Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    German authorities identify REvil and GangCrab ransomware bosses

Featured Deal: Protect up to 9 devices from ads and tracking for just $16 in this AdGuard deal

Latest Buyer's Guide:     Best VPNs in 2025

Generic User Avatar

c:\windows\syswow64\drivers\svchost.exe

Started by Brandon85c , May 20 2015 11:36 PM

  • This topic is locked This topic is locked
19 replies to this topic

#1 Brandon85c

Brandon85c

  • Avatar image
  • Members
  • 10 posts
  • OFFLINE
    •  
  • Local time:06:13 PM

Posted 20 May 2015 - 11:36 PM

so this is popping up none stop on malwarebytes i thought it was a mistake so i closed malwarebytes took a shower and came back to about 22 different programs that installed while i was in the shower.

 

so i uninstalled all the programes rand malbytes super antivirues kaspersky tdsskiller and mwb antirootkit.

 

been hunting around on these forums trying to find a solutions but everything i do turns up empty handed and this malwarebytes warning keeps showing up could anyone help me out?


BC AdBot (Login to Remove)

 

#2 deeprybka

deeprybka

  • Avatar image
  • Malware Response Team
  • 5,198 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Germany
  • Local time:03:13 AM

Posted 21 May 2015 - 02:41 AM

Hi & :welcome: to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems. :warrior:

Before we move on, please read the following points carefully: :exclame:
  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1

Please run a FRST scan. This will help us diagnose your problem.

frst.pngfrstscan.png
Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, download and try to start both of them as just the right one will run.)
  • Start FRST with administator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.

regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 
unite_blue.png
asap.png

#3 Brandon85c

Brandon85c
  • Topic Starter

  • Avatar image
  • Members
  • 10 posts
  • OFFLINE
    •  
  • Local time:06:13 PM

Posted 21 May 2015 - 02:52 AM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 19-05-2015
Ran by Brandon at 2015-05-21 00:51:36
Running from E:\ChromeDL
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1980555204-4143441623-2282392220-500 - Administrator - Disabled)
Brandon (S-1-5-21-1980555204-4143441623-2282392220-1001 - Administrator - Enabled) => C:\Users\Brandon
Guest (S-1-5-21-1980555204-4143441623-2282392220-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1980555204-4143441623-2282392220-1007 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
AlienFX for KoneXTD (HKLM-x32\...\InstallShield_{48725548-E470-4816-99DD-6667EABAB982}) (Version: 1.02 - Roccat GmbH)
AlienFX for KoneXTD (Version: 1.02 - Roccat GmbH) Hidden
AMD Catalyst Install Manager (HKLM\...\{F2A7CE36-57BF-5C86-952D-90DBF3746D82}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
BitTorrent (HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\BitTorrent) (Version: 7.9.3.40299 - BitTorrent Inc.)
Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
Classic Shell (HKLM\...\{7C129CF8-199F-4269-AAEE-60B5D8D716E2}) (Version: 4.2.1 - IvoSoft)
Core Temp 1.0 RC6 (HKLM\...\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1) (Version: 1.0 - Alcpu)
CPUID CPU-Z 1.72 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
EJuiceCalculator (HKLM-x32\...\{1F08C6B0-8F8C-4F50-89AD-F4F7190D249A}) (Version: 5.00.00002 - RodBrown)
EVE Online (HKLM-x32\...\{BAF7798B-050F-415A-9E84-912C424F747D}) (Version: 3.0.0 - CCP Games Ltd.)
EVEMon (HKLM-x32\...\EVEMon) (Version: 1.9.4 - battleclinic.com)
globalupdate Helper (x32 Version: 1.3.25.0 - globalupdate Inc.) Hidden <==== ATTENTION
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 43.0.2357.65 - Google Inc.)
Google Update Helper (x32 Version: 1.3.27.5 - Google Inc.) Hidden
Hearthstone (HKLM-x32\...\Hearthstone) (Version:  - Blizzard Entertainment)
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version:  - )
Lightshot-5.2.1.1 (HKLM-x32\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.2.1.1 - Skillbrains)
Logitech Gaming Software 8.58 (HKLM\...\Logitech Gaming Software) (Version: 8.58.183 - Logitech Inc.)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
NaturalPoint USB Drivers x64 (HKLM\...\{B408139D-04D6-4464-A979-D335E48F7063}) (Version: 2.50.0000 - NaturalPoint)
pyfa version 1.11.0 (Mosaic 1.0) (HKLM-x32\...\{3DA39096-C08D-49CD-90E0-1D177F32C8AA}_is1) (Version: 1.11.0 (Mosaic 1.0) - pyfa)
ROCCAT Kone XTD Mouse Driver (HKLM-x32\...\{7133137D-DF48-4522-AD88-13C82B7D0A63}) (Version:  - Roccat GmbH)
ROCCAT Power-Grid version 0.461 (HKLM-x32\...\{953CF6E6-4EC8-4E55-A263-720CEBD591FE}_is1) (Version: 0.461 - ROCCAT GmbH)
Roccat Talk (HKLM-x32\...\{605D671E-1D1E-4840-84D9-BFACE17F160D}) (Version: 1.00.0013 - Roccat GmbH)
Skype™ 7.4 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.4.102 - Skype Technologies S.A.)
Space Engineers Toolbox (HKLM-x32\...\{E48CB54D-9956-4483-A004-98935606E1B6}) (Version: 01.080.003.1 - Mid-Space Productions)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1194 - SUPERAntiSpyware.com)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.16 - TeamSpeak Systems GmbH)
Thrustmaster TARGET (HKLM-x32\...\{8036A569-CA02-4D33-A7E9-E9BC8A482E91}) (Version: 2.0.10.0 - Thrustmaster)
TrackIR 5 (HKLM-x32\...\{2f2e6053-043c-4d69-94d0-4d42304ea4ee}) (Version: 5.2.0200 - NaturalPoint)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
VoiceAttack (HKLM-x32\...\{0856200E-46FA-4DBB-84DC-F84FA467FF24}) (Version: 1.5.7.63 - VoiceAttack.com)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
15-05-2015 13:06:36 Installed AlienFX for KoneXTD
17-05-2015 13:16:19 Installed DirectX
20-05-2015 20:21:18 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {01174C27-7F00-461C-974B-DE3014E0BADA} - \StartPoint No Task File <==== ATTENTION
Task: {0B1A67C5-B459-43C0-8F4A-CBCD092B39B9} - \StartPoint Updater No Task File <==== ATTENTION
Task: {1A6CD6FE-FB0F-419D-B601-87BB11D12D49} - \avabvbxvh No Task File <==== ATTENTION
Task: {1D1FB722-D354-4EC7-8C89-DDA32A015342} - System32\Tasks\AlaMaintenance => C:\WINDOWS\SysWOW64\drivers\NVACYU~1.EXE [2015-05-15] ()
Task: {37B648E8-9792-4535-B096-376323DB3F64} - System32\Tasks\IJTKKZ => C:\ProgramData\5ac8bbe84ef54973a48db1c2e820ec2b\5ac8bbe84ef54973a48db1c2e820ec2b.exe
Task: {3FE49BCD-E693-4927-9B22-2DA801221445} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-05-06] (Microsoft Corporation)
Task: {4C61156C-8B12-4EBF-A1B8-77049645993E} - System32\Tasks\Media_System_Platform => C:\WINDOWS\SysWOW64\drivers\KVN398~1.EXE [2015-05-15] ()
Task: {4DBCD115-BBCB-4875-A94D-BA0CE2DFA2C4} - System32\Tasks\PKFWGHDRL1 => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
Task: {5772E72A-B3D6-4DFF-BB3D-57585F005558} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2015-04-30] (Microsoft Corporation)
Task: {58967BBA-0177-4017-A34A-4817E65CAF84} - \SmartWeb Upgrade Trigger Task No Task File <==== ATTENTION
Task: {5A8E412D-9CB2-4EFC-A92A-F0E57E2B1A1D} - System32\Tasks\{808CD1AD-6474-444B-8690-E1CD449B55E8} => pcalua.exe -a "C:\Program Files (x86)\StartPoint\startpoint\1.3.23.0\startup.exe" -c /uninstl
Task: {65231A8B-7EBB-43F3-8228-A6B0B0D8A88F} - System32\Tasks\SUPERAntiSpyware Scheduled Task cf0ab486-122c-4c1e-92a9-72d575a2c561 => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {6AE415DA-0190-40F3-9880-8320D9F64D56} - System32\Tasks\Microsoft\Windows\SetupSQMTask => C:\WINDOWS\SYSTEM32\OOBE\SETUPSQM.EXE [2014-10-28] (Microsoft Corporation)
Task: {737C0430-6E25-441F-A672-0DE0287BFC5C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-05-15] (Google Inc.)
Task: {7779881F-BBDA-4CB8-A174-92B9C806B94D} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2014-10-22] (@ByELDI)
Task: {7C93D5DA-1C88-43D5-8852-6085A24E1A3E} - System32\Tasks\OTZRX1 => C:\ProgramData\Kikblaster\Kikblaster.exe
Task: {812B9FE8-0DC5-4D7C-9EA5-353919A9DD4C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-05-15] (Google Inc.)
Task: {858EADC6-8B78-40C2-ADB1-ED86AD70D49E} - \Selection Tools Update No Task File <==== ATTENTION
Task: {87FDFA2E-7D6A-4303-8918-134CA81F65FA} - System32\Tasks\SUPERAntiSpyware Scheduled Task ff344865-d60e-49a7-8b9b-e83bff96d142 => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {8E7A06AA-E422-4199-9863-3D9336EE410E} - System32\Tasks\propagation utility manager => C:\WINDOWS\SysWOW64\drivers\syscomplus80.exe
Task: {A1A6596C-7C90-4AAE-9F3D-58CE08885BC2} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2014-11-28] ()
Task: {A430AC5D-C0A5-4F3C-9436-978FBC3EC3F3} - System32\Tasks\ICRNZUSHUQ => C:\ProgramData\4bf6f2c49d004f2aba9c312f14be371c\4bf6f2c49d004f2aba9c312f14be371c.exe
Task: {A6DA9CC6-2ADF-45E0-AF7F-87832BF8256E} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-05-06] (Microsoft Corporation)
Task: {D5723CD9-D993-4A97-B809-6A210623C64F} - System32\Tasks\slubJ2ww6VeT066 => C:\Users\Brandon\AppData\Roaming\slubJ2ww6VeT066.exe <==== ATTENTION
Task: {D7AF21F1-CF68-4F88-81B1-70853F0B121B} - System32\Tasks\aWcp3fYrq3B1FXiB2RX => C:\Users\Brandon\AppData\Roaming\aWcp3fYrq3B1FXiB2RX.exe <==== ATTENTION
Task: {DF4795B1-71D9-4BBD-9DF9-24EE93D9A806} - \WindApp Update No Task File <==== ATTENTION
Task: {FCDD586D-8598-406F-AEF7-1D5AF52CA636} - System32\Tasks\Core Temp Autostart Brandon => C:\Program Files\Core Temp\Core Temp.exe [2013-10-08] ()
Task: {FFEEC7F9-14E9-4EAF-9DC7-1119FEB4010B} - System32\Tasks\{DB572BCE-7996-410E-82BE-878BD2A2FDBC} => pcalua.exe -a "C:\Program Files (x86)\Edu App\EduAppuninstall.exe"
Task: C:\WINDOWS\Tasks\aWcp3fYrq3B1FXiB2RX.job => C:\Users\Brandon\AppData\Roaming\aWcp3fYrq3B1FXiB2RX.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\OTZRX1.job => C:\ProgramData\Kikblaster\Kikblaster.exe
Task: C:\WINDOWS\Tasks\PKFWGHDRL1.job => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\slubJ2ww6VeT066.job => C:\Users\Brandon\AppData\Roaming\slubJ2ww6VeT066.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task cf0ab486-122c-4c1e-92a9-72d575a2c561.job => C:\Program Files\SUPERAntiSpyware\SASTask.exedC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task ff344865-d60e-49a7-8b9b-e83bff96d142.job => C:\Program Files\SUPERAntiSpyware\SASTask.exedC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\WINDOWS\Tasks\update-S-1-5-21-1980555204-4143441623-2282392220-1001.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\WINDOWS\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-05-15 13:42 - 2013-10-08 13:23 - 00890016 _____ () C:\Program Files\Core Temp\Core Temp.exe
2014-09-18 00:23 - 2014-09-18 00:23 - 00866584 _____ () C:\Program Files\Logitech Gaming Software\libGLESv2.dll
2015-03-12 11:23 - 2015-03-12 11:23 - 01050904 _____ () C:\Program Files\Logitech Gaming Software\platforms\qwindows.dll
2014-09-18 00:23 - 2014-09-18 00:23 - 00059160 _____ () C:\Program Files\Logitech Gaming Software\libEGL.dll
2015-03-12 11:23 - 2015-03-12 11:23 - 00242456 _____ () C:\Program Files\Logitech Gaming Software\imageformats\qjpeg.dll
2014-02-28 02:14 - 2014-02-28 02:14 - 00173568 _____ () C:\Program Files\TeamSpeak 3 Client\quazip.dll
2014-02-27 07:51 - 2014-02-27 07:51 - 01080832 _____ () C:\Program Files\TeamSpeak 3 Client\platforms\qwindows.dll
2014-02-27 07:51 - 2014-02-27 07:51 - 00833024 _____ () C:\Program Files\TeamSpeak 3 Client\sqldrivers\qsqlite.dll
2014-08-04 06:43 - 2014-08-04 06:43 - 00102344 _____ () C:\Program Files\TeamSpeak 3 Client\soundbackends\directsound_win64.dll
2014-08-04 06:43 - 2014-08-04 06:43 - 00108488 _____ () C:\Program Files\TeamSpeak 3 Client\soundbackends\windowsaudiosession_win64.dll
2014-02-27 07:51 - 2014-02-27 07:51 - 00030208 _____ () C:\Program Files\TeamSpeak 3 Client\imageformats\qgif.dll
2014-02-27 07:51 - 2014-02-27 07:51 - 00233984 _____ () C:\Program Files\TeamSpeak 3 Client\imageformats\qjpeg.dll
2014-08-04 06:46 - 2014-08-04 06:46 - 00563656 _____ () C:\Program Files\TeamSpeak 3 Client\plugins\clientquery_plugin.dll
2014-08-04 06:46 - 2014-08-04 06:46 - 00579016 _____ () C:\Program Files\TeamSpeak 3 Client\plugins\teamspeak_control_plugin.dll
2015-05-15 13:07 - 2012-06-17 11:20 - 00061440 _____ () C:\Program Files (x86)\ROCCAT\Kone XTD Mouse\hiddriver.dll
2015-05-20 21:13 - 2015-05-13 09:48 - 01281864 _____ () C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.65\libglesv2.dll
2015-05-20 21:13 - 2015-05-13 09:48 - 00080712 _____ () C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.65\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\Users\Brandon\OneDrive:ms-properties
AlternateDataStreams: C:\Users\Brandon\SkyDrive:ms-properties
 
==================== Safe Mode (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, the associated entry will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Brandon\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\1920_1200_caldari.jpg
DNS Servers: 192.168.1.1
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: SkypeUpdate => 2
HKLM\...\StartupApproved\Run32: => "WinCheck"
HKLM\...\StartupApproved\Run32: => "SafeGuard"
HKLM\...\StartupApproved\Run32: => "SmartWeb"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\StartupFolder: => "SafeGuard.lnk"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\StartupFolder: => "crossbrowse.lnk"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\StartupFolder: => "SmartWeb.lnk"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "SUPERAntiSpyware"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "GoogleChromeAutoLaunch_36D1BC24B0BF8F597389900CC2C421B1"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "Itibiti.exe"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "Bubble Dock"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "Boost"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "Selection Tools"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "WindApp"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppextcomobj.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppextcomobj.exe
FirewallRules: [{830A19F2-4FD2-4E45-ADD9-95EA8FA479AE}] => (Allow) C:\Users\Brandon\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{2E99C584-DFF1-4460-92C7-4205CDE83452}] => (Allow) C:\Users\Brandon\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{2BE56A67-C147-4FAC-8FAA-2E9FE11990E9}] => (Allow) C:\Program Files\Logitech Gaming Software\LCore.exe
FirewallRules: [{1BD0231E-3DEB-409E-847E-0C3E5E3CA393}] => (Allow) C:\Program Files\Logitech Gaming Software\LCore.exe
FirewallRules: [TCP Query User{3FCC4538-A1AE-4D76-BE6E-2F6E1D372EAC}C:\program files (x86)\ccp\eve\bin\exefile.exe] => (Allow) C:\program files (x86)\ccp\eve\bin\exefile.exe
FirewallRules: [UDP Query User{7982D350-1429-4A95-8FD3-039E12827599}C:\program files (x86)\ccp\eve\bin\exefile.exe] => (Allow) C:\program files (x86)\ccp\eve\bin\exefile.exe
FirewallRules: [{8AAF5785-D561-479E-B9D0-8AAC5E210149}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{E9E7A81B-02ED-4DFD-B449-4CD11B92C67F}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{71150235-60CF-41BB-B43B-F1BA1FE529DD}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [{D898621F-BC99-48D0-B9CA-9055F0F3D40C}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [TCP Query User{494713FD-716A-4C0F-AB46-D083EF98DD82}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{83DCFE54-F9C6-45AF-B4E0-173A0F22377B}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{4C68FFF3-5E89-4C08-BBE9-AAB2F54642C4}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{C8701F94-5DB9-4293-B20C-5292F0CEBBDC}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{F44B706F-CEF7-4807-A533-BC8CC2B52AA8}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{7613BD8F-9060-4C46-880E-134E9372BA61}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{004A5077-2FCB-496D-A9FC-4C64E6F6F079}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\SpaceEngineers\Bin64\SpaceEngineers.exe
FirewallRules: [{F864F3FF-398C-4FED-A51C-906E7650F668}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\SpaceEngineers\Bin64\SpaceEngineers.exe
FirewallRules: [{D2BFC73D-A9B6-4894-84A5-92A35CCF1291}] => (Allow) C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
FirewallRules: [{1F06208E-C4AE-46AC-A60B-639FBF6038AA}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{F3B53FFD-63B1-4CBD-B658-852CC1A0EF4B}] => (Allow) LPort=1688
FirewallRules: [{CACCBC35-0A5D-4ACF-81D0-E19DC31F8982}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{08D21492-E83E-4B06-871A-9672E8E80EF7}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
 
==================== Faulty Device Manager Devices =============
 
Name: High Definition Audio Bus
Description: High Definition Audio Bus
Class Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer: AMD
Service: HDAudBus
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/20/2015 08:57:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iiwjljrnpc64.exe, version: 0.0.0.0, time stamp: 0x551bf9ee
Faulting module name: ntdll.dll, version: 6.3.9600.17736, time stamp: 0x550f4336
Exception code: 0xc0000374
Fault offset: 0x00000000000f0f20
Faulting process id: 0x640
Faulting application start time: 0xiiwjljrnpc64.exe0
Faulting application path: iiwjljrnpc64.exe1
Faulting module path: iiwjljrnpc64.exe2
Report Id: iiwjljrnpc64.exe3
Faulting package full name: iiwjljrnpc64.exe4
Faulting package-relative application ID: iiwjljrnpc64.exe5
 
Error: (05/20/2015 08:56:35 PM) (Source: ServiceEx) (EventID: 1) (User: )
Description: Can't start service: error code 3
 
Error: (05/20/2015 08:56:35 PM) (Source: ServiceEx) (EventID: 1) (User: )
Description: Can't launch C:\WINDOWS\SysWOW64\drivers\eventlogman32.exe.  CreateProcess() returned The system cannot find the file specified.
 
Error: (05/20/2015 08:52:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program nse230D.tmp version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 266c
 
Start Time: 01d093792eebe767
 
Termination Time: 4294967295
 
Application Path: C:\Users\Brandon\AppData\Local\Temp\nse230D.tmp
 
Report Id: d5a734a6-ff6c-11e4-8261-60a44c601973
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (05/20/2015 08:21:19 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (05/20/2015 08:21:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iiwjljrnpc64.exe, version: 0.0.0.0, time stamp: 0x551bf9ee
Faulting module name: ntdll.dll, version: 6.3.9600.17736, time stamp: 0x550f4336
Exception code: 0xc0000374
Fault offset: 0x00000000000f0f20
Faulting process id: 0x3318
Faulting application start time: 0xiiwjljrnpc64.exe0
Faulting application path: iiwjljrnpc64.exe1
Faulting module path: iiwjljrnpc64.exe2
Report Id: iiwjljrnpc64.exe3
Faulting package full name: iiwjljrnpc64.exe4
Faulting package-relative application ID: iiwjljrnpc64.exe5
 
Error: (05/20/2015 08:20:08 PM) (Source: MsiInstaller) (EventID: 11316) (User: BRANDON)
Description: Product: Consumer Input Update Helper -- Error 1316. The specified account already exists.
 
Error: (05/20/2015 08:15:37 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3"1".
Dependent Assembly Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (05/20/2015 08:15:37 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3"1".
Dependent Assembly Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (05/20/2015 08:48:16 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider ProtectionManagement attempted to register query "select * from MSFT_MpEvent" whose target class "MSFT_MpEvent" in //./root/microsoft/protectionManagement namespace does not exist. The query will be ignored.
 
 
System errors:
=============
Error: (05/20/2015 09:20:10 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The globalUpdate Update Service (globalUpdate) service failed to start due to the following error: 
%%2
 
Error: (05/20/2015 09:18:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The AODDriver4.2.0 service failed to start due to the following error: 
%%3
 
Error: (05/20/2015 09:03:48 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Update Edu App service failed to start due to the following error: 
%%1053
 
Error: (05/20/2015 09:03:48 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Update Edu App service to connect.
 
Error: (05/20/2015 09:03:45 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Util Edu App service failed to start due to the following error: 
%%1053
 
Error: (05/20/2015 09:03:45 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Util Edu App service to connect.
 
Error: (05/20/2015 09:03:43 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Update Edu App service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
 
Error: (05/20/2015 09:03:42 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Search Protect Service service failed to start due to the following error: 
%%1053
 
Error: (05/20/2015 09:03:42 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Search Protect Service service to connect.
 
Error: (05/20/2015 09:03:40 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Util Edu App service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
 
 
Microsoft Office Sessions:
=========================
Error: (05/20/2015 08:57:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iiwjljrnpc64.exe0.0.0.0551bf9eentdll.dll6.3.9600.17736550f4336c000037400000000000f0f2064001d0937a21f553bbC:\Program Files (x86)\coupoon\iiwjljrnpc64.exeC:\WINDOWS\SYSTEM32\ntdll.dll6e9cf871-ff6d-11e4-8262-60a44c601973
 
Error: (05/20/2015 08:56:35 PM) (Source: ServiceEx) (EventID: 1) (User: )
Description: Can't start service: error code 3
 
Error: (05/20/2015 08:56:35 PM) (Source: ServiceEx) (EventID: 1) (User: )
Description: Can't launch C:\WINDOWS\SysWOW64\drivers\eventlogman32.exe.  CreateProcess() returned The system cannot find the file specified.
 
Error: (05/20/2015 08:52:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: nse230D.tmp0.0.0.0266c01d093792eebe7674294967295C:\Users\Brandon\AppData\Local\Temp\nse230D.tmpd5a734a6-ff6c-11e4-8261-60a44c601973
 
Error: (05/20/2015 08:21:19 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
 
Error: (05/20/2015 08:21:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iiwjljrnpc64.exe0.0.0.0551bf9eentdll.dll6.3.9600.17736550f4336c000037400000000000f0f20331801d0937530c72be6C:\Program Files (x86)\coupoon\iiwjljrnpc64.exeC:\WINDOWS\SYSTEM32\ntdll.dll71442f06-ff68-11e4-8261-60a44c601973
 
Error: (05/20/2015 08:20:08 PM) (Source: MsiInstaller) (EventID: 11316) (User: BRANDON)
Description: Product: Consumer Input Update Helper -- Error 1316. The specified account already exists.
(NULL)(NULL)(NULL)(NULL)(NULL)
 
Error: (05/20/2015 08:15:37 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3"C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
 
Error: (05/20/2015 08:15:37 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3"C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
 
Error: (05/20/2015 08:48:16 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: ProtectionManagementselect * from MSFT_MpEventMSFT_MpEvent//./root/microsoft/protectionManagement
 
 
==================== Memory info =========================== 
 
Processor: AMD FX™-8350 Eight-Core Processor 
Percentage of memory in use: 10%
Total physical RAM: 32682.09 MB
Available physical RAM: 29411.66 MB
Total Pagefile: 37546.09 MB
Available Pagefile: 33643.43 MB
Total Virtual: 131072 MB
Available Virtual: 131071.78 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:232.79 GB) (Free:171.92 GB) NTFS
Drive e: () (Fixed) (Total:931.51 GB) (Free:7.92 GB) NTFS
Drive f: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive h: () (Fixed) (Total:93.16 GB) (Free:57.67 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 93670B51)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 5DF975FC)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 93.2 GB) (Disk ID: AD989DEC)
Partition 1: (Active) - (Size=93.2 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================
 
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version: 19-05-2015
Ran by Brandon at 2015-05-21 00:51:36
Running from E:\ChromeDL
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1980555204-4143441623-2282392220-500 - Administrator - Disabled)
Brandon (S-1-5-21-1980555204-4143441623-2282392220-1001 - Administrator - Enabled) => C:\Users\Brandon
Guest (S-1-5-21-1980555204-4143441623-2282392220-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1980555204-4143441623-2282392220-1007 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
AlienFX for KoneXTD (HKLM-x32\...\InstallShield_{48725548-E470-4816-99DD-6667EABAB982}) (Version: 1.02 - Roccat GmbH)
AlienFX for KoneXTD (Version: 1.02 - Roccat GmbH) Hidden
AMD Catalyst Install Manager (HKLM\...\{F2A7CE36-57BF-5C86-952D-90DBF3746D82}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
BitTorrent (HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\BitTorrent) (Version: 7.9.3.40299 - BitTorrent Inc.)
Catalyst Control Center (HKLM-x32\...\WUCCCApp) (Version: 1.00.0000 - AMD)
Classic Shell (HKLM\...\{7C129CF8-199F-4269-AAEE-60B5D8D716E2}) (Version: 4.2.1 - IvoSoft)
Core Temp 1.0 RC6 (HKLM\...\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1) (Version: 1.0 - Alcpu)
CPUID CPU-Z 1.72 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
EJuiceCalculator (HKLM-x32\...\{1F08C6B0-8F8C-4F50-89AD-F4F7190D249A}) (Version: 5.00.00002 - RodBrown)
EVE Online (HKLM-x32\...\{BAF7798B-050F-415A-9E84-912C424F747D}) (Version: 3.0.0 - CCP Games Ltd.)
EVEMon (HKLM-x32\...\EVEMon) (Version: 1.9.4 - battleclinic.com)
globalupdate Helper (x32 Version: 1.3.25.0 - globalupdate Inc.) Hidden <==== ATTENTION
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 43.0.2357.65 - Google Inc.)
Google Update Helper (x32 Version: 1.3.27.5 - Google Inc.) Hidden
Hearthstone (HKLM-x32\...\Hearthstone) (Version:  - Blizzard Entertainment)
Itibiti RTC (x32 Version: 0.0.1 - Itibiti Inc) Hidden
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version:  - )
Lightshot-5.2.1.1 (HKLM-x32\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.2.1.1 - Skillbrains)
Logitech Gaming Software 8.58 (HKLM\...\Logitech Gaming Software) (Version: 8.58.183 - Logitech Inc.)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
NaturalPoint USB Drivers x64 (HKLM\...\{B408139D-04D6-4464-A979-D335E48F7063}) (Version: 2.50.0000 - NaturalPoint)
pyfa version 1.11.0 (Mosaic 1.0) (HKLM-x32\...\{3DA39096-C08D-49CD-90E0-1D177F32C8AA}_is1) (Version: 1.11.0 (Mosaic 1.0) - pyfa)
ROCCAT Kone XTD Mouse Driver (HKLM-x32\...\{7133137D-DF48-4522-AD88-13C82B7D0A63}) (Version:  - Roccat GmbH)
ROCCAT Power-Grid version 0.461 (HKLM-x32\...\{953CF6E6-4EC8-4E55-A263-720CEBD591FE}_is1) (Version: 0.461 - ROCCAT GmbH)
Roccat Talk (HKLM-x32\...\{605D671E-1D1E-4840-84D9-BFACE17F160D}) (Version: 1.00.0013 - Roccat GmbH)
Skype™ 7.4 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.4.102 - Skype Technologies S.A.)
Space Engineers Toolbox (HKLM-x32\...\{E48CB54D-9956-4483-A004-98935606E1B6}) (Version: 01.080.003.1 - Mid-Space Productions)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1194 - SUPERAntiSpyware.com)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.16 - TeamSpeak Systems GmbH)
Thrustmaster TARGET (HKLM-x32\...\{8036A569-CA02-4D33-A7E9-E9BC8A482E91}) (Version: 2.0.10.0 - Thrustmaster)
TrackIR 5 (HKLM-x32\...\{2f2e6053-043c-4d69-94d0-4d42304ea4ee}) (Version: 5.2.0200 - NaturalPoint)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
VoiceAttack (HKLM-x32\...\{0856200E-46FA-4DBB-84DC-F84FA467FF24}) (Version: 1.5.7.63 - VoiceAttack.com)
 
==================== Custom CLSID (selected items): ==========================
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
 
==================== Restore Points  =========================
 
15-05-2015 13:06:36 Installed AlienFX for KoneXTD
17-05-2015 13:16:19 Installed DirectX
20-05-2015 20:21:18 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
 
==================== Hosts content: ==========================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 ____A C:\WINDOWS\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)
 
Task: {01174C27-7F00-461C-974B-DE3014E0BADA} - \StartPoint No Task File <==== ATTENTION
Task: {0B1A67C5-B459-43C0-8F4A-CBCD092B39B9} - \StartPoint Updater No Task File <==== ATTENTION
Task: {1A6CD6FE-FB0F-419D-B601-87BB11D12D49} - \avabvbxvh No Task File <==== ATTENTION
Task: {1D1FB722-D354-4EC7-8C89-DDA32A015342} - System32\Tasks\AlaMaintenance => C:\WINDOWS\SysWOW64\drivers\NVACYU~1.EXE [2015-05-15] ()
Task: {37B648E8-9792-4535-B096-376323DB3F64} - System32\Tasks\IJTKKZ => C:\ProgramData\5ac8bbe84ef54973a48db1c2e820ec2b\5ac8bbe84ef54973a48db1c2e820ec2b.exe
Task: {3FE49BCD-E693-4927-9B22-2DA801221445} - System32\Tasks\Microsoft\Windows\Setup\gwx\launchtrayprocess => C:\Windows\system32\GWX\GWX.exe [2015-05-06] (Microsoft Corporation)
Task: {4C61156C-8B12-4EBF-A1B8-77049645993E} - System32\Tasks\Media_System_Platform => C:\WINDOWS\SysWOW64\drivers\KVN398~1.EXE [2015-05-15] ()
Task: {4DBCD115-BBCB-4875-A94D-BA0CE2DFA2C4} - System32\Tasks\PKFWGHDRL1 => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
Task: {5772E72A-B3D6-4DFF-BB3D-57585F005558} - System32\Tasks\Microsoft\Windows\RemovalTools\MRT_HB => C:\WINDOWS\system32\MRT.exe [2015-04-30] (Microsoft Corporation)
Task: {58967BBA-0177-4017-A34A-4817E65CAF84} - \SmartWeb Upgrade Trigger Task No Task File <==== ATTENTION
Task: {5A8E412D-9CB2-4EFC-A92A-F0E57E2B1A1D} - System32\Tasks\{808CD1AD-6474-444B-8690-E1CD449B55E8} => pcalua.exe -a "C:\Program Files (x86)\StartPoint\startpoint\1.3.23.0\startup.exe" -c /uninstl
Task: {65231A8B-7EBB-43F3-8228-A6B0B0D8A88F} - System32\Tasks\SUPERAntiSpyware Scheduled Task cf0ab486-122c-4c1e-92a9-72d575a2c561 => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {6AE415DA-0190-40F3-9880-8320D9F64D56} - System32\Tasks\Microsoft\Windows\SetupSQMTask => C:\WINDOWS\SYSTEM32\OOBE\SETUPSQM.EXE [2014-10-28] (Microsoft Corporation)
Task: {737C0430-6E25-441F-A672-0DE0287BFC5C} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-05-15] (Google Inc.)
Task: {7779881F-BBDA-4CB8-A174-92B9C806B94D} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2014-10-22] (@ByELDI)
Task: {7C93D5DA-1C88-43D5-8852-6085A24E1A3E} - System32\Tasks\OTZRX1 => C:\ProgramData\Kikblaster\Kikblaster.exe
Task: {812B9FE8-0DC5-4D7C-9EA5-353919A9DD4C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-05-15] (Google Inc.)
Task: {858EADC6-8B78-40C2-ADB1-ED86AD70D49E} - \Selection Tools Update No Task File <==== ATTENTION
Task: {87FDFA2E-7D6A-4303-8918-134CA81F65FA} - System32\Tasks\SUPERAntiSpyware Scheduled Task ff344865-d60e-49a7-8b9b-e83bff96d142 => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {8E7A06AA-E422-4199-9863-3D9336EE410E} - System32\Tasks\propagation utility manager => C:\WINDOWS\SysWOW64\drivers\syscomplus80.exe
Task: {A1A6596C-7C90-4AAE-9F3D-58CE08885BC2} - System32\Tasks\update-sys => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [2014-11-28] ()
Task: {A430AC5D-C0A5-4F3C-9436-978FBC3EC3F3} - System32\Tasks\ICRNZUSHUQ => C:\ProgramData\4bf6f2c49d004f2aba9c312f14be371c\4bf6f2c49d004f2aba9c312f14be371c.exe
Task: {A6DA9CC6-2ADF-45E0-AF7F-87832BF8256E} - System32\Tasks\Microsoft\Windows\Setup\gwx\refreshgwxconfig => C:\Windows\system32\GWX\GWXConfigManager.exe [2015-05-06] (Microsoft Corporation)
Task: {D5723CD9-D993-4A97-B809-6A210623C64F} - System32\Tasks\slubJ2ww6VeT066 => C:\Users\Brandon\AppData\Roaming\slubJ2ww6VeT066.exe <==== ATTENTION
Task: {D7AF21F1-CF68-4F88-81B1-70853F0B121B} - System32\Tasks\aWcp3fYrq3B1FXiB2RX => C:\Users\Brandon\AppData\Roaming\aWcp3fYrq3B1FXiB2RX.exe <==== ATTENTION
Task: {DF4795B1-71D9-4BBD-9DF9-24EE93D9A806} - \WindApp Update No Task File <==== ATTENTION
Task: {FCDD586D-8598-406F-AEF7-1D5AF52CA636} - System32\Tasks\Core Temp Autostart Brandon => C:\Program Files\Core Temp\Core Temp.exe [2013-10-08] ()
Task: {FFEEC7F9-14E9-4EAF-9DC7-1119FEB4010B} - System32\Tasks\{DB572BCE-7996-410E-82BE-878BD2A2FDBC} => pcalua.exe -a "C:\Program Files (x86)\Edu App\EduAppuninstall.exe"
Task: C:\WINDOWS\Tasks\aWcp3fYrq3B1FXiB2RX.job => C:\Users\Brandon\AppData\Roaming\aWcp3fYrq3B1FXiB2RX.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\OTZRX1.job => C:\ProgramData\Kikblaster\Kikblaster.exe
Task: C:\WINDOWS\Tasks\PKFWGHDRL1.job => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\slubJ2ww6VeT066.job => C:\Users\Brandon\AppData\Roaming\slubJ2ww6VeT066.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task cf0ab486-122c-4c1e-92a9-72d575a2c561.job => C:\Program Files\SUPERAntiSpyware\SASTask.exedC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\WINDOWS\Tasks\SUPERAntiSpyware Scheduled Task ff344865-d60e-49a7-8b9b-e83bff96d142.job => C:\Program Files\SUPERAntiSpyware\SASTask.exedC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Task: C:\WINDOWS\Tasks\update-S-1-5-21-1980555204-4143441623-2282392220-1001.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
Task: C:\WINDOWS\Tasks\update-sys.job => C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-05-15 13:42 - 2013-10-08 13:23 - 00890016 _____ () C:\Program Files\Core Temp\Core Temp.exe
2014-09-18 00:23 - 2014-09-18 00:23 - 00866584 _____ () C:\Program Files\Logitech Gaming Software\libGLESv2.dll
2015-03-12 11:23 - 2015-03-12 11:23 - 01050904 _____ () C:\Program Files\Logitech Gaming Software\platforms\qwindows.dll
2014-09-18 00:23 - 2014-09-18 00:23 - 00059160 _____ () C:\Program Files\Logitech Gaming Software\libEGL.dll
2015-03-12 11:23 - 2015-03-12 11:23 - 00242456 _____ () C:\Program Files\Logitech Gaming Software\imageformats\qjpeg.dll
2014-02-28 02:14 - 2014-02-28 02:14 - 00173568 _____ () C:\Program Files\TeamSpeak 3 Client\quazip.dll
2014-02-27 07:51 - 2014-02-27 07:51 - 01080832 _____ () C:\Program Files\TeamSpeak 3 Client\platforms\qwindows.dll
2014-02-27 07:51 - 2014-02-27 07:51 - 00833024 _____ () C:\Program Files\TeamSpeak 3 Client\sqldrivers\qsqlite.dll
2014-08-04 06:43 - 2014-08-04 06:43 - 00102344 _____ () C:\Program Files\TeamSpeak 3 Client\soundbackends\directsound_win64.dll
2014-08-04 06:43 - 2014-08-04 06:43 - 00108488 _____ () C:\Program Files\TeamSpeak 3 Client\soundbackends\windowsaudiosession_win64.dll
2014-02-27 07:51 - 2014-02-27 07:51 - 00030208 _____ () C:\Program Files\TeamSpeak 3 Client\imageformats\qgif.dll
2014-02-27 07:51 - 2014-02-27 07:51 - 00233984 _____ () C:\Program Files\TeamSpeak 3 Client\imageformats\qjpeg.dll
2014-08-04 06:46 - 2014-08-04 06:46 - 00563656 _____ () C:\Program Files\TeamSpeak 3 Client\plugins\clientquery_plugin.dll
2014-08-04 06:46 - 2014-08-04 06:46 - 00579016 _____ () C:\Program Files\TeamSpeak 3 Client\plugins\teamspeak_control_plugin.dll
2015-05-15 13:07 - 2012-06-17 11:20 - 00061440 _____ () C:\Program Files (x86)\ROCCAT\Kone XTD Mouse\hiddriver.dll
2015-05-20 21:13 - 2015-05-13 09:48 - 01281864 _____ () C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.65\libglesv2.dll
2015-05-20 21:13 - 2015-05-13 09:48 - 00080712 _____ () C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.65\libegl.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)
 
AlternateDataStreams: C:\Users\Brandon\OneDrive:ms-properties
AlternateDataStreams: C:\Users\Brandon\SkyDrive:ms-properties
 
==================== Safe Mode (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, the associated entry will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Brandon\AppData\Local\Microsoft\Windows\Themes\RoamedThemeFiles\DesktopBackground\1920_1200_caldari.jpg
DNS Servers: 192.168.1.1
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\Services: SkypeUpdate => 2
HKLM\...\StartupApproved\Run32: => "WinCheck"
HKLM\...\StartupApproved\Run32: => "SafeGuard"
HKLM\...\StartupApproved\Run32: => "SmartWeb"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\StartupFolder: => "SafeGuard.lnk"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\StartupFolder: => "crossbrowse.lnk"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\StartupFolder: => "SmartWeb.lnk"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "SUPERAntiSpyware"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "GoogleChromeAutoLaunch_36D1BC24B0BF8F597389900CC2C421B1"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "Itibiti.exe"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "Bubble Dock"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "Boost"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "Selection Tools"
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\StartupApproved\Run: => "WindApp"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppextcomobj.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppextcomobj.exe
FirewallRules: [{830A19F2-4FD2-4E45-ADD9-95EA8FA479AE}] => (Allow) C:\Users\Brandon\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{2E99C584-DFF1-4460-92C7-4205CDE83452}] => (Allow) C:\Users\Brandon\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{2BE56A67-C147-4FAC-8FAA-2E9FE11990E9}] => (Allow) C:\Program Files\Logitech Gaming Software\LCore.exe
FirewallRules: [{1BD0231E-3DEB-409E-847E-0C3E5E3CA393}] => (Allow) C:\Program Files\Logitech Gaming Software\LCore.exe
FirewallRules: [TCP Query User{3FCC4538-A1AE-4D76-BE6E-2F6E1D372EAC}C:\program files (x86)\ccp\eve\bin\exefile.exe] => (Allow) C:\program files (x86)\ccp\eve\bin\exefile.exe
FirewallRules: [UDP Query User{7982D350-1429-4A95-8FD3-039E12827599}C:\program files (x86)\ccp\eve\bin\exefile.exe] => (Allow) C:\program files (x86)\ccp\eve\bin\exefile.exe
FirewallRules: [{8AAF5785-D561-479E-B9D0-8AAC5E210149}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{E9E7A81B-02ED-4DFD-B449-4CD11B92C67F}] => (Allow) C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{71150235-60CF-41BB-B43B-F1BA1FE529DD}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [{D898621F-BC99-48D0-B9CA-9055F0F3D40C}] => (Allow) C:\Program Files (x86)\Hearthstone\Hearthstone.exe
FirewallRules: [TCP Query User{494713FD-716A-4C0F-AB46-D083EF98DD82}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [UDP Query User{83DCFE54-F9C6-45AF-B4E0-173A0F22377B}C:\program files (x86)\skype\phone\skype.exe] => (Allow) C:\program files (x86)\skype\phone\skype.exe
FirewallRules: [{4C68FFF3-5E89-4C08-BBE9-AAB2F54642C4}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{C8701F94-5DB9-4293-B20C-5292F0CEBBDC}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{F44B706F-CEF7-4807-A533-BC8CC2B52AA8}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{7613BD8F-9060-4C46-880E-134E9372BA61}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{004A5077-2FCB-496D-A9FC-4C64E6F6F079}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\SpaceEngineers\Bin64\SpaceEngineers.exe
FirewallRules: [{F864F3FF-398C-4FED-A51C-906E7650F668}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\SpaceEngineers\Bin64\SpaceEngineers.exe
FirewallRules: [{D2BFC73D-A9B6-4894-84A5-92A35CCF1291}] => (Allow) C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\crossbrowse.exe
FirewallRules: [{1F06208E-C4AE-46AC-A60B-639FBF6038AA}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{F3B53FFD-63B1-4CBD-B658-852CC1A0EF4B}] => (Allow) LPort=1688
FirewallRules: [{CACCBC35-0A5D-4ACF-81D0-E19DC31F8982}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
FirewallRules: [{08D21492-E83E-4B06-871A-9672E8E80EF7}] => (Allow) C:\Program Files\KMSpico\Service_KMS.exe
 
==================== Faulty Device Manager Devices =============
 
Name: High Definition Audio Bus
Description: High Definition Audio Bus
Class Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer: AMD
Service: HDAudBus
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (05/20/2015 08:57:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iiwjljrnpc64.exe, version: 0.0.0.0, time stamp: 0x551bf9ee
Faulting module name: ntdll.dll, version: 6.3.9600.17736, time stamp: 0x550f4336
Exception code: 0xc0000374
Fault offset: 0x00000000000f0f20
Faulting process id: 0x640
Faulting application start time: 0xiiwjljrnpc64.exe0
Faulting application path: iiwjljrnpc64.exe1
Faulting module path: iiwjljrnpc64.exe2
Report Id: iiwjljrnpc64.exe3
Faulting package full name: iiwjljrnpc64.exe4
Faulting package-relative application ID: iiwjljrnpc64.exe5
 
Error: (05/20/2015 08:56:35 PM) (Source: ServiceEx) (EventID: 1) (User: )
Description: Can't start service: error code 3
 
Error: (05/20/2015 08:56:35 PM) (Source: ServiceEx) (EventID: 1) (User: )
Description: Can't launch C:\WINDOWS\SysWOW64\drivers\eventlogman32.exe.  CreateProcess() returned The system cannot find the file specified.
 
Error: (05/20/2015 08:52:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program nse230D.tmp version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 266c
 
Start Time: 01d093792eebe767
 
Termination Time: 4294967295
 
Application Path: C:\Users\Brandon\AppData\Local\Temp\nse230D.tmp
 
Report Id: d5a734a6-ff6c-11e4-8261-60a44c601973
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (05/20/2015 08:21:19 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.
 
 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
.
 
Error: (05/20/2015 08:21:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: iiwjljrnpc64.exe, version: 0.0.0.0, time stamp: 0x551bf9ee
Faulting module name: ntdll.dll, version: 6.3.9600.17736, time stamp: 0x550f4336
Exception code: 0xc0000374
Fault offset: 0x00000000000f0f20
Faulting process id: 0x3318
Faulting application start time: 0xiiwjljrnpc64.exe0
Faulting application path: iiwjljrnpc64.exe1
Faulting module path: iiwjljrnpc64.exe2
Report Id: iiwjljrnpc64.exe3
Faulting package full name: iiwjljrnpc64.exe4
Faulting package-relative application ID: iiwjljrnpc64.exe5
 
Error: (05/20/2015 08:20:08 PM) (Source: MsiInstaller) (EventID: 11316) (User: BRANDON)
Description: Product: Consumer Input Update Helper -- Error 1316. The specified account already exists.
 
Error: (05/20/2015 08:15:37 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3"1".
Dependent Assembly Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (05/20/2015 08:15:37 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3"1".
Dependent Assembly Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3" could not be found.
Please use sxstrace.exe for detailed diagnosis.
 
Error: (05/20/2015 08:48:16 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: Event provider ProtectionManagement attempted to register query "select * from MSFT_MpEvent" whose target class "MSFT_MpEvent" in //./root/microsoft/protectionManagement namespace does not exist. The query will be ignored.
 
 
System errors:
=============
Error: (05/20/2015 09:20:10 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The globalUpdate Update Service (globalUpdate) service failed to start due to the following error: 
%%2
 
Error: (05/20/2015 09:18:08 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The AODDriver4.2.0 service failed to start due to the following error: 
%%3
 
Error: (05/20/2015 09:03:48 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Update Edu App service failed to start due to the following error: 
%%1053
 
Error: (05/20/2015 09:03:48 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Update Edu App service to connect.
 
Error: (05/20/2015 09:03:45 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Util Edu App service failed to start due to the following error: 
%%1053
 
Error: (05/20/2015 09:03:45 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Util Edu App service to connect.
 
Error: (05/20/2015 09:03:43 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Update Edu App service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
 
Error: (05/20/2015 09:03:42 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Search Protect Service service failed to start due to the following error: 
%%1053
 
Error: (05/20/2015 09:03:42 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Search Protect Service service to connect.
 
Error: (05/20/2015 09:03:40 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Util Edu App service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
 
 
Microsoft Office Sessions:
=========================
Error: (05/20/2015 08:57:01 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iiwjljrnpc64.exe0.0.0.0551bf9eentdll.dll6.3.9600.17736550f4336c000037400000000000f0f2064001d0937a21f553bbC:\Program Files (x86)\coupoon\iiwjljrnpc64.exeC:\WINDOWS\SYSTEM32\ntdll.dll6e9cf871-ff6d-11e4-8262-60a44c601973
 
Error: (05/20/2015 08:56:35 PM) (Source: ServiceEx) (EventID: 1) (User: )
Description: Can't start service: error code 3
 
Error: (05/20/2015 08:56:35 PM) (Source: ServiceEx) (EventID: 1) (User: )
Description: Can't launch C:\WINDOWS\SysWOW64\drivers\eventlogman32.exe.  CreateProcess() returned The system cannot find the file specified.
 
Error: (05/20/2015 08:52:45 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: nse230D.tmp0.0.0.0266c01d093792eebe7674294967295C:\Users\Brandon\AppData\Local\Temp\nse230D.tmpd5a734a6-ff6c-11e4-8261-60a44c601973
 
Error: (05/20/2015 08:21:19 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: 
Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.
 
System Error:
Access is denied.
 
Error: (05/20/2015 08:21:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: iiwjljrnpc64.exe0.0.0.0551bf9eentdll.dll6.3.9600.17736550f4336c000037400000000000f0f20331801d0937530c72be6C:\Program Files (x86)\coupoon\iiwjljrnpc64.exeC:\WINDOWS\SYSTEM32\ntdll.dll71442f06-ff68-11e4-8261-60a44c601973
 
Error: (05/20/2015 08:20:08 PM) (Source: MsiInstaller) (EventID: 11316) (User: BRANDON)
Description: Product: Consumer Input Update Helper -- Error 1316. The specified account already exists.
(NULL)(NULL)(NULL)(NULL)(NULL)
 
Error: (05/20/2015 08:15:37 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3"C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
 
Error: (05/20/2015 08:15:37 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Microsoft.Windows.Networking.RtcDll,language="&#x2a;",processorArchitecture="X86",publicKeyToken="6595b64144ccf1df",type="win32",version="5.2.1002.3"C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe
 
Error: (05/20/2015 08:48:16 AM) (Source: Microsoft-Windows-WMI) (EventID: 24) (User: NT AUTHORITY)
Description: ProtectionManagementselect * from MSFT_MpEventMSFT_MpEvent//./root/microsoft/protectionManagement
 
 
==================== Memory info =========================== 
 
Processor: AMD FX™-8350 Eight-Core Processor 
Percentage of memory in use: 10%
Total physical RAM: 32682.09 MB
Available physical RAM: 29411.66 MB
Total Pagefile: 37546.09 MB
Available Pagefile: 33643.43 MB
Total Virtual: 131072 MB
Available Virtual: 131071.78 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:232.79 GB) (Free:171.92 GB) NTFS
Drive e: () (Fixed) (Total:931.51 GB) (Free:7.92 GB) NTFS
Drive f: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive h: () (Fixed) (Total:93.16 GB) (Free:57.67 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.9 GB) (Disk ID: 93670B51)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.8 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 5DF975FC)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=07 NTFS)
 
========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 93.2 GB) (Disk ID: AD989DEC)
Partition 1: (Active) - (Size=93.2 GB) - (Type=07 NTFS)
 
==================== End Of Log ============================

#4 deeprybka

deeprybka

  • Avatar image
  • Malware Response Team
  • 5,198 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Germany
  • Local time:03:13 AM

Posted 21 May 2015 - 02:54 AM

FRST.txt is missing.
regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 
unite_blue.png
asap.png

#5 Brandon85c

Brandon85c
  • Topic Starter

  • Avatar image
  • Members
  • 10 posts
  • OFFLINE
    •  
  • Local time:06:13 PM

Posted 21 May 2015 - 03:22 AM

kept saying error post to long

Attached Files

  • Attached File  FRST.txt   545.62KB   6 downloads

#6 deeprybka

deeprybka

  • Avatar image
  • Malware Response Team
  • 5,198 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Germany
  • Local time:03:13 AM

Posted 21 May 2015 - 11:17 AM

Hi there,

Step 1
  • Please download and install revouninstaller.pngRevo Uninstaller Free
    note: there is no need to click anything on that page, the download will start automatically
  • Double click Revo Uninstaller to run it
  • From the list of programs double click on the listed program(s) to remove it:
    globalupdate Helper
  • When prompted if you want to uninstall click Yes
  • Be sure the Moderate option is selected then click Next
  • The program will run, If prompted again click Yes
  • When the built-in uninstaller is finished click on Next
  • Once the program has searched for leftovers click Next
  • Check the items in bold only on the list then click Delete
    note: you may have to expand some folders by clicking the "+" mark
  • When prompted click on Yes and then on Next
  • Put a check on any folders that are found and select Delete
  • When prompted select Yes then Next
  • Once done click Finish
Step 2

Please download adwcleaner.png AdwCleaner (by Xplode) and save it to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select "Run As Administrator"
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • After rebooting, a log file (that is saved in C:\AdwCleaner[S#].txt) will open automatically.
    Copy and paste the contents of that logfile in your next reply.
Step 3

v21logo.PNG

Scan with Malwarebytes Anti-Malware.
  • Please open Malwarebytes Anti-Malware and update the database.
  • Click "Settings" [1] and go to "Detection and Protection" [2]
  • Make sure "Scan for Rootkits" is checked.
  • Click on Dashboard [3], then click on Scan Now [4] to start the scan.
    :exclame: If Malware or Potentially Unwanted Programs [PUPs] are found, you will receive a prompt:
    m21p.png
  • Click on "Remove Selected" [5].
  • Then click "Save Results" [6] and select
    m21p4.png
  • Return to our forum. Paste your log into your next reply and then click Finish [7].
mbamv21.gif

Step 4

frst.pngfrstscan.png

Start FRST with administator privileges.
  • Make sure the following option is checked: addition.png
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 
unite_blue.png
asap.png

#7 Brandon85c

Brandon85c
  • Topic Starter

  • Avatar image
  • Members
  • 10 posts
  • OFFLINE
    •  
  • Local time:06:13 PM

Posted 21 May 2015 - 07:08 PM

Step One: Skipped http://prntscr.com/77x6dl
 
 
Step Two:
# AdwCleaner v4.205 - Logfile created 21/05/2015 at 17:06:11
# Updated 21/05/2015 by Xplode
# Database : 2015-05-21.2 [Server]
# Operating system : Windows 8.1 Pro  (x64)
# Username : Brandon - BRANDON
# Running from : E:\ChromeDL\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
[#] Service Deleted : globalUpdate
[#] Service Deleted : globalUpdatem
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\d258e4a500000324
Folder Deleted : C:\Program Files (x86)\globalUpdate
Folder Deleted : C:\Program Files (x86)\predm
Folder Deleted : C:\Program Files (x86)\Super Optimizer
Folder Deleted : C:\Program Files (x86)\StartPoint
Folder Deleted : C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Local\SafeGuard
Folder Deleted : C:\Users\Brandon\AppData\Local\globalUpdate
Folder Deleted : C:\Users\Brandon\AppData\Roaming\Store
Folder Deleted : C:\Users\Brandon\AppData\Roaming\WTools
File Deleted : C:\END
File Deleted : C:\WINDOWS\AppPatch\Custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
File Deleted : C:\Users\Brandon\AppData\Roaming\aWcp3fYrq3B1FXiB2RX
File Deleted : C:\Users\Brandon\AppData\Roaming\slubJ2ww6VeT066
 
***** [ Scheduled tasks ] *****
 
Task Deleted : SmartWeb Upgrade Trigger Task
Task Deleted : StartPoint
Task Deleted : StartPoint Updater
Task Deleted : update-sys
Task Deleted : WindApp Update
Task Deleted : Selection Tools Update
Task Deleted : aWcp3fYrq3B1FXiB2RX
Task Deleted : slubJ2ww6VeT066
Task Deleted : update-S-1-5-21-1980555204-4143441623-2282392220-1001
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\AppID\CptUrlPassthru.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dca-bho.DLL
Key Deleted : HKLM\SOFTWARE\158455db-a500-393e-d1de-6bc61c7bd5b5
Key Deleted : HKLM\SOFTWARE\570b0e6f-488a-467e-a2b7-45e69043cb26
Key Deleted : HKLM\SOFTWARE\6d83195f-c477-4b6f-8073-03c207b3bd83
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{A57F7191-1E7F-4852-BAAF-F80A43E2687A}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{DD7C44CC-0F60-4FD9-A38F-5CF30D698AC2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}
Key Deleted : HKCU\Software\GlobalUpdate
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Store
Key Deleted : HKCU\Software\YorkNewCin
Key Deleted : HKCU\Software\HighDefAction
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\Compete
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\Boost
Key Deleted : HKLM\SOFTWARE\CompeteInc
Key Deleted : HKLM\SOFTWARE\GlobalUpdate
Key Deleted : HKLM\SOFTWARE\InstalledBrowserExtensions
Key Deleted : HKLM\SOFTWARE\SPPDCOM
Key Deleted : HKLM\SOFTWARE\YorkNewCin
Key Deleted : [x64] HKLM\SOFTWARE\InstalledBrowserExtensions
Key Deleted : [x64] HKLM\SOFTWARE\YorkNewCin
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\trovi.com
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Google Chrome v43.0.2357.65
 
 
*************************
 
AdwCleaner[R0].txt - [5066 bytes] - [21/05/2015 17:04:53]
AdwCleaner[S0].txt - [4841 bytes] - [21/05/2015 17:06:11]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4900  bytes] ##########
 

#8 Brandon85c

Brandon85c
  • Topic Starter

  • Avatar image
  • Members
  • 10 posts
  • OFFLINE
    •  
  • Local time:06:13 PM

Posted 21 May 2015 - 07:22 PM

Step Three:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 5/21/2015
Scan Time: 5:09:08 PM
Logfile: 
Administrator: Yes
 
Version: 2.01.6.1022
Malware Database: v2015.05.21.04
Rootkit Database: v2015.05.16.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Brandon
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 346178
Time Elapsed: 5 min, 40 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
Step Four:
 

Attached Files


#9 deeprybka

deeprybka

  • Avatar image
  • Malware Response Team
  • 5,198 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Germany
  • Local time:03:13 AM

Posted 22 May 2015 - 02:42 AM

Step 1

frst.pngfrstfix.png

Press the w8.png + R on your keyboard at the same time. Type notepad and click OK.
  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
C:\ProgramData\4bf6f2c49d004f2aba9c312f14be371c
C:\WINDOWS\SysWOW64\drivers\syscomplus80.exe
C:\ProgramData\Kikblaster
C:\WINDOWS\SysWOW64\drivers\NVACYU~1.EXE 
C:\ProgramData\5ac8bbe84ef54973a48db1c2e820ec2b
C:\WINDOWS\SysWOW64\drivers\KVN398~1.EXE 
C:\Program Files\KMSpico
C:\ProgramData\FlashBeat
Task: {1A6CD6FE-FB0F-419D-B601-87BB11D12D49} - \avabvbxvh No Task File 
Task: {1D1FB722-D354-4EC7-8C89-DDA32A015342} - System32\Tasks\AlaMaintenance => C:\WINDOWS\SysWOW64\drivers\NVACYU~1.EXE [2015-05-15] ()
Task: {37B648E8-9792-4535-B096-376323DB3F64} - System32\Tasks\IJTKKZ => C:\ProgramData\5ac8bbe84ef54973a48db1c2e820ec2b\5ac8bbe84ef54973a48db1c2e820ec2b.exe
Task: {4C61156C-8B12-4EBF-A1B8-77049645993E} - System32\Tasks\Media_System_Platform => C:\WINDOWS\SysWOW64\drivers\KVN398~1.EXE [2015-05-15] ()
Task: {4DBCD115-BBCB-4875-A94D-BA0CE2DFA2C4} - System32\Tasks\PKFWGHDRL1 => C:\ProgramData\FlashBeat\FlashBeat.exe 
Task: {7779881F-BBDA-4CB8-A174-92B9C806B94D} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2014-10-22] (@ByELDI)
Task: {7C93D5DA-1C88-43D5-8852-6085A24E1A3E} - System32\Tasks\OTZRX1 => C:\ProgramData\Kikblaster\Kikblaster.exe
Task: {8E7A06AA-E422-4199-9863-3D9336EE410E} - System32\Tasks\propagation utility manager => C:\WINDOWS\SysWOW64\drivers\syscomplus80.exe
Task: {A430AC5D-C0A5-4F3C-9436-978FBC3EC3F3} - System32\Tasks\ICRNZUSHUQ => C:\ProgramData\4bf6f2c49d004f2aba9c312f14be371c\4bf6f2c49d004f2aba9c312f14be371c.exe
Task: C:\WINDOWS\Tasks\OTZRX1.job => C:\ProgramData\Kikblaster\Kikblaster.exe
Task: C:\WINDOWS\Tasks\PKFWGHDRL1.job => C:\ProgramData\FlashBeat\FlashBeat.exe 
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\Run: [GoogleChromeAutoLaunch_36D1BC24B0BF8F597389900CC2C421B1] => 
C:\Program Files (x86)\Crossbrowse
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1980555204-4143441623-2282392220-1001 -> {25DF0331-57E8-4F0D-8711-A1220FA79E1A} URL = 
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [966288 2014-10-22] (@ByELDI) [File not signed]
S2 AlaPerformance; C:\WINDOWS\SysWOW64\drivers\svchost.exe run [X]
2015-05-20 20:32 - 2015-05-20 20:44 - 00000112 _____ () C:\ProgramData\kwKR316Cd.dat
2015-05-20 20:21 - 2015-05-20 21:07 - 00000000 ____D () C:\Program Files (x86)\bb11f101-c797-45eb-a909-19cc926b3749
2015-05-20 20:21 - 2015-05-20 20:49 - 00000000 ____D () C:\ProgramData\abc
2015-05-20 20:16 - 2015-05-20 20:16 - 00000064 _____ () C:\Users\Brandon\AppData\Local\0b0903fc5c820e56e6828fcfa43bc4a0
2015-05-20 20:16 - 2015-05-20 20:16 - 00000000 ____D () C:\Users\Brandon\Downloads\YTDL
2015-05-20 20:11 - 2015-05-20 20:11 - 00000000 ____D () C:\ProgramData\12db864551ae4c578eb17db1a9f5d3cf
2015-05-20 20:08 - 2013-08-22 06:25 - 00000824 _____ () C:\WINDOWS\system32\Drivers\etc\hp.bak
2015-05-20 20:06 - 2015-05-20 21:07 - 00000000 ____D () C:\Program Files (x86)\5be4c51c-ec94-46a8-ba6b-b31f5f494342
2015-05-20 20:06 - 2015-05-20 20:20 - 00000004 _____ () C:\WINDOWS\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-05-20 20:03 - 2015-05-20 20:03 - 00000156 _____ () C:\WINDOWS\SysWOW64\Drivers\adip58209xxc.sys
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.

Step 2

Please downloadesetlogo.pngOnline Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start installer.pngwith administartor privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the following settings:
settings.png
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed, click on Finish.
  • A log filelog.pngis created at logpath.png
    Copy and paste the content of this log file in your next reply.
esetlog.png

Note: Do not forget to re-enable your antivirus application after running the above scan!
eset.gif
regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 
unite_blue.png
asap.png

#10 Brandon85c

Brandon85c
  • Topic Starter

  • Avatar image
  • Members
  • 10 posts
  • OFFLINE
    •  
  • Local time:06:13 PM

Posted 22 May 2015 - 04:42 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-05-2015
Ran by Brandon at 2015-05-22 02:39:26 Run:1
Running from E:\ChromeDL
Loaded Profiles: Brandon (Available profiles:  & Brandon)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
CloseProcesses:
C:\ProgramData\4bf6f2c49d004f2aba9c312f14be371c
C:\WINDOWS\SysWOW64\drivers\syscomplus80.exe
C:\ProgramData\Kikblaster
C:\WINDOWS\SysWOW64\drivers\NVACYU~1.EXE 
C:\ProgramData\5ac8bbe84ef54973a48db1c2e820ec2b
C:\WINDOWS\SysWOW64\drivers\KVN398~1.EXE 
C:\Program Files\KMSpico
C:\ProgramData\FlashBeat
Task: {1A6CD6FE-FB0F-419D-B601-87BB11D12D49} - \avabvbxvh No Task File 
Task: {1D1FB722-D354-4EC7-8C89-DDA32A015342} - System32\Tasks\AlaMaintenance => C:\WINDOWS\SysWOW64\drivers\NVACYU~1.EXE [2015-05-15] ()
Task: {37B648E8-9792-4535-B096-376323DB3F64} - System32\Tasks\IJTKKZ => C:\ProgramData\5ac8bbe84ef54973a48db1c2e820ec2b\5ac8bbe84ef54973a48db1c2e820ec2b.exe
Task: {4C61156C-8B12-4EBF-A1B8-77049645993E} - System32\Tasks\Media_System_Platform => C:\WINDOWS\SysWOW64\drivers\KVN398~1.EXE [2015-05-15] ()
Task: {4DBCD115-BBCB-4875-A94D-BA0CE2DFA2C4} - System32\Tasks\PKFWGHDRL1 => C:\ProgramData\FlashBeat\FlashBeat.exe 
Task: {7779881F-BBDA-4CB8-A174-92B9C806B94D} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2014-10-22] (@ByELDI)
Task: {7C93D5DA-1C88-43D5-8852-6085A24E1A3E} - System32\Tasks\OTZRX1 => C:\ProgramData\Kikblaster\Kikblaster.exe
Task: {8E7A06AA-E422-4199-9863-3D9336EE410E} - System32\Tasks\propagation utility manager => C:\WINDOWS\SysWOW64\drivers\syscomplus80.exe
Task: {A430AC5D-C0A5-4F3C-9436-978FBC3EC3F3} - System32\Tasks\ICRNZUSHUQ => C:\ProgramData\4bf6f2c49d004f2aba9c312f14be371c\4bf6f2c49d004f2aba9c312f14be371c.exe
Task: C:\WINDOWS\Tasks\OTZRX1.job => C:\ProgramData\Kikblaster\Kikblaster.exe
Task: C:\WINDOWS\Tasks\PKFWGHDRL1.job => C:\ProgramData\FlashBeat\FlashBeat.exe 
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\...\Run: [GoogleChromeAutoLaunch_36D1BC24B0BF8F597389900CC2C421B1] => 
C:\Program Files (x86)\Crossbrowse
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-1980555204-4143441623-2282392220-1001 -> {25DF0331-57E8-4F0D-8711-A1220FA79E1A} URL = 
R2 Service KMSELDI; C:\Program Files\KMSpico\Service_KMS.exe [966288 2014-10-22] (@ByELDI) [File not signed]
S2 AlaPerformance; C:\WINDOWS\SysWOW64\drivers\svchost.exe run [X]
2015-05-20 20:32 - 2015-05-20 20:44 - 00000112 _____ () C:\ProgramData\kwKR316Cd.dat
2015-05-20 20:21 - 2015-05-20 21:07 - 00000000 ____D () C:\Program Files (x86)\bb11f101-c797-45eb-a909-19cc926b3749
2015-05-20 20:21 - 2015-05-20 20:49 - 00000000 ____D () C:\ProgramData\abc
2015-05-20 20:16 - 2015-05-20 20:16 - 00000064 _____ () C:\Users\Brandon\AppData\Local\0b0903fc5c820e56e6828fcfa43bc4a0
2015-05-20 20:16 - 2015-05-20 20:16 - 00000000 ____D () C:\Users\Brandon\Downloads\YTDL
2015-05-20 20:11 - 2015-05-20 20:11 - 00000000 ____D () C:\ProgramData\12db864551ae4c578eb17db1a9f5d3cf
2015-05-20 20:08 - 2013-08-22 06:25 - 00000824 _____ () C:\WINDOWS\system32\Drivers\etc\hp.bak
2015-05-20 20:06 - 2015-05-20 21:07 - 00000000 ____D () C:\Program Files (x86)\5be4c51c-ec94-46a8-ba6b-b31f5f494342
2015-05-20 20:06 - 2015-05-20 20:20 - 00000004 _____ () C:\WINDOWS\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-05-20 20:03 - 2015-05-20 20:03 - 00000156 _____ () C:\WINDOWS\SysWOW64\Drivers\adip58209xxc.sys
*****************
 
Processes closed successfully.
C:\ProgramData\4bf6f2c49d004f2aba9c312f14be371c => Moved successfully.
"C:\WINDOWS\SysWOW64\drivers\syscomplus80.exe" => File/Directory not found.
"C:\ProgramData\Kikblaster" => File/Directory not found.
C:\WINDOWS\SysWOW64\drivers\NVACYU~1.EXE => Moved successfully.
C:\ProgramData\5ac8bbe84ef54973a48db1c2e820ec2b => Moved successfully.
C:\WINDOWS\SysWOW64\drivers\KVN398~1.EXE => Moved successfully.
C:\Program Files\KMSpico => Moved successfully.
"C:\ProgramData\FlashBeat" => File/Directory not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1A6CD6FE-FB0F-419D-B601-87BB11D12D49}" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1A6CD6FE-FB0F-419D-B601-87BB11D12D49}" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\avabvbxvh" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1D1FB722-D354-4EC7-8C89-DDA32A015342}" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D1FB722-D354-4EC7-8C89-DDA32A015342}" => Key Deleted successfully.
C:\Windows\System32\Tasks\AlaMaintenance => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AlaMaintenance" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{37B648E8-9792-4535-B096-376323DB3F64}" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{37B648E8-9792-4535-B096-376323DB3F64}" => Key Deleted successfully.
C:\Windows\System32\Tasks\IJTKKZ => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\IJTKKZ" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4C61156C-8B12-4EBF-A1B8-77049645993E}" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4C61156C-8B12-4EBF-A1B8-77049645993E}" => Key Deleted successfully.
C:\Windows\System32\Tasks\Media_System_Platform => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Media_System_Platform" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4DBCD115-BBCB-4875-A94D-BA0CE2DFA2C4}" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4DBCD115-BBCB-4875-A94D-BA0CE2DFA2C4}" => Key Deleted successfully.
C:\Windows\System32\Tasks\PKFWGHDRL1 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PKFWGHDRL1" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7779881F-BBDA-4CB8-A174-92B9C806B94D}" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7779881F-BBDA-4CB8-A174-92B9C806B94D}" => Key Deleted successfully.
C:\Windows\System32\Tasks\AutoPico Daily Restart => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoPico Daily Restart" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{7C93D5DA-1C88-43D5-8852-6085A24E1A3E}" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7C93D5DA-1C88-43D5-8852-6085A24E1A3E}" => Key Deleted successfully.
C:\Windows\System32\Tasks\OTZRX1 => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\OTZRX1" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{8E7A06AA-E422-4199-9863-3D9336EE410E}" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8E7A06AA-E422-4199-9863-3D9336EE410E}" => Key Deleted successfully.
C:\Windows\System32\Tasks\propagation utility manager => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\propagation utility manager" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A430AC5D-C0A5-4F3C-9436-978FBC3EC3F3}" => Key Deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A430AC5D-C0A5-4F3C-9436-978FBC3EC3F3}" => Key Deleted successfully.
C:\Windows\System32\Tasks\ICRNZUSHUQ => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ICRNZUSHUQ" => Key Deleted successfully.
C:\WINDOWS\Tasks\OTZRX1.job => Moved successfully.
C:\WINDOWS\Tasks\PKFWGHDRL1.job => Moved successfully.
HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_36D1BC24B0BF8F597389900CC2C421B1 => value Deleted successfully.
"C:\Program Files (x86)\Crossbrowse" => File/Directory not found.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key Deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value Deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value Deleted successfully.
"HKU\S-1-5-21-1980555204-4143441623-2282392220-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{25DF0331-57E8-4F0D-8711-A1220FA79E1A}" => Key Deleted successfully.
HKCR\CLSID\{25DF0331-57E8-4F0D-8711-A1220FA79E1A} => Key not found. 
Service KMSELDI => Service Deleted successfully.
AlaPerformance => Service Deleted successfully.
C:\ProgramData\kwKR316Cd.dat => Moved successfully.
C:\Program Files (x86)\bb11f101-c797-45eb-a909-19cc926b3749 => Moved successfully.
C:\ProgramData\abc => Moved successfully.
C:\Users\Brandon\AppData\Local\0b0903fc5c820e56e6828fcfa43bc4a0 => Moved successfully.
C:\Users\Brandon\Downloads\YTDL => Moved successfully.
C:\ProgramData\12db864551ae4c578eb17db1a9f5d3cf => Moved successfully.
C:\WINDOWS\system32\Drivers\etc\hp.bak => Moved successfully.
C:\Program Files (x86)\5be4c51c-ec94-46a8-ba6b-b31f5f494342 => Moved successfully.
C:\WINDOWS\SysWOW64\029B560A371F4E00AB32838EBC01B9E7 => Moved successfully.
C:\WINDOWS\SysWOW64\Drivers\adip58209xxc.sys => Moved successfully.
 
 
The system needed a reboot. 
 
==== End of Fixlog 02:39:28 ====

#11 Brandon85c

Brandon85c
  • Topic Starter

  • Avatar image
  • Members
  • 10 posts
  • OFFLINE
    •  
  • Local time:06:13 PM

Posted 22 May 2015 - 10:02 AM

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=db49fa69d02f754498556790d952a55e
# engine=23969
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-05-22 10:50:20
# local_time=2015-05-22 03:50:20 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT 
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 0 9287812 0 0
# scanned=343289
# found=31
# cleaned=0
# scan_time=3995
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\$Recycle.Bin\S-1-5-21-1980555204-4143441623-2282392220-1001\$R6EJTPF.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\$Recycle.Bin\S-1-5-21-1980555204-4143441623-2282392220-1001\$RNB2XEG.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\$Recycle.Bin\S-1-5-21-1980555204-4143441623-2282392220-1001\$RXXB97E.exe"
sh=6E5C86AA57710A5845C5ED4FB7DABC58186C1656 ft=1 fh=f4dcb4581dd9e2dc vn="a variant of Win32/Adware.SpeedingUpMyPC.AG application" ac=I fn="C:\AdwCleaner\Quarantine\C\Program Files (x86)\Super Optimizer\SuperOptimizer.exe.vir"
sh=C55AE2BA1EDED228F945326A8406BBDEFAE19920 ft=1 fh=dd04cefc7d6d18b5 vn="a variant of MSIL/HackTool.IdleKMS.E potentially unsafe application" ac=I fn="C:\FRST\Quarantine\C\Program Files\KMSpico\AutoPico.exe"
sh=C1D551A95B01A88A7B9326FC23C015FEF7CEF426 ft=1 fh=2c64bb280d1095cd vn="a variant of MSIL/HackTool.IdleKMS.E potentially unsafe application" ac=I fn="C:\FRST\Quarantine\C\Program Files\KMSpico\KMSELDI.exe"
sh=0B9FE73ABD042BA3E135FE8B1954DD86CEDA8DC6 ft=1 fh=515a67e973f686ae vn="a variant of MSIL/HackTool.IdleKMS.E potentially unsafe application" ac=I fn="C:\FRST\Quarantine\C\Program Files\KMSpico\Service_KMS.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\FRST\Quarantine\C\WINDOWS\SysWOW64\drivers\KVN398~1.EXE.xBAD"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\FRST\Quarantine\C\WINDOWS\SysWOW64\drivers\NVACYU~1.EXE.xBAD"
sh=A59BE4399120B23C921089DC8FB99069F1056535 ft=1 fh=be80ee32f1ff1445 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\syscomplus80.exe"
sh=6EF8310627537B1D24409574BC3C398CD97C474C ft=1 fh=8f545065e84edd76 vn="Win64/HackKMS.D potentially unsafe application" ac=I fn="C:\Windows\SECOH-QAD.dll"
sh=66C72019EAFA41BBF3E708CC3824C7C4447BDAB6 ft=1 fh=0a46a8abafa4da1b vn="Win64/HackKMS.C potentially unsafe application" ac=I fn="C:\Windows\SECOH-QAD.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\System32\drivers\msconfigvm.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\System32\drivers\sysdriver32l.exe"
sh=A59BE4399120B23C921089DC8FB99069F1056535 ft=1 fh=be80ee32f1ff1445 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\System32\drivers\UMDF\en-US\eventlogman32.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\SysWOW64\drivers\msconfigvm.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\SysWOW64\drivers\sysdriver32l.exe"
sh=A59BE4399120B23C921089DC8FB99069F1056535 ft=1 fh=be80ee32f1ff1445 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\SysWOW64\drivers\UMDF\en-US\eventlogman32.exe"
sh=B94B7F47A3C5383E33CB7D9A42206FF7532B9D9F ft=1 fh=5d7deace12c95cdd vn="multiple threats" ac=I fn="C:\Windows\Temp\fdrjbx.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\Temp\aigamp\er.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\Temp\cgciqb\er.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\Temp\fhszhk\er.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\Temp\ikwsjv\er.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\Temp\jyqfcs\NVACYU~1.EXE"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\Temp\swizjn\er.exe"
sh=CB8CCE71D51AA247639466A1CE8A3603AFAC87CD ft=1 fh=c71c00113c663fd9 vn="Win32/Packed.Autoit.H potentially unwanted application" ac=I fn="C:\Windows\Temp\xzqqvl\NVACYU~1.EXE"
sh=7669F3D56E0CD22381C7EACE00B9D3B1DD41BF07 ft=1 fh=fc296988becdd3eb vn="Win32/Somoto.Q potentially unwanted application" ac=I fn="E:\$RECYCLE.BIN\S-1-5-21-1980555204-4143441623-2282392220-1001\$RU569XH.exe"
sh=95515E5CD54F8D3B375FAFB34E53C0C1D2E7C344 ft=1 fh=00a7bfbc17a0357b vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application" ac=I fn="E:\$RECYCLE.BIN\S-1-5-21-1980555204-4143441623-2282392220-1001\$RUWBDCV.exe"
sh=03F4EF7A4523C0359D8549214740A6FE22280892 ft=1 fh=93f1d9a58679fc37 vn="a variant of MSIL/HackTool.IdleKMS.E potentially unsafe application" ac=I fn="E:\$RECYCLE.BIN\S-1-5-21-1980555204-4143441623-2282392220-1001\$RLM76R8\KMSpico Install\KMSpico_setup.exe"
sh=C55AE2BA1EDED228F945326A8406BBDEFAE19920 ft=1 fh=dd04cefc7d6d18b5 vn="a variant of MSIL/HackTool.IdleKMS.E potentially unsafe application" ac=I fn="E:\$RECYCLE.BIN\S-1-5-21-1980555204-4143441623-2282392220-1001\$RLM76R8\KMSpico Portable\AutoPico.exe"
sh=90D0C5A8F93AA2DC2789CDF58EFD55E7D2687368 ft=0 fh=0000000000000000 vn="MSIL/HackTool.IdleKMS.C potentially unsafe application" ac=I fn="E:\Download\Windows_8.1_Pro_X64_Activated.iso"
 
 
 
that did take a while!

Edited by Brandon85c, 22 May 2015 - 10:05 AM.

#12 deeprybka

deeprybka

  • Avatar image
  • Malware Response Team
  • 5,198 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Germany
  • Local time:03:13 AM

Posted 22 May 2015 - 10:04 AM

Please post the log as instructed.
regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 
unite_blue.png
asap.png

#13 Brandon85c

Brandon85c
  • Topic Starter

  • Avatar image
  • Members
  • 10 posts
  • OFFLINE
    •  
  • Local time:06:13 PM

Posted 22 May 2015 - 01:34 PM

hehe i edited it right after you posted that sorry about that


#14 deeprybka

deeprybka

  • Avatar image
  • Malware Response Team
  • 5,198 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Germany
  • Local time:03:13 AM

Posted 22 May 2015 - 03:19 PM

Step 1

frst.pngfrstfix.png

Press the w8.png + R on your keyboard at the same time. Type notepad and click OK.
  • Copy the entire content of the codebox below and paste into the notepad document:
    CloseProcesses:
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\syscomplus80.exe
C:\Windows\SECOH-QAD.dll
C:\Windows\SECOH-QAD.exe
C:\Windows\System32\drivers\msconfigvm.exe
C:\Windows\System32\drivers\sysdriver32l.exe
C:\Windows\System32\drivers\UMDF\en-US\eventlogman32.exe
C:\Windows\SysWOW64\drivers\msconfigvm.exe
C:\Windows\SysWOW64\drivers\sysdriver32l.exe
C:\Windows\SysWOW64\drivers\UMDF\en-US\eventlogman32.exe
CreateRestorePoint:
EmptyTemp:
  • Click File, Save As and type fixlist.txt as the File Name.
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!
  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.
Please post it to your reply.


lesestoff.png

Can you please tell me which problems still persist now?
regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 
unite_blue.png
asap.png

#15 Brandon85c

Brandon85c
  • Topic Starter

  • Avatar image
  • Members
  • 10 posts
  • OFFLINE
    •  
  • Local time:06:13 PM

Posted 23 May 2015 - 06:28 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-05-2015
Ran by Brandon at 2015-05-23 16:26:34 Run:2
Running from E:\ChromeDL
Loaded Profiles: Brandon &  (Available profiles:  & Brandon)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
CloseProcesses:
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\syscomplus80.exe
C:\Windows\SECOH-QAD.dll
C:\Windows\SECOH-QAD.exe
C:\Windows\System32\drivers\msconfigvm.exe
C:\Windows\System32\drivers\sysdriver32l.exe
C:\Windows\System32\drivers\UMDF\en-US\eventlogman32.exe
C:\Windows\SysWOW64\drivers\msconfigvm.exe
C:\Windows\SysWOW64\drivers\sysdriver32l.exe
C:\Windows\SysWOW64\drivers\UMDF\en-US\eventlogman32.exe
CreateRestorePoint:
EmptyTemp:
*****************
 
Processes closed successfully.
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\syscomplus80.exe => Moved successfully.
C:\Windows\SECOH-QAD.dll => Moved successfully.
C:\Windows\SECOH-QAD.exe => Moved successfully.
"C:\Windows\System32\drivers\msconfigvm.exe" => File/Directory not found.
"C:\Windows\System32\drivers\sysdriver32l.exe" => File/Directory not found.
"C:\Windows\System32\drivers\UMDF\en-US\eventlogman32.exe" => File/Directory not found.
C:\Windows\SysWOW64\drivers\msconfigvm.exe => Moved successfully.
C:\Windows\SysWOW64\drivers\sysdriver32l.exe => Moved successfully.
C:\Windows\SysWOW64\drivers\UMDF\en-US\eventlogman32.exe => Moved successfully.
Restore point was successfully created.
EmptyTemp: => Removed 862.1 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 16:26:44 ====

Back to Virus, Trojan, Spyware, and Malware Removal Help


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users


  1. BleepingComputer Forums
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Help
  4. Privacy Policy
  5. Rules ·