homepage and default search engine keeps getting changed


  • This topic is locked
27 replies to this topic

#1 meister99

  • Members
  • 28 posts

Posted 30 August 2015 - 02:13 AM

Hi

I'm running a Samsung Series 5 Ultra with Windows 8.1 and have discovered an issue. Recently the home page and default search engine of my browsers, both Google Chrome and Internet Explorer, keep getting changed. This results in my browser opening that one page (which is a search engine website) every time I opened a new tab, and always using that search engine every time I searched using Chrome's omnibox. This problem still persists after resetting the home page and default search engine many times and also uninstalling and reinstalling Google Chrome. The homepage keeps getting changed to this address: http://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoLgjo2KkUSlD5acDZtZK7CPoQeL9qTS0SU7tdS2VdymQMna41niKFgfGjn5lUMjVgZTf2tbIeerhfa

Help?

Thank you for your attention. Below is the FRST.txt log file from a scan done just before posting this topic.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:29-08-2015
Ran by Samsung 5 Ultra (administrator) on MOTHERSHIP (30-08-2015 13:54:25)
Running from C:\Users\Samsung 5 Ultra\Downloads
Loaded Profiles: Samsung 5 Ultra (Available Profiles: Samsung 5 Ultra & Gede A)
Platform: Windows 8.1 Pro (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files (x86)\Garena Plus\ggdllhost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SafeNet Inc.) C:\Windows\System32\hasplms.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(INNORIX) C:\Windows\SysWOW64\innosvcd.exe
() C:\Program Files\NixSrv\NixSrv.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
() C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe
(Mentor Graphics Corporation) C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe
(Mentor Graphics Corporation) C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\dispatcher.exe
() C:\ProgramData\Saophase\Saophase.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
() C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDTouch.exe
(LINE Corporation) C:\Program Files (x86)\Naver\LINE\Line.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(Dassault Systèmes SolidWorks Corp.) C:\Program Files\SolidWorks Corp\SolidWorks\sldworks_fs.exe
(Power Software Ltd) C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
() C:\Program Files\NixSrv\packages\21363b31-a91e-4507-96ff-da5bf2eb3159\NixHost.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
() C:\ProgramData\Saophase\Redkix.exe
() C:\ProgramData\ExtTag\ExtTag.exe
(Microsoft Corporation) C:\Program Files (x86)\Internet Explorer\ielowutil.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
() C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3E.exe
() C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3F.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Users\Samsung 5 Ultra\Downloads\Windows-KB890830-x64-V5.27.exe
(Microsoft Corporation) D:\1981d5136c174b78ec09\mrtstub.exe
(Microsoft Corporation) C:\Windows\System32\MRT.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3274056 2013-11-25] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [336992 2012-08-17] (Power Software Ltd)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-03-07] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31087200 2015-01-23] (Skype Technologies S.A.)
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [GarenaPlus] => C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe [10014656 2015-08-06] ()
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [LINE] => C:\Program Files (x86)\Naver\LINE\Line.exe [15664152 2015-08-18] (LINE Corporation)
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [apphide] => C:\Program Files (x86)\baidu\pps.exe
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [GoogleChromeAutoLaunch_FE12F96DA070CFADCEB210CFE73E3C6E] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [813896 2015-08-18] (Google Inc.)
AppInit_DLLs: C:\ProgramData\ExtTag\Tech-Core.dll => C:\ProgramData\ExtTag\Tech-Core.dll [212992 2015-08-30] ()
AppInit_DLLs-x32: C:\ProgramData\ExtTag\Lamtech.dll => C:\ProgramData\ExtTag\Lamtech.dll [194560 2015-08-30] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2015-03-12]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SolidWorks 2013 Fast Start.lnk [2015-03-27]
ShortcutTarget: SolidWorks 2013 Fast Start.lnk -> C:\Windows\Installer\{B6B5EA7E-B91F-443D-A958-B0062FB53804}\NewShortcut2_87EDF6C81D0A4B7B84F42FE0C6A9D608.exe (Flexera Software, Inc.)
GroupPolicyScripts: Group Policy detected <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hao123.com/?tn=92280131_hao_pg
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://u.msn.com/id-id/?ocid=iehp
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL = 
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> DefaultScope {56304CC1-F182-44BC-B8B8-A7A42B96DB1C} URL = hxxps://id.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> {56304CC1-F182-44BC-B8B8-A7A42B96DB1C} URL = hxxps://id.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2011-02-12] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-24] (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-26] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\ssv.dll [2015-03-29] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-29] (Oracle Corporation)
Winsock: Catalog9 01 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 02 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 03 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 04 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 16 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9-x64 01 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 02 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 03 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 04 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 16 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{0AEAFFA0-A462-42E5-A94F-9E09E7BEA8E5}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{351B2076-CEB6-4281-808E-32A0F800D9A8}: [DhcpNameServer] 192.168.1.1
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.istartsurf.com/?type=sc&ts=1440693660&z=a2a8e2f57c0a90f30b2d997gezbzfe3q2t0c6w1zcq&from=obw&uid=ST500LT012-9WS142_W0V5A168XXXXW0V5A168
 
FireFox:
========
FF ProfilePath: C:\Users\Samsung 5 Ultra\AppData\Roaming\Mozilla\Firefox\Profiles\dzt5shd3.default
FF NetworkProxy: "type", 5
FF Homepage: C:\ProgramData\ExtTags\ff.HP
FF NewTab: C:\ProgramData\ExtTags\ff.NT
FF Plugin: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-09-23] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-09-23] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll [2015-08-13] ()
FF Plugin-x32: @esn.me/esnsonar,version=0.70.4 -> C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll [2011-11-03] (ESN Social Software AB)
FF Plugin-x32: @esn/esnlaunch,version=2.3.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.3.0\npesnlaunch.dll [2013-09-16] (ESN Social Software AB)
FF Plugin-x32: @innorix.com/innogmp -> C:\Program Files (x86)\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin-x32: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [No File]
FF Plugin-x32: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-29] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-29] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-25] (Microsoft Corporation)
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [2015-07-07] ( Garena)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-30] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-30] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2012-12-19] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2081238159-1021517717-438538016-1001: @innorix.com/innogmp -> C:\Program Files (x86)\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin HKU\S-1-5-21-2081238159-1021517717-438538016-1001: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll No File
FF Plugin HKU\S-1-5-21-2081238159-1021517717-438538016-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Samsung 5 Ultra\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2014-12-05] (Unity Technologies ApS)
FF user.js: detected! => C:\Users\Samsung 5 Ultra\AppData\Roaming\Mozilla\Firefox\Profiles\dzt5shd3.default\user.js [2015-08-28]
FF SearchPlugin: C:\Users\Samsung 5 Ultra\AppData\Roaming\Mozilla\Firefox\Profiles\dzt5shd3.default\searchplugins\findit.xml [2015-08-30]
FF HKLM\...\Firefox\Extensions: [{0420BEC0-F2C1-4578-8F19-471B9E5C63A5}] - C:\Program Files\shopperz240820151333\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{0420BEC0-F2C1-4578-8F19-471B9E5C63A5}] - C:\Program Files\shopperz240820151333\Firefox
 
Chrome: 
=======
CHR Profile: C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-28]
CHR Extension: (Google Docs) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-01]
CHR Extension: (Google Drive) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-08-28]
CHR Extension: (YouTube) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-08-28]
CHR Extension: (Adblock Plus) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-08-28]
CHR Extension: (Google Search) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-08-28]
CHR Extension: (Google Sheets) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-28]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-01]
CHR Extension: (Browsec) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\omghfjlpggmjjaagoclmmobgdodcjboh [2015-08-28]
CHR Extension: (Gmail) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-28]
CHR Profile: C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (YouTube) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-01]
CHR Extension: (Gmail) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-01]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ExtTag; C:\ProgramData\ExtTag\ExtTag.exe [33792 2015-08-27] () [File not signed]
R2 hasplms; C:\Windows\system32\hasplms.exe [4609928 2013-08-01] (SafeNet Inc.)
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2011-08-18] (Hewlett-Packard Co.) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 Innosvcd; C:\Windows\SysWOW64\innosvcd.exe [193144 2013-04-04] (INNORIX)
R2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 NixSrv; C:\Program Files\NixSrv\NixSrv.exe [379904 2015-08-27] () [File not signed]
R2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2015-05-30] ()
R2 pyodqct; C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe [52736 2015-08-27] () [File not signed]
R2 RemoteSolverDispatcher; C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe [52360 2012-11-22] (Mentor Graphics Corporation) [File not signed]
R2 Saophase; C:\ProgramData\Saophase\Saophase.exe [33792 2015-08-27] () [File not signed]
S3 SolidWorks Licensing Service; C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2015-02-16] (SolidWorks) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
S2 atuvpazpa; "C:\ProgramData\IcyCarje\gigoamaw.exe" /ts2=1 [X]
S2 gopibeko; no ImagePath
S2 jimocoso; C:\Program Files (x86)\271D2900-1440693668-11E2-9ABD-B08B03FE1D00\jnssCB91.tmp [X]
S2 qivihofe; C:\Program Files (x86)\271D2900-1440693668-11E2-9ABD-B08B03FE1D00\knso9B7F.tmp [X]
S2 sihkahtaa; no ImagePath
S2 SSFK; no ImagePath
S2 totyseku; C:\Program Files (x86)\271D2900-1440693668-11E2-9ABD-B08B03FE1D00\hnsgF989.tmp [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [36608 2013-12-12] (Advanced Micro Devices, Inc.)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3855872 2013-09-25] (Qualcomm Atheros Communications, Inc.)
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-09-25] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-09-25] (Windows ® Win 7 DDK provider)
R3 ETDSMBus; C:\Windows\system32\DRIVERS\ETDSMBus.sys [23344 2013-11-22] (ELAN Microelectronic Corp.)
R2 hardlock; C:\Windows\system32\drivers\hardlock.sys [331328 2013-08-01] (SafeNet Inc.)
R3 irstrtdv; C:\Windows\System32\drivers\irstrtdv.sys [20192 2013-11-25] (Intel Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
R3 RadioHIDMini; C:\Windows\System32\drivers\RadioHIDMini.sys [23408 2012-07-28] (Windows ® Win 7 DDK provider)
S3 SDGame; C:\Windows\System32\svchost.exe [37768 2013-08-22] (Microsoft Corporation)
S3 usbrndis6; C:\Windows\system32\DRIVERS\usb80236.sys [20992 2013-08-22] (Microsoft Corporation)
S1 cherimoya; system32\drivers\cherimoya.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S1 QMUdisk; \??\C:\Program Files (x86)\Tencent\QQPCMgr\10.10.16443.223\QMUdisk64.sys [X]
S3 TS888x64; \??\C:\Program Files (x86)\Tencent\QQPCMgr\10.10.16443.223\TS888x64.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
S3 xspirit; \??\C:\Windows\xspirit.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-30 13:54 - 2015-08-30 13:55 - 00023026 _____ C:\Users\Samsung 5 Ultra\Downloads\FRST.txt
2015-08-30 13:54 - 2015-08-30 13:54 - 00000000 ____D C:\FRST
2015-08-30 13:53 - 2015-08-30 13:53 - 02186752 _____ (Farbar) C:\Users\Samsung 5 Ultra\Downloads\FRST64.exe
2015-08-30 13:37 - 2015-08-30 13:38 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\NPE
2015-08-30 13:37 - 2015-08-30 13:37 - 00000000 ____D C:\ProgramData\Norton
2015-08-30 13:35 - 2015-08-30 13:36 - 03088296 _____ (Symantec Corporation) C:\Users\Samsung 5 Ultra\Downloads\NPE.exe
2015-08-30 13:04 - 2015-08-30 13:04 - 00002265 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-08-30 13:04 - 2015-08-30 13:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-08-30 13:01 - 2015-08-30 13:06 - 00001052 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-30 13:01 - 2015-08-30 13:06 - 00001048 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-30 13:01 - 2015-08-30 13:01 - 00004024 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-08-30 13:01 - 2015-08-30 13:01 - 00003788 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-08-30 12:29 - 2015-08-30 12:30 - 00000000 ____D C:\ProgramData\ExtTag
2015-08-30 12:29 - 2015-08-30 12:29 - 00000000 ____D C:\ProgramData\ExtTags
2015-08-30 12:20 - 2015-08-30 12:21 - 51076312 _____ (Microsoft Corporation) C:\Users\Samsung 5 Ultra\Downloads\Windows-KB890830-x64-V5.27 (1).exe
2015-08-30 10:20 - 2015-08-30 12:29 - 00002377 _____ C:\Windows\SysWOW64\findit.xml
2015-08-30 10:20 - 2015-08-30 12:29 - 00000000 ____D C:\ProgramData\Saophase
2015-08-30 10:20 - 2015-08-30 10:20 - 00000000 ____D C:\ProgramData\Saophases
2015-08-30 10:19 - 2015-08-30 10:19 - 04241742 _____ (Bycatch) C:\Program Files\Common Files\jjo4znmu.exe
2015-08-30 10:04 - 2015-08-30 10:04 - 00003156 _____ C:\Windows\System32\Tasks\2dlfjddd
2015-08-30 10:04 - 2015-08-30 10:04 - 00000000 ____D C:\Program Files\Common Files\b1lu1epr
2015-08-28 20:49 - 2015-08-28 20:49 - 00003238 _____ C:\Windows\System32\Tasks\posuownooa
2015-08-28 19:45 - 2015-08-28 19:45 - 01995622 _____ C:\Users\Samsung 5 Ultra\Downloads\HoxHud P9.1.5 Self-installer.exe
2015-08-28 09:04 - 2015-07-28 10:59 - 132483416 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-08-28 08:51 - 2015-08-28 08:54 - 51076312 _____ (Microsoft Corporation) C:\Users\Samsung 5 Ultra\Downloads\Windows-KB890830-x64-V5.27.exe
2015-08-28 08:43 - 2015-08-28 08:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-08-28 08:43 - 2015-08-28 08:43 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-08-28 08:43 - 2015-08-28 08:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-08-28 08:34 - 2015-08-28 08:35 - 13155552 _____ (Microsoft Corporation) C:\Users\Samsung 5 Ultra\Downloads\Silverlight_x64.exe
2015-08-28 07:48 - 2015-08-28 07:48 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\IQIYI Video
2015-08-28 07:48 - 2015-08-28 07:48 - 00000000 ____D C:\Users\Public\QiYi
2015-08-28 06:32 - 2015-08-28 06:32 - 00028984 _____ (Tencent) C:\Windows\SysWOW64\Drivers\TS888x64.sys
2015-08-28 06:21 - 2015-08-28 06:21 - 00003148 _____ C:\Windows\System32\Tasks\{E2F4F4E6-58B2-48C5-BEEA-26ABBA3C38FE}
2015-08-28 02:05 - 2015-08-28 02:05 - 00000000 ____D C:\ProgramData\KingSoft
2015-08-28 02:04 - 2015-08-28 02:04 - 00000000 ____D C:\ProgramData\TXQMPC
2015-08-28 02:03 - 2015-08-28 02:03 - 00000000 ____D C:\Program Files\Common Files\Tencent
2015-08-28 02:02 - 2015-08-28 06:34 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\腾讯软件
2015-08-28 02:02 - 2015-08-28 06:08 - 00087864 _____ (电脑管家) C:\Windows\system32\Drivers\TFsFltX64.sys
2015-08-28 02:02 - 2015-08-28 02:02 - 00000000 ____D C:\Program Files (x86)\Tencent
2015-08-28 02:01 - 2015-08-28 06:11 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\Tencent
2015-08-28 02:01 - 2015-08-28 02:04 - 00000000 ____D C:\ProgramData\Tencent
2015-08-28 01:07 - 2015-08-28 06:31 - 00000376 _____ C:\Windows\Tasks\APSnotifierPP3.job
2015-08-28 01:07 - 2015-08-28 06:31 - 00000376 _____ C:\Windows\Tasks\APSnotifierPP2.job
2015-08-28 01:07 - 2015-08-28 01:27 - 00000378 _____ C:\Windows\Tasks\APSnotifierPP1.job
2015-08-28 01:07 - 2015-08-28 01:07 - 00002828 _____ C:\Windows\System32\Tasks\APSnotifierPP1
2015-08-28 01:07 - 2015-08-28 01:07 - 00002826 _____ C:\Windows\System32\Tasks\APSnotifierPP3
2015-08-28 01:07 - 2015-08-28 01:07 - 00002826 _____ C:\Windows\System32\Tasks\APSnotifierPP2
2015-08-28 00:52 - 2015-08-28 00:52 - 00628688 _____ (CMI Limited) C:\Users\Samsung 5 Ultra\AppData\Local\nspF0E2.tmp
2015-08-28 00:52 - 2015-08-28 00:52 - 00000000 __SHD C:\Users\Samsung 5 Ultra\AppData\Roaming\AnyProtectEx
2015-08-28 00:44 - 2015-08-28 00:44 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Unity
2015-08-28 00:44 - 2015-08-28 00:44 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\SysassistByHotWheel
2015-08-28 00:28 - 2015-08-28 06:21 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\10182
2015-08-28 00:22 - 2015-08-28 00:22 - 00004816 _____ C:\Windows\SysWOW64\Ooteeotoor.ini
2015-08-28 00:22 - 2015-08-28 00:22 - 00002536 _____ C:\Windows\SysWOW64\OoteeotoorOff.ini
2015-08-28 00:22 - 2015-08-28 00:22 - 00002536 _____ C:\Windows\system32\OoteeotoorOff.ini
2015-08-28 00:22 - 2015-08-24 17:36 - 00353656 _____ C:\Windows\system32\Ooteeotoor64.dll
2015-08-28 00:22 - 2015-08-24 17:36 - 00283512 _____ C:\Windows\SysWOW64\Ooteeotoor.dll
2015-08-28 00:19 - 2015-08-28 06:48 - 00000000 ____D C:\Program Files (x86)\baidu
2015-08-28 00:18 - 2015-08-28 00:18 - 00003284 _____ C:\Windows\System32\Tasks\runTask
2015-08-28 00:18 - 2015-08-28 00:18 - 00000000 ____D C:\Windows\system32\abis
2015-08-28 00:13 - 2015-08-28 00:13 - 00000000 ____D C:\ProgramData\1WinManPro1
2015-08-28 00:03 - 2015-08-28 00:03 - 00001111 _____ C:\Users\Samsung 5 Ultra\Desktop\Continue Live Installation.lnk
2015-08-27 23:55 - 2015-08-28 06:21 - 00000000 ____D C:\ProgramData\{2889c22f-91d7-6b43-2889-9c22f91d08be}
2015-08-27 23:54 - 2015-08-28 00:18 - 00003188 _____ C:\Windows\System32\Tasks\updateTask
2015-08-27 23:54 - 2015-08-27 23:54 - 00000000 ____D C:\ProgramData\cWinManProc
2015-08-27 23:53 - 2015-08-28 06:36 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Opera Software
2015-08-27 23:53 - 2015-08-27 23:53 - 00004288 _____ C:\Windows\System32\Tasks\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6
2015-08-27 23:51 - 2015-08-30 11:56 - 00000000 ____D C:\Program Files (x86)\globalUpdate
2015-08-27 23:51 - 2015-08-28 01:51 - 00000004 _____ C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-08-27 23:51 - 2015-08-27 23:51 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\globalUpdate
2015-08-27 23:42 - 2015-08-28 06:21 - 00000000 ____D C:\Program Files (x86)\SFK
2015-08-27 23:42 - 2015-08-28 00:13 - 00000124 _____ C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
2015-08-27 23:42 - 2015-08-27 23:56 - 00000000 ____D C:\ProgramData\update
2015-08-27 23:42 - 2015-08-27 23:43 - 00000000 ____D C:\ProgramData\MWinManProM
2015-08-27 23:42 - 2013-08-22 20:25 - 00000824 _____ C:\Windows\system32\Drivers\etc\hp.bak
2015-08-27 23:41 - 2015-08-28 00:41 - 00000000 ____D C:\Program Files\NixSrv
2015-08-27 23:41 - 2015-08-27 23:41 - 00052736 _____ C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe
2015-08-27 23:41 - 2015-08-27 23:41 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\VOPackage
2015-08-27 23:39 - 2015-08-28 06:34 - 00000000 ____D C:\ProgramData\IcyCarje
2015-08-27 23:08 - 2015-08-27 23:09 - 01850119 _____ C:\Windows\chromebrowser.exe
2015-08-26 17:57 - 2015-08-29 23:18 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\OSP
2015-08-26 15:02 - 2015-08-30 12:29 - 00003476 _____ C:\Windows\System32\Tasks\gg_uac_daemon_Samsung 5 Ultra
2015-08-13 19:03 - 2015-08-13 19:03 - 00001148 _____ C:\Users\Samsung 5 Ultra\Desktop\Universe Sandbox 2.lnk
2015-08-13 01:03 - 2015-08-13 01:05 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Universe Sandbox ²
2015-08-13 00:02 - 2015-08-13 13:25 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Universe Sandbox
2015-08-13 00:02 - 2015-08-13 00:02 - 00000000 __SHD C:\Users\Samsung 5 Ultra\AppData\Roaming\wyUpdate AU
2015-08-13 00:02 - 2015-08-13 00:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\System
2015-08-13 00:02 - 2015-08-13 00:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Universe Sandbox
2015-08-11 22:31 - 2015-08-11 22:31 - 00000221 _____ C:\Users\Samsung 5 Ultra\Desktop\Total War SHOGUN 2.url
2015-08-07 13:45 - 2015-08-07 13:45 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Klei
2015-08-07 11:52 - 2015-08-07 11:52 - 00000222 _____ C:\Users\Samsung 5 Ultra\Desktop\Invisible, Inc..url
2015-08-05 20:18 - 2015-08-05 20:18 - 00001475 _____ C:\Users\Samsung 5 Ultra\Desktop\nvse_loader.exe - Shortcut.lnk
2015-08-04 16:12 - 2015-08-04 16:12 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\FOMM
2015-08-04 16:09 - 2015-08-30 12:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fallout Mod Manager
2015-08-04 16:09 - 2015-08-04 16:09 - 00000516 _____ C:\Users\Samsung 5 Ultra\Desktop\Fallout Mod Manager.lnk
2015-08-04 16:09 - 2015-08-04 16:09 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\FOMM
2015-08-04 15:53 - 2015-08-04 16:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\Downloads\FNV modding tools
2015-08-02 08:19 - 2015-08-02 08:19 - 00000000 __SHD C:\ProgramData\SecuROM
2015-08-02 08:17 - 2015-08-02 08:17 - 00178800 _____ (Sony DADC Austria AG.) C:\Windows\SysWOW64\CmdLineExt_x64.dll
2015-08-02 08:17 - 2015-08-02 08:17 - 00000000 __RHD C:\Users\Samsung 5 Ultra\AppData\Roaming\SecuROM
2015-08-02 07:56 - 2015-08-02 07:56 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\SCE
2015-07-31 09:37 - 2015-08-02 08:20 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Rockstar Games
2015-07-31 09:37 - 2015-07-31 09:37 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Rockstar Games
2015-07-31 09:37 - 2015-07-31 09:37 - 00000000 ____D C:\Program Files\Rockstar Games
2015-07-31 09:37 - 2015-07-31 09:37 - 00000000 ____D C:\Program Files (x86)\Rockstar Games
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-30 13:48 - 2015-01-03 00:13 - 00000000 ____D C:\Program Files (x86)\Steam
2015-08-30 13:09 - 2015-01-01 05:12 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2081238159-1021517717-438538016-1001
2015-08-30 13:03 - 2015-01-01 08:37 - 00000000 ____D C:\Program Files (x86)\Google
2015-08-30 13:01 - 2015-01-01 11:52 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Deployment
2015-08-30 13:00 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\system32\sru
2015-08-30 12:41 - 2015-01-01 04:51 - 01968383 _____ C:\Windows\WindowsUpdate.log
2015-08-30 12:32 - 2015-07-24 14:09 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\GarenaPlus
2015-08-30 12:32 - 2015-07-24 14:07 - 00000000 ____D C:\ProgramData\GarenaMessenger
2015-08-30 12:29 - 2015-01-01 08:13 - 00001430 _____ C:\Users\Gede A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-08-30 12:29 - 2015-01-01 04:51 - 00001430 _____ C:\Users\Samsung 5 Ultra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-08-30 12:28 - 2015-01-26 08:26 - 00000657 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2015-08-30 12:28 - 2013-08-22 21:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-30 12:25 - 2013-08-22 20:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-08-29 22:31 - 2015-01-01 05:22 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\AIMP3
2015-08-28 08:43 - 2013-08-22 22:36 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-08-28 08:18 - 2015-01-01 04:47 - 00178820 _____ C:\Windows\PFRO.log
2015-08-28 08:15 - 2013-08-22 17:06 - 00655872 _____ (Microsoft Corporation) C:\Windows\system32\dnsapi.dll
2015-08-28 08:15 - 2013-08-22 09:55 - 00492032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dnsapi.dll
2015-08-28 08:03 - 2015-01-01 04:51 - 00000000 ____D C:\Users\Samsung 5 Ultra
2015-08-28 06:49 - 2015-01-01 05:17 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-08-28 06:46 - 2015-03-18 21:48 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\vlc
2015-08-28 06:32 - 2015-01-01 04:52 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-08-28 06:31 - 2013-08-22 21:44 - 00503480 _____ C:\Windows\system32\FNTCACHE.DAT
2015-08-28 06:28 - 2015-02-23 21:35 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\BitTorrent
2015-08-28 06:07 - 2015-04-13 19:01 - 00000754 _____ C:\Users\Samsung 5 Ultra\Desktop\Phantasy Star Online 2.lnk
2015-08-28 06:06 - 2013-08-23 02:11 - 00000000 ____D C:\Windows\ShellNew
2015-08-28 02:03 - 2015-01-01 04:51 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\VirtualStore
2015-08-27 19:59 - 2015-01-01 05:03 - 00863592 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-27 19:59 - 2013-08-22 21:46 - 00116979 _____ C:\Windows\setupact.log
2015-08-26 15:05 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\LiveKernelReports
2015-08-25 11:29 - 2015-07-30 15:37 - 00000368 _____ C:\Users\Samsung 5 Ultra\Desktop\songs to download.txt
2015-08-23 01:06 - 2015-01-24 20:57 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\DragonNest
2015-08-18 19:31 - 2015-03-16 20:30 - 00001079 _____ C:\ProgramData\Microsoft\Windows\Start Menu\LINE.lnk
2015-08-18 19:31 - 2015-03-16 20:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LINE
2015-08-18 14:06 - 2015-07-24 14:07 - 00000000 ____D C:\Program Files (x86)\Garena Plus
2015-08-18 10:03 - 2013-08-22 20:25 - 00000202 _____ C:\Windows\win.ini
2015-08-13 00:42 - 2013-08-22 22:38 - 00414368 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-08-13 00:41 - 2015-01-01 08:32 - 00225234 _____ C:\Windows\DirectX.log
2015-08-07 18:02 - 2015-04-16 19:50 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\BPA
 
==================== Files in the root of some directories =======
 
2015-08-30 10:19 - 2015-08-30 10:19 - 4241742 _____ (Bycatch) C:\Program Files\Common Files\jjo4znmu.exe
2015-08-28 00:52 - 2015-08-28 00:52 - 0628688 _____ (CMI Limited) C:\Users\Samsung 5 Ultra\AppData\Local\nspF0E2.tmp
2015-06-29 13:16 - 2015-06-29 13:16 - 0007602 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Resmon.ResmonCfg
2015-03-29 14:59 - 2015-05-14 20:55 - 0000000 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Temptable.xml
2015-08-27 23:41 - 2015-08-27 23:41 - 0052736 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe
2015-08-27 23:41 - 2015-08-27 23:41 - 0000187 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe.config
2015-01-01 05:44 - 2015-01-01 05:44 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-03-12 08:41 - 2015-03-12 08:52 - 0000838 _____ () C:\ProgramData\hpzinstall.log
2015-08-27 23:42 - 2015-08-28 00:13 - 0000124 _____ () C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
 
Files to move or delete:
====================
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
 
 
Some files in TEMP:
====================
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\1711c8e99916365035ec713c8f8e149a.dll
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\3442.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\amisetup0751__13312.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\bitool.dll
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\c8eb790646128f34aa04a36111aca8cf.dll
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\drm_dyndata_7370014.dll
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\drm_dyndata_7380014.dll
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\install1804741.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\IQIYIsetup_l_huayukeji@kb006.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\MediaPlayer__11426_il4.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\moxcli.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nsa217D.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3E.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3F.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\oprun17872.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\oprun8347.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\PCMgr_AndroidServer.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\PCMgr_Setup_10_10_16443_223.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1010.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1011.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1012.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1013_1.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\PointBlank_GarenaPlus_Patch_1014.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\pumssx.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\qqpcmgr_v10.7.16065.215_71643_Silence.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\setup3.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\SpOrder.dll
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\Uninstall.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\Updater.exe
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\Vlc media player.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-08-25 11:18
 
==================== End of FRST.txt ============================
 
Additional scan result of Farbar Recovery Scan Tool (x64) Version:29-08-2015
Ran by Samsung 5 Ultra (2015-08-30 13:55:30)
Running from C:\Users\Samsung 5 Ultra\Downloads
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-2081238159-1021517717-438538016-500 - Administrator - Enabled)
Gede A (S-1-5-21-2081238159-1021517717-438538016-1002 - Administrator - Enabled) => C:\Users\Gede A
Guest (S-1-5-21-2081238159-1021517717-438538016-501 - Limited - Disabled)
Samsung 5 Ultra (S-1-5-21-2081238159-1021517717-438538016-1001 - Administrator - Enabled) => C:\Users\Samsung 5 Ultra
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
1310 (x32 Version: 140.0.425.000 - Hewlett-Packard) Hidden
1310_Help (x32 Version: 82.0.58.000 - Hewlett-Packard) Hidden
1310Trb (x32 Version: 82.0.242.000 - Hewlett-Packard) Hidden
64 Bit HP CIO Components Installer (Version: 7.2.8 - Hewlett-Packard) Hidden
adblocker (HKLM-x32\...\{18A25151-1DF2-44F9-8AC0-A6D27190FE5A}) (Version: 1.1.0.31 - adblocker) <==== ATTENTION
Adobe Flash Player 11 Plugin (HKLM-x32\...\Adobe Flash Player Plugin) (Version: 11.1.102.55 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.01) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.01 - Adobe Systems Incorporated)
AIMP3 (HKLM-x32\...\AIMP3) (Version: v3.00.985 - AIMP DevTeam)
AIO_CDB_ProductContext (x32 Version: 140.0.425.000 - Hewlett-Packard) Hidden
AIO_CDB_Software (x32 Version: 140.0.428.000 - Hewlett-Packard) Hidden
AIO_Scan (x32 Version: 130.0.421.000 - Hewlett-Packard) Hidden
Apple Application Support (HKLM-x32\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{BDD99690-3541-4619-9D2A-3CDDB3E15F9E}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ARK: Survival Evolved (HKLM-x32\...\Steam App 346110) (Version:  - Studio Wildcard)
Audacity 2.0.6 (HKLM-x32\...\Audacity_is1) (Version: 2.0.6 - Audacity Team)
Battlelog Web Plugins (HKLM-x32\...\Battlelog Web Plugins) (Version: 2.3.0 - EA Digital Illusions CE AB)
BitTorrent (HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\BitTorrent) (Version: 7.9.4.40912 - BitTorrent Inc.)
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
BufferChm (x32 Version: 140.0.298.000 - Hewlett-Packard) Hidden
Cities Skylines (HKLM-x32\...\Cities Skylines_is1) (Version: 1.0 - Релиз от R.G. Steamgames)
Copy (x32 Version: 140.0.298.000 - Hewlett-Packard) Hidden
Counter-Strike: Global Offensive (HKLM-x32\...\Steam App 730) (Version:  - Valve)
Crusader Kings II (HKLM-x32\...\Steam App 203770) (Version:  - Paradox Development Studio)
Crusader Kings II Way of Life (HKLM-x32\...\Crusader Kings II Way of Life_is1) (Version:  - )
Destinations (x32 Version: 140.0.253.000 - Hewlett-Packard) Hidden
DeviceDiscovery (x32 Version: 140.0.298.000 - Hewlett-Packard) Hidden
DocProc (x32 Version: 140.0.185.000 - Hewlett-Packard) Hidden
ESN Sonar (HKLM-x32\...\ESN Sonar-0.70.4) (Version: 0.70.4 - ESN Social Software AB)
ETDWare X64 11.7.20.5_WHQL (HKLM\...\Elantech) (Version: 11.7.20.5 - ELAN Microelectronic Corp.)
Fallout Mod Manager 0.13.21 (HKLM-x32\...\Generic Mod Manager_is1) (Version:  - Q, Timeslip)
Fallout: New Vegas (HKLM-x32\...\Steam App 22380) (Version:  - Obsidian Entertainment)
Fax (x32 Version: 140.0.307.000 - Hewlett-Packard) Hidden
FFmpeg (Windows) for Audacity version 2.2.2 (HKLM-x32\...\{9C7E31E3-017F-434C-AC40-24431A354A1E}_is1) (Version: 2.2.2 - )
Garena - PointBlank ID (HKLM-x32\...\PBID) (Version:  - Garena Online Pte Ltd.)
Garena+ (HKLM-x32\...\im) (Version: 2011 - Garena Online Pte Ltd.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 44.0.2403.157 - Google Inc.)
Google Update Helper (x32 Version: 1.3.28.13 - Google Inc.) Hidden
GPBaseService2 (x32 Version: 140.0.297.000 - Hewlett-Packard) Hidden
HP Customer Participation Program 14.0 (HKLM\...\HPExtendedCapabilities) (Version: 14.0 - HP)
HP Imaging Device Functions 14.0 (HKLM\...\HP Imaging Device Functions) (Version: 14.0 - HP)
HP Photo Creations (HKLM-x32\...\HP Photo Creations) (Version: 1.0.0.2024 - HP Photo Creations Powered by RocketLife)
HP Photosmart Officejet and Deskjet All-In-One Driver Software (HKLM\...\{6F5B70F0-EA6C-4A5B-BB16-8390BD66B251}) (Version: 14.0 - HP)
HP Solution Center 14.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 14.0 - HP)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
HPPhotoGadget (x32 Version: 140.0.524.000 - Hewlett-Packard) Hidden
HPProductAssistant (x32 Version: 140.0.298.000 - Hewlett-Packard) Hidden
HPSSupply (x32 Version: 140.0.297.000 - Hewlett-Packard) Hidden
Intel® Driver Update Utility 2.0 (x32 Version: 2.0.0.29 - Intel) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3379 - Intel Corporation)
Intel® Driver Update Utility (HKLM-x32\...\{8409c4f7-2340-4933-a304-5d37db4fb48b}) (Version: 2.0.0.29 - Intel)
Invisible, Inc. (HKLM-x32\...\Steam App 243970) (Version:  - Klei Entertainment)
Java 8 Update 40 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218040F0}) (Version: 8.0.400 - Oracle Corporation)
LADSPA_plugins-win-0.4.15 (HKLM-x32\...\LADSPA_plugins-win_is1) (Version:  - Audacity Team)
LAME v3.99.3 (for Windows) (HKLM-x32\...\LAME_is1) (Version:  - )
LINE (HKLM-x32\...\LINE) (Version: 4.1.2.525 - LINE Corporation)
LMMS 1.1.0 (HKLM-x32\...\LMMS) (Version: 1.1.0 - LMMS Developers)
LostSagaID (HKLM-x32\...\LostSagaID) (Version:  - IO Entertainment Co., Ltd.)
MarketResearch (x32 Version: 140.0.299.000 - Hewlett-Packard) Hidden
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}) (Version: 3.5.92.0 - Microsoft Corporation)
Microsoft Games for Windows Marketplace (HKLM-x32\...\{67F42018-F647-4D3C-BE62-F8CB4FE2FCD5}) (Version: 3.5.67.0 - Microsoft Corporation)
Microsoft Office 2003 Web Components (HKLM-x32\...\{90120000-00A4-0409-0000-0000000FF1CE}) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Office Professional Plus 2010 (HKLM-x32\...\Office14.PROPLUSR) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40728.0 - Microsoft Corporation)
Microsoft Visio 2010 Service Pack 1 (SP1) (HKLM-x32\...\{90140000-0057-0000-0000-0000000FF1CE}_Office14.VISIO_{01D8AE4B-A04D-47E5-81BF-E3F98B81B8C3}) (Version:  - Microsoft)
Microsoft Visio Premium 2010 (HKLM-x32\...\Office14.VISIO) (Version: 14.0.6029.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual Studio 2005 Remote Debugger Light (x64) - ENU (HKLM\...\Microsoft Visual Studio 2005 Remote Debugger Light (x64) - ENU) (Version:  - Microsoft Corporation)
Microsoft Visual Studio 2005 Tools for Applications - ENU (HKLM-x32\...\Microsoft Visual Studio 2005 Tools for Applications - ENU) (Version:  - Microsoft Corporation)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 33.0.2 - Mozilla)
MPC-HC 1.7.8 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.8 - MPC-HC Team)
Network64 (Version: 140.0.306.000 - Hewlett-Packard) Hidden
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.7.4 - Notepad++ Team)
NVIDIA PhysX (HKLM-x32\...\{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}) (Version: 9.12.1031 - NVIDIA Corporation)
OCR Software by I.R.I.S. 14.0 (HKLM\...\HPOCR) (Version: 14.0 - HP)
PAYDAY 2 (HKLM-x32\...\Steam App 218620) (Version:  - OVERKILL - a Starbreeze Studio.)
Phantasy Star Online 2 (HKLM-x32\...\http://pso2.jp/appid/release/asiasoft_sg_is1) (Version:  - Asiasoft)
PhotoScape (HKLM-x32\...\PhotoScape) (Version:  - )
PlanetSide 2 (HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\SOE-PlanetSide 2) (Version:  - Sony Online Entertainment)
PowerISO (HKLM-x32\...\PowerISO) (Version: 5.4 - Power Software Ltd)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.994 - Even Balance, Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7161 - Realtek Semiconductor Corp.)
Rockstar Games Social Club (HKLM-x32\...\Rockstar Games Social Club) (Version: 1.1.6.1 - Rockstar Games)
Scan (x32 Version: 140.0.253.000 - Hewlett-Packard) Hidden
Sent 1.3.9 (HKLM-x32\...\Sent_is1) (Version:  - Winsent Lab, http://www.winsentmessenger.com)
Shop for HP Supplies (HKLM\...\Shop for HP Supplies) (Version: 14.0 - HP)
Skype™ 7.1 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.1.105 - Skype Technologies S.A.)
Software Version Updater (HKLM-x32\...\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}) (Version:  - ) <==== ATTENTION
SolidCAM2013 (HKLM-x32\...\{970B9787-1C2A-4BFD-8723-F6AB6215219E}) (Version: 13.01.0 - SolidCAM)
SolidWorks 2013 x64 Edition SP02 (HKLM-x32\...\SolidWorks Installation Manager 20130-40200-1100-100) (Version: 21.2.0.50 - SolidWorks Corporation)
SolidWorks 2013 x64 Edition SP02 (Version: 21.120.50 - SolidWorks) Hidden
SolidWorks eDrawings 2013 x64 Edition SP02 (Version: 13.2.110 - Dassault Systèmes SolidWorks Corp) Hidden
SolidWorks Flow Simulation 2013 SP02 x64 Edition  (Version: 21.20.51 - SolidWorks Corporation) Hidden
SolidWorks Plastics 2013 SP02 x64 Edition (Version: 21.20.50 - SolidWorks Corporation) Hidden
SolutionCenter (x32 Version: 140.0.299.000 - Hewlett-Packard) Hidden
Star wars Battlefront II version 1.3 (HKLM-x32\...\{2EF34761-F147-4984-8AF1-BB9F8DA76CDD}_is1) (Version: 1.3 - )
Status (x32 Version: 140.0.342.000 - Hewlett-Packard) Hidden
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 16.2.14.2 - Synaptics Incorporated)
System Requirements Lab Detection (HKLM-x32\...\{008B3C7C-162C-4C3A-93DA-21B0801E7D35}) (Version: 6.1.0.0 - Husdawg, LLC)
The Sims™ 3 Кино Каталог (HKLM-x32\...\{D0087539-3C57-44E0-BEE7-D779D546CBE1}) (Version: 20.0.53 - Electronic Arts)
Toolbox (x32 Version: 140.0.596.000 - Hewlett-Packard) Hidden
Total War: SHOGUN 2 (HKLM-x32\...\Steam App 34330) (Version:  - The Creative Assembly)
TrayApp (x32 Version: 140.0.297.000 - Hewlett-Packard) Hidden
Trove (HKLM-x32\...\Steam App 304050) (Version:  - Trion Worlds)
Unity Web Player (HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\UnityWebPlayer) (Version: 4.6.1f1 - Unity Technologies ApS)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
Waterfox 33.0.2 (x64 en-US) (HKLM\...\Waterfox 33.0.2 (x64 en-US)) (Version: 33.0.2 - Mozilla)
WebReg (x32 Version: 140.0.297.017 - Hewlett-Packard) Hidden
WinRAR 5.00 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.00.0 - win.rar GmbH)
Wrye Bash (HKLM-x32\...\Wrye Bash) (Version: 0.3.0.5 - Wrye & Wrye Bash Development Team)
YTD Video Downloader 4.9 (HKLM-x32\...\{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}) (Version: 4.9 - GreenTree Applications SRL) <==== ATTENTION
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Restore Points =========================
 
13-08-2015 00:00:58 Installed DirectX
26-08-2015 00:55:23 Scheduled Checkpoint
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2013-08-22 20:25 - 2013-08-22 20:25 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {09C7CA9B-5DE3-4F96-8AB9-77BB43F98AA4} - System32\Tasks\APSnotifierPP2 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {336D48DD-FA93-4EED-BC8C-78ABB245667C} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2014-01-23] (Realtek Semiconductor)
Task: {3528F940-DB4A-42B0-8130-08C379AA212A} - System32\Tasks\Synaptics TouchPad Enhancements => \Program Files\Synaptics\SynTP\SynTPEnh.exe [2012-10-16] (Synaptics Incorporated)
Task: {40B63141-8A4A-49E6-AB32-348C36191D5E} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {698E135F-AEC9-4C0E-8A54-528B1B5BF5F6} - System32\Tasks\RtHDVBg_SRSSA => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2014-01-23] (Realtek Semiconductor)
Task: {71B342E2-667B-4999-9BEE-C3598C833E5A} - System32\Tasks\gg_uac_daemon_Samsung 5 Ultra => C:\Program Files (x86)\Garena Plus\ggdllhost.exe [2015-07-23] ()
Task: {807BAE4D-5826-4E72-B4D1-AFB727D60E26} - System32\Tasks\{E2F4F4E6-58B2-48C5-BEEA-26ABBA3C38FE} => pcalua.exe -a C:\ProgramData\IcyCarje\Uninstaller.exe -c /ga=1503 /ai=121 /bi=0
Task: {A74ED3C4-E4D0-4999-A48E-BBFA420785CC} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-30] (Google Inc.)
Task: {B0E53EE1-1975-466E-8472-28E305E47C96} - System32\Tasks\APSnotifierPP1 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {B7B5FAA4-D124-444C-98A2-1C27660C4075} - System32\Tasks\APSnotifierPP3 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {D26B2B8F-CB8A-4B58-9166-1551A4E5AE9C} - System32\Tasks\runTask => %TEMP%/Updater.exe
Task: {DD2AB9B6-36A5-440C-A6FE-ABD4F7DE8416} - System32\Tasks\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6 => C:\Users\Samsung 5 Ultra\AppData\Local\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6.exe <==== ATTENTION
Task: {E908DC5E-1C44-45FC-9A9A-11D91C7FAE73} - System32\Tasks\posuownooa => C:\Windows\system32\config\systemprofile\AppData\Local\Vol-Flex [2015-08-27] ()
Task: {EF6C8468-B47D-456A-B86F-28BA85EB5F86} - System32\Tasks\{DAC994C1-D5B8-45E8-85DC-58D9B8F03C86} => pcalua.exe -a "C:\Users\Samsung 5 Ultra\Downloads\macrogamer_v275_setup.exe" -d "C:\Users\Samsung 5 Ultra\Downloads"
Task: {F30DF902-9386-4CB3-AA20-4B55A3DDD71D} - System32\Tasks\2dlfjddd => C:\Program Files\Common Files\b1lu1epr\18080nf4avaun.exe [2015-08-18] ()
Task: {FA9D03BA-51C6-42EF-BED3-92FFAAD262D9} - System32\Tasks\updateTask => c:\task.vbs
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Loaded Modules (Whitelisted) ==============
 
2015-08-28 00:22 - 2015-08-24 17:36 - 00353656 _____ () C:\Windows\system32\Ooteeotoor64.dll
2015-07-23 14:37 - 2015-07-23 14:37 - 00056256 _____ () C:\Program Files (x86)\Garena Plus\ggdllhost.exe
2011-03-17 00:07 - 2011-03-17 00:07 - 04297568 _____ () C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
2010-10-20 15:23 - 2010-10-20 15:23 - 08801632 _____ () C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
2014-05-12 16:49 - 2014-05-12 16:49 - 00222720 _____ () C:\Program Files (x86)\Notepad++\NppShell_06.dll
2015-08-27 15:48 - 2015-08-27 15:48 - 00379904 _____ () C:\Program Files\NixSrv\NixSrv.exe
2015-01-01 09:43 - 2015-05-30 13:22 - 00076152 _____ () C:\Windows\SysWOW64\PnkBstrA.exe
2015-08-27 23:41 - 2015-08-27 23:41 - 00052736 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe
2015-08-27 15:20 - 2015-08-27 15:20 - 00033792 _____ () C:\ProgramData\Saophase\Saophase.exe
2015-01-01 05:47 - 2013-12-21 03:02 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2015-07-23 14:37 - 2015-08-06 18:30 - 10014656 _____ () C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe
2013-01-18 22:12 - 2013-01-18 22:12 - 00276008 _____ () C:\Program Files\SolidWorks Corp\SolidWorks\sldBodyDiffu.dll
2015-08-28 00:41 - 2015-08-30 12:28 - 00855040 _____ () C:\Program Files\NixSrv\packages\21363b31-a91e-4507-96ff-da5bf2eb3159\NixHost.exe
2015-08-30 10:20 - 2015-08-30 10:20 - 00150528 _____ () C:\ProgramData\Saophase\Redkix.exe
2015-08-27 15:20 - 2015-08-27 15:20 - 00033792 _____ () C:\ProgramData\ExtTag\ExtTag.exe
2015-05-21 21:27 - 2015-05-21 21:27 - 00005632 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3E.exe
2015-08-16 15:25 - 2015-08-16 15:25 - 00489787 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3F.exe
2015-07-14 17:26 - 2015-08-01 16:07 - 01089472 _____ () C:\Program Files (x86)\Garena Plus\ggspawn.dll
2014-10-12 04:06 - 2014-10-12 04:06 - 00073544 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-12 04:05 - 2014-10-12 04:05 - 01044776 _____ () C:\Program Files (x86)\Common Files\Apple\Apple Application Support\libxml2.dll
2015-07-23 14:37 - 2015-07-23 14:37 - 00111552 _____ () C:\Program Files (x86)\Garena Plus\CommonLib.dll
2015-07-23 14:37 - 2015-07-23 14:37 - 00040384 _____ () C:\Program Files (x86)\Garena Plus\DibModule.dll
2015-07-23 14:38 - 2015-08-11 16:12 - 00040896 _____ () C:\Program Files (x86)\Garena Plus\VersionModule.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00058304 _____ () C:\Program Files (x86)\Garena Plus\FileLoader.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00094144 _____ () C:\Program Files (x86)\Garena Plus\PluginKernel.dll
2015-07-23 14:37 - 2015-07-23 14:37 - 00494016 _____ () C:\Program Files (x86)\Garena Plus\CxImage.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00032192 _____ () C:\Program Files (x86)\Garena Plus\PluginModule.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00177600 _____ () C:\Program Files (x86)\Garena Plus\lib\fs\YYFileSystem.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00380864 _____ () C:\Program Files (x86)\Garena Plus\lib\Http.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00191424 _____ () C:\Program Files (x86)\Garena Plus\lib\MP3Module.dll
2012-02-22 15:52 - 2012-02-22 15:52 - 00162304 _____ () C:\Program Files (x86)\Garena Plus\lame_enc.DLL
2015-07-23 14:38 - 2015-07-23 14:38 - 00226752 _____ () C:\Program Files (x86)\Garena Plus\lib\TaskManagerLib.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00113088 _____ () C:\Program Files (x86)\Garena Plus\lib\UILayout.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00965056 _____ () C:\Program Files (x86)\Garena Plus\lib\XLL.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00061888 _____ () C:\Program Files (x86)\Garena Plus\lib\XmlUIModule.dll
2012-02-22 15:52 - 2012-02-22 15:52 - 00573100 _____ () C:\Program Files (x86)\Garena Plus\sqlite3.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00231360 _____ () C:\Program Files (x86)\Garena Plus\Plugins\StatsPlugin.dll
2015-07-23 14:38 - 2015-08-06 18:31 - 01507264 _____ () C:\Program Files (x86)\Garena Plus\Plugins\ggplugin.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00199616 _____ () C:\Program Files (x86)\Garena Plus\ImageModule.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00162240 _____ () C:\Program Files (x86)\Garena Plus\libmpg123.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 02948032 _____ () C:\Program Files (x86)\Garena Plus\ggdownloader.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00072640 _____ () C:\Program Files (x86)\Garena Plus\lib\delay_load\AudioMixerLib.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00023488 _____ () C:\Program Files (x86)\Garena Plus\lib\delay_load\ClientTcp.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 01552320 _____ () C:\Program Files (x86)\Garena Plus\lib\delay_load\FileSender.dll
2013-02-01 12:42 - 2013-02-01 12:42 - 00153088 _____ () C:\Program Files (x86)\Garena Plus\libzmq.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00963008 _____ () C:\Program Files (x86)\Garena Plus\lib\delay_load\GaFileTransfer.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00251840 _____ () C:\Program Files (x86)\Garena Plus\lib\delay_load\MediaEngine.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00033216 _____ () C:\Program Files (x86)\Garena Plus\ServerMemAlloc.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00523712 _____ () C:\Program Files (x86)\Garena Plus\lib\delay_load\RSALib.dll
2015-07-23 14:38 - 2015-07-23 14:38 - 00075200 _____ () C:\Program Files (x86)\Garena Plus\lib\delay_load\UdtLib.dll
2015-08-18 09:20 - 2015-08-18 09:20 - 03129368 _____ () C:\Program Files (x86)\Naver\LINE\ampkit_windows.dll
2015-07-03 12:44 - 2015-07-03 12:44 - 00123416 _____ () C:\Program Files (x86)\Naver\LINE\PlayerHelper.dll
2015-08-30 12:58 - 2015-08-30 12:58 - 00011264 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nsxCBAA.tmp\System.dll
2015-08-30 12:58 - 2015-08-30 12:58 - 00222720 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nsxCBAA.tmp\myplugin.dll
2015-08-30 12:58 - 2015-08-30 12:58 - 00009728 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nsxCBAA.tmp\nsDialogs.dll
2015-08-30 12:29 - 2015-08-30 12:29 - 00194560 _____ () C:\ProgramData\ExtTag\Lamtech.dll
2015-08-30 10:20 - 2015-08-30 10:20 - 00194560 _____ () C:\ProgramData\Saophase\ZonTouch.dll
2015-08-30 13:04 - 2015-08-18 12:23 - 01405768 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.157\libglesv2.dll
2015-08-30 13:04 - 2015-08-18 12:23 - 00081224 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.157\libegl.dll
2015-08-30 13:04 - 2015-08-18 12:23 - 16393032 _____ () C:\Program Files (x86)\Google\Chrome\Application\44.0.2403.157\PepperFlash\pepflashplayer.dll
2015-01-03 00:19 - 2015-07-03 23:12 - 00778240 _____ () C:\Program Files (x86)\Steam\SDL2.dll
2015-01-20 17:30 - 2015-07-03 23:12 - 04962816 _____ () C:\Program Files (x86)\Steam\v8.dll
2015-01-03 00:19 - 2015-08-20 03:39 - 02413248 _____ () C:\Program Files (x86)\Steam\video.dll
2015-01-20 17:30 - 2015-07-03 23:12 - 01556992 _____ () C:\Program Files (x86)\Steam\icui18n.dll
2015-01-20 17:30 - 2015-07-03 23:12 - 01187840 _____ () C:\Program Files (x86)\Steam\icuuc.dll
2015-01-03 00:18 - 2014-12-02 04:31 - 02396672 _____ () C:\Program Files (x86)\Steam\libavcodec-56.dll
2015-01-03 00:18 - 2014-12-02 04:31 - 00479744 _____ () C:\Program Files (x86)\Steam\libavformat-56.dll
2015-01-03 00:18 - 2014-12-02 04:31 - 00332800 _____ () C:\Program Files (x86)\Steam\libavresample-2.dll
2015-01-03 00:18 - 2014-12-02 04:31 - 00442880 _____ () C:\Program Files (x86)\Steam\libavutil-54.dll
2015-01-03 00:18 - 2014-12-02 04:31 - 00485888 _____ () C:\Program Files (x86)\Steam\libswscale-3.dll
2015-01-03 00:18 - 2015-08-20 03:39 - 00704192 _____ () C:\Program Files (x86)\Steam\bin\chromehtml.DLL
2015-07-24 01:40 - 2015-07-27 08:13 - 00171008 _____ () C:\Program Files (x86)\Steam\bin\openvr_api.dll
2015-01-03 00:18 - 2015-07-03 23:12 - 39553928 _____ () C:\Program Files (x86)\Steam\bin\libcef.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP => ""="service"
 
==================== EXE Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
IE trusted site: HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\clonewarsadventures.com -> clonewarsadventures.com
IE trusted site: HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\freerealms.com -> freerealms.com
IE trusted site: HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\soe.com -> soe.com
IE trusted site: HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\sony.com -> sony.com
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Samsung 5 Ultra\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
HKLM\...\StartupApproved\StartupFolder: => "HP Digital Imaging Monitor.lnk"
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\StartupApproved\Run: => "GoogleChromeAutoLaunch_FE12F96DA070CFADCEB210CFE73E3C6E"
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\StartupApproved\Run: => "Skype"
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\StartupApproved\Run: => "apphide"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [SPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppextcomobj.exe
FirewallRules: [SPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppextcomobj.exe
FirewallRules: [TCP Query User{C350987F-867E-4B6F-9056-3919979014C3}C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe] => (Allow) C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
FirewallRules: [UDP Query User{02C9E300-5BFC-48BE-A3D4-90510FF400F6}C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe] => (Allow) C:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
FirewallRules: [{4958BE23-9878-498C-8D3A-91AE38EDFB9B}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{C468C2DA-A3DD-45DE-A6B4-4C2EED23E3E7}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{83558A05-66B2-493D-95A5-70B76B4C5D55}] => (Allow) C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\SonarHost.exe
FirewallRules: [{231EC703-23C4-45B6-964D-D04F75898E42}] => (Allow) C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\SonarHost.exe
FirewallRules: [{D9E69EBE-620B-4F9B-BE98-772B28BD5E44}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{83BAE9DE-7112-4AA1-808F-F7848DF0D944}] => (Allow) C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{EFB0A30C-32FD-4EF4-AD9E-2DEFEEF9BCD8}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{ED42ECE0-0760-4351-96C1-D735716189C9}] => (Allow) C:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{70A04693-3A0E-4C23-B3C1-728AE18AC944}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{B9733139-839B-43FC-BF4C-20DD27ABD287}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe
FirewallRules: [{400CEC7B-91AA-4659-B565-1ECB11E4F0F8}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{62E707AD-3F14-4348-93D5-7C203FF2D447}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{BFD89073-5E84-474C-A358-941C684D7A29}] => (Allow) D:\SteamLibrary\steamapps\common\PAYDAY 2\payday2_win32_release.exe
FirewallRules: [{836E1E81-CD75-40B2-A24C-7B5DA9081F5A}] => (Allow) D:\SteamLibrary\steamapps\common\PAYDAY 2\payday2_win32_release.exe
FirewallRules: [{77F78F5E-2D48-420F-A2C0-E21809D72599}] => (Allow) D:\Dragon Nest\DragonNest.exe
FirewallRules: [{DCDD1FB2-75DE-40D0-898F-B1735206A379}] => (Allow) D:\Dragon Nest\DragonNest.exe
FirewallRules: [{C054EB14-CCA1-4240-B3D8-8C91138D2F90}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Tools\Launcher.exe
FirewallRules: [{62909085-7F18-4A61-8E9E-33781F21E98E}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Tools\Launcher.exe
FirewallRules: [{01C397F2-2BF1-4E37-9AE6-9C09C0C01F2D}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{5E559FEB-5779-4484-BDE0-02C96BC48E88}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{A495144E-EA15-410E-97F3-46A5F53ADE99}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{F726AD91-474B-45BA-A17D-AB259D59BA4E}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{00101D7D-B4AD-4728-AE14-B16AE6705898}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Warframe.exe
FirewallRules: [{60942233-0320-4B6C-8AD8-21FA2718D62A}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Warframe.x64.exe
FirewallRules: [{C8E5D63A-2621-45F5-8BEC-3165B3F23269}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Tools\Launcher.exe
FirewallRules: [{375A20AF-4663-496B-9462-AD8843C6AA5F}] => (Allow) D:\SteamLibrary\steamapps\common\Warframe\Tools\RemoteCrashSender.exe
FirewallRules: [{E385BE4B-7D16-4A42-8A2C-C18D225D195B}] => (Allow) D:\Sent\sent.exe
FirewallRules: [{BE8309AA-A1BA-4EDA-9852-500532B102FC}] => (Allow) D:\Sent\sent.exe
FirewallRules: [{6934D56D-5A1B-4510-A437-2FAC73E82A1F}] => (Allow) LPort=139
FirewallRules: [{25C5B148-654F-4A67-A5AC-0E3F81CE4B84}] => (Allow) LPort=445
FirewallRules: [{672B6B23-C360-4977-9461-8CA2781AEC73}] => (Allow) LPort=137
FirewallRules: [{5C34D584-B8C2-42A6-A1D8-756C339BE8F4}] => (Allow) LPort=138
FirewallRules: [{7F88D247-ECE3-48D9-9539-0ECD12639A2F}] => (Allow) C:\Windows\SysWOW64\innogmp.exe
FirewallRules: [{E3E30CEB-AFF9-4FF1-8795-2F76D5EA4212}] => (Allow) C:\Windows\SysWOW64\innogmp.exe
FirewallRules: [{B8FE625A-37D8-4BC9-BA6D-723753A2007D}] => (Allow) C:\Windows\SysWOW64\innosvcd.exe
FirewallRules: [{99BFC8D2-3D1A-4263-9894-9366C73DA56D}] => (Allow) C:\Windows\SysWOW64\innosvcd.exe
FirewallRules: [{1B404FBF-22DD-4DC8-A821-846328F64F3C}] => (Allow) D:\LostSaga\autoupgrade.exe
FirewallRules: [{31B18477-CDE4-4359-99EA-910064BD7A1B}] => (Allow) D:\LostSaga\autoupgrade.exe
FirewallRules: [{89E69F82-21A4-4D28-BA33-413642F40182}] => (Allow) D:\LostSaga\lostsaga.exe
FirewallRules: [{CE972899-819D-42EF-8AE3-B0EF2390FADD}] => (Allow) D:\LostSaga\lostsaga.exe
FirewallRules: [{1A843024-1250-4976-9B2A-1EEE2D850CD7}] => (Allow) D:\SteamLibrary\steamapps\common\Crusader Kings II\CK2game.exe
FirewallRules: [{29BE9252-9813-473F-BF3A-DDD77C77CD7E}] => (Allow) D:\SteamLibrary\steamapps\common\Crusader Kings II\CK2game.exe
FirewallRules: [{9315A074-075C-4A2D-BC5C-A093C85F7FF9}] => (Allow) C:\Users\Samsung 5 Ultra\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{0993D43F-4D6A-4E9D-AF6D-9646BAFF8DA0}] => (Allow) C:\Users\Samsung 5 Ultra\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{C2E4AC0F-96DD-421E-A327-4F71E3C60A7B}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
FirewallRules: [{62CF6510-6F27-458E-A4B9-DA28AD507CC1}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqste08.exe
FirewallRules: [{7449EB49-255B-4E2F-A462-458A2C2DB318}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpofxm08.exe
FirewallRules: [{81ACEE32-E619-4EED-8C88-DB4C5125611D}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hposfx08.exe
FirewallRules: [{6A8246A5-3CC0-4C10-8AFA-3701C1BABA74}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hposid01.exe
FirewallRules: [{DB6BD4A4-9B50-40BC-8135-15208035BAA1}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqkygrp.exe
FirewallRules: [{30C268D8-88EF-4EDF-B051-949A46DA708D}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcopy2.exe
FirewallRules: [{13146C7E-1613-4427-B387-0B706948BAC1}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpfccopy.exe
FirewallRules: [{BD90BF86-3CE7-4314-8CCA-86637C94F8C0}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpzwiz01.exe
FirewallRules: [{5F6C7AE3-ED04-4ABC-B949-0DCEE0765413}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpoews01.exe
FirewallRules: [{81C2238B-4041-44CA-86F2-0FBDDC1C390F}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqnrs08.exe
FirewallRules: [{064A2E6C-84FD-40A8-9D33-B63DD4475A5F}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe
FirewallRules: [{D2C54642-0459-41F0-A52D-DE2296B2321D}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpofxs08.exe
FirewallRules: [{F1C03503-112B-4558-8A7E-D5E4D99D7B18}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqfxt08.exe
FirewallRules: [{68E96C4E-BB30-41FF-8638-8163DA1744E8}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgplgtupl.exe
FirewallRules: [{5619F011-26CF-4292-A487-EAD6DFA4F4A5}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
FirewallRules: [{C0E9B277-C63F-4850-A296-AED350E2ABDF}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqusgm.exe
FirewallRules: [{008C184D-81B9-4DC1-AFDA-EEC32AC61529}] => (Allow) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqusgh.exe
FirewallRules: [{CAD50498-2F55-4549-BC2E-5D00F1BF860B}] => (Allow) C:\Program Files (x86)\HP\hp software update\hpwucli.exe
FirewallRules: [{80CC1CAC-F954-46F4-A575-E9E362197573}] => (Allow) C:\Program Files (x86)\Naver\LINE\Line.exe
FirewallRules: [{A8DC9C84-CEA2-4A9F-965A-25B6412DE8FF}] => (Allow) C:\Program Files (x86)\Naver\LINE\Line.exe
FirewallRules: [{892FB3D6-20E4-4B8A-A80C-691AC3B27447}] => (Allow) C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
FirewallRules: [{AD14D665-6896-479A-857A-0161FDCBFB9B}] => (Allow) C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
FirewallRules: [{EFE6A629-2799-44FD-941E-FAD6DF2C3BE5}] => (Allow) C:\Program Files\SolidWorks Corp\SolidWorks\photoview\photoview360.exe
FirewallRules: [{50F79566-41B4-447A-B5B7-5CBD5B5C6A10}] => (Allow) C:\Program Files\SolidWorks Corp\SolidWorks\photoview\photoview360.exe
FirewallRules: [{5B34B0B2-F4DE-4A1D-8AAB-F0C24BFEDBA2}] => (Allow) C:\Program Files\SolidWorks Corp\SolidWorks\photoview\photoview360_cl.exe
FirewallRules: [{6D0E676B-E232-470E-8C0F-3FF6642B500D}] => (Allow) C:\Program Files\SolidWorks Corp\SolidWorks\photoview\photoview360_cl.exe
FirewallRules: [{98B82392-4AAF-4799-9E64-0C7E75B9233D}] => (Allow) C:\Windows\system32\hasplms.exe
FirewallRules: [TCP Query User{1C43451D-81F2-4E62-A605-E4DE3FF1D373}C:\users\samsung 5 ultra\appdata\local\temp\rar$exa0.446\keygen.exe] => (Allow) C:\users\samsung 5 ultra\appdata\local\temp\rar$exa0.446\keygen.exe
FirewallRules: [UDP Query User{35D9A3AC-995B-4AA7-BBD5-5D2AE03291C0}C:\users\samsung 5 ultra\appdata\local\temp\rar$exa0.446\keygen.exe] => (Allow) C:\users\samsung 5 ultra\appdata\local\temp\rar$exa0.446\keygen.exe
FirewallRules: [{B5119DD0-441F-4D12-8F4D-12D2EB1F5399}] => (Allow) D:\SteamLibrary\steamapps\common\America's Army\AAPG\Binaries\AALauncher32.exe
FirewallRules: [{75C0469E-8EF1-4459-9350-42AAEA50888A}] => (Allow) D:\SteamLibrary\steamapps\common\America's Army\AAPG\Binaries\AALauncher32.exe
FirewallRules: [{2A293878-47C0-44EC-B312-5D51645101E1}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{931B9119-08A4-4C02-898E-17FE632AF62E}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{5CD93D83-585F-488D-813E-9B6F0B685888}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{0FDF4583-AD71-4FA6-9112-F5B228A15190}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [TCP Query User{50BD2985-C577-4D35-A525-65B08637F9BB}D:\steamlibrary\steamapps\common\america's army\aapg\binaries\win32\aagame.exe] => (Allow) D:\steamlibrary\steamapps\common\america's army\aapg\binaries\win32\aagame.exe
FirewallRules: [UDP Query User{702D26A4-F1E8-4E23-884D-C5A5E982B176}D:\steamlibrary\steamapps\common\america's army\aapg\binaries\win32\aagame.exe] => (Allow) D:\steamlibrary\steamapps\common\america's army\aapg\binaries\win32\aagame.exe
FirewallRules: [{0127039C-90B4-4436-8286-62E314F8225B}] => (Allow) D:\SteamLibrary\steamapps\common\Trove\GlyphClient.exe
FirewallRules: [{9B6F87A3-654B-4D85-B80B-3B2F5ACCBE0A}] => (Allow) D:\SteamLibrary\steamapps\common\Trove\GlyphClient.exe
FirewallRules: [{88884A5F-EA5A-4A9B-88CC-6F217BA1D6C5}] => (Allow) D:\SteamLibrary\steamapps\common\ARK\ShooterGame\Binaries\Win64\ShooterGame.exe
FirewallRules: [{2D2ACE41-8FC9-4CD6-AB5E-9B9DE94FCC58}] => (Allow) D:\SteamLibrary\steamapps\common\ARK\ShooterGame\Binaries\Win64\ShooterGame.exe
FirewallRules: [{F2E77C90-43B6-404A-B5BE-E29ACE35FB3E}] => (Allow) D:\SteamLibrary\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{77231886-280F-4923-B4B2-5613BE0DEE62}] => (Allow) D:\SteamLibrary\steamapps\common\Counter-Strike Global Offensive\csgo.exe
FirewallRules: [{61FBBAB9-D0BD-4769-8FF5-E63F9F1E449B}] => (Allow) C:\Program Files (x86)\Garena Plus\ggdllhost.exe
FirewallRules: [{27414F26-A60C-43A2-8507-A40794567DB5}] => (Allow) C:\GarenaDownload\Games\pbid\pbidInstaller.exe
FirewallRules: [{48449367-D9AB-410F-A3D6-8C1BE6F7B40C}] => (Allow) C:\GarenaDownload\Games\pbid\pbidInstaller.exe
FirewallRules: [{41F91F89-A4E9-4969-8334-F1063FD89851}] => (Allow) D:\LostSaga\autoupgrade.exe
FirewallRules: [{F5D592E3-8C79-4692-9712-5B61B3F22E60}] => (Allow) D:\LostSaga\autoupgrade.exe
FirewallRules: [{AC022EAF-A61D-469F-B8DF-9EABA276FA11}] => (Allow) D:\LostSaga\lostsaga.exe
FirewallRules: [{33B3F881-A324-45A3-A7C9-8C0B95E40475}] => (Allow) D:\LostSaga\lostsaga.exe
FirewallRules: [TCP Query User{A6BDA329-E199-43E5-95DF-774582E56BEA}C:\program files (x86)\garena plus\garenamessenger.exe] => (Allow) C:\program files (x86)\garena plus\garenamessenger.exe
FirewallRules: [UDP Query User{55825C69-6260-49FB-A295-169EBC275614}C:\program files (x86)\garena plus\garenamessenger.exe] => (Allow) C:\program files (x86)\garena plus\garenamessenger.exe
FirewallRules: [{B9606A7B-6496-46D4-914D-DA9548B1C110}] => (Allow) C:\Program Files (x86)\GarenaPBID\gamedata\Apps\PBID\PointBlank.exe
FirewallRules: [{D29F4C26-D43F-4BD4-B593-FEA0D869C322}] => (Allow) C:\Program Files (x86)\GarenaPBID\gamedata\Apps\PBID\PointBlank.exe
FirewallRules: [TCP Query User{602DF0BA-850C-4069-81FD-4F662B98E829}D:\steamlibrary\steamapps\common\grand theft auto v\gta5.exe] => (Allow) D:\steamlibrary\steamapps\common\grand theft auto v\gta5.exe
FirewallRules: [UDP Query User{6BB6A357-3387-46F5-A40D-9A2997045CA6}D:\steamlibrary\steamapps\common\grand theft auto v\gta5.exe] => (Allow) D:\steamlibrary\steamapps\common\grand theft auto v\gta5.exe
FirewallRules: [{7BA75840-8BA0-4175-A21C-723E8A4224F2}] => (Allow) D:\SteamLibrary\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe
FirewallRules: [{BBDD3422-9934-4DA0-9185-50F730EF9832}] => (Allow) D:\SteamLibrary\steamapps\common\Fallout New Vegas\FalloutNVLauncher.exe
FirewallRules: [TCP Query User{F1493C9B-6DDA-4F35-85C2-28F0863200C7}D:\steamlibrary\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe] => (Allow) D:\steamlibrary\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe
FirewallRules: [UDP Query User{AB754EB3-126E-4DE1-86CA-464B39C47211}D:\steamlibrary\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe] => (Allow) D:\steamlibrary\steamapps\common\grand theft auto iv\gtaiv\gtaiv.exe
FirewallRules: [TCP Query User{884FDCF0-1341-4A27-9976-CFD1D9FE18E2}D:\steamlibrary\steamapps\common\planetside 2\planetside2_x64.exe] => (Allow) D:\steamlibrary\steamapps\common\planetside 2\planetside2_x64.exe
FirewallRules: [UDP Query User{508DD8F7-135B-4B30-A826-ADB90FFD352C}D:\steamlibrary\steamapps\common\planetside 2\planetside2_x64.exe] => (Allow) D:\steamlibrary\steamapps\common\planetside 2\planetside2_x64.exe
FirewallRules: [{6AE70781-9546-433C-80BA-F94FC7DB23CA}] => (Allow) %systemroot%\system32\alg.exe
FirewallRules: [{B7E3EDC1-DC73-4476-8166-235421A983E5}] => (Allow) D:\SteamLibrary\steamapps\common\InvisibleInc\invisibleinc.exe
FirewallRules: [{9DA8C7A8-2C97-4B13-9A84-34D4DD3BEAAA}] => (Allow) D:\SteamLibrary\steamapps\common\InvisibleInc\invisibleinc.exe
FirewallRules: [{6E7335AF-C5E4-420C-B55B-05B6CCB9680C}] => (Allow) D:\SteamLibrary\steamapps\common\Total War SHOGUN 2\Shogun2.exe
FirewallRules: [{FD762D28-EF55-4B9B-81F4-44726C1D60B5}] => (Allow) D:\SteamLibrary\steamapps\common\Total War SHOGUN 2\Shogun2.exe
FirewallRules: [{C39D458C-60F0-496A-a783-FA7A390BAFA9}] => (Allow) C:\ProgramData\IcyCarje\gigoamaw.exe
FirewallRules: [{254C71C4-2D63-4442-B4EC-E1B66A403B55}] => (Allow) C:\ProgramData\IcyCarje\gigoamaw.exe
FirewallRules: [{FCD9975C-D9F5-4DBF-898E-08B6FA022FCE}] => (Allow) C:\ProgramData\IcyCarje\gigoamaw.exe
FirewallRules: [{E47D458B-AAB1-4751-8D04-52EF16EE1B6F}] => (Allow) C:\ProgramData\IcyCarje\gigoamaw.exe
FirewallRules: [{11770E45-4B01-4D8A-9289-F61EE34E6A61}] => (Allow) C:\ProgramData\IcyCarje\gigoamaw.exe
FirewallRules: [{3E92EAF8-59A0-4E21-89B8-E7F773875F9D}] => (Allow) C:\Users\Samsung 5 Ultra\AppData\Roaming\IQIYI Video\LStyle\GpUpdate.exe
FirewallRules: [{591B4EC3-53EB-4777-A0C8-045BE3E2470E}] => (Allow) C:\IQIYI Video\GeePlayer\GeePlayer.exe
FirewallRules: [{8E042382-0494-463B-8F55-FDF70A557CE9}] => (Allow) C:\Users\Samsung 5 Ultra\AppData\Roaming\IQIYI Video\LStyle\QyUpdate.exe
FirewallRules: [{37912AB7-CA3F-457E-B1EA-C92F4190FD5A}] => (Allow) C:\IQIYI Video\LStyle\QyClient.exe
FirewallRules: [{C3F1ECB9-D593-4FA6-A0C5-085CC2DC5E8C}] => (Allow) C:\IQIYI Video\LStyle\QyWebPlayer.exe
FirewallRules: [{1B1222D4-CFA0-48E2-BB2E-7CC487B47D62}] => (Allow) C:\IQIYI Video\Common\QyKernel.exe
FirewallRules: [{141E23C0-5B17-46DD-8642-F1F537B62978}] => (Allow) C:\IQIYI Video\LStyle\QyPlayer.exe
FirewallRules: [{166CC2BC-1627-44BC-BE91-49DE8AFC9D86}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe
FirewallRules: [{FA594D22-0392-43CB-B70F-216051AFA13A}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\130\bugreport_xf.exe
FirewallRules: [{C83D2285-EAAA-43A2-84A9-563D1D837C33}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\130\tencentdl.exe
FirewallRules: [{D0728FE5-228B-4774-A1DC-94C98CDFBFEF}] => (Allow) C:\program files (x86)\common files\tencent\qqdownload\130\bugreport_xf.exe
FirewallRules: [{ECE197FE-A636-46F6-8C1A-89A54430332D}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (08/30/2015 01:04:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: chrome.exe, version: 44.0.2403.157, time stamp: 0x55d29eef
Faulting module name: Zoomcore.dll, version: 1.0.0.24846, time stamp: 0x55d5c8fb
Exception code: 0xc0000005
Fault offset: 0x000049d8
Faulting process id: 0x1834
Faulting application start time: 0xchrome.exe0
Faulting application path: chrome.exe1
Faulting module path: chrome.exe2
Report Id: chrome.exe3
Faulting package full name: chrome.exe4
Faulting package-relative application ID: chrome.exe5
 
Error: (08/30/2015 12:59:04 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Java_Update.8.0.450.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
 
Process ID: 4a4
 
Start Time: 01d0e2e8f0b665d9
 
Termination Time: 4294967295
 
Application Path: C:\Program Files\NixSrv\packages\21363b31-a91e-4507-96ff-da5bf2eb3159\setup\Java_Update.8.0.450.exe
 
Report Id: 36e3b3e7-4edc-11e5-8296-1867b0570cbb
 
Faulting package full name: 
 
Faulting package-relative application ID:
 
Error: (08/30/2015 12:29:04 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (08/30/2015 12:29:03 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (08/30/2015 12:13:09 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: FalloutNV.exe, version: 1.4.0.525, time stamp: 0x4e0d50ed
Faulting module name: FalloutNV.exe, version: 1.4.0.525, time stamp: 0x4e0d50ed
Exception code: 0xc0000005
Fault offset: 0x006615de
Faulting process id: 0xc0
Faulting application start time: 0xFalloutNV.exe0
Faulting application path: FalloutNV.exe1
Faulting module path: FalloutNV.exe2
Report Id: FalloutNV.exe3
Faulting package full name: FalloutNV.exe4
Faulting package-relative application ID: FalloutNV.exe5
 
Error: (08/30/2015 11:19:13 AM) (Source: Perflib) (EventID: 1023) (User: )
Description: rdyboost4
 
Error: (08/30/2015 10:04:05 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (08/30/2015 10:04:04 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=4
 
Error: (08/29/2015 08:48:59 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (08/29/2015 08:48:57 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: License Activation (slui.exe) failed with the following error code:
hr=0xC004F074
Command-line arguments:
RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=3
 
 
System errors:
=============
Error: (08/30/2015 12:40:31 PM) (Source: DCOM) (EventID: 10010) (User: MOTHERSHIP)
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}
 
Error: (08/30/2015 12:40:00 PM) (Source: DCOM) (EventID: 10010) (User: MOTHERSHIP)
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}
 
Error: (08/30/2015 12:28:43 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Delete Exit service failed to start due to the following error: 
%%2
 
Error: (08/30/2015 12:28:43 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The SSFK service failed to start due to the following error: 
%%3
 
Error: (08/30/2015 12:28:43 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The sihkahtaa service failed to start due to the following error: 
%%3
 
Error: (08/30/2015 12:28:40 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The PDA Backward Slash service failed to start due to the following error: 
%%2
 
Error: (08/30/2015 12:28:34 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Cool Barcode service failed to start due to the following error: 
%%2
 
Error: (08/30/2015 12:28:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Kerning Down service failed to start due to the following error: 
%%3
 
Error: (08/30/2015 12:28:31 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The atuvpazpa service failed to start due to the following error: 
%%2
 
Error: (08/30/2015 12:28:15 PM) (Source: BTHUSB) (EventID: 5) (User: )
Description: The Bluetooth driver expected an HCI event with a certain size but did not receive it.
 
 
Microsoft Office:
=========================
Error: (08/30/2015 01:04:06 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: chrome.exe44.0.2403.15755d29eefZoomcore.dll1.0.0.2484655d5c8fbc0000005000049d8183401d0e2e9ac712d91C:\Program Files (x86)\Google\Chrome\Application\chrome.exeC:\ProgramData\Saophase\Zoomcore.dlleba85538-4edc-11e5-8296-1867b0570cbb
 
Error: (08/30/2015 12:59:04 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: Java_Update.8.0.450.exe0.0.0.04a401d0e2e8f0b665d94294967295C:\Program Files\NixSrv\packages\21363b31-a91e-4507-96ff-da5bf2eb3159\setup\Java_Update.8.0.450.exe36e3b3e7-4edc-11e5-8296-1867b0570cbb
 
Error: (08/30/2015 12:29:04 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: hr=0xC004F074RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (08/30/2015 12:29:03 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: hr=0xC004F074RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=1
 
Error: (08/30/2015 12:13:09 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: FalloutNV.exe1.4.0.5254e0d50edFalloutNV.exe1.4.0.5254e0d50edc0000005006615dec001d0e2dba2cbee0eD:\SteamLibrary\steamapps\common\Fallout New Vegas\FalloutNV.exeD:\SteamLibrary\steamapps\common\Fallout New Vegas\FalloutNV.execd13f5d0-4ed5-11e5-8295-1867b0570cbb
 
Error: (08/30/2015 11:19:13 AM) (Source: Perflib) (EventID: 1023) (User: )
Description: rdyboost4
 
Error: (08/30/2015 10:04:05 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: hr=0xC004F074RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (08/30/2015 10:04:04 AM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: hr=0xC004F074RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=4
 
Error: (08/29/2015 08:48:59 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: hr=0xC004F074RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=NetworkAvailable
 
Error: (08/29/2015 08:48:57 PM) (Source: Software Protection Platform Service) (EventID: 8198) (User: )
Description: hr=0xC004F074RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=c06b6981-d7fd-4a35-b7b4-054742b7af67;NotificationInterval=1440;Trigger=UserLogon;SessionId=3
 
 
CodeIntegrity:
===================================
  Date: 2015-08-28 08:46:34.354
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-08-28 08:39:15.547
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Windows\System32\services.exe) attempted to load \Device\HarddiskVolume2\Program Files\Windows Defender\NisSrv.exe that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-08-28 08:36:26.103
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
 
  Date: 2015-08-16 16:59:44.790
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-08-16 16:59:44.780
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-08-16 16:57:55.127
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-08-16 16:57:55.103
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-05-14 11:10:18.939
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
  Date: 2015-05-14 11:10:18.915
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Bonjour\mdnsNSP.dll that did not meet the Custom 3 / Antimalware signing level requirements.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Core™ i5-3337U CPU @ 1.80GHz
Percentage of memory in use: 39%
Total physical RAM: 8073.68 MB
Available physical RAM: 4861.96 MB
Total Virtual: 9353.69 MB
Available Virtual: 5883.61 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:100.87 GB) (Free:29.4 GB) NTFS
Drive d: (Data) (Fixed) (Total:364.55 GB) (Free:91.24 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: E4F499D3)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=100.9 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=364.6 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 22.4 GB) (Disk ID: 7A4E441F)
 
Partition: GPT.
 
==================== End of Addition.txt ============================

Attached Files


Edited by xXToffeeXx, 30 August 2015 - 06:05 AM.
Posted Addition.txt~



 


#2 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 30 August 2015 - 08:56 AM

Hello :)

I'm currently reviewing your logs and preparing a fix. However, I cannot find information on one of the items, and I'd like you to upload the file to VirusTotal for scanning. We'll also uninstall some programs that are adware/malware related. :thumbup2:

Step 1: Upload file to VirusTotal
  • Please go to VirusTotal.org by clicking here
  • Please click on Choose File
  • When the window opens, navigate to the location listed in the box below and select the file that is listed in that location.

    C:\Program Files\Common Files\b1lu1epr\18080nf4avaun.exe

  • Once you have selected the file, click the blue Scan It! button.
  • VirusTotal will scan the file and produce a report for you. Please copy the link in the address bar when it shows you the report and post it in your next reply.
Step 2: P2P Warning and Program Uninstalls

The Dangers of P2P Programs

I noticed that you have a P2P file sharing program on your computer. I cannot stress highly enough the danger in using these types of programs. P2P programs are one of the major avenues of infection these days. The files downloaded with these programs are more likely than not infected with trojans, malware, rootkits, etc.

You run the risk of getting an infection that can compromise your sensitive data, such as financial records, personal information, etc. That is just the infection aspect of using P2P programs. You also run the risk of possible arrest, fines, or in severe cases, jail time for illegal downloading of copyrighted material.

There are also new infections out there such as CryptoWall 3.0 and CryptoLocker. When infected with these, all of your personal files on any drive connected to your computer will be affected. These infections copy all your files, encrypt them, and then delete the originals, leaving you with the encrypted copies. You are then presented with a screen telling you that you have a certain amount of time to pay the ransom for the decryption code to decrypt your files. Even if you pay the ransom, the decryption process usually results in corrupt and unusable files.

There is nothing we can do to decrypt the files, as they use very sophisticated encryption techniques. Please consider this when using P2P programs. Malware and ransomware writers use P2P to spread their infections.


Here are some information sources about the dangers of P2P programs:

FBI - Peer to Peer Scams

USA Today Article on P2P Programs

File Sharing Infects 500,000 Computers

I very much recommend you uninstall this program from your machine. If not, I can guarantee you will be back needing help with your machine again. The risks of infections from content downloaded with P2P programs far outweigh any benefit of using them.

It is, of course, your choice as to whether or not you remove the program from your machine. It is my duty though, to point out how dangerous it is to use these programs. However, I must request that you do not use it while we are cleaning your machine.


Program Uninstalls

Please uninstall the following programs from your machine as they are adware/malware related. If one of the programs fails to uninstall, please move on to the next one in the list.
  • adblocker
  • Software Version Updater
  • YTD Video Downloader 4.9
Things I need to see in your next post:

VirusTotal Report

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.





#3 meister99

meister99
  • Topic Starter

  • Members
  • 28 posts
  • Local time:09:51 AM

Posted 30 August 2015 - 12:31 PM

Hello,

 

 

Here's the link to my VirusTotal Report:

https://www.virustotal.com/en/file/e64a3e72c0b2850c8886d4c3efbf9dddf1474b29c7966cf2a34a4bfc1840e556/analysis/1440955378/

 

I've uninstalled my P2P program. You are right, all this problem began while I left the program running. I've also uninstalled YTD Video Downloader but I can't uninstall adblocker. Nothing happens when I click uninstall from the Programs and Features window. Also, it says that Software Version Updater is already uninstalled when I tried to uninstall it (I have been going on an uninstall spree before coming here).



#4 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 30 August 2015 - 01:05 PM

Hello,
 
 
Here's the link to my VirusTotal Report:
https://www.virustotal.com/en/file/e64a3e72c0b2850c8886d4c3efbf9dddf1474b29c7966cf2a34a4bfc1840e556/analysis/1440955378/
 
I've uninstalled my P2P program. You are right, all this problem began while I left the program running. I've also uninstalled YTD Video Downloader but I can't uninstall adblocker. Nothing happens when I click uninstall from the Programs and Features window. Also, it says that Software Version Updater is already uninstalled when I tried to uninstall it (I have been going on an uninstall spree before coming here).


Hello :)

Thank you for the report; it does show that the file is infected. We'll be getting rid of it as well. No worries if they are telling you they're already uninstalled. I'll also remove what it shows of them in the logs. We'll have more steps to go after these, but please give me an update on how the machine is running upon completion of these steps.

Let's get started showing your uninvited guests the door. :)


Please disable your antivirus for the duration of my instructions. Don't forget to re-enable them after you have completed the steps.

Step 1: Fix with FRST

Note: Before performing this step, please move FRST64.exe from C:\Users\Samsung 5 Ultra\Downloads to your Desktop. All tools must be run from the Desktop for maximum efficiency.
  • Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right click on it and select Copy.)
  • Right-click in the open Notepad window and select Paste.
  • Save it on the desktop as fixlist.txt

    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

Start
CreateRestorePoint:
CloseProcesses:
() C:\Program Files\NixSrv\NixSrv.exe
C:\Program Files\NixSrv
() C:\ProgramData\Saophase\Saophase.exe
C:\ProgramData\Saophases
C:\ProgramData\Saophase
() C:\Program Files\NixSrv\packages\21363b31-a91e-4507-96ff-da5bf2eb3159\NixHost.exe
C:\Program Files\NixSrv
() C:\ProgramData\Saophase\Redkix.exe
() C:\ProgramData\ExtTag\ExtTag.exe
() C:\ProgramData\ExtTag
() C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3E.exe
() C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3F.exe
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [apphide] => C:\Program Files (x86)\baidu\pps.exe
C:\Program Files (x86)\baidu
AppInit_DLLs: C:\ProgramData\ExtTag\Tech-Core.dll => C:\ProgramData\ExtTag\Tech-Core.dll [212992 2015-08-30] ()
AppInit_DLLs-x32: C:\ProgramData\ExtTag\Lamtech.dll => C:\ProgramData\ExtTag\Lamtech.dll [194560 2015-08-30] ()
GroupPolicyScripts: Group Policy detected <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hao123.com/?tn=92280131_hao_pg
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
Winsock: Catalog9 01 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 02 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 03 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 04 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 16 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9-x64 01 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 02 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 03 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 04 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 16 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
C:\Windows\SysWOW64\Ooteeotoor.dll
C:\Windows\system32\Ooteeotoor64.dll
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.istartsurf.com/?type=sc&ts=1440693660&z=a2a8e2f57c0a90f30b2d997gezbzfe3q2t0c6w1zcq&from=obw&uid=ST500LT012-9WS142_W0V5A168XXXXW0V5A168
FF Homepage: C:\ProgramData\ExtTags\ff.HP
FF NewTab: C:\ProgramData\ExtTags\ff.NT
FF Plugin-x32: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [No File]
FF Plugin HKU\S-1-5-21-2081238159-1021517717-438538016-1001: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll No File
FF user.js: detected! => C:\Users\Samsung 5 Ultra\AppData\Roaming\Mozilla\Firefox\Profiles\dzt5shd3.default\user.js [2015-08-28]
FF HKLM\...\Firefox\Extensions: [{0420BEC0-F2C1-4578-8F19-471B9E5C63A5}] - C:\Program Files\shopperz240820151333\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{0420BEC0-F2C1-4578-8F19-471B9E5C63A5}] - C:\Program Files\shopperz240820151333\Firefox
C:\Program Files\shopperz240820151333
R2 ExtTag; C:\ProgramData\ExtTag\ExtTag.exe [33792 2015-08-27] () [File not signed]
R2 NixSrv; C:\Program Files\NixSrv\NixSrv.exe [379904 2015-08-27] () [File not signed]
R2 Saophase; C:\ProgramData\Saophase\Saophase.exe [33792 2015-08-27] () [File not signed]
S2 atuvpazpa; "C:\ProgramData\IcyCarje\gigoamaw.exe" /ts2=1 [X]
S2 gopibeko; no ImagePath
S2 jimocoso; C:\Program Files (x86)\271D2900-1440693668-11E2-9ABD-B08B03FE1D00\jnssCB91.tmp [X]
S2 qivihofe; C:\Program Files (x86)\271D2900-1440693668-11E2-9ABD-B08B03FE1D00\knso9B7F.tmp [X]
S2 sihkahtaa; no ImagePath
S2 SSFK; no ImagePath
S2 totyseku; C:\Program Files (x86)\271D2900-1440693668-11E2-9ABD-B08B03FE1D00\hnsgF989.tmp [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S1 QMUdisk; \??\C:\Program Files (x86)\Tencent\QQPCMgr\10.10.16443.223\QMUdisk64.sys [X]
S3 TS888x64; \??\C:\Program Files (x86)\Tencent\QQPCMgr\10.10.16443.223\TS888x64.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
S3 xspirit; \??\C:\Windows\xspirit.sys [X]
C:\ProgramData\Saophases
C:\Program Files\Common Files\jjo4znmu.exe
2015-08-28 00:22 - 2015-08-28 00:22 - 00004816 _____ C:\Windows\SysWOW64\Ooteeotoor.ini
2015-08-28 00:22 - 2015-08-28 00:22 - 00002536 _____ C:\Windows\SysWOW64\OoteeotoorOff.ini
2015-08-28 00:22 - 2015-08-28 00:22 - 00002536 _____ C:\Windows\system32\OoteeotoorOff.ini
2015-08-28 00:22 - 2015-08-24 17:36 - 00353656 _____ C:\Windows\system32\Ooteeotoor64.dll
2015-08-28 00:22 - 2015-08-24 17:36 - 00283512 _____ C:\Windows\SysWOW64\Ooteeotoor.dll
2015-08-28 00:19 - 2015-08-28 06:48 - 00000000 ____D C:\Program Files (x86)\baidu
C:\Program Files\Common Files\b1lu1epr\18080nf4avaun.exe
C:\Program Files\Common Files\b1lu1epr
Task: {F30DF902-9386-4CB3-AA20-4B55A3DDD71D} - System32\Tasks\2dlfjddd => C:\Program Files\Common Files\b1lu1epr\18080nf4avaun.exe [2015-08-18] ()
C:\Windows\System32\Tasks\2dlfjddd
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
Task: {09C7CA9B-5DE3-4F96-8AB9-77BB43F98AA4} - System32\Tasks\APSnotifierPP2 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
C:\Program Files (x86)\AnyProtectEx
Task: {B0E53EE1-1975-466E-8472-28E305E47C96} - System32\Tasks\APSnotifierPP1 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {B7B5FAA4-D124-444C-98A2-1C27660C4075} - System32\Tasks\APSnotifierPP3 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {DD2AB9B6-36A5-440C-A6FE-ABD4F7DE8416} - System32\Tasks\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6 => C:\Users\Samsung 5 Ultra\AppData\Local\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {D26B2B8F-CB8A-4B58-9166-1551A4E5AE9C} - System32\Tasks\runTask => %TEMP%/Updater.exe
Task: {FA9D03BA-51C6-42EF-BED3-92FFAAD262D9} - System32\Tasks\updateTask => c:\task.vbs
C:\task.vbs
CMD: netsh winsock reset catalog
CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
Hosts:
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt) please post it in your next reply.


Step 2: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Step 3: Adwcleaner

Download ADWcleaner by clicking here. Please save it to your Desktop


  • Double click the adwcleaner.exe file (Vista and 7 users: right click it and select Run as Administrator, then accept the UAC prompt) to run AdwCleaner
  • Once AdwCleaner's control panel is open and it says "Waiting for Action", click on Options at the top of the control panel.
  • Please Check the following options:
    • Reset Proxy Settings
    • Reset Winsock Settings
    • Reset TCP/IP Settings
    • Reset Firewall Settings
    • Reset IPSec Settings
    • Reset BITS Queue
    • Reset Internet Explorer Policies
    • Reset Chrome Policies
  • Close any open windows or browsers.
  • Pause your Anti-Virus program if it is running.
  • Once it starts, click on the Scan button.
  • Let the scan complete itself. This may take a few minutes.
  • Once the scan has finished, it will say "Pending, uncheck elements you don't want to remove." Don't worry about unchecking anything; click the Cleaning button. When finished, it will ask to reboot. Please reboot.
  • When the machine has rebooted, a log will be produced. Please copy/paste that in your next reply. Here's how:
    • Click the Logfile button and the log will open. Copy and Paste the contents of the log file into your next reply.
    This report is also saved at C:\
Step 4: Fresh FRST Scan
  • Start Farbar's Recovery Scan Tool and press the Scan button.
  • FRST will scan your system and produce one log this time. Please post it in your next reply.
Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

Fixlog.txt Log

Junkware Removal Tool Log

AdwCleaner Log

Fresh FRST.txt Log

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.
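The Search Page, Search Bar and SearchScopes entries in the fix list above all point at a host written entirely in percent-encoding, which hides the actual hijacker domain from a casual read of the log. The following Python snippet is an added example (my own code, not FRST's, not AdwCleaner's and not the helper's) that parses FRST-style entries, restores the defanged hxxp:// scheme only for parsing (nothing is fetched), decodes the host, and flags every entry whose host was percent-encoded. The input is a constructed sample copied from this thread's fix list with the long p= tokens shortened.

```python
"""Decode obfuscated hijacker hosts from FRST-style log entries (constructed sample)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: four entries in the form FRST prints them, copied from the
# fix list in this thread. Long query tokens were shortened; "hxxp" is FRST's
# defanged scheme and is never dereferenced here.
SAMPLE_FRST_LINES = r"""
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hao123.com/?tn=92280131_hao_pg
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFz&q={searchTerms}
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFz&q={searchTerms}
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.istartsurf.com/?type=sc&ts=1440693660&from=obw
""".strip()

# A defanged URL runs from "hxxp://" to the next whitespace.
URL_RE = re.compile(r"hxxps?://\S+", re.IGNORECASE)


def refang(url: str) -> str:
    """Turn FRST's defanged hxxp:// back into http:// so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def decode_host(url: str) -> tuple[str, str, bool]:
    """Return (raw_host, decoded_host, was_percent_encoded) for one URL.

    urlsplit().hostname lowercases the host; unquote() then resolves any
    %XX escapes, so a host such as %66%65%65%64.… becomes feed.….
    """
    raw_host = urlsplit(refang(url)).hostname or ""
    decoded = unquote(raw_host).lower()
    return raw_host, decoded, "%" in raw_host


def find_hijack_entries(frst_text: str) -> list[dict]:
    """One record per URL found: the setting it was written to, raw and decoded host, flag."""
    records = []
    for line in frst_text.splitlines():
        for url in URL_RE.findall(line):
            raw_host, host, encoded = decode_host(url)
            # Everything before the URL identifies the registry value / scope / shortcut.
            entry = line[: line.index(url)].rstrip(" =-")
            records.append({
                "entry": entry,
                "raw_host": raw_host,
                "host": host,
                "percent_encoded_host": encoded,
            })
    return records


def suspicious_hosts(frst_text: str) -> list[str]:
    """Decoded hosts that were hidden behind percent-encoding: a cheap obfuscation indicator."""
    return sorted({r["host"] for r in find_hijack_entries(frst_text)
                   if r["percent_encoded_host"]})


if __name__ == "__main__":
    for rec in find_hijack_entries(SAMPLE_FRST_LINES):
        flag = "OBFUSCATED" if rec["percent_encoded_host"] else "plain"
        print(f"{flag:10} {rec['host']:24} <- {rec['entry']}")
    print("hosts hidden by percent-encoding:", suspicious_hosts(SAMPLE_FRST_LINES))
```

Run against the full FRST.txt instead of the sample to get a single list of every browser setting that has been redirected and the plain-text domain each one resolves to; a percent-encoded host is not something a legitimate installer writes, so the flag alone is a useful triage signal even before the domain is looked up.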





#5 meister99

meister99
  • Topic Starter

  • Members
  • 28 posts
  • Local time:09:51 AM

Posted 31 August 2015 - 08:04 AM

Hello  :)

 

Here's the contents of the FRST Fixlog.txt. No noticeable change after doing the fix; search engine and homepage are still hijacked.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:30-08-2015

Ran by Samsung 5 Ultra (2015-08-31 19:36:59) Run:1
Running from C:\Users\Samsung 5 Ultra\Desktop
Loaded Profiles: Samsung 5 Ultra (Available Profiles: Samsung 5 Ultra & Gede A)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
() C:\Program Files\NixSrv\NixSrv.exe
C:\Program Files\NixSrv
() C:\ProgramData\Saophase\Saophase.exe
C:\ProgramData\Saophases
C:\ProgramData\Saophase
() C:\Program Files\NixSrv\packages\21363b31-a91e-4507-96ff-da5bf2eb3159\NixHost.exe
C:\Program Files\NixSrv
() C:\ProgramData\Saophase\Redkix.exe
() C:\ProgramData\ExtTag\ExtTag.exe
() C:\ProgramData\ExtTag
() C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3E.exe
() C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3F.exe
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [apphide] => C:\Program Files (x86)\baidu\pps.exe
C:\Program Files (x86)\baidu
AppInit_DLLs: C:\ProgramData\ExtTag\Tech-Core.dll => C:\ProgramData\ExtTag\Tech-Core.dll [212992 2015-08-30] ()
AppInit_DLLs-x32: C:\ProgramData\ExtTag\Lamtech.dll => C:\ProgramData\ExtTag\Lamtech.dll [194560 2015-08-30] ()
GroupPolicyScripts: Group Policy detected <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.hao123.com/?tn=92280131_hao_pg
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwJ2vW20TLo0fprQhMxBFoXreFmNAkvYVN5ypycTOGmiJjVMxX2To31f89r&q={searchTerms}
Winsock: Catalog9 01 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 02 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 03 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 04 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9 16 C:\Windows\SysWOW64\Ooteeotoor.dll [283512 2015-08-28] ()
Winsock: Catalog9-x64 01 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 02 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 03 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 04 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
Winsock: Catalog9-x64 16 C:\Windows\system32\Ooteeotoor64.dll [353656 2015-08-28] ()
C:\Windows\SysWOW64\Ooteeotoor.dll
C:\Windows\system32\Ooteeotoor64.dll
StartMenuInternet: IEXPLORE.EXE - C:\Program Files\Internet Explorer\iexplore.exe hxxp://www.istartsurf.com/?type=sc&ts=1440693660&z=a2a8e2f57c0a90f30b2d997gezbzfe3q2t0c6w1zcq&from=obw&uid=ST500LT012-9WS142_W0V5A168XXXXW0V5A168
FF Homepage: C:\ProgramData\ExtTags\ff.HP
FF NewTab: C:\ProgramData\ExtTags\ff.NT
FF Plugin-x32: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [No File]
FF Plugin HKU\S-1-5-21-2081238159-1021517717-438538016-1001: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll No File
FF user.js: detected! => C:\Users\Samsung 5 Ultra\AppData\Roaming\Mozilla\Firefox\Profiles\dzt5shd3.default\user.js [2015-08-28]
FF HKLM\...\Firefox\Extensions: [{0420BEC0-F2C1-4578-8F19-471B9E5C63A5}] - C:\Program Files\shopperz240820151333\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{0420BEC0-F2C1-4578-8F19-471B9E5C63A5}] - C:\Program Files\shopperz240820151333\Firefox
C:\Program Files\shopperz240820151333
R2 ExtTag; C:\ProgramData\ExtTag\ExtTag.exe [33792 2015-08-27] () [File not signed]
R2 NixSrv; C:\Program Files\NixSrv\NixSrv.exe [379904 2015-08-27] () [File not signed]
R2 Saophase; C:\ProgramData\Saophase\Saophase.exe [33792 2015-08-27] () [File not signed]
S2 atuvpazpa; "C:\ProgramData\IcyCarje\gigoamaw.exe" /ts2=1 [X]
S2 gopibeko; no ImagePath
S2 jimocoso; C:\Program Files (x86)\271D2900-1440693668-11E2-9ABD-B08B03FE1D00\jnssCB91.tmp [X]
S2 qivihofe; C:\Program Files (x86)\271D2900-1440693668-11E2-9ABD-B08B03FE1D00\knso9B7F.tmp [X]
S2 sihkahtaa; no ImagePath
S2 SSFK; no ImagePath
S2 totyseku; C:\Program Files (x86)\271D2900-1440693668-11E2-9ABD-B08B03FE1D00\hnsgF989.tmp [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S1 QMUdisk; \??\C:\Program Files (x86)\Tencent\QQPCMgr\10.10.16443.223\QMUdisk64.sys [X]
S3 TS888x64; \??\C:\Program Files (x86)\Tencent\QQPCMgr\10.10.16443.223\TS888x64.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
S3 xspirit; \??\C:\Windows\xspirit.sys [X]
C:\ProgramData\Saophases
C:\Program Files\Common Files\jjo4znmu.exe
2015-08-28 00:22 - 2015-08-28 00:22 - 00004816 _____ C:\Windows\SysWOW64\Ooteeotoor.ini
2015-08-28 00:22 - 2015-08-28 00:22 - 00002536 _____ C:\Windows\SysWOW64\OoteeotoorOff.ini
2015-08-28 00:22 - 2015-08-28 00:22 - 00002536 _____ C:\Windows\system32\OoteeotoorOff.ini
2015-08-28 00:22 - 2015-08-24 17:36 - 00353656 _____ C:\Windows\system32\Ooteeotoor64.dll
2015-08-28 00:22 - 2015-08-24 17:36 - 00283512 _____ C:\Windows\SysWOW64\Ooteeotoor.dll
2015-08-28 00:19 - 2015-08-28 06:48 - 00000000 ____D C:\Program Files (x86)\baidu
C:\Program Files\Common Files\b1lu1epr\18080nf4avaun.exe
C:\Program Files\Common Files\b1lu1epr
Task: {F30DF902-9386-4CB3-AA20-4B55A3DDD71D} - System32\Tasks\2dlfjddd => C:\Program Files\Common Files\b1lu1epr\18080nf4avaun.exe [2015-08-18] ()
C:\Windows\System32\Tasks\2dlfjddd
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat
Task: {09C7CA9B-5DE3-4F96-8AB9-77BB43F98AA4} - System32\Tasks\APSnotifierPP2 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
C:\Program Files (x86)\AnyProtectEx
Task: {B0E53EE1-1975-466E-8472-28E305E47C96} - System32\Tasks\APSnotifierPP1 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {B7B5FAA4-D124-444C-98A2-1C27660C4075} - System32\Tasks\APSnotifierPP3 => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {DD2AB9B6-36A5-440C-A6FE-ABD4F7DE8416} - System32\Tasks\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6 => C:\Users\Samsung 5 Ultra\AppData\Local\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP1.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP2.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: C:\Windows\Tasks\APSnotifierPP3.job => C:\Program Files (x86)\AnyProtectEx\AnyProtect.exe <==== ATTENTION
Task: {D26B2B8F-CB8A-4B58-9166-1551A4E5AE9C} - System32\Tasks\runTask => %TEMP%/Updater.exe
Task: {FA9D03BA-51C6-42EF-BED3-92FFAAD262D9} - System32\Tasks\updateTask => c:\task.vbs
C:\task.vbs
CMD: netsh winsock reset catalog
CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
Hosts:
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
[4188] C:\Program Files\NixSrv\NixSrv.exe => process closed successfully.
C:\Program Files\NixSrv => moved successfully
C:\ProgramData\Saophase\Saophase.exe => No running process found
C:\ProgramData\Saophases => moved successfully
C:\ProgramData\Saophase => moved successfully
C:\Program Files\NixSrv\packages\21363b31-a91e-4507-96ff-da5bf2eb3159\NixHost.exe => No running process found
"C:\Program Files\NixSrv" => File/Folder not found.
C:\ProgramData\Saophase\Redkix.exe => No running process found
C:\ProgramData\ExtTag\ExtTag.exe => No running process found
C:\ProgramData\ExtTag => No running process found
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3E.exe => No running process found
C:\Users\Samsung 5 Ultra\AppData\Local\Temp\nssCB3F.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Windows\CurrentVersion\Run\\apphide => value removed successfully
C:\Program Files (x86)\baidu => moved successfully
"C:\ProgramData\ExtTag\Tech-Core.dll" => Value data removed successfully.
"C:\ProgramData\ExtTag\Lamtech.dll" => Value data removed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main\\Search Bar => value removed successfully
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main\\SearchAssistant => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\ielnksrch" => key removed successfully
HKCR\Wow6432Node\CLSID\ielnksrch => key not found. 
"HKU\S-1-5-21-2081238159-1021517717-438538016-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{ielnksrch}" => key removed successfully
HKCR\CLSID\{ielnksrch} => key not found. 
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000001" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000002" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000003" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000004" => key removed successfully
"HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries64\000000000016" => key removed successfully
C:\Windows\SysWOW64\Ooteeotoor.dll => moved successfully
C:\Windows\system32\Ooteeotoor64.dll => moved successfully
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
Firefox "homepage" removed successfully
Firefox "newtab" removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@iqiyi.com/npWebPlayer" => key removed successfully
"HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\MozillaPlugins\@iqiyi.com/npWebPlayer" => key removed successfully
C:\IQIYI Video\LStyle\npWebPlayer.dll => not found.
C:\Users\Samsung 5 Ultra\AppData\Roaming\Mozilla\Firefox\Profiles\dzt5shd3.default\user.js => moved successfully
HKLM\Software\Mozilla\Firefox\Extensions\\{0420BEC0-F2C1-4578-8F19-471B9E5C63A5} => value removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{0420BEC0-F2C1-4578-8F19-471B9E5C63A5} => value removed successfully
"C:\Program Files\shopperz240820151333" => File/Folder not found.
ExtTag => service removed successfully
NixSrv => service removed successfully
Saophase => service removed successfully
atuvpazpa => service removed successfully
gopibeko => service removed successfully
jimocoso => service removed successfully
qivihofe => service removed successfully
sihkahtaa => service removed successfully
SSFK => service removed successfully
totyseku => service removed successfully
EagleX64 => service removed successfully
QMUdisk => service removed successfully
TS888x64 => service removed successfully
xhunter1 => service removed successfully
xspirit => service removed successfully
"C:\ProgramData\Saophases" => File/Folder not found.
C:\Program Files\Common Files\jjo4znmu.exe => moved successfully
C:\Windows\SysWOW64\Ooteeotoor.ini => moved successfully
C:\Windows\SysWOW64\OoteeotoorOff.ini => moved successfully
C:\Windows\system32\OoteeotoorOff.ini => moved successfully
"C:\Windows\system32\Ooteeotoor64.dll" => File/Folder not found.
"C:\Windows\SysWOW64\Ooteeotoor.dll" => File/Folder not found.
"C:\Program Files (x86)\baidu" => File/Folder not found.
C:\Program Files\Common Files\b1lu1epr\18080nf4avaun.exe => moved successfully
C:\Program Files\Common Files\b1lu1epr => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F30DF902-9386-4CB3-AA20-4B55A3DDD71D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F30DF902-9386-4CB3-AA20-4B55A3DDD71D}" => key removed successfully
C:\Windows\System32\Tasks\2dlfjddd => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\2dlfjddd" => key removed successfully
"C:\Windows\System32\Tasks\2dlfjddd" => File/Folder not found.
C:\ProgramData\{262E20B8-6E20-4CEF-B1FD-D022AB1085F5}.dat => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{09C7CA9B-5DE3-4F96-8AB9-77BB43F98AA4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{09C7CA9B-5DE3-4F96-8AB9-77BB43F98AA4}" => key removed successfully
C:\Windows\System32\Tasks\APSnotifierPP2 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\APSnotifierPP2" => key removed successfully
"C:\Program Files (x86)\AnyProtectEx" => File/Folder not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B0E53EE1-1975-466E-8472-28E305E47C96}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0E53EE1-1975-466E-8472-28E305E47C96}" => key removed successfully
C:\Windows\System32\Tasks\APSnotifierPP1 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\APSnotifierPP1" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B7B5FAA4-D124-444C-98A2-1C27660C4075}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B7B5FAA4-D124-444C-98A2-1C27660C4075}" => key removed successfully
C:\Windows\System32\Tasks\APSnotifierPP3 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\APSnotifierPP3" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{DD2AB9B6-36A5-440C-A6FE-ABD4F7DE8416}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DD2AB9B6-36A5-440C-A6FE-ABD4F7DE8416}" => key removed successfully
C:\Windows\System32\Tasks\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CB3FF984-5FD6-4973-A9EB-B73B627DB5D6" => key removed successfully
C:\Windows\Tasks\APSnotifierPP1.job => moved successfully
C:\Windows\Tasks\APSnotifierPP2.job => moved successfully
C:\Windows\Tasks\APSnotifierPP3.job => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D26B2B8F-CB8A-4B58-9166-1551A4E5AE9C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D26B2B8F-CB8A-4B58-9166-1551A4E5AE9C}" => key removed successfully
C:\Windows\System32\Tasks\runTask => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\runTask" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FA9D03BA-51C6-42EF-BED3-92FFAAD262D9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA9D03BA-51C6-42EF-BED3-92FFAAD262D9}" => key removed successfully
C:\Windows\System32\Tasks\updateTask => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\updateTask" => key removed successfully
"C:\task.vbs" => File/Folder not found.
 
=========  netsh winsock reset catalog =========
 
Initialization Function InitHelperDll in NSHHTTP.DLL failed to start with error code 10107
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
0 out of 0 jobs canceled.
 
========= End of CMD: =========
 
 
=========  netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
=========  netsh advfirewall set allprofiles state on =========
 
Ok.
 
 
========= End of CMD: =========
 
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
EmptyTemp: => 979.1 MB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 19:37:47 ====


#6 meister99


Posted 31 August 2015 - 08:06 AM

This one is the contents of the JRT.txt log. The homepage and search engine are no longer hijacked and are back to normal after running JRT.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.9 (08.27.2015:1)
OS: Windows 8.1 Pro x64
Ran by Samsung 5 Ultra on Mon 08/31/2015 at 19:44:38.21
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
Successfully deleted: [Service] cherimoya [Reboot required]
Successfully deleted: [Service] Service Mgr ResultsHub [Reboot required]
Successfully deleted: [Service] Update Mgr ResultsHub [Reboot required]
 
 
 
~~~ Tasks
 
Successfully deleted: [Task] C:\Windows\system32\tasks\LaunchPreSignup
Successfully deleted: [Task] C:\Windows\system32\tasks\posuownooa
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_FE12F96DA070CFADCEB210CFE73E3C6E
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\\Default_Search_URL
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\\Default
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchURL\\Default
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main\\Start Page
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\globalupdate.exe
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Application\windowsmangerprotect
 
 
 
~~~ Files
 
Successfully deleted: [File] C:\Windows\system32\drivers\tfsfltx64.sys
Successfully deleted: [File] C:\Users\Samsung 5 Ultra\Appdata\Local\nspF0E2.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\findit.xml
Successfully deleted: [File] C:\Users\Samsung 5 Ultra\desktop\continue live installation.lnk
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] C:\Program Files (x86)\Common Files\3929cb63-cbbd-4b9c-8b92-a50fbd04e656
Successfully deleted: [Folder] C:\Program Files (x86)\Common Files\tencent
Successfully deleted: [Folder] C:\Program Files (x86)\globalupdate
Successfully deleted: [Folder] C:\Program Files (x86)\results hub
Successfully deleted: [Folder] C:\Program Files (x86)\tencent
Successfully deleted: [Folder] C:\Program Files\Common Files\tencent
Successfully deleted: [Folder] C:\ProgramData\exttag
Successfully deleted: [Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\results hub
Successfully deleted: [Folder] C:\ProgramData\results hub
Successfully deleted: [Folder] C:\ProgramData\tencent
Successfully deleted: [Folder] C:\ProgramData\txqmpc
Successfully deleted: [Folder] C:\Users\Public\qiyi
Successfully deleted: [Folder] C:\Users\Samsung 5 Ultra\Appdata\Local\crashrpt
Successfully deleted: [Folder] C:\Users\Samsung 5 Ultra\Appdata\Local\globalupdate
Successfully deleted: [Folder] C:\Users\Samsung 5 Ultra\Appdata\Local\sysassistbyhotwheel
Successfully deleted: [Folder] C:\Users\Samsung 5 Ultra\Appdata\LocalLow\company
Successfully deleted: [Folder] C:\Users\Samsung 5 Ultra\AppData\Roaming\iqiyi video
Successfully deleted: [Folder] C:\Users\Samsung 5 Ultra\AppData\Roaming\opencandy
Successfully deleted: [Folder] C:\Users\Samsung 5 Ultra\AppData\Roaming\tencent
Successfully deleted: [Folder] C:\Users\Samsung 5 Ultra\AppData\Roaming\vopackage
Successfully deleted: [Folder] C:\ProgramData\3929cb63-cbbd-4b9c-8b92-a50fbd04e656
Successfully deleted: [Folder] C:\ProgramData\MWinManProM
Successfully deleted: [Folder] C:\Users\Samsung 5 Ultra\Appdata\Local\10182
 
 
 
~~~ Chrome
 
 
[C:\Users\Samsung 5 Ultra\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\Samsung 5 Ultra\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
 
[C:\Users\Samsung 5 Ultra\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\Samsung 5 Ultra\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 08/31/2015 at 19:46:15.73
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#7 meister99


Posted 31 August 2015 - 08:08 AM

This one is the AdwCleaner[S1].txt log file. I started up AdwCleaner again, but the logfile button is greyed out. I found two logs at C:/ so I'm posting both. The system looks normal now; trusted programs that ask for permission at every boot-up are now asking for permission again (they weren't for the past few days).

 

# AdwCleaner v5.004 - Logfile created 31/08/2015 at 19:51:28
# Updated 26/08/2015 by Xplode
# Database : 2015-08-30.1 [Server]
# Operating system : Windows 8.1 Pro  (x64)
# Username : Samsung 5 Ultra - MOTHERSHIP
# Running from : C:\Users\Samsung 5 Ultra\Desktop\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
Service Found : cherimoya
 
***** [ Folders ] *****
 
Folder Found : C:\Program Files (x86)\SFK
Folder Found : C:\ProgramData\ExtTags
Folder Found : C:\ProgramData\{2889c22f-91d7-6b43-2889-9c22f91d08be}
Folder Found : C:\Users\Samsung 5 Ultra\AppData\Roaming\AnyProtectEx
Folder Found : C:\Users\Samsung 5 Ultra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????
Folder Found : C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tencent
 
***** [ Files ] *****
 
File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ResultsHubDesktopSearch.lnk
File Found : C:\Users\Samsung 5 Ultra\AppData\Roaming\Mozilla\Firefox\Profiles\dzt5shd3.default\searchplugins\findit.xml
File Found : C:\Windows\SysWOW64\drivers\TS888x64.sys
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
Task Found : amiupdaterExd
Task Found : amiupdaterExi
 
***** [ Registry ] *****
 
Key Found : HKLM\SOFTWARE\Classes\AppID\DownloadProxy.EXE
Key Found : HKLM\SOFTWARE\CLASSES\METNSD
Key Found : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP
Key Found : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP
Key Found : HKLM\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
Key Found : HKLM\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{70DE12EA-79F4-46BC-9812-86DB50A2FD64}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D96C1D26-5CDF-4506-9244-57233C3984DF}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{99415057-7C50-439D-AA20-02D83C071B61}
Key Found : HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
Key Found : HKLM\SOFTWARE\Classes\Interface\{D96C1D26-5CDF-4506-9244-57233C3984DF}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
Key Found : HKLM\SOFTWARE\Classes\Interface\{EAC7DE5C-9520-435D-91AA-4A02E4773CEA}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{E6F928E4-B672-4F3A-8CA2-53C4259235DE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{B0660298-91AA-421F-BF0D-BFF6BB8BF3AE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{D96C1D26-5CDF-4506-9244-57233C3984DF}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{EAC7DE5C-9520-435D-91AA-4A02E4773CEA}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}
Key Found : HKU\.DEFAULT\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
Key Found : HKCU\Software\AnyProtect
Key Found : HKCU\Software\GlobalUpdate
Key Found : HKCU\Software\CrossBrowser
Key Found : HKCU\Software\Crossbrowse
Key Found : HKCU\Software\AppDataLow\Software\Crossrider
Key Found : HKLM\SOFTWARE\AppDataLow\SOFTWARE\Crossrider
Key Found : HKLM\SOFTWARE\GlobalUpdate
Key Found : HKLM\SOFTWARE\istartsurfSoftware
Key Found : HKLM\SOFTWARE\SupDp
Key Found : HKLM\SOFTWARE\supWindowsMangerProtect
Key Found : HKLM\SOFTWARE\mystartsearchSoftware
Key Found : HKLM\SOFTWARE\IHProtect
Key Found : HKLM\SOFTWARE\Crossbrowse
Key Found : HKLM\SOFTWARE\downchecker
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IM
Key Found : [x64] HKCU\Software\AnyProtect
Key Found : [x64] HKCU\Software\GlobalUpdate
Key Found : [x64] HKCU\Software\CrossBrowser
Key Found : [x64] HKCU\Software\Crossbrowse
Key Found : [x64] HKLM\SOFTWARE\downchecker
Key Found : HKU\.DEFAULT\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
Key Found : HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\AppDataLow\Software\Crossrider
Key Found : HKU\S-1-5-18\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
 
***** [ Web browsers ] *****
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [5690 bytes] ##########
 

Edited by meister99, 31 August 2015 - 08:11 AM.


#8 meister99


Posted 31 August 2015 - 08:11 AM

This one is the AdwCleaner[C1].txt log file.

 

# AdwCleaner v5.004 - Logfile created 31/08/2015 at 19:53:11
# Updated 26/08/2015 by Xplode
# Database : 2015-08-30.1 [Server]
# Operating system : Windows 8.1 Pro  (x64)
# Username : Samsung 5 Ultra - MOTHERSHIP
# Running from : C:\Users\Samsung 5 Ultra\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
[-] Service Deleted : cherimoya
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\Program Files (x86)\SFK
[-] Folder Deleted : C:\ProgramData\ExtTags
[-] Folder Deleted : C:\ProgramData\{2889c22f-91d7-6b43-2889-9c22f91d08be}
[-] Folder Deleted : C:\Users\Samsung 5 Ultra\AppData\Roaming\AnyProtectEx
[-] Folder Deleted : C:\Users\Samsung 5 Ultra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\????
[-] Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\tencent
 
***** [ Files ] *****
 
[-] File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ResultsHubDesktopSearch.lnk
[-] File Deleted : C:\Users\Samsung 5 Ultra\AppData\Roaming\Mozilla\Firefox\Profiles\dzt5shd3.default\searchplugins\findit.xml
[-] File Deleted : C:\Windows\SysWOW64\drivers\TS888x64.sys
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
[-] Task Deleted : amiupdaterExd
[-] Task Deleted : amiupdaterExi
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\DownloadProxy.EXE
[-] Key Deleted : HKLM\SOFTWARE\CLASSES\METNSD
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\QQPCRTP
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\QQPCRTP
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{70DE12EA-79F4-46BC-9812-86DB50A2FD64}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D96C1D26-5CDF-4506-9244-57233C3984DF}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F83D1872-D9FF-47F8-B5A0-49CC51E24EE8}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{99415057-7C50-439D-AA20-02D83C071B61}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D96C1D26-5CDF-4506-9244-57233C3984DF}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAC7DE5C-9520-435D-91AA-4A02E4773CEA}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E6F928E4-B672-4F3A-8CA2-53C4259235DE}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B0660298-91AA-421F-BF0D-BFF6BB8BF3AE}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{5EC7C511-CD0F-42E6-830C-1BD9882F3458}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{D96C1D26-5CDF-4506-9244-57233C3984DF}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAC7DE5C-9520-435D-91AA-4A02E4773CEA}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1E6A8DA1-1731-465B-B036-B9E16EF26CAC}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2E6A8DA1-2731-465B-B036-B9E16EF26CAC}
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
[-] Key Deleted : HKCU\Software\AnyProtect
[-] Key Deleted : HKCU\Software\GlobalUpdate
[-] Key Deleted : HKCU\Software\CrossBrowser
[-] Key Deleted : HKCU\Software\Crossbrowse
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
[-] Key Deleted : HKLM\SOFTWARE\AppDataLow\SOFTWARE\Crossrider
[-] Key Deleted : HKLM\SOFTWARE\GlobalUpdate
[-] Key Deleted : HKLM\SOFTWARE\istartsurfSoftware
[-] Key Deleted : HKLM\SOFTWARE\SupDp
[-] Key Deleted : HKLM\SOFTWARE\supWindowsMangerProtect
[-] Key Deleted : HKLM\SOFTWARE\mystartsearchSoftware
[-] Key Deleted : HKLM\SOFTWARE\IHProtect
[-] Key Deleted : HKLM\SOFTWARE\Crossbrowse
[-] Key Deleted : HKLM\SOFTWARE\downchecker
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IM
[!] Key Not Deleted : [x64] HKCU\Software\AnyProtect
[!] Key Not Deleted : [x64] HKCU\Software\GlobalUpdate
[!] Key Not Deleted : [x64] HKCU\Software\CrossBrowser
[!] Key Not Deleted : [x64] HKCU\Software\Crossbrowse
[-] Key Deleted : [x64] HKLM\SOFTWARE\downchecker
[!] Key Not Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
[!] Key Not Deleted : HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\AppDataLow\Software\Crossrider
[!] Key Not Deleted : HKU\S-1-5-18\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
 
***** [ Web browsers ] *****
 
 
*************************
 
:: Proxy settings cleared
:: Winsock settings cleared
:: TCP/IP settings cleared
:: Firewall settings cleared
:: IPSec settings cleared
:: BITS queue cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [6343 bytes] ##########


#9 meister99


Posted 31 August 2015 - 08:15 AM

And this one is the fresh FRST.txt logfile :)

It also produced an Addition.txt though. I'm attaching it in case you want to take a look at it. 

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:30-08-2015
Ran by Samsung 5 Ultra (administrator) on MOTHERSHIP (31-08-2015 20:12:03)
Running from C:\Users\Samsung 5 Ultra\Desktop
Loaded Profiles: Samsung 5 Ultra (Available Profiles: Samsung 5 Ultra & Gede A)
Platform: Windows 8.1 Pro (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
() C:\Program Files (x86)\Garena Plus\ggdllhost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SafeNet Inc.) C:\Windows\System32\hasplms.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(INNORIX) C:\Windows\SysWOW64\innosvcd.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
() C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe
(Mentor Graphics Corporation) C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe
(Mentor Graphics Corporation) C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\dispatcher.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDTouch.exe
() C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
(LINE Corporation) C:\Program Files (x86)\Naver\LINE\Line.exe
(Dassault Systèmes SolidWorks Corp.) C:\Program Files\SolidWorks Corp\SolidWorks\sldworks_fs.exe
(Power Software Ltd) C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Windows\WinStore\WSHost.exe
(Microsoft Corporation) C:\Program Files (x86)\Internet Explorer\ielowutil.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3274056 2013-11-25] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [336992 2012-08-17] (Power Software Ltd)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-03-07] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31087200 2015-01-23] (Skype Technologies S.A.)
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [GarenaPlus] => C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe [10014656 2015-08-06] ()
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [LINE] => C:\Program Files (x86)\Naver\LINE\Line.exe [15664152 2015-08-18] (LINE Corporation)
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [GoogleChromeAutoLaunch_FE12F96DA070CFADCEB210CFE73E3C6E] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [813896 2015-08-18] (Google Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2015-03-12]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SolidWorks 2013 Fast Start.lnk [2015-03-27]
ShortcutTarget: SolidWorks 2013 Fast Start.lnk -> C:\Windows\Installer\{B6B5EA7E-B91F-443D-A958-B0062FB53804}\NewShortcut2_87EDF6C81D0A4B7B84F42FE0C6A9D608.exe (Flexera Software, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{0AEAFFA0-A462-42E5-A94F-9E09E7BEA8E5}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{351B2076-CEB6-4281-808E-32A0F800D9A8}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://id.search.yahoo.com/?fr=hp-ddc-bd&type=bl-bir-sw-rhb-35__alt__ddc_dsssyc_bd_com
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://u.msn.com/id-id/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://id.search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bl-bir-sw-rhb-35__alt__ddc_dss_bd_com&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://id.search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bl-bir-sw-rhb-35__alt__ddc_dss_bd_com&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> DefaultScope {56304CC1-F182-44BC-B8B8-A7A42B96DB1C} URL = hxxp://id.search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bl-bir-sw-rhb-35__alt__ddc_dss_bd_com&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> OldSearch URL = hxxps://id.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> {56304CC1-F182-44BC-B8B8-A7A42B96DB1C} URL = hxxp://id.search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bl-bir-sw-rhb-35__alt__ddc_dss_bd_com&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> {5F1F8852-2D37-4640-A4AD-B50631A1AC84} URL = hxxp://search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bl-bir-dd__alt__ddc_dss_bd_com&p={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2011-02-12] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-24] (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-26] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\ssv.dll [2015-03-29] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-29] (Oracle Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Samsung 5 Ultra\AppData\Roaming\Mozilla\Firefox\Profiles\dzt5shd3.default
FF NetworkProxy: "type", 5
FF Homepage: C:\ProgramData\ExtTags\ff.HP
FF Plugin: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-09-23] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-09-23] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll [2015-08-13] ()
FF Plugin-x32: @esn.me/esnsonar,version=0.70.4 -> C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll [2011-11-03] (ESN Social Software AB)
FF Plugin-x32: @esn/esnlaunch,version=2.3.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.3.0\npesnlaunch.dll [2013-09-16] (ESN Social Software AB)
FF Plugin-x32: @innorix.com/innogmp -> C:\Program Files (x86)\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin-x32: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-29] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-29] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-25] (Microsoft Corporation)
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [2015-07-07] ( Garena)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-30] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-30] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2012-12-19] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2081238159-1021517717-438538016-1001: @innorix.com/innogmp -> C:\Program Files (x86)\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin HKU\S-1-5-21-2081238159-1021517717-438538016-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Samsung 5 Ultra\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2014-12-05] (Unity Technologies ApS)
 
Chrome: 
=======
CHR Profile: C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-28]
CHR Extension: (Google Docs) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-01]
CHR Extension: (Google Drive) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-08-28]
CHR Extension: (YouTube) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-08-28]
CHR Extension: (Adblock Plus) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2015-08-28]
CHR Extension: (Google Search) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-08-28]
CHR Extension: (Google Sheets) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-28]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-01]
CHR Extension: (Browsec) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\omghfjlpggmjjaagoclmmobgdodcjboh [2015-08-28]
CHR Extension: (Gmail) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-28]
CHR Profile: C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (YouTube) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-01]
CHR Extension: (Gmail) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-01]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 hasplms; C:\Windows\system32\hasplms.exe [4609928 2013-08-01] (SafeNet Inc.)
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2011-08-18] (Hewlett-Packard Co.) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 Innosvcd; C:\Windows\SysWOW64\innosvcd.exe [193144 2013-04-04] (INNORIX)
R2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2015-05-30] ()
R2 pyodqct; C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe [52736 2015-08-27] () [File not signed]
R2 RemoteSolverDispatcher; C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe [52360 2012-11-22] (Mentor Graphics Corporation) [File not signed]
S3 SolidWorks Licensing Service; C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2015-02-16] (SolidWorks) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [36608 2013-12-12] (Advanced Micro Devices, Inc.)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3855872 2013-09-25] (Qualcomm Atheros Communications, Inc.)
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-09-25] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-09-25] (Windows ® Win 7 DDK provider)
R3 ETDSMBus; C:\Windows\system32\DRIVERS\ETDSMBus.sys [23344 2013-11-22] (ELAN Microelectronic Corp.)
R2 hardlock; C:\Windows\system32\drivers\hardlock.sys [331328 2013-08-01] (SafeNet Inc.)
R3 irstrtdv; C:\Windows\System32\drivers\irstrtdv.sys [20192 2013-11-25] (Intel Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
R3 RadioHIDMini; C:\Windows\System32\drivers\RadioHIDMini.sys [23408 2012-07-28] (Windows ® Win 7 DDK provider)
S3 SDGame; C:\Windows\System32\svchost.exe [37768 2013-08-22] (Microsoft Corporation)
S3 usbrndis6; C:\Windows\system32\DRIVERS\usb80236.sys [20992 2013-08-22] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-31 20:12 - 2015-08-31 20:12 - 00017454 _____ C:\Users\Samsung 5 Ultra\Desktop\FRST.txt
2015-08-31 19:51 - 2015-08-31 19:53 - 00000000 ____D C:\AdwCleaner
2015-08-31 19:47 - 2015-08-31 19:47 - 01618432 _____ C:\Users\Samsung 5 Ultra\Desktop\AdwCleaner.exe
2015-08-31 19:46 - 2015-08-31 19:46 - 00005012 _____ C:\Users\Samsung 5 Ultra\Desktop\JRT.txt
2015-08-31 19:43 - 2015-08-31 19:43 - 01798640 _____ (Malwarebytes Corporation) C:\Users\Samsung 5 Ultra\Desktop\JRT.exe
2015-08-31 19:42 - 2015-08-31 19:42 - 00003156 _____ C:\Windows\System32\Tasks\a0m0mkcn
2015-08-31 19:42 - 2015-08-31 19:42 - 00000000 ____D C:\Program Files\Common Files\ariilocx
2015-08-31 19:36 - 2015-08-31 19:36 - 00000000 ____D C:\Users\Samsung 5 Ultra\Desktop\FRST-OlderVersion
2015-08-30 14:18 - 2015-08-30 14:18 - 00000102 _____ C:\Users\Samsung 5 Ultra\Downloads\FRST.txt
2015-08-30 14:17 - 2015-08-30 14:18 - 00061745 _____ C:\Users\Samsung 5 Ultra\Downloads\Addition.txt
2015-08-30 14:02 - 2015-08-30 14:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\TuneUp Software
2015-08-30 14:02 - 2015-08-30 14:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\TuneUp Software
2015-08-30 14:01 - 2015-08-30 14:03 - 00000000 ____D C:\ProgramData\TuneUp Software
2015-08-30 13:55 - 2015-08-30 13:55 - 00059624 _____ C:\Users\Samsung 5 Ultra\Downloads\Addition1.txt
2015-08-30 13:54 - 2015-08-31 20:12 - 00000000 ____D C:\FRST
2015-08-30 13:54 - 2015-08-30 14:23 - 00045947 _____ C:\Users\Samsung 5 Ultra\Downloads\FRST1.txt
2015-08-30 13:53 - 2015-08-31 19:36 - 02188288 _____ (Farbar) C:\Users\Samsung 5 Ultra\Desktop\FRST64.exe
2015-08-30 13:37 - 2015-08-30 13:38 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\NPE
2015-08-30 13:37 - 2015-08-30 13:37 - 00000000 ____D C:\ProgramData\Norton
2015-08-30 13:04 - 2015-08-30 13:04 - 00002265 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-08-30 13:04 - 2015-08-30 13:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-08-30 13:01 - 2015-08-31 20:06 - 00001052 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-30 13:01 - 2015-08-31 19:56 - 00001048 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-30 13:01 - 2015-08-30 13:01 - 00004024 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-08-30 13:01 - 2015-08-30 13:01 - 00003788 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-08-30 12:20 - 2015-08-30 12:21 - 51076312 _____ (Microsoft Corporation) C:\Users\Samsung 5 Ultra\Downloads\Windows-KB890830-x64-V5.27 (1).exe
2015-08-28 19:45 - 2015-08-28 19:45 - 01995622 _____ C:\Users\Samsung 5 Ultra\Downloads\HoxHud P9.1.5 Self-installer.exe
2015-08-28 09:04 - 2015-07-28 10:59 - 132483416 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-08-28 08:51 - 2015-08-28 08:54 - 51076312 _____ (Microsoft Corporation) C:\Users\Samsung 5 Ultra\Downloads\Windows-KB890830-x64-V5.27.exe
2015-08-28 08:43 - 2015-08-28 08:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-08-28 08:43 - 2015-08-28 08:43 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-08-28 08:43 - 2015-08-28 08:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-08-28 08:34 - 2015-08-28 08:35 - 13155552 _____ (Microsoft Corporation) C:\Users\Samsung 5 Ultra\Downloads\Silverlight_x64.exe
2015-08-28 06:21 - 2015-08-28 06:21 - 00003148 _____ C:\Windows\System32\Tasks\{E2F4F4E6-58B2-48C5-BEEA-26ABBA3C38FE}
2015-08-28 02:05 - 2015-08-28 02:05 - 00000000 ____D C:\ProgramData\KingSoft
2015-08-28 00:44 - 2015-08-28 00:44 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Unity
2015-08-28 00:18 - 2015-08-28 00:18 - 00000000 ____D C:\Windows\system32\abis
2015-08-28 00:13 - 2015-08-28 00:13 - 00000000 ____D C:\ProgramData\1WinManPro1
2015-08-27 23:54 - 2015-08-27 23:54 - 00000000 ____D C:\ProgramData\cWinManProc
2015-08-27 23:53 - 2015-08-28 06:36 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Opera Software
2015-08-27 23:51 - 2015-08-28 01:51 - 00000004 _____ C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-08-27 23:42 - 2015-08-27 23:56 - 00000000 ____D C:\ProgramData\update
2015-08-27 23:42 - 2013-08-22 20:25 - 00000824 _____ C:\Windows\system32\Drivers\etc\hp.bak
2015-08-27 23:41 - 2015-08-27 23:41 - 00052736 _____ C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe
2015-08-27 23:39 - 2015-08-28 06:34 - 00000000 ____D C:\ProgramData\IcyCarje
2015-08-27 23:08 - 2015-08-27 23:09 - 01850119 _____ C:\Windows\chromebrowser.exe
2015-08-26 17:57 - 2015-08-30 15:29 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\OSP
2015-08-26 15:02 - 2015-08-31 19:58 - 00003476 _____ C:\Windows\System32\Tasks\gg_uac_daemon_Samsung 5 Ultra
2015-08-13 19:03 - 2015-08-13 19:03 - 00001148 _____ C:\Users\Samsung 5 Ultra\Desktop\Universe Sandbox 2.lnk
2015-08-13 01:03 - 2015-08-13 01:05 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Universe Sandbox ²
2015-08-13 00:02 - 2015-08-13 13:25 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Universe Sandbox
2015-08-13 00:02 - 2015-08-13 00:02 - 00000000 __SHD C:\Users\Samsung 5 Ultra\AppData\Roaming\wyUpdate AU
2015-08-13 00:02 - 2015-08-13 00:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\System
2015-08-13 00:02 - 2015-08-13 00:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Universe Sandbox
2015-08-11 22:31 - 2015-08-11 22:31 - 00000221 _____ C:\Users\Samsung 5 Ultra\Desktop\Total War SHOGUN 2.url
2015-08-07 13:45 - 2015-08-07 13:45 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Klei
2015-08-07 11:52 - 2015-08-07 11:52 - 00000222 _____ C:\Users\Samsung 5 Ultra\Desktop\Invisible, Inc..url
2015-08-07 06:10 - 2015-08-07 06:10 - 00188104 _____ C:\ods.exe
2015-08-05 20:18 - 2015-08-05 20:18 - 00001475 _____ C:\Users\Samsung 5 Ultra\Desktop\nvse_loader.exe - Shortcut.lnk
2015-08-04 16:12 - 2015-08-04 16:12 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\FOMM
2015-08-04 16:09 - 2015-08-30 12:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fallout Mod Manager
2015-08-04 16:09 - 2015-08-04 16:09 - 00000516 _____ C:\Users\Samsung 5 Ultra\Desktop\Fallout Mod Manager.lnk
2015-08-04 16:09 - 2015-08-04 16:09 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\FOMM
2015-08-04 15:53 - 2015-08-04 16:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\Downloads\FNV modding tools
2015-08-02 08:19 - 2015-08-02 08:19 - 00000000 __SHD C:\ProgramData\SecuROM
2015-08-02 08:17 - 2015-08-02 08:17 - 00178800 _____ (Sony DADC Austria AG.) C:\Windows\SysWOW64\CmdLineExt_x64.dll
2015-08-02 08:17 - 2015-08-02 08:17 - 00000000 __RHD C:\Users\Samsung 5 Ultra\AppData\Roaming\SecuROM
2015-08-02 07:56 - 2015-08-02 07:56 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\SCE
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-08-31 20:03 - 2015-01-01 04:51 - 02008475 _____ C:\Windows\WindowsUpdate.log
2015-08-31 20:02 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\system32\sru
2015-08-31 20:01 - 2015-01-01 05:12 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2081238159-1021517717-438538016-1001
2015-08-31 19:59 - 2015-07-24 14:09 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\GarenaPlus
2015-08-31 19:59 - 2015-07-24 14:07 - 00000000 ____D C:\ProgramData\GarenaMessenger
2015-08-31 19:56 - 2015-01-26 08:26 - 00000657 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2015-08-31 19:56 - 2013-08-22 21:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-08-31 19:53 - 2013-08-22 20:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-08-31 19:40 - 2015-01-01 04:47 - 00186982 _____ C:\Windows\PFRO.log
2015-08-31 19:37 - 2013-08-22 22:36 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-08-31 00:57 - 2015-03-18 21:48 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\vlc
2015-08-30 15:29 - 2015-01-03 00:13 - 00000000 ____D C:\Program Files (x86)\Steam
2015-08-30 15:08 - 2015-01-01 05:03 - 00863592 _____ C:\Windows\system32\PerfStringBackup.INI
2015-08-30 13:03 - 2015-01-01 08:37 - 00000000 ____D C:\Program Files (x86)\Google
2015-08-30 13:01 - 2015-01-01 11:52 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Deployment
2015-08-30 12:29 - 2015-01-01 08:13 - 00001430 _____ C:\Users\Gede A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-08-30 12:29 - 2015-01-01 04:51 - 00001430 _____ C:\Users\Samsung 5 Ultra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-08-29 22:31 - 2015-01-01 05:22 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\AIMP3
2015-08-28 08:15 - 2013-08-22 17:06 - 00655872 _____ (Microsoft Corporation) C:\Windows\system32\dnsapi.dll
2015-08-28 08:15 - 2013-08-22 09:55 - 00492032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dnsapi.dll
2015-08-28 08:03 - 2015-01-01 04:51 - 00000000 ____D C:\Users\Samsung 5 Ultra
2015-08-28 06:49 - 2015-01-01 05:17 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-08-28 06:32 - 2015-01-01 04:52 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-08-28 06:31 - 2013-08-22 21:44 - 00503480 _____ C:\Windows\system32\FNTCACHE.DAT
2015-08-28 06:07 - 2015-04-13 19:01 - 00000754 _____ C:\Users\Samsung 5 Ultra\Desktop\Phantasy Star Online 2.lnk
2015-08-28 06:06 - 2013-08-23 02:11 - 00000000 ____D C:\Windows\ShellNew
2015-08-28 02:03 - 2015-01-01 04:51 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\VirtualStore
2015-08-27 19:59 - 2013-08-22 21:46 - 00116979 _____ C:\Windows\setupact.log
2015-08-26 15:05 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\LiveKernelReports
2015-08-25 11:29 - 2015-07-30 15:37 - 00000368 _____ C:\Users\Samsung 5 Ultra\Desktop\songs to download.txt
2015-08-23 01:06 - 2015-01-24 20:57 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\DragonNest
2015-08-18 19:31 - 2015-03-16 20:30 - 00001079 _____ C:\ProgramData\Microsoft\Windows\Start Menu\LINE.lnk
2015-08-18 19:31 - 2015-03-16 20:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LINE
2015-08-18 14:06 - 2015-07-24 14:07 - 00000000 ____D C:\Program Files (x86)\Garena Plus
2015-08-18 10:03 - 2013-08-22 20:25 - 00000202 _____ C:\Windows\win.ini
2015-08-13 00:42 - 2013-08-22 22:38 - 00414368 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-08-13 00:41 - 2015-01-01 08:32 - 00225234 _____ C:\Windows\DirectX.log
2015-08-07 18:02 - 2015-04-16 19:50 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\BPA
2015-08-02 08:20 - 2015-07-31 09:37 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Rockstar Games
 
==================== Files in the root of some directories =======
 
2015-06-29 13:16 - 2015-06-29 13:16 - 0007602 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Resmon.ResmonCfg
2015-03-29 14:59 - 2015-05-14 20:55 - 0000000 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Temptable.xml
2015-08-27 23:41 - 2015-08-27 23:41 - 0052736 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe
2015-08-27 23:41 - 2015-08-27 23:41 - 0000187 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe.config
2015-01-01 05:44 - 2015-01-01 05:44 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-03-12 08:41 - 2015-03-12 08:52 - 0000838 _____ () C:\ProgramData\hpzinstall.log
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-08-25 11:18
 
==================== End of FRST.txt ============================



Edited by meister99, 31 August 2015 - 08:18 AM.
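Reading a log like the one above by eye is what the helper does in this thread. As an added example (not FRST's own code and not posted by any participant), the Python script below parses the Services and Run lines of an FRST.txt and flags the traits the thread acts on: an empty publisher, a "[File not signed]" marker, a binary outside System32/SysWOW64/Program Files, and a file date within a few days of the scan. The sample log is constructed in FRST's format from entries in the log above; the chromebrowser Run entry is hypothetical (the file appears in the log, the Run entry does not).

```python
"""Triage of FRST.txt autostart entries (Services and Run lines).

Added example, not FRST's code and not from this thread's participants.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# R2 name; C:\path\file.exe [size yyyy-mm-dd] (Publisher) [File not signed]
SERVICE_RE = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)"
    r"(?P<unsigned> \[File not signed\])?\s*$"
)
# HKLM-x32\...\Run: [name] => C:\path\file.exe [size yyyy-mm-dd] (Publisher)
RUN_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)"
    r"(?P<unsigned> \[File not signed\])?\s*$"
)

# Directories where a properly installed service or Run target normally lives.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class Finding:
    kind: str            # "service" or "run"
    name: str
    path: str
    publisher: str
    reasons: List[str]


def location_reason(path: str) -> Optional[str]:
    """Return why the binary's location is unusual, or None if it is a normal one."""
    p = path.lower()
    if p.startswith(TRUSTED_PREFIXES):
        return None
    if "\\appdata\\" in p:
        return "binary under a user profile (AppData)"
    if "\\programdata\\" in p:
        return "binary under ProgramData"
    return "binary outside System32/SysWOW64/Program Files"


def classify(kind: str, m: "re.Match", scan_date: date, recent_days: int) -> Finding:
    """Collect the reasons one parsed entry deserves a closer look."""
    reasons = []
    if not m.group("publisher").strip():
        reasons.append("no publisher in the file's version info")
    if m.group("unsigned"):
        reasons.append("FRST reports the file as not signed")
    loc = location_reason(m.group("path"))
    if loc:
        reasons.append(loc)
    file_date = date.fromisoformat(m.group("date"))
    if scan_date - file_date <= timedelta(days=recent_days):
        reasons.append(f"file dated {file_date}, within {recent_days} days of the scan")
    return Finding(kind, m.group("name"), m.group("path"), m.group("publisher"), reasons)


def triage(log_text: str, scan_date: date, recent_days: int = 14) -> List[Finding]:
    """Parse Services and Run lines; return the flagged entries, most reasons first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, rx in (("service", SERVICE_RE), ("run", RUN_RE)):
            m = rx.match(line)
            if m:
                f = classify(kind, m, scan_date, recent_days)
                if f.reasons:
                    findings.append(f)
                break
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


# Constructed sample in FRST's format; the chromebrowser Run entry is hypothetical.
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===========================
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3274056 2013-11-25] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [chromebrowser] => C:\Windows\chromebrowser.exe [1850119 2015-08-27] ()
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31087200 2015-01-23] (Skype Technologies S.A.)
==================== Services (Whitelisted) ========================
R2 hasplms; C:\Windows\system32\hasplms.exe [4609928 2013-08-01] (SafeNet Inc.)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2015-05-30] ()
R2 pyodqct; C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe [52736 2015-08-27] () [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
"""
SCAN_DATE = date(2015, 8, 31)   # date on the log's "Ran by" line

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SCAN_DATE):
        print(f"[{f.kind}] {f.name} -> {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

A clean entry such as hasplms or WinDefend produces no finding, while the Volity.exe service collects every reason and sorts to the top.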


#10 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:51 PM

Posted 31 August 2015 - 06:15 PM

This one is the contents of JRT.txt log. Homepage and search engine no longer hijacked and back to normal after running JRT.


Hi :)

Good to hear that, we're making progress. :thumbsup:

I'd like to run a small fix with FRST to clear out a couple of items and remove a program that's showing in the fresh Addition.txt log. Good call on posting that Addition.txt log.

Please disable your antivirus for the duration of my instructions. Don't forget to re-enable it after you have completed the steps.


Step 1: Program Removal

Please uninstall Results Hub from the machine, and let's let Revo Uninstaller have a go at getting rid of adblocker.
  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on adblocker
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again click Yes.
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted select Yes and then Next.
  • Once done click Finish.
Step 2: Fix with FRST
  • Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy.
  • Right-click in the open Notepad window and select Paste.)
  • Save it on the desktop as fixlist.txt

    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

Start
CreateRestorePoint:
FF NetworkProxy: "type", 5
FF Homepage: C:\ProgramData\ExtTags\ff.HP
RemoveProxy:
Emptytemp:
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt); please post it in your next reply.


Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

Fixlog.txt Log

Was Revo successful in removing adblocker?

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.





#11 meister99

meister99
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  • Local time:09:51 AM

Posted 31 August 2015 - 10:08 PM

Hi :)

 

I should tell you first that the browser hijack returned. My homepage and search engine got redirected again, to the same page as before. :( I didn't open any suspicious websites or plug in any devices though.

 

Revo was successful in removing adblocker, and here's the fresh Fixlog.txt

 

Fix result of Farbar Recovery Scan Tool (x64) Version:31-08-2015
Ran by Samsung 5 Ultra (2015-09-01 09:56:17) Run:2
Running from C:\Users\Samsung 5 Ultra\Desktop
Loaded Profiles: Samsung 5 Ultra (Available Profiles: Samsung 5 Ultra & Gede A)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
FF NetworkProxy: "type", 5
FF Homepage: C:\ProgramData\ExtTags\ff.HP
RemoveProxy:
Emptytemp:
End
*****************
 
Restore point was successfully created.
Firefox Proxy settings were reset.
Firefox "homepage" removed successfully
 
========= RemoveProxy: =========
 
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
EmptyTemp: => 165.3 MB temporary data Removed.
 
 
The system needed a reboot.. 
 
==== End of Fixlog 09:56:37 ====


#12 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Local time:09:51 PM

Posted 01 September 2015 - 07:37 AM

Hi :)



I should tell you first that the browser hijack returned. My homepage and search engine got redirected again, to the same page as before. :( I didn't open any suspicious websites or plug in any devices, though.


Hello :)

Ok, let's get a fresh look with FRST and see what's come back. Also, is it happening in Firefox?


Start FRST, place a checkmark in the Addition.txt box and press Scan.

FRST will scan your system and produce 2 logs, please post them both in your next reply.

Things I need to see in your next post

FRST.txt Log

Addition.txt Log

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.
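The FRST logs in this thread show two things worth spotting quickly when reading such a log: start-page and search-scope URLs whose hostname is percent-encoded (so the hijacker's domain is not readable at a glance), and AppInit_DLLs, Run and service entries whose binary sits under ProgramData or AppData. The script below is an added triage helper written for this thread, not part of FRST or of the replies above; SAMPLE_LOG is constructed from the shapes of the log lines in the thread, with the SID and the long ?p= tokens replaced by placeholders.

```python
"""Triage helper for FRST log lines (added example, not FRST's own code).

Flags two patterns seen in the thread's logs:
  * defanged hxxp:// URLs whose hostname is percent-encoded; the decoded
    hostname is reported so the hijacker's domain becomes readable;
  * AppInit_DLLs, Run-key and service entries whose binary lives in a
    user-writable directory (ProgramData, AppData), plus whether FRST
    marked the file as unsigned.
"""
import re
from urllib.parse import unquote, urlsplit

# FRST defangs URLs as hxxp:// or hxxps://.
URL_RE = re.compile(r"hxxps?://[^\s\"']+", re.IGNORECASE)
# Line shapes FRST uses in its Registry and Services sections.
APPINIT_RE = re.compile(r"^AppInit_DLLs(?:-x32)?:\s*(?P<path>.+?)\s*=>", re.IGNORECASE)
RUN_RE = re.compile(r"^HK\S*\\\.\.\.\\Run: \[[^\]]+\] => (?P<path>.+?)\s+\[\d+ ")
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);\s*(?P<path>.+?)\s+\[\d+ ")
# Directories a normal vendor install almost never uses for a service,
# Run entry or AppInit DLL; anything found here deserves a closer look.
SUSPECT_DIRS = ("\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\")

# Constructed sample modelled on the thread's FRST output (SID and ?p= tokens are placeholders).
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://id.search.yahoo.com/?fr=hp-ddc-bd
HKU\S-1-5-21-EXAMPLE-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=TOKEN_TRIMMED
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=TOKEN_TRIMMED&q={searchTerms}
AppInit_DLLs: C:\ProgramData\Saophase\Stanwarm.dll => C:\ProgramData\Saophase\Stanwarm.dll [212992 2015-08-31] ()
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-19] (Adobe Systems Incorporated)
R2 hasplms; C:\Windows\system32\hasplms.exe [4609928 2013-08-01] (SafeNet Inc.)
R2 pyodqct; C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe [52736 2015-08-27] () [File not signed]
R2 Saophase; C:\ProgramData\Saophase\Saophase.exe [33792 2015-08-27] () [File not signed]
"""


def percent_encoded_hosts(line):
    """Decoded hostnames of every defanged URL on the line whose hostname
    contained percent-escapes; an empty list when none did."""
    hosts = []
    for match in URL_RE.finditer(line):
        # Restore the real scheme so urlsplit parses the netloc normally.
        url = re.sub(r"^hxxp", "http", match.group(0), flags=re.IGNORECASE)
        raw_host = urlsplit(url).hostname or ""
        host = unquote(raw_host)
        if host != raw_host:  # hostname only changes if it had %XX escapes
            hosts.append(host)
    return hosts


def suspect_binary(line):
    """Path of an AppInit DLL, Run-key target or service binary that lives
    in a user-writable directory, or None if the line is not one of those
    entries or the binary sits elsewhere."""
    match = APPINIT_RE.match(line) or RUN_RE.match(line) or SERVICE_RE.match(line)
    if not match:
        return None
    path = match.group("path")
    if any(d in path.lower() for d in SUSPECT_DIRS):
        return path
    return None


def triage(log_text):
    """Walk an FRST log and return a list of finding dicts."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for host in percent_encoded_hosts(line):
            findings.append({"kind": "obfuscated-host", "value": host,
                             "source": line.split(" = ")[0]})
        path = suspect_binary(line)
        if path:
            findings.append({"kind": "suspect-binary", "value": path,
                             "unsigned": "[File not signed]" in line,
                             "source": line.split(" [")[0]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["kind"], "->", finding["value"])
```

Run it against a full FRST.txt by passing the file contents to triage(); the decoded hostnames are the domains to look up and block, and the flagged binaries are the entries a fixlist would normally target.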





#13 meister99

meister99
  • Topic Starter

  • Members
  • 28 posts
  • Local time:09:51 AM

Posted 01 September 2015 - 07:43 AM

Hello :)

 

I don't have Firefox installed, but it's also happening in Internet Explorer.

 

Here's the FRST.txt log. The Addition.txt log is attached as usual.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:31-08-2015
Ran by Samsung 5 Ultra (administrator) on MOTHERSHIP (01-09-2015 19:39:47)
Running from C:\Users\Samsung 5 Ultra\Desktop
Loaded Profiles: Samsung 5 Ultra (Available Profiles: Samsung 5 Ultra & Gede A)
Platform: Windows 8.1 Pro (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(SafeNet Inc.) C:\Windows\System32\hasplms.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(INNORIX) C:\Windows\SysWOW64\innosvcd.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
() C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe
(Mentor Graphics Corporation) C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe
() C:\ProgramData\Saophase\Saophase.exe
(Mentor Graphics Corporation) C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\dispatcher.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files (x86)\Garena Plus\ggdllhost.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\WinStore\WSHost.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\igfxsrvc.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrl.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDTouch.exe
(ELAN Microelectronics Corp.) C:\Program Files\Elantech\ETDCtrlHelper.exe
() C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe
(LINE Corporation) C:\Program Files (x86)\Naver\LINE\Line.exe
(Dassault Systèmes SolidWorks Corp.) C:\Program Files\SolidWorks Corp\SolidWorks\sldworks_fs.exe
(Power Software Ltd) C:\Program Files (x86)\PowerISO\PWRISOVM.EXE
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Microsoft Corporation) C:\Program Files (x86)\Internet Explorer\ielowutil.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [ETDCtrl] => C:\Program Files\Elantech\ETDCtrl.exe [3274056 2013-11-25] (ELAN Microelectronics Corp.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [946352 2012-12-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [PWRISOVM.EXE] => C:\Program Files (x86)\PowerISO\PWRISOVM.EXE [336992 2012-08-17] (Power Software Ltd)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [335232 2015-03-07] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [31087200 2015-01-23] (Skype Technologies S.A.)
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [GarenaPlus] => C:\Program Files (x86)\Garena Plus\GarenaMessenger.exe [10014656 2015-08-06] ()
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [LINE] => C:\Program Files (x86)\Naver\LINE\Line.exe [15664152 2015-08-18] (LINE Corporation)
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\...\Run: [GoogleChromeAutoLaunch_FE12F96DA070CFADCEB210CFE73E3C6E] => C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [813896 2015-08-18] (Google Inc.)
AppInit_DLLs: C:\ProgramData\Saophase\Stanwarm.dll => C:\ProgramData\Saophase\Stanwarm.dll [212992 2015-08-31] ()
AppInit_DLLs-x32: C:\ProgramData\Saophase\Hotcore.dll => C:\ProgramData\Saophase\Hotcore.dll [194560 2015-08-31] ()
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2015-03-12]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SolidWorks 2013 Fast Start.lnk [2015-03-27]
ShortcutTarget: SolidWorks 2013 Fast Start.lnk -> C:\Windows\Installer\{B6B5EA7E-B91F-443D-A958-B0062FB53804}\NewShortcut2_87EDF6C81D0A4B7B84F42FE0C6A9D608.exe (Flexera Software, Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{0AEAFFA0-A462-42E5-A94F-9E09E7BEA8E5}: [DhcpNameServer] 192.168.42.129
Tcpip\..\Interfaces\{351B2076-CEB6-4281-808E-32A0F800D9A8}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://id.search.yahoo.com/?fr=hp-ddc-bd&type=bl-bir-sw-rhb-35__alt__ddc_dsssyc_bd_com
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwIQzteecWs1iUOzww2Zzy72HOFs9BD5uWSbAaV7I8H_aYE-l1aD7HQ2OYG&q={searchTerms}
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEaJfe4PPH_-wnnVNsPmqTk3NEVkh92DPtvv7kYUO_FKKdkDKqJVqpA7u8g_PC2gvvI_9fxpZPgkF6_C
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://u.msn.com/id-id/?ocid=iehp
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwIQzteecWs1iUOzww2Zzy72HOFs9BD5uWSbAaV7I8H_aYE-l1aD7HQ2OYG&q={searchTerms}
HKU\S-1-5-21-2081238159-1021517717-438538016-1001\Software\Microsoft\Internet Explorer\Main,SearchAssistant = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwIQzteecWs1iUOzww2Zzy72HOFs9BD5uWSbAaV7I8H_aYE-l1aD7HQ2OYG&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://id.search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bl-bir-sw-rhb-35__alt__ddc_dss_bd_com&p={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://id.search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bl-bir-sw-rhb-35__alt__ddc_dss_bd_com&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL = 
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwIQzteecWs1iUOzww2Zzy72HOFs9BD5uWSbAaV7I8H_aYE-l1aD7HQ2OYG&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> DefaultScope {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwIQzteecWs1iUOzww2Zzy72HOFs9BD5uWSbAaV7I8H_aYE-l1aD7HQ2OYG&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> OldSearch URL = hxxps://id.search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=937811&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> {56304CC1-F182-44BC-B8B8-A7A42B96DB1C} URL = hxxp://id.search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bl-bir-sw-rhb-35__alt__ddc_dss_bd_com&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> {5F1F8852-2D37-4640-A4AD-B50631A1AC84} URL = hxxp://search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bl-bir-dd__alt__ddc_dss_bd_com&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2081238159-1021517717-438538016-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBUTxkij9_Bx0liE5oIa3KWnK4od4nJuqT2swfCGrNeH4xNJLNsmU9gk3kVhxQlTXpurBFYcsD4BCGs0SpfOAcOoEoQYGinQi-sVwBt7-9pJPwIQzteecWs1iUOzww2Zzy72HOFs9BD5uWSbAaV7I8H_aYE-l1aD7HQ2OYG&q={searchTerms}
BHO: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL [2011-02-12] (Microsoft Corporation)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2012-09-24] (Adobe Systems Incorporated)
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL [2010-03-26] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\ssv.dll [2015-03-29] (Oracle Corporation)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-12-21] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-29] (Oracle Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Samsung 5 Ultra\AppData\Roaming\Mozilla\Firefox\Profiles\dzt5shd3.default
FF NewTab: C:\ProgramData\Saophases\ff.NT
FF Plugin: @iqiyi.com/npWebPlayer -> C:\IQIYI Video\LStyle\npWebPlayer.dll [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin: @videolan.org/vlc,version=2.1.0 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-09-23] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2014-09-23] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll [2015-08-13] ()
FF Plugin-x32: @esn.me/esnsonar,version=0.70.4 -> C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll [2011-11-03] (ESN Social Software AB)
FF Plugin-x32: @esn/esnlaunch,version=2.3.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.3.0\npesnlaunch.dll [2013-09-16] (ESN Social Software AB)
FF Plugin-x32: @innorix.com/innogmp -> C:\Program Files (x86)\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin-x32: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-29] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-29] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-25] (Microsoft Corporation)
FF Plugin-x32: @t.garena.com/garenatalk -> C:\Program Files (x86)\Garena Plus\bbtalk\plugins\npPlugin\npGarenaTalkPlugin.dll [2015-07-07] ( Garena)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-30] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.13\npGoogleUpdate3.dll [2015-08-30] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2012-12-19] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-2081238159-1021517717-438538016-1001: @innorix.com/innogmp -> C:\Program Files (x86)\INNORIX\npinnogmp.dll [2013-04-04] (INNORIX)
FF Plugin HKU\S-1-5-21-2081238159-1021517717-438538016-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Samsung 5 Ultra\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2014-12-05] (Unity Technologies ApS)
FF SearchPlugin: C:\Users\Samsung 5 Ultra\AppData\Roaming\Mozilla\Firefox\Profiles\dzt5shd3.default\searchplugins\findit.xml [2015-08-31]
 
Chrome: 
=======
CHR StartupUrls: Default -> "https://www.google.co.id/"
CHR Profile: C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-08-28]
CHR Extension: (Google Docs) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-01]
CHR Extension: (Google Drive) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-08-28]
CHR Extension: (YouTube) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-08-28]
CHR Extension: (Google Search) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-08-28]
CHR Extension: (Google Sheets) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-08-28]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-01]
CHR Extension: (Browsec) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\omghfjlpggmjjaagoclmmobgdodcjboh [2015-08-28]
CHR Extension: (Gmail) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-08-28]
CHR Profile: C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (YouTube) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-01]
CHR Extension: (Gmail) - C:\Users\Samsung 5 Ultra\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-01]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 hasplms; C:\Windows\system32\hasplms.exe [4609928 2013-08-01] (SafeNet Inc.)
R2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2011-08-18] (Hewlett-Packard Co.) [File not signed]
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-04] (Macrovision Corporation) [File not signed]
R2 Innosvcd; C:\Windows\SysWOW64\innosvcd.exe [193144 2013-04-04] (INNORIX)
S2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76152 2015-05-30] ()
R2 pyodqct; C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe [52736 2015-08-27] () [File not signed]
R2 RemoteSolverDispatcher; C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\remotesolverdispatcherservice.exe [52360 2012-11-22] (Mentor Graphics Corporation) [File not signed]
R2 Saophase; C:\ProgramData\Saophase\Saophase.exe [33792 2015-08-27] () [File not signed]
S3 SolidWorks Licensing Service; C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe [79360 2015-02-16] (SolidWorks) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [346872 2013-08-22] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23840 2013-08-22] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R0 amdkmpfd; C:\Windows\System32\drivers\amdkmpfd.sys [36608 2013-12-12] (Advanced Micro Devices, Inc.)
R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [3855872 2013-09-25] (Qualcomm Atheros Communications, Inc.)
S3 dot4; C:\Windows\system32\DRIVERS\Dot4.sys [151968 2012-09-25] (Windows ® Win 7 DDK provider)
S3 Dot4Print; C:\Windows\System32\drivers\Dot4Prt.sys [27040 2012-09-25] (Windows ® Win 7 DDK provider)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 ETDSMBus; C:\Windows\system32\DRIVERS\ETDSMBus.sys [23344 2013-11-22] (ELAN Microelectronic Corp.)
R2 hardlock; C:\Windows\system32\drivers\hardlock.sys [331328 2013-08-01] (SafeNet Inc.)
R3 irstrtdv; C:\Windows\System32\drivers\irstrtdv.sys [20192 2013-11-25] (Intel Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [100312 2013-12-10] (Intel Corporation)
R3 RadioHIDMini; C:\Windows\System32\drivers\RadioHIDMini.sys [23408 2012-07-28] (Windows ® Win 7 DDK provider)
S3 SDGame; C:\Windows\System32\svchost.exe [37768 2013-08-22] (Microsoft Corporation)
S3 usbrndis6; C:\Windows\system32\DRIVERS\usb80236.sys [20992 2013-08-22] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-01 09:47 - 2015-09-01 09:47 - 02623656 _____ (VS Revo Group Ltd.) C:\Users\Samsung 5 Ultra\Downloads\revosetup.exe
2015-09-01 09:47 - 2015-09-01 09:47 - 00001280 _____ C:\Users\Samsung 5 Ultra\Desktop\Revo Uninstaller.lnk
2015-09-01 09:47 - 2015-09-01 09:47 - 00000000 ____D C:\Program Files (x86)\VS Revo Group
2015-08-31 21:12 - 2015-09-01 19:33 - 00000000 ____D C:\ProgramData\Saophase
2015-08-31 21:12 - 2015-08-31 21:12 - 04241742 _____ (Bycatch) C:\Program Files\Common Files\ug24iysq.exe
2015-08-31 21:12 - 2015-08-31 21:12 - 00002377 _____ C:\Windows\SysWOW64\findit.xml
2015-08-31 21:12 - 2015-08-31 21:12 - 00000000 ____D C:\ProgramData\Saophases
2015-08-31 20:56 - 2015-08-31 20:56 - 00003156 _____ C:\Windows\System32\Tasks\44nzygsj
2015-08-31 20:56 - 2015-08-31 20:56 - 00000000 ____D C:\Program Files\Common Files\3jpqppjq
2015-08-31 20:12 - 2015-09-01 19:40 - 00020205 _____ C:\Users\Samsung 5 Ultra\Desktop\FRST.txt
2015-08-31 20:12 - 2015-08-31 20:12 - 00038406 _____ C:\Users\Samsung 5 Ultra\Desktop\Addition.txt
2015-08-31 19:51 - 2015-08-31 19:53 - 00000000 ____D C:\AdwCleaner
2015-08-31 19:47 - 2015-08-31 19:47 - 01618432 _____ C:\Users\Samsung 5 Ultra\Desktop\AdwCleaner.exe
2015-08-31 19:46 - 2015-08-31 19:46 - 00005012 _____ C:\Users\Samsung 5 Ultra\Desktop\JRT.txt
2015-08-31 19:43 - 2015-08-31 19:43 - 01798640 _____ (Malwarebytes Corporation) C:\Users\Samsung 5 Ultra\Desktop\JRT.exe
2015-08-31 19:42 - 2015-08-31 19:42 - 00003156 _____ C:\Windows\System32\Tasks\a0m0mkcn
2015-08-31 19:42 - 2015-08-31 19:42 - 00000000 ____D C:\Program Files\Common Files\ariilocx
2015-08-31 19:36 - 2015-09-01 09:56 - 00000000 ____D C:\Users\Samsung 5 Ultra\Desktop\FRST-OlderVersion
2015-08-30 14:18 - 2015-08-30 14:18 - 00000102 _____ C:\Users\Samsung 5 Ultra\Downloads\FRST.txt
2015-08-30 14:17 - 2015-08-30 14:18 - 00061745 _____ C:\Users\Samsung 5 Ultra\Downloads\Addition.txt
2015-08-30 14:02 - 2015-08-30 14:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\TuneUp Software
2015-08-30 14:02 - 2015-08-30 14:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\TuneUp Software
2015-08-30 14:01 - 2015-08-30 14:03 - 00000000 ____D C:\ProgramData\TuneUp Software
2015-08-30 13:55 - 2015-08-30 13:55 - 00059624 _____ C:\Users\Samsung 5 Ultra\Downloads\Addition1.txt
2015-08-30 13:54 - 2015-09-01 19:39 - 00000000 ____D C:\FRST
2015-08-30 13:54 - 2015-08-30 14:23 - 00045947 _____ C:\Users\Samsung 5 Ultra\Downloads\FRST1.txt
2015-08-30 13:53 - 2015-09-01 09:56 - 02188800 _____ (Farbar) C:\Users\Samsung 5 Ultra\Desktop\FRST64.exe
2015-08-30 13:37 - 2015-08-30 13:38 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\NPE
2015-08-30 13:37 - 2015-08-30 13:37 - 00000000 ____D C:\ProgramData\Norton
2015-08-30 13:04 - 2015-08-31 21:12 - 00002277 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-08-30 13:04 - 2015-08-30 13:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-08-30 13:01 - 2015-09-01 19:32 - 00001048 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-08-30 13:01 - 2015-09-01 10:06 - 00001052 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-08-30 13:01 - 2015-08-30 13:01 - 00004024 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-08-30 13:01 - 2015-08-30 13:01 - 00003788 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-08-30 12:20 - 2015-08-30 12:21 - 51076312 _____ (Microsoft Corporation) C:\Users\Samsung 5 Ultra\Downloads\Windows-KB890830-x64-V5.27 (1).exe
2015-08-28 19:45 - 2015-08-28 19:45 - 01995622 _____ C:\Users\Samsung 5 Ultra\Downloads\HoxHud P9.1.5 Self-installer.exe
2015-08-28 09:04 - 2015-07-28 10:59 - 132483416 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-08-28 08:51 - 2015-08-28 08:54 - 51076312 _____ (Microsoft Corporation) C:\Users\Samsung 5 Ultra\Downloads\Windows-KB890830-x64-V5.27.exe
2015-08-28 08:43 - 2015-08-28 08:43 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2015-08-28 08:43 - 2015-08-28 08:43 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2015-08-28 08:43 - 2015-08-28 08:43 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2015-08-28 08:34 - 2015-08-28 08:35 - 13155552 _____ (Microsoft Corporation) C:\Users\Samsung 5 Ultra\Downloads\Silverlight_x64.exe
2015-08-28 06:21 - 2015-08-28 06:21 - 00003148 _____ C:\Windows\System32\Tasks\{E2F4F4E6-58B2-48C5-BEEA-26ABBA3C38FE}
2015-08-28 02:05 - 2015-08-28 02:05 - 00000000 ____D C:\ProgramData\KingSoft
2015-08-28 00:44 - 2015-08-28 00:44 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Unity
2015-08-28 00:18 - 2015-08-28 00:18 - 00000000 ____D C:\Windows\system32\abis
2015-08-28 00:13 - 2015-08-28 00:13 - 00000000 ____D C:\ProgramData\1WinManPro1
2015-08-27 23:54 - 2015-08-27 23:54 - 00000000 ____D C:\ProgramData\cWinManProc
2015-08-27 23:53 - 2015-08-28 06:36 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Opera Software
2015-08-27 23:51 - 2015-08-28 01:51 - 00000004 _____ C:\Windows\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-08-27 23:42 - 2015-08-27 23:56 - 00000000 ____D C:\ProgramData\update
2015-08-27 23:42 - 2013-08-22 20:25 - 00000824 _____ C:\Windows\system32\Drivers\etc\hp.bak
2015-08-27 23:41 - 2015-08-27 23:41 - 00052736 _____ C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe
2015-08-27 23:08 - 2015-08-27 23:09 - 01850119 _____ C:\Windows\chromebrowser.exe
2015-08-26 17:57 - 2015-08-30 15:29 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\OSP
2015-08-26 15:02 - 2015-09-01 19:32 - 00003476 _____ C:\Windows\System32\Tasks\gg_uac_daemon_Samsung 5 Ultra
2015-08-13 19:03 - 2015-08-13 19:03 - 00001148 _____ C:\Users\Samsung 5 Ultra\Desktop\Universe Sandbox 2.lnk
2015-08-13 01:03 - 2015-08-13 01:05 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Universe Sandbox ²
2015-08-13 00:02 - 2015-08-13 13:25 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Universe Sandbox
2015-08-13 00:02 - 2015-08-13 00:02 - 00000000 __SHD C:\Users\Samsung 5 Ultra\AppData\Roaming\wyUpdate AU
2015-08-13 00:02 - 2015-08-13 00:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\System
2015-08-13 00:02 - 2015-08-13 00:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Universe Sandbox
2015-08-11 22:31 - 2015-08-11 22:31 - 00000221 _____ C:\Users\Samsung 5 Ultra\Desktop\Total War SHOGUN 2.url
2015-08-07 13:45 - 2015-08-07 13:45 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Klei
2015-08-07 11:52 - 2015-08-07 11:52 - 00000222 _____ C:\Users\Samsung 5 Ultra\Desktop\Invisible, Inc..url
2015-08-07 06:10 - 2015-08-07 06:10 - 00188104 _____ C:\ods.exe
2015-08-05 20:18 - 2015-08-05 20:18 - 00001475 _____ C:\Users\Samsung 5 Ultra\Desktop\nvse_loader.exe - Shortcut.lnk
2015-08-04 16:12 - 2015-08-04 16:12 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\FOMM
2015-08-04 16:09 - 2015-08-30 12:29 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Fallout Mod Manager
2015-08-04 16:09 - 2015-08-04 16:09 - 00000516 _____ C:\Users\Samsung 5 Ultra\Desktop\Fallout Mod Manager.lnk
2015-08-04 16:09 - 2015-08-04 16:09 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\FOMM
2015-08-04 15:53 - 2015-08-04 16:02 - 00000000 ____D C:\Users\Samsung 5 Ultra\Downloads\FNV modding tools
2015-08-02 08:19 - 2015-08-02 08:19 - 00000000 __SHD C:\ProgramData\SecuROM
2015-08-02 08:17 - 2015-08-02 08:17 - 00178800 _____ (Sony DADC Austria AG.) C:\Windows\SysWOW64\CmdLineExt_x64.dll
2015-08-02 08:17 - 2015-08-02 08:17 - 00000000 __RHD C:\Users\Samsung 5 Ultra\AppData\Roaming\SecuROM
2015-08-02 07:56 - 2015-08-02 07:56 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\SCE
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2015-09-01 19:36 - 2015-01-01 05:12 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2081238159-1021517717-438538016-1001
2015-09-01 19:35 - 2015-07-24 14:09 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\GarenaPlus
2015-09-01 19:35 - 2015-07-24 14:07 - 00000000 ____D C:\ProgramData\GarenaMessenger
2015-09-01 19:33 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\system32\sru
2015-09-01 19:32 - 2015-01-01 04:51 - 02018791 _____ C:\Windows\WindowsUpdate.log
2015-09-01 15:19 - 2015-01-26 08:26 - 00000657 _____ C:\Windows\system32\Drivers\etc\hosts.ics
2015-09-01 15:19 - 2013-08-22 21:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-01 10:15 - 2013-08-22 20:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2015-09-01 09:23 - 2015-01-01 05:03 - 00863592 _____ C:\Windows\system32\PerfStringBackup.INI
2015-09-01 09:21 - 2013-08-22 21:46 - 00117773 _____ C:\Windows\setupact.log
2015-09-01 01:15 - 2015-01-03 00:13 - 00000000 ____D C:\Program Files (x86)\Steam
2015-09-01 01:15 - 2015-01-01 05:22 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\AIMP3
2015-08-31 21:12 - 2015-01-01 08:13 - 00001430 _____ C:\Users\Gede A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-08-31 21:12 - 2015-01-01 04:51 - 00001430 _____ C:\Users\Samsung 5 Ultra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2015-08-31 19:40 - 2015-01-01 04:47 - 00186982 _____ C:\Windows\PFRO.log
2015-08-31 19:37 - 2013-08-22 22:36 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2015-08-31 00:57 - 2015-03-18 21:48 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Roaming\vlc
2015-08-30 13:03 - 2015-01-01 08:37 - 00000000 ____D C:\Program Files (x86)\Google
2015-08-30 13:01 - 2015-01-01 11:52 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\Deployment
2015-08-28 08:15 - 2013-08-22 17:06 - 00655872 _____ (Microsoft Corporation) C:\Windows\system32\dnsapi.dll
2015-08-28 08:15 - 2013-08-22 09:55 - 00492032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dnsapi.dll
2015-08-28 08:03 - 2015-01-01 04:51 - 00000000 ____D C:\Users\Samsung 5 Ultra
2015-08-28 06:49 - 2015-01-01 05:17 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-08-28 06:32 - 2015-01-01 04:52 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2015-08-28 06:31 - 2013-08-22 21:44 - 00503480 _____ C:\Windows\system32\FNTCACHE.DAT
2015-08-28 06:07 - 2015-04-13 19:01 - 00000754 _____ C:\Users\Samsung 5 Ultra\Desktop\Phantasy Star Online 2.lnk
2015-08-28 06:06 - 2013-08-23 02:11 - 00000000 ____D C:\Windows\ShellNew
2015-08-28 02:03 - 2015-01-01 04:51 - 00000000 ____D C:\Users\Samsung 5 Ultra\AppData\Local\VirtualStore
2015-08-26 15:05 - 2013-08-22 22:36 - 00000000 ____D C:\Windows\LiveKernelReports
2015-08-25 11:29 - 2015-07-30 15:37 - 00000368 _____ C:\Users\Samsung 5 Ultra\Desktop\songs to download.txt
2015-08-23 01:06 - 2015-01-24 20:57 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\DragonNest
2015-08-18 19:31 - 2015-03-16 20:30 - 00001079 _____ C:\ProgramData\Microsoft\Windows\Start Menu\LINE.lnk
2015-08-18 19:31 - 2015-03-16 20:30 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LINE
2015-08-18 14:06 - 2015-07-24 14:07 - 00000000 ____D C:\Program Files (x86)\Garena Plus
2015-08-18 10:03 - 2013-08-22 20:25 - 00000202 _____ C:\Windows\win.ini
2015-08-13 00:42 - 2013-08-22 22:38 - 00414368 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-08-13 00:41 - 2015-01-01 08:32 - 00225234 _____ C:\Windows\DirectX.log
2015-08-07 18:02 - 2015-04-16 19:50 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\BPA
2015-08-02 08:20 - 2015-07-31 09:37 - 00000000 ____D C:\Users\Samsung 5 Ultra\Documents\Rockstar Games
 
==================== Files in the root of some directories =======
 
2015-08-31 21:12 - 2015-08-31 21:12 - 4241742 _____ (Bycatch) C:\Program Files\Common Files\ug24iysq.exe
2015-06-29 13:16 - 2015-06-29 13:16 - 0007602 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Resmon.ResmonCfg
2015-03-29 14:59 - 2015-05-14 20:55 - 0000000 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Temptable.xml
2015-08-27 23:41 - 2015-08-27 23:41 - 0052736 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe
2015-08-27 23:41 - 2015-08-27 23:41 - 0000187 _____ () C:\Users\Samsung 5 Ultra\AppData\Local\Volity.exe.config
2015-01-01 05:44 - 2015-01-01 05:44 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-03-12 08:41 - 2015-03-12 08:52 - 0000838 _____ () C:\ProgramData\hpzinstall.log
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-08-25 11:18
 
==================== End of FRST.txt ============================




#14 pystryker

pystryker

  • Malware Response Team
  • 730 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:51 PM

Posted 01 September 2015 - 08:48 PM

Hi :)

There are some new files that we need to have VirusTotal analyze. I'm almost positive they are malware, but I have to be sure before I remove them. Please follow the instructions below to scan each one of the files. You'll have to have VirusTotal scan them one at a time, so follow the instructions for each file. :thumbsup:
  • Please go to VirusTotal.org by clicking here
  • Please click on Choose File
  • When the window opens, navigate to the location listed in the first box and select the file that is listed in that location.

    C:\Program Files\Common Files\ariilocx\afe8fsbzgvar5.exe


    C:\ProgramData\IcyCarje\Uninstaller.exe


    C:\Program Files\Common Files\3jpqppjq\ad098olkmz0ew.exe


    C:\Program Files\Common Files\ug24iysq.exe

  • Once you have selected the file, click the blue Scan It! button.
  • VirusTotal will scan the file and produce a report for you. Please copy the link in the address bar when it shows you the report and post it in your next reply.
  • Please repeat the instructions for each one of the files in the boxes.
Things I need to see in your next post:

Links to the 4 VirusTotal Reports

I close my topics if there is no response after 3 days. Please PM a moderator or myself to reopen your topic.

Please PM me only if I'm helping you with your computer issues and I have not responded in 2 days. Please remember, I'm a volunteer and sometimes life does get in the way. :)

Please stay with me until I declare your machine clean. Absence of symptoms does not ensure your machine is clean.

If you'd like to make a donation via Paypal, please click here.
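Added note, not part of pystryker's instructions: the PowerShell snippet below computes the SHA-256 of each of the four files named above and checks its Authenticode signature, so the hash can be looked up on VirusTotal before (or instead of) uploading the file. It assumes only the four paths listed in the post; the `/gui/file/<sha256>` address is VirusTotal's current hash-lookup URL.

```powershell
# Added example: hash and signature check for the files FRST flagged above.
# Run from an elevated PowerShell prompt (Windows 8.1 ships PowerShell 4, which has Get-FileHash).
$paths = @(
    'C:\Program Files\Common Files\ariilocx\afe8fsbzgvar5.exe',
    'C:\ProgramData\IcyCarje\Uninstaller.exe',
    'C:\Program Files\Common Files\3jpqppjq\ad098olkmz0ew.exe',
    'C:\Program Files\Common Files\ug24iysq.exe'
)

foreach ($p in $paths) {
    # -LiteralPath: these names contain no wildcards, but it avoids any globbing surprises.
    if (-not (Test-Path -LiteralPath $p)) {
        # A file that has already been removed (or is hidden) is worth reporting, not skipping.
        Write-Output "MISSING   $p"
        continue
    }

    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    $sig  = Get-AuthenticodeSignature -LiteralPath $p

    # Status is 'Valid' only for an intact signature chaining to a trusted root;
    # anything else ('NotSigned', 'UnknownError', 'HashMismatch') means unsigned or unverifiable.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Write-Output ("{0,-12} {1}" -f $sig.Status, $p)
    Write-Output ("             sha256={0}" -f $hash)
    Write-Output ("             signer={0}" -f $signer)
    # Look the hash up first; a file VirusTotal has already seen needs no upload.
    Write-Output ("             https://www.virustotal.com/gui/file/{0}" -f $hash)
}
```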





#15 meister99

meister99
  • Topic Starter

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:09:51 AM

Posted 02 September 2015 - 09:56 AM

Hi again :)

 

Here are the links to the VirusTotal reports. I couldn't find the Uninstaller.exe though; I've searched the whole computer.

 

C:\Program Files\Common Files\ariilocx\afe8fsbzgvar5.exe
 
C:\ProgramData\IcyCarje\Uninstaller.exe
 
C:\Program Files\Common Files\3jpqppjq\ad098olkmz0ew.exe
 
C:\Program Files\Common Files\ug24iysq.exe




