_08192009.exe] => (Allow) C:\users\johnnus\appdata\local\temp\rar$exa0.628\easy_search(4.8.0.0)_08192009.exe
FirewallRules: [{D01FBB4F-2EF4-4D25-9A96-EA6F91717F78}] => (Allow) D:\Games\Farcry4\Far Cry 4\bin\FarCry4.exe
FirewallRules: [{64A976C5-C11C-412F-BDF0-44517B973BE2}] => (Allow) D:\Games\Farcry4\Far Cry 4\bin\FarCry4.exe
FirewallRules: [{E66C9CFE-C641-4DB4-9CB2-818797BFB3DC}] => (Allow) D:\Games\Farcry4\Far Cry 4\bin\FarCry4.exe
FirewallRules: [{0B5D3908-68DC-4C0B-9F00-A0AC1AD02136}] => (Allow) D:\Games\Farcry4\Far Cry 4\bin\FarCry4.exe
FirewallRules: [{04300151-AE7B-4144-AF4D-3ED0448BCAC8}] => (Allow) D:\Games\Farcry4\Far Cry 4\bin\IGE_WPF64.exe
FirewallRules: [{D1AB1A1F-3E84-471D-A45E-67D375EFDFD3}] => (Allow) D:\Games\Farcry4\Far Cry 4\bin\IGE_WPF64.exe
FirewallRules: [{607EE19C-150E-45FA-BC18-D03E70C312F7}] => (Allow) D:\Games\Farcry4\Far Cry 4\bin\IGE_WPF64.exe
FirewallRules: [{7FEB63F9-66E5-4AC7-868C-436DB21DA2A0}] => (Allow) D:\Games\Farcry4\Far Cry 4\bin\IGE_WPF64.exe
FirewallRules: [{B9C4FE92-BB19-4392-ABB8-55F46E5BD19A}] => (Allow) D:\Games\Origin\Origin.exe
FirewallRules: [{1FFE0EA9-A29C-42C1-A70E-BD90A0225EBC}] => (Allow) D:\Games\Origin\Origin.exe
FirewallRules: [{3D9C44DE-E517-46AC-8116-6367FCDF2F02}] => (Allow) D:\Games\Origin\Origin.exe
FirewallRules: [{FD0F9D2A-E5A1-4615-8C19-432A3C7F967A}] => (Allow) D:\Games\Origin\Origin.exe
FirewallRules: [{C5D434F3-9D0F-4EF5-9D8C-8F33703D700E}] => (Allow) D:\Games\Battlefield 4\bf4_x86.exe
FirewallRules: [{E1239B90-0771-4E7C-880E-691C9E89050E}] => (Allow) D:\Games\Battlefield 4\bf4_x86.exe
FirewallRules: [{CBB9BB71-7727-4279-857C-774F460474BC}] => (Allow) D:\Games\Battlefield 4\bf4.exe
FirewallRules: [{66001E27-8481-442D-83AC-E1F9079B635F}] => (Allow) D:\Games\Battlefield 4\bf4.exe
FirewallRules: [{301B37D8-62DF-48FC-9E4F-9EFC4830D7DC}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{457040B0-5F06-4ACE-B2F1-9885B8F20F78}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer.exe
FirewallRules: [{29EE0CFC-799F-42CF-9922-6F7B7FBEDB13}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [{DB9749C5-E145-4771-8195-BF7C7D540497}] => (Allow) C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FirewallRules: [TCP Query User{A522D16D-852D-48F8-9403-8E056F1AD4F5}D:\games\dying light\dyinglightgame.exe] => (Allow) D:\games\dying light\dyinglightgame.exe
FirewallRules: [UDP Query User{12681373-6971-46CD-8985-34373BEAA5C1}D:\games\dying light\dyinglightgame.exe] => (Allow) D:\games\dying light\dyinglightgame.exe
FirewallRules: [TCP Query User{4CB34528-6A6F-4535-8E09-776ACD2F8B9F}C:\users\johnnus\downloads\easy_search(4.8.0.0)_08192009.exe] => (Allow) C:\users\johnnus\downloads\easy_search(4.8.0.0)_08192009.exe
FirewallRules: [UDP Query User{53E07FA0-91D9-4513-A480-26E276C1765A}C:\users\johnnus\downloads\easy_search(4.8.0.0)_08192009.exe] => (Allow) C:\users\johnnus\downloads\easy_search(4.8.0.0)_08192009.exe
FirewallRules: [{1A0FD5AA-8E59-4258-BC14-80A9BE69E9C9}] => (Block) C:\users\johnnus\downloads\easy_search(4.8.0.0)_08192009.exe
FirewallRules: [{BEAAAF05-DFE8-416A-83C5-DCB9CD9B148E}] => (Block) C:\users\johnnus\downloads\easy_search(4.8.0.0)_08192009.exe
FirewallRules: [TCP Query User{93B2315E-2354-4B82-A1DC-0380C190748E}C:\coh\reliccoh.exe] => (Allow) C:\coh\reliccoh.exe
FirewallRules: [UDP Query User{CE0763CF-4F96-4786-90D6-5491DD64369C}C:\coh\reliccoh.exe] => (Allow) C:\coh\reliccoh.exe
FirewallRules: [TCP Query User{C7FA02C4-DF9C-433B-9BFD-58FE9FDE9881}C:\coh\reliccohnormal.exe] => (Allow) C:\coh\reliccohnormal.exe
FirewallRules: [UDP Query User{FE8B6361-3938-4D9F-95C0-3BCF51365C91}C:\coh\reliccohnormal.exe] => (Allow) C:\coh\reliccohnormal.exe
FirewallRules: [{764D1E6E-4A94-426F-B60F-2611B7D7BEFF}] => (Allow) C:\Users\Johnnus\AppData\Local\Temp\4540206_zxzxz.exe
FirewallRules: [{96B902F5-E0B5-4281-B18C-DCADF74E471B}] => (Allow) C:\Users\Johnnus\AppData\Local\Temp\4540206_zxzxz.exe
FirewallRules: [{2554ACE7-03BF-497C-8B01-9BEA836F62E9}] => (Allow) C:\Users\Johnnus\AppData\Local\Temp\4540206_zxzxz.exe
FirewallRules: [{5DFAB8EA-8D23-45E5-8881-7F34C4F262CB}] => (Allow) C:\Users\Johnnus\AppData\Local\Temp\4540206_zxzxz.exe
FirewallRules: [{9103499C-1C34-4AF2-A4C5-EB8EB05A7B0F}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{59C3FD03-7B5D-48AB-86B2-6357C1BA199B}] => (Allow) C:\Users\Johnnus\AppData\Local\Temp\chrome.exe
FirewallRules: [{900096E3-018C-4C0C-8A3E-07B9E88A5492}] => (Allow) C:\Users\Johnnus\AppData\Local\Temp\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe] => Enabled:Spybot-S&D 2 Scanner Service
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe] => Enabled:Spybot-S&D 2 Updater
StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe] => Enabled:Spybot-S&D 2 Background update service
 
==================== Faulty Device Manager Devices =============
 
Name: DNS-343
Description: DNS-343
Class Guid: 
Manufacturer: 
Service: 
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.
 
Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/16/2015 07:12:30 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest2" on line C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6.manifest.
 
Error: (05/16/2015 07:12:29 AM) (Source: SideBySide) (EventID: 80) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest2" on line C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc.manifest.
Component 2: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_fa645303170382f6.manifest.
 
Error: (05/16/2015 00:30:12 AM) (Source: SideBySide) (EventID: 81) (User: )
 
Error: (05/16/2015 00:30:12 AM) (Source: SideBySide) (EventID: 81) (User: )
 
Error: (05/15/2015 04:34:27 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (05/15/2015 04:32:18 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (05/15/2015 04:32:18 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (05/15/2015 04:32:18 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (05/15/2015 04:32:18 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
Error: (05/15/2015 04:32:18 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 4107) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
.
 
 
System errors:
=============
Error: (05/15/2015 04:30:17 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.
 
Error: (05/15/2015 04:12:23 PM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
 
Error: (05/15/2015 04:00:22 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.
 
Error: (05/15/2015 06:29:03 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (05/15/2015 01:36:40 AM) (Source: UmrdpService) (EventID: 1111) (User: )
Description: Driver Send To Microsoft OneNote 2010 Driver required for printer Send To OneNote 2010 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (05/14/2015 04:24:01 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.
 
Error: (05/14/2015 04:22:39 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 4:20:54 PM on ‎14/‎05/‎2015 was unexpected.
 
Error: (05/14/2015 08:35:19 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The HP CUE DeviceDiscovery Service service hung on starting.
 
Error: (05/14/2015 08:33:57 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 8:32:49 AM on ‎14/‎05/‎2015 was unexpected.
 
Error: (05/14/2015 07:30:39 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the UmRdpService service.
 
 
Microsoft Office Sessions:
=========================
Error: (04/30/2015 10:52:38 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 625 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (04/28/2015 10:26:20 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 625 seconds with 60 seconds of active time.  This session ended with a crash.
 
Error: (04/22/2015 10:51:53 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1994 seconds with 360 seconds of active time.  This session ended with a crash.
 
Error: (04/07/2015 02:08:39 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 10217 seconds with 60 seconds of active time.  This session ended with a crash.
 
Error: (04/07/2015 11:28:54 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 634 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (09/02/2014 03:22:30 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 38 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (08/01/2014 00:17:08 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 7 seconds with 0 seconds of active time.  This session ended with a crash.
 
Error: (08/01/2014 00:16:57 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 70 seconds with 60 seconds of active time.  This session ended with a crash.
 
Error: (07/31/2014 03:04:16 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6425.1000, Microsoft Office Version: 12.0.6425.1000. This session lasted 54 seconds with 0 seconds of active time.  This session ended with a crash.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i7-4790 CPU @ 3.60GHz
Percentage of memory in use: 31%
Total physical RAM: 8135.18 MB
Available physical RAM: 5557.54 MB
Total Pagefile: 10181.33 MB
Available Pagefile: 7303.44 MB
Total Virtual: 8192 MB
Available Virtual: 8191.79 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:111.69 GB) (Free:5.93 GB) NTFS
Drive d: () (Fixed) (Total:111.79 GB) (Free:20.25 GB) NTFS
Drive q: () (Fixed) (Total:3725.9 GB) (Free:265.31 GB) NTFS
Drive w: () (Network) (Total:465.76 GB) (Free:377.54 GB) 
Drive x: () (Network) (Total:1832.3 GB) (Free:441.54 GB) 
Drive y: () (Network) (Total:1373.85 GB) (Free:1373.1 GB) 
Drive z: () (Network) (Total:915.38 GB) (Free:915.31 GB) 
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: A10C2613)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111.7 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 111.8 GB) (Disk ID: 26BC2F70)
Partition 1: (Not Active) - (Size=111.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 3726 GB) (Disk ID: 00000000)
 
Partition: GPT Partition Type.
 
==================== End Of Log ============================


#6 skeletonbobo (Topic Starter, Members, 8 posts)

Posted 15 May 2015 - 06:10 PM

Update -

I downloaded a system process viewer that would reveal hidden processes from the default Windows Task Manager.

It uncovered a 'chrome.exe' process running that wasn't using much memory and had a different icon to Chrome; this was a keylogger.

It was located in C:\Users\User\AppData\Local accompanied by a .tmp file which, upon opening in Notepad, revealed things typed into Chrome.

I've deleted the .exe and moved the .tmp file / renamed it just to ascertain the extent of the damage.

I'm still very concerned there is more on here than meets the eye but have once again changed all my passwords. I'd love to reformat and start fresh but I simply have too much work-related data on here, making it very hard to set back up.

So far I have done the following:

  • Disabled RDP from public sources
  • Added a password to my Windows user account
  • Blocked the attacker's IP in my router for all incoming and outgoing packets on all ports
  • Deleted the .pf files I found added at the same time as the RDP sessions in my Windows folder (I did leave run32dll and system-sounding ones in case they would cause a crash)
  • Deleted 'ad.exe' & 'ad3.exe', which I found when searching for '.exe' in my work folder and sorting the files by Date modified to see their time stamps
  • Ran Spybot Search and Destroy
  • Ran HijackThis (posted above)
  • Ran a process viewer and found the keylogger, deleted the .exe and moved the .tmp file associated with it

Am I out of the woods? Can I be relatively confident anything from this point forward is safe?
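The check that surfaced the fake chrome.exe (a well-known name running from a Temp folder) can be made repeatable against the FRST log posted above: every "FirewallRules:" line is parsed, and an Allow rule for a binary under a user-writable path, or a known executable name outside its install directory, is flagged for review. This is an added example, not part of the thread or of FRST; the sample lines are copied from the log above, and the user-writable path fragments and the expected-directory table are assumptions.

```python
import re
from pathlib import PureWindowsPath

# One "FirewallRules:" line as FRST prints it: [rule name] => (Action) path
FIREWALL_RE = re.compile(
    r"^FirewallRules: \[(?P<name>[^\]]+)\] => \((?P<action>Allow|Block)\) (?P<path>.+)$"
)

# Path fragments a standard user (or malware running as that user) can write to
# without administrator rights; matched case-insensitively. Assumed list.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")

# Well-known executable names and the directory fragment their genuine copy lives
# in. A same-named binary anywhere else is a masquerading candidate. Assumed table.
EXPECTED_HOME = {"chrome.exe": "\\google\\chrome\\application\\"}

# Sample lines copied from the FRST log posted in this thread (not a complete log).
SAMPLE_LOG = [
    r"FirewallRules: [{0734B1C2-8364-4825-B321-90595AA4FBCD}] => (Allow) C:\Program Files (x86)\Winamp\winamp.exe",
    r"FirewallRules: [{9103499C-1C34-4AF2-A4C5-EB8EB05A7B0F}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"FirewallRules: [{59C3FD03-7B5D-48AB-86B2-6357C1BA199B}] => (Allow) C:\Users\Johnnus\AppData\Local\Temp\chrome.exe",
    r"FirewallRules: [{764D1E6E-4A94-426F-B60F-2611B7D7BEFF}] => (Allow) C:\Users\Johnnus\AppData\Local\Temp\4540206_zxzxz.exe",
    r"FirewallRules: [{1A0FD5AA-8E59-4258-BC14-80A9BE69E9C9}] => (Block) C:\users\johnnus\downloads\easy_search(4.8.0.0)_08192009.exe",
    r"StandardProfile\AuthorizedApplications: [C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe] => Enabled:Spybot - Search & Destroy tray access",
]


def parse_rule(line):
    """Return {'name', 'action', 'path'} for a FirewallRules line, or None for any other line."""
    match = FIREWALL_RE.match(line.strip())
    return match.groupdict() if match else None


def classify(rule):
    """Reasons this rule deserves a closer look; an empty list means nothing stood out."""
    path_lower = rule["path"].lower()
    exe = PureWindowsPath(rule["path"]).name.lower()
    reasons = []
    # An Allow rule lets the program talk to the network; one for a binary sitting in
    # Temp or Roaming means something that was merely dropped there asked for access.
    if rule["action"] == "Allow" and any(frag in path_lower for frag in USER_WRITABLE):
        reasons.append("allow rule for a binary in a user-writable location")
    # Same file name as a known application, but not inside its install directory.
    expected = EXPECTED_HOME.get(exe)
    if expected is not None and expected not in path_lower:
        reasons.append(f"{exe} is not under its expected install directory")
    return reasons


def triage(lines):
    """Walk FRST output and return (path, reasons) for every rule that needs review."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if rule is None:
            continue  # not a FirewallRules line (e.g. StandardProfile entries)
        reasons = classify(rule)
        if reasons:
            findings.append((rule["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run against a full FRST Addition.txt, the same two Temp binaries the poster found by hand are the only Allow rules this flags; genuine Chrome under Program Files passes.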



#7 deeprybka (Malware Response Team, 5,198 posts, Germany)

Posted 16 May 2015 - 04:50 AM

So far I have done the following:

Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.

:)
 
Step 1

Please download Combofix (by sUBs) and save it to your Desktop.

  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start Combofix.exe and follow its instructions.
  • Do not use the computer while the scan is running. This may cause the program to stall.
  • When finished, a log file will be displayed (that can also be found at C:\Combofix.txt).
    Please copy and paste the contents of this file into your next post.

Note: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." after the scan, just restart the computer.
(You can find more detailed instructions in this guide on using Combofix.)

regards,
deeprybka

"Injure no one; on the contrary, help everyone as much as you can." Arthur Schopenhauer

#8 skeletonbobo (Topic Starter, Members, 8 posts)

Posted 16 May 2015 - 06:26 PM

ComboFix 15-05-13.01 - Johnnus 17/05/2015   9:21.1.8 - x64
Microsoft Windows 7 Ultimate   6.1.7600.0.1252.61.1033.18.8135.6283 [GMT 10:00]
Running from: c:\users\Johnnus\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.pol
c:\users\Johnnus\AppData\Roaming\chrtmp
c:\windows\Install
c:\windows\Install\AsusSetup.exe
c:\windows\Install\AsusSetup.exe.manifest
c:\windows\Install\AsusSetup.ini
c:\windows\Install\Driver\AsusSetup.exe
c:\windows\Install\Driver\AsusSetup.exe.manifest
c:\windows\Install\Driver\AsusSetup.ini
c:\windows\Install\Driver\AsusSetup32.ini
c:\windows\Install\Driver\AsusSetup64.ini
c:\windows\Install\Driver\English.ini
c:\windows\Install\Driver\French.ini
c:\windows\Install\Driver\German.ini
c:\windows\Install\Driver\Japanese.ini
c:\windows\Install\Driver\Korean.ini
c:\windows\Install\Driver\mup.xml
c:\windows\Install\Driver\Russian.ini
c:\windows\Install\Driver\SChinese.ini
c:\windows\Install\Driver\SetupRST.exe
c:\windows\Install\Driver\Spanish.ini
c:\windows\Install\Driver\TChinese.ini
c:\windows\Install\netfx\AsusSetup.exe
c:\windows\Install\netfx\AsusSetup.exe.manifest
c:\windows\Install\netfx\AsusSetup.ini
c:\windows\Install\netfx\dotnetfx45\AsusSetup.exe
c:\windows\Install\netfx\dotnetfx45\AsusSetup.exe.manifest
c:\windows\Install\netfx\dotnetfx45\AsusSetup.ini
c:\windows\Install\netfx\dotnetfx45\Installer.bat
c:\windows\Install\netfx\dotnetfx45\NDP451-KB2858728-x86-x64-AllOS-ENU.exe
c:\windows\iun6002.exe
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((   Files Created from 2015-04-16 to 2015-05-16  )))))))))))))))))))))))))))))))
.
.
2015-05-16 23:23 . 2015-05-16 23:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-05-16 00:31 . 2015-05-16 00:31 22704 ----a-w- c:\windows\system32\drivers\EsgScanner.sys
2015-05-16 00:30 . 2015-05-16 00:30 -------- d-----w- c:\program files\Enigma Software Group
2015-05-15 23:35 . 2015-05-16 23:14 136408 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-05-15 23:35 . 2015-05-15 23:35 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2015-05-15 23:35 . 2015-05-15 23:35 -------- d-----w- c:\programdata\Malwarebytes
2015-05-15 23:35 . 2015-04-13 23:37 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2015-05-15 23:35 . 2015-04-13 23:37 107736 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2015-05-15 23:35 . 2015-04-13 23:37 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2015-05-15 21:52 . 2015-05-15 21:58 -------- d-----w- c:\users\Johnnus\AppData\Roaming\Process Hacker 2
2015-05-15 21:50 . 2015-05-15 21:50 -------- d-----w- c:\program files\Process Hacker 2
2015-05-15 21:16 . 2015-05-15 21:17 -------- d-----w- C:\FRST
2015-05-15 06:13 . 2015-05-15 06:13 23112 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2015-05-15 06:13 . 2015-05-15 06:13 -------- d-----w- c:\program files\Hitman Pro 3.5
2015-05-15 06:12 . 2015-05-15 06:13 -------- d-----w- c:\programdata\Hitman Pro
2015-05-15 06:09 . 2015-05-15 06:09 43664 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2015-05-15 05:53 . 2015-05-15 05:54 -------- d-----w- c:\programdata\HitmanPro
2015-05-15 05:17 . 2013-09-20 00:49 21040 ----a-w- c:\windows\system32\sdnclean64.exe
2015-05-15 03:31 . 2015-05-15 03:31 -------- d-----w- c:\users\Johnnus\AppData\Roaming\PC Whiz
2015-05-15 03:31 . 2015-05-15 03:31 -------- d-----w- c:\users\Johnnus\AppData\Roaming\DriverCure
2015-05-15 03:31 . 2015-05-15 03:31 -------- d-----w- c:\programdata\PC Whiz
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-05-15 06:34 . 2014-12-28 22:53 76152 ----a-w- c:\windows\system32\PnkBstrA.exe
2015-05-15 06:34 . 2014-12-28 04:49 226680 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2015-05-14 06:26 . 2014-12-28 04:49 226680 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2014-05-29 04:29 . 2014-05-29 04:28 6103040 ----a-w- c:\program files (x86)\GUT89A9.tmp
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2009-07-14 . 72D7B3EA16946E8F0CF7458150031CC6 . 1008640 . . [6.1.7600.16385] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_292d5de8870d85d9\user32.dll
[-] 2014-05-28 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7600.16385] .. c:\windows\system32\user32.dll
.
[-] 2014-05-28 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7600.16385] .. c:\windows\SysWOW64\user32.dll
[7] 2009-07-14 . E8B0FFC209E504CB7E79FC24E6C085F0 . 833024 . . [6.1.7600.16385] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_3382083abb6e47d4\user32.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bria 3"="c:\program files (x86)\CounterPath\Bria 3\Bria3.exe" [2013-10-03 8965168]
"SpSSLVPN"="c:\program files (x86)\Securepoint SSL VPN\Spvpncl.exe" [2014-04-11 1166704]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VirtualCloneDrive"="c:\program files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2013-03-10 88984]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisableThumbnailsOnNetworkFolders"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0\0sdnclean64.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"fst_au_184"=
"SDTray"="c:\program files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 MBAMScheduler;MBAMScheduler;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [x]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe;c:\program files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [x]
R2 Securepoint VPN;Securepoint VPN;c:\program files (x86)\Securepoint SSL VPN\SPOpenVPNService.exe;c:\program files (x86)\Securepoint SSL VPN\SPOpenVPNService.exe [x]
R3 asComSvc;ASUS Com Service;c:\program files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe;c:\program files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [x]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys;c:\windows\SYSNATIVE\drivers\AtihdW76.sys [x]
R3 EsgScanner;EsgScanner;c:\windows\system32\DRIVERS\EsgScanner.sys;c:\windows\SYSNATIVE\DRIVERS\EsgScanner.sys [x]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys;c:\windows\SYSNATIVE\drivers\hitmanpro37.sys [x]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 Intel® Capability Licensing Service TCP IP Interface;Intel® Capability Licensing Service TCP IP Interface;c:\program files\Intel\iCLS Client\SocketHeciServer.exe;c:\program files\Intel\iCLS Client\SocketHeciServer.exe [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys;c:\windows\SYSNATIVE\drivers\mbam.sys [x]
R3 MBAMWebAccessControl;MBAMWebAccessControl;c:\windows\system32\drivers\mwac.sys;c:\windows\SYSNATIVE\drivers\mwac.sys [x]
R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl64.sys;c:\windows\SYSNATIVE\DRIVERS\netaapl64.sys [x]
R3 Origin Client Service;Origin Client Service;d:\games\Origin\OriginClientService.exe;d:\games\Origin\OriginClientService.exe [x]
R3 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [x]
R3 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe;c:\program files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
S0 iaStorA;iaStorA;c:\windows\system32\DRIVERS\iaStorA.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorA.sys [x]
S0 iaStorF;iaStorF;c:\windows\system32\DRIVERS\iaStorF.sys;c:\windows\SYSNATIVE\DRIVERS\iaStorF.sys [x]
S0 iusb3hcs;Intel® USB 3.0 Host Controller Switch Driver;c:\windows\system32\DRIVERS\iusb3hcs.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hcs.sys [x]
S2 Ext2Fsd;Ext2 File System;c:\windows\system32\Drivers\Ext2Fsd.sys;c:\windows\SYSNATIVE\Drivers\Ext2Fsd.sys [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 jhi_service;Intel® Dynamic Application Loader Host Interface Service;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 iusb3hub;Intel® USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\iusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3hub.sys [x]
S3 iusb3xhc;Intel® USB 3.0 eXtensible Host Controller Driver;c:\windows\system32\DRIVERS\iusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\iusb3xhc.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-05-14 17:05 988488 ----a-w- c:\program files (x86)\Google\Chrome\Application\42.0.2311.152\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2015-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-29 01:27]
.
2015-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2014-05-29 01:27]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mDefault_Page_URL = about:blank
mStart Page = about:blank
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 111.118.175.56 118.127.33.48
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SDWinLogon - SDWinLogon.dll
AddRemove-DesertCombat - c:\windows\iun6002.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2015-05-17  09:24:07
ComboFix-quarantined-files.txt  2015-05-16 23:24
.
Pre-Run: 6,293,807,104 bytes free
Post-Run: 6,252,720,128 bytes free
.
- - End Of File - - 0AD457490ACDD66BBE171EFDA6A07D09
A36C5E4F47E84449FF07ED3517B43A31


#9 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany
  • Local time:09:01 PM

Posted 17 May 2015 - 04:13 AM

Step 1


Scan with Malwarebytes Anti-Malware.
  • Please open Malwarebytes Anti-Malware and update the database.
  • Click "Settings" [1] and go to "Detection and Protection" [2].
  • Make sure "Scan for Rootkits" is checked.
  • Click on Dashboard [3], then click on Scan Now [4] to start the scan.
    Note: If Malware or Potentially Unwanted Programs [PUPs] are found, you will receive a prompt.
  • Click on "Remove Selected" [5].
  • Then click "Save Results" [6] and select an option to save the log.
  • Return to our forum. Paste your log into your next reply and then click Finish [7].

Step 2

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the scan settings.
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed, the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed, click on Finish.
  • A log file is created.
    Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!
regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#10 skeletonbobo

skeletonbobo
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:01 AM

Posted 17 May 2015 - 05:44 PM

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=bc17ba73a08b3f4bbd9617f9fd29bdc1
# engine=23885
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-05-17 02:12:16
# local_time=2015-05-18 12:12:16 (+1000, E. Australia Standard Time)
# country="Australia"
# lang=1033
# osver=6.1.7600 NT 
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 30300990 183501786 0 0
# scanned=270273
# found=28
# cleaned=0
# scan_time=10617
sh=A9AF20BAB92EC036274CEF500920B1EBC229F283 ft=1 fh=9f3e55497974f842 vn="Win32/HackTool.Crack.BM potentially unsafe application" ac=I fn="C:\Program Files (x86)\Maxis\SimCity 4 Deluxe\SC4.exe"
sh=A9AF20BAB92EC036274CEF500920B1EBC229F283 ft=1 fh=9f3e55497974f842 vn="Win32/HackTool.Crack.BM potentially unsafe application" ac=I fn="C:\Program Files (x86)\Maxis\SimCity 4 Deluxe\Apps\SC4.exe"
sh=57A65F5D756CE76FC986C6BEEC724C452A20591D ft=1 fh=852d26691be1c620 vn="Win32/Toolbar.Widgi potentially unwanted application" ac=I fn="C:\Users\Johnnus\Downloads\YTDSetup.exe"
sh=8F33D55E30E24B7A3C3A4F00F07B838FC3BF9A55 ft=1 fh=cba55959175d96fa vn="Win32/SoftonicDownloader.E potentially unwanted application" ac=I fn="D:\Work\Backup\Utilities\SoftonicDownloader_for_google-talk.exe"
sh=8F33D55E30E24B7A3C3A4F00F07B838FC3BF9A55 ft=1 fh=cba55959175d96fa vn="Win32/SoftonicDownloader.E potentially unwanted application" ac=I fn="D:\Work\Utilities\SoftonicDownloader_for_google-talk.exe"
sh=1BCAF9E01143085BCFF129878A1F51E66C9AE5E0 ft=0 fh=0000000000000000 vn="Win32/HackTool.Crack.BM potentially unsafe application" ac=I fn="Q:\Images\SC4 Deluxe.rar"
sh=0A5C8944A2B7A2211FAA186241C5F4D91AAB4835 ft=0 fh=0000000000000000 vn="a variant of Win32/Injector.BLY trojan" ac=I fn="Q:\Images\Battlefield Bad Company 2\Battlefield.Bad.Company.2-RELOADED.MOUSE-FIX\Battlefield.Bad.Company.2-RELOADED.MOUSE-FIX.rar"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="a variant of Win32/Injector.CRM trojan" ac=I fn="Q:\Images\Call of Duty World at War\rld-cod5.iso"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="a variant of Win32/Keygen.GU potentially unsafe application" ac=I fn="Q:\Images\Crysis\rzr-crys.iso"
sh=B98969BB0B7B9C5103BFD883E0ACD98AD3F33381 ft=0 fh=0000000000000000 vn="Win32/Adware.Virtumonde application" ac=I fn="Q:\Images\European Air War\European Air War.iso"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="a variant of Win32/Keygen.GU potentially unsafe application" ac=I fn="Q:\Images\Fifa 10\rzr-fa10.iso"
sh=022D688C7B260274F7754FAE3CBAB91098E87A5E ft=0 fh=0000000000000000 vn="a variant of MSIL/Restamdos.AK trojan" ac=I fn="Q:\Images\FIFA 12\FIFA12.ISO"
sh=366D6D703A5EC2ACA939B3A5D53A7A903CD65F5F ft=1 fh=8b22938d5c54e39e vn="a variant of Win32/Keygen.IH potentially unsafe application" ac=I fn="Q:\Images\Macromedia Studio V8\CD1\keygen.exe"
sh=A9AF20BAB92EC036274CEF500920B1EBC229F283 ft=1 fh=9f3e55497974f842 vn="Win32/HackTool.Crack.BM potentially unsafe application" ac=I fn="Q:\Images\SC4 Upload\Crack\SC4.exe"
sh=384011B23E0E60B76E71201F3C3F1A0E5568D73E ft=1 fh=2466bd48134ff59c vn="a variant of MSIL/HackTool.WinActivator.A potentially unsafe application" ac=I fn="Q:\Images\Windows\windows 7 ultimate x64 ISO\7Loader v1.5\7Loader v1.5.exe"
sh=676C01818190BA49BE414CD5784921BFA163640F ft=1 fh=a573ab0ec8720cfe vn="Win32/HackTool.WpaKill.D potentially unsafe application" ac=I fn="Q:\Images\Windows\Windows Server\Windows Home Server 2008\CRaCK\Antiwpa-V3.4.6 for X64 and X86\AMD64\antiwpa.dll"
sh=EE772E91AEB2612BEFFCED827916F244B0BA444C ft=0 fh=0000000000000000 vn="BAT/HackTool.Agent.AA potentially unsafe application" ac=I fn="Q:\Images\Windows\Windows XP\e-xpc2sp2k7.iso"
sh=6DECBC84914B554751AC2B4542AB204B0EE805FE ft=0 fh=0000000000000000 vn="Win32/Tool.EvID4226 potentially unsafe application" ac=I fn="Q:\Images\Windows\Windows XP\Microsoft Windows XP Pro Corporate Edition with SP2.iso"
sh=F66555E1553D921794D2461B23352B8A4043E360 ft=0 fh=0000000000000000 vn="Win32/HackTool.WinActivator.M potentially unsafe application" ac=I fn="Q:\Images\Windows\Windows XP\Windows XP Home SP3\Windows XP Home Edition 2008SP3English.iso"
sh=74B5A50C296474374F89D119650DBB1A6A7ABB59 ft=0 fh=0000000000000000 vn="a variant of Win32/HackTool.Patcher.X potentially unsafe application" ac=I fn="Q:\Images\Windows\Windows XP\Windows XP Pro SP2\winxpsp2.iso"
sh=375A9F654DDB694A621A29BF2FF30EAD63926FFE ft=0 fh=0000000000000000 vn="Win32/CMDOW.143 potentially unsafe application" ac=I fn="Q:\Images\Windows\Windows XP\Windows XP Pro SP3\Windows XP SP3 Unattended.iso"
sh=04BFD2536899D09566918186B1894A92CAC5B204 ft=1 fh=ded6d3f69b79f185 vn="a variant of Win32/Toolbar.Conduit.B potentially unwanted application" ac=I fn="Q:\Movies\Hot Tub Time Machine\Jaybob's_Movies_Toolbar_Internet Explorer.exe"
sh=A27BFBB4988E87828C8448A2EE5A6D1CC925BA2E ft=1 fh=ec9b5e18e14751a4 vn="a variant of Win32/Toolbar.Conduit.B potentially unwanted application" ac=I fn="Q:\Movies\Paranormal Activity\Jaybob's_Movies_Toolbar.exe"
sh=FD4DD9605A03F619D09B650452E8C81618578B3A ft=1 fh=4c256b24a244bc05 vn="Win32/Toolbar.AskSBar potentially unwanted application" ac=I fn="Q:\Music\Lady Sovereign - Jigsaw\Nero 7.10.1.0\Nero-7.10.1.0_eng_full.exe"
sh=FA9103EE768D7DC764C19469F5B781E7B2D81649 ft=0 fh=0000000000000000 vn="a variant of WMA/TrojanDownloader.GetCodec.gen trojan" ac=I fn="Q:\Music\New Compilation\Lady Hawke Magic.mp3"
sh=1C9240B924C9E0BC8F9AA36B8660FC1D0B9A5DEE ft=1 fh=dc406a0bd47ea305 vn="a variant of Win32/Toolbar.Widgi.B potentially unwanted application" ac=I fn="Q:\Software\YouTube Downloader Pro YTD 4.0 Final Incl Crack - SceneDL\YTDSetup.exe"
sh=8F33D55E30E24B7A3C3A4F00F07B838FC3BF9A55 ft=1 fh=cba55959175d96fa vn="Win32/SoftonicDownloader.E potentially unwanted application" ac=I fn="Q:\Work\Backup\Utilities\SoftonicDownloader_for_google-talk.exe"
sh=8F33D55E30E24B7A3C3A4F00F07B838FC3BF9A55 ft=1 fh=cba55959175d96fa vn="Win32/SoftonicDownloader.E potentially unwanted application" ac=I fn="Q:\Work\Utilities\SoftonicDownloader_for_google-talk.exe"
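The ESET Online Scanner log above is a flat key=value format (`sh`, `ft`, `fh`, `vn`, `ac`, `fn` per detection, plus `# key=value` header lines). The following parser is an added example, not code from the thread or from ESET: it reads that format, checks the header against the body (`found` should equal the number of detection lines and `end` should be `finished`), classes each hit by the suffix of its detection name (trojan, potentially unsafe, potentially unwanted) and groups hits by drive, so that a log like the one posted can be triaged without reading 28 lines by eye. The sample log, its hashes and paths are constructed; treating `ac=I` as "reported, not cleaned" is an assumption based on every entry in a `remove_checked=false` / `cleaned=0` run carrying it.

```python
import re
from collections import Counter

# Constructed sample in the same shape as the posted ESET log
# (hashes, names and paths are made up for the example).
SAMPLE_LOG = """\
# product=EOS
# version=8
# end=finished
# remove_checked=false
# scanned=1000
# found=4
# cleaned=0
sh=AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000 ft=1 fh=0123456789abcdef vn="Win32/HackTool.Crack.BM potentially unsafe application" ac=I fn="C:\\Program Files (x86)\\ExampleGame\\game.exe"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="a variant of Win32/Injector.XX trojan" ac=I fn="Q:\\Images\\example.iso"
sh=BBBB0000BBBB0000BBBB0000BBBB0000BBBB0000 ft=1 fh=fedcba9876543210 vn="Win32/Toolbar.Example potentially unwanted application" ac=I fn="C:\\Users\\user\\Downloads\\setup.exe"
sh=CCCC0000CCCC0000CCCC0000CCCC0000CCCC0000 ft=0 fh=0000000000000000 vn="Win32/Adware.Example application" ac=I fn="Q:\\Images\\old.iso"
"""

# key=value pairs; quoted values (vn, fn) may contain spaces
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RANK = {"trojan": 0, "potentially unsafe": 1, "potentially unwanted": 2, "other": 3}


def classify(vn):
    """Coarse category from the suffix ESET puts on the detection name."""
    if vn.endswith(" trojan"):
        return "trojan"
    if "potentially unsafe" in vn:       # cracks, keygens, activators
        return "potentially unsafe"
    if "potentially unwanted" in vn:     # toolbars, bundled downloaders
        return "potentially unwanted"
    return "other"


def parse_eset_log(text):
    """Return (header dict, list of detection dicts)."""
    meta, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            meta[key.strip()] = value.strip()
        elif line.startswith("sh="):
            fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
            fields["category"] = classify(fields.get("vn", ""))
            fields["drive"] = fields.get("fn", "")[:2].upper()   # e.g. "C:" or "Q:"
            detections.append(fields)
    return meta, detections


def summarize(meta, detections):
    """Counts per category and drive, plus a header-vs-body consistency check."""
    return {
        "by_category": Counter(d["category"] for d in detections),
        "by_drive": Counter(d["drive"] for d in detections),
        "header_consistent": (meta.get("end") == "finished"
                              and meta.get("found") == str(len(detections))),
        # assumption: ac=I means the file was reported but not cleaned
        "not_cleaned": [d["fn"] for d in detections if d.get("ac") == "I"],
    }


def prioritized(detections):
    """Trojans first, then unsafe, then unwanted; stable by path within a category."""
    return sorted(detections, key=lambda d: (RANK[d["category"]], d["fn"].lower()))


if __name__ == "__main__":
    meta, dets = parse_eset_log(SAMPLE_LOG)
    summary = summarize(meta, dets)
    print("header consistent:", summary["header_consistent"])
    print("by category:", dict(summary["by_category"]))
    print("by drive:", dict(summary["by_drive"]))
    for d in prioritized(dets):
        print(f'{d["category"]:22} {d["vn"]:55} {d["fn"]}')
```

Run against the real log, the same split shows what the helper's later reply relies on: the trojan hits all sit inside disc images and archives on `Q:`, while the items on `C:` are cracks and bundled toolbars rather than an active infection.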


#11 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany
  • Local time:09:01 PM

Posted 18 May 2015 - 02:37 AM

CRACKED SOFTWARE WARNING

Participating in the use of cracked/pirated/keygen software is not only illegal but also a security risk. Were you aware your machine has cracked software installed? I do not approve of nor support illegal software.

Malware authors promote and release cracked software to spread their infections. I strongly recommend you refrain from participating in this activity; your computer will be repeatedly infected otherwise. Simply visiting a cracked software site can result in infection via drive-by exploits of vulnerable software.

Cracked software will make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some instances an infection may cause so much damage to your system that recovery is not possible and the only option is to reformat your Hard Drive and reinstall your Operating System. Please read the following articles for more information.


regards,
deeprybka

#12 skeletonbobo

skeletonbobo
  • Topic Starter

  • Members
  • 8 posts
  • Local time:05:01 AM

Posted 18 May 2015 - 06:19 AM

Hi Deeprybka,

My computer was assembled for me by a friend, so I'm unsure what you mean.

Are you saying the only way to remove this threat is to format my computer?

The only reason I have been hacked is because I was careless and allowed my computer to be accessed via RDP over the internet without a password, and things snowballed from there.

Prior to this I was infection free.

Would you recommend a next step, or shall I look at formatting?

I've changed all my passwords and have been monitoring my accounts closely, and I think I have removed enough of the problem to be risk free, but I am just looking for assurance. RDP has been disabled both publicly and locally, I've added a password and removed a keylogger. I've also blocked traffic to and from that IP address through my router.

Do you think I am out of the woods, or should I look at starting fresh?



#13 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • Gender:Male
  • Location:Germany
  • Local time:09:01 PM

Posted 18 May 2015 - 02:46 PM

Are you saying the only way to remove this threat is to format my computer?


No. I am saying that ESET hasn't found any active malware. But for further assistance you have to remove all cracked software.
However, Service Pack 1 and many other updates are missing. Under these circumstances, reinstalling from a Windows 7 SP1 DVD is the best choice.
regards,
deeprybka

#14 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:09:01 PM

Posted 22 May 2015 - 02:50 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
regards,
deeprybka



