
Malwarebytes Anti-Malware, Chameleon, Rkill and AdwCleaner are not working


21 replies to this topic

#1 Lothar82


Posted 26 June 2015 - 02:02 PM

Hi, I guess my PC is infected with something, but I am not sure if that is the case, and if it is, I don't know how to heal it.

Some signs that something is wrong:

1) When I double-click the MBAM icon nothing happens; the program doesn't start. I tried to run it in Safe Mode and it works. I ran a scan in Safe Mode but it found nothing.

2) I ran Chameleon and got: "Failed to start Malwarebytes Anti-Malware" and "Malwarebytes Anti-Malware has terminated - unable to start the scan."

3) I tried Rkill and got a BSOD.

4) I used AdwCleaner and after the scan it found some stuff in the registry. I tried to use the clean option and again got a BSOD (https://imageshack.com/i/f07nhYbzj).

5) I installed SUPERAntiSpyware Free and Emsisoft Anti-Malware. I ran scans with those two but nothing changed with my problem.

 

FRST log: 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:24-06-2015
Ran by Vjeko (administrator) on VJEKO-PC on 26-06-2015 20:48:22
Running from C:\Users\Vjeko\Downloads\AV
Loaded Profiles: Vjeko (Available Profiles: Vjeko)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Emsisoft Ltd) C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(CobianSoft, Luis Cobian) C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe
() D:\PROGRAMI\EslWire\service\WireHelperSvc.exe
(Panda Security, S.L.) C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Microsoft Corporation) C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe
(Emsisoft Ltd) C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PSUAMain] => "C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe" /LaunchSysTray
HKLM-x32\...\Run: [emsisoft anti-malware] => c:\program files (x86)\emsisoft anti-malware\a2guard.exe [4923832 2015-05-26] (Emsisoft Ltd)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\...\Run: [AVG-Secure-Search-Update_0913b] => C:\Users\Vjeko\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid dfe61412236547d3b241d15fa0bbb257-87fad0330af901d05034859f7a7778f7639b570f --CMPID 0913b
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7799576 2015-05-15] (SUPERAntiSpyware)
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\...\Run: [BitTorrent] => C:\Users\Vjeko\AppData\Roaming\BitTorrent\BitTorrent.exe [1696104 2015-05-12] (BitTorrent Inc.)
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Ribbons.scr [241664 2010-11-21] (Microsoft Corporation)
Startup: C:\Users\Vjeko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.lnk [2015-06-15]
ShortcutTarget: p.lnk -> C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> D:\programi novi\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> D:\PROGRAMI\Java\bin\ssv.dll [2015-06-26] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> D:\PROGRAMI\Java\bin\jp2ssv.dll [2015-06-26] (Oracle Corporation)
Handler-x32: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\programi novi\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 83.139.104.2 83.139.105.2
 
FireFox:
========
FF ProfilePath: C:\Users\Vjeko\AppData\Roaming\Mozilla\Firefox\Profiles\yPfzAplj.default
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> D:\PROGRAMI\Java\bin\dtplugin\npDeployJava1.dll [2015-06-26] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> D:\PROGRAMI\Java\bin\plugin2\npjp2.dll [2015-06-26] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin-x32: @verimatrix.com/ViewRightWeb -> C:\Program Files (x86)\Verimatrix\ViewRight Web\\npViewRight.dll [2012-12-19] (Verimatrix, Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1706152902-1485719288-3875658684-1001: @verimatrix.com/ViewRightWeb -> C:\Program Files (x86)\Verimatrix\ViewRight Web\\npViewRight.dll [2012-12-19] (Verimatrix, Inc.)
FF Extension: Avira Browser Safety - C:\Users\Vjeko\AppData\Roaming\Mozilla\Firefox\Profiles\yPfzAplj.default\Extensions\abs@avira.com [2015-06-23]
 
Chrome: 
=======
CHR Profile: C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-19]
CHR Extension: (ThemeBeta.com) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajhfedcfdibnicnkmhecbfnblbmjnlpd [2014-12-31]
CHR Extension: (Google Docs) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-19]
CHR Extension: (Google Drive) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-19]
CHR Extension: (YouTube) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-19]
CHR Extension: (Google Search) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-19]
CHR Extension: (Video Downloader professional) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil [2014-12-19]
CHR Extension: (Google Sheets) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-19]
CHR Extension: (Google Wallet) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-19]
CHR Extension: (Gmail) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-19]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
R2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [5155576 2015-05-26] (Emsisoft Ltd)
R2 cbVSCService11; C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
R2 EslWireHelper; D:\PROGRAMI\EslWire\service\WireHelperSvc.exe [663056 2014-01-28] ()
S3 Microsoft Office Groove Audit Service; D:\programi novi\Microsoft Office\Office12\GrooveAuditService.exe [65824 2006-10-27] (Microsoft Corporation)
R2 PandaAgent; C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [66808 2014-10-09] (Panda Security, S.L.)
R2 VSSS; C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [101099584 2015-06-23] (Microsoft Corporation) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
S2 AntiVirMailService; "C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe" [X]
S2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\Antivirus\sched.exe" [X]
S2 AntiVirService; "C:\Program Files (x86)\Avira\Antivirus\avguard.exe" [X]
S2 AntiVirWebService; "C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe" [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2013-07-19] (Disc Soft Ltd)
R1 epp64; C:\Windows\System32\DRIVERS\epp64.sys [135800 2015-03-24] (Emsisoft GmbH)
S3 FsUsbExDisk; C:\Windows\SysWOW64\FsUsbExDisk.SYS [37344 2014-01-23] () [File not signed]
R1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [93968 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [202000 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [110864 2015-02-09] (Panda Security, S.L.)
S1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [116496 2015-02-09] (Panda Security, S.L.)
S1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [99600 2015-02-09] (Panda Security, S.L.)
S4 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [69904 2015-02-09] (Panda Security, S.L.)
S1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [124176 2015-02-09] (Panda Security, S.L.)
S1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [299792 2015-02-09] (Panda Security, S.L.)
R1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [166160 2015-02-09] (Panda Security, S.L.)
S1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [113424 2015-02-09] (Panda Security, S.L.)
S1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [257296 2015-02-09] (Panda Security, S.L.)
S1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [106256 2015-02-09] (Panda Security, S.L.)
S2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107792 2015-02-25] (Panda Security, S.L.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2009-07-14] (Microsoft Corporation)
S3 KProcessHacker2; \??\C:\Program Files\kprocesshacker.sys [X]
S3 NvStreamKms; \??\C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-26 20:47 - 2015-06-26 20:48 - 00000000 ____D C:\FRST
2015-06-26 17:18 - 2015-06-26 17:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 11
2015-06-26 17:18 - 2015-06-26 17:18 - 00000000 ____D C:\Program Files (x86)\Cobian Backup 11
2015-06-26 14:53 - 2015-06-26 14:53 - 00949760 _____ C:\Users\Vjeko\Downloads\FINANCIJSKE KRIZE.ppt
2015-06-26 14:11 - 2015-06-26 15:06 - 00000000 ____D C:\Users\Vjeko\Desktop\ANaliza
2015-06-26 13:08 - 2015-06-26 13:07 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-06-26 13:07 - 2015-06-26 13:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-06-26 13:04 - 2015-06-26 13:05 - 37328992 _____ (Oracle Corporation) C:\Users\Vjeko\Downloads\jre-8u45-windows-i586.exe
2015-06-25 21:14 - 2015-06-25 21:14 - 00000000 ____D C:\Program Files (x86)\ESET
2015-06-24 18:10 - 2015-06-24 18:10 - 00284736 _____ C:\Windows\Minidump\062415-16848-01.dmp
2015-06-24 17:47 - 2015-06-24 17:47 - 00285696 _____ C:\Windows\Minidump\062415-16692-01.dmp
2015-06-24 17:42 - 2015-06-24 18:00 - 00000000 ____D C:\AdwCleaner
2015-06-24 17:12 - 2015-06-24 17:16 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-24 17:12 - 2015-06-24 17:12 - 00001106 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-24 17:12 - 2015-06-24 17:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-24 17:12 - 2015-06-24 17:12 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-06-24 17:12 - 2015-04-14 09:37 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-24 17:12 - 2015-04-14 09:37 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-24 16:58 - 2015-06-24 17:05 - 00000000 ____D C:\SMCLpav
2015-06-24 15:57 - 2015-06-24 15:57 - 00000000 ____D C:\Users\Vjeko\AppData\Roaming\SUPERAntiSpyware.com
2015-06-24 15:56 - 2015-06-24 15:57 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-06-24 15:56 - 2015-06-24 15:56 - 00001808 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2015-06-24 15:56 - 2015-06-24 15:56 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2015-06-24 15:56 - 2015-06-24 15:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-06-24 14:16 - 2015-06-24 14:16 - 00290496 _____ C:\Windows\Minidump\062415-20436-01.dmp
2015-06-24 12:40 - 2015-06-24 12:42 - 00000000 ____D C:\ProgramData\Emsisoft
2015-06-24 12:29 - 2015-06-26 20:45 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
2015-06-24 12:29 - 2015-06-24 12:29 - 00001095 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2015-06-24 12:29 - 2015-06-24 12:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2015-06-24 12:29 - 2015-03-24 00:17 - 00135800 _____ (Emsisoft GmbH) C:\Windows\system32\Drivers\epp64.sys
2015-06-24 12:17 - 2015-06-26 20:48 - 00000000 ____D C:\Users\Vjeko\Downloads\AV
2015-06-24 03:10 - 2015-06-24 03:10 - 00284096 _____ C:\Windows\Minidump\062415-22666-01.dmp
2015-06-24 03:03 - 2015-06-24 03:03 - 00290472 _____ C:\Windows\Minidump\062415-21091-01.dmp
2015-06-24 02:36 - 2015-06-24 02:57 - 00000000 ____D C:\Program Files (x86)\Panda Security
2015-06-24 00:43 - 2015-06-24 02:36 - 00000000 ____D C:\Users\Vjeko\AppData\Roaming\Panda Security
2015-06-24 00:41 - 2015-06-24 02:37 - 00000000 ____D C:\ProgramData\Panda Security
2015-06-24 00:39 - 2015-06-24 00:39 - 01415680 _____ (wj32) C:\Program Files\INSKV05B.exe
2015-06-23 22:12 - 2015-06-23 22:12 - 01415680 _____ (wj32) C:\Program Files\NSX27C2N.exe
2015-06-23 22:11 - 2015-06-23 22:11 - 01415680 _____ (wj32) C:\Program Files\3UZ49EJP.exe
2015-06-23 22:02 - 2015-06-23 22:02 - 00000000 ____D C:\Users\Vjeko\AppData\Roaming\Mozilla
2015-06-23 21:48 - 2015-06-23 21:48 - 00000078 _____ C:\cleanup.bat
2015-06-23 21:11 - 2015-06-23 21:11 - 00000000 ____D C:\Users\Vjeko\AppData\Local\Avg
2015-06-23 20:39 - 2015-06-23 20:39 - 00003164 _____ C:\Windows\System32\Tasks\{A7F5F563-1388-4CB5-AC76-23228F1CBEDF}
2015-06-22 22:22 - 2015-06-22 22:22 - 00181945 _____ C:\Users\Vjeko\Downloads\185723-the100season01hr.zip
2015-06-05 12:00 - 2015-06-17 17:58 - 00000000 ____D C:\Users\Vjeko\Desktop\BACKUP - DIPLOMSKI
2015-06-03 21:00 - 2015-06-03 21:00 - 00931328 _____ C:\Users\Vjeko\Downloads\Raspored konzultacija 2014_15 VPŠ (izmjena 02.06.).xls
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-26 20:45 - 2009-07-14 07:13 - 00778150 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-26 19:58 - 2013-07-13 15:53 - 00000948 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-26 19:52 - 2013-07-13 15:33 - 01129715 _____ C:\Windows\WindowsUpdate.log
2015-06-26 19:49 - 2013-07-15 18:48 - 00000000 ____D C:\Users\Vjeko\AppData\Roaming\BitTorrent
2015-06-26 19:49 - 2013-07-13 15:53 - 00000944 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-26 19:48 - 2014-12-19 18:12 - 01753884 _____ C:\Windows\setupact.log
2015-06-26 19:48 - 2013-07-13 20:02 - 00000000 ____D C:\ProgramData\NVIDIA
2015-06-26 19:48 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-26 17:29 - 2014-03-05 16:32 - 00000000 ____D C:\Users\Vjeko\Desktop\Diplomski rad
2015-06-26 13:08 - 2013-09-22 17:54 - 00000000 ____D C:\ProgramData\Oracle
2015-06-24 18:10 - 2013-07-23 19:29 - 00000000 ____D C:\Windows\Minidump
2015-06-24 17:47 - 2010-11-21 05:47 - 00228070 _____ C:\Windows\PFRO.log
2015-06-24 02:41 - 2009-07-14 06:45 - 00463064 _____ C:\Windows\system32\FNTCACHE.DAT
2015-06-24 02:36 - 2013-07-13 15:47 - 00111656 _____ C:\Users\Vjeko\AppData\Local\GDIPFONTCACHEV1.DAT
2015-06-23 13:39 - 2013-07-13 22:09 - 00000000 ____D C:\Users\Vjeko\AppData\Roaming\TS3Client
2015-06-23 01:04 - 2013-07-13 15:55 - 00002179 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-06-21 19:53 - 2014-11-30 15:06 - 00000000 ____D C:\Users\Vjeko\AppData\Local\ESL Wire Game Client
2015-05-28 12:48 - 2009-07-14 07:08 - 00032640 _____ C:\Windows\Tasks\SCHEDLGU.TXT
 
==================== Files in the root of some directories =======
 
2015-06-23 22:11 - 2015-06-23 22:11 - 1415680 _____ (wj32) C:\Program Files\3UZ49EJP.exe
2015-06-24 00:39 - 2015-06-24 00:39 - 1415680 _____ (wj32) C:\Program Files\INSKV05B.exe
2015-06-23 22:12 - 2015-06-23 22:12 - 1415680 _____ (wj32) C:\Program Files\NSX27C2N.exe
2014-04-02 23:40 - 2014-04-02 23:40 - 0034816 _____ () C:\Users\Vjeko\AppData\Roaming\RZR_0020b1504bd58407e0b8f7a06546.db
2014-06-06 16:37 - 2014-06-06 16:37 - 0007616 _____ () C:\Users\Vjeko\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
C:\Users\Vjeko\AppData\Local\Temp\ose00000.exe
C:\Users\Vjeko\AppData\Local\Temp\Quarantine.exe
C:\Users\Vjeko\AppData\Local\Temp\sqlite3.dll
C:\Users\Vjeko\AppData\Local\Temp\TsuD1BF60C0.dll
C:\Users\Vjeko\AppData\Local\Temp\_is4A5A.exe
C:\Users\Vjeko\AppData\Local\Temp\_is8A76.exe
C:\Users\Vjeko\AppData\Local\Temp\_isA047.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-06-23 15:36
 
==================== End of log ============================

 

 

AdwCleaner log:

 

# AdwCleaner v4.207 - Logfile created 24/06/2015 at 17:59:28

# Updated 21/06/2015 by Xplode
# Database : 2015-06-23.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Vjeko - VJEKO-PC
# Running from : C:\Users\Vjeko\Downloads\AV\adwcleaner_4.207.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\AVG Nation toolbar
Key Found : HKCU\Software\Myfree Codec
Key Found : [x64] HKCU\Software\AVG Nation toolbar
Key Found : [x64] HKCU\Software\Myfree Codec
Key Found : HKLM\SOFTWARE\AVG Nation toolbar
Key Found : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Found : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Found : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Found : HKLM\SOFTWARE\Myfree Codec
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Found : HKU\.DEFAULT\Software\Avg Secure Update
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v8.0.7601.17514
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v43.0.2357.130
 
[C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://isearch.avg.com/search?cid={A69458E7-DBFE-4450-B9AE-0C8BE88DFA37}&mid=d6e89b7cf95847d18fccd15fa0bbb257-06ce4fc639803a2e3563922518183d8e94088cb9&ds=&lang=&v=14.2.0.1&sg=&pid=avg&pr=&d=&sap=dsp&q={searchTerms}
[C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [2989 bytes] - [24/06/2015 17:42:35]
AdwCleaner[R1].txt - [2879 bytes] - [24/06/2015 17:59:28]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [2938 bytes] ##########
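Reading an FRST log for the entries a malware-response helper would pull into a fixlist follows a few recognisable patterns. The script below is an added example (not code from this thread, from FRST or from any of the tools named here) that applies those checks to a handful of lines constructed from the log above: a service that claims Microsoft as vendor but is unsigned and runs from AppData, a startup shortcut whose target is gone, Explorer policies that hide security notifications, orphaned service entries marked [X], and executables sitting in the root of Program Files.

```python
"""Triage heuristics for FRST (Farbar Recovery Scan Tool) log lines.

Added example: this is not code from the thread or from FRST itself. It encodes
the kind of pattern-matching a malware-response helper does by eye when reading
an FRST log and choosing which entries go into a fixlist. The sample lines are
constructed from the log posted above.
"""
import re

# Constructed sample: representative lines copied from the FRST log in this thread.
SAMPLE_LOG = r"""
(Microsoft Corporation) C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe
(Emsisoft Ltd) C:\Program Files (x86)\Emsisoft Anti-Malware\a2guard.exe
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\Users\Vjeko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.lnk [2015-06-15]
ShortcutTarget: p.lnk -> C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe (No File)
R2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [5155576 2015-05-26] (Emsisoft Ltd)
R2 VSSS; C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [101099584 2015-06-23] (Microsoft Corporation) [File not signed]
S2 AntiVirService; "C:\Program Files (x86)\Avira\Antivirus\avguard.exe" [X]
S3 KProcessHacker2; \??\C:\Program Files\kprocesshacker.sys [X]
2015-06-24 00:39 - 2015-06-24 00:39 - 1415680 _____ (wj32) C:\Program Files\INSKV05B.exe
"""

# A path inside a user profile's AppData tree: services do not legitimately install there.
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# FRST service/driver line: start type (R/S + digit), name, semicolon, rest of the entry.
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;\s*(?P<rest>.*)$")
# FRST process line: "(Vendor) X:\path\file.exe".
PROCESS_RE = re.compile(r"^\([^)]*\)\s+(?P<path>[A-Za-z]:\\.*\.(?:exe|dll|sys))$", re.IGNORECASE)
# An executable directly in the root of Program Files instead of in a product folder.
PF_ROOT_RE = re.compile(r"[A-Za-z]:\\Program Files( \(x86\))?\\[^\\]+\.exe\b", re.IGNORECASE)
# Explorer policies that hide tray and Action Center security notifications.
POLICY_RE = re.compile(r"Policies\\Explorer:\s*\[(TaskbarNoNotification|HideSCAHealth)\]\s*1")


def triage_line(line: str) -> list[str]:
    """Return the list of reasons a single FRST log line deserves attention."""
    s = line.strip()
    reasons: list[str] = []
    if not s:
        return reasons
    if POLICY_RE.search(s):
        reasons.append("Explorer policy suppresses security notifications")
    if "(No File)" in s:
        reasons.append("startup shortcut points to a file that no longer exists")
    if "[File not signed]" in s and "(Microsoft Corporation)" in s:
        reasons.append("claims Microsoft as vendor but the file is not signed")
    if SERVICE_RE.match(s):
        if s.endswith("[X]"):
            reasons.append("service/driver entry whose file is missing")
        if APPDATA_RE.search(s):
            reasons.append("service runs from a user profile directory")
    proc = PROCESS_RE.match(s)
    if proc and APPDATA_RE.search(proc.group("path")):
        reasons.append("running process loaded from a user profile directory")
    if PF_ROOT_RE.search(s) and not s.startswith("HK"):
        reasons.append("executable sits directly in the root of Program Files")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Run triage_line over a whole log and keep only the lines that were flagged."""
    findings = []
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

Run against the sample it flags eight of the eleven lines; the two Emsisoft entries and the bare Startup: line pass clean, which is the point of reading the ShortcutTarget line rather than the shortcut itself.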


#2 dbrisendine

  • Malware Response Team

Posted 27 June 2015 - 01:42 AM


Hi Lothar82,

Welcome to BleepingComputer. My name is dbrisendine and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at BleepingComputer are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date.
  • Malware removal is a complex, multiple step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


    - Save ALL Tools to your Desktop -

    All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

    Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.

    Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

    Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the Downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

    Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.

    NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

Let's get started....

 

Please move FRST64.exe from the Downloads\AV folder to your desktop.  We will not leave it on the desktop (when we are done, I will remove it and any other tools) but this makes everything easier in the long run.

Open notepad by pressing the Windows Key + R Key, typing in Notepad in the Run dialog and then pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt



Start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\Users\Vjeko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.lnk [2015-06-15]
ShortcutTarget: p.lnk -> C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe (No File)
C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
R2 VSSS; C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [101099584 2015-06-23] (Microsoft Corporation) [File not signed]
C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe
S2 AntiVirMailService; "C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe" [X]
S2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\Antivirus\sched.exe" [X]
S2 AntiVirService; "C:\Program Files (x86)\Avira\Antivirus\avguard.exe" [X]
S2 AntiVirWebService; "C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe" [X]
C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe
C:\Program Files (x86)\Avira\Antivirus\sched.exe
C:\Program Files (x86)\Avira\Antivirus\avguard.exe
C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe
S3 KProcessHacker2; \??\C:\Program Files\kprocesshacker.sys [X]
S3 NvStreamKms; \??\C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Program Files\kprocesshacker.sys
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys
C:\Windows\system32\drivers\nvvad64v.sys
C:\Windows\System32\drivers\rdvgkmd.sys
2015-06-24 00:39 - 2015-06-24 00:39 - 01415680 _____ (wj32) C:\Program Files\INSKV05B.exe
2015-06-23 22:12 - 2015-06-23 22:12 - 01415680 _____ (wj32) C:\Program Files\NSX27C2N.exe
2015-06-23 22:11 - 2015-06-23 22:11 - 01415680 _____ (wj32) C:\Program Files\3UZ49EJP.exe
2015-06-23 22:11 - 2015-06-23 22:11 - 1415680 _____ (wj32) C:\Program Files\3UZ49EJP.exe
2015-06-24 00:39 - 2015-06-24 00:39 - 1415680 _____ (wj32) C:\Program Files\INSKV05B.exe
2015-06-23 22:12 - 2015-06-23 22:12 - 1415680 _____ (wj32) C:\Program Files\NSX27C2N.exe
C:\Users\Vjeko\AppData\Local\Temp\ose00000.exe
C:\Users\Vjeko\AppData\Local\Temp\sqlite3.dll
C:\Users\Vjeko\AppData\Local\Temp\TsuD1BF60C0.dll
C:\Users\Vjeko\AppData\Local\Temp\_is4A5A.exe
C:\Users\Vjeko\AppData\Local\Temp\_is8A76.exe
C:\Users\Vjeko\AppData\Local\Temp\_isA047.exe
Task: {09B0A5C1-A66D-4099-8C5A-2F0461155201} - System32\Tasks\{C29379BF-83C9-4B33-AE01-8D260BD2D3D5} => pcalua.exe -a "D:\IGRE\Temple of Elemental Evil\TOEE.EXE" -d "D:\IGRE\Temple of Elemental Evil"
Task: {1D324A7E-EE1D-4D65-89F7-2150EB5AD0DA} - System32\Tasks\{F78131E8-E976-4CD6-94C1-C3A6546CD7BE} => pcalua.exe -a "D:\IGRE\Might and Magic X Legacy\LegacyGDFInstall.exe" -d "D:\IGRE\Might and Magic X Legacy"
Task: {61360B3F-AA1A-47C4-8F65-EC545BEA2B5A} - System32\Tasks\{A7F5F563-1388-4CB5-AC76-23228F1CBEDF} => pcalua.exe -a "C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe" -c /AppMode=SETUP /Uninstall /UDS=1
AlternateDataStreams: C:\ProgramData\TEMP:837EEB93
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
Reboot:
end


NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 by right clicking on the FRST64.exe file and selecting "Run as Administrator...". The User Account Control prompt may open; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


unite_blue_zpsba2e96f7.png
 
Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks -----> btn_donate_LG.gif
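The fixlist above was assembled by hand from entries that stand out in the FRST scan: a service registered from the user's AppData folder that is unsigned despite a Microsoft publisher string, a Startup shortcut whose target no longer exists, orphaned services marked [X], and identically sized executables dropped straight into the root of Program Files. The Python below is an added example, not code from this thread or from FRST, that applies those same triage checks to a constructed excerpt of FRST-format lines; SAMPLE_FRST_LINES, triage_line, triage and the regexes are this example's own assumptions about the line formats, not FRST rules.

```python
"""Triage of FRST (Farbar Recovery Scan Tool) report lines.

Added example, not part of this thread or of FRST: it encodes the checks a
malware-response helper applies by eye when choosing fixlist entries. The
regexes and heuristics below are this example's own assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# Service/driver entries: "<R|S><start type> <name>; <path> [size date] (publisher) [flags]"
SERVICE_RE = re.compile(r"^([RS][0-4]) ([^;]+); (.*)$")
# Startup shortcut resolution: "ShortcutTarget: <lnk> -> <target> (No File)"
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (\S+) -> (.*?)( \(No File\))?$")
# File entries: "<created> - <modified> - <size> <attrs> (<publisher>) <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(\d+) (\S+) (?:\(([^)]*)\) )?(.+)$"
)
# A path inside a user's profile (services normally live under Program Files or System32).
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# A binary sitting directly in the root of Program Files, with no vendor subfolder.
PROGRAM_FILES_ROOT_RE = re.compile(
    r"^[A-Za-z]:\\Program Files( \(x86\))?\\[^\\]+\.(exe|dll|sys)$", re.IGNORECASE
)

# Constructed excerpt in FRST format, modelled on lines from the scan above
# (a hand-picked mix of clean and suspicious entries, not a complete log).
SAMPLE_FRST_LINES = r"""
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
Startup: C:\Users\Vjeko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.lnk [2015-06-15]
ShortcutTarget: p.lnk -> C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe (No File)
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
R2 VSSS; C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [101099584 2015-06-23] (Microsoft Corporation) [File not signed]
S2 AntiVirService; "C:\Program Files (x86)\Avira\Antivirus\avguard.exe" [X]
S3 KProcessHacker2; \??\C:\Program Files\kprocesshacker.sys [X]
2015-06-24 00:39 - 2015-06-24 00:39 - 01415680 _____ (wj32) C:\Program Files\INSKV05B.exe
2015-06-23 22:12 - 2015-06-23 22:12 - 01415680 _____ (wj32) C:\Program Files\NSX27C2N.exe
2015-06-24 17:12 - 2015-04-14 09:37 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
"""


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) why one FRST line deserves a closer look."""
    reasons: List[str] = []
    m = SERVICE_RE.match(line)
    if m:
        _start_type, name, rest = m.groups()
        if rest.rstrip().endswith("[X]"):
            reasons.append(f"'{name}': registered service/driver whose file is missing")
        if "[File not signed]" in rest:
            reasons.append(f"'{name}': binary is not digitally signed")
            if "(Microsoft Corporation)" in rest:
                reasons.append(f"'{name}': unsigned yet carries a Microsoft publisher string")
        if USER_PROFILE_RE.search(rest):
            reasons.append(f"'{name}': service/driver runs from a user profile directory")
        return reasons
    m = SHORTCUT_RE.match(line)
    if m:
        lnk, target, missing = m.groups()
        if missing:
            reasons.append(f"startup shortcut {lnk} points to a file that no longer exists")
        if USER_PROFILE_RE.search(target):
            reasons.append(f"startup shortcut {lnk} targets a user profile directory")
        return reasons
    m = FILE_RE.match(line)
    if m:
        _size, _attrs, _publisher, path = m.groups()
        if PROGRAM_FILES_ROOT_RE.match(path):
            reasons.append(f"{path}: binary dropped directly into the root of Program Files")
    return reasons


def triage(report: str) -> List[Dict[str, object]]:
    """Run triage_line over every line, then add a cross-line duplicate-binary check."""
    findings: List[Dict[str, object]] = []
    by_size_publisher: Dict[Tuple[str, str], Set[str]] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append({"line": line, "reasons": reasons})
        fm = FILE_RE.match(line)
        if fm:
            size, _attrs, publisher, path = fm.groups()
            by_size_publisher.setdefault((size, publisher or ""), set()).add(path)
    # Same size and publisher under several different names, as with the three
    # identically sized executables in the log above.
    for (size, publisher), paths in sorted(by_size_publisher.items()):
        if len(paths) > 1:
            findings.append({
                "line": "; ".join(sorted(paths)),
                "reasons": [f"{len(paths)} files share size {size} and publisher '{publisher}'"],
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FRST_LINES):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   -", reason)
```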


#3 Lothar82 (Topic Starter)

Posted 27 June 2015 - 08:07 AM

Hi!

First of all, thanks for the help. I did what you asked me and I got a BSOD again. The log is below.

 

Fixlog:

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:24-06-2015
Ran by Vjeko at 2015-06-27 14:59:38 Run:1
Running from C:\Users\Vjeko\Desktop
Loaded Profiles: Vjeko (Available Profiles: Vjeko)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\Users\Vjeko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.lnk [2015-06-15]
ShortcutTarget: p.lnk -> C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe (No File)
C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
R2 VSSS; C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [101099584 2015-06-23] (Microsoft Corporation) [File not signed]
C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe
S2 AntiVirMailService; "C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe" [X]
S2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\Antivirus\sched.exe" [X]
S2 AntiVirService; "C:\Program Files (x86)\Avira\Antivirus\avguard.exe" [X]
S2 AntiVirWebService; "C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe" [X]
C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe
C:\Program Files (x86)\Avira\Antivirus\sched.exe
C:\Program Files (x86)\Avira\Antivirus\avguard.exe
C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe
S3 KProcessHacker2; \??\C:\Program Files\kprocesshacker.sys [X]
S3 NvStreamKms; \??\C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Program Files\kprocesshacker.sys
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys
C:\Windows\system32\drivers\nvvad64v.sys
C:\Windows\System32\drivers\rdvgkmd.sys
2015-06-24 00:39 - 2015-06-24 00:39 - 01415680 _____ (wj32) C:\Program Files\INSKV05B.exe
2015-06-23 22:12 - 2015-06-23 22:12 - 01415680 _____ (wj32) C:\Program Files\NSX27C2N.exe
2015-06-23 22:11 - 2015-06-23 22:11 - 01415680 _____ (wj32) C:\Program Files\3UZ49EJP.exe
2015-06-23 22:11 - 2015-06-23 22:11 - 1415680 _____ (wj32) C:\Program Files\3UZ49EJP.exe
2015-06-24 00:39 - 2015-06-24 00:39 - 1415680 _____ (wj32) C:\Program Files\INSKV05B.exe
2015-06-23 22:12 - 2015-06-23 22:12 - 1415680 _____ (wj32) C:\Program Files\NSX27C2N.exe
C:\Users\Vjeko\AppData\Local\Temp\ose00000.exe
C:\Users\Vjeko\AppData\Local\Temp\sqlite3.dll
C:\Users\Vjeko\AppData\Local\Temp\TsuD1BF60C0.dll
C:\Users\Vjeko\AppData\Local\Temp\_is4A5A.exe
C:\Users\Vjeko\AppData\Local\Temp\_is8A76.exe
C:\Users\Vjeko\AppData\Local\Temp\_isA047.exe
Task: {09B0A5C1-A66D-4099-8C5A-2F0461155201} - System32\Tasks\{C29379BF-83C9-4B33-AE01-8D260BD2D3D5} => pcalua.exe -a "D:\IGRE\Temple of Elemental Evil\TOEE.EXE" -d "D:\IGRE\Temple of Elemental Evil"
Task: {1D324A7E-EE1D-4D65-89F7-2150EB5AD0DA} - System32\Tasks\{F78131E8-E976-4CD6-94C1-C3A6546CD7BE} => pcalua.exe -a "D:\IGRE\Might and Magic X Legacy\LegacyGDFInstall.exe" -d "D:\IGRE\Might and Magic X Legacy"
Task: {61360B3F-AA1A-47C4-8F65-EC545BEA2B5A} - System32\Tasks\{A7F5F563-1388-4CB5-AC76-23228F1CBEDF} => pcalua.exe -a "C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe" -c /AppMode=SETUP /Uninstall /UDS=1
AlternateDataStreams: C:\ProgramData\TEMP:837EEB93
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
Reboot:
end
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.


#4 dbrisendine (Malware Response Team, BC, Canada)

Posted 27 June 2015 - 10:28 AM

Can you boot into Safe Mode and scan with FRST? 
 

We need to get a fresh scan from FRST.

  • If you still have the Addition.txt file on your desktop, please delete it now.
  • Right click the FRST file on your desktop and select "Run as Administrator..." (XP users click Run after receipt of the Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • If an update is available, the program will inform you and download the update. Allow it to do this, please. Otherwise, just wait for the "The tool is ready to use." message.
  • Please check the Addition.txt box in the Optional Scan section of FRST.
  • Press the Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste the log back here.
  • The tool will also generate another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.



#5 Lothar82 (Topic Starter)

Posted 27 June 2015 - 12:13 PM

Ok, I made a scan in Safe Mode. 

 

FRST log:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:24-06-2015
Ran by Vjeko (administrator) on VJEKO-PC on 27-06-2015 18:52:54
Running from C:\Users\Vjeko\Desktop
Loaded Profiles: Vjeko (Available Profiles: Vjeko)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Safe Mode (minimal)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PSUAMain] => "C:\Program Files (x86)\Panda Security\Panda Security Protection\PSUAMain.exe" /LaunchSysTray
HKLM-x32\...\Run: [emsisoft anti-malware] => c:\program files (x86)\emsisoft anti-malware\a2guard.exe [4923832 2015-05-26] (Emsisoft Ltd)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\...\Run: [AVG-Secure-Search-Update_0913b] => C:\Users\Vjeko\AppData\Roaming\AVG 0913b Campaign\AVG-Secure-Search-Update-0913b.exe /PROMPT --mid dfe61412236547d3b241d15fa0bbb257-87fad0330af901d05034859f7a7778f7639b570f --CMPID 0913b
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7799576 2015-05-15] (SUPERAntiSpyware)
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\...\Run: [BitTorrent] => C:\Users\Vjeko\AppData\Roaming\BitTorrent\BitTorrent.exe [1696104 2015-05-12] (BitTorrent Inc.)
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\system32\Ribbons.scr [241664 2010-11-21] (Microsoft Corporation)
Startup: C:\Users\Vjeko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.lnk [2015-06-15]
ShortcutTarget: p.lnk -> C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> D:\programi novi\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> D:\PROGRAMI\Java\bin\ssv.dll [2015-06-26] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> D:\PROGRAMI\Java\bin\jp2ssv.dll [2015-06-26] (Oracle Corporation)
Handler-x32: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\programi novi\Microsoft Office\Office12\GrooveSystemServices.dll [2006-10-27] (Microsoft Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-21] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 83.139.104.2 83.139.105.2
 
FireFox:
========
FF ProfilePath: C:\Users\Vjeko\AppData\Roaming\Mozilla\Firefox\Profiles\yPfzAplj.default
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> D:\PROGRAMI\Java\bin\dtplugin\npDeployJava1.dll [2015-06-26] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> D:\PROGRAMI\Java\bin\plugin2\npjp2.dll [2015-06-26] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2014-07-02] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.27.5\npGoogleUpdate3.dll [2015-05-17] (Google Inc.)
FF Plugin-x32: @verimatrix.com/ViewRightWeb -> C:\Program Files (x86)\Verimatrix\ViewRight Web\\npViewRight.dll [2012-12-19] (Verimatrix, Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1706152902-1485719288-3875658684-1001: @verimatrix.com/ViewRightWeb -> C:\Program Files (x86)\Verimatrix\ViewRight Web\\npViewRight.dll [2012-12-19] (Verimatrix, Inc.)
FF Extension: Avira Browser Safety - C:\Users\Vjeko\AppData\Roaming\Mozilla\Firefox\Profiles\yPfzAplj.default\Extensions\abs@avira.com [2015-06-23]
 
Chrome: 
=======
CHR Profile: C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-12-19]
CHR Extension: (ThemeBeta.com) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajhfedcfdibnicnkmhecbfnblbmjnlpd [2014-12-31]
CHR Extension: (Google Docs) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-12-19]
CHR Extension: (Google Drive) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-12-19]
CHR Extension: (YouTube) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-12-19]
CHR Extension: (Google Search) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-12-19]
CHR Extension: (Video Downloader professional) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\elicpjhcidhpjomhibiffojpinpmmpil [2014-12-19]
CHR Extension: (Google Sheets) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-12-19]
CHR Extension: (Google Wallet) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-12-19]
CHR Extension: (Gmail) - C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-12-19]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-23] (SUPERAntiSpyware.com)
S2 a2AntiMalware; C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe [5155576 2015-05-26] (Emsisoft Ltd)
S2 cbVSCService11; C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
S2 EslWireHelper; D:\PROGRAMI\EslWire\service\WireHelperSvc.exe [663056 2014-01-28] ()
S3 Microsoft Office Groove Audit Service; D:\programi novi\Microsoft Office\Office12\GrooveAuditService.exe [65824 2006-10-27] (Microsoft Corporation)
S2 PandaAgent; C:\Program Files (x86)\Panda Security\Panda Devices Agent\AgentSvc.exe [66808 2014-10-09] (Panda Security, S.L.)
S2 VSSS; C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [101099584 2015-06-23] (Microsoft Corporation) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
S2 AntiVirMailService; "C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe" [X]
S2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\Antivirus\sched.exe" [X]
S2 AntiVirService; "C:\Program Files (x86)\Avira\Antivirus\avguard.exe" [X]
S2 AntiVirWebService; "C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe" [X]
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2013-07-19] (Disc Soft Ltd)
S1 epp64; C:\Windows\System32\DRIVERS\epp64.sys [135800 2015-03-24] (Emsisoft GmbH)
S3 FsUsbExDisk; C:\Windows\SysWOW64\FsUsbExDisk.SYS [37344 2014-01-23] () [File not signed]
S1 NNSALPC; C:\Windows\System32\DRIVERS\NNSAlpc.sys [93968 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTP; C:\Windows\System32\DRIVERS\NNSHttp.sys [202000 2015-02-09] (Panda Security, S.L.)
S1 NNSHTTPS; C:\Windows\System32\DRIVERS\NNSHttps.sys [110864 2015-02-09] (Panda Security, S.L.)
S1 NNSIDS; C:\Windows\System32\DRIVERS\NNSIds.sys [116496 2015-02-09] (Panda Security, S.L.)
S1 NNSPICC; C:\Windows\System32\DRIVERS\NNSPicc.sys [99600 2015-02-09] (Panda Security, S.L.)
S4 NNSPIHSW; C:\Windows\System32\DRIVERS\NNSPihsw.sys [69904 2015-02-09] (Panda Security, S.L.)
S1 NNSPOP3; C:\Windows\System32\DRIVERS\NNSPop3.sys [124176 2015-02-09] (Panda Security, S.L.)
S1 NNSPROT; C:\Windows\System32\DRIVERS\NNSProt.sys [299792 2015-02-09] (Panda Security, S.L.)
S1 NNSPRV; C:\Windows\System32\DRIVERS\NNSPrv.sys [166160 2015-02-09] (Panda Security, S.L.)
S1 NNSSMTP; C:\Windows\System32\DRIVERS\NNSSmtp.sys [113424 2015-02-09] (Panda Security, S.L.)
S1 NNSSTRM; C:\Windows\System32\DRIVERS\NNSStrm.sys [257296 2015-02-09] (Panda Security, S.L.)
S1 NNSTLSC; C:\Windows\System32\DRIVERS\NNSTlsc.sys [106256 2015-02-09] (Panda Security, S.L.)
S2 PSINReg; C:\Windows\System32\DRIVERS\PSINReg.sys [107792 2015-02-25] (Panda Security, S.L.)
S1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2009-07-14] (Microsoft Corporation)
S3 KProcessHacker2; \??\C:\Program Files\kprocesshacker.sys [X]
S3 NvStreamKms; \??\C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-27 18:52 - 2015-06-27 18:53 - 00012126 _____ C:\Users\Vjeko\Desktop\FRST.txt
2015-06-27 17:03 - 2015-06-27 17:03 - 00168587 _____ C:\Users\Vjeko\Desktop\4194a020-268c-41f7-9323-fc2e60adf931.jpeg
2015-06-27 15:00 - 2015-06-27 15:00 - 00284256 _____ C:\Windows\Minidump\062715-14804-01.dmp
2015-06-27 14:58 - 2015-06-27 14:58 - 00003681 _____ C:\Users\Vjeko\Desktop\fixlist.txt
2015-06-26 23:49 - 2015-06-27 14:32 - 00000000 ____D C:\Users\Vjeko\Desktop\New folder (2)
2015-06-26 20:47 - 2015-06-27 18:52 - 00000000 ____D C:\FRST
2015-06-26 20:47 - 2015-06-26 20:47 - 02112512 _____ (Farbar) C:\Users\Vjeko\Desktop\FRST64.exe
2015-06-26 17:18 - 2015-06-26 17:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 11
2015-06-26 17:18 - 2015-06-26 17:18 - 00000000 ____D C:\Program Files (x86)\Cobian Backup 11
2015-06-26 14:53 - 2015-06-26 14:53 - 00949760 _____ C:\Users\Vjeko\Downloads\FINANCIJSKE KRIZE.ppt
2015-06-26 14:11 - 2015-06-27 15:48 - 00000000 ____D C:\Users\Vjeko\Desktop\ANaliza
2015-06-26 13:08 - 2015-06-26 13:07 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-06-26 13:07 - 2015-06-26 13:07 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-06-26 13:04 - 2015-06-26 13:05 - 37328992 _____ (Oracle Corporation) C:\Users\Vjeko\Downloads\jre-8u45-windows-i586.exe
2015-06-25 21:14 - 2015-06-25 21:14 - 00000000 ____D C:\Program Files (x86)\ESET
2015-06-24 18:10 - 2015-06-24 18:10 - 00284736 _____ C:\Windows\Minidump\062415-16848-01.dmp
2015-06-24 17:47 - 2015-06-24 17:47 - 00285696 _____ C:\Windows\Minidump\062415-16692-01.dmp
2015-06-24 17:42 - 2015-06-24 18:00 - 00000000 ____D C:\AdwCleaner
2015-06-24 17:12 - 2015-06-24 17:16 - 00107736 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-06-24 17:12 - 2015-06-24 17:12 - 00001106 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-06-24 17:12 - 2015-06-24 17:12 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-06-24 17:12 - 2015-06-24 17:12 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-06-24 17:12 - 2015-04-14 09:37 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2015-06-24 17:12 - 2015-04-14 09:37 - 00025816 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbam.sys
2015-06-24 16:58 - 2015-06-24 17:05 - 00000000 ____D C:\SMCLpav
2015-06-24 15:57 - 2015-06-24 15:57 - 00000000 ____D C:\Users\Vjeko\AppData\Roaming\SUPERAntiSpyware.com
2015-06-24 15:56 - 2015-06-24 15:57 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-06-24 15:56 - 2015-06-24 15:56 - 00001808 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2015-06-24 15:56 - 2015-06-24 15:56 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2015-06-24 15:56 - 2015-06-24 15:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-06-24 14:16 - 2015-06-24 14:16 - 00290496 _____ C:\Windows\Minidump\062415-20436-01.dmp
2015-06-24 12:40 - 2015-06-24 12:42 - 00000000 ____D C:\ProgramData\Emsisoft
2015-06-24 12:29 - 2015-06-27 18:50 - 00000000 ____D C:\Program Files (x86)\Emsisoft Anti-Malware
2015-06-24 12:29 - 2015-06-24 12:29 - 00001095 _____ C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk
2015-06-24 12:29 - 2015-06-24 12:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware
2015-06-24 12:29 - 2015-03-24 00:17 - 00135800 _____ (Emsisoft GmbH) C:\Windows\system32\Drivers\epp64.sys
2015-06-24 12:17 - 2015-06-27 14:37 - 00000000 ____D C:\Users\Vjeko\Downloads\AV
2015-06-24 03:10 - 2015-06-24 03:10 - 00284096 _____ C:\Windows\Minidump\062415-22666-01.dmp
2015-06-24 03:03 - 2015-06-24 03:03 - 00290472 _____ C:\Windows\Minidump\062415-21091-01.dmp
2015-06-24 02:36 - 2015-06-24 02:57 - 00000000 ____D C:\Program Files (x86)\Panda Security
2015-06-24 00:43 - 2015-06-24 02:36 - 00000000 ____D C:\Users\Vjeko\AppData\Roaming\Panda Security
2015-06-24 00:41 - 2015-06-24 02:37 - 00000000 ____D C:\ProgramData\Panda Security
2015-06-24 00:39 - 2015-06-24 00:39 - 01415680 _____ (wj32) C:\Program Files\INSKV05B.exe
2015-06-23 22:12 - 2015-06-23 22:12 - 01415680 _____ (wj32) C:\Program Files\NSX27C2N.exe
2015-06-23 22:11 - 2015-06-23 22:11 - 01415680 _____ (wj32) C:\Program Files\3UZ49EJP.exe
2015-06-23 22:02 - 2015-06-23 22:02 - 00000000 ____D C:\Users\Vjeko\AppData\Roaming\Mozilla
2015-06-23 21:48 - 2015-06-23 21:48 - 00000078 _____ C:\cleanup.bat
2015-06-23 21:11 - 2015-06-23 21:11 - 00000000 ____D C:\Users\Vjeko\AppData\Local\Avg
2015-06-23 20:39 - 2015-06-23 20:39 - 00003164 _____ C:\Windows\System32\Tasks\{A7F5F563-1388-4CB5-AC76-23228F1CBEDF}
2015-06-22 22:22 - 2015-06-22 22:22 - 00181945 _____ C:\Users\Vjeko\Downloads\185723-the100season01hr.zip
2015-06-05 12:00 - 2015-06-17 17:58 - 00000000 ____D C:\Users\Vjeko\Desktop\BACKUP - DIPLOMSKI
2015-06-03 21:00 - 2015-06-03 21:00 - 00931328 _____ C:\Users\Vjeko\Downloads\Raspored konzultacija 2014_15 VPŠ (izmjena 02.06.).xls
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-06-27 18:50 - 2013-07-13 15:33 - 01136522 _____ C:\Windows\WindowsUpdate.log
2015-06-27 18:49 - 2014-03-05 16:32 - 00000000 ____D C:\Users\Vjeko\Desktop\Diplomski rad
2015-06-27 17:58 - 2013-07-13 15:53 - 00000948 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-06-27 15:03 - 2013-07-15 18:48 - 00000000 ____D C:\Users\Vjeko\AppData\Roaming\BitTorrent
2015-06-27 15:01 - 2013-07-13 15:53 - 00000944 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-06-27 15:01 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-06-27 15:00 - 2014-12-19 18:12 - 01753996 _____ C:\Windows\setupact.log
2015-06-27 15:00 - 2013-07-23 19:29 - 00000000 ____D C:\Windows\Minidump
2015-06-27 15:00 - 2013-07-13 20:02 - 00000000 ____D C:\ProgramData\NVIDIA
2015-06-26 23:46 - 2009-07-14 07:13 - 00778150 _____ C:\Windows\system32\PerfStringBackup.INI
2015-06-26 13:08 - 2013-09-22 17:54 - 00000000 ____D C:\ProgramData\Oracle
2015-06-24 17:47 - 2010-11-21 05:47 - 00228070 _____ C:\Windows\PFRO.log
2015-06-24 02:41 - 2009-07-14 06:45 - 00463064 _____ C:\Windows\system32\FNTCACHE.DAT
2015-06-24 02:36 - 2013-07-13 15:47 - 00111656 _____ C:\Users\Vjeko\AppData\Local\GDIPFONTCACHEV1.DAT
2015-06-23 13:39 - 2013-07-13 22:09 - 00000000 ____D C:\Users\Vjeko\AppData\Roaming\TS3Client
2015-06-23 01:04 - 2013-07-13 15:55 - 00002179 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-06-21 19:53 - 2014-11-30 15:06 - 00000000 ____D C:\Users\Vjeko\AppData\Local\ESL Wire Game Client
2015-05-28 12:48 - 2009-07-14 07:08 - 00032640 _____ C:\Windows\Tasks\SCHEDLGU.TXT
 
==================== Files in the root of some directories =======
 
2015-06-23 22:11 - 2015-06-23 22:11 - 1415680 _____ (wj32) C:\Program Files\3UZ49EJP.exe
2015-06-24 00:39 - 2015-06-24 00:39 - 1415680 _____ (wj32) C:\Program Files\INSKV05B.exe
2015-06-23 22:12 - 2015-06-23 22:12 - 1415680 _____ (wj32) C:\Program Files\NSX27C2N.exe
2014-04-02 23:40 - 2014-04-02 23:40 - 0034816 _____ () C:\Users\Vjeko\AppData\Roaming\RZR_0020b1504bd58407e0b8f7a06546.db
2014-06-06 16:37 - 2014-06-06 16:37 - 0007616 _____ () C:\Users\Vjeko\AppData\Local\Resmon.ResmonCfg
 
Some files in TEMP:
====================
C:\Users\Vjeko\AppData\Local\Temp\ose00000.exe
C:\Users\Vjeko\AppData\Local\Temp\Quarantine.exe
C:\Users\Vjeko\AppData\Local\Temp\sqlite3.dll
C:\Users\Vjeko\AppData\Local\Temp\TsuD1BF60C0.dll
C:\Users\Vjeko\AppData\Local\Temp\_is4A5A.exe
C:\Users\Vjeko\AppData\Local\Temp\_is8A76.exe
C:\Users\Vjeko\AppData\Local\Temp\_isA047.exe
 
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-06-23 15:36
 

 

==================== End of log ============================
 
 
ADDITION:
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:24-06-2015
Ran by Vjeko at 2015-06-27 18:53:53
Running from C:\Users\Vjeko\Desktop
Boot Mode: Safe Mode (minimal)
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-1706152902-1485719288-3875658684-500 - Administrator - Disabled)
Guest (S-1-5-21-1706152902-1485719288-3875658684-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1706152902-1485719288-3875658684-1002 - Limited - Enabled)
Vjeko (S-1-5-21-1706152902-1485719288-3875658684-1001 - Administrator - Enabled) => C:\Users\Vjeko
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Emsisoft Anti-Malware (Enabled - Up to date) {2F44E1F9-850B-1C7A-0E56-EB2E0A3E20C9}
AS: Emsisoft Anti-Malware (Enabled - Up to date) {9425001D-A331-13F4-34E6-D05C71B96A74}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
Adobe Reader XI (11.0.11) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.11 - Adobe Systems Incorporated)
BitTorrent (HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\...\BitTorrent) (Version: 7.9.3.40299 - BitTorrent Inc.)
CBR Reader (HKLM-x32\...\{EDAAC216-AC73-4152-9654-E12FE5A69F5D}_is1) (Version:  - cbrreader.com)
Chessmaster Grandmaster Edition (HKLM-x32\...\InstallShield_{27614800-84A9-484E-9CCB-43ED2F1205F5}) (Version: 1.00.0000 - Ubisoft)
Chessmaster Grandmaster Edition (x32 Version: 1.00.0000 - Ubisoft) Hidden
Cobian Backup 11 Gravity (HKLM-x32\...\CobBackup11) (Version:  - )
CPUID CPU-Z 1.70 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.47.1.0335 - Disc Soft Ltd)
Divinity Original Sin (HKLM-x32\...\RGl2aW5pdHlPcmlnaW5hbFNpbg==_is1) (Version: 1 - )
Emsisoft Anti-Malware (HKLM-x32\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 10.0 - Emsisoft Ltd.)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
ESL Wire 1.18.0 (HKLM\...\ESL Wire_is1) (Version:  - Turtle Entertainment GmbH)
ffdshow v1.3.4532 [2014-07-17] (HKLM-x32\...\ffdshow_is1) (Version: 1.3.4532.0 - )
Free Audio Editor v8.6.1 (HKLM-x32\...\Free Audio Editor_is1) (Version:  - Copyright© 2005-2014 FAEMedia, Inc.)
GOM Player (HKLM-x32\...\GOM Player) (Version: 2.2.69.5227 - Gretech Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 43.0.2357.130 - Google Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.27.5 - Google Inc.) Hidden
Homeworld Remastered Collection (HKLM-x32\...\SG9tZXdvcmxkUmVtYXN0ZXJlZENvbGxlY3Rpb24=_is1) (Version: 1 - )
Impulse (HKLM-x32\...\Impulse) (Version:  - Stardock)
Impulse (x32 Version: 1.0 - Stardock Corporation) Hidden
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Malwarebytes Anti-Malware version 2.1.6.1022 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.6.1022 - Malwarebytes Corporation)
Microsoft .NET Framework 4 Client Profile (HKLM\...\Microsoft .NET Framework 4 Client Profile) (Version: 4.0.30320 - Microsoft Corporation)
Microsoft .NET Framework 4 Extended (HKLM\...\Microsoft .NET Framework 4 Extended) (Version: 4.0.30320 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{929CE49F-1CA7-4CF3-A9A1-6D757443C63F}) (Version: 1.2.0241 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
MyFreeCodec (HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\...\MyFreeCodec) (Version:  - )
NVIDIA 3D Vision Controller Driver 340.50 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 340.50 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 340.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 340.52 - NVIDIA Corporation)
NVIDIA Graphics Driver 340.52 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 340.52 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
Panda Devices Agent (HKLM-x32\...\Panda Devices Agent) (Version: 1.03.04 - Panda Security)
Panda Devices Agent (x32 Version: 1.05.00 - Panda Security) Hidden
Pillars of Eternity (HKLM-x32\...\1207666813_is1) (Version: 2.0.0.1 - GOG.com)
Pillars of Eternity Preorder Item and Pet (HKLM-x32\...\Pillars of Eternity Preorder Item and Pet_is1) (Version: 2.0.0.1 - GOG.com)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.34.0 - SAMSUNG Electronics Co., Ltd.)
Sid Meier's Civilization V (HKLM-x32\...\Sid Meier's Civilization V_is1) (Version:  - )
Sid Meier's Civilization V Brave New World (HKLM-x32\...\U2lkTWVpZXJzQ2l2aWxpemF0aW9uVg==_is1) (Version: 1 - )
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1194 - SUPERAntiSpyware.com)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.10 - TeamSpeak Systems GmbH)
Terraria (HKLM-x32\...\1207665503_is1) (Version: 2.0.0.1 - GOG.com)
ViewRight Web PC (HKLM-x32\...\{B62D5F4C-BEB2-4DCD-A8B4-EE21CCAEC28A}) (Version: 3.3.0.0 - Verimatrix, Inc.)
Visual Studio 2010 x64 Redistributables (HKLM\...\{21B133D6-5979-47F0-BE1C-F6A6B304693F}) (Version: 13.0.0.1 - AVG Technologies)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VSDC Free Video Editor version 2.3.0.337 (HKLM-x32\...\VSDC Free Video Editor_is1) (Version: 2.3.0.337 - Flash-Integro LLC)
WinRAR 4.20 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.20.0 - win.rar GmbH)
World of Tanks (HKLM-x32\...\{1EAC1D02-C6AC-4FA6-9A44-96258C37C812EU}_is1) (Version:  - Wargaming.net)
XBMC (HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\...\XBMC) (Version:  - Team XBMC)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Restore Points =========================
 
ATTENTION: System Restore is disabled
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 04:34 - 2009-06-10 23:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {09B0A5C1-A66D-4099-8C5A-2F0461155201} - System32\Tasks\{C29379BF-83C9-4B33-AE01-8D260BD2D3D5} => pcalua.exe -a "D:\IGRE\Temple of Elemental Evil\TOEE.EXE" -d "D:\IGRE\Temple of Elemental Evil"
Task: {1D324A7E-EE1D-4D65-89F7-2150EB5AD0DA} - System32\Tasks\{F78131E8-E976-4CD6-94C1-C3A6546CD7BE} => pcalua.exe -a "D:\IGRE\Might and Magic X Legacy\LegacyGDFInstall.exe" -d "D:\IGRE\Might and Magic X Legacy"
Task: {61360B3F-AA1A-47C4-8F65-EC545BEA2B5A} - System32\Tasks\{A7F5F563-1388-4CB5-AC76-23228F1CBEDF} => pcalua.exe -a "C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe" -c /AppMode=SETUP /Uninstall /UDS=1
Task: {675F82DF-E133-4A1B-A2BA-7AF0F8D4F264} - System32\Tasks\Microsoft\Windows\Windows Activation Technologies\ValidationTask => C:\Windows\system32\Wat\WatAdminSvc.exe [2014-11-04] (Microsoft Corporation)
Task: {6F216C95-82B4-4664-9655-5424C6FB0F8D} - System32\Tasks\SidebarExecute => C:\Program Files\Windows Sidebar\sidebar.exe [2010-11-21] (Microsoft Corporation)
Task: {C6C93E91-FDA7-4DF8-B783-B88FA5B8AFC6} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2014-12-19] (Adobe Systems Incorporated)
Task: {CCD46F50-A704-4BBD-8BA6-760051056A6E} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-13] (Google Inc.)
Task: {CE1BC586-B3A0-417B-8A19-372F704724B3} - System32\Tasks\0415avUpdateInfo => C:\ProgramData\Avg_Update_0415av\0415av_AVG-Secure-Search-Update.exe [2015-04-21] ()
Task: {E1E12F67-1E4D-40EE-B975-A572A70E11E6} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-07-13] (Google Inc.)
Task: C:\Windows\Tasks\0415avUpdateInfo.job => C:\ProgramData\Avg_Update_0415av\0415av_AVG-Secure-Search-Update.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (Whitelisted) ==============
 
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
AlternateDataStreams: C:\ProgramData\TEMP:837EEB93
 
==================== Safe Mode (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\NanoServiceMain => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\PSUAService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="1"
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Vjeko\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: Media is not connected to internet.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Who Is On My Wifi.lnk => C:\Windows\pss\Who Is On My Wifi.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^Vjeko^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe => C:\Windows\pss\PowerReg Scheduler V3.exe.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: BitTorrent => "C:\Users\Vjeko\AppData\Roaming\BitTorrent\BitTorrent.exe"  /MINIMIZED
MSCONFIG\startupreg: DAEMON Tools Lite => "D:\PROGRAMI\DAEMON Tools Lite\DTLite.exe" -autorun
MSCONFIG\startupreg: GrooveMonitor => "D:\programi novi\Microsoft Office\Office12\GrooveMonitor.exe"
MSCONFIG\startupreg: KiesAirMessage => D:\PROGRAMI\Kies\KiesAirMessage.exe -startup
MSCONFIG\startupreg: KiesPDLR => D:\PROGRAMI\Kies\External\FirmwareUpdate\KiesPDLR.exe
MSCONFIG\startupreg: KiesPreload => D:\PROGRAMI\Kies\Kies.exe /preload
MSCONFIG\startupreg: KiesTrayAgent => D:\PROGRAMI\Kies\KiesTrayAgent.exe
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [TCP Query User{36576725-1AA8-421C-AF96-C08B09B1D8CC}D:\igre\world_of_tanks\worldoftanks.exe] => (Allow) D:\igre\world_of_tanks\worldoftanks.exe
FirewallRules: [UDP Query User{5E9BBCCC-6A80-4A51-85E6-9D4DA7B359D3}D:\igre\world_of_tanks\worldoftanks.exe] => (Allow) D:\igre\world_of_tanks\worldoftanks.exe
FirewallRules: [{7C4D8F03-E635-480B-9452-4972611B7603}] => (Allow) D:\programi novi\Microsoft Office\Office12\outlook.exe
FirewallRules: [{F1450796-098F-4689-9F64-33329A2A6313}] => (Allow) D:\programi novi\Microsoft Office\Office12\GROOVE.EXE
FirewallRules: [{59A3DF3B-0C30-4DE9-A3D8-A0AF78298EF2}] => (Allow) D:\programi novi\Microsoft Office\Office12\GROOVE.EXE
FirewallRules: [{8B704655-B339-4AAE-A099-68625FC61667}] => (Allow) D:\programi novi\Microsoft Office\Office12\ONENOTE.EXE
FirewallRules: [{FD82B550-F4F0-413D-B550-24B0966D2E1E}] => (Allow) D:\programi novi\Microsoft Office\Office12\ONENOTE.EXE
FirewallRules: [{C5E41219-9F5F-4C55-8426-B89D350889BA}] => (Allow) C:\Users\Vjeko\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{75E2B885-F606-4B17-84E2-D645760BEA1C}] => (Allow) C:\Users\Vjeko\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{AD16E90E-4D11-48F5-9FAB-0EA17B496145}] => (Allow) C:\Users\Vjeko\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{E3DBEF43-6126-4CE1-8A3B-53F96E98D104}] => (Allow) C:\Users\Vjeko\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [TCP Query User{688B35E8-4E7F-4343-9372-8C5A0C2DCAE6}D:\igre\world_of_tanks\wotlauncher.exe] => (Allow) D:\igre\world_of_tanks\wotlauncher.exe
FirewallRules: [UDP Query User{221DB15D-B5C5-404A-BB09-C483CCC04561}D:\igre\world_of_tanks\wotlauncher.exe] => (Allow) D:\igre\world_of_tanks\wotlauncher.exe
FirewallRules: [{6EF052D6-DDD9-464B-94CA-C1A4EE1097AA}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{9E540010-04F9-4904-AECC-48645056B5C8}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{B0325434-3692-444B-A24D-CB8AC0638A71}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{140C245E-CD95-48D6-B7C6-23540213B241}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [TCP Query User{6A97051B-440D-45C0-A2C1-57AD59A1E48E}C:\program files (x86)\java\jre7\bin\java.exe] => (Allow) C:\program files (x86)\java\jre7\bin\java.exe
FirewallRules: [UDP Query User{6FFBF210-BCA6-42F1-B2C8-A7A98CD480B8}C:\program files (x86)\java\jre7\bin\java.exe] => (Allow) C:\program files (x86)\java\jre7\bin\java.exe
FirewallRules: [{14260A9F-2D38-43B9-B9CD-E9EED5D164B4}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{3CB2D56A-A76B-4545-AD1D-15B2CA68EEFC}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{41C81E22-D9D8-48AE-9F3D-B6F390430EE8}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{4128A739-167B-437E-A65E-801D50A8B158}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [TCP Query User{D5D5DE4E-2499-4007-B4EA-AE7C503CD02C}D:\igre\world of warplanes\wowplauncher.exe] => (Allow) D:\igre\world of warplanes\wowplauncher.exe
FirewallRules: [UDP Query User{D2CFC194-2CEF-4B7B-9038-B2D29C236120}D:\igre\world of warplanes\wowplauncher.exe] => (Allow) D:\igre\world of warplanes\wowplauncher.exe
FirewallRules: [TCP Query User{A5296EE1-C664-4F6A-A365-CF6639A0E780}D:\igre\world_of_warplanes\wowplauncher.exe] => (Allow) D:\igre\world_of_warplanes\wowplauncher.exe
FirewallRules: [UDP Query User{A308D470-1093-44C8-BD8F-D107C6438FD8}D:\igre\world_of_warplanes\wowplauncher.exe] => (Allow) D:\igre\world_of_warplanes\wowplauncher.exe
FirewallRules: [{F13308C5-4638-4CC3-9C8A-581D7D8533CE}] => (Allow) LPort=80
FirewallRules: [{16566797-88F8-43CE-BF9B-C17DF689D871}] => (Allow) LPort=443
FirewallRules: [{A606178A-CF9D-4B35-8F13-CBE09023035C}] => (Allow) LPort=20010
FirewallRules: [{743CFF56-C92D-46B5-AEE2-5640702E061F}] => (Allow) LPort=3478
FirewallRules: [{F981E9BB-95A6-41DA-85B2-3C08FBD03CFB}] => (Allow) LPort=7850
FirewallRules: [{2E59A7D1-507A-4341-9F66-AB1F92792B6A}] => (Allow) LPort=27022
FirewallRules: [{C08FEA1A-A2B5-40BD-ADBB-640A4AC2A5F2}] => (Allow) LPort=6881
FirewallRules: [{9606ACC0-904E-49FB-8654-F2E9781E67EF}] => (Allow) LPort=33333
FirewallRules: [{CA17DDE5-7F0B-4946-A0D2-160F8C48E023}] => (Allow) LPort=20443
FirewallRules: [{40A5C283-A496-4775-8DE5-C690DC2BB456}] => (Allow) LPort=8090
FirewallRules: [{1EDA5A8C-53EA-4C2A-A1F2-0AD3DB805C24}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{3F8D1D79-06ED-49EE-A826-0991101DC2A6}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{DCD35943-A16B-4866-A6E9-108EC7D0F6E5}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{8CE68EF1-5F17-45AA-ADEE-9B2FBD29FBAE}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [TCP Query User{B3D8264A-8BE8-4C29-8ED8-77DC30795E25}D:\igre\flashback\binaries\win32\flashback.exe] => (Allow) D:\igre\flashback\binaries\win32\flashback.exe
FirewallRules: [UDP Query User{DDE1E89F-9BA0-4072-B66B-4DAF7834C87C}D:\igre\flashback\binaries\win32\flashback.exe] => (Allow) D:\igre\flashback\binaries\win32\flashback.exe
FirewallRules: [{8C3328CB-8249-4F72-89C2-9815CE9E27BF}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{05C210FA-6581-441E-A6F5-9C3DB0A5742C}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{88A75CDD-1C1E-4681-BC7D-F1B1513F5B8A}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{19829954-3417-4D11-9BE7-A77A57942FC2}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{A6DD571B-C790-40A4-B2A5-95F7E71B427A}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{B86EB4CB-502F-4A95-8852-B4BB7FDA8788}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{6B49F46B-A380-49F1-88A6-E4D63BE6735A}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{4CF6019A-67FC-410D-BFFD-2555B48A797E}] => (Allow) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{EF0A6D10-D01D-4B63-BEB8-6E5D8C5290CE}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{539B470E-239E-4A27-8667-5A73A8683AA7}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{355D41FA-62D6-4158-82CD-B9B3104DC3C2}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{B124FADE-FCBA-49CA-9842-9C08638BB20E}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [TCP Query User{29E89C1E-8DB5-4F87-A231-BD40624BAB52}D:\igre\xcom enemy within\xew\binaries\win32\xcomew.exe] => (Allow) D:\igre\xcom enemy within\xew\binaries\win32\xcomew.exe
FirewallRules: [UDP Query User{67B89946-A1B8-4742-827C-12EFE7D8A1BC}D:\igre\xcom enemy within\xew\binaries\win32\xcomew.exe] => (Allow) D:\igre\xcom enemy within\xew\binaries\win32\xcomew.exe
FirewallRules: [{1674E882-838C-4CAC-9E16-020D1EC42006}] => (Allow) C:\Windows\SysWOW64\muzapp.exe
FirewallRules: [{536F5E67-B850-4C77-BFCE-197DC7BB7279}] => (Allow) C:\Windows\SysWOW64\muzapp.exe
FirewallRules: [TCP Query User{CE018490-E53D-496B-A369-8C4CBE9B4118}D:\igre\warlock 2 the exiled\game.exe] => (Allow) D:\igre\warlock 2 the exiled\game.exe
FirewallRules: [UDP Query User{42835A47-DD45-489F-BAE4-0ADE1FD1701A}D:\igre\warlock 2 the exiled\game.exe] => (Allow) D:\igre\warlock 2 the exiled\game.exe
FirewallRules: [TCP Query User{29AC61EB-EC3A-47F1-96BE-E56E7D50E06E}D:\igre\age of wonders iii\aow3.exe] => (Allow) D:\igre\age of wonders iii\aow3.exe
FirewallRules: [UDP Query User{E460E273-4C39-47EB-AE8C-91F5E621E623}D:\igre\age of wonders iii\aow3.exe] => (Allow) D:\igre\age of wonders iii\aow3.exe
FirewallRules: [TCP Query User{B4533899-E41E-4468-9E15-C50A7EC19D01}D:\igre\might and magic x legacy\might and magic x legacy.exe] => (Allow) D:\igre\might and magic x legacy\might and magic x legacy.exe
FirewallRules: [UDP Query User{30906A96-0BBF-4C6A-8DF7-34FAC12352FD}D:\igre\might and magic x legacy\might and magic x legacy.exe] => (Allow) D:\igre\might and magic x legacy\might and magic x legacy.exe
FirewallRules: [TCP Query User{2A8BA6D8-41D8-44D1-931F-30DEB0F7D50F}D:\igre\divinity original sin\shipping\eocapp.exe] => (Allow) D:\igre\divinity original sin\shipping\eocapp.exe
FirewallRules: [UDP Query User{883607D8-572B-4B3A-9D23-68946DC9516F}D:\igre\divinity original sin\shipping\eocapp.exe] => (Allow) D:\igre\divinity original sin\shipping\eocapp.exe
FirewallRules: [TCP Query User{23B88550-BB10-4C8B-B7A8-A38DD6E36423}C:\program files (x86)\java\jre1.8.0_25\bin\jp2launcher.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_25\bin\jp2launcher.exe
FirewallRules: [UDP Query User{F8F8CAA7-0E5F-4B9E-87A1-DE9F025A51E6}C:\program files (x86)\java\jre1.8.0_25\bin\jp2launcher.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_25\bin\jp2launcher.exe
FirewallRules: [TCP Query User{889ADF4A-FEF6-489D-84CA-6BE55135004A}D:\programi\xbmc\xbmc.exe] => (Allow) D:\programi\xbmc\xbmc.exe
FirewallRules: [UDP Query User{FCC1F919-6B21-465A-84AB-29A8F07AFFEA}D:\programi\xbmc\xbmc.exe] => (Allow) D:\programi\xbmc\xbmc.exe
FirewallRules: [{5294B7C9-5A47-4D4E-B1AF-626A6C2F1A91}] => (Allow) D:\PROGRAMI\EslWire\wire.exe
FirewallRules: [{AF26E811-11F1-493D-8D95-09BD90021709}] => (Allow) D:\PROGRAMI\EslWire\wire.exe
FirewallRules: [{A4327D9A-C43E-460C-9358-7E4AAEDB6DB7}] => (Allow) D:\PROGRAMI\FlashIntegro\VideoEditor\VideoEditor.exe
FirewallRules: [{C633F11F-FBC9-4C4D-A5DE-172417722A80}] => (Allow) D:\PROGRAMI\FlashIntegro\VideoEditor\VideoEditor.exe
FirewallRules: [{7FFD36E8-29A6-49C3-AD7E-7EF0FA5FA78D}] => (Allow) D:\PROGRAMI\FlashIntegro\VideoEditor\Updater.exe
FirewallRules: [{A8A65974-F7D5-4847-9030-6519B011941C}] => (Allow) D:\PROGRAMI\FlashIntegro\VideoEditor\Updater.exe
FirewallRules: [TCP Query User{83606D27-6D28-445E-A67C-47BF924479D4}C:\users\vjeko\appdata\local\popcorn time\node-webkit\popcorn time.exe] => (Allow) C:\users\vjeko\appdata\local\popcorn time\node-webkit\popcorn time.exe
FirewallRules: [UDP Query User{D76FDECD-3162-4558-A101-17CFFFC122D4}C:\users\vjeko\appdata\local\popcorn time\node-webkit\popcorn time.exe] => (Allow) C:\users\vjeko\appdata\local\popcorn time\node-webkit\popcorn time.exe
FirewallRules: [{8BECCF8A-2C01-4028-80FE-FCC61FC9A897}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Faulty Device Manager Devices =============
 
Name: Security Processor Loader Driver
Description: Security Processor Loader Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer: 
Service: spldr
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (06/27/2015 06:53:31 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/27/2015 03:02:38 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/27/2015 03:01:18 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.
 
Error: (06/27/2015 02:47:17 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: psprofiler.exe, version: 4.0.0.21, time stamp: 0x5448c49c
Faulting module name: psprofiler.exe, version: 4.0.0.21, time stamp: 0x5448c49c
Exception code: 0xc0000005
Fault offset: 0x0001be23
Faulting process id: 0x684
Faulting application start time: 0xpsprofiler.exe0
Faulting application path: psprofiler.exe1
Faulting module path: psprofiler.exe2
Report Id: psprofiler.exe3
 
Error: (06/27/2015 02:01:53 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.
 
Error: (06/27/2015 02:01:38 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/26/2015 08:47:16 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: psprofiler.exe, version: 4.0.0.21, time stamp: 0x5448c49c
Faulting module name: psprofiler.exe, version: 4.0.0.21, time stamp: 0x5448c49c
Exception code: 0xc0000005
Fault offset: 0x0001be23
Faulting process id: 0x818
Faulting application start time: 0xpsprofiler.exe0
Faulting application path: psprofiler.exe1
Faulting module path: psprofiler.exe2
Report Id: psprofiler.exe3
 
Error: (06/26/2015 07:50:21 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (06/26/2015 07:48:49 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error 0x80070005.
 
Error: (06/26/2015 05:50:43 PM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.
 
 
Operation:
   Gathering Writer Data
 
Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {f300c2c3-ef40-4791-991c-f6da9239733d}
 
 
System errors:
=============
Error: (06/27/2015 06:52:17 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (06/27/2015 06:52:17 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (06/27/2015 06:52:17 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (06/27/2015 06:52:17 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (06/27/2015 06:52:17 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (06/27/2015 06:52:17 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (06/27/2015 06:52:17 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{9E175B6D-F52A-11D8-B9A5-505054503030}
 
Error: (06/27/2015 06:52:17 PM) (Source: DCOM) (EventID: 10005) (User: )
Description: 1084WSearch{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
 
Error: (06/27/2015 06:52:15 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
Error: (06/27/2015 06:52:15 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: 
%%1068
 
 
Microsoft Office:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2015-03-06 14:41:16.282
  Description: Windows is unable to verify the image integrity of the file \Device\CdRom0\TBPanelx64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-03-06 14:41:16.266
  Description: Windows is unable to verify the image integrity of the file \Device\CdRom0\TBPanelx64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-03-06 14:40:14.661
  Description: Windows is unable to verify the image integrity of the file \Device\CdRom0\TBPanelx64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-03-06 14:40:14.645
  Description: Windows is unable to verify the image integrity of the file \Device\CdRom0\TBPanelx64.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-03-07 03:38:11.069
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-03-07 03:38:11.063
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-03-07 03:38:07.635
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-03-07 03:38:07.629
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-03-07 03:38:05.243
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2014-03-07 03:38:05.236
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume1\Windows\SysWOW64\FsUsbExDisk.Sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™2 CPU 6300 @ 1.86GHz
Percentage of memory in use: 29%
Total physical RAM: 3327.55 MB
Available physical RAM: 2330.95 MB
Total Pagefile: 6653.31 MB
Available Pagefile: 5669.88 MB
Total Virtual: 8192 MB
Available Virtual: 8191.84 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:39.06 GB) (Free:8.06 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive d: (Vjeko) (Fixed) (Total:109.99 GB) (Free:19.59 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149 GB) (Disk ID: F81FF81F)
Partition 1: (Active) - (Size=39.1 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=110 GB) - (Type=07 NTFS)
 
==================== End of log ============================


#6 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 27 June 2015 - 01:35 PM

Download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Please boot your system into Safe Mode to run this script! Very Important!

Run FRST64 by right-clicking on the FRST64.exe file and selecting "Run as Administrator". The User Account Control prompt may open; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

[Image: Press the FIX button]

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

Attached Files
 
Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks -----> [Donate button]
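The procedure above ends with a Fixlog.txt that the helper asks to see. As an added example (not part of this thread, and not code from FRST or its author), here is a small Python triage script for that log. It relies only on what the log format visibly shows: one result line per fixlist entry in the form `target => outcome`, and each `cmd:`/`Reg:` command's output wrapped in `========= <command> =========` / `========= End of ...: =========` markers. The script counts which entries were removed, which targets were already gone, and which commands reported an error, and it records the Boot Mode line, because in Safe Mode (minimal) services such as the DNS Client, Windows Firewall and BITS are typically not running, so `ipconfig /flushdns`, `netsh advfirewall` and `bitsadmin` fail for that reason rather than because of the infection. The sample log embedded below is constructed and modelled on the FRST format; its paths and service name are placeholders.

```python
"""Triage an FRST Fixlog.txt: what was removed, what was already gone,
and which shell commands failed."""
import re
from collections import Counter

# Constructed sample, modelled on the FRST Fixlog format (not a real log).
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version:24-06-2015
Boot Mode: Safe Mode (minimal)
==============================================
Error: Restore point can only be created in normal mode.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => value removed successfully
C:\Users\Example\AppData\Roaming\dropper.exe => moved successfully.
"C:\Program Files\gone.sys" => File/Folder not found.
ExampleSvc => Service removed successfully

=========  ipconfig /flushdns =========

Could not flush the DNS Resolver Cache: Function failed during execution.

========= End of CMD: =========

=========  netsh advfirewall reset =========

An error occurred while attempting to contact the  Windows Firewall service. Make sure that the service is running and try your request again.

========= End of CMD: =========
"""

RESULT_RE = re.compile(r"^(?P<target>.+?)\s*=>\s*(?P<outcome>.+?)\.?$")
CMD_HEADER_RE = re.compile(r"^=========\s+(?P<cmd>.+?)\s+=========$")
CMD_END_RE = re.compile(r"^=========\s+End of .*=========$")
FAILURE_RE = re.compile(r"\b(error|could not|unable|failed|cannot)\b", re.I)


def classify_outcome(outcome):
    """Map FRST's outcome text to a coarse status."""
    text = outcome.lower()
    if "successfully" in text:
        return "ok"
    if "not found" in text:
        return "missing"      # target already gone before the fix ran
    return "other"


def parse_fixlog(text):
    """Return boot mode, per-entry actions, command sections and Error: notes."""
    actions, commands, notes = [], [], []
    boot_mode = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        if line.startswith("Boot Mode:"):
            boot_mode = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Error:"):
            notes.append(line)
            continue
        header = CMD_HEADER_RE.match(line)
        if header and not line.startswith("========= End of"):
            # Collect the command's output up to its End-of marker.
            body = []
            while i < len(lines) and not CMD_END_RE.match(lines[i].strip()):
                if lines[i].strip():
                    body.append(lines[i].strip())
                i += 1
            i += 1  # skip the End-of marker
            failures = [b for b in body if FAILURE_RE.search(b)]
            commands.append({"cmd": header.group("cmd"), "output": body,
                             "failures": failures})
            # Sections such as RemoveProxy: also contain "=>" result lines.
            for b in body:
                m = RESULT_RE.match(b)
                if m:
                    actions.append(_action(m))
            continue
        m = RESULT_RE.match(line)
        if m:
            actions.append(_action(m))
    return {"boot_mode": boot_mode, "actions": actions,
            "commands": commands, "notes": notes}


def _action(match):
    outcome = match.group("outcome")
    return {"target": match.group("target").strip('"'),
            "outcome": outcome, "status": classify_outcome(outcome)}


def summarize(text):
    """Counts per status, failed commands, notes and a Safe Mode flag."""
    parsed = parse_fixlog(text)
    return {
        "boot_mode": parsed["boot_mode"],
        "safe_mode": bool(parsed["boot_mode"]
                          and "safe mode" in parsed["boot_mode"].lower()),
        "counts": Counter(a["status"] for a in parsed["actions"]),
        "failed_commands": [c["cmd"] for c in parsed["commands"] if c["failures"]],
        "notes": parsed["notes"],
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_FIXLOG)
    print("Boot mode:", summary["boot_mode"])
    print("Entries:", dict(summary["counts"]))
    for cmd in summary["failed_commands"]:
        print("Command reported an error:", cmd)
    if summary["safe_mode"] and summary["failed_commands"]:
        print("Note: service-dependent commands commonly fail in Safe Mode;"
              " re-check them after a normal boot.")
```

To use it on a real log, read Fixlog.txt into a string and pass it to `summarize()`. A "missing" count is not by itself a problem: FRST lists both the service/registry entry and the file it pointed to, so the second reference is often reported as not found once the first step has moved it. Commands flagged as failed while `safe_mode` is true are worth re-running from a normal boot before concluding that the infection is still blocking them.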


#7 Lothar82
  • Topic Starter

  • Members
  • 13 posts
  • Gender:Male

Posted 27 June 2015 - 01:51 PM

OK, here it is.

Fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version:24-06-2015

Ran by Vjeko at 2015-06-27 20:45:29 Run:1
Running from C:\Users\Vjeko\Desktop
Loaded Profiles: Vjeko (Available Profiles: Vjeko)
Boot Mode: Safe Mode (minimal)
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Policies\Explorer: [TaskbarNoNotification] 1
HKLM\...\Policies\Explorer: [HideSCAHealth] 1
Startup: C:\Users\Vjeko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.lnk [2015-06-15]
ShortcutTarget: p.lnk -> C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe (No File)
C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
R2 VSSS; C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [101099584 2015-06-23] (Microsoft Corporation) [File not signed]
C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe
S2 AntiVirMailService; "C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe" [X]
S2 AntiVirSchedulerService; "C:\Program Files (x86)\Avira\Antivirus\sched.exe" [X]
S2 AntiVirService; "C:\Program Files (x86)\Avira\Antivirus\avguard.exe" [X]
S2 AntiVirWebService; "C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe" [X]
C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe
C:\Program Files (x86)\Avira\Antivirus\sched.exe
C:\Program Files (x86)\Avira\Antivirus\avguard.exe
C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe
S3 KProcessHacker2; \??\C:\Program Files\kprocesshacker.sys [X]
S3 NvStreamKms; \??\C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [X]
S4 nvvad_WaveExtensible; system32\drivers\nvvad64v.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Program Files\kprocesshacker.sys
C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys
C:\Windows\system32\drivers\nvvad64v.sys
C:\Windows\System32\drivers\rdvgkmd.sys
2015-06-24 00:39 - 2015-06-24 00:39 - 01415680 _____ (wj32) C:\Program Files\INSKV05B.exe
2015-06-23 22:12 - 2015-06-23 22:12 - 01415680 _____ (wj32) C:\Program Files\NSX27C2N.exe
2015-06-23 22:11 - 2015-06-23 22:11 - 01415680 _____ (wj32) C:\Program Files\3UZ49EJP.exe
2015-06-23 22:11 - 2015-06-23 22:11 - 1415680 _____ (wj32) C:\Program Files\3UZ49EJP.exe
2015-06-24 00:39 - 2015-06-24 00:39 - 1415680 _____ (wj32) C:\Program Files\INSKV05B.exe
2015-06-23 22:12 - 2015-06-23 22:12 - 1415680 _____ (wj32) C:\Program Files\NSX27C2N.exe
C:\Users\Vjeko\AppData\Local\Temp\ose00000.exe
C:\Users\Vjeko\AppData\Local\Temp\sqlite3.dll
C:\Users\Vjeko\AppData\Local\Temp\TsuD1BF60C0.dll
C:\Users\Vjeko\AppData\Local\Temp\_is4A5A.exe
C:\Users\Vjeko\AppData\Local\Temp\_is8A76.exe
C:\Users\Vjeko\AppData\Local\Temp\_isA047.exe
Task: {09B0A5C1-A66D-4099-8C5A-2F0461155201} - System32\Tasks\{C29379BF-83C9-4B33-AE01-8D260BD2D3D5} => pcalua.exe -a "D:\IGRE\Temple of Elemental Evil\TOEE.EXE" -d "D:\IGRE\Temple of Elemental Evil"
Task: {1D324A7E-EE1D-4D65-89F7-2150EB5AD0DA} - System32\Tasks\{F78131E8-E976-4CD6-94C1-C3A6546CD7BE} => pcalua.exe -a "D:\IGRE\Might and Magic X Legacy\LegacyGDFInstall.exe" -d "D:\IGRE\Might and Magic X Legacy"
Task: {61360B3F-AA1A-47C4-8F65-EC545BEA2B5A} - System32\Tasks\{A7F5F563-1388-4CB5-AC76-23228F1CBEDF} => pcalua.exe -a "C:\Program Files (x86)\AVG\AVG2015\avgmfapx.exe" -c /AppMode=SETUP /Uninstall /UDS=1
AlternateDataStreams: C:\ProgramData\TEMP:837EEB93
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
Reboot:
end
*****************
 
Error: Restore point can only be created in normal mode.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\TaskbarNoNotification => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\HideSCAHealth => value removed successfully
C:\Users\Vjeko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\p.lnk => moved successfully.
C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe not found.
"C:\Users\Vjeko\AppData\Roaming\obgpzbkmvu.exe" => File/Folder not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => key removed successfully
VSSS => Service removed successfully
C:\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe => moved successfully.
AntiVirMailService => Service removed successfully
AntiVirSchedulerService => Service removed successfully
AntiVirService => Service removed successfully
AntiVirWebService => Service removed successfully
"C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe" => File/Folder not found.
"C:\Program Files (x86)\Avira\Antivirus\sched.exe" => File/Folder not found.
"C:\Program Files (x86)\Avira\Antivirus\avguard.exe" => File/Folder not found.
"C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe" => File/Folder not found.
KProcessHacker2 => Service removed successfully
NvStreamKms => Service removed successfully
nvvad_WaveExtensible => Service removed successfully
VGPU => Service removed successfully
"C:\Program Files\kprocesshacker.sys" => File/Folder not found.
"C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys" => File/Folder not found.
"C:\Windows\system32\drivers\nvvad64v.sys" => File/Folder not found.
"C:\Windows\System32\drivers\rdvgkmd.sys" => File/Folder not found.
C:\Program Files\INSKV05B.exe => moved successfully.
C:\Program Files\NSX27C2N.exe => moved successfully.
C:\Program Files\3UZ49EJP.exe => moved successfully.
"C:\Program Files\3UZ49EJP.exe" => File/Folder not found.
"C:\Program Files\INSKV05B.exe" => File/Folder not found.
"C:\Program Files\NSX27C2N.exe" => File/Folder not found.
C:\Users\Vjeko\AppData\Local\Temp\ose00000.exe => moved successfully.
C:\Users\Vjeko\AppData\Local\Temp\sqlite3.dll => moved successfully.
C:\Users\Vjeko\AppData\Local\Temp\TsuD1BF60C0.dll => moved successfully.
C:\Users\Vjeko\AppData\Local\Temp\_is4A5A.exe => moved successfully.
C:\Users\Vjeko\AppData\Local\Temp\_is8A76.exe => moved successfully.
C:\Users\Vjeko\AppData\Local\Temp\_isA047.exe => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{09B0A5C1-A66D-4099-8C5A-2F0461155201}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09B0A5C1-A66D-4099-8C5A-2F0461155201}" => key removed successfully
C:\Windows\System32\Tasks\{C29379BF-83C9-4B33-AE01-8D260BD2D3D5} => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{C29379BF-83C9-4B33-AE01-8D260BD2D3D5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{1D324A7E-EE1D-4D65-89F7-2150EB5AD0DA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D324A7E-EE1D-4D65-89F7-2150EB5AD0DA}" => key removed successfully
C:\Windows\System32\Tasks\{F78131E8-E976-4CD6-94C1-C3A6546CD7BE} => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{F78131E8-E976-4CD6-94C1-C3A6546CD7BE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{61360B3F-AA1A-47C4-8F65-EC545BEA2B5A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{61360B3F-AA1A-47C4-8F65-EC545BEA2B5A}" => key removed successfully
C:\Windows\System32\Tasks\{A7F5F563-1388-4CB5-AC76-23228F1CBEDF} => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A7F5F563-1388-4CB5-AC76-23228F1CBEDF}" => key removed successfully
C:\ProgramData\TEMP => ":837EEB93" ADS removed successfully.
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Could not flush the DNS Resolver Cache: Function failed during execution.
 
 
========= End of CMD: =========
 
 
=========  netsh advfirewall reset =========
 
 
An error occurred while attempting to contact the  Windows Firewall service. Make sure that the service is running and try your request again.
 
 
========= End of CMD: =========
 
 
=========  netsh advfirewall set allprofiles state on =========
 
 
An error occurred while attempting to contact the  Windows Firewall service. Make sure that the service is running and try your request again.
 
 
========= End of CMD: =========
 
 
========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
Unable to connect to BITS - 0x8007042c
 
========= End of CMD: =========
 
 
========= RemoveProxy: =========
 
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1706152902-1485719288-3875658684-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
 
=========  DEL %TEMP%\*.* /F /S /Q =========
 
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\AdobeARM.log
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\adwcleaner.db
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\AdwCleaner.jpg
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Cleaning.ico
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\EULA.txt
C:\Users\Vjeko\AppData\Local\Temp\FXSAPIDebugLogFile.txt
The process cannot access the file because it is being used by another process.
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\JavaDeployReg.log
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\jusched.log
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\LastScan.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Quarantine.exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Report.ico
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Scan.ico
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\setA07C.tmp
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\setE391.tmp
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Uninstall.ico
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\{B7718B94-196A-474C-8E6F-4A01743E4BE2}
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\~DF58799EE8D71A33B8.TMP
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\~DFF1BD174FD6CCBD3A.TMP
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\a2temp\update.ini
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\msohtmlclip1\01\clip_colorschememapping.xml
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\msohtmlclip1\01\clip_themedata.thmx
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\NVIDIA Corporation\NV_Cache\63547c51a55c7182c5c77fb521826c6c_fce8394c8fd8a83d_6229ccd76215aea1_0_0.bin
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\NVIDIA Corporation\NV_Cache\63547c51a55c7182c5c77fb521826c6c_fce8394c8fd8a83d_6229ccd76215aea1_0_0.toc
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\0.png
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\1.png
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\2.png
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\3.png
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\4.png
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\5.png
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0601_Stronghold_Exterior.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0601_Stronghold_Exterior.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0602_Brighthollow_Lower.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0602_Brighthollow_Lower.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0604_Stronghold_Great_Hall.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0604_Stronghold_Great_Hall.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0605_Stronghold_Dungeon.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0605_Stronghold_Dungeon.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0606_Stronghold_Barracks.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0606_Stronghold_Barracks.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0607_Stronghold_Library.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0607_Stronghold_Library.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0701_Encampment.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0701_Encampment.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0702_Ruin_Interior.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0702_Ruin_Interior.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0703_Ruin_Exterior.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0703_Ruin_Exterior.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0704_Valewood.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0704_Valewood.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0705_Gilded_Vale.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0705_Gilded_Vale.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0706_Esternwood.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0706_Esternwood.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0707_Raedrics_Hold_Ext.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0707_Raedrics_Hold_Ext.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0711_Temple_Eothas_Int_01.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0711_Temple_Eothas_Int_01.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0712_Backer_Inn_Lower.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0712_Backer_Inn_Lower.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0712_Temple_Eothas_Int_02.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0712_Temple_Eothas_Int_02.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0714_Backer_Inn_Upper.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0714_Backer_Inn_Upper.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0715_Home_01.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0715_Home_01.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0716_Blacksmith.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0716_Blacksmith.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0717_Aslaugs_Compass_Lagoon.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0717_Aslaugs_Compass_Lagoon.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0719_Windmill.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0719_Windmill.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0720_Home_02.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0720_Home_02.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0721_Sea_Cave_Int.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0721_Sea_Cave_Int.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0722_Home_03.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0722_Home_03.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0723_Bear_Cave.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0723_Bear_Cave.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0801_Black_Meadow_Wilderness.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0801_Black_Meadow_Wilderness.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0802_Gilded_Vale_Wilderness.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0802_Gilded_Vale_Wilderness.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0810_Gilded_Vale_Hideout.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_0810_Gilded_Vale_Hideout.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_1001_Od_Nua_Old_Watcher.fog
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\AR_1001_Od_Nua_Old_Watcher.lvl
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\MobileObjects.save
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\saveinfo.xml
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\Obsidian Entertainment\Pillars of Eternity\TempSaveData\screenshot.png
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\DGNano.dll
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\MsiZap.Exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\MsiZap.Exe.manifest
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\PAV2WSC.dll
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\Pav2WSC.exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\PAVSMCL.dll
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\pgunnt.exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\PGUse.exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\pguui.dll
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\qrvD.krn
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\SMCLPav.dll
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\SMCLpav.exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX0\Version.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\AVDisplayName.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\AVstate.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\check.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\checkup.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\chrome.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\chrome2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\chrome3.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\chrome4.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\chrome5.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\chrome6.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\chrome7.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\chrome8.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\defragcheck.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\defragcheck2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\defragcheck3.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\defragcheck4.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\ff2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\ff3.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\flash.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\flash2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\flashcheck.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\flashx64.bat
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\hostcopy.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\IEversion.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\IEVersion2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\install.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\MSEx64.bat
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup10.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup11.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup12.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup13.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup14.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup15.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup16.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup17.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup18.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup19.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup20.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup21.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup22.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup23.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup24.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup25.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup26.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup27.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup28.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup29.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup3.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup30.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup31.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup32.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup4.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup5.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup6.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup7.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup8.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\notcheckup9.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\Objlist.exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\OS1check.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\OS1check2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\prelimcheckup.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\prelimcheckup2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\prelimcheckup3.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\prelimproccheck.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\prelimspycheck.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\prelimspycheck2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process10.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process11.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process12.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process13.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process14.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process15.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process16.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process17.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process18.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process19.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process20.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process21.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process22.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process23.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process24.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process25.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process26.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process27.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process28.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process29.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process30.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process31.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process32.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process33.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process34.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process35.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process36.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process37.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process38.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process39.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process4.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process40.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process5.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process6.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process7.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process8.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\process9.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\rc2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\rc3.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\runprocesses.exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\SecurityCheck.bat
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\tb2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\UAC.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\UAC2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\Vista7FirewallCheck1.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\Vista7FirewallCheck2.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\wscsvc1.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\x64SPcheck.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\Other\cmdinfo.exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\Other\Copyright Information.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\Other\nircmdc.exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\Other\sed.exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\Other\swreg.exe
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\RarSFX1\SecurityCheck\Other\Update History.txt
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\{0287A9BE-B489-4D40-8996-2908126CDEBA}\ISSetup.dll
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\{0287A9BE-B489-4D40-8996-2908126CDEBA}\_Setup.dll
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\{68162CE8-3924-4F08-ABB7-494063308580}\ISSetup.dll
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\{68162CE8-3924-4F08-ABB7-494063308580}\_Setup.dll
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\{9F5D311F-434A-4E7A-BE4D-0F09A4AEB696}\ISSetup.dll
Deleted file - C:\Users\Vjeko\AppData\Local\Temp\{9F5D311F-434A-4E7A-BE4D-0F09A4AEB696}\_Setup.dll
 
========= End of CMD: =========
 
 
=========  RD /S /Q %TEMP% =========
 
C:\Users\Vjeko\AppData\Local\Temp\FXSAPIDebugLogFile.txt - The process cannot access the file because it is being used by another process.
 
========= End of CMD: =========
 
 
 
The system needed a reboot.. 
 
==== End of Fixlog 20:45:34 ====


#8 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 27 June 2015 - 02:26 PM

How is your system running now?

 

FIRST >>>>

Please download Farbar Service Scanner to your desktop and double click on the file to run it.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

 

 

 

SECOND >>>>

 

AdwCleaner by Xplode

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it will ask to reboot; allow this.
  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.


 

 


Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks.


#9 Lothar82
  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male

Posted 27 June 2015 - 02:51 PM

So far so good :) YAY! :)

 

 

FSS log:

 

Farbar Service Scanner Version: 17-01-2015

Ran by Vjeko (administrator) on 27-06-2015 at 21:35:26
Running from "C:\Users\Vjeko\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****
 
 
AdwCleaner log:
 
# AdwCleaner v4.207 - Logfile created 27/06/2015 at 21:43:16
# Updated 21/06/2015 by Xplode
# Database : 2015-06-23.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Vjeko - VJEKO-PC
# Running from : C:\Users\Vjeko\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKCU\Software\AVG Nation toolbar
Key Deleted : HKCU\Software\Myfree Codec
Key Deleted : HKLM\SOFTWARE\AVG Nation toolbar
Key Deleted : HKLM\SOFTWARE\Myfree Codec
Key Deleted : HKU\.DEFAULT\Software\Avg Secure Update
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v8.0.7601.17514
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v43.0.2357.130
 
[C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://isearch.avg.com/search?cid={A69458E7-DBFE-4450-B9AE-0C8BE88DFA37}&mid=d6e89b7cf95847d18fccd15fa0bbb257-06ce4fc639803a2e3563922518183d8e94088cb9&ds=&lang=&v=14.2.0.1&sg=&pid=avg&pr=&d=&sap=dsp&q={searchTerms}
[C:\Users\Vjeko\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://en.softonic.com/s/{searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [2989 bytes] - [24/06/2015 17:42:35]
AdwCleaner[R1].txt - [3049 bytes] - [24/06/2015 17:59:28]
AdwCleaner[R2].txt - [3097 bytes] - [27/06/2015 21:39:28]
AdwCleaner[S0].txt - [2948 bytes] - [27/06/2015 21:43:16]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3007  bytes] ##########
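As an added example (not code from this thread, nor from the Farbar or AdwCleaner tools), here is a PowerShell function that re-checks, on a live machine, the two Windows Defender findings the FSS log above reports: the WinDefend service start type being "Demand" (what WMI calls "Manual") instead of "Auto", and the DisableAntiSpyware=1 value under HKLM\SOFTWARE\Microsoft\Windows Defender. The function name Get-DefenderHealth and its -Repair switch are my own; it assumes Windows 7 or later with PowerShell 2.0 or newer, run from an elevated (Run as administrator) prompt so that HKLM and service settings can be read and, with -Repair, changed.

```powershell
# Added example, not part of the thread: re-check from the OS the two Windows
# Defender findings that Farbar Service Scanner reported in the FSS log above.
# Assumptions: Windows 7+ with PowerShell 2.0+, run from an elevated prompt.

function Get-DefenderHealth {
    [CmdletBinding()]
    param(
        # Restore defaults: Auto start, service running, no DisableAntiSpyware value.
        [switch]$Repair
    )

    # Both locations are checked. FSS flagged the first one in the log above;
    # Group Policy writes the second. A value of 1 in either turns Defender off.
    $policyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows Defender',
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    )

    # Win32_Service exposes StartMode as "Auto", "Manual" or "Disabled";
    # FSS prints "Demand" for what WMI calls "Manual".
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"
    if ($null -eq $svc) {
        Write-Warning 'WinDefend service is not present on this machine.'
        return $null
    }

    # Collect every key that carries DisableAntiSpyware=1.
    $disabledBy = @()
    foreach ($path in $policyPaths) {
        $item = Get-ItemProperty -Path $path -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        if ($item -and $item.DisableAntiSpyware -eq 1) { $disabledBy += $path }
    }

    if ($Repair) {
        foreach ($path in $disabledBy) {
            Remove-ItemProperty -Path $path -Name DisableAntiSpyware -ErrorAction Stop
        }
        Set-Service -Name WinDefend -StartupType Automatic
        if ($svc.State -ne 'Running') { Start-Service -Name WinDefend }
        # Re-read so the returned object reflects the post-repair state.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"
        $disabledBy = @()
    }

    New-Object PSObject -Property @{
        Service        = $svc.Name
        State          = $svc.State
        StartMode      = $svc.StartMode
        DisabledByKeys = $disabledBy
        Healthy        = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto' -and $disabledBy.Count -eq 0)
    }
}

# Usage: report first; run again with -Repair only once you have decided the
# setting is not intentional.
Get-DefenderHealth | Format-List
# Get-DefenderHealth -Repair | Format-List
```

On the machine in this thread the function would report State "Stopped", StartMode "Manual" and the first policy path in DisabledByKeys, matching the FSS output. One caveat before repairing: on Windows 7, Windows Defender is the antispyware component only, and third-party security products commonly switch it off on purpose when they install, so DisableAntiSpyware=1 by itself is not proof of tampering; compare the finding with which security product is installed and when it was installed.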


#10 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 28 June 2015 - 01:23 AM

Malwarebytes' Anti-Malware
Please download the latest version of Malwarebytes' Anti-Malware from Here.  The version you have installed needs to be updated.

Double Click on the mbam-setup.exe file to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link.

Once the program has loaded and updated, select "Scan Now >>" to start the scan.

The scan may take some time to finish, so please be patient.

If any malware is found, you will be presented with a screen like the one below.

If any malware is found, make sure that everything is checked, and click Remove Selected.
When the scan is complete, click View detailed log >> to view the results.
The report screen will open.
At the bottom click on Export and select as txt file, save the file to your desktop and click OK.  When the export is complete, select OPEN.
The log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + c) it to paste here in a reply.




#11 Lothar82
  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male

Posted 28 June 2015 - 09:00 AM

Ok, I did what you said. I think.

 

Downloaded MBAM, updated it and made a scan but it found nothing (log is below).

But... my MBAM version is free, not premium. Can that be the reason that it found nothing?

At least MBAM works now. Another thing I noticed is that the scan finished very fast, in like 10-15 minutes (previous scans, when everything was still "normal", lasted over an hour).

 

 

MBAM log:

 

Malwarebytes Anti-Malware

www.malwarebytes.org
 
Scan Date: 28.6.2015.
Scan Time: 14:41
Logfile: MBAM.txt
Administrator: Yes
 
Version: 2.1.8.1057
Malware Database: v2015.06.28.02
Rootkit Database: v2015.06.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Vjeko
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 354500
Time Elapsed: 21 min, 16 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#12 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 28 June 2015 - 03:37 PM

Is Emsisoft scanning now? If you do the EICAR download test, does it catch the file? (The test files can be downloaded from the site here.)

As to Malwarebytes' Anti-Malware Pro vs. Free: the detection rate is the same for both products; the Pro has real-time monitoring whereas the Free does not.

 

This next step may take a while (just to warn you) .....

ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway), so if you have IE 11, Chrome or Firefox has to be used instead. ESET Online does work with IE 10 and earlier.

You can leave Norton enabled even though ESET may warn about it; it just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same.

Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.

Take note of the NO tick in the Remove found threats setting below, as it needs to have the tick removed.

-------------------------------------------------------------------------------------------------------------------

Hold down Control key and click on the following link to open ESET OnlineScan in a new window.

Link =>> ESET Online Scanner  <<

Click the Run ESET Online Scanner located on the left side of the page (not the free trial).


For browsers other than Internet Explorer only: (Microsoft Internet Explorer users can skip this step)
Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop.


Double click on the icon on your desktop.


Check (accept) the Terms of Use.


Click the START button.
Accept any security warnings from your browser.

Now in the Computer scan settings window that appears:
Make sure that the option Enable detection of potentially unwanted applications is selected.
Now click on Advanced Settings and configure the options as follows:

Remove found threats is Not checked
Scan archives is checked
Scan for potentially unsafe applications is checked
Enable Anti-Stealth Technology is checked


Now click on: Start

ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.


When the scan is finished, if any threats are found you will see the screen below.  Click to view the found threats.


At the bottom of the listed threats, there is an option to save the results to a text file.  Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out so do not worry).


Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish.


Attach the saved log file in your next reply please.  Thanks.


Edited by dbrisendine, 28 June 2015 - 03:42 PM.



#13 Lothar82
  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male

Posted 28 June 2015 - 03:49 PM

 

 

Is Emsisoft scanning now? If you do the EICAR download test, does it catch the file? (The test files can be downloaded from the site here.)

 

All 4 files were blocked by Chrome. (??) There was no specific warning from Emsisoft AM.

 

I will do the rest now...



#14 dbrisendine

  • Malware Response Team
  • 508 posts
  • Gender:Male
  • Location:BC, Canada

Posted 28 June 2015 - 04:35 PM

If you have IE running you can test with IE.  Chrome has a "Smart Malware Blocking" feature turned on by default; it seems to keep out the bad by blocking everything but the absolutely Good files.  Checking on how to adjust this and will get back to you.




#15 Lothar82
  • Topic Starter
  • Members
  • 13 posts
  • Gender:Male

Posted 28 June 2015 - 05:50 PM

Ok, done.

 

ESET scan log:

 

C:\FRST\Quarantine\C\Users\Vjeko\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe.xBAD Win32/Agent.XHN trojan

D:\IGRE\Divinity Original Sin\Shipping\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
D:\IGRE\Homeworld Remastered Collection\Homeworld1Classic\exe\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
D:\IGRE\Homeworld Remastered Collection\Homeworld2Classic\Bin\Release\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
D:\IGRE\Homeworld Remastered Collection\HomeworldRM\Bin\Release\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
D:\IGRE\Homeworld Remastered Collection\HWLauncher\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
D:\IGRE\Sid Meier's Civilization V\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
D:\TORRENT DOWNLOADS\Divinity Original Sin [Crack от RELOADED]\Shipping\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
D:\TORRENT DOWNLOADS\Homeworld.Remastered.Collection.Update.1.Hotfix-RELOADED\Crack\Homeworld1Classic\exe\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
D:\TORRENT DOWNLOADS\Homeworld.Remastered.Collection.Update.1.Hotfix-RELOADED\Crack\Homeworld2Classic\Bin\Release\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
D:\TORRENT DOWNLOADS\Homeworld.Remastered.Collection.Update.1.Hotfix-RELOADED\Crack\HomeworldRM\Bin\Release\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application
D:\TORRENT DOWNLOADS\Homeworld.Remastered.Collection.Update.1.Hotfix-RELOADED\Crack\HWLauncher\steam_api.dll a variant of Win32/HackTool.Crack.CS potentially unsafe application




