
svchost.com infection


This topic is locked. 13 replies to this topic.

#1 TehBlaxxor

TehBlaxxor

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:18 AM

Posted 04 August 2015 - 05:41 AM

This has been happening for the past two or three days: every time I try to run a program, svchost.com asks for permission. I have also noticed certain files being damaged or missing, and sometimes the "hack shield" for games detects random stuff that isn't even there.

 

Yes, there is a svchost.com application in C:\Windows and it is an MS-DOS type. I've tried running Malwarebytes and a few other tools. I found other malware and successfully removed it, but I can't find an end to this virus.

 

Every time I remove it and I try to run EXECUTABLES, it asks me what to open them with. Eventually, the file comes back even if I delete it from the Recycle bin. I have found no suspicious processes.

 

[Attached screenshot: 7nLp0Mw.png]


Edited by TehBlaxxor, 04 August 2015 - 05:41 AM.




#2 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:08:18 AM

Posted 04 August 2015 - 05:47 AM

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:

  • Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
  • Make sure to read my instructions fully before attempting a step.
  • If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
  • Please follow the topic by clicking on the "Follow this topic" button, and make sure the "receive notifications" box is ticked and set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
  • Important information in my posts will often be in bold; make sure to take note of it.
  • I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
  • I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
  • Let's get going now!

==========================
 
Hi TehBlaxxor,
 
Please download Farbar Recovery Scan Tool and save it to your Desktop.
 
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that is the right version.

  • Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
  • Please copy and paste the log in your next reply.

Note 2: The first time the tool is run it generates another log (Addition.txt - also located in the same directory the tool was run from). Please also paste that, along with the FRST.txt into your next reply.
 
--------------
 
To recap, in your next reply I would like to see the following. Make sure to copy & paste them unless I ask otherwise:

  • FRST.txt
  • Addition.txt

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 TehBlaxxor

TehBlaxxor
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:10:18 AM

Posted 04 August 2015 - 05:53 AM

Greetings! I have followed your steps and here are the results:
 
FRST.txt:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:02-08-2015 01
Ran by Stefan (administrator) on STEFAN-PC (04-08-2015 13:49:50)
Running from C:\Users\Stefan\Downloads
Loaded Profiles: Stefan (Available Profiles: Stefan)
Platform: Microsoft Windows 7 Ultimate Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AnchorFree Inc.) C:\Program Files\Hotspot Shield\bin\cmw_srv.exe
() C:\Program Files\Hotspot Shield\bin\hsswd.exe
(Nero AG) C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(LogMeIn Inc.) D:\LogMeIn Hamachi\hamachi-2.exe
(LogMeIn, Inc.) D:\LogMeIn Hamachi\LMIGuardianSvc.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Skillbrains) C:\Program Files\Skillbrains\lightshot\5.2.1.1\Lightshot.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31072 2008-10-25] (Microsoft Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe [2279712 2013-12-10] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Lightshot] => C:\Program Files\Skillbrains\lightshot\Lightshot.exe [226560 2014-11-18] ()
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKLM\...\Run: [LogMeIn Hamachi Ui] => D:\LogMeIn Hamachi\hamachi-2-ui.exe [5579624 2015-08-03] (LogMeIn Inc.)
HKLM\...\Winlogon: [Userinit] userinit.exe,c:\program files\microsoft\desktoplayer.exe,
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [Pando Media Booster] => C:\Program Files\Pando Networks\Media Booster\PMB.exe [4284976 2013-05-19] ()
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [DAEMON Tools Ultra Agent] => D:\DAEMON Tools Ultra\DTAgent.exe [3165216 2015-08-02] ()
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [DAEMON Tools Lite] => C:\Program Files\DAEMON Tools Lite\DTLite.exe [3673696 2013-08-01] (Disc Soft Ltd)
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [53282944 2015-06-29] (Skype Technologies S.A.)
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5529880 2015-03-13] (Piriform Ltd)
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [Akamai NetSession Interface] => C:\Users\Stefan\AppData\Local\Akamai\netsession_win.exe [4714904 2015-08-03] ()
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [Clownfish] => D:\PESTE CLOVN\Clownfish.exe [1382664 2015-08-02] ()
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
IFEO\bpsvc.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
IFEO\browserprotect.exe: [Debugger] tasklist.exe
IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
IFEO\jumpflip: [Debugger] tasklist.exe
IFEO\protectedsearch.exe: [Debugger] tasklist.exe
IFEO\searchinstaller.exe: [Debugger] tasklist.exe
IFEO\searchprotection.exe: [Debugger] tasklist.exe
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\searchsettings.exe: [Debugger] tasklist.exe
IFEO\searchsettings64.exe: [Debugger] tasklist.exe
IFEO\snapdo.exe: [Debugger] tasklist.exe
IFEO\stinst32.exe: [Debugger] tasklist.exe
IFEO\stinst64.exe: [Debugger] tasklist.exe
IFEO\umbrella.exe: [Debugger] tasklist.exe
IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
IFEO\volaro: [Debugger] tasklist.exe
IFEO\vonteera: [Debugger] tasklist.exe
IFEO\websteroids.exe: [Debugger] tasklist.exe
IFEO\websteroidsservice.exe: [Debugger] tasklist.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyServer: [S-1-5-21-481355970-3911323781-190828911-1001] => http=127.0.0.1:8888;https=127.0.0.1:8888
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-481355970-3911323781-190828911-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-481355970-3911323781-190828911-1001 -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL =
SearchScopes: HKU\S-1-5-21-481355970-3911323781-190828911-1001 -> {997A4750-381F-41C2-9ED4-E6C2CD012936} URL = http://searchou.com/?q={searchTerms}&id=7cf20d0e00000000000000ffb36a1def&r=159
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-21] (Oracle Corporation)
BHO: No Name -> {A7AE14C7-B067-82C3-583F-85F59AFE7860} -> No File
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-21] (Oracle Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-12] (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 193.231.252.1 192.168.0.1
Tcpip\..\Interfaces\{B52EBE2B-1D74-4E2E-A1A6-586297E22AD7}: [DhcpNameServer] 193.231.252.1 192.168.0.1
Tcpip\..\Interfaces\{CEAD5A0D-FA43-43EA-976F-9124974CCFB2}: [NameServer] 8.8.8.8

FireFox:
========
FF ProfilePath: C:\Users\Stefan\AppData\Roaming\Mozilla\Firefox\Profiles\i57f7wl9.default-1438683375717
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-14] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1202122.dll [2013-04-03] (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-21] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-21] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll [2013-05-13] ( Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-12-19] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-12-19] (NVIDIA Corporation)
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [2013-05-19] (Pando Networks)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-481355970-3911323781-190828911-1001: @kaneva.com/KanevaPatch -> C:\Program Files\Kaneva\npkanevapatch.dll No File
FF Plugin HKU\S-1-5-21-481355970-3911323781-190828911-1001: @nsroblox.roblox.com/launcher -> C:\Users\Stefan\AppData\Local\Roblox\Versions\version-ea077ae9bef64263\\NPRobloxProxy.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-481355970-3911323781-190828911-1001: @nsroblox.roblox.com/launcher64 -> C:\Users\Stefan\AppData\Local\Roblox\Versions\version-ea077ae9bef64263\\NPRobloxProxy64.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-481355970-3911323781-190828911-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Stefan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-06-12] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-481355970-3911323781-190828911-1001: pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [2013-05-19] (Pando Networks)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npkanevapatch.dll [2013-04-09] (Kaneva, LLC.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Extension: Hotspot Shield Helper (Please allow this installation) - C:\Program Files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com [2015-06-03]
FF HKLM\...\Firefox\Extensions: [fiddlerhook@fiddler2.com] - D:\Fiddler2\FiddlerHook
FF Extension: FiddlerHook - D:\Fiddler2\FiddlerHook [2014-08-02]

Chrome:
=======
CHR Profile: C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (ROBLOX 3D Preview Plugin) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\begdomdbhchlodcakjoephdlnmkkljoa [2014-03-11]
CHR Extension: (Fast Proxy) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkjcdfmmpdfjohenejbkaaafkoeknjnh [2014-08-08]
CHR Extension: (Adblock Plus) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-03-31]
CHR Extension: (OneTab) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\chphlpgkkbolifaimnlloiipkdnihall [2014-08-08]
CHR Extension: (No Name) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgbimgjoijjemhdamicmljbncacfndmp [2014-08-08]
CHR Extension: (Tampermonkey) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2014-05-30]
CHR Extension: (ROBLOX Group Shout Notifier) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\edbploaefmmlnfjjoidiiohbdfcpgihg [2014-08-08]
CHR Extension: (EditThisCookie) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2014-08-06]
CHR Extension: (AdBlock) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-08-11]
CHR Extension: (TU 95) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmdceamebdfbknogpjgpnlfkhhdfiadd [2014-08-08]
CHR Extension: (Roblox OBC Theme Changer) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\iaobbfadkioeagmemoalfhebogdenjnk [2014-08-08]
CHR Extension: (Zalmos SSL Web Proxy for Free) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\idefjamndcpplnamdlbodoebjgkpdmpn [2014-08-08]
CHR Extension: (Adblock Advisor) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\iplojogpbcbnjoemcalepfmbcpnkpjjo [2014-03-31]
CHR Extension: (Roblox Forum Enhancer) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcpdfglmclgjedmjhiakmmgkcibkimod [2014-08-08]
CHR Extension: (Roblox Hat Notifier) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjepeiijmflchkjgfjpopeimafiognkc [2014-08-08]
CHR Extension: (Build with Chrome) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbbhbjeecagnlfgggogfclkdjamoapf [2014-08-08]
CHR Extension: (ROBLOX: Quick Asset Downloader) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\meljceogbjjmgjhhbnmjjgepchpjkklc [2014-05-30]
CHR Extension: (FastestFox for Chrome) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmffncokckfccddfenhkhnllmlobdahm [2014-05-26]
CHR Extension: (ROBLOX Outfit Saver Extension) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpaohnjlgfabcooefhihmafmdcbliakf [2014-08-08]
CHR Extension: (Google Wallet) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-01]
CHR Extension: (Roblox Assault Team - Group Shout Notifier) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\obghddnhnefhbeibehcibghkccmlpama [2014-08-08]
CHR Extension: (My Chrome Theme) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\oehpjpccmlcalbenfhnacjeocbjdonic [2014-08-08]
CHR Extension: (fun coupons) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pogchimbndbckepmhaagnapfmlfgnala [2015-04-01]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Hamachi2Svc; D:\LogMeIn Hamachi\hamachi-2.exe [1883496 2015-08-03] (LogMeIn Inc.)
R2 hshld; C:\Program Files\Hotspot Shield\bin\cmw_srv.exe [1169616 2015-06-04] (AnchorFree Inc.)
S3 HssTrayService; C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE [96600 2015-06-04] ()
R2 HssWd; C:\Program Files\Hotspot Shield\bin\hsswd.exe [589520 2015-06-04] ()
R2 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1494304 2013-12-10] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [14658848 2013-12-10] (NVIDIA Corporation)
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [131272 2014-01-17] (Sandboxie Holdings, LLC)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 dtscsibus; C:\Windows\System32\DRIVERS\dtscsibus.sys [24704 2013-06-13] (Disc Soft Ltd)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [243128 2013-10-20] (Disc Soft Ltd)
R3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2015-03-30] (LogMeIn, Inc.)
R1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [39528 2015-06-04] (AnchorFree Inc.)
R3 msloop; C:\Windows\System32\DRIVERS\loop.sys [5632 2009-07-14] (Microsoft Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [34080 2013-12-05] (NVIDIA Corporation)
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [161888 2014-01-17] (Sandboxie Holdings, LLC)
R3 SCREAMINGBDRIVER; C:\Windows\System32\drivers\ScreamingBAudio.sys [34896 2012-07-31] (Screaming Bee LLC)
R3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [35288 2013-08-22] (The OpenVPN Project)
R3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [36968 2015-06-04] (Anchorfree Inc.)
S3 WinRing0_1_2_0; D:\Game Booster 3\Driver\WinRing0.sys [14416 2010-11-01] (OpenLibSys.org)
S3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 XFDriver; \??\D:\Xfire2\XFDriver.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-04 13:49 - 2015-08-04 13:50 - 00017594 _____ C:\Users\Stefan\Downloads\FRST.txt
2015-08-04 13:49 - 2015-08-04 13:49 - 00000000 ____D C:\FRST
2015-08-04 13:48 - 2015-08-04 13:49 - 01673728 _____ (Farbar) C:\Users\Stefan\Downloads\FRST.exe
2015-08-04 13:16 - 2015-08-04 13:16 - 00041472 _____ C:\Windows\svchost.com
2015-08-04 12:59 - 2015-08-04 12:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Hamachi
2015-08-04 12:58 - 2015-08-04 12:58 - 00000168 _____ C:\Windows\setupact.log
2015-08-04 12:58 - 2015-08-04 12:58 - 00000000 _____ C:\Windows\setuperr.log
2015-08-04 12:47 - 2015-08-04 13:01 - 00000000 ____D C:\TDSSKiller_Quarantine
2015-08-03 14:55 - 2015-08-03 14:55 - 00000590 _____ C:\ProgramData\Microsoft\Windows\Start Menu\WinRAR.lnk
2015-08-03 14:47 - 2015-08-03 14:48 - 00000222 _____ C:\Windows\system32\metin2.cfg
2015-08-03 13:14 - 2015-08-03 13:14 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-08-03 08:08 - 2015-08-03 08:08 - 02303488 _____ (Python Software Foundation) C:\Windows\system32\python27.dll
2015-08-03 08:08 - 2015-06-26 13:11 - 00827392 _____ (PythonLabs at Zope Corporation) C:\Windows\system32\python22.dll
2015-08-02 19:28 - 2015-08-04 13:24 - 00000058 _____ C:\Windows\directx.sys
2015-07-16 18:57 - 2015-07-16 18:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoHotkey
2015-07-12 14:25 - 2015-08-03 13:05 - 00000000 ____D C:\Users\Stefan\AppData\Local\LogMeIn Hamachi
2015-07-11 21:53 - 2015-07-11 21:53 - 00000000 ____D C:\Users\Stefan\AppData\Local\GitHub,_Inc
2015-07-11 18:10 - 2015-07-11 18:10 - 00000000 ____D C:\Users\Stefan\AppData\Local\DigitalVolcano
2015-07-11 18:09 - 2015-07-11 18:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hash Tool
2015-07-11 13:59 - 2015-07-11 14:02 - 00000000 ____D C:\Users\Stefan\Documents\ClownfishSoundTemp
2015-07-11 09:57 - 2015-07-11 09:57 - 00000549 _____ C:\Users\Public\Desktop\DarkComet Remover.lnk
2015-07-11 09:57 - 2015-07-11 09:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DarkComet RAT Remover
2015-07-09 18:56 - 2015-07-09 18:57 - 00000000 ____D C:\ProgramData\Hotspot Shield
2015-07-09 18:56 - 2015-07-09 18:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotspot Shield
2015-07-09 18:55 - 2015-07-09 18:57 - 00000000 ____D C:\Program Files\Hotspot Shield
2015-07-09 18:55 - 2015-06-04 02:01 - 00039528 _____ (AnchorFree Inc.) C:\Windows\system32\Drivers\hssdrv6.sys
2015-07-09 18:54 - 2015-07-09 18:54 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Hotspot Shield
2015-07-07 21:19 - 2015-07-07 21:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Metin2 Factory
2015-07-06 20:37 - 2015-07-06 20:37 - 00000000 ____D C:\Program Files\Microsoft XNA
2015-07-06 18:15 - 2015-07-06 18:15 - 00000000 ____D C:\ProgramData\Screaming Bee
2015-07-06 17:37 - 2015-07-06 17:37 - 00000000 ____D C:\ProgramData\LogMeIn
2015-07-06 15:47 - 2015-08-04 11:37 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\uTorrent
2015-07-06 15:42 - 2015-07-06 15:41 - 00485905 _____ C:\Users\Stefan\Downloads\terraria.zip
2015-07-05 17:03 - 2015-07-05 17:03 - 00000000 ____D C:\Users\Stefan\AppData\Local\CrashRpt

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-04 13:49 - 2013-05-04 05:05 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Skype
2015-08-04 13:42 - 2015-04-01 18:42 - 00001310 _____ C:\Windows\Tasks\fun_coupons_notification_service.job
2015-08-04 13:20 - 2013-05-17 13:24 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-04 13:16 - 2015-05-04 16:50 - 00000000 ____D C:\Users\Stefan\Desktop\Old Firefox Data
2015-08-04 13:03 - 2009-07-14 07:34 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-04 13:03 - 2009-07-14 07:34 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-04 13:02 - 2013-05-04 13:47 - 02051102 _____ C:\Windows\WindowsUpdate.log
2015-08-04 13:02 - 2013-05-04 04:55 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-04 13:02 - 2013-05-04 04:55 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-04 12:58 - 2015-06-02 18:12 - 00302828 _____ C:\Windows\PFRO.log
2015-08-04 12:58 - 2013-05-04 05:46 - 00000000 ____D C:\ProgramData\NVIDIA
2015-08-04 12:58 - 2009-07-14 07:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-04 12:51 - 2013-05-05 00:23 - 00000378 _____ C:\Windows\Tasks\update-S-1-5-21-481355970-3911323781-190828911-1001.job
2015-08-04 12:39 - 2013-05-09 20:43 - 00000000 ____D C:\Program Files\Common Files\Adobe
2015-08-04 12:39 - 2013-05-09 20:41 - 00000000 ____D C:\ProgramData\Adobe
2015-08-04 12:38 - 2013-05-09 20:46 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Adobe
2015-08-04 12:38 - 2013-05-09 20:43 - 00000000 ____D C:\Program Files\Adobe
2015-08-04 11:30 - 2013-05-05 00:23 - 00000378 _____ C:\Windows\Tasks\update-sys.job
2015-08-03 14:55 - 2013-05-04 04:41 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-08-03 14:55 - 2013-05-04 04:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-08-03 14:44 - 2014-08-25 21:23 - 00000000 ____D C:\Windows\Minidump
2015-08-03 13:58 - 2014-06-15 09:29 - 00000000 ____D C:\Windows\pss
2015-08-03 13:57 - 2015-03-21 20:14 - 00000000 ____D C:\ProgramData\Nimoru
2015-08-03 13:57 - 2014-07-19 16:32 - 00000000 ____D C:\Program Files\globalUpdate
2015-08-03 13:57 - 2014-03-06 19:47 - 00000000 ____D C:\Program Files\websaave
2015-08-03 13:57 - 2014-02-15 14:15 - 00000000 ____D C:\Program Files\weBsaaVee
2015-08-03 13:51 - 2013-05-04 04:41 - 00000000 ____D C:\Program Files\WinRAR
2015-08-03 13:14 - 2015-06-03 14:04 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-08-03 13:06 - 2014-10-25 20:35 - 05198184 _____ C:\Users\Public\Desktop\MorphVOXPro4_Install-1.exe
2015-08-03 13:03 - 2013-05-19 11:46 - 00000000 ____D C:\Users\Stefan\AppData\Local\PMB Files
2015-08-03 12:12 - 2013-07-02 18:56 - 00026176 ____H (LogMeIn, Inc.) C:\Windows\system32\hamachi.sys
2015-08-02 14:38 - 2014-08-22 16:54 - 00184832 _____ C:\Users\Stefan\Desktop\DepCheck.exe
2015-08-02 14:38 - 2014-07-14 11:48 - 00227328 _____ C:\Users\Stefan\xextool.exe
2015-08-02 14:38 - 2014-02-16 11:01 - 00900423 _____ C:\Users\Stefan\Desktop\w.exe
2015-08-02 14:38 - 2013-07-01 18:59 - 00526464 _____ C:\Users\Stefan\Desktop\Minecraft.exe
2015-08-02 14:37 - 2013-12-26 14:07 - 01657077 ___SH C:\Users\Stefan\AppData\Roaming\Roblox.exe
2015-08-02 14:30 - 2013-05-04 03:55 - 00000000 ____D C:\Users\Stefan
2015-07-30 07:56 - 2013-05-04 04:56 - 00002131 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-07-20 15:31 - 2015-04-10 19:18 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\.minecraft
2015-07-16 20:13 - 2013-05-19 11:46 - 00000000 ____D C:\ProgramData\PMB Files
2015-07-16 18:57 - 2009-07-14 10:49 - 00000000 ____D C:\Windows\ShellNew
2015-07-15 22:39 - 2013-05-09 20:44 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-07-14 22:20 - 2013-05-17 13:24 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-07-14 22:20 - 2013-05-17 13:24 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-07-13 17:26 - 2015-01-01 11:05 - 00000000 ____D C:\Users\Stefan\Documents\Visual Studio 2012
2015-07-11 21:53 - 2015-01-02 13:11 - 00000000 ____D C:\Users\Stefan\AppData\Local\GitHub
2015-07-11 21:51 - 2015-01-02 13:11 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\GitHub
2015-07-09 13:43 - 2014-10-11 10:55 - 00000000 ___RD C:\Program Files\Skype
2015-07-09 13:43 - 2013-05-04 05:04 - 00000000 ____D C:\ProgramData\Skype
2015-07-09 13:41 - 2013-05-17 13:13 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service
2015-07-08 08:50 - 2014-07-21 18:56 - 00000000 ____D C:\Users\Stefan\Documents\My Games
2015-07-08 08:50 - 2009-07-14 07:52 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-07-07 17:09 - 2013-05-04 09:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation
2015-07-07 17:09 - 2013-05-04 05:44 - 00000000 ____D C:\Program Files\NVIDIA Corporation
2015-07-07 09:22 - 2009-07-14 05:37 - 00000000 ____D C:\Windows\Help
2015-07-06 20:37 - 2009-07-14 05:37 - 00000000 ____D C:\Program Files\Common Files\microsoft shared
2015-07-06 15:48 - 2014-02-20 18:31 - 00002645 _____ C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\µTorrent.lnk

==================== Files in the root of some directories =======

2015-06-13 13:46 - 2015-06-13 13:46 - 0000754 _____ () C:\Program Files\Drakensang Online.lnk
2013-05-24 15:52 - 2013-05-24 15:52 - 2762223 _____ () C:\Users\Stefan\AppData\Roaming\55982saved - copy.exe.52201.gzquar
2013-05-24 15:52 - 2013-05-24 15:52 - 2762223 _____ () C:\Users\Stefan\AppData\Roaming\74529saved - copy.exe.49067.gzquar
2013-06-26 09:46 - 2013-06-26 09:46 - 2762223 _____ () C:\Users\Stefan\AppData\Roaming\78083RBXSmoother.exe.92955.gzquar
2014-05-24 15:50 - 2015-05-29 17:03 - 0000132 _____ () C:\Users\Stefan\AppData\Roaming\Adobe PNG Format CS6 Prefs
2013-05-05 17:48 - 2013-08-03 21:16 - 0000104 _____ () C:\Users\Stefan\AppData\Roaming\Camdata.ini
2013-05-05 17:48 - 2013-08-03 21:16 - 0000408 _____ () C:\Users\Stefan\AppData\Roaming\CamLayout.ini
2013-05-05 17:48 - 2013-08-03 21:16 - 0000408 _____ () C:\Users\Stefan\AppData\Roaming\CamShapes.ini
2013-05-05 17:48 - 2013-08-03 21:16 - 0004509 _____ () C:\Users\Stefan\AppData\Roaming\CamStudio.cfg
2015-05-09 13:13 - 2015-05-09 13:13 - 0000113 _____ () C:\Users\Stefan\AppData\Roaming\D2Info0
2015-05-09 13:13 - 2015-05-09 13:57 - 0000008 _____ () C:\Users\Stefan\AppData\Roaming\DofusAppId0_1
2014-08-28 12:48 - 2014-08-28 12:48 - 0000849 _____ () C:\Users\Stefan\AppData\Roaming\Roaming - Shortcut.lnk
2013-12-26 14:07 - 2015-08-02 14:37 - 1657077 ___SH () C:\Users\Stefan\AppData\Roaming\Roblox.exe
2014-06-19 12:19 - 2014-06-19 12:19 - 0000024 _____ () C:\Users\Stefan\AppData\Roaming\temp.ini
2014-08-28 12:48 - 2014-08-28 12:51 - 0041472 ___SH () C:\Users\Stefan\AppData\Roaming\Thumbs.db
2013-07-02 14:28 - 2014-08-08 18:53 - 0006656 _____ () C:\Users\Stefan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-05-21 19:19 - 2013-05-21 20:23 - 0000600 _____ () C:\Users\Stefan\AppData\Local\PUTTY.RND
2013-06-26 09:44 - 2013-06-26 09:44 - 0000165 _____ () C:\Users\Stefan\AppData\Local\Tempscratch.cmd
2013-05-05 00:23 - 2013-05-05 00:23 - 0000003 _____ () C:\Users\Stefan\AppData\Local\updater.log
2013-05-05 00:23 - 2015-04-22 20:57 - 0000412 _____ () C:\Users\Stefan\AppData\Local\UserProducts.xml
2013-05-04 04:23 - 2013-05-04 04:23 - 0139583 _____ () C:\ProgramData\1367630557.bdinstall.bin
2014-02-15 14:57 - 2014-02-15 14:57 - 0036382 _____ () C:\ProgramData\1392465437.bdinstall.bin
2014-02-15 14:58 - 2014-02-15 14:58 - 0098975 _____ () C:\ProgramData\1392465439.bdinstall.bin

Some files in TEMP:
====================
C:\Users\Stefan\AppData\Local\Temp\{147FAA49-85CF-4CE2-B87D-EBBE97372E5D}.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-07-13 09:06

==================== End of log ============================

Addition.txt:
Additional scan result of Farbar Recovery Scan Tool (x86) Version:02-08-2015 01
Ran by Stefan (2015-08-04 13:51:31)
Running from C:\Users\Stefan\Downloads
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-481355970-3911323781-190828911-500 - Administrator - Disabled)
Guest (S-1-5-21-481355970-3911323781-190828911-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-481355970-3911323781-190828911-1002 - Limited - Enabled)
Stefan (S-1-5-21-481355970-3911323781-190828911-1001 - Administrator - Enabled) => C:\Users\Stefan

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\uTorrent) (Version: 3.4.3.40760 - BitTorrent Inc.)
2007 Microsoft Office Suite Service Pack 2 (SP2) (HKLM\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}) (Version: - Microsoft)
2007 Microsoft Office Suite Service Pack 2 (SP2) (Version: - Microsoft) Hidden
Adobe AIR (HKLM\...\Adobe AIR) (Version: 16.0.0.245 - Adobe Systems Incorporated)
Adobe Flash Player 18 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.12) (HKLM\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM\...\Adobe Shockwave Player) (Version: 12.0.2.122 - Adobe Systems, Inc.)
AdVenture Capitalist (HKLM\...\Steam App 346900) (Version: - Hyper Hippo Games)
Advertising Center (Version: 0.0.0.1 - Nero AG) Hidden
Akamai NetSession Interface (HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Akamai) (Version: - Akamai Technologies, Inc)
AutoHotkey 1.1.22.03 (HKLM\...\AutoHotkey) (Version: 1.1.22.03 - Lexikos)
Bandicam (HKLM\...\Bandicam) (Version: 2.0.2.655 - Bandisoft.com)
Blend for Visual Studio Add-in for Adobe FXG Import (Version: 1.0.40218.0 - Microsoft Corporation) Hidden
Blend for Visual Studio SDK for .NET 4.5 (Version: 3.0.40218.0 - Microsoft Corporation) Hidden
Blend for Visual Studio SDK for Silverlight 5 (Version: 3.0.40218.0 - Microsoft Corporation) Hidden
Brawlhalla (HKLM\...\Steam App 291550) (Version: - Blue Mammoth Games)
CCleaner (HKLM\...\CCleaner) (Version: 5.04 - Piriform)
Cheat Engine 6.4 (HKLM\...\Cheat Engine 6.4_is1) (Version: - Cheat Engine)
Clicker Heroes (HKLM\...\Steam App 363970) (Version: - )
Clownfish for Skype (HKLM\...\Clownfish) (Version: - )
Counter-Strike (HKLM\...\Counter-Strike) (Version: - )
DAEMON Tools Lite (HKLM\...\DAEMON Tools Lite) (Version: 4.47.1.0337 - Disc Soft Ltd)
DAEMON Tools Ultra (HKLM\...\DAEMON Tools Ultra) (Version: 1.1.0.0101 - Disc Soft Ltd)
DarkComet RAT Remover version 1.0 (HKLM\...\DarkComet RAT Remover_is1) (Version: 1.0 - Phrozen ® Software 2012.)
DarkComet Remover version 2.0 (HKLM\...\DarkComet Remover_is1) (Version: 2.0 - Phrozen ® Software 2013.)
DataNumen TAR Repair v2.0 (HKLM\...\DataNumen TAR Repair v2.0) (Version: - )
Dxtory version 2.0.119 (HKLM\...\Dxtory2.0_is1) (Version: 2.0.119 - Dxtory Software)
Entity Framework Designer for Visual Studio 2012 - enu (HKLM\...\{3F29268A-F53A-4387-9F2B-E9368A823178}) (Version: 11.1.30729.00 - Microsoft Corporation)
Ezvid (HKLM\...\{F96D619D-99D6-4C9C-A393-0CD22DE1CA66}_is1) (Version: 0982 - Ezvid, inc.)
Fiddler (HKLM\...\Fiddler2) (Version: 4.4.9.2 - Telerik)
Galactic Voices (HKLM\...\{6FA87E69-ECA6-4708-BF05-8EC699DEA764}) (Version: 1.3.2 - Screaming Bee)
Game Booster 3 (HKLM\...\Game Booster_is1) (Version: 3.4 - IObit)
GeForce Experience NvStream Client Components (Version: 1.6.28 - NVIDIA Corporation) Hidden
GitHub (HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\5f7eb300e2ea4ebf) (Version: 2.6.6.2 - GitHub, Inc.)
Google Chrome (HKLM\...\Google Chrome) (Version: 44.0.2403.125 - Google Inc.)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (Version: 1.3.28.1 - Google Inc.) Hidden
Hash Tool (HKLM\...\Hash Tool_is1) (Version: 1.1 - DigitalVolcano)
Hotspot Shield 4.15.3 (HKLM\...\HotspotShield) (Version: 4.15.3 - AnchorFree Inc.)
HxD Hex Editor version 1.7.7.0 (HKLM\...\HxD Hex Editor_is1) (Version: 1.7.7.0 - Maël Hörz)
Icon Changer V 1.0 (HKLM\...\Icon Changer V 1.0) (Version: - )
IDA Pro Free v5.0 (HKLM\...\IDA Pro Free_is1) (Version: - Hex-Rays SA)
Java 8 Update 45 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
Java SE Development Kit 7 Update 67 (HKLM\...\{32A3A4F4-B792-11D6-A78A-00B0D0170670}) (Version: 1.7.0.670 - Oracle)
Java SE Development Kit 8 Update 40 (HKLM\...\{32A3A4F4-B792-11D6-A78A-00B0D0180400}) (Version: 8.0.400.26 - Oracle Corporation)
JPEXS Free Flash Decompiler (HKLM\...\{E618D276-6596-41F4-8A98-447D442A77DB}_is1) (Version: 4.1.1 - JPEXS)
Kingo Android ROOT version 1.2.2.1915 (HKLM\...\{AE7675D6-0B31-494F-ABFA-822E1A0FDF17}_is1) (Version: 1.2.2.1915 - Kingosoft Technology Ltd.)
League of Legends (HKLM\...\League of Legends 3.0.1) (Version: 3.0.1 - Riot Games)
League of Legends (Version: 3.0.1 - Riot Games) Hidden
Lightshot-5.2.1.1 (HKLM\...\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1) (Version: 5.2.1.1 - Skillbrains)
LogMeIn Hamachi (HKLM\...\LogMeIn Hamachi) (Version: 2.2.0.383 - LogMeIn, Inc.)
LogMeIn Hamachi (Version: 2.2.0.383 - LogMeIn, Inc.) Hidden
MegaDownloader 0.92 (HKLM\...\{C12C2297-65A4-4E64-9AE1-29F0D947FDA0}}_is1) (Version: 0.92 - Andres_age)
Metin2 Factory version 1.5 (HKLM\...\{C8B02306-E576-48F6-BC12-E5BECDCD6163}_is1) (Version: 1.5 - Factory Network)
Metin2GX 1.20 (HKLM\...\Metin2GX 1.20) (Version: 1.20 - Asist Online Activ)
Metin2United (HKLM\...\{B7BC7C6F-9A4E-4973-BE84-ECA8E3427C97}) (Version: 1.0.0.0 - Metin2United)
Microsoft .NET Framework 4.5 Multi-Targeting Pack (HKLM\...\{5CBFF3F3-2D40-34EE-BCA5-A95BC19E400D}) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft .NET Framework 4.5 SDK (HKLM\...\{1948E039-EC79-4591-951D-9867A8C14C90}) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (ENU) (HKLM\...\{D3517C62-68A5-37CF-92F7-93C029A89681}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 Multi-Targeting Pack (HKLM\...\{6A0C6700-EA93-372C-8871-DCCF13D160A4}) (Version: 4.5.50932 - Microsoft Corporation)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Help Viewer 2.0 (HKLM\...\Microsoft Help Viewer 2.0) (Version: 2.0.50727 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM\...\ENTERPRISE) (Version: 12.0.6425.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20513.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Command Line Utilities (HKLM\...\{45A8F8FF-ED9B-40B2-B923-94F46FCF6135}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Data-Tier App Framework (HKLM\...\{FBA6F90E-36EC-4FC9-9B25-3834E3BD46A8}) (Version: 11.0.2316.0 - Microsoft Corporation)
Microsoft SQL Server 2012 Express LocalDB (HKLM\...\{D9DA2981-3298-4F1A-9192-F2CF5BD91145}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Management Objects (HKLM\...\{DA1C1761-5F4F-4332-AB9D-29EDF3F8EA0A}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Native Client (HKLM\...\{83C7F964-AC58-4104-B613-B4D0F61DA8CD}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL Compiler Service (HKLM\...\{79B49428-E9B0-4479-A0FA-3EFF8AFA9F07}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 Transact-SQL ScriptDom (HKLM\...\{CD920828-2B95-49A4-8BFD-1D34BCBF5A27}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2012 T-SQL Language Service (HKLM\...\{6D6D43E5-218C-4B05-92D3-2240810F4760}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft SQL Server 2014 Express LocalDB (HKLM\...\{4A1DEB7A-341B-453E-A3AF-7EA9902F9711}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 Management Objects (HKLM\...\{2774595F-BC2A-4B12-A25B-0C37A37049B0}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 Transact-SQL Compiler Service (HKLM\...\{E9C3861A-B0E6-4A1A-983B-E1938C01224A}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 Transact-SQL ScriptDom (HKLM\...\{C340BAB2-9A21-41B9-A465-7AC7B1DF773E}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server 2014 T-SQL Language Service (HKLM\...\{47D08E7A-92A1-489B-B0BF-415516497BCE}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft SQL Server Compact 4.0 SP1 ENU (HKLM\...\{773AC1E4-5F27-4DF6-A932-7FDDE35C069D}) (Version: 4.0.8876.1 - Microsoft Corporation)
Microsoft SQL Server Data Tools - enu (11.1.50318.0) (HKLM\...\{C87D761D-3CE9-4F21-9353-8779927C8554}) (Version: 11.1.50318.0 - Microsoft Corporation)
Microsoft SQL Server Data Tools 2012 (HKLM\...\{58d28222-b4df-41e9-9238-59961a53c4f5}) (Version: 11.1.50318.0 - Microsoft Corporation)
Microsoft SQL Server Data Tools Build Utilities - enu (11.1.20828.01) (HKLM\...\{FAE0523E-08A4-4717-8E8E-6EC6F32CBE88}) (Version: 11.1.20828.01 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2012 (HKLM\...\{E2082604-4BA5-44BB-BBFB-AF0F3CB8C6AB}) (Version: 11.0.2100.60 - Microsoft Corporation)
Microsoft System CLR Types for SQL Server 2014 (HKLM\...\{4AEB505C-95E1-4964-9B64-8D27F3186D30}) (Version: 12.0.2000.8 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM\...\{4fd02573-5f12-4ae4-8027-c63f8e1115af}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual Studio 2012 Shell (Integrated) (HKLM\...\{55b160d2-8221-45fd-ab30-4388c69c0f3b}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual Studio 2012 Shell (Integrated) Language Pack - ENU (HKLM\...\{e1d01f79-be4a-4e83-b707-a009c4f6e53f}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual Studio 2012 Shell (Isolated) (HKLM\...\{d2e0df0f-bf0a-4a89-9530-ebf93842c393}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual Studio 2012 Shell (Isolated) Language Pack - ENU (HKLM\...\{b8df2deb-8a9f-48c8-9608-1eb3861b5630}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual Studio Express 2012 for Windows Desktop - ENU (HKLM\...\{e0efdce9-a486-4676-8aa5-65bb08cbf34c}) (Version: 11.0.50727.42 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
MorphVOX Junior (HKLM\...\{E741AE90-F491-4EB2-B160-33B0CCD85CB1}) (Version: 2.8.0 - Screaming Bee)
MorphVOX Pro (HKLM\...\{4bfc0d50-0417-46a0-ab1e-475fb1a90916}) (Version: 4.4.17.22603 - Screaming Bee)
MorphVOX Pro (Version: 4.4.17.22603 - Screaming Bee) Hidden
Mozilla Firefox 39.0 (x86 en-US) (HKLM\...\Mozilla Firefox 39.0 (x86 en-US)) (Version: 39.0 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
Nero 9 Essentials (HKLM\...\{a4481611-25ec-4bc2-8a67-adf4d3b44735}) (Version: - Nero AG)
No-IP DUC (HKLM\...\NoIPDUC) (Version: 4.0.2 - Vitalwerks Internet Solutions LLC)
Notepad++ (HKLM\...\Notepad++) (Version: 5.9.8 - )
NVIDIA 3D Vision Controller Driver 332.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 332.21 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 332.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 332.21 - NVIDIA Corporation)
NVIDIA GeForce Experience 1.8.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 1.8.1 - NVIDIA Corporation)
NVIDIA Graphics Driver 332.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 332.21 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.13.0725 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.0725 - NVIDIA Corporation)
NVIDIA Virtual Audio 1.2.19 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_VirtualAudio.Driver) (Version: 1.2.19 - NVIDIA Corporation)
OpenAL (HKLM\...\OpenAL) (Version: - )
Paint.NET v3.5.11 (HKLM\...\{72EF03F5-0507-4861-9A44-D99FD4C41417}) (Version: 3.61.0 - dotPDN LLC)
Pando Media Booster (HKLM\...\{980A182F-E0A2-4A40-94C1-AE0C1235902E}) (Version: 2.6.0.9 - Pando Networks Inc.)
Personality Voices (HKLM\...\{82D4F024-1779-4CBA-B8DA-FC214FC7DF72}) (Version: 1.0.2 - Screaming Bee)
Prerequisites for SSDT (HKLM\...\{21373064-AD95-48DB-A32E-0D9E08EF7355}) (Version: 12.0.2000.8 - Microsoft Corporation)
Prerequisites for SSDT (HKLM\...\{9169C939-ED01-446A-BD0C-29873BAF4E48}) (Version: 11.0.2100.60 - Microsoft Corporation)
Resource Hacker Version 3.6.0 (HKLM\...\ResourceHacker_is1) (Version: - )
ROBLOX Player for Stefan (HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\{373B1718-8CC5-4567-8EE2-9033AD08A680}) (Version: - ROBLOX Corporation)
S4 League (HKLM\...\S4 League) (Version: - )
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.24.0 - SAMSUNG Electronics Co., Ltd.)
Sci-Fi Voice Pack (HKLM\...\{6B1113AD-E770-4A4D-BDF5-AAA0C430DC7D}) (Version: 1.3.2 - Screaming Bee)
SHIELD Streaming (Version: 1.6.85 - NVIDIA Corporation) Hidden
Skype™ 7.6 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.6.105 - Skype Technologies S.A.)
Sothink SWF Decompiler (HKLM\...\{BCDB856C-D247-4DEE-9132-89C02F4D6B8C}_is1) (Version: 7.4 - SourceTec Software Co., LTD)
Sothink SWF Editor (HKLM\...\{0BF1DE3D-31B9-417F-A915-4BCC5AAEE3CD}_is1) (Version: 1.3 - SourceTec Software Co., LTD)
Steam (HKLM\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
Sublime Text 2.0.2 (HKLM\...\Sublime Text 2_is1) (Version: - )
SWiX 1.4.0.2318 (HKLM\...\SWiX_is1) (Version: 1.4.0.2318 - Richmedia Ltd.)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
System Requirements Lab Detection (HKLM\...\{F4EC312E-D3F8-4088-A2C0-5E6B37005CD1}) (Version: 6.1.3.0 - Husdawg, LLC)
TAP-Windows 9.9.2 (HKLM\...\TAP-Windows) (Version: 9.9.2 - )
TeamSpeak 3 Client (HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\TeamSpeak 3 Client) (Version: 3.0.16 - TeamSpeak Systems GmbH)
Unity Web Player (HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\UnityWebPlayer) (Version: - Unity Technologies ApS)
Update for (KB2504637) (HKLM\...\{CFEF48A8-BFB8-3EAC-8BA5-DE4F8AA267CE}.KB2504637) (Version: 1 - Microsoft Corporation)
Visual Studio 2012 Update 4 (KB2707250) (HKLM\...\{312d9252-c71c-4c84-b171-f4ad46e22098}) (Version: 11.0.61030 - Microsoft Corporation)
Voice Changer for Skype (HKLM\...\{576BD2E7-287E-4722-8B51-9BB54B55F7FC}) (Version: 2.2.0 - AthTek)
WebHarvy (HKLM\...\{844AF52E-FECD-4BDC-AB6E-11EF790A7DA2}) (Version: 3.3.0.106 - SysNucleus)
WinHTTrack Website Copier 3.48-8 (HKLM\...\WinHTTrack Website Copier_is1) (Version: 3.48.8 - HTTrack)
WinRAR 5.21 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.21.0 - win.rar GmbH)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-481355970-3911323781-190828911-1001_Classes\CLSID\{31261F21-2B16-45EE-BEAB-07C4CFA18B65}\InprocServer32 -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
CustomCLSID: HKU\S-1-5-21-481355970-3911323781-190828911-1001_Classes\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32 -> C:\Users\Stefan\AppData\LocalLow\Unity\WebPlayer\loader\UnityWebPluginAX.ocx (Unity Technologies ApS)
CustomCLSID: HKU\S-1-5-21-481355970-3911323781-190828911-1001_Classes\CLSID\{76D50904-6780-4c8b-8986-1A7EE0B1716D}\InprocServer32 -> C:\Users\Stefan\AppData\Local\Roblox\Versions\version-ea077ae9bef64263\RobloxProxy.dll (ROBLOX Corporation)
CustomCLSID: HKU\S-1-5-21-481355970-3911323781-190828911-1001_Classes\CLSID\{DEE03C2B-0C0C-41A9-9877-FD4B4D7B6EA3}\InprocServer32 -> C:\Users\Stefan\AppData\Local\Roblox\Versions\version-ea077ae9bef64263\RobloxProxy64.dll (ROBLOX Corporation)

==================== Restore Points =========================


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 05:04 - 2013-09-03 17:19 - 00000833 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {18FD64DF-10CF-437C-BC3E-79A3E4A58002} - System32\Tasks\update-S-1-5-21-481355970-3911323781-190828911-1001 => C:\Program Files\Skillbrains\Updater\Updater.exe [2014-03-25] ()
Task: {19D046C8-B63D-449B-AC26-95A5EC9E5C30} - System32\Tasks\{C0C6A6A8-A3E5-4B98-ABDC-5FE133F47D6B} => pcalua.exe -a C:\Users\Stefan\AppData\Local\Temp\luiA822.tmp\setup.exe -d C:\Users\Stefan\AppData\Roaming\.minecraft
Task: {19E462C4-914B-43C9-BA0C-2E9E38F73A4E} - System32\Tasks\update-sys => C:\Program Files\Skillbrains\Updater\Updater.exe [2014-03-25] ()
Task: {345AB6B1-703A-4540-9CD3-06140E76C2B3} - System32\Tasks\{FC5D2E72-B20E-4C59-AC9B-9F10C9A4A529} => pcalua.exe -a C:\Users\Stefan\AppData\Roaming\uTorrent\uTorrent.exe -d D:\Downloads -c "D:\Downloads\girlshare.ro_Metin2FORCE.rar(1).torrent" /SHELLASSOC
Task: {39D51DE8-9742-42CA-AE11-9F1297236638} - System32\Tasks\{000B2E79-61C2-4C3E-8A84-52ED14BB3F8F} => pcalua.exe -a C:\Windows\svchost.com -d C:\Windows\system32 -c "C:\Windows\system32\taskmgr.exe" /4
Task: {46C758E6-4258-4286-BD19-358072D78E77} - System32\Tasks\{9835BA7C-6973-4C2E-8AC4-CB4C63640938} => pcalua.exe -a D:\Downloads\compressor_decompressor.exe -d D:\Downloads
Task: {485E3B26-BB2A-4F43-A9EF-BDE9F2A3F2CC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-05-04] (Google Inc.)
Task: {533A8BA8-438F-4D7F-914B-0FE17C1CDE69} - System32\Tasks\fun_coupons_notification_service => C:\Program Files\fun coupons\fun_coupons_notification_service.exe <==== ATTENTION
Task: {5D886CEE-4F3D-462E-B9C3-B9CA15EC6060} - System32\Tasks\{B9B136FA-0E4E-4920-B29E-DC15C015B5D0} => pcalua.exe -a D:\!!!!!!!!!!!!!!!!!!!!!!!ALAGABULA\LeagueSharp\System\SWF-COMPRESSOR-DECOMPRESS.exe -d D:\!!!!!!!!!!!!!!!!!!!!!!!ALAGABULA\LeagueSharp\System
Task: {688AC177-DE0B-45FD-8162-9524AE9677C9} - \AmiUpdXp No Task File <==== ATTENTION
Task: {8A43F2D3-6B5B-4288-B918-01A05C29A59D} - System32\Tasks\{E31EE8CF-0836-466E-B97E-0CA0EDE31DF2} => pcalua.exe -a D:\TS3\package_inst.exe -d C:\Users\Stefan\Downloads -c "C:\Users\Stefan\Downloads\soundboard-0.9.8.4b-win32.ts3_plugin"
Task: {8F418946-3679-4527-B1EF-C28AC654EFAC} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-03-13] (Piriform Ltd)
Task: {B331016A-B08B-47B4-8825-F6A25D6E0E4D} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2013-05-04] (Google Inc.)
Task: {B7ECC110-3020-47E7-9A26-B9A8D608FD1E} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated)
Task: {CA1E6B24-E032-41A0-9407-4850D8A2FA3A} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2015-07-14] (Adobe Systems Incorporated)
Task: {CFFC6D8A-88EA-46D8-A552-A795E4918FCA} - System32\Tasks\Game_Booster_AutoUpdate => D:\Game Booster 3\AutoUpdate.exe [2015-08-02] ()
Task: {E449A161-1FB1-4509-B03C-D5BE19DAE3D0} - System32\Tasks\{7B8D3B0D-D4EB-4F60-B3BD-0510AB6FE58F} => pcalua.exe -a C:\Users\Public\Desktop\MorphVOXPro4_Install-1.exe -d C:\Users\Stefan\Desktop
Task: {F608E1DD-1072-4790-B327-2F81D773635E} - System32\Tasks\{9557B361-463C-4E7C-9E38-1BD3CD8C6C44} => pcalua.exe -a "D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!METINUL LUI X\JOACA GURA\Metin2PlayMouth.exe" -d "D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!METINUL LUI X\JOACA GURA"

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\fun_coupons_notification_service.job => C:\Program Files\fun coupons\fun_coupons_notification_service.exeǧ/url='http:/cdn.selectbestopt.com/notf_sys/index.html' /crregname='fun coupons' /appid='73143' /srcid='2913' /bic='a92881e2a3423944dde015eba46f7704' /verifier='937ab016a7dc94ce8d0b63d6543e0c3f' /installerversion='1.50.3.10' /statsdomain='http:/stats.buildomserv.com/data.gif?' /errorsdomain='http:/stats.buildomserv.com/data.gif?' /monetizationdomain='http:/logs.buildomserv.com/monetization.gif <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\update-S-1-5-21-481355970-3911323781-190828911-1001.job => C:\Program Files\Skillbrains\Updater\Updater.exe
Task: C:\Windows\Tasks\update-sys.job => C:\Program Files\Skillbrains\Updater\Updater.exe

==================== Loaded Modules (Whitelisted) ==============

2013-05-04 05:45 - 2013-12-19 21:37 - 00107296 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax.dll
2015-06-04 01:57 - 2015-06-04 01:57 - 01749200 _____ () C:\Program Files\Hotspot Shield\bin\af_proxy.dll
2015-06-04 02:07 - 2015-06-04 02:07 - 00616144 _____ () C:\Program Files\Hotspot Shield\bin\HssRep.4.15.3.dll
2015-04-25 04:03 - 2015-04-25 04:03 - 00280143 _____ () C:\Program Files\Hotspot Shield\bin\libidn-11.dll
2009-03-27 23:02 - 2009-03-27 23:02 - 01554920 _____ () C:\Program Files\Hotspot Shield\bin\libeay32.dll
2009-03-27 23:02 - 2009-03-27 23:02 - 00332254 _____ () C:\Program Files\Hotspot Shield\bin\libssl32.dll
2015-06-04 01:59 - 2015-06-04 01:59 - 00589520 _____ () C:\Program Files\Hotspot Shield\bin\hsswd.exe
2011-07-19 00:04 - 2011-07-19 00:04 - 00296448 _____ () C:\Program Files\Notepad++\NppShell_04.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\Stefan\Desktop\Minecraft.exe:BDU

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" value will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\08855149.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\08855149.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Hamachi2Svc => ""="Service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

HKLM\...\exefile\open\command: C:\Windows\svchost.com "%1" %* <===== ATTENTION
HKU\S-1-5-21-481355970-3911323781-190828911-1001\Software\Classes\.exe: exefile => <===== ATTENTION

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-481355970-3911323781-190828911-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 8.8.8.8 - 193.231.252.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: CGVPNCliService => 2
MSCONFIG\startupfolder: C:^Users^Stefan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk => C:\Windows\pss\Dropbox.lnk.Startup
MSCONFIG\startupreg: BlueStacks Agent => C:\Program Files\BlueStacks\HD-Agent.exe
MSCONFIG\startupreg: Clownfish => "C:\Program Files\Clownfish\Clownfish.exe"
MSCONFIG\startupreg: CyberGhost => "C:\Program Files\CyberGhost 5\CyberGhost.EXE" /autostart
MSCONFIG\startupreg: LogMeIn Hamachi Ui => "D:\Hamachi\hamachi-2-ui.exe" --auto-start
MSCONFIG\startupreg: MicroUpdate => C:\Users\Stefan\Documents\MSDCSC\msdcsc.exe
MSCONFIG\startupreg: MK LOL => "C:\Program Files\MKJogo\MK IM\Bin\MKIM.exe" -auto
MSCONFIG\startupreg: Overwolf => C:\Program Files\Overwolf\Overwolf.exe -silent
MSCONFIG\startupreg: PrivitizeVPN => C:\Program Files\PrivitizeVPN\PrivitizeVPN.exe /autorun
MSCONFIG\startupreg: Roblox => C:\Users\Stefan\AppData\Roaming\Roblox.exe
MSCONFIG\startupreg: rundll32 => C:\Users\Stefan\Documents\MSDCSC\msdcsc.exe
MSCONFIG\startupreg: SandboxieControl => "C:\Program Files\Sandboxie\SbieCtrl.exe"
MSCONFIG\startupreg: SkypeVoiceChanger => D:\SkypeVC\SkypeVoiceChanger.exe /auto
MSCONFIG\startupreg: Steam => "D:\Steam\Steam.exe" -silent
MSCONFIG\startupreg: uTorrent => "C:\Users\Stefan\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{069FED77-9CAF-4FBB-B05B-7FCA49185FD6}] => (Allow) C:\Program Files\Skype\Phone\Skype.exe
FirewallRules: [{7A19AE2A-2854-4910-A9DF-FB0B90C13A0F}] => (Allow) D:\Steam\Steam.exe
FirewallRules: [{C228E6A9-03DB-46E0-8044-89619FB985FC}] => (Allow) D:\Steam\Steam.exe
FirewallRules: [{64CB8851-9149-45D3-B21F-5D6F88217CAC}] => (Allow) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
FirewallRules: [{A1CA2B71-E1D3-4107-9A7F-6407940ED0C2}] => (Allow) C:\Program Files\Pando Networks\Media Booster\PMB.exe
FirewallRules: [{E571ADAC-0766-45E0-9369-F4089BDD1638}] => (Allow) C:\Program Files\Pando Networks\Media Booster\PMB.exe
FirewallRules: [{704ACA91-A665-4DD1-B43A-637E07FFFB38}] => (Allow) C:\Program Files\Pando Networks\Media Booster\PMB.exe
FirewallRules: [{5345BDB1-AE37-4A8F-A4CE-FD6BEA4B4473}] => (Allow) C:\Program Files\Pando Networks\Media Booster\PMB.exe
FirewallRules: [{C536AEE3-1A36-467B-ABFA-6A512706850D}] => (Allow) LPort=58347
FirewallRules: [{57DAD92D-AFEE-4F89-BDAB-E99A8C58A0BA}] => (Allow) LPort=58347
FirewallRules: [{D9D6C365-048B-48C2-A543-248EC3BFDBAD}] => (Allow) LPort=58347
FirewallRules: [{EA28EDC7-6C9A-4D16-A533-8854FE9A468D}] => (Allow) LPort=58347
FirewallRules: [{E335347B-9C4F-4877-B8BB-2C994C4F59AD}] => (Allow) C:\Program Files\Pando Networks\Media Booster\PMB.exe
FirewallRules: [{3BCFD8B5-0275-4D51-9EB1-5AF536916F0A}] => (Allow) D:\Steam\Steam.exe
FirewallRules: [{8EA71272-58FB-4CF4-A2D9-31325DFF5340}] => (Allow) D:\Steam\Steam.exe
FirewallRules: [{6D8B6F03-6CF2-46EF-BEC2-CC6860FE8D0F}] => (Allow) D:\Fiddler2\Fiddler.exe
FirewallRules: [{941EC0BB-6F7E-43E4-B8D8-D64E6CD281DD}] => (Allow) D:\Steam\bin\steamwebhelper.exe
FirewallRules: [{E1A3B5CA-DDC2-47FF-89BA-7A73E8C1E040}] => (Allow) D:\Steam\bin\steamwebhelper.exe
FirewallRules: [{C90CF14B-89E3-4C8C-85A0-8DA10FE85829}] => (Allow) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{9E82709F-6446-4ED2-BF8F-8DF29302E227}] => (Allow) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
FirewallRules: [{C65C7929-A5C9-4DED-841E-89F088A33E99}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{5DDC4E13-301A-49CD-9AF8-51881D44E8B9}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
FirewallRules: [{7E7399F0-E241-479E-8712-F307128FFADA}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{FA9F8B96-3461-4624-9914-05675137B6B9}] => (Allow) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe
FirewallRules: [{9620DA91-D05A-486B-A554-011A61D38F7B}] => (Allow) D:\Riot Games\League of Legends\lol.launcher.exe
FirewallRules: [{40F6E46F-751B-46AA-9408-6290694B8B68}] => (Allow) D:\Riot Games\League of Legends\lol.launcher.exe
FirewallRules: [{D2976B67-6A36-4B52-BDA6-2FDC9406D541}] => (Allow) D:\Riot Games\League of Legends\lol.launcher.exe
FirewallRules: [{D0F79010-992D-497A-AAD0-AA616BAC120D}] => (Allow) D:\Riot Games\League of Legends\lol.launcher.exe
FirewallRules: [TCP Query User{2F0E3F8A-2F09-4B15-B458-0160A2652D4F}D:\!!!!!vs\psi\psi.exe] => (Allow) D:\!!!!!vs\psi\psi.exe
FirewallRules: [UDP Query User{BC807DF9-09AE-4769-A829-A99965AA0580}D:\!!!!!vs\psi\psi.exe] => (Allow) D:\!!!!!vs\psi\psi.exe
FirewallRules: [{49F7541D-8933-4DAF-83DA-D2D5AB82F59F}] => (Block) D:\!!!!!vs\psi\psi.exe
FirewallRules: [{D6959404-B51B-480D-A101-6C4E72EC0471}] => (Block) D:\!!!!!vs\psi\psi.exe
FirewallRules: [{76D625EC-FC78-40D7-B4CB-925B22E8CB4F}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe
FirewallRules: [{D1ADDF91-A231-4F84-9CDA-B28B86C7CDAA}] => (Allow) C:\ProgramData\Battle.net\Agent\Agent.3634\Agent.exe
FirewallRules: [{0AF2BA89-276C-4C13-A635-A63D7CD1E4ED}] => (Allow) D:\Battle.net\Battle.net.exe
FirewallRules: [{92A0C310-0B22-47D2-B85B-6E1BF418EDD8}] => (Allow) D:\Battle.net\Battle.net.exe
FirewallRules: [{C046C081-79FD-468C-8A82-CAE9B1CBE2E2}] => (Allow) D:\Hearthstone\Hearthstone.exe
FirewallRules: [{5F60EE72-C5C2-4DEB-B4BF-8449A3E33971}] => (Allow) D:\Hearthstone\Hearthstone.exe
FirewallRules: [{86608A3F-EE2C-4D7E-BC6B-9ED22C73AB47}] => (Allow) D:\!!!!!Vs\!!!!!!!!!!!VSTUD\Common7\IDE\WDExpress.exe
FirewallRules: [{DBAA29E2-D3D4-42EE-8EED-010C2EC65431}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [{971C8473-01E5-4735-94E3-37AC867FA75D}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{97FC753E-1D01-4818-9487-97E8A65EE262}C:\program files\mozilla firefox\firefox.exe] => (Allow) C:\program files\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{6D207278-376B-4BAB-A729-A9878799B7FD}C:\program files\mozilla firefox\firefox.exe] => (Allow) C:\program files\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{1FC2B952-430B-4881-9D28-FFFE17A6B34F}D:\!!!!!!!!!!!!!!!!!reversingmangas\lessons\files\smartbotui.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!reversingmangas\lessons\files\smartbotui.exe
FirewallRules: [UDP Query User{A4018CF7-A5F4-41B7-9177-52BFE1C8AF07}D:\!!!!!!!!!!!!!!!!!reversingmangas\lessons\files\smartbotui.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!reversingmangas\lessons\files\smartbotui.exe
FirewallRules: [{151B3882-9494-4F9F-B05F-E309742E8D86}] => (Block) D:\!!!!!!!!!!!!!!!!!reversingmangas\lessons\files\smartbotui.exe
FirewallRules: [{7465555E-BB0C-486C-A78B-5B2F3C93C06F}] => (Block) D:\!!!!!!!!!!!!!!!!!reversingmangas\lessons\files\smartbotui.exe
FirewallRules: [{06477F7E-88B1-4040-9DB8-ABFCF9AAFDCE}] => (Allow) D:\!!!!!Vs\!!!!!!!!!!!VSTUD\Common7\IDE\devenv.exe
FirewallRules: [TCP Query User{0851DC4F-C875-4F0B-B57C-611BC79FDEB6}D:\download\csgo\csgo.exe] => (Allow) D:\download\csgo\csgo.exe
FirewallRules: [UDP Query User{5D1D26BD-C208-47FC-8C1A-39728E2AE31E}D:\download\csgo\csgo.exe] => (Allow) D:\download\csgo\csgo.exe
FirewallRules: [{964DF5C3-4E7C-472C-B7E0-66F004197804}] => (Block) D:\download\csgo\csgo.exe
FirewallRules: [{AA52694A-8946-435F-86A0-630B318CCD1D}] => (Block) D:\download\csgo\csgo.exe
FirewallRules: [TCP Query User{D4938493-CE27-428A-B25A-B45620B4BDCD}D:\steam\steamapps\common\cantar straik\csgo.exe] => (Allow) D:\steam\steamapps\common\cantar straik\csgo.exe
FirewallRules: [UDP Query User{2A2067B6-19B2-463E-AC0F-49D9B5A72CBD}D:\steam\steamapps\common\cantar straik\csgo.exe] => (Allow) D:\steam\steamapps\common\cantar straik\csgo.exe
FirewallRules: [{D780CA3C-BA4E-470C-8813-969FAE7F6E3D}] => (Block) D:\steam\steamapps\common\cantar straik\csgo.exe
FirewallRules: [{E23C20B1-8D9D-42A7-B8C4-6070F488059D}] => (Block) D:\steam\steamapps\common\cantar straik\csgo.exe
FirewallRules: [TCP Query User{E18AAA4E-00E1-48FE-A949-3069D63F1AC7}D:\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe] => (Allow) D:\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [UDP Query User{A01D036B-C94A-404C-9642-027F5AC38335}D:\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe] => (Allow) D:\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [{AFE7A26C-34B0-4A85-ADCF-1AAF190316A7}] => (Block) D:\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [{77456B2C-1652-4235-9E0C-5D8B7A274A38}] => (Block) D:\hi-rez studios\hirezgames\smite\binaries\win32\smite.exe
FirewallRules: [TCP Query User{DC7A7C6C-F0FD-4A96-BAE9-E6FE85D7A510}D:\heroes of the storm\versions\base34846\heroesofthestorm.exe] => (Allow) D:\heroes of the storm\versions\base34846\heroesofthestorm.exe
FirewallRules: [UDP Query User{C8D0F551-12F6-4BA6-94DF-160C26E91518}D:\heroes of the storm\versions\base34846\heroesofthestorm.exe] => (Allow) D:\heroes of the storm\versions\base34846\heroesofthestorm.exe
FirewallRules: [{40D5CDA9-EE73-4D9F-9824-D296885F4642}] => (Block) D:\heroes of the storm\versions\base34846\heroesofthestorm.exe
FirewallRules: [{80CD9C71-3F54-4E46-83ED-4E9E874696BB}] => (Block) D:\heroes of the storm\versions\base34846\heroesofthestorm.exe
FirewallRules: [TCP Query User{F553D20A-FA49-42D5-AFF8-E245B85A69C6}C:\program files\java\jre1.8.0_31\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_31\bin\javaw.exe
FirewallRules: [UDP Query User{272B483A-8A36-4F40-A555-4BBF3CCDB366}C:\program files\java\jre1.8.0_31\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_31\bin\javaw.exe
FirewallRules: [{99041367-5C1C-4FA5-AF4D-38E4F682D97C}] => (Block) C:\program files\java\jre1.8.0_31\bin\javaw.exe
FirewallRules: [{6476EE2D-25C1-4AB8-8541-B8E3A3FCCD4E}] => (Block) C:\program files\java\jre1.8.0_31\bin\javaw.exe
FirewallRules: [TCP Query User{5622EC77-939F-415A-B6C8-BD057F032F5C}D:\charles\charles.exe] => (Allow) D:\charles\charles.exe
FirewallRules: [UDP Query User{9FA7E3A9-1C75-4982-96AF-B2E2F42372B6}D:\charles\charles.exe] => (Allow) D:\charles\charles.exe
FirewallRules: [{BFCEF27F-102C-4B0C-A51B-33B8E48CB14C}] => (Block) D:\charles\charles.exe
FirewallRules: [{87C307BF-5344-4992-9A4D-057CC5694D34}] => (Block) D:\charles\charles.exe
FirewallRules: [TCP Query User{BA7A247F-A09A-481D-A3FA-246C5F547647}D:\java\jre\bin\javaw.exe] => (Allow) D:\java\jre\bin\javaw.exe
FirewallRules: [UDP Query User{EE2EF7FC-5BA3-4A62-A90B-876C28EBD217}D:\java\jre\bin\javaw.exe] => (Allow) D:\java\jre\bin\javaw.exe
FirewallRules: [{4F305DA4-DD53-43E6-AADC-6B3037AB007D}] => (Block) D:\java\jre\bin\javaw.exe
FirewallRules: [{D0C232FE-2EE8-413D-80DA-93165F807BF0}] => (Block) D:\java\jre\bin\javaw.exe
FirewallRules: [TCP Query User{ADFF1F91-2FA9-4C32-8A90-8EC05C8B073D}C:\users\stefan\appdata\local\roblox\versions\version-af96ba91ce124068\robloxstudiobeta.exe] => (Allow) C:\users\stefan\appdata\local\roblox\versions\version-af96ba91ce124068\robloxstudiobeta.exe
FirewallRules: [UDP Query User{90EF47DE-3DF4-4C53-8382-81C426DA0733}C:\users\stefan\appdata\local\roblox\versions\version-af96ba91ce124068\robloxstudiobeta.exe] => (Allow) C:\users\stefan\appdata\local\roblox\versions\version-af96ba91ce124068\robloxstudiobeta.exe
FirewallRules: [{003758D8-D7DE-4B53-97B7-C70AC061828F}] => (Block) C:\users\stefan\appdata\local\roblox\versions\version-af96ba91ce124068\robloxstudiobeta.exe
FirewallRules: [{F539252B-A6F5-4047-9B97-F561858AAEDF}] => (Block) C:\users\stefan\appdata\local\roblox\versions\version-af96ba91ce124068\robloxstudiobeta.exe
FirewallRules: [{9F6B5BDC-1AD6-4ECE-BB76-E8E96996313E}] => (Allow) D:\Steam\SteamApps\common\Brawlhalla\Brawlhalla.exe
FirewallRules: [{90D665A4-FEA6-4042-A457-FF8665F03183}] => (Allow) D:\Steam\SteamApps\common\Brawlhalla\Brawlhalla.exe
FirewallRules: [{EF39402A-E625-4EBC-963B-500E3C00A2D3}] => (Allow) C:\Program Files\Raptr\raptr.exe
FirewallRules: [{AA471CC2-AE57-4A39-BF11-6B3EA79C5627}] => (Allow) C:\Program Files\Raptr\raptr.exe
FirewallRules: [{C9CCC514-E554-4C43-A541-1F87BF19E6C5}] => (Allow) C:\Program Files\Raptr\raptr_im.exe
FirewallRules: [{4F0222B8-8023-48E5-8D7D-99B681D496F4}] => (Allow) C:\Program Files\Raptr\raptr_im.exe
FirewallRules: [{53F46119-F360-4382-B18D-A03F03B35542}] => (Allow) D:\Steam\SteamApps\common\AdVenture Capitalist\adventure-capitalist.exe
FirewallRules: [{EF617748-6987-43B2-929E-07F2CECE940A}] => (Allow) D:\Steam\SteamApps\common\AdVenture Capitalist\adventure-capitalist.exe
FirewallRules: [TCP Query User{A644C6A3-A137-46D8-8205-4CC7E760965F}D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [UDP Query User{2CA275FA-4F76-4045-B7E1-3D3B4EA74DE9}D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [{D01D291E-E7ED-4C7C-8584-A2E9AAC00B95}] => (Block) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [{566CED40-A102-4DAD-8D3B-C6016A087822}] => (Block) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [{8354B4E0-EB3D-4D35-8150-60F57FD8B40D}] => (Allow) D:\Steam\SteamApps\common\Clicker Heroes\Clicker Heroes.exe
FirewallRules: [{B5BFB8FC-3CCC-4765-B20F-009D695300AB}] => (Allow) D:\Steam\SteamApps\common\Clicker Heroes\Clicker Heroes.exe
FirewallRules: [TCP Query User{AABFE0BE-A279-4F13-9998-6394DF1D7D7E}D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\metin2x v5.3\metin2x.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\metin2x v5.3\metin2x.exe
FirewallRules: [UDP Query User{A78D8958-2EBC-415E-886B-F3A5F2293019}D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\metin2x v5.3\metin2x.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\metin2x v5.3\metin2x.exe
FirewallRules: [{55A7044F-C625-4E4F-8816-22BEC1848D9F}] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\metin2x v5.3\metin2x.exe
FirewallRules: [{4B809926-B6A3-457E-B590-DCA8E592D891}] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\metin2x v5.3\metin2x.exe
FirewallRules: [TCP Query User{DE989500-B9D7-4262-834F-72E9C29C67C8}C:\users\stefan\appdata\local\temp\darkcomet.exe] => (Allow) C:\users\stefan\appdata\local\temp\darkcomet.exe
FirewallRules: [UDP Query User{1916DC73-144B-4674-8400-71E0D54FA63D}C:\users\stefan\appdata\local\temp\darkcomet.exe] => (Allow) C:\users\stefan\appdata\local\temp\darkcomet.exe
FirewallRules: [{C2E24F11-D33C-4298-8F81-F1880FC55740}] => (Block) C:\users\stefan\appdata\local\temp\darkcomet.exe
FirewallRules: [{4B90EB11-FA80-45C8-B005-470B209FC1BB}] => (Block) C:\users\stefan\appdata\local\temp\darkcomet.exe
FirewallRules: [TCP Query User{C1D6F1EA-4EF0-4B7B-ACFD-36D564ECD12A}D:\downloads\piratekings.exe] => (Allow) D:\downloads\piratekings.exe
FirewallRules: [UDP Query User{48BFB9C1-94A3-4403-8EB7-F9AFEA1D73AC}D:\downloads\piratekings.exe] => (Allow) D:\downloads\piratekings.exe
FirewallRules: [{EAF80038-88E5-4109-AF37-7B2EBD7FEF67}] => (Block) D:\downloads\piratekings.exe
FirewallRules: [{F3F1D4A3-9A4F-4EBD-9DEE-0B9F005337CC}] => (Block) D:\downloads\piratekings.exe
FirewallRules: [TCP Query User{7FCE4197-F923-45DB-96BB-C97A22FF8594}C:\users\stefan\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\stefan\appdata\local\akamai\netsession_win.exe
FirewallRules: [UDP Query User{878E17D4-0E78-4E15-8BF0-60C3052734E5}C:\users\stefan\appdata\local\akamai\netsession_win.exe] => (Allow) C:\users\stefan\appdata\local\akamai\netsession_win.exe
FirewallRules: [{0C2296C3-D5D9-4BC2-927A-576786BE0939}] => (Block) C:\users\stefan\appdata\local\akamai\netsession_win.exe
FirewallRules: [{4F189E26-A86A-49C1-88A7-B3F59EA1B17E}] => (Block) C:\users\stefan\appdata\local\akamai\netsession_win.exe
FirewallRules: [{F48527BC-3D8F-41C9-A00C-1B0A4F0632BE}] => (Allow) D:\Steam\SteamApps\common\RIFT\riftpatchlive.exe
FirewallRules: [{6A4747A8-EACF-4685-A02D-B75ECADAF7B8}] => (Allow) D:\Steam\SteamApps\common\RIFT\riftpatchlive.exe
FirewallRules: [TCP Query User{BE42304D-AB7C-447A-85BB-8969B8DBDA2E}D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\vai ce c ma re am\hl.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\vai ce c ma re am\hl.exe
FirewallRules: [UDP Query User{DF99A921-9FF1-4EBF-8682-2DAD6F9844C5}D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\vai ce c ma re am\hl.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\vai ce c ma re am\hl.exe
FirewallRules: [{2A534757-844C-41F5-AF6D-06788E1CE843}] => (Block) D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\vai ce c ma re am\hl.exe
FirewallRules: [{AC61CFE0-EDA7-4361-9779-0184860515FA}] => (Block) D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!metinul lui x\vai ce c ma re am\hl.exe
FirewallRules: [TCP Query User{BA8E711F-FA0B-409B-9756-A20161321639}C:\program files\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_45\bin\javaw.exe
FirewallRules: [UDP Query User{D13B70F4-ED09-4578-B296-86D17DC3B68E}C:\program files\java\jre1.8.0_45\bin\javaw.exe] => (Allow) C:\program files\java\jre1.8.0_45\bin\javaw.exe
FirewallRules: [{6FE06637-C165-4A9B-8A4C-EEDD318031D2}] => (Block) C:\program files\java\jre1.8.0_45\bin\javaw.exe
FirewallRules: [{6BD72777-8857-4365-B999-FC463D003F3E}] => (Block) C:\program files\java\jre1.8.0_45\bin\javaw.exe
FirewallRules: [{0998C628-1CEA-46DF-96D6-8A092333122C}] => (Allow) C:\Users\Stefan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{2979723B-2A33-4D54-B0CF-6AB2779FFA4C}] => (Allow) C:\Users\Stefan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{11DBCDB6-F085-4F6F-826A-F2600B74F287}] => (Allow) C:\Users\Stefan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{F886DD5F-B5E1-45EF-926F-EDED4088517D}] => (Allow) C:\Users\Stefan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{6802C47F-974D-4797-9CBD-63FC0ECE40AE}] => (Allow) C:\Users\Stefan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{DC956AF7-CE11-40BD-86FF-57AC6010BC33}] => (Allow) C:\Users\Stefan\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{774A198E-3718-47E1-8853-5BE81326CE63}] => (Allow) C:\Program Files\Google\Chrome\Application\chrome.exe

==================== Faulty Device Manager Devices =============

Name:
Description:
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (08/04/2015 01:00:18 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program hsscp.exe version 4.15.3.9146 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 910

Start Time: 01d0ce9c48f2cc60

Termination Time: 546

Application Path: C:\Program Files\Hotspot Shield\bin\hsscp.exe

Report Id: 989d5be1-3a8f-11e5-9010-001d602734cc

Error: (08/04/2015 12:39:43 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: explorer.exe, version: 6.1.7601.17514, time stamp: 0x4ce796f3
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x678514dd
Faulting process id: 0x46a0
Faulting application start time: 0xexplorer.exe0
Faulting application path: explorer.exe1
Faulting module path: explorer.exe2
Report Id: explorer.exe3

Error: (08/04/2015 11:48:37 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Stefan\AppData\Local\Temp\CC53110C-85A1-4338-9FE6-5EA2B3BC1CBE\dismhost.exe {8538B87E-CB0F-4FCD-99A4-2652E6F1A52B}; Description = Removed service pack backup files; Error = 0x8004231f).

Error: (08/04/2015 11:48:31 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {76886f77-ebc6-4c04-9697-a76184ff6a47}

Error: (08/04/2015 11:47:17 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Stefan\AppData\Local\Temp\5E94328B-9118-4C2E-A25C-8F09D70BDDCA\dismhost.exe {7AB1EF9C-0087-4166-8EB7-56D720D23230}; Description = Removed service pack backup files; Error = 0x8004231f).

Error: (08/04/2015 11:47:11 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {76886f77-ebc6-4c04-9697-a76184ff6a47}

Error: (08/04/2015 11:46:52 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Stefan\AppData\Local\Temp\6E29C054-3AEB-4634-9811-849856DC2CD5\dismhost.exe {86048B4A-0558-4E80-B9EE-236AB85F0F3D}; Description = Removed service pack backup files; Error = 0x8004231f).

Error: (08/04/2015 11:46:45 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {76886f77-ebc6-4c04-9697-a76184ff6a47}

Error: (08/04/2015 11:45:18 AM) (Source: System Restore) (EventID: 8193) (User: )
Description: Failed to create restore point (Process = C:\Users\Stefan\AppData\Local\Temp\41E87CF3-F5E4-45B2-94B2-753F6BF2AB4D\dismhost.exe {343D271C-4172-4DA8-952A-23CD97CC8110}; Description = Removed service pack backup files; Error = 0x8004231f).

Error: (08/04/2015 11:45:08 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
Gathering Writer Data

Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {76886f77-ebc6-4c04-9697-a76184ff6a47}


System errors:
=============
Error: (08/04/2015 12:59:51 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The LogMeIn Hamachi Tunneling Engine service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (08/03/2015 02:42:41 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The MBAMService service terminated unexpectedly. It has done this 1 time(s).

Error: (08/03/2015 02:29:54 PM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (08/03/2015 01:06:42 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Hotspot Shield Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (08/03/2015 01:05:47 PM) (Source: WMPNetworkSvc) (EventID: 14332) (User: )
Description: WMPNetworkSvc0x80004005

Error: (08/03/2015 01:05:22 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Assistant service to connect.

Error: (08/03/2015 01:04:59 PM) (Source: BugCheck) (EventID: 1001) (User: )
Description: 0x000000f4 (0x00000003, 0xb1e0e530, 0xb1e0e69c, 0xe2c58eb0)C:\Windows\MEMORY.DMP080315-51979-01

Error: (08/03/2015 01:04:30 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 1:03:20 PM on ‎8/‎3/‎2015 was unexpected.

Error: (08/01/2015 09:16:19 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

Error: (07/30/2015 07:32:13 AM) (Source: Service Control Manager) (EventID: 7011) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.


Microsoft Office:
=========================

CodeIntegrity:
===================================
Date: 2013-06-19 17:50:03.089
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Bitdefender\Antivirus Free Edition\avc3\avc3_sig_193\avcuf32.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-06-19 17:38:40.356
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Bitdefender\Antivirus Free Edition\avc3\avc3_sig_193\avcuf32.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-06-19 16:57:15.012
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Bitdefender\Antivirus Free Edition\avc3\avc3_sig_193\avcuf32.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-06-19 16:46:08.428
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Bitdefender\Antivirus Free Edition\avc3\avc3_sig_193\avcuf32.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-06-19 16:36:48.262
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Bitdefender\Antivirus Free Edition\avc3\avc3_sig_193\avcuf32.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-06-19 16:21:59.429
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Bitdefender\Antivirus Free Edition\avc3\avc3_sig_193\avcuf32.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-06-19 15:55:13.148
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Bitdefender\Antivirus Free Edition\avc3\avc3_sig_193\avcuf32.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-06-19 15:37:50.847
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Bitdefender\Antivirus Free Edition\avc3\avc3_sig_193\avcuf32.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-06-19 15:28:43.824
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Bitdefender\Antivirus Free Edition\avc3\avc3_sig_193\avcuf32.dll because the set of per-page image hashes could not be found on the system.

Date: 2013-06-19 14:51:43.137
Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume1\Program Files\Bitdefender\Antivirus Free Edition\avc3\avc3_sig_193\avcuf32.dll because the set of per-page image hashes could not be found on the system.


==================== Memory info ===========================

Processor: AMD Athlon™ 64 Processor 3200+
Percentage of memory in use: 57%
Total physical RAM: 3071.37 MB
Available physical RAM: 1305.73 MB
Total Virtual: 6141.02 MB
Available Virtual: 4066.77 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:29.29 GB) (Free:0.68 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: () (Fixed) (Total:119.75 GB) (Free:5.63 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 149.1 GB) (Disk ID: DD04DD04)
Partition 1: (Active) - (Size=29.3 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=119.7 GB) - (Type=OF Extended)

==================== End of log ============================

Edited by xXToffeeXx, 04 August 2015 - 05:56 AM.


#4 xXToffeeXx

Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:08:18 AM

Posted 04 August 2015 - 08:06 AM

Hi TehBlaxxor,
 
Win32/Ramnit (and related variants) is a dangerous file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a backdoor that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A or VBS/Generic. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a backdoor that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the antivirus or antimalware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.

With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus, and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your antivirus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts, so the degree of damage can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection. However, a variant called the Ramnit worm targets Facebook users... it can bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions and compromise online banking.

In my opinion, Ramnit is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Security vendors that claim to be able to remove file infectors cannot guarantee that all traces of it will be removed as they may not find all the remnants. If something goes awry during the malware removal process there is always a risk the computer may become unstable or unbootable and you could lose access to all your data.

Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your antivirus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Let me know what you want to do. I can attempt to clean this computer, but there are no guarantees.
 
xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 



#5 TehBlaxxor

  • Topic Starter
  • Members
  • 6 posts
  • Local time:10:18 AM

Posted 04 August 2015 - 08:52 AM

I will buy a new computer in two/three weeks, therefore I am wondering if it is possible to attempt to clean it without reformatting so it can last for the remaining 14 days (or at least stop the infection from spreading).

 

Also, is there a risk that the computer may not boot properly after reformatting?



#6 xXToffeeXx

Bleepin' Polar Bear

  • Malware Response Instructor
  • 6,086 posts
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:08:18 AM

Posted 05 August 2015 - 07:51 AM

Hi TehBlaxxor,
 
I can try to remove the virus; however, as it has likely infected quite a few executables, it may come back.
 
There should be very little risk of this as I will not be targeting files which the system needs to boot.
 
We need to run a fix with FRST:

  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • Copy and paste the script below into the Notepad document:
HKLM\...\Winlogon: [Userinit] userinit.exe,c:\program files\microsoft\desktoplayer.exe,
c:\program files\microsoft\desktoplayer.exe
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
IFEO\bpsvc.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
IFEO\browserprotect.exe: [Debugger] tasklist.exe
IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
IFEO\jumpflip: [Debugger] tasklist.exe
IFEO\protectedsearch.exe: [Debugger] tasklist.exe
IFEO\searchinstaller.exe: [Debugger] tasklist.exe
IFEO\searchprotection.exe: [Debugger] tasklist.exe
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\searchsettings.exe: [Debugger] tasklist.exe
IFEO\searchsettings64.exe: [Debugger] tasklist.exe
IFEO\snapdo.exe: [Debugger] tasklist.exe
IFEO\stinst32.exe: [Debugger] tasklist.exe
IFEO\stinst64.exe: [Debugger] tasklist.exe
IFEO\umbrella.exe: [Debugger] tasklist.exe
IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
IFEO\volaro: [Debugger] tasklist.exe
IFEO\vonteera: [Debugger] tasklist.exe
IFEO\websteroids.exe: [Debugger] tasklist.exe
IFEO\websteroidsservice.exe: [Debugger] tasklist.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyServer: [S-1-5-21-481355970-3911323781-190828911-1001] => http=127.0.0.1:8888;https=127.0.0.1:8888
SearchScopes: HKU\S-1-5-21-481355970-3911323781-190828911-1001 -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL =
SearchScopes: HKU\S-1-5-21-481355970-3911323781-190828911-1001 -> {997A4750-381F-41C2-9ED4-E6C2CD012936} URL = http://searchou.com/?q={searchTerms}&id=7cf20d0e00000000000000ffb36a1def&r=159
BHO: No Name -> {A7AE14C7-B067-82C3-583F-85F59AFE7860} -> No File
CHR Extension: (fun coupons) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pogchimbndbckepmhaagnapfmlfgnala [2015-04-01]
2015-08-03 13:57 - 2015-03-21 20:14 - 00000000 ____D C:\ProgramData\Nimoru
2015-08-03 13:57 - 2014-07-19 16:32 - 00000000 ____D C:\Program Files\globalUpdate
2015-08-03 13:57 - 2014-03-06 19:47 - 00000000 ____D C:\Program Files\websaave
2015-08-03 13:57 - 2014-02-15 14:15 - 00000000 ____D C:\Program Files\weBsaaVee
C:\Users\Stefan\AppData\Local\Temp\{147FAA49-85CF-4CE2-B87D-EBBE97372E5D}.exe
Task: {39D51DE8-9742-42CA-AE11-9F1297236638} - System32\Tasks\{000B2E79-61C2-4C3E-8A84-52ED14BB3F8F} => pcalua.exe -a C:\Windows\svchost.com -d C:\Windows\system32 -c "C:\Windows\system32\taskmgr.exe" /4
Task: {533A8BA8-438F-4D7F-914B-0FE17C1CDE69} - System32\Tasks\fun_coupons_notification_service => C:\Program Files\fun coupons\fun_coupons_notification_service.exe <==== ATTENTION
Task: {688AC177-DE0B-45FD-8162-9524AE9677C9} - \AmiUpdXp No Task File <==== ATTENTION
Task: C:\Windows\Tasks\fun_coupons_notification_service.job => C:\Program Files\fun coupons\fun_coupons_notification_service.exeǧ/url='http:/cdn.selectbestopt.com/notf_sys/index.html' /crregname='fun coupons' /appid='73143' /srcid='2913' /bic='a92881e2a3423944dde015eba46f7704' /verifier='937ab016a7dc94ce8d0b63d6543e0c3f' /installerversion='1.50.3.10' /statsdomain='http:/stats.buildomserv.com/data.gif?' /errorsdomain='http:/stats.buildomserv.com/data.gif?' /monetizationdomain='http:/logs.buildomserv.com/monetization.gif <==== ATTENTION
HKLM\...\exefile\open\command: C:\Windows\svchost.com "%1" %* <===== ATTENTION
HKU\S-1-5-21-481355970-3911323781-190828911-1001\Software\Classes\.exe: exefile => <===== ATTENTION
C:\Windows\svchost.com
C:\Users\Stefan\Documents\MSDCSC
FirewallRules: [TCP Query User{A644C6A3-A137-46D8-8205-4CC7E760965F}D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [UDP Query User{2CA275FA-4F76-4045-B7E1-3D3B4EA74DE9}D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [{D01D291E-E7ED-4C7C-8584-A2E9AAC00B95}] => (Block) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [{566CED40-A102-4DAD-8D3B-C6016A087822}] => (Block) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [TCP Query User{DE989500-B9D7-4262-834F-72E9C29C67C8}C:\users\stefan\appdata\local\temp\darkcomet.exe] => (Allow) C:\users\stefan\appdata\local\temp\darkcomet.exe
FirewallRules: [UDP Query User{1916DC73-144B-4674-8400-71E0D54FA63D}C:\users\stefan\appdata\local\temp\darkcomet.exe] => (Allow) C:\users\stefan\appdata\local\temp\darkcomet.exe
FirewallRules: [{C2E24F11-D33C-4298-8F81-F1880FC55740}] => (Block) C:\users\stefan\appdata\local\temp\darkcomet.exe
FirewallRules: [{4B90EB11-FA80-45C8-B005-470B209FC1BB}] => (Block) C:\users\stefan\appdata\local\temp\darkcomet.exe
C:\users\stefan\appdata\local\temp\darkcomet.exe
  • Save the file to your desktop and name it as fixlist.txt

Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location, or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
  • Please copy and paste the log in your next reply.

xXToffeeXx~


Edited by xXToffeeXx, 18 August 2015 - 01:02 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
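An added example, written for this page and not part of the thread, of FRST or of any tool named in it: a small Python triage script that reads FRST-style scan lines and flags the same classes of entry the fixlist above removes (extra Userinit entries, IFEO Debugger values, a hijacked exefile open command, a per-user .exe association, a localhost proxy, and a scheduled task that launches through pcalua.exe). The sample lines are constructed and modelled on the ones in this thread; the SIDs and GUIDs are shortened, and the notepad.exe/loader.exe IFEO line is invented to show the general case of a debugger that lives in a user-writable path rather than the tasklist.exe block trick seen here. The Userinit check is the one that matters for the later scan in this thread, where desktoplayer.exe is back in the Userinit value after the fix restored it.

```python
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass

# Constructed sample, modelled on the FRST lines in this thread (paths, SIDs and
# GUIDs shortened or invented; not copied from a real machine).
SAMPLE_LINES = r"""
HKLM\...\Winlogon: [Userinit] c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\notepad.exe: [Debugger] C:\Users\Public\loader.exe
ProxyServer: [S-1-5-21-1-2-3-1001] => http=127.0.0.1:8888;https=127.0.0.1:8888
HKLM\...\exefile\open\command: C:\Windows\svchost.com "%1" %* <===== ATTENTION
HKU\S-1-5-21-1-2-3-1001\Software\Classes\.exe: exefile => <===== ATTENTION
Task: {39D51DE8-0000} - System32\Tasks\{000B2E79-0000} => pcalua.exe -a C:\Windows\svchost.com -d C:\Windows\system32 -c "C:\Windows\system32\taskmgr.exe" /4
"""

EXEFILE_DEFAULT = '"%1" %*'  # clean value of HKCR\exefile\shell\open\command
LOCAL_PROXY = re.compile(r"(?:127\.0\.0\.1|localhost)(?::\d+)?", re.IGNORECASE)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
ATTENTION = re.compile(r"\s*<=+\s*ATTENTION\s*$")


@dataclass
class Finding:
    category: str
    detail: str
    line: str


def check_userinit(value: str) -> list[str]:
    """Winlogon launches every comma-separated Userinit entry at logon, so anything
    besides userinit.exe itself is a persistence entry. Returns the extras."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() != "userinit.exe"]


def check_exefile_command(command: str) -> bool:
    """True when launching any .exe is routed through another binary first."""
    return command.strip() != EXEFILE_DEFAULT


def classify_ifeo_debugger(debugger: str) -> str:
    """Any IFEO Debugger value runs the 'debugger' instead of the target. A stock tool
    such as tasklist.exe silently blocks the target (a competitor-kill trick); a
    debugger under a user-writable path is a code-execution hijack. Heuristic only."""
    if any(p in debugger.lower() for p in USER_WRITABLE):
        return "code-execution hijack"
    return "launch block/redirect"


def triage(text: str) -> list[Finding]:
    """Walk FRST-style lines and return the persistence/hijack findings."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = ATTENTION.sub("", raw).strip()
        if not line:
            continue
        if m := re.match(r"^HKLM\\\.\.\.\\Winlogon: \[Userinit\] (.+)$", line):
            for extra in check_userinit(m.group(1)):
                findings.append(Finding("userinit_extra", extra, raw))
        elif m := re.match(r"^IFEO\\(.+?): \[Debugger\] (.+)$", line):
            kind = classify_ifeo_debugger(m.group(2))
            findings.append(Finding("ifeo_debugger", f"{m.group(1)} -> {m.group(2)} [{kind}]", raw))
        elif m := re.match(r"^HKLM\\\.\.\.\\exefile\\open\\command: (.+)$", line):
            if check_exefile_command(m.group(1)):
                findings.append(Finding("exefile_hijack", m.group(1), raw))
        elif m := re.match(r"^HKU\\[^\\]+\\Software\\Classes\\\.exe: (.*)$", line):
            # A per-user .exe association overrides HKLM and survives an HKLM-only repair.
            findings.append(Finding("per_user_exe_assoc", m.group(1).rstrip(" =>") or "(empty)", raw))
        elif m := re.match(r"^ProxyServer: \[[^\]]+\] => (.+)$", line):
            if LOCAL_PROXY.search(m.group(1)):
                findings.append(Finding("local_proxy", m.group(1), raw))
        elif m := re.match(r"^Task: .+ => (.+)$", line):
            # pcalua.exe -a <binary> is a stock launcher that hides the real parent process.
            if re.search(r"\bpcalua\.exe\b", m.group(1), re.IGNORECASE):
                findings.append(Finding("pcalua_task", m.group(1), raw))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per category so a log can be compared before and after a fix."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.category}] {f.detail}")
    print(summarize(triage(SAMPLE_LINES)))
```

Run it over a saved FRST.txt to get the same list of lines a human responder would mark with ATTENTION; the clean Run entry in the sample is deliberately not flagged. Running it again on the post-fix scan is the quick way to see whether an entry such as the Userinit value has come back, which is the file-infector behaviour Toffee warns about.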


#7 TehBlaxxor (Topic Starter)

Posted 06 August 2015 - 03:55 AM

I have followed the instructions and it seems like something is wrong.

I get the following message when pressing "Fix":

[screenshot: 4LlahrG.png]

Yes, I have run the program as Administrator.

I also get this message when saving the .txt file, so I suppose it's related to the issue:

[screenshot: 9Fxa9nl.png]



#8 xXToffeeXx (Malware Response Instructor)

Posted 06 August 2015 - 04:03 AM

Hi TehBlaxxor,

Please recreate the text file with the fix contents from the last post and, when the save box appears, click on the Encoding button and then click on the Unicode option. You need to save the text file in C:\Users\Stefan\Downloads.

Once that is done, please run FRST and click Fix.

xXToffeeXx~




#9 TehBlaxxor (Topic Starter)

Posted 06 August 2015 - 05:13 AM

Done that. Had to redownload FRST (perhaps the old one was corrupted?).

Some programs don't have svchost.com asking for permission, but some still do. I haven't given permission to those though.

I have a question: will running this fix work later on?

Here is the Fixlist.txt:

Fix result of Farbar Recovery Scan Tool (x86) Version:02-08-2015 01
Ran by Stefan (2015-08-06 13:05:33) Run:1
Running from C:\Users\Stefan\Downloads
Loaded Profiles: Stefan (Available Profiles: Stefan)
Boot Mode: Normal

==============================================

fixlist content:
*****************
HKLM\...\Winlogon: [Userinit] userinit.exe,c:\program files\microsoft\desktoplayer.exe,
c:\program files\microsoft\desktoplayer.exe
IFEO\bitguard.exe: [Debugger] tasklist.exe
IFEO\bprotect.exe: [Debugger] tasklist.exe
IFEO\bpsvc.exe: [Debugger] tasklist.exe
IFEO\browserdefender.exe: [Debugger] tasklist.exe
IFEO\browserprotect.exe: [Debugger] tasklist.exe
IFEO\browsersafeguard.exe: [Debugger] tasklist.exe
IFEO\dprotectsvc.exe: [Debugger] tasklist.exe
IFEO\jumpflip: [Debugger] tasklist.exe
IFEO\protectedsearch.exe: [Debugger] tasklist.exe
IFEO\searchinstaller.exe: [Debugger] tasklist.exe
IFEO\searchprotection.exe: [Debugger] tasklist.exe
IFEO\searchprotector.exe: [Debugger] tasklist.exe
IFEO\searchsettings.exe: [Debugger] tasklist.exe
IFEO\searchsettings64.exe: [Debugger] tasklist.exe
IFEO\snapdo.exe: [Debugger] tasklist.exe
IFEO\stinst32.exe: [Debugger] tasklist.exe
IFEO\stinst64.exe: [Debugger] tasklist.exe
IFEO\umbrella.exe: [Debugger] tasklist.exe
IFEO\utiljumpflip.exe: [Debugger] tasklist.exe
IFEO\volaro: [Debugger] tasklist.exe
IFEO\vonteera: [Debugger] tasklist.exe
IFEO\websteroids.exe: [Debugger] tasklist.exe
IFEO\websteroidsservice.exe: [Debugger] tasklist.exe
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyServer: [S-1-5-21-481355970-3911323781-190828911-1001] => http=127.0.0.1:8888;https=127.0.0.1:8888
SearchScopes: HKU\S-1-5-21-481355970-3911323781-190828911-1001 -> DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406} URL =
SearchScopes: HKU\S-1-5-21-481355970-3911323781-190828911-1001 -> {997A4750-381F-41C2-9ED4-E6C2CD012936} URL = http://searchou.com/?q={searchTerms}&id=7cf20d0e00000000000000ffb36a1def&r=159
BHO: No Name -> {A7AE14C7-B067-82C3-583F-85F59AFE7860} -> No File
CHR Extension: (fun coupons) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pogchimbndbckepmhaagnapfmlfgnala [2015-04-01]
2015-08-03 13:57 - 2015-03-21 20:14 - 00000000 ____D C:\ProgramData\Nimoru
2015-08-03 13:57 - 2014-07-19 16:32 - 00000000 ____D C:\Program Files\globalUpdate
2015-08-03 13:57 - 2014-03-06 19:47 - 00000000 ____D C:\Program Files\websaave
2015-08-03 13:57 - 2014-02-15 14:15 - 00000000 ____D C:\Program Files\weBsaaVee
C:\Users\Stefan\AppData\Local\Temp\{147FAA49-85CF-4CE2-B87D-EBBE97372E5D}.exe
Task: {39D51DE8-9742-42CA-AE11-9F1297236638} - System32\Tasks\{000B2E79-61C2-4C3E-8A84-52ED14BB3F8F} => pcalua.exe -a C:\Windows\svchost.com -d C:\Windows\system32 -c "C:\Windows\system32\taskmgr.exe" /4
Task: {533A8BA8-438F-4D7F-914B-0FE17C1CDE69} - System32\Tasks\fun_coupons_notification_service => C:\Program Files\fun coupons\fun_coupons_notification_service.exe <==== ATTENTION
Task: {688AC177-DE0B-45FD-8162-9524AE9677C9} - \AmiUpdXp No Task File <==== ATTENTION
Task: C:\Windows\Tasks\fun_coupons_notification_service.job => C:\Program Files\fun coupons\fun_coupons_notification_service.exeǧ/url='http:/cdn.selectbestopt.com/notf_sys/index.html' /crregname='fun coupons' /appid='73143' /srcid='2913' /bic='a92881e2a3423944dde015eba46f7704' /verifier='937ab016a7dc94ce8d0b63d6543e0c3f' /installerversion='1.50.3.10' /statsdomain='http:/stats.buildomserv.com/data.gif?' /errorsdomain='http:/stats.buildomserv.com/data.gif?' /monetizationdomain='http:/logs.buildomserv.com/monetization.gif <==== ATTENTION
HKLM\...\exefile\open\command: C:\Windows\svchost.com "%1" %* <===== ATTENTION
HKU\S-1-5-21-481355970-3911323781-190828911-1001\Software\Classes\.exe: exefile => <===== ATTENTION
C:\Windows\svchost.com
C:\Users\Stefan\Documents\MSDCSC
FirewallRules: [TCP Query User{A644C6A3-A137-46D8-8205-4CC7E760965F}D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [UDP Query User{2CA275FA-4F76-4045-B7E1-3D3B4EA74DE9}D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe] => (Allow) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [{D01D291E-E7ED-4C7C-8584-A2E9AAC00B95}] => (Block) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [{566CED40-A102-4DAD-8D3B-C6016A087822}] => (Block) D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe
FirewallRules: [TCP Query User{DE989500-B9D7-4262-834F-72E9C29C67C8}C:\users\stefan\appdata\local\temp\darkcomet.exe] => (Allow) C:\users\stefan\appdata\local\temp\darkcomet.exe
FirewallRules: [UDP Query User{1916DC73-144B-4674-8400-71E0D54FA63D}C:\users\stefan\appdata\local\temp\darkcomet.exe] => (Allow) C:\users\stefan\appdata\local\temp\darkcomet.exe
FirewallRules: [{C2E24F11-D33C-4298-8F81-F1880FC55740}] => (Block) C:\users\stefan\appdata\local\temp\darkcomet.exe
FirewallRules: [{4B90EB11-FA80-45C8-B005-470B209FC1BB}] => (Block) C:\users\stefan\appdata\local\temp\darkcomet.exe
C:\users\stefan\appdata\local\temp\darkcomet.exe
*****************

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => value restored successfully
"c:\program files\microsoft\desktoplayer.exe" => File/Folder not found.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bitguard.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bprotect.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\bpsvc.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\browserdefender.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\browserprotect.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\browsersafeguard.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\dprotectsvc.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\jumpflip" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\protectedsearch.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\searchinstaller.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\searchprotection.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\searchprotector.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\searchsettings.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\searchsettings64.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\snapdo.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\stinst32.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\stinst64.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\umbrella.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\utiljumpflip.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\volaro" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\vonteera" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\websteroids.exe" => key removed successfully.
"HKLM\Software\microsoft\windows nt\currentversion\Image File Execution Options\websteroidsservice.exe" => key removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully.
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully.
HKU\S-1-5-21-481355970-3911323781-190828911-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully.
HKU\S-1-5-21-481355970-3911323781-190828911-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully.
"HKU\S-1-5-21-481355970-3911323781-190828911-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{997A4750-381F-41C2-9ED4-E6C2CD012936}" => key removed successfully.
HKCR\CLSID\{997A4750-381F-41C2-9ED4-E6C2CD012936} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7AE14C7-B067-82C3-583F-85F59AFE7860}" => key removed successfully.
HKCR\CLSID\{A7AE14C7-B067-82C3-583F-85F59AFE7860} => key not found.
C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pogchimbndbckepmhaagnapfmlfgnala => moved successfully.
C:\ProgramData\Nimoru => moved successfully.
C:\Program Files\globalUpdate => moved successfully.
C:\Program Files\websaave => moved successfully.
C:\Program Files\weBsaaVee => moved successfully.
"C:\Users\Stefan\AppData\Local\Temp\{147FAA49-85CF-4CE2-B87D-EBBE97372E5D}.exe" => File/Folder not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{39D51DE8-9742-42CA-AE11-9F1297236638}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{39D51DE8-9742-42CA-AE11-9F1297236638}" => key removed successfully.
C:\Windows\System32\Tasks\{000B2E79-61C2-4C3E-8A84-52ED14BB3F8F} => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{000B2E79-61C2-4C3E-8A84-52ED14BB3F8F}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{533A8BA8-438F-4D7F-914B-0FE17C1CDE69}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{533A8BA8-438F-4D7F-914B-0FE17C1CDE69}" => key removed successfully.
C:\Windows\System32\Tasks\fun_coupons_notification_service => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\fun_coupons_notification_service" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{688AC177-DE0B-45FD-8162-9524AE9677C9}" => key removed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{688AC177-DE0B-45FD-8162-9524AE9677C9}" => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AmiUpdXp => key not found.
C:\Windows\Tasks\fun_coupons_notification_service.job => moved successfully.
HKLM\Software\Classes\exefile\shell\open\command\\Default => value restored successfully
"HKU\S-1-5-21-481355970-3911323781-190828911-1001\Software\Classes\.exe" => key removed successfully.
C:\Windows\svchost.com => moved successfully.
"C:\Users\Stefan\Documents\MSDCSC" => File/Folder not found.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{A644C6A3-A137-46D8-8205-4CC7E760965F}D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{2CA275FA-4F76-4045-B7E1-3D3B4EA74DE9}D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{D01D291E-E7ED-4C7C-8584-A2E9AAC00B95} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{566CED40-A102-4DAD-8D3B-C6016A087822} => value removed successfully.
D:\!!!!!!!!!!!!!!!!!!!!!!!alagabula\leaguesharp\sunt frumos\xena rat - 2.0.0.exe => moved successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{DE989500-B9D7-4262-834F-72E9C29C67C8}C:\users\stefan\appdata\local\temp\darkcomet.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{1916DC73-144B-4674-8400-71E0D54FA63D}C:\users\stefan\appdata\local\temp\darkcomet.exe => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{C2E24F11-D33C-4298-8F81-F1880FC55740} => value removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4B90EB11-FA80-45C8-B005-470B209FC1BB} => value removed successfully.
"C:\users\stefan\appdata\local\temp\darkcomet.exe" => File/Folder not found.


The system needed a reboot.

==== End of Fixlog 13:05:36 ====



#10 xXToffeeXx (Malware Response Instructor)

Posted 06 August 2015 - 01:18 PM

Hi TehBlaxxor,

"Some programs don't have svchost.com asking for permission, but some still do. I haven't given permission to those though."

This is due to the virus infecting some programs, so every time an infected program is run, the virus also runs.

"I have a question: will running this fix work later on?"

Some of it will; however, the values which don't exist will produce errors in the script.

Please re-run FRST from the desktop (like you did before) and press the Scan button. It will produce a FRST.txt log located on the desktop. Please copy and paste the log into your next reply.

xXToffeeXx~




#11 TehBlaxxor (Topic Starter)

Posted 08 August 2015 - 04:22 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:06-08-2015
Ran by Stefan (administrator) on STEFAN-PC (08-08-2015 12:06:26)
Running from C:\Users\Stefan\Downloads
Loaded Profiles: Stefan (Available Profiles: Stefan)
Platform: Microsoft Windows 7 Ultimate  Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Sandboxie Holdings, LLC) C:\Program Files\Sandboxie\SbieSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(AnchorFree Inc.) C:\Program Files\Hotspot Shield\bin\cmw_srv.exe
() C:\Program Files\Hotspot Shield\bin\hsswd.exe
(Nero AG) C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(LogMeIn Inc.) D:\LogMeIn Hamachi\hamachi-2.exe
(LogMeIn, Inc.) D:\LogMeIn Hamachi\LMIGuardianSvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Microsoft Corporation) C:\Program Files\Windows Media Player\wmplayer.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Skillbrains) C:\Program Files\Skillbrains\lightshot\5.2.1.1\Lightshot.exe
(Alexander Roshal) C:\Users\Stefan\AppData\Local\Temp\3582-490\WinRAR.exe
(Ymir Entertainment) D:\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!METINUL LUI X\joaca 2 guri\Metin2 PlayMouth - UltraFun\Metin2PlayMouth.exe
(Farbar) C:\Users\Stefan\Downloads\FRST(2).exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [GrooveMonitor] => C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [31072 2008-10-25] (Microsoft Corporation)
HKLM\...\Run: [NvBackend] => C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe [2279712 2013-12-10] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [Lightshot] => C:\Program Files\Skillbrains\lightshot\Lightshot.exe [226560 2014-11-18] ()
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [334896 2015-04-30] (Oracle Corporation)
HKLM\...\Run: [LogMeIn Hamachi Ui] => D:\LogMeIn Hamachi\hamachi-2-ui.exe [5621096 2015-08-04] ()
HKLM\...\Winlogon: [Userinit] c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [Pando Media Booster] => C:\Program Files\Pando Networks\Media Booster\PMB.exe [4284976 2013-05-19] ()
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [DAEMON Tools Ultra Agent] => D:\DAEMON Tools Ultra\DTAgent.exe [3165216 2015-08-02] ()
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [DAEMON Tools Lite] => C:\Program Files\DAEMON Tools Lite\DTLite.exe [3673696 2013-08-01] (Disc Soft Ltd)
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [53282944 2015-06-29] (Skype Technologies S.A.)
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner.exe [5529880 2015-03-13] (Piriform Ltd)
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [Akamai NetSession Interface] => C:\Users\Stefan\AppData\Local\Akamai\netsession_win.exe [4714904 2015-08-03] ()
HKU\S-1-5-21-481355970-3911323781-190828911-1001\...\Run: [Clownfish] => D:\PESTE CLOVN\Clownfish.exe [1382664 2015-08-02] ()

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\S-1-5-21-481355970-3911323781-190828911-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_45\bin\ssv.dll [2015-05-21] (Oracle Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-21] (Oracle Corporation)
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll [2009-02-12] (Microsoft Corporation)
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 193.231.252.1 192.168.0.1
Tcpip\..\Interfaces\{B52EBE2B-1D74-4E2E-A1A6-586297E22AD7}: [DhcpNameServer] 193.231.252.1 192.168.0.1
Tcpip\..\Interfaces\{CEAD5A0D-FA43-43EA-976F-9124974CCFB2}: [NameServer] 8.8.8.8

FireFox:
========
FF ProfilePath: C:\Users\Stefan\AppData\Roaming\Mozilla\Firefox\Profiles\i57f7wl9.default-1438683375717
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-07-14] ()
FF Plugin: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw_1202122.dll [2013-04-03] (Adobe Systems, Inc.)
FF Plugin: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-21] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-21] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.20513.0\npctrl.dll [2013-05-13] ( Microsoft Corporation)
FF Plugin: @nvidia.com/3DVision -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-12-19] (NVIDIA Corporation)
FF Plugin: @nvidia.com/3DVisionStreaming -> C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-12-19] (NVIDIA Corporation)
FF Plugin: @pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [2013-05-19] (Pando Networks)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-481355970-3911323781-190828911-1001: @kaneva.com/KanevaPatch -> C:\Program Files\Kaneva\npkanevapatch.dll No File
FF Plugin HKU\S-1-5-21-481355970-3911323781-190828911-1001: @nsroblox.roblox.com/launcher -> C:\Users\Stefan\AppData\Local\Roblox\Versions\version-ea077ae9bef64263\\NPRobloxProxy.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-481355970-3911323781-190828911-1001: @nsroblox.roblox.com/launcher64 -> C:\Users\Stefan\AppData\Local\Roblox\Versions\version-ea077ae9bef64263\\NPRobloxProxy64.dll [2013-01-01] ( ROBLOX Corporation)
FF Plugin HKU\S-1-5-21-481355970-3911323781-190828911-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Stefan\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-06-12] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-481355970-3911323781-190828911-1001: pandonetworks.com/PandoWebPlugin -> C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll [2013-05-19] (Pando Networks)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npkanevapatch.dll [2013-04-09] (Kaneva, LLC.)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Extension: Hotspot Shield Helper (Please allow this installation) - C:\Program Files\Mozilla Firefox\extensions\afurladvisor@anchorfree.com [2015-06-03]
FF HKLM\...\Firefox\Extensions: [fiddlerhook@fiddler2.com] - D:\Fiddler2\FiddlerHook
FF Extension: FiddlerHook - D:\Fiddler2\FiddlerHook [2014-08-02]

Chrome:
=======
CHR Profile: C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (ROBLOX 3D Preview Plugin) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\begdomdbhchlodcakjoephdlnmkkljoa [2014-03-11]
CHR Extension: (Fast Proxy) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkjcdfmmpdfjohenejbkaaafkoeknjnh [2014-08-08]
CHR Extension: (Adblock Plus) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-03-31]
CHR Extension: (OneTab) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\chphlpgkkbolifaimnlloiipkdnihall [2014-08-08]
CHR Extension: (GreenAddress) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgbimgjoijjemhdamicmljbncacfndmp [2014-08-08]
CHR Extension: (Tampermonkey) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2014-05-30]
CHR Extension: (ROBLOX Group Shout Notifier) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\edbploaefmmlnfjjoidiiohbdfcpgihg [2014-08-08]
CHR Extension: (EditThisCookie) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2014-08-06]
CHR Extension: (AdBlock) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2014-08-11]
CHR Extension: (TU 95) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmdceamebdfbknogpjgpnlfkhhdfiadd [2014-08-08]
CHR Extension: (Roblox OBC Theme Changer) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\iaobbfadkioeagmemoalfhebogdenjnk [2014-08-08]
CHR Extension: (Zalmos SSL Web Proxy for Free) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\idefjamndcpplnamdlbodoebjgkpdmpn [2014-08-08]
CHR Extension: (Adblock Advisor) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\iplojogpbcbnjoemcalepfmbcpnkpjjo [2014-03-31]
CHR Extension: (Roblox Forum Enhancer) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcpdfglmclgjedmjhiakmmgkcibkimod [2014-08-08]
CHR Extension: (Roblox Hat Notifier) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjepeiijmflchkjgfjpopeimafiognkc [2014-08-08]
CHR Extension: (Build with Chrome) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lbbbhbjeecagnlfgggogfclkdjamoapf [2014-08-08]
CHR Extension: (ROBLOX: Quick Asset Downloader) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\meljceogbjjmgjhhbnmjjgepchpjkklc [2014-05-30]
CHR Extension: (FastestFox for Chrome) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmffncokckfccddfenhkhnllmlobdahm [2014-05-26]
CHR Extension: (ROBLOX Outfit Saver Extension) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mpaohnjlgfabcooefhihmafmdcbliakf [2014-08-08]
CHR Extension: (Google Wallet) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-01]
CHR Extension: (Roblox Assault Team - Group Shout Notifier) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\obghddnhnefhbeibehcibghkccmlpama [2014-08-08]
CHR Extension: (My Chrome Theme) - C:\Users\Stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\oehpjpccmlcalbenfhnacjeocbjdonic [2014-08-08]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Hamachi2Svc; D:\LogMeIn Hamachi\hamachi-2.exe [1883496 2015-08-03] (LogMeIn Inc.)
R2 hshld; C:\Program Files\Hotspot Shield\bin\cmw_srv.exe [1169616 2015-06-04] (AnchorFree Inc.)
S3 HssTrayService; C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE [96600 2015-06-04] ()
R2 HssWd; C:\Program Files\Hotspot Shield\bin\hsswd.exe [589520 2015-06-04] ()
R2 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1494304 2013-12-10] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [14658848 2013-12-10] (NVIDIA Corporation)
R2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [131272 2014-01-17] (Sandboxie Holdings, LLC)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [680960 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 dtscsibus; C:\Windows\System32\DRIVERS\dtscsibus.sys [24704 2013-06-13] (Disc Soft Ltd)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [243128 2013-10-20] (Disc Soft Ltd)
R3 hamachi; C:\Windows\System32\DRIVERS\hamachi.sys [26176 2015-03-30] (LogMeIn, Inc.)
R1 HssDRV6; C:\Windows\System32\DRIVERS\hssdrv6.sys [39528 2015-06-04] (AnchorFree Inc.)
R3 msloop; C:\Windows\System32\DRIVERS\loop.sys [5632 2009-07-14] (Microsoft Corporation)
R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [34080 2013-12-05] (NVIDIA Corporation)
R3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [161888 2014-01-17] (Sandboxie Holdings, LLC)
R3 SCREAMINGBDRIVER; C:\Windows\System32\drivers\ScreamingBAudio.sys [34896 2012-07-31] (Screaming Bee LLC)
R3 tap0901; C:\Windows\System32\DRIVERS\tap0901.sys [35288 2013-08-22] (The OpenVPN Project)
R3 taphss6; C:\Windows\System32\DRIVERS\taphss6.sys [36968 2015-06-04] (Anchorfree Inc.)
S3 WinRing0_1_2_0; D:\Game Booster 3\Driver\WinRing0.sys [14416 2010-11-01] (OpenLibSys.org)
R3 EagleXNt; \??\C:\Windows\system32\drivers\EagleXNt.sys [X]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 XFDriver; \??\D:\Xfire2\XFDriver.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-08 12:05 - 2015-08-08 12:05 - 01673728 _____ (Farbar) C:\Users\Stefan\Downloads\FRST(2).exe
2015-08-07 12:43 - 2015-08-07 12:43 - 00012863 _____ C:\Users\Stefan\Downloads\Metin2Power-Official-2015-Update-10.03.2015.torrent
2015-08-07 09:06 - 2015-08-07 09:06 - 00012914 _____ C:\Users\Stefan\Downloads\Metin2Absolute.rar.torrent
2015-08-06 13:07 - 2015-08-06 13:07 - 00041472 _____ C:\Windows\svchost.com
2015-08-06 13:05 - 2015-08-06 13:29 - 01715200 _____ C:\Users\Stefan\Downloads\FRST(1).exe
2015-08-06 11:51 - 2015-08-06 11:52 - 00005149 _____ C:\Users\Stefan\Desktop\fixlist.txt
2015-08-04 19:51 - 2015-08-04 21:46 - 08566080 _____ C:\Users\Stefan\Downloads\FxRamnit.exe
2015-08-04 19:51 - 2015-08-04 21:35 - 01068922 _____ C:\Users\Stefan\Downloads\FxRamnit.log
2015-08-04 13:51 - 2015-08-04 13:52 - 00056059 _____ C:\Users\Stefan\Downloads\Addition.txt
2015-08-04 13:49 - 2015-08-08 12:06 - 00016009 _____ C:\Users\Stefan\Downloads\FRST.txt
2015-08-04 13:49 - 2015-08-08 12:06 - 00000000 ____D C:\FRST
2015-08-04 13:48 - 2015-08-04 21:46 - 01715200 _____ C:\Users\Stefan\Downloads\FRST.exe
2015-08-04 12:59 - 2015-08-04 12:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Hamachi
2015-08-04 12:58 - 2015-08-06 13:35 - 00000672 _____ C:\Windows\setupact.log
2015-08-04 12:58 - 2015-08-04 12:58 - 00000000 _____ C:\Windows\setuperr.log
2015-08-04 12:47 - 2015-08-04 13:01 - 00000000 ____D C:\TDSSKiller_Quarantine
2015-08-03 14:55 - 2015-08-03 14:55 - 00000590 _____ C:\ProgramData\Microsoft\Windows\Start Menu\WinRAR.lnk
2015-08-03 14:47 - 2015-08-03 14:48 - 00000222 _____ C:\Windows\system32\metin2.cfg
2015-08-03 13:14 - 2015-08-03 13:14 - 00000000 ____D C:\ProgramData\Malwarebytes
2015-08-03 08:08 - 2015-08-03 08:08 - 02303488 _____ (Python Software Foundation) C:\Windows\system32\python27.dll
2015-08-03 08:08 - 2015-06-26 13:11 - 00827392 _____ (PythonLabs at Zope Corporation) C:\Windows\system32\python22.dll
2015-08-02 19:28 - 2015-08-08 12:03 - 00000058 _____ C:\Windows\directx.sys
2015-07-16 18:57 - 2015-07-16 18:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoHotkey
2015-07-12 14:25 - 2015-08-04 21:38 - 00000000 ____D C:\Users\Stefan\AppData\Local\LogMeIn Hamachi
2015-07-11 21:53 - 2015-07-11 21:53 - 00000000 ____D C:\Users\Stefan\AppData\Local\GitHub,_Inc
2015-07-11 18:10 - 2015-07-11 18:10 - 00000000 ____D C:\Users\Stefan\AppData\Local\DigitalVolcano
2015-07-11 18:09 - 2015-07-11 18:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hash Tool
2015-07-11 13:59 - 2015-07-11 14:02 - 00000000 ____D C:\Users\Stefan\Documents\ClownfishSoundTemp
2015-07-11 09:57 - 2015-07-11 09:57 - 00000549 _____ C:\Users\Public\Desktop\DarkComet Remover.lnk
2015-07-11 09:57 - 2015-07-11 09:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DarkComet RAT Remover
2015-07-09 18:56 - 2015-07-09 18:57 - 00000000 ____D C:\ProgramData\Hotspot Shield
2015-07-09 18:56 - 2015-07-09 18:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotspot Shield
2015-07-09 18:55 - 2015-07-09 18:57 - 00000000 ____D C:\Program Files\Hotspot Shield
2015-07-09 18:55 - 2015-06-04 02:01 - 00039528 _____ (AnchorFree Inc.) C:\Windows\system32\Drivers\hssdrv6.sys
2015-07-09 18:54 - 2015-07-09 18:54 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Hotspot Shield

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-08 12:20 - 2013-05-17 13:24 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-08-08 12:20 - 2013-05-04 05:05 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Skype
2015-08-08 12:02 - 2013-05-04 04:55 - 00000886 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-08 11:45 - 2015-06-03 14:04 - 00000000 ____D C:\Program Files\Mozilla Firefox
2015-08-08 11:30 - 2013-05-05 00:23 - 00000378 _____ C:\Windows\Tasks\update-sys.job
2015-08-08 09:25 - 2013-05-05 00:23 - 00000378 _____ C:\Windows\Tasks\update-S-1-5-21-481355970-3911323781-190828911-1001.job
2015-08-07 21:07 - 2013-05-04 13:47 - 02063133 _____ C:\Windows\WindowsUpdate.log
2015-08-07 13:02 - 2013-05-04 04:55 - 00000882 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-07 12:54 - 2015-07-06 15:47 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\uTorrent
2015-08-06 13:40 - 2009-07-14 07:34 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-08-06 13:40 - 2009-07-14 07:34 - 00014192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-08-06 13:35 - 2015-06-02 18:12 - 00303532 _____ C:\Windows\PFRO.log
2015-08-06 13:35 - 2013-05-04 05:46 - 00000000 ____D C:\ProgramData\NVIDIA
2015-08-06 13:35 - 2009-07-14 07:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-06 13:33 - 2013-05-19 11:46 - 00000000 ____D C:\Users\Stefan\AppData\Local\PMB Files
2015-08-06 13:07 - 2014-01-29 18:22 - 00000008 __RSH C:\ProgramData\ntuser.pol
2015-08-06 13:05 - 2009-07-14 05:37 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-08-06 10:25 - 2013-05-04 04:56 - 00002131 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-08-04 13:16 - 2015-05-04 16:50 - 00000000 ____D C:\Users\Stefan\Desktop\Old Firefox Data
2015-08-04 12:39 - 2013-05-09 20:43 - 00000000 ____D C:\Program Files\Common Files\Adobe
2015-08-04 12:39 - 2013-05-09 20:41 - 00000000 ____D C:\ProgramData\Adobe
2015-08-04 12:38 - 2013-05-09 20:46 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Adobe
2015-08-04 12:38 - 2013-05-09 20:43 - 00000000 ____D C:\Program Files\Adobe
2015-08-03 14:55 - 2013-05-04 04:41 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-08-03 14:55 - 2013-05-04 04:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2015-08-03 14:44 - 2014-08-25 21:23 - 00000000 ____D C:\Windows\Minidump
2015-08-03 13:58 - 2014-06-15 09:29 - 00000000 ____D C:\Windows\pss
2015-08-03 13:51 - 2013-05-04 04:41 - 00000000 ____D C:\Program Files\WinRAR
2015-08-03 13:06 - 2014-10-25 20:35 - 05198184 _____ C:\Users\Public\Desktop\MorphVOXPro4_Install-1.exe
2015-08-03 12:12 - 2013-07-02 18:56 - 00026176 ____H (LogMeIn, Inc.) C:\Windows\system32\hamachi.sys
2015-08-02 14:38 - 2014-08-22 16:54 - 00184832 _____ C:\Users\Stefan\Desktop\DepCheck.exe
2015-08-02 14:38 - 2014-07-14 11:48 - 00227328 _____ C:\Users\Stefan\xextool.exe
2015-08-02 14:38 - 2014-02-16 11:01 - 00900423 _____ C:\Users\Stefan\Desktop\w.exe
2015-08-02 14:38 - 2013-07-01 18:59 - 00526464 _____ C:\Users\Stefan\Desktop\Minecraft.exe
2015-08-02 14:37 - 2013-12-26 14:07 - 01657077 ___SH C:\Users\Stefan\AppData\Roaming\Roblox.exe
2015-08-02 14:30 - 2013-05-04 03:55 - 00000000 ____D C:\Users\Stefan
2015-07-20 15:31 - 2015-04-10 19:18 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\.minecraft
2015-07-16 20:13 - 2013-05-19 11:46 - 00000000 ____D C:\ProgramData\PMB Files
2015-07-16 18:57 - 2009-07-14 10:49 - 00000000 ____D C:\Windows\ShellNew
2015-07-15 22:39 - 2013-05-09 20:44 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-07-14 22:20 - 2013-05-17 13:24 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe
2015-07-14 22:20 - 2013-05-17 13:24 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl
2015-07-13 17:26 - 2015-01-01 11:05 - 00000000 ____D C:\Users\Stefan\Documents\Visual Studio 2012
2015-07-11 21:53 - 2015-01-02 13:11 - 00000000 ____D C:\Users\Stefan\AppData\Local\GitHub
2015-07-11 21:51 - 2015-01-02 13:11 - 00000000 ____D C:\Users\Stefan\AppData\Roaming\GitHub
2015-07-09 13:43 - 2014-10-11 10:55 - 00000000 ___RD C:\Program Files\Skype
2015-07-09 13:43 - 2013-05-04 05:04 - 00000000 ____D C:\ProgramData\Skype
2015-07-09 13:41 - 2013-05-17 13:13 - 00000000 ____D C:\Program Files\Mozilla Maintenance Service

==================== Files in the root of some directories =======

2015-06-13 13:46 - 2015-06-13 13:46 - 0000754 _____ () C:\Program Files\Drakensang Online.lnk
2013-05-24 15:52 - 2013-05-24 15:52 - 2762223 _____ () C:\Users\Stefan\AppData\Roaming\55982saved - copy.exe.52201.gzquar
2013-05-24 15:52 - 2013-05-24 15:52 - 2762223 _____ () C:\Users\Stefan\AppData\Roaming\74529saved - copy.exe.49067.gzquar
2013-06-26 09:46 - 2013-06-26 09:46 - 2762223 _____ () C:\Users\Stefan\AppData\Roaming\78083RBXSmoother.exe.92955.gzquar
2014-05-24 15:50 - 2015-05-29 17:03 - 0000132 _____ () C:\Users\Stefan\AppData\Roaming\Adobe PNG Format CS6 Prefs
2013-05-05 17:48 - 2013-08-03 21:16 - 0000104 _____ () C:\Users\Stefan\AppData\Roaming\Camdata.ini
2013-05-05 17:48 - 2013-08-03 21:16 - 0000408 _____ () C:\Users\Stefan\AppData\Roaming\CamLayout.ini
2013-05-05 17:48 - 2013-08-03 21:16 - 0000408 _____ () C:\Users\Stefan\AppData\Roaming\CamShapes.ini
2013-05-05 17:48 - 2013-08-03 21:16 - 0004509 _____ () C:\Users\Stefan\AppData\Roaming\CamStudio.cfg
2015-05-09 13:13 - 2015-05-09 13:13 - 0000113 _____ () C:\Users\Stefan\AppData\Roaming\D2Info0
2015-05-09 13:13 - 2015-05-09 13:57 - 0000008 _____ () C:\Users\Stefan\AppData\Roaming\DofusAppId0_1
2014-08-28 12:48 - 2014-08-28 12:48 - 0000849 _____ () C:\Users\Stefan\AppData\Roaming\Roaming - Shortcut.lnk
2013-12-26 14:07 - 2015-08-02 14:37 - 1657077 ___SH () C:\Users\Stefan\AppData\Roaming\Roblox.exe
2014-06-19 12:19 - 2014-06-19 12:19 - 0000024 _____ () C:\Users\Stefan\AppData\Roaming\temp.ini
2014-08-28 12:48 - 2014-08-28 12:51 - 0041472 ___SH () C:\Users\Stefan\AppData\Roaming\Thumbs.db
2013-07-02 14:28 - 2014-08-08 18:53 - 0006656 _____ () C:\Users\Stefan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2013-05-21 19:19 - 2013-05-21 20:23 - 0000600 _____ () C:\Users\Stefan\AppData\Local\PUTTY.RND
2013-06-26 09:44 - 2013-06-26 09:44 - 0000165 _____ () C:\Users\Stefan\AppData\Local\Tempscratch.cmd
2013-05-05 00:23 - 2013-05-05 00:23 - 0000003 _____ () C:\Users\Stefan\AppData\Local\updater.log
2013-05-05 00:23 - 2015-04-22 20:57 - 0000412 _____ () C:\Users\Stefan\AppData\Local\UserProducts.xml
2013-05-04 04:23 - 2013-05-04 04:23 - 0139583 _____ () C:\ProgramData\1367630557.bdinstall.bin
2014-02-15 14:57 - 2014-02-15 14:57 - 0036382 _____ () C:\ProgramData\1392465437.bdinstall.bin
2014-02-15 14:58 - 2014-02-15 14:58 - 0098975 _____ () C:\ProgramData\1392465439.bdinstall.bin

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\explorer.exe => File is digitally signed
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-07-13 09:06

==================== End of log ============================



#12 xXToffeeXx

Posted 08 August 2015 - 05:00 AM

Hi TehBlaxxor,
 
ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#13 xXToffeeXx


Posted 15 August 2015 - 02:35 PM

Hi TehBlaxxor,

 

How are you getting on with these steps?

 

xXToffeeXx~



#14 xXToffeeXx


Posted 18 August 2015 - 01:02 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
