
Respectsale Removal Help


  • This topic is locked
18 replies to this topic

#1 PapaChewbacca

PapaChewbacca

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:47 PM

Posted 12 June 2015 - 08:30 PM

Hi there! Over the past couple of days I have been plagued by this godforsaken malware called Respectsale. I have tried uninstalling it but I can't find the software anywhere! It's not in my Google Chrome extensions either! I had to wipe my computer a few months back and now I am low on money since I just bought a plane ticket back home, which is why I do not have an antivirus installed. If anyone can help me I would be very grateful, for this malware has been slowing down my laptop quite a bit lately. Thank you in advance.


#2 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:47 AM

Posted 12 June 2015 - 09:52 PM

Hello and welcome to Bleeping Computer! My nickname is Pystryker :) , and I will be helping you with your issue today.


Before we get started, I have a few things I need to go over with you:
  • If you are receiving help for this issue at another forum, please let me know so I can close this thread.
  • Please download and run all requested tools from your Desktop.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.
  • At the top of your post, please click on the "Follow this topic" button and make sure that the "Received notification" box is checked and set to "Instantly". This will send an email to you as soon as I reply to your topic, allowing us to solve your problem faster.
  • If any of your security programs give you a warning about any tool I ask you to use, please do not worry. All the links and tools I provide to you will be safe.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • This is a complicated process. It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. I promise to do the same for you.
  • It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Therefore, I highly recommend you backup any critical personal files on your machine before we start.
  • If you have any questions at all, please don't hesitate to ask. There's no such thing as a stupid question when dealing with malware.
  • If you are unsure of an instruction I give you, or if something unexpected occurs, Do NOT proceed! Stop and ask for clarification of the instruction or tell me what occurred.
  • Please remember, the fixes are for your machine and your machine ONLY! Do not use these fixes on any other machine, each fix is tailor made for your system only. Using a fix on another machine can and will cause serious damage.
  • Once we have cleaned your machine, we'll have some cleanup and prevention steps to go through. We will also provide you with some information about how to reduce your chances of infection and get some protections in place to help defend you against this in the future.
  • Please be patient while I am analyzing your logs. I know you are probably scared and very frustrated with this problem, but I am a volunteer and sometimes life does get in the way. :)
Now, let's get started, shall we? :thumbsup:


Hello, let's get a look at your system and see what's going on. :)


Step 1: Scan with Farbar's Recovery Scan Tool (FRST)

Please disable your antivirus for the duration of my instructions. Don't forget to re-enable it after you have completed the steps.


Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • Place a check in the box marked Addition.txt
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.
Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

FRST Log

Addition.txt Log

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.
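The helper reads the FRST.txt and Addition.txt logs by eye. As an added example (not part of this thread, and not a Farbar or Bleeping Computer tool), here is a small Python triage script that parses the section layout of an FRST.txt and lists the entries an analyst checks first: FRST's own ATTENTION tags, unsigned or publisher-less services and drivers, autostart shortcuts whose target file is missing, and paths under GUID-named ProgramData folders. The inline sample log is constructed from FRST's line formats; the pattern and function names are the example's own.

```python
"""FRST.txt triage helper (added example; not a Farbar or Bleeping Computer tool).

FRST writes its report as named sections delimited by rows of '=' signs and
marks entries it considers unusual with an "ATTENTION" tag.  This script walks
a log section by section and lists the entries an analyst reads first.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# "==================== Services (Whitelisted) =================" -> section name
SECTION_RE = re.compile(r"^=+\s*([^=].*?)\s*=+$")
ATTENTION_RE = re.compile(r"<=+\s*ATTENTION")
UNSIGNED_RE = re.compile(r"\[File not signed\]")
NOFILE_RE = re.compile(r"\(No File\)")
# FRST prints the publisher from the file's version info in parentheses:
# process lines start with it ("() C:\...") and service/driver lines carry it
# right after the "[size date]" bracket ("[8016275 2015-06-06] ()").
EMPTY_PUBLISHER_RE = re.compile(r"(?:^\(\)\s)|(?:\]\s+\(\)(?:\s|$))")
GUID_DIR_RE = re.compile(r"\\ProgramData\\\{[0-9a-f-]{36}\}", re.IGNORECASE)

RULES = [
    (ATTENTION_RE, "tagged ATTENTION by FRST itself"),
    (UNSIGNED_RE, "binary is not digitally signed"),
    (NOFILE_RE, "autostart entry points at a file that no longer exists"),
    (EMPTY_PUBLISHER_RE, "no publisher in the file's version info"),
    (GUID_DIR_RE, "path is under a GUID-named folder in ProgramData"),
]


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line, remembering the current section header,
    and emit one Finding per (line, matching rule) pair."""
    findings: List[Finding] = []
    section = "(preamble)"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        for pattern, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(section, reason, line))
    return findings


def flagged_lines(log_text: str) -> Dict[str, List[str]]:
    """Group findings so each suspicious line maps to every reason it was hit."""
    grouped: Dict[str, List[str]] = {}
    for f in triage(log_text):
        grouped.setdefault(f.line, []).append(f.reason)
    return grouped


# Constructed sample: a handful of lines in FRST's own format, adapted from the
# kinds of entries that appear in the log posted later in this thread.
SAMPLE_LOG = r"""
==================== Processes (Whitelisted) =================

(Microsoft Corporation) C:\Windows\System32\dasHost.exe
() C:\Program Files (x86)\Excited Art\Excited Art.exe

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-02-12] (Apple Inc.)
ShortcutTarget: Curse.lnk -> C:\Users\User\AppData\Roaming\Curse Client\Bin\Curse.exe (Curse, Inc)
ShortcutTarget: Download.lnk -> C:\ProgramData\{4f7f6b43-0d72-e2ac-4f7f-f6b430d7ad0c}\Download.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Services (Whitelisted) =================

R2 Excited Art; C:\Program Files (x86)\Excited Art\Excited Art.exe [8016275 2015-06-06] () [File not signed] <==== ATTENTION
R2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9216 2015-03-12] (Hi-Rez Studios) [File not signed]
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [186560 2015-01-30] ()
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
"""

if __name__ == "__main__":
    import sys
    # Pass a real FRST.txt path as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for line, reasons in flagged_lines(text).items():
        print(line)
        for reason in reasons:
            print("    -", reason)
```

On the sample, six lines are flagged, with the unsigned, publisher-less "Excited Art" service hit by three rules at once; a known-good entry such as Windows Defender's NisSrv.exe is never listed.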





#3 PapaChewbacca

PapaChewbacca
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:11:47 PM

Posted 14 June 2015 - 05:06 PM

Hi! Sorry for the late reply, but here are my logs

 

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-06-2015
Ran by Ariel Hardiyanto (administrator) on ARIELHARDIYANTO on 14-06-2015 14:51:31
Running from C:\Users\Ariel Hardiyanto\Downloads
Loaded Profiles: Ariel Hardiyanto (Available Profiles: Ariel Hardiyanto)
Platform: Windows 8.1 Single Language (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\Excited Art\Excited Art.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
() C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Curse, Inc) C:\Users\Ariel Hardiyanto\AppData\Roaming\Curse Client\Bin\Curse.exe
(Razer Inc.) C:\Program Files (x86)\Razer\Razer Cortex\main.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Hi-Rez Studios) C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2673296 2015-04-08] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [169768 2015-02-12] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [508800 2014-12-17] (Oracle Corporation)
HKLM-x32\...\Run: [RazerCortex] => C:\Program Files (x86)\Razer\Razer Cortex\RazerCortex.exe [98256 2015-01-25] (Razer Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [amd_dc_opt] => C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKU\S-1-5-21-2490194775-2778516244-1439768383-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2892992 2015-06-04] (Valve Corporation)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [175880 2015-04-08] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [154256 2015-04-08] (NVIDIA Corporation)
Startup: C:\Users\Ariel Hardiyanto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Curse.lnk [2015-03-07]
ShortcutTarget: Curse.lnk -> C:\Users\Ariel Hardiyanto\AppData\Roaming\Curse Client\Bin\Curse.exe (Curse, Inc)
Startup: C:\Users\Ariel Hardiyanto\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Download The Escapists v1.0 Full Release Torrent - KickassTorrents.lnk [2015-04-11]
ShortcutTarget: Download The Escapists v1.0 Full Release Torrent - KickassTorrents.lnk -> C:\ProgramData\{4f7f6b43-0d72-e2ac-4f7f-f6b430d7ad0c}\Download The Escapists v1.0 Full Release Torrent - KickassTorrents.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKU\S-1-5-21-2490194775-2778516244-1439768383-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

FireFox:
========
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll [2015-02-28] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2014-10-29] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-02-28] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-02-28] (Oracle Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\Ariel Hardiyanto\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\Ariel Hardiyanto\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-06-12]
CHR Extension: (Google Docs) - C:\Users\Ariel Hardiyanto\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-06-12]
CHR Extension: (Google Drive) - C:\Users\Ariel Hardiyanto\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-06-12]
CHR Extension: (YouTube) - C:\Users\Ariel Hardiyanto\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-06-12]
CHR Extension: (Google Search) - C:\Users\Ariel Hardiyanto\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-06-12]
CHR Extension: (Google Sheets) - C:\Users\Ariel Hardiyanto\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-06-12]
CHR Extension: (Gmail) - C:\Users\Ariel Hardiyanto\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-06-12]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77128 2015-01-19] (Apple Inc.)
S2 BcmBtRSupport; C:\Windows\system32\BtwRSupportService.exe [2252504 2013-09-04] (Broadcom Corporation.)
S3 BthHFSrv; C:\Windows\System32\BthHFSrv.dll [324608 2014-11-20] (Microsoft Corporation)
R2 Excited Art; C:\Program Files (x86)\Excited Art\Excited Art.exe [8016275 2015-06-06] () [File not signed] <==== ATTENTION
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1152144 2015-04-08] (NVIDIA Corporation)
R2 HiPatchService; C:\Program Files (x86)\Hi-Rez Studios\HiPatchService.exe [9216 2015-03-12] (Hi-Rez Studios) [File not signed]
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319376 2014-10-01] (Intel Corporation)
S2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1871160 2015-04-14] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1080120 2015-04-14] (Malwarebytes Corporation)
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1878672 2015-04-08] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [22995600 2015-04-08] (NVIDIA Corporation)
R2 Razer Game Scanner Service; C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe [186560 2015-01-30] ()
R2 RzKLService; C:\Program Files (x86)\Razer\Razer Cortex\RzKLService.exe [129168 2015-01-25] (Razer Inc.)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 bcbtums; C:\Windows\system32\drivers\bcbtums.sys [170712 2013-09-04] (Broadcom Corporation.)
R3 BCM43XX; C:\Windows\system32\DRIVERS\bcmwl63a.sys [8536752 2013-07-01] (Broadcom Corporation)
R3 BthLEEnum; C:\Windows\system32\DRIVERS\BthLEEnum.sys [226304 2014-11-20] (Microsoft Corporation)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-04-14] (Malwarebytes Corporation)
S3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-04-14] (Malwarebytes Corporation)
R1 MpKsleda84ec9; C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B450D161-9E54-481B-9F54-421A6B00E993}\MpKsleda84ec9.sys [45352 2015-06-12] (Microsoft Corporation)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19600 2015-04-08] (NVIDIA Corporation)
R3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [38032 2014-11-22] (NVIDIA Corporation)
R2 rzpmgrk; C:\Windows\system32\drivers\rzpmgrk.sys [37184 2015-01-30] (Razer, Inc.)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
R4 cbfs3; \SystemRoot\System32\drivers\cbfs3.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-14 14:51 - 2015-06-14 14:51 - 00013120 _____ C:\Users\Ariel Hardiyanto\Downloads\FRST.txt
2015-06-14 14:37 - 2015-06-14 14:39 - 00013345 _____ C:\Users\Ariel Hardiyanto\Desktop\FRST.txt
2015-06-14 14:36 - 2015-06-14 14:51 - 00000000 ____D C:\FRST
2015-06-14 14:35 - 2015-06-14 14:34 - 02109952 _____ (Farbar) C:\Users\Ariel Hardiyanto\Desktop\FRST64.exe
2015-06-14 14:33 - 2015-06-14 14:34 - 02109952 _____ (Farbar) C:\Users\Ariel Hardiyanto\Downloads\FRST64.exe
2015-06-13 00:15 - 2015-06-13 00:15 - 00000000 ____D C:\Rbackup
2015-06-13 00:14 - 2015-06-13 00:14 - 00000791 _____ C:\Users\Ariel Hardiyanto\Desktop\Perfect Uninstaller.lnk
2015-06-13 00:14 - 2015-06-13 00:14 - 00000042 _____ C:\Windows\SysWOW64\AK083E209605E394C.lie
2015-06-13 00:11 - 2015-06-13 00:12 - 02669808 _____ (www.PerfectUninstaller.net ) C:\Users\Ariel Hardiyanto\Downloads\PerfectUninstaller_Setup.exe
2015-06-09 15:46 - 2015-06-09 15:46 - 367144970 _____ C:\Windows\MEMORY.DMP
2015-06-09 15:46 - 2015-06-09 15:46 - 00323712 _____ C:\Windows\Minidump\060915-25625-01.dmp
2015-06-09 15:46 - 2015-06-09 15:46 - 00000000 ____D C:\Windows\Minidump
2015-06-07 19:22 - 2015-06-13 22:08 - 00136408 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-06-07 19:22 - 2015-06-07 19:22 - 00001118 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-07 19:22 - 2015-06-07 19:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-07 19:22 - 2015-06-07 19:22 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-06-07 19:22 - 2015-06-07 19:22 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-06-07 19:22 - 2015-04-14 09:38 - 00064216 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-07 19:22 - 2015-04-14 09:37 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-07 19:22 - 2015-04-14 09:37 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-07 19:21 - 2015-06-07 19:21 - 21546080 _____ (Malwarebytes Corporation ) C:\Users\Ariel Hardiyanto\Downloads\mbam-setup-2.1.6.1022.exe
2015-06-07 13:41 - 2015-06-07 22:32 - 00000000 ____D C:\Program Files (x86)\LinkProc
2015-06-07 13:39 - 2015-06-13 19:39 - 00000408 _____ C:\Windows\Tasks\MagnumSubs.job
2015-06-07 13:39 - 2015-06-07 19:39 - 00000000 ____D C:\ProgramData\{23d55207-8edf-b478-23d5-552078ed481e}
2015-06-07 13:39 - 2015-06-07 13:39 - 00004096 _____ C:\Windows\SysWOW64\ntwdblib.dll
2015-06-07 13:39 - 2015-06-07 13:39 - 00003316 _____ C:\Windows\System32\Tasks\MagnumSubs
2015-06-06 18:46 - 2015-06-06 18:46 - 00000000 ____D C:\Program Files (x86)\Excited Art
2015-06-06 10:09 - 2015-06-09 22:58 - 00000000 ____D C:\Users\Ariel Hardiyanto\Desktop\Fallout New Vegas Backups
2015-06-03 17:00 - 2015-06-03 17:00 - 00000000 ____D C:\Users\Ariel Hardiyanto\AppData\Local\FalloutNV
2015-06-03 16:50 - 2015-06-03 16:50 - 00000221 _____ C:\Users\Ariel Hardiyanto\Desktop\Fallout New Vegas.url
2015-05-20 17:46 - 2015-06-13 23:09 - 00000024 _____ C:\Users\Ariel Hardiyanto\AppData\Roaming\appdataFr25.bin
2015-05-15 20:32 - 2015-05-15 20:32 - 00000230 _____ C:\ProgramData\HirezPipeError.txt
2015-05-15 19:24 - 2015-05-15 19:24 - 00001836 _____ C:\Users\Public\Desktop\Smite.lnk

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-06-14 14:40 - 2015-02-28 21:15 - 00003998 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{E7432CF3-064A-4976-8A7B-211DBF0EC5E6}
2015-06-14 14:40 - 2015-02-28 21:12 - 01309541 _____ C:\Windows\WindowsUpdate.log
2015-06-14 10:30 - 2015-03-13 15:31 - 00000000 ____D C:\Program Files (x86)\Steam
2015-06-13 22:59 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\AppReadiness
2015-06-13 15:46 - 2015-02-28 21:19 - 00003600 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2490194775-2778516244-1439768383-1001
2015-06-12 18:19 - 2015-03-01 21:01 - 00000000 ____D C:\Program Files (x86)\iExplorer
2015-06-12 13:09 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\sru
2015-06-11 22:42 - 2015-02-28 21:13 - 00000000 ____D C:\Users\Ariel Hardiyanto
2015-06-11 22:42 - 2013-08-22 07:46 - 00034956 _____ C:\Windows\setupact.log
2015-06-11 22:42 - 2013-08-22 07:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-10 21:52 - 2015-03-07 02:13 - 00000000 ____D C:\Users\Ariel Hardiyanto\AppData\Roaming\Curse Client
2015-06-09 15:46 - 2014-11-20 21:31 - 00019232 _____ C:\Windows\PFRO.log
2015-06-07 23:16 - 2013-08-22 08:43 - 00000000 ____D C:\Windows\DigitalLocker
2015-06-07 22:32 - 2015-04-11 01:12 - 00000000 ____D C:\ProgramData\{4f7f6b43-0d72-e2ac-4f7f-f6b430d7ad0c}
2015-06-07 13:41 - 2015-04-21 17:14 - 00000000 ____D C:\Program Files (x86)\decodit
2015-06-07 13:41 - 2015-04-21 17:12 - 00000000 ____D C:\ProgramData\14725749606637155111
2015-06-03 16:57 - 2015-02-28 22:56 - 00080329 _____ C:\Windows\DirectX.log
2015-06-03 16:46 - 2015-02-28 22:56 - 00000000 ____D C:\Users\Ariel Hardiyanto\Documents\My Games
2015-05-29 22:22 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\system32\NDF
2015-05-25 16:41 - 2015-02-28 21:18 - 00002193 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-05-15 20:32 - 2015-02-28 21:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hi-Rez Studios
2015-05-15 19:17 - 2015-04-21 20:59 - 00000020 _____ C:\Users\Ariel Hardiyanto\AppData\Roaming\appdataFr3.bin

==================== Files in the root of some directories =======

2015-05-20 17:46 - 2015-06-13 23:09 - 0000024 _____ () C:\Users\Ariel Hardiyanto\AppData\Roaming\appdataFr25.bin
2015-04-21 20:59 - 2015-05-15 19:17 - 0000020 _____ () C:\Users\Ariel Hardiyanto\AppData\Roaming\appdataFr3.bin
2015-05-23 13:12 - 2015-06-07 19:07 - 0011864 _____ () C:\Users\Ariel Hardiyanto\AppData\Local\Temp-log.txt
2015-05-15 20:32 - 2015-05-15 20:32 - 0000230 _____ () C:\ProgramData\HirezPipeError.txt

Some files in TEMP:
====================
C:\Users\Ariel Hardiyanto\AppData\Local\Temp\HiPatchSelfUpdateWindow.exe
C:\Users\Ariel Hardiyanto\AppData\Local\Temp\HiRezLauncherControls.dll
C:\Users\Ariel Hardiyanto\AppData\Local\Temp\jre-8u45-windows-au.exe
C:\Users\Ariel Hardiyanto\AppData\Local\Temp\ntwdblib.dll
C:\Users\Ariel Hardiyanto\AppData\Local\Temp\setacl.exe

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-06-12 13:31

==================== End of log ============================


and here is my Addition.txt:

Additional scan result of Farbar Recovery Scan Tool (x64) Version:13-06-2015
Ran by Ariel Hardiyanto at 2015-06-14 14:52:10
Running from C:\Users\Ariel Hardiyanto\Downloads
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2490194775-2778516244-1439768383-500 - Administrator - Disabled)
Ariel Hardiyanto (S-1-5-21-2490194775-2778516244-1439768383-1001 - Administrator - Enabled) => C:\Users\Ariel Hardiyanto
Guest (S-1-5-21-2490194775-2778516244-1439768383-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-2490194775-2778516244-1439768383-1001\...\uTorrent) (Version: 3.4.3.39944 - BitTorrent Inc.)
Adobe Flash Player 10 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 10.3.183.90 - Adobe Systems Incorporated)
Apple Mobile Device Support (HKLM\...\{C4123106-B685-48E6-B9BD-E4F911841EB4}) (Version: 8.1.1.3 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
Batman: Arkham City GOTY (HKLM-x32\...\Steam App 200260) (Version:  - Rocksteady Studios)
Batman™: Arkham Origins (HKLM-x32\...\Steam App 209000) (Version:  - WB Games Montreal)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Borderlands 2 (HKLM-x32\...\Steam App 49520) (Version:  - Gearbox Software)
Counter-Strike: Global Offensive (HKLM-x32\...\Steam App 730) (Version:  - Valve)
Curse (HKLM-x32\...\{DEE70742-F4E9-44CA-B2B9-EE95DCF37295}) (Version: 6.0.0.0 - Curse)
Dota 2 (HKLM-x32\...\Steam App 570) (Version:  - Valve)
Dual-Core Optimizer (HKLM-x32\...\{9FD6F1A8-5550-46AF-8509-271DF0E768B5}) (Version: 1.1.4.0169 - AMD)
Dukungan Aplikasi Apple (32-bit) (HKLM-x32\...\{447CDCE5-F555-429B-BFA6-642C3C6D684F}) (Version: 3.1.2 - Apple Inc.)
Dukungan Aplikasi Apple (64-bit) (HKLM\...\{0DF7096B-715A-4233-8633-C7A16ED6D616}) (Version: 3.1.2 - Apple Inc.)
Fallout: New Vegas (HKLM-x32\...\Steam App 22380) (Version:  - Obsidian Entertainment)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 43.0.2357.81 - Google Inc.)
Google Update Helper (x32 Version: 1.3.27.5 - Google Inc.) Hidden
Hi-Rez Studios Authenticate and Update Service (HKLM-x32\...\{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF1FC}) (Version: 3.0.0.0 - Hi-Rez Studios)
InfiniteCrisis_410193F41CAE (HKLM-x32\...\InfiniteCrisis_410193F41CAE) (Version:  - Turbine, Inc)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3958 - Intel Corporation)
iTunes (HKLM\...\{D227565A-0033-40AD-89BA-653A205CDC11}) (Version: 12.1.1.4 - Apple Inc.)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Minecraft (HKLM-x32\...\{1C16BCA3-EBC1-49F6-8623-8FBFB9CCC872}) (Version: 1.0.3.0 - Mojang)
NVIDIA GeForce Experience 2.4.1.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.4.1.21 - NVIDIA Corporation)
NVIDIA Graphics Driver 350.12 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 350.12 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.15.0324 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0324 - NVIDIA Corporation)
PAYDAY 2 (HKLM-x32\...\Steam App 218620) (Version:  - OVERKILL - a Starbreeze Studio.)
Perfect Uninstaller v6.3.4.0 (HKLM\...\Perfect Uninstaller_is1) (Version:  - www.PerfectUninstaller.net)
QuickTime (HKLM-x32\...\{0E64B098-8018-4256-BA23-C316A43AD9B0}) (Version: 7.72.80.56 - Apple Inc.)
Razer Cortex (HKLM-x32\...\Razer Cortex_is1) (Version: 5.3.25.0 - Razer Inc.)
SHIELD Streaming (Version: 4.1.1000 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (Version: 2.4.1.21 - NVIDIA Corporation) Hidden
Smite (HKLM-x32\...\{3C87E0FF-BC0A-4F5E-951B-68DC3F8DF017}) (Version: 2.7.2767.0 - Hi-Rez Studios)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Unturned (HKLM-x32\...\Steam App 304930) (Version:  - Nelson Sexton)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2490194775-2778516244-1439768383-1001_Classes\CLSID\{820D63D5-8CFF-46DE-86AF-4997DEDD6DB5}\localserver32 -> C:\Windows\system32\igfxEM.exe (Intel Corporation)

==================== Restore Points =========================

27-05-2015 15:49:35 Scheduled Checkpoint
03-06-2015 16:51:42 Installed DirectX
09-06-2015 17:24:05 Removed Dual-Core Optimizer.

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2013-08-22 06:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {3125175E-9948-43EF-BABC-06C35A53D723} - System32\Tasks\MagnumSubs => c:\programdata\{23d55207-8edf-b478-23d5-552078ed481e}\7514894461598274653b.exe <==== ATTENTION
Task: {879D3DE9-7D2C-4FB7-B955-4063D6CA5FD9} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: C:\Windows\Tasks\MagnumSubs.job => c:\programdata\{23d55207-8edf-b478-23d5-552078ed481e}\7514894461598274653b.exe <==== ATTENTION

==================== Loaded Modules (Whitelisted) ==============

2015-04-15 22:20 - 2015-04-08 17:58 - 00012104 _____ () C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
2015-04-15 22:23 - 2015-04-08 14:30 - 00116552 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2015-02-12 14:20 - 2015-02-12 14:20 - 00085832 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-02-12 14:20 - 2015-02-12 14:20 - 01346344 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2015-06-06 18:46 - 2015-06-06 18:46 - 08016275 _____ () C:\Program Files (x86)\Excited Art\Excited Art.exe
2015-01-30 17:10 - 2015-01-30 17:10 - 00186560 _____ () C:\Program Files (x86)\Razer\Razer Services\GSS\GameScannerService.exe
2015-04-15 22:34 - 2015-04-08 17:58 - 00011920 _____ () C:\Program Files (x86)\NVIDIA Corporation\Update Core\detoured.dll
2015-02-28 23:05 - 2012-11-20 02:13 - 00264192 _____ () C:\Program Files (x86)\Razer\Razer Cortex\D3DX8Wrapper.dll
2015-04-15 22:20 - 2015-04-08 17:58 - 00012104 _____ () C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll
2015-01-27 13:02 - 2015-01-27 13:02 - 00307712 _____ () C:\Users\Ariel Hardiyanto\AppData\Roaming\Curse Client\Bin\opus.dll
2015-01-27 13:02 - 2015-01-27 13:02 - 00437248 _____ () C:\Users\Ariel Hardiyanto\AppData\Roaming\Curse Client\Bin\WebRTC_CSharpWrapper.dll
2015-03-13 15:37 - 2015-04-16 10:40 - 00776192 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2015-03-13 15:37 - 2015-04-22 19:16 - 04962816 _____ () C:\Program Files (x86)\Steam\v8.dll
2015-03-13 15:37 - 2015-06-04 11:56 - 02407104 _____ () C:\Program Files (x86)\Steam\video.dll
2015-03-13 15:37 - 2015-04-22 19:16 - 01556992 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2015-03-13 15:37 - 2015-04-22 19:16 - 01187840 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2015-03-13 15:36 - 2014-12-01 14:31 - 02396672 _____ () C:\Program Files (x86)\Steam\libavcodec-56.dll
2015-03-13 15:36 - 2014-12-01 14:31 - 00479744 _____ () C:\Program Files (x86)\Steam\libavformat-56.dll
2015-03-13 15:36 - 2014-12-01 14:31 - 00332800 _____ () C:\Program Files (x86)\Steam\libavresample-2.dll
2015-03-13 15:36 - 2014-12-01 14:31 - 00442880 _____ () C:\Program Files (x86)\Steam\libavutil-54.dll
2015-03-13 15:36 - 2014-12-01 14:31 - 00485888 _____ () C:\Program Files (x86)\Steam\libswscale-3.dll
2015-03-13 15:36 - 2015-06-04 11:56 - 00703168 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2015-03-13 15:36 - 2015-05-11 12:01 - 36302728 _____ () C:\Program Files (x86)\Steam\bin\libcef.dll
2015-05-13 20:21 - 2015-05-11 12:01 - 08958344 _____ () C:\Program Files (x86)\Steam\bin\pdf.dll
2015-05-25 16:40 - 2015-05-22 13:22 - 01281864 _____ () C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.81\libglesv2.dll
2015-05-25 16:40 - 2015-05-22 13:22 - 00080712 _____ () C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.81\libegl.dll
2015-05-25 16:40 - 2015-05-22 13:22 - 14982472 _____ () C:\Program Files (x86)\Google\Chrome\Application\43.0.2357.81\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2490194775-2778516244-1439768383-1001\Control Panel\Desktop\\Wallpaper -> C:\Windows\web\wallpaper\Windows\img0.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{4194E04C-0303-47B3-86A5-1B48D41EBEB2}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{3D8A5377-22FF-441C-BC90-3EBD70E39886}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{7134F010-B868-4313-9B6B-3DC0B0FD05C3}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{A9AA7EC7-7126-4153-AF2A-A069320580DE}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
FirewallRules: [{0A52F4EB-1A7A-4A48-B8C0-B309F8F007BA}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{E561021E-6802-4BC1-A94A-5F26C4B35EAB}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [TCP Query User{5906D11B-E4B2-4E75-8DB3-2066BB008360}C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [UDP Query User{F500AB31-2BFB-476C-84A1-05D4E0EC4921}C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [{7602A5CF-791B-46C9-A833-5E72531C8BD4}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{64B5402C-C4FA-40BA-9D4B-FE6AE326947C}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{D83DE217-202B-4231-986D-7FD8521A1D2D}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{C99FDC4E-8CFE-4503-B7FE-84E9469A22ED}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{AE126BFB-D277-45FE-818C-7F47FF3F49BF}] => (Allow) C:\Program Files\iTunes\iTunes.exe
FirewallRules: [{EB3047A3-FF46-40E7-9646-45D1C0A4383A}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{CAE9EC60-2013-4E6F-B459-9DB47FCDE6DA}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{2866D29E-E8D9-47B1-81BF-451C8AE4C444}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{EE4E50BC-9F15-4E9E-B0D4-C2BA187AFA2D}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [TCP Query User{1A25CF5F-B099-4187-BDCB-A45B30A676C3}C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [UDP Query User{3A59613A-1B30-4515-8A52-F43ACC1AAC0D}C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [{2BD180C0-279A-409E-B003-ACDA3963BEC6}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\PAYDAY 2\payday2_win32_release.exe
FirewallRules: [{28652562-CCCA-4991-BE86-49D20258D5D0}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\PAYDAY 2\payday2_win32_release.exe
FirewallRules: [{40462778-A360-42E6-A6A1-1F0A1DA88327}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\dota.exe
FirewallRules: [{30AE428F-54E2-4F13-A8DB-B2EE376433EE}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\dota 2 beta\dota.exe
FirewallRules: [TCP Query User{9AD08EA6-E38F-43E4-8847-6B5023254308}C:\program files (x86)\hi-rez studios\hirezgames\smite pt\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite pt\binaries\win32\smite.exe
FirewallRules: [UDP Query User{9A3829F0-0BD4-4CB2-87DE-202D3BCB70CA}C:\program files (x86)\hi-rez studios\hirezgames\smite pt\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite pt\binaries\win32\smite.exe
FirewallRules: [TCP Query User{153C1D4B-9008-45AC-B075-1069D4D7DE45}C:\program files (x86)\hi-rez studios\hirezgames\smite pt\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite pt\binaries\win32\smite.exe
FirewallRules: [UDP Query User{C5C32ED7-984B-4427-ADF8-096DDAA3D92B}C:\program files (x86)\hi-rez studios\hirezgames\smite pt\binaries\win32\smite.exe] => (Allow) C:\program files (x86)\hi-rez studios\hirezgames\smite pt\binaries\win32\smite.exe
FirewallRules: [{4FA4AA00-E683-43AC-BB65-155F5F637EC9}] => (Allow) C:\Users\Ariel Hardiyanto\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{D172B797-EA41-4EDB-9BA9-2F7A895E0D1B}] => (Allow) C:\Users\Ariel Hardiyanto\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{6CAA73F7-6DB5-4418-8C87-94B1EA6FF7AB}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{AB936710-F710-468B-829A-5012BF32E0BF}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{2BBE49E0-A2FA-4E4A-B1D5-BBC313636354}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 2\Binaries\Win32\Launcher.exe
FirewallRules: [{E8E8668C-1A01-458E-ABDF-1442E983A75D}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 2\Binaries\Win32\Launcher.exe
FirewallRules: [{81F85DCC-2C44-4A71-B023-6DAA1E112A5E}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 2\Binaries\Win32\Borderlands2.exe
FirewallRules: [{27D13B2F-957D-4B5D-B550-BD6AA06F9798}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Borderlands 2\Binaries\Win32\Borderlands2.exe
FirewallRules: [{9B20F3F0-6160-443B-873B-B1C011621BAC}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Unturned\Unturned.exe
FirewallRules: [{C5AA7A52-573E-43D4-9755-925DD15728E2}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Unturned\Unturned.exe
FirewallRules: [{9D2F9F67-D657-49BC-BB3B-D97126EBEE2C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Batman Arkham City GOTY\Binaries\Win32\BatmanAC.exe
FirewallRules: [{58318AA4-5942-419E-AE4B-8123E6C46B5A}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Batman Arkham City GOTY\Binaries\Win32\BatmanAC.exe
FirewallRules: [{51F3D5A2-8AA7-4D98-AA46-2F0272DEDCFE}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Batman Arkham Origins\SinglePlayer\Binaries\Win32\BatmanOrigins.exe
FirewallRules: [{373C2DD7-B328-4461-8826-2D61CF310C4B}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Batman Arkham Origins\SinglePlayer\Binaries\Win32\BatmanOrigins.exe
FirewallRules: [{469CC4CC-BAB9-4070-9923-9EEA2E346FF8}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Batman Arkham Origins\Online\Binaries\Win32\BatmanOriginsOnline.exe
FirewallRules: [{682935A7-2D0E-4EF7-83AD-1BCF838E0DB5}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Batman Arkham Origins\Online\Binaries\Win32\BatmanOriginsOnline.exe
FirewallRules: [{2A16607A-F833-4388-84D6-37BEAE8B5E48}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{E2730F38-E1C8-4B3F-AC47-39F5020B1D0F}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe
FirewallRules: [{BDB944D6-CDBC-459C-88F9-F42366A0560C}] => (Allow) C:\Program Files (x86)\Steam\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (06/14/2015 02:47:56 PM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT AUTHORITY)
Description: There was an error with the Windows Location Provider database

Error: (06/14/2015 02:39:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: FRST64.exe, version: 13.6.2015.0, time stamp: 0x557c4658
Faulting module name: ntdll.dll, version: 6.3.9600.17668, time stamp: 0x54c850f5
Exception code: 0xc0000024
Fault offset: 0x00000000000ec500
Faulting process id: 0x2064
Faulting application start time: 0xFRST64.exe0
Faulting application path: FRST64.exe1
Faulting module path: FRST64.exe2
Report Id: FRST64.exe3
Faulting package full name: FRST64.exe4
Faulting package-relative application ID: FRST64.exe5

Error: (06/14/2015 02:29:58 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 13407063

Error: (06/14/2015 02:29:58 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 13407063

Error: (06/14/2015 02:29:58 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (06/14/2015 10:46:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4719

Error: (06/14/2015 10:46:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4719

Error: (06/14/2015 10:46:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (06/14/2015 10:46:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 3563

Error: (06/14/2015 10:46:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 3563

System errors:
=============
Error: (06/14/2015 10:29:42 AM) (Source: DCOM) (EventID: 10016) (User: ArielHardiyanto)
Description: application-specificLocalLaunch{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}ArielHardiyantoAriel HardiyantoS-1-5-21-2490194775-2778516244-1439768383-1001LocalHost (Using LRPC)UnavailableUnavailable

Error: (06/14/2015 10:29:42 AM) (Source: DCOM) (EventID: 10016) (User: ArielHardiyanto)
Description: application-specificLocalLaunch{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}ArielHardiyantoAriel HardiyantoS-1-5-21-2490194775-2778516244-1439768383-1001LocalHost (Using LRPC)UnavailableUnavailable

Error: (06/13/2015 11:30:07 PM) (Source: DCOM) (EventID: 10016) (User: ArielHardiyanto)
Description: application-specificLocalLaunch{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}ArielHardiyantoAriel HardiyantoS-1-5-21-2490194775-2778516244-1439768383-1001LocalHost (Using LRPC)UnavailableUnavailable

Error: (06/13/2015 11:30:07 PM) (Source: DCOM) (EventID: 10016) (User: ArielHardiyanto)
Description: application-specificLocalLaunch{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}ArielHardiyantoAriel HardiyantoS-1-5-21-2490194775-2778516244-1439768383-1001LocalHost (Using LRPC)UnavailableUnavailable

Error: (06/13/2015 09:12:10 PM) (Source: DCOM) (EventID: 10016) (User: ArielHardiyanto)
Description: application-specificLocalLaunch{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}ArielHardiyantoAriel HardiyantoS-1-5-21-2490194775-2778516244-1439768383-1001LocalHost (Using LRPC)UnavailableUnavailable

Error: (06/13/2015 09:12:10 PM) (Source: DCOM) (EventID: 10016) (User: ArielHardiyanto)
Description: application-specificLocalLaunch{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}ArielHardiyantoAriel HardiyantoS-1-5-21-2490194775-2778516244-1439768383-1001LocalHost (Using LRPC)UnavailableUnavailable

Error: (06/13/2015 03:06:43 PM) (Source: DCOM) (EventID: 10016) (User: ArielHardiyanto)
Description: application-specificLocalLaunch{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}ArielHardiyantoAriel HardiyantoS-1-5-21-2490194775-2778516244-1439768383-1001LocalHost (Using LRPC)UnavailableUnavailable

Error: (06/13/2015 03:06:43 PM) (Source: DCOM) (EventID: 10016) (User: ArielHardiyanto)
Description: application-specificLocalLaunch{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}ArielHardiyantoAriel HardiyantoS-1-5-21-2490194775-2778516244-1439768383-1001LocalHost (Using LRPC)UnavailableUnavailable

Error: (06/13/2015 03:06:26 PM) (Source: DCOM) (EventID: 10016) (User: ArielHardiyanto)
Description: application-specificLocalLaunch{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}ArielHardiyantoAriel HardiyantoS-1-5-21-2490194775-2778516244-1439768383-1001LocalHost (Using LRPC)UnavailableUnavailable

Error: (06/13/2015 03:06:26 PM) (Source: DCOM) (EventID: 10016) (User: ArielHardiyanto)
Description: application-specificLocalLaunch{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}{DDCFD26B-FEED-44CD-B71D-79487D2E5E5A}ArielHardiyantoAriel HardiyantoS-1-5-21-2490194775-2778516244-1439768383-1001LocalHost (Using LRPC)UnavailableUnavailable

Microsoft Office:
=========================
Error: (06/14/2015 02:47:56 PM) (Source: Microsoft-Windows-LocationProvider) (EventID: 2006) (User: NT AUTHORITY)
Description: -2147024883

Error: (06/14/2015 02:39:29 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: FRST64.exe13.6.2015.0557c4658ntdll.dll6.3.9600.1766854c850f5c000002400000000000ec500206401d0a6ea2d4dc54bC:\Users\Ariel Hardiyanto\Desktop\FRST64.exeC:\Windows\SYSTEM32\ntdll.dlld5af75ec-12dd-11e5-8282-b8763fbb888a

Error: (06/14/2015 02:29:58 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 13407063

Error: (06/14/2015 02:29:58 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 13407063

Error: (06/14/2015 02:29:58 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (06/14/2015 10:46:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4719

Error: (06/14/2015 10:46:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 4719

Error: (06/14/2015 10:46:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: Continuously busy for more than a second

Error: (06/14/2015 10:46:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 3563

Error: (06/14/2015 10:46:35 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledEvent 3563

==================== Memory info ===========================

Processor: Intel® Core™ i5-3337U CPU @ 1.80GHz
Percentage of memory in use: 70%
Total physical RAM: 3974.8 MB
Available physical RAM: 1185.98 MB
Total Pagefile: 8070.8 MB
Available Pagefile: 4121.37 MB
Total Virtual: 131072 MB
Available Virtual: 131071.83 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:465.25 GB) (Free:256.28 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End of log ============================



#4 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Local time:12:47 AM

Posted 14 June 2015 - 08:01 PM

Hello, let's get started. :thumbup2:

Please note: These steps are just the beginning of cleaning your machine, and I must request you stay with me until I declare your machine clean. Absence of symptoms does not mean your machine is clean.

Step 1:  P2P Warning

I noticed that you have a P2P file sharing program on your computer. I cannot stress highly enough the danger in using these types of programs. P2P programs are one of the major avenues of infection these days. The files downloaded with these programs are, the majority of the time, infected with trojans, malware, rootkits, etc.

You run the risk of getting an infection that can compromise your sensitive data, such as financial records, personal information, etc. That is just the infection aspect of using P2P programs. You also run the risk of possible arrest, fines, or in severe cases, jail time for illegal downloading of copyrighted material.

There are also new infections out there such as CryptoWall 3.0 and CryptoLocker. When infected with these, all of your personal files on any drive connected to your computer will be affected. These infections copy all your files, encrypt them, and then delete the originals, leaving you with the encrypted copies. You are then presented with a screen telling you that you have a certain amount of time to pay the ransom for the decryption code to decrypt your files. Even if you pay the ransom, their decryption process usually results in corrupt and unusable files.

There is nothing we can do to decrypt the files, as they use very sophisticated encryption techniques. Please consider this when using P2P programs. Malware and ransomware writers use P2P to spread their infections.


Here are some information sources about the dangers of P2P programs:

FBI - Peer to Peer Scams

USA Today Article on P2P Programs

File Sharing Infects 500,000 Computers

I very much recommend you uninstall this program from your machine. If not, I can guarantee you will be back needing help with your machine again. The risks of infections from content downloaded with P2P programs far outweigh any benefit of using them.

It is, of course, your choice as to whether or not you remove the program from your machine. It is my duty though, to point out how dangerous it is to use these programs. However, I must request that you do not use it while we are cleaning your machine.


Step 2: Chrome Uninstall and Program Uninstalls

Unfortunately, the malware infection has changed your Chrome browser into the Development Build.  This greatly lowers the security of the browser and allows malware to install any extension it pleases.  We need to resolve this first.

1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go to Google Sync and sign into your account
3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
4. Now we need to uninstall Chrome via the Control Panel.
Note: When asked about user data or settings you must remove this also, so please check the box.
5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
6. Import your bookmarks back into Chrome.
7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.


Program Uninstalls

Please uninstall the following program from your machine as it's an adware/malware related program.  

Perfect Uninstaller v6.3.4.0


Step 3:  Fix with FRST

Note: Please move FRST64.exe from C:\Users\Ariel Hardiyanto\Downloads to your desktop or the fix will not work.
  • Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy.)
  • Right-click in the open Notepad window and select Paste.
  • Save it on the desktop as fixlist.txt

    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

Start
CreateRestorePoint:
CloseProcesses:
ShortcutTarget: Download The Escapists v1.0 Full Release Torrent - KickassTorrents.lnk -> C:\ProgramData\{4f7f6b43-0d72-e2ac-4f7f-f6b430d7ad0c}\Download The Escapists v1.0 Full Release Torrent - KickassTorrents.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
() C:\Program Files (x86)\Excited Art\Excited Art.exe
C:\Program Files (x86)\Excited Art
R2 Excited Art; C:\Program Files (x86)\Excited Art\Excited Art.exe [8016275 2015-06-06] () [File not signed] <==== ATTENTION
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
R4 cbfs3; \SystemRoot\System32\drivers\cbfs3.sys [X]
2015-06-13 00:11 - 2015-06-13 00:12 - 02669808 _____ (www.PerfectUninstaller.net ) C:\Users\Ariel Hardiyanto\Downloads\PerfectUninstaller_Setup.exe
Task: {3125175E-9948-43EF-BABC-06C35A53D723} - System32\Tasks\MagnumSubs => c:\programdata\{23d55207-8edf-b478-23d5-552078ed481e}\7514894461598274653b.exe <==== ATTENTION
Task: C:\Windows\Tasks\MagnumSubs.job => c:\programdata\{23d55207-8edf-b478-23d5-552078ed481e}\7514894461598274653b.exe <==== ATTENTION
CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
Hosts:
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt); please post it in your next reply.


Things I need to see in your next post:

Fixlog.txt Log

Edited by pystryker, 14 June 2015 - 11:08 PM.

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.
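As an added check, not part of this thread and not code from FRST or from pystryker: a read-only PowerShell triage that looks for the same traits FRST marked "ATTENTION" in the log above, that is, task or service binaries living under a GUID-named folder in ProgramData (as with the MagnumSubs task), binaries that are missing, and binaries that are not signed (as with the Excited Art service). The cmdlets are standard Windows ones; the helper function names and the regex are my own, and the script assumes Windows 8.1 or later for the ScheduledTasks module. It removes nothing.

```powershell
# Added example (not from the thread or from FRST): read-only triage of
# scheduled tasks and services for the traits FRST flagged on this machine.
# Assumes Windows 8.1 / Server 2012 R2 or later (Get-ScheduledTask).
# Run from an elevated prompt so that every task and service is visible.

# Matches e.g. c:\programdata\{23d55207-8edf-b478-23d5-552078ed481e}\ (GUID folder)
$guidDirPattern = '(?i)^[A-Z]:\\ProgramData\\\{[0-9a-f-]{36}\}\\'

function Get-ExecutablePath {
    param([string]$CommandLine)
    # Strip quotes and arguments from a raw command line such as
    # "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = $CommandLine.Trim()
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    return ($cl -split '\s+')[0]
}

function Test-SuspiciousBinary {
    param([string]$Path)
    # Returns zero or more reasons why this binary deserves a closer look.
    $reasons = @()
    if (-not $Path) { return $reasons }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if ($expanded -match $guidDirPattern) { $reasons += 'GUID folder under ProgramData' }
    if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
        # Like the "(No File)" / "[X]" entries in the FRST log
        $reasons += 'file not found'
    } else {
        # Catalog-signed Windows binaries report Valid here on Windows 8+
        $sig = Get-AuthenticodeSignature -LiteralPath $expanded
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    }
    return $reasons
}

$findings = @()

# Scheduled tasks: every exec action of every task, the "Task:" lines in FRST.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # skip COM-handler actions
        $exe = Get-ExecutablePath $action.Execute
        $why = Test-SuspiciousBinary $exe
        if ($why) {
            $findings += [pscustomobject]@{
                Kind   = 'Task'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Path   = $exe
                Reason = ($why -join '; ')
            }
        }
    }
}

# Services: the "R2 ... [File not signed]" style entries in FRST.
foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ExecutablePath $svc.PathName
    $why = Test-SuspiciousBinary $exe
    if ($why) {
        $findings += [pscustomobject]@{
            Kind   = 'Service'
            Name   = $svc.Name
            Path   = $exe
            Reason = ($why -join '; ')
        }
    }
}

$findings | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Legitimate but unsigned software will also appear in the output, so treat each row as a lead to verify (publisher, install date, whether you recognise it) rather than as something to delete; on this machine the rows to expect would be the MagnumSubs task and the Excited Art service.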





#5 PapaChewbacca

PapaChewbacca
  • Topic Starter

  • Members
  • 11 posts
  • Local time:11:47 PM

Posted 16 June 2015 - 04:29 PM

Hi! Thanks for the reply! Here is the Fixlog as requested:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:13-06-2015
Ran by Ariel Hardiyanto at 2015-06-16 14:19:00 Run:1
Running from C:\Users\Ariel Hardiyanto\Desktop
Loaded Profiles: Ariel Hardiyanto (Available Profiles: Ariel Hardiyanto)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
ShortcutTarget: Download The Escapists v1.0 Full Release Torrent - KickassTorrents.lnk -> C:\ProgramData\{4f7f6b43-0d72-e2ac-4f7f-f6b430d7ad0c}\Download The Escapists v1.0 Full Release Torrent - KickassTorrents.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
() C:\Program Files (x86)\Excited Art\Excited Art.exe
C:\Program Files (x86)\Excited Art
R2 Excited Art; C:\Program Files (x86)\Excited Art\Excited Art.exe [8016275 2015-06-06] () [File not signed] <==== ATTENTION
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
R4 cbfs3; \SystemRoot\System32\drivers\cbfs3.sys [X]
2015-06-13 00:11 - 2015-06-13 00:12 - 02669808 _____ (www.PerfectUninstaller.net ) C:\Users\Ariel Hardiyanto\Downloads\PerfectUninstaller_Setup.exe
Task: {3125175E-9948-43EF-BABC-06C35A53D723} - System32\Tasks\MagnumSubs => c:\programdata\{23d55207-8edf-b478-23d5-552078ed481e}\7514894461598274653b.exe <==== ATTENTION
Task: C:\Windows\Tasks\MagnumSubs.job => c:\programdata\{23d55207-8edf-b478-23d5-552078ed481e}\7514894461598274653b.exe <==== ATTENTION
CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
Hosts:
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\ProgramData\{4f7f6b43-0d72-e2ac-4f7f-f6b430d7ad0c}\Download The Escapists v1.0 Full Release Torrent - KickassTorrents.exe not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
C:\Program Files (x86)\Excited Art\Excited Art.exe => Could not close process
C:\Program Files (x86)\Excited Art => moved successfully.
Excited Art => Service removed successfully
gupdate => Service removed successfully
gupdatem => Service removed successfully
cbfs3 => Service not found.
C:\Users\Ariel Hardiyanto\Downloads\PerfectUninstaller_Setup.exe => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3125175E-9948-43EF-BABC-06C35A53D723}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3125175E-9948-43EF-BABC-06C35A53D723}" => key removed successfully
C:\Windows\System32\Tasks\MagnumSubs => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MagnumSubs" => key removed successfully
C:\Windows\Tasks\MagnumSubs.job => moved successfully.
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
{6FD99AF2-CA47-4B80-8FAA-AA61414CB971} canceled.
{EE46D6A1-291E-4712-A56C-B5826E10AB57} canceled.
{E6B603E4-C01C-430E-811E-924C3D9EB617} canceled.
{92E99268-78DF-4834-A4B6-7DFF7045D3F3} canceled.
{EEA080E7-3AE0-49AF-BFFF-49571D1131BC} canceled.
{FCB28AD5-1041-4256-B3EA-4FA62058F6FB} canceled.
{B884D609-7993-40A6-B707-779C74B39F23} canceled.
{96FD74BD-7814-427C-9263-E29315ADA025} canceled.
{23B975B2-37B2-41ED-B122-2F52BC59E1FE} canceled.
{F8E73111-C92B-4249-9C64-BE458C7970AC} canceled.
{F80F361E-F2AE-4021-825A-A4B91C02948D} canceled.
{36B3DAD1-AFC5-4CC6-B17E-AEA925A9CE9C} canceled.
12 out of 12 jobs canceled.
 
========= End of CMD: =========
 
 
=========  netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
=========  netsh advfirewall set allprofiles state on =========
 
Ok.
 
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
C:\Windows\System32\Drivers\etc\hosts => moved successfully.
Hosts restored successfully.
EmptyTemp: => 1.8 GB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 14:24:54 ====

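The Fixlog above shows the persistence points FRST cleared on this machine: a scheduled task (MagnumSubs) launching an executable from C:\ProgramData\{GUID}\, two services, twelve queued BITS jobs, the HKLM\SOFTWARE\Policies\Google key, and a replaced hosts file. The PowerShell script below is an added example, not part of this thread and not FRST's own logic, that enumerates those same locations so you can confirm after the reboot that nothing came back. It assumes an elevated Windows PowerShell 4.0 or later session on Windows 8.1 or newer (the ScheduledTasks and BitsTransfer modules ship with the OS); the $SuspectPath pattern and the function names are this example's own choices, and a hit means "look at this", not "malicious".

```powershell
#Requires -RunAsAdministrator
# Added triage script (not part of this thread or of FRST): lists the persistence
# points the Fixlog touched so their removal can be verified after the reboot.
# Assumes Windows PowerShell 4.0+ on Windows 8.1 or later; the path pattern and
# function names are this example's own choices (hypothetical, not FRST's logic).

Import-Module ScheduledTasks -ErrorAction Stop
Import-Module BitsTransfer   -ErrorAction Stop

# Binaries run from data or user-writable directories are unusual for real
# services and tasks; the MagnumSubs task ran from C:\ProgramData\{GUID}\.
$SuspectPath = '\\(ProgramData|AppData|Temp|Users\\[^\\]+\\Downloads)\\'

function New-Finding($Kind, $Name, $Target, $Detail, $State) {
    [pscustomobject]@{ Kind = $Kind; Name = $Name; Target = $Target; Detail = $Detail; State = $State }
}

function Get-SuspectScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an executable path; COM-handler actions do not
            if ($action.Execute -and $action.Execute -match $SuspectPath) {
                New-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) `
                    $action.Execute $action.Arguments $task.State
            }
        }
    }
}

function Get-SuspectService {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if ($svc.PathName -match $SuspectPath) {
            New-Finding 'Service' $svc.Name $svc.PathName $null "$($svc.State)/$($svc.StartMode)"
        }
    }
}

function Get-PendingBitsJob {
    # -AllUsers needs elevation; the Fixlog cancelled 12 such jobs with bitsadmin /reset
    foreach ($job in Get-BitsTransfer -AllUsers) {
        foreach ($file in $job.FileList) {
            New-Finding 'BitsJob' "$($job.JobId) ($($job.OwnerAccount))" `
                $file.RemoteName $file.LocalName $job.JobState
        }
    }
}

function Get-ChromePolicyValue {
    # HKLM\SOFTWARE\Policies\Google was removed by the fix: adware sets Chrome
    # policies to pin a search provider, homepage or force-installed extension.
    $root = 'HKLM:\SOFTWARE\Policies\Google'
    if (-not (Test-Path $root)) { return }
    foreach ($key in @(Get-Item $root) + @(Get-ChildItem $root -Recurse)) {
        foreach ($valueName in $key.GetValueNames()) {
            New-Finding 'ChromePolicy' $key.Name $valueName $key.GetValue($valueName) $null
        }
    }
}

function Get-ProxySetting {
    # Per-user WinINet proxy settings; adware commonly plants a ProxyServer or AutoConfigURL
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        if ($null -ne $inet.$name) { New-Finding 'Proxy' $name $inet.$name $null $null }
    }
}

function Get-HostsOverride {
    # FRST replaced the hosts file; anything but comments and blank lines deserves a look
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content $hosts) {
        $trimmed = $line.Trim()
        if ($trimmed -and -not $trimmed.StartsWith('#')) {
            New-Finding 'HostsEntry' $hosts $trimmed $null $null
        }
    }
}

# Collect everything into one table; an empty table is the expected "clean" result
@(Get-SuspectScheduledTask) + @(Get-SuspectService) + @(Get-PendingBitsJob) +
@(Get-ChromePolicyValue) + @(Get-ProxySetting) + @(Get-HostsOverride) |
    Format-Table -AutoSize -Wrap
```

Two caveats when reading the output: services hosted in svchost.exe report svchost as their PathName, so a malicious ServiceDll under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters would not match the path pattern and needs a separate look, and the script checks Chrome's machine policy only, not the per-profile Preferences and Secure Preferences files that JRT and AdwCleaner reset.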

#6 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:47 AM

Posted 16 June 2015 - 08:09 PM

Hello :)

Looks good, let's continue with the cleaning. After running these 2 steps, please include an update with the logs on how the machine is running.

Please disable your antivirus for the duration of my instructions. Don't forget to re-enable it after you have completed the steps.


Step 1: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 2: AdwCleaner

Download ADWcleaner by clicking here. Please save it to your Desktop


  • Double click (Vista and 7 users: right click) the adwcleaner.exe file and click Run as Administrator, then accept the UAC prompt to run AdwCleaner
  • Close any open windows or browsers.
  • Pause your Anti-Virus program if it is running.
  • Once it starts, click on the Scan button.
  • Let the scan complete itself. This may take a few minutes.
  • Once the scan has finished, it will say "Pending, uncheck elements you don't want to remove." Don't worry about unchecking anything; just click the Cleaning button. When finished, it will ask to reboot. Please reboot.
  • When the machine has rebooted, a log will be produced. Please copy/paste that in your next reply. Here's how:
    • Click the Logfile button and the log will open. Copy and Paste the contents of the log file into your next reply.
    This report is also saved at C:\AdwCleaner[R0].txt
Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

Junkware Removal Tool Log

AdwCleaner Log

How is the machine running?

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.





#7 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:47 AM

Posted 19 June 2015 - 05:36 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.






#8 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:47 AM

Posted 20 June 2015 - 07:34 AM

User returned.






#9 PapaChewbacca

PapaChewbacca
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:47 PM

Posted 21 June 2015 - 12:53 AM

JRT Log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 7.0.3 (06.19.2015:1)
OS: Windows 8.1 Single Language x64
Ran by Ariel Hardiyanto on 20/06/2015 at 22:29:49,23
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
Successfully deleted: [File] C:\Users\Ariel Hardiyanto\AppData\Roaming\appdataFr25.bin
Successfully deleted: [File] C:\Users\Ariel Hardiyanto\AppData\Roaming\appdataFr3.bin
Successfully deleted: [File] C:\Users\Ariel Hardiyanto\appdata\local\google\chrome\user data\default\local storage\hxxp_st.chatango.com_0.localstorage
Successfully deleted: [File] C:\Users\Ariel Hardiyanto\appdata\local\google\chrome\user data\default\local storage\hxxp_st.chatango.com_0.localstorage-journal
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] C:\Program Files (x86)\linkproc
Successfully deleted: [Folder] C:\ProgramData\14725749606637155111
 
 
 
~~~ Chrome
 
 
[C:\Users\Ariel Hardiyanto\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\Ariel Hardiyanto\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
 
[C:\Users\Ariel Hardiyanto\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\Ariel Hardiyanto\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 20/06/2015 at 22:34:05,89
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by PapaChewbacca, 21 June 2015 - 12:54 AM.


#10 PapaChewbacca

PapaChewbacca
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:47 PM

Posted 21 June 2015 - 12:55 AM

AdWare Log:

 

# AdwCleaner v4.206 - Logfile created 20/06/2015 at 22:45:29
# Updated 01/06/2015 by Xplode
# Database : 2015-06-17.1 [Server]
# Operating system : Windows 8.1 Single Language  (x64)
# Username : Ariel Hardiyanto - ARIELHARDIYANTO
# Running from : C:\Users\Ariel Hardiyanto\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\{23d55207-8edf-b478-23d5-552078ed481e}
Folder Deleted : C:\ProgramData\{4f7f6b43-0d72-e2ac-4f7f-f6b430d7ad0c}
Folder Deleted : C:\ProgramData\{9bb5296d-8aee-7542-9bb5-5296d8aea5b6}
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\b51451fd-45a9-4ef5-b7c2-326883dd886a
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{96BB8E60-6EF9-47E0-9ED8-4AD477ECF427}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EB559340-3A8F-4456-B24D-160098054EF0}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2DF3E224-05CD-4113-AA7A-86F2F6607B46}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5A1D3F9E-73B5-95EC-1233-6646E1358965}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BE360B8B-0F10-CA89-FC84-A5EAB71A6AF8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9D9BEFAE-9499-F52B-6CC4-94818CCC2AB5}
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Google Chrome v43.0.2357.124
 
[C:\Users\Ariel Hardiyanto\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Ariel Hardiyanto\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [2191 bytes] - [20/06/2015 22:42:46]
AdwCleaner[S0].txt - [2146 bytes] - [20/06/2015 22:45:29]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2205  bytes] ##########

Edited by PapaChewbacca, 21 June 2015 - 12:55 AM.


#11 PapaChewbacca

PapaChewbacca
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:47 PM

Posted 21 June 2015 - 12:56 AM

The machine is working better with my browser on. Before this, the browser would slow down significantly with Chrome open. (Note the edits I made on the posts above were just because my individual posts were merging into one, so I edited each to remove it.)



#12 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:47 AM

Posted 21 June 2015 - 07:42 AM

The machine is working better with my browser on. Before this, the browser would slow down significantly with Chrome open. (Note the edits I made on the posts above were just because my individual posts were merging into one, so I edited each to remove it.)


Excellent, let's scan for orphans and remnants, and check for out of date programs. :thumbup2:


Please disable your antivirus for the duration of my instructions. Don't forget to re-enable it after you have completed the steps.


Step 1: Scan with Malwarebytes


Start Malwarebytes Anti-Malware and select update
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits


Go back to the Dashboard and select Scan Now


If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.


On completion of the scan (or after the reboot), start MBAM,

Click History, then Application Logs, then check the Select box by the first Scan Log in the list.

Click View, then click Export, select text file and save to the desktop as MBAM.txt and post in your next reply.



Step 2: Scan with ESET Online Scanner


Please note: You can use Internet Explorer or Firefox for this step. Whichever browser you use will have to be run in admin mode.

Right click on either the Internet Explorer icon or the Firefox icon in the Start Menu or Quick Launch Bar on the Task bar and select Run as Administrator from the menu.

If you use Firefox, you will be prompted to download esetsmartinstaller_enu.exe. Please do so, then double click it to install it.

Please click on this link and then click the ESET Online Scanner bar.
  • Select the option YES, I accept the Terms of Use then click on Start
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
  • Now click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • Now click on Finish
  • Use Notepad to open the logfile located at C:\Program Files (x86)\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Step 3: SecurityCheck Scan


Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Things I need to see in your next post:
  • ESET Scan Log
  • MBAM Log
  • SecurityCheck Log






#13 PapaChewbacca

PapaChewbacca
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:47 PM

Posted 21 June 2015 - 06:42 PM

ESET:

 

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
Update Init
Update Download
Update Finalize
Updated modules version: 24434

Edited by PapaChewbacca, 21 June 2015 - 06:42 PM.


#14 PapaChewbacca

PapaChewbacca
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:47 PM

Posted 21 June 2015 - 06:43 PM


MBAM:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 21/06/2015
Scan Time: 15:41:19
Logfile: MBAM.txt
Administrator: Yes
 
Version: 2.01.6.1022
Malware Database: v2015.06.21.04
Rootkit Database: v2015.06.15.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Ariel Hardiyanto
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 351386
Time Elapsed: 25 min, 39 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Edited by PapaChewbacca, 21 June 2015 - 06:44 PM.


#15 PapaChewbacca

PapaChewbacca
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:11:47 PM

Posted 21 June 2015 - 06:45 PM

SecurityCheck:

 

 Results of screen317's Security Check version 1.004 
   x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
Windows Defender  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 31 
 Java version 32-bit out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
  Adobe Flash Player  10.3.183.90 Flash Player out of Date! 
 Google Chrome (43.0.2357.124)
````````Process Check: objlist.exe by Laurent```````` 
 Windows Defender MSMpEng.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````





