PROBLEM! Fake svchost.exe and isass.exe consuming all CPU and GPU memories :(


This topic is locked
7 replies to this topic

#1 SarbajitHellboy


Posted 24 September 2015 - 08:51 AM

Hi,
 
Fake svchost.exe and isass.exe are consuming all the CPU and GPU memory on my computer.
Also, there is a long-standing issue with my internet browsers (IE, Chrome and Firefox alike), where pages automatically redirect on every alternate click. Add to that ads on all sides of the browsers.
I am a novice and would like you to help me.
I read about FRST on one forum, downloaded and installed it, and did the scan; I am attaching the logs.
Please help me out and tell me what to do.
 
Regards,
Sarbajit

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:23-09-2015
Ran by HellboY (administrator) on HELLMACHINE (24-09-2015 19:08:06)
Running from G:\Downloads
Loaded Profiles: HellboY (Available Profiles: HellboY)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Advanced Micro Devices) C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe
() C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(BitTorrent Inc.) C:\Users\HellboY\AppData\Roaming\BitTorrent\BitTorrent.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Microsoft) C:\Windows\wnavga.exe
(ATI Technologies Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
(BitTorrent Inc.) C:\Users\HellboY\AppData\Roaming\BitTorrent\updates\7.9.5_41074\utorrentie.exe
(BitTorrent Inc.) C:\Users\HellboY\AppData\Roaming\BitTorrent\updates\7.9.5_41074\utorrentie.exe
(Microsoft Corporation) C:\Windows\System32\schtasks.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Groom-A-Zebu ™ ) C:\Windows\cygavb.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_19_0_0_185.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_19_0_0_185.exe
(Groom-A-Zebu ™ ) C:\Windows\cygavb.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7634288 2014-06-13] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2014-11-20] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2014-02-21] (Intel Corporation)
HKU\S-1-5-21-2823783346-2320787970-324535078-1000\...\Run: [BitTorrent] => C:\Users\HellboY\AppData\Roaming\BitTorrent\BitTorrent.exe [1906536 2015-09-23] (BitTorrent Inc.)
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

AutoConfigURL: [HKLM-x32] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [.DEFAULT] => file://C:\Windows\System32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-19] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-20] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-21-2823783346-2320787970-324535078-1000] => file://C:\Windows\System32\Drivers\winpacket.pac
Hosts: Hosts file not detected in the default directory
Tcpip\..\Interfaces\{09769D41-7725-406F-B49B-45D2A67D029F}: [NameServer] 172.16.0.1,4.2.2.2,8.8.8.8,10.10.0.1,121.242.190.210,121.242.190.181,202.54.1.63,202.54.1.64

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.sweet-page.com/web/?type=ds&ts=1411201421&from=cor&uid=WDCXWD20PURX-64P6ZY0_WD-WCC4M6JF60X8F60X8&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.sweet-page.com/web/?type=ds&ts=1411201421&from=cor&uid=WDCXWD20PURX-64P6ZY0_WD-WCC4M6JF60X8F60X8&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1411201421&from=cor&uid=WDCXWD20PURX-64P6ZY0_WD-WCC4M6JF60X8F60X8&q={searchTerms}
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.sweet-page.com/web/?type=ds&ts=1411201421&from=cor&uid=WDCXWD20PURX-64P6ZY0_WD-WCC4M6JF60X8F60X8&q={searchTerms}
HKU\S-1-5-21-2823783346-2320787970-324535078-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://taplika.com/?f=1&a=tpl_tuto_15_14&cd=2XzuyEtN2Y1L1QzutCtD0CtAyB0Bzy0F0FtB0CyE0F0A0B0CtN0D0Tzu0StCtCzzyDtN1L2XzutAtFzztFtAtFyDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyEyEtD0EyDyDyD0CtGzyyCyCyCtGtAtD0EyEtGtByBtD0DtGyEyD0AyDtByEyD0A0F0B0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzzyB0ByE0AyCyEtGtAzy0BzztGyEyEyC0AtG0AtBzzyDtG0F0FyCzy0EyBtAyEyCtDyEtC2QtN1B2Z1V1T1S1NzuyCtDyC&cr=1030183157&ir=
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://taplika.com/results.php?f=4&q={searchTerms}&a=tpl_tuto_15_13&cd=2XzuyEtN2Y1L1QzutCtD0CtAyB0Bzy0F0FtB0CyE0F0A0B0CtN0D0Tzu0StCtCzztCtN1L2XzutAtFzztFtAtFyDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StBzztBtD0AyDtBtDtGzy0Dzy0FtGtDyCtD0DtGyEtDzz0FtGtD0E0E0DtBtC0D0EtB0EtBtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzzyB0ByE0AyCyEtGtAzy0BzztGyEyEyC0AtG0AtBzzyDtG0F0FyCzy0EyBtAyEyCtDyEtC2QtN1B2Z1V1T1S1NzuyCtDyC&cr=817711647&ir=
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://taplika.com/results.php?f=4&q={searchTerms}&a=tpl_tuto_15_13&cd=2XzuyEtN2Y1L1QzutCtD0CtAyB0Bzy0F0FtB0CyE0F0A0B0CtN0D0Tzu0StCtCzztCtN1L2XzutAtFzztFtAtFyDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StBzztBtD0AyDtBtDtGzy0Dzy0FtGtDyCtD0DtGyEtDzz0FtGtD0E0E0DtBtC0D0EtB0EtBtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzzyB0ByE0AyCyEtGtAzy0BzztGyEyEyC0AtG0AtBzzyDtG0F0FyCzy0EyBtAyEyCtDyEtC2QtN1B2Z1V1T1S1NzuyCtDyC&cr=817711647&ir=
SearchScopes: HKLM -> {589B893E-773C-4941-88C2-0DCC718E621C} URL = hxxp://taplika.com/results.php?f=4&q={searchTerms}&a=tpl_tuto_15_14&cd=2XzuyEtN2Y1L1QzutCtD0CtAyB0Bzy0F0FtB0CyE0F0A0B0CtN0D0Tzu0StCtCzzyDtN1L2XzutAtFzztFtAtFyDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyEyEtD0EyDyDyD0CtGzyyCyCyCtGtAtD0EyEtGtByBtD0DtGyEyD0AyDtByEyD0A0F0B0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzzyB0ByE0AyCyEtGtAzy0BzztGyEyEyC0AtG0AtBzzyDtG0F0FyCzy0EyBtAyEyCtDyEtC2QtN1B2Z1V1T1S1NzuyCtDyC&cr=1030183157&ir=
SearchScopes: HKU\S-1-5-21-2823783346-2320787970-324535078-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://taplika.com/results.php?f=4&q={searchTerms}&a=tpl_tuto_15_13&cd=2XzuyEtN2Y1L1QzutCtD0CtAyB0Bzy0F0FtB0CyE0F0A0B0CtN0D0Tzu0StCtCzztCtN1L2XzutAtFzztFtAtFyDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StBzztBtD0AyDtBtDtGzy0Dzy0FtGtDyCtD0DtGyEtDzz0FtGtD0E0E0DtBtC0D0EtB0EtBtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzzyB0ByE0AyCyEtGtAzy0BzztGyEyEyC0AtG0AtBzzyDtG0F0FyCzy0EyBtAyEyCtDyEtC2QtN1B2Z1V1T1S1NzuyCtDyC&cr=817711647&ir=
SearchScopes: HKU\S-1-5-21-2823783346-2320787970-324535078-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://taplika.com/results.php?f=4&q={searchTerms}&a=tpl_tuto_15_13&cd=2XzuyEtN2Y1L1QzutCtD0CtAyB0Bzy0F0FtB0CyE0F0A0B0CtN0D0Tzu0StCtCzztCtN1L2XzutAtFzztFtAtFyDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2StBzztBtD0AyDtBtDtGzy0Dzy0FtGtDyCtD0DtGyEtDzz0FtGtD0E0E0DtBtC0D0EtB0EtBtC2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzzyB0ByE0AyCyEtGtAzy0BzztGyEyEyC0AtG0AtBzzyDtG0F0FyCzy0EyBtAyEyCtDyEtC2QtN1B2Z1V1T1S1NzuyCtDyC&cr=817711647&ir=
SearchScopes: HKU\S-1-5-21-2823783346-2320787970-324535078-1000 -> {589B893E-773C-4941-88C2-0DCC718E621C} URL = hxxp://taplika.com/results.php?f=4&q={searchTerms}&a=tpl_tuto_15_14&cd=2XzuyEtN2Y1L1QzutCtD0CtAyB0Bzy0F0FtB0CyE0F0A0B0CtN0D0Tzu0StCtCzzyDtN1L2XzutAtFzztFtAtFyDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyEyEtD0EyDyDyD0CtGzyyCyCyCtGtAtD0EyEtGtByBtD0DtGyEyD0AyDtByEyD0A0F0B0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzzyB0ByE0AyCyEtGtAzy0BzztGyEyEyC0AtG0AtBzzyDtG0F0FyCzy0EyBtAyEyCtDyEtC2QtN1B2Z1V1T1S1NzuyCtDyC&cr=1030183157&ir=
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
BHO-x32: SmarterPower -> {bd7c9b62-a7d9-4405-be51-7fd633f08791} -> C:\Program Files (x86)\SmarterPower\SmarterPowerbho.dll [2014-09-20] (SmarterPower)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default
FF Homepage: about:home
FF NetworkProxy: "type", 4
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-09-23] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-23] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-03-20] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-03-20] (Intel Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> G:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF user.js: detected! => C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\user.js [2014-09-20]
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npatgpc.dll [2014-12-01] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Users\HellboY\AppData\Roaming\mozilla\plugins\npatgpc.dll [2014-12-01] (Cisco WebEx LLC)
FF SearchPlugin: C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\searchplugins\taplika.xml [2015-03-28]
FF Extension: Mozilla Firefox Hotfixer - C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\Extensions\veggy@veggyAddon.com [2015-03-29]
FF Extension: Firefox Security Update - C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\Extensions\jid1-aMet0JAAbFecLw@jetpack.xpi [2015-03-12]
FF Extension: Adblock Plus - C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-03-28]
FF Extension: Firefox Security Update - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\jid1-aMet0JAAbFecLw@jetpack.xpi [2015-08-27]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\browser\defaults\preferences\prefs.js [2015-08-27]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.co.in/
CHR StartupUrls: Default -> "hxxp://www.google.co.in/","hxxp://www.sweet-page.com/?type=hp&ts=1399745718&from=cor&uid=ST3500418AS_5VM7XGY2XXXX5VM7XGY2","hxxp://www.search.ask.com/?o=APN11459&gct=hp&d=488-209&v=n12521-389&t=4","hxxp://www.search.ask.com/?o=APN11459&gct=hp&d=488-209&v=a12834-389&t=4","hxxp://www.search.ask.com/?o=APN11459&gct=hp&d=488-209&v=a13277-389&t=4","hxxp://rts.dsrlte.com?affID=na","hxxp://www.google.com","hxxp://taplika.com/?f=7&a=&cd=&cr=&ir=","hxxp://taplika.com/?f=7&a=tpl_tuto_15_14&cd=2XzuyEtN2Y1L1QzutCtD0CtAyB0Bzy0F0FtB0CyE0F0A0B0CtN0D0Tzu0StCtCzzyDtN1L2XzutAtFzztFtAtFyDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyEyEtD0EyDyDyD0CtGzyyCyCyCtGtAtD0EyEtGtByBtD0DtGyEyD0AyDtByEyD0A0F0B0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzzyB0ByE0AyCyEtGtAzy0BzztGyEyEyC0AtG0AtBzzyDtG0F0FyCzy0EyBtAyEyCtDyEtC2QtN1B2Z1V1T1S1NzuyCtDyC&cr=1030183157&ir="
CHR DefaultSearchURL: Default -> hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
CHR DefaultSearchKeyword: Default -> google.com__
CHR Profile: C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-09-20]
CHR Extension: (Angry Birds) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2015-02-21]
CHR Extension: (Forge of Empires) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\anaphblkfplenhkephgneolhnmjminjg [2015-02-21]
CHR Extension: (Google Docs) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-09-20]
CHR Extension: (Google Drive) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-09-20]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-03-13]
CHR Extension: (EverSave) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\bghejdcdajlenjngcknlkkoakmmjfanb [2015-07-04]
CHR Extension: (YouTube) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-20]
CHR Extension: (Рашка) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\chhdogkpkeolfmbdonbapmbgnleekgjn [2015-02-21]
CHR Extension: (Google Search) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-09-20]
CHR Extension: (The Godfather: Five Families) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\edfkoljdeffeedleidebkmmamepgbnbl [2015-02-21]
CHR Extension: (Google Sheets) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-09-20]
CHR Extension: (Google Docs Offline) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-05]
CHR Extension: (MS Updater) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\iadddcofhgaeeniecnhpopipbhijnphj [2015-06-03]
CHR Extension: (ijacdiajfhmmglphbglbgjjldcpfkglj) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijacdiajfhmmglphbglbgjjldcpfkglj [2015-06-07]
CHR Extension: (EverSave) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\jddmfogomafbmjkfcpfpnjfgecnjffng [2015-06-13]
CHR Extension: (Cisco WebEx Extension) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2015-02-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Bleaner) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\lkadffjmnaiokkdncgdlecdegajoiemi [2015-06-03]
CHR Extension: (Furniture Guru) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\lopcjmbilgeapfldddijpgpahphngjdk [2015-09-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-20]
CHR Extension: (Search People) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\papbadoldddalgcjcicnikcfenodpghp [2015-04-28]
CHR Extension: (Gmail) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-09-20]
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - D:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
CHR HKLM\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - hxxps://clients2.google.com/service/update2/crx

Opera:
=======
OPR Extension: (ijacdiajfhmmglphbglbgjjldcpfkglj) - C:\Users\HellboY\AppData\Roaming\Opera Software\Opera Stable\Extensions\ijacdiajfhmmglphbglbgjjldcpfkglj [2015-06-07]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 amdacpusrsvc; C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe [116224 2014-11-20] (Advanced Micro Devices) [File not signed]
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [936728 2014-06-18] ()
S4 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe [1360016 2014-06-18] () [File not signed]
S4 IePluginServices; C:\ProgramData\IePluginServices\PluginService.exe [715656 2014-09-20] (Cherished Technololgy LIMITED)
S4 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887232 2014-01-31] (Intel® Corporation)
S4 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-03-20] (Intel Corporation)
S4 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.285\McCHSvc.exe [234776 2012-09-05] (McAfee, Inc.)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2077192 2015-09-16] (Electronic Arts)
S3 PAExec; C:\Windows\PAExec.exe [207872 2014-12-20] (Power Admin LLC) [File not signed]
S4 Update SmarterPower; C:\Program Files (x86)\SmarterPower\updateSmarterPower.exe [325368 2014-09-22] ()
S4 Util SmarterPower; C:\Program Files (x86)\SmarterPower\bin\utilSmarterPower.exe [325368 2014-09-22] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
R2 WinGraph; C:\Windows\wnavga.exe [8192 2015-04-23] (Microsoft) [File not signed]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 amdacpksd; C:\Windows\system32\drivers\amdacpksd.sys [294600 2014-11-21] (Advanced Micro Devices)
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2014-06-18] ()
R1 CLVirtualDrive1.1; C:\Windows\System32\DRIVERS\CLVirtualDrive1_1.sys [91912 2013-06-03] (CyberLink)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2014-09-20] (Disc Soft Ltd)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [487704 2014-03-14] (Intel Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [118272 2014-03-20] (Intel Corporation)
R1 {5eeb83d0-96ea-4249-942c-beead6847053}Gw64; C:\Windows\System32\drivers\{5eeb83d0-96ea-4249-942c-beead6847053}Gw64.sys [44696 2014-09-19] (StdLib)
S1 BAPIDRV; system32\DRIVERS\BAPIDRV64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-24 19:08 - 2015-09-24 19:08 - 00000000 ____D C:\FRST
2015-09-24 18:02 - 2015-09-24 18:41 - 00000336 _____ C:\Windows\setupact.log
2015-09-24 18:02 - 2015-09-24 18:02 - 00000000 _____ C:\Windows\setuperr.log
2015-09-23 11:42 - 2015-09-23 12:33 - 00000000 ____D C:\Users\HellboY\Documents\FIFA 16
2015-09-23 10:46 - 2015-09-23 10:46 - 00001147 _____ C:\Users\Public\Desktop\FIFA 16.lnk
2015-09-23 10:46 - 2015-09-23 10:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FIFA 16
2015-09-23 09:59 - 2015-09-23 09:59 - 18819272 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-09-17 12:40 - 2015-09-17 12:40 - 00018990 _____ C:\Users\HellboY\Desktop\Top Potential FIFA 16.xlsx
2015-09-13 13:06 - 2015-09-13 13:11 - 00000000 ____D C:\Users\HellboY\Documents\FIFA 16 Demo
2015-09-13 10:18 - 2015-09-13 10:18 - 00000000 ____D C:\Users\HellboY\Documents\Adobe
2015-08-27 23:48 - 2015-08-28 10:47 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-24 19:06 - 2014-09-20 11:11 - 00000000 ____D C:\Users\HellboY\AppData\Roaming\BitTorrent
2015-09-24 18:59 - 2014-12-28 13:18 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-09-24 18:47 - 2009-07-14 10:43 - 00779724 _____ C:\Windows\system32\PerfStringBackup.INI
2015-09-24 18:46 - 2009-07-14 10:15 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-09-24 18:46 - 2009-07-14 10:15 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-09-24 18:43 - 2015-05-29 09:10 - 00841161 _____ C:\Windows\WindowsUpdate.log
2015-09-24 18:43 - 2014-09-20 13:25 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-24 18:41 - 2014-09-20 13:25 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-24 18:41 - 2009-07-14 10:38 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-24 18:40 - 2014-12-20 17:55 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2015-09-24 18:18 - 2014-09-20 14:13 - 00000000 ____D C:\Windows\pss
2015-09-24 17:59 - 2014-09-21 13:38 - 00000000 ____D C:\Windows\Panther
2015-09-24 17:59 - 2014-09-20 14:16 - 00000000 ____D C:\Users\HellboY\AppData\Roaming\DAEMON Tools Lite
2015-09-24 17:52 - 2014-09-20 11:37 - 00000000 ____D C:\ProgramData\Origin
2015-09-24 12:08 - 2014-09-23 21:48 - 00000000 ____D C:\Users\HellboY\AppData\Roaming\vlc
2015-09-24 00:14 - 2014-09-23 00:22 - 00000000 ____D C:\Program Files (x86)\Origin Games
2015-09-24 00:14 - 2009-07-14 11:02 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-09-23 12:14 - 2014-09-20 11:22 - 00000000 ____D C:\Users\HellboY\Desktop\Hell Games
2015-09-23 09:59 - 2014-12-28 13:18 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2015-09-23 09:59 - 2014-09-20 12:25 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-09-23 09:59 - 2014-09-20 12:25 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-09-23 09:47 - 2015-04-27 13:03 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-09-16 23:38 - 2014-09-20 13:25 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-09-16 23:38 - 2014-09-20 13:25 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-09-16 02:36 - 2014-09-22 23:21 - 00000000 ____D C:\Program Files (x86)\Origin
2015-09-16 00:19 - 2014-09-20 13:25 - 00000000 ____D C:\Users\HellboY\AppData\Local\Google
2015-09-13 12:09 - 2014-09-20 09:58 - 00000000 ____D C:\ProgramData\Package Cache
2015-09-13 10:18 - 2014-09-20 12:34 - 00000000 ____D C:\Users\HellboY\AppData\Roaming\Adobe
2015-09-13 09:48 - 2015-04-18 19:50 - 00036433 _____ C:\ProgramData\GeorgeYohngVST.ini
2015-09-13 09:48 - 2015-01-01 18:14 - 00000000 ____D C:\Users\HellboY\AppData\Roaming\foobar2000
2015-08-31 14:32 - 2014-09-20 11:46 - 00000771 _____ C:\Users\HellboY\Documents\Puja Expense Original.txt
2015-08-28 23:59 - 2014-09-20 10:22 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2015-08-27 23:26 - 2014-09-20 11:34 - 00014666 _____ C:\Users\HellboY\Desktop\Dadan Shares.xlsx

==================== Files in the root of some directories =======

2015-03-27 00:44 - 2015-03-27 00:44 - 0004185 _____ () C:\Users\HellboY\AppData\Roaming\GRWPM
2015-04-20 08:53 - 2015-04-20 08:53 - 1339904 _____ (Plus HDV19.04) C:\Users\HellboY\AppData\Roaming\GRWPM.exe
2015-04-01 09:13 - 2015-04-01 09:13 - 1497600 _____ (Plus HDV30.03) C:\Users\HellboY\AppData\Roaming\ICZVOKY.exe
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\Users\HellboY\AppData\Roaming\Phaser
2015-05-06 20:56 - 2015-05-06 20:56 - 0000268 ___RH () C:\Users\HellboY\AppData\Roaming\Piano
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\Users\HellboY\AppData\Roaming\Piano Hard
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\Users\HellboY\AppData\Roaming\Pop Flute
2015-03-27 23:49 - 2015-03-27 23:49 - 1947136 _____ (Plus HDV26.03) C:\Users\HellboY\AppData\Roaming\SYUQNQDX.exe
2014-11-01 19:07 - 2015-05-22 12:15 - 0000145 _____ () C:\Users\HellboY\AppData\Roaming\WB.CFG
2015-03-28 00:49 - 2015-03-28 00:49 - 0000001 _____ () C:\Users\HellboY\AppData\Local\DSI.DAT
2014-10-08 18:19 - 2014-10-08 18:19 - 0000000 _____ () C:\Users\HellboY\AppData\Local\{F5F725E5-DFE7-4D75-AD51-829F8A3E09C2}
2014-09-20 10:01 - 2014-09-20 10:01 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-04-18 19:50 - 2015-09-13 09:48 - 0036433 _____ () C:\ProgramData\GeorgeYohngVST.ini
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\ProgramData\Pianos and Keyboards
2015-05-06 20:56 - 2015-05-06 20:56 - 0000268 ___RH () C:\ProgramData\Pick Bass
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\ProgramData\Pipe Organ
2015-05-06 20:55 - 2015-05-06 20:55 - 0000020 ____H () C:\ProgramData\PKP_DLeo.DAT
2015-05-06 20:56 - 2015-05-06 20:56 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2015-05-06 20:55 - 2015-05-06 20:55 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2015-05-06 20:55 - 2015-05-06 20:55 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\ProgramData\Printers

Files to move or delete:
====================
C:\Users\HellboY\AppData\Roaming\Origin\update.vbe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-09-24 11:59

==================== End of FRST.txt ============================



Edited by nasdaq, 27 September 2015 - 08:00 AM.




#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 27 September 2015 - 04:02 PM

Hello SarbajitHellboy,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions.

 

1.

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer.
  • After the scan has finished...
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

2.

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close

 

3.

Please delete the copy of FRST you have and follow these directions.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please copy and paste log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.


"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 SarbajitHellboy

SarbajitHellboy
  • Topic Starter

  • Members
  • 3 posts

Posted 28 September 2015 - 01:57 PM

Hi fireman4it,

 

Thanks a lot for helping me on this! And thanks to BleepingComputer!

 

The ad problem on my browser is still there, as well as the constant redirection to unwanted pages. Also, I had to add a space after the B in the brackets of the Emsisoft Emergency Kit log, as they were coming up as emoticons and I wasn't being allowed to post.

I haven't seen the CPU and GPU killing process yet after starting the steps, though.

PFB the logs. Please let me know the set of actions.

 

ADWCleaner

 

# AdwCleaner v5.009 - Logfile created 28/09/2015 at 23:51:28
# Updated 27/09/2015 by Xplode
# Database : 2015-09-27.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : HellboY - HELLMACHINE
# Running from : G:\Downloads\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : IePluginServices

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\globalUpdate
[-] Folder Deleted : C:\Program Files (x86)\predm
[-] Folder Deleted : C:\Program Files (x86)\SmarterPower
[-] Folder Deleted : C:\Program Files (x86)\GUPlayer
[-] Folder Deleted : C:\ProgramData\Browser
[-] Folder Deleted : C:\ProgramData\IePluginServices
[-] Folder Deleted : C:\ProgramData\WindowsMangerProtect
[-] Folder Deleted : C:\ProgramData\radio
[!] Folder Not Deleted : C:\ProgramData\IePluginServices
[-] Folder Deleted : C:\Users\HellboY\AppData\Local\globalUpdate
[-] Folder Deleted : C:\Users\HellboY\AppData\Local\pdfforge
[-] Folder Deleted : C:\Users\HellboY\AppData\Local\PriceFountain
[-] Folder Deleted : C:\Users\HellboY\AppData\Local\Motion_Apps
[-] Folder Deleted : C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\papbadoldddalgcjcicnikcfenodpghp
[-] Folder Deleted : C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\lkadffjmnaiokkdncgdlecdegajoiemi
[-] Folder Deleted : C:\Users\HellboY\AppData\Roaming\PriceFountain
[-] Folder Deleted : C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\Extensions\veggy@veggyAddon.com
[-] Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\speed browser

***** [ Files ] *****

[-] File Deleted : C:\END
[-] File Deleted : C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\invalidprefs.js
[-] File Deleted : C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\searchplugins\Taplika.xml
[-] File Deleted : C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\user.js
[-] File Deleted : C:\Windows\Sysnative\drivers\{5eeb83d0-96ea-4249-942c-beead6847053}Gw64.sys

***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

[-] Task Deleted : Winupdate
[-] Task Deleted : EssentialUpdateMachine
[-] Task Deleted : Adobe Flash Player Updater

***** [ Registry ] *****

[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\IePluginServices
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WindowsMangerProtect
[-] Key Deleted : HKCU\Software\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BD7C9B62-A7D9-4405-BE51-7FD633F08791}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD7C9B62-A7D9-4405-BE51-7FD633F08791}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD7C9B62-A7D9-4405-BE51-7FD633F08791}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BD7C9B62-A7D9-4405-BE51-7FD633F08791}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
[-] Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{589B893E-773C-4941-88C2-0DCC718E621C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{589B893E-773C-4941-88C2-0DCC718E621C}
[-] Key Deleted : HKU\.DEFAULT\Software\Browser
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
[-] Key Deleted : HKCU\Software\GlobalUpdate
[-] Key Deleted : HKCU\Software\InstallCore
[-] Key Deleted : HKCU\Software\SupHpUISoft
[-] Key Deleted : HKCU\Software\GAMESDESKTOP
[-] Key Deleted : HKCU\Software\YorkNewCin
[-] Key Deleted : HKCU\Software\HighDefAction
[-] Key Deleted : HKCU\Software\ArenaHD
[-] Key Deleted : HKCU\Software\Ebon
[-] Key Deleted : HKCU\Software\Browser
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
[-] Key Deleted : HKCU\Software\AppDataLow\Software\DynConIE
[-] Key Deleted : HKLM\SOFTWARE\AppDataLow\SOFTWARE\Crossrider
[-] Key Deleted : HKLM\SOFTWARE\AppDataLow\SOFTWARE\_CrossriderRegNamePlaceHolder_
[-] Key Deleted : HKLM\SOFTWARE\GlobalUpdate
[-] Key Deleted : HKLM\SOFTWARE\SupTab
[-] Key Deleted : HKLM\SOFTWARE\supWindowsMangerProtect
[-] Key Deleted : HKLM\SOFTWARE\sweet-pageSoftware
[-] Key Deleted : HKLM\SOFTWARE\Tutorials
[-] Key Deleted : HKLM\SOFTWARE\SpeedBrowser
[-] Key Deleted : HKLM\SOFTWARE\SiteSee
[-] Key Deleted : HKLM\SOFTWARE\YorkNewCin
[-] Key Deleted : HKLM\SOFTWARE\HighDefAction
[-] Key Deleted : HKLM\SOFTWARE\ArenaHD
[-] Key Deleted : HKLM\SOFTWARE\Ebon
[-] Key Deleted : HKLM\SOFTWARE\ebon.org
[!] Key Not Deleted : [x64] HKCU\Software\GlobalUpdate
[!] Key Not Deleted : [x64] HKCU\Software\InstallCore
[!] Key Not Deleted : [x64] HKCU\Software\SupHpUISoft
[!] Key Not Deleted : [x64] HKCU\Software\GAMESDESKTOP
[!] Key Not Deleted : [x64] HKCU\Software\YorkNewCin
[!] Key Not Deleted : [x64] HKCU\Software\HighDefAction
[!] Key Not Deleted : [x64] HKCU\Software\ArenaHD
[!] Key Not Deleted : [x64] HKCU\Software\Ebon
[!] Key Not Deleted : [x64] HKCU\Software\Browser
[-] Key Deleted : [x64] HKLM\SOFTWARE\YorkNewCin
[-] Key Deleted : [x64] HKLM\SOFTWARE\HighDefAction
[-] Key Deleted : [x64] HKLM\SOFTWARE\ArenaHD
[-] Key Deleted : [x64] HKLM\SOFTWARE\Ebon
[-] Key Deleted : [x64] HKLM\SOFTWARE\Ebonmedia
[!] Key Not Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
[!] Key Not Deleted : HKU\S-1-5-21-2823783346-2320787970-324535078-1000\Software\AppDataLow\Software\Crossrider
[!] Key Not Deleted : HKU\S-1-5-21-2823783346-2320787970-324535078-1000\Software\AppDataLow\Software\DynConIE
[!] Key Not Deleted : HKU\S-1-5-18\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GLOBALUPDATE.EXE
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
[-] Data Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
[-] Data Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
[-] Data Restored : HKU\S-1-5-21-2823783346-2320787970-324535078-1000\Software\Microsoft\Internet Explorer\Main [Start Page]
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[!] Key Not Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{589B893E-773C-4941-88C2-0DCC718E621C}
[!] Key Not Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data Restored : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[!] Key Not Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{589B893E-773C-4941-88C2-0DCC718E621C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{589B893E-773C-4941-88C2-0DCC718E621C}
[!] Key Not Deleted : HKU\S-1-5-21-2823783346-2320787970-324535078-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Data Restored : HKU\S-1-5-21-2823783346-2320787970-324535078-1000\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope]
[!] Key Not Deleted : HKU\S-1-5-21-2823783346-2320787970-324535078-1000\Software\Microsoft\Internet Explorer\SearchScopes\{589B893E-773C-4941-88C2-0DCC718E621C}

***** [ Web browsers ] *****

[-] [C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\prefs.js] [Preference] Deleted : user_pref("extensions.crossrider.bic", "14c5fc1a95aec3a40551def97eaec016");
[-] [C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\prefs.js] [Preference] Deleted : user_pref("extensions.quick_start.enable_search1", false);
[-] [C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\prefs.js] [Preference] Deleted : user_pref("extensions.quick_start.sd.closeWindowWithLastTab_prev_state", false);
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : yahoo! search
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : taplika.com
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : taplika.com_
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://www.sweet-page.com/?type=hp&ts=1399745718&from=cor&uid=ST3500418AS_5VM7XGY2XXXX5VM7XGY2
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://www.search.ask.com/?o=APN11459&gct=hp&d=488-209&v=n12521-389&t=4
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://www.search.ask.com/?o=APN11459&gct=hp&d=488-209&v=a12834-389&t=4
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://www.search.ask.com/?o=APN11459&gct=hp&d=488-209&v=a13277-389&t=4
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://rts.dsrlte.com?affID=na
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://taplika.com/?f=7&a=&cd=&cr=&ir=
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Startup_URLs] Deleted : hxxp://taplika.com/?f=7&a=tpl_tuto_15_14&cd=2XzuyEtN2Y1L1QzutCtD0CtAyB0Bzy0F0FtB0CyE0F0A0B0CtN0D0Tzu0StCtCzzyDtN1L2XzutAtFzztFtAtFyDtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyEyEtD0EyDyDyD0CtGzyyCyCyCtGtAtD0EyEtGtByBtD0DtGyEyD0AyDtByEyD0A0F0B0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2StBzzyB0ByE0AyCyEtGtAzy0BzztGyEyEyC0AtG0AtBzzyDtG0F0FyCzy0EyBtAyEyCtDyEtC2QtN1B2Z1V1T1S1NzuyCtDyC&cr=1030183157&ir=
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : lfkjojacgdjkninepeghaamnapdjmlfn
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : lkadffjmnaiokkdncgdlecdegajoiemi
[-] [C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : papbadoldddalgcjcicnikcfenodpghp

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [12508 bytes] ##########
 

 

Emsisoft Emergency Kit

 

Emsisoft Emergency Kit - Version 10.0
Last update: 29-09-2015 00:13:51
User account: HellmachinE\HellboY

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    29-09-2015 00:17:52
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\MNTZ_INSTALLER_RASAPI32     detected: Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\MNTZ_INSTALLER_RASMANCS     detected: Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASAPI32     detected: Application.Win32.InstallExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASMANCS     detected: Application.Win32.InstallExt (A)
C:\Program Files (x86)\Mozilla Firefox\cfg     detected: Adware.Mplug.JX (B )
C:\Users\HellboY\AppData\Roaming\GRWPM.exe     detected: Gen:Application.Heur.rv0@mWAMAloO (B )
C:\Users\HellboY\AppData\Roaming\ICZVOKY.exe     detected: Gen:Application.Heur.Bv0@mWXOD5gO (B )
C:\Users\HellboY\AppData\Roaming\Origin\update.vbe     detected: Trojan.Downloader.VBS.EZ (B )
C:\Users\HellboY\AppData\Roaming\SYUQNQDX.exe     detected: Gen:Application.Heur.2v0@miWl17dO (B )
C:\Windows\memupdate.exe     detected: Trojan.Agent.BKKM (B )
C:\Windows\wuappl.exe     detected: Trojan.Agent.BKKM (B )

Scanned    72270
Found    11

Scan end:    29-09-2015 00:18:05
Scan time:    0:00:13

C:\Windows\wuappl.exe    Quarantined Trojan.Agent.BKKM (B )
C:\Windows\memupdate.exe    Quarantined Trojan.Agent.BKKM (B )
C:\Users\HellboY\AppData\Roaming\SYUQNQDX.exe    Quarantined Gen:Application.Heur.2v0@miWl17dO (B )
C:\Users\HellboY\AppData\Roaming\Origin\update.vbe    Quarantined Trojan.Downloader.VBS.EZ (B )
C:\Users\HellboY\AppData\Roaming\ICZVOKY.exe    Quarantined Gen:Application.Heur.Bv0@mWXOD5gO (B )
C:\Users\HellboY\AppData\Roaming\GRWPM.exe    Quarantined Gen:Application.Heur.rv0@mWAMAloO (B )
C:\Program Files (x86)\Mozilla Firefox\cfg    Quarantined Adware.Mplug.JX (B )
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASMANCS    Quarantined Application.Win32.InstallExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASAPI32    Quarantined Application.Win32.InstallExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\MNTZ_INSTALLER_RASMANCS    Quarantined Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\MNTZ_INSTALLER_RASAPI32    Quarantined Application.Toolbar (A)

Quarantined    11
 

 

FRST

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-09-2015 01
Ran by HellboY (administrator) on HELLMACHINE (29-09-2015 00:19:57)
Running from G:\Downloads
Loaded Profiles: HellboY (Available Profiles: HellboY)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Advanced Micro Devices) C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe
() C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files\Windows Sidebar\sidebar.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\MOM.exe
(Microsoft) C:\Windows\wnavga.exe
(ATI Technologies Inc.) C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\System32\schtasks.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_19_0_0_185.exe
(Adobe Systems, Inc.) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_19_0_0_185.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Emsisoft Ltd) C:\EEK\bin\a2emergencykit.exe
(Microsoft Corporation) C:\Windows\SysWOW64\notepad.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7634288 2014-06-13] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\AMD\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2014-11-20] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [292848 2014-02-21] (Intel Corporation)
HKU\S-1-5-21-2823783346-2320787970-324535078-1000\...\Run: [BitTorrent] => C:\Users\HellboY\AppData\Roaming\BitTorrent\BitTorrent.exe [1832808 2015-09-26] (BitTorrent Inc.)
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

AutoConfigURL: [HKLM-x32] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [.DEFAULT] => file://C:\Windows\System32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-19] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-20] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-21-2823783346-2320787970-324535078-1000] => file://C:\Windows\System32\Drivers\winpacket.pac
Hosts: Hosts file not detected in the default directory
Tcpip\..\Interfaces\{09769D41-7725-406F-B49B-45D2A67D029F}: [NameServer] 172.16.0.1,4.2.2.2,8.8.8.8,10.10.0.1,121.242.190.210,121.242.190.181,202.54.1.63,202.54.1.64

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2823783346-2320787970-324535078-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2006-10-27] (Microsoft Corporation)
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
StartMenuInternet: IEXPLORE.EXE - iexplore.exe

FireFox:
========
FF ProfilePath: C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default
FF Homepage: about:home
FF NetworkProxy: "type", 4
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_185.dll [2015-09-23] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll [2015-09-23] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=4.0.5 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2014-03-20] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2014-03-20] (Intel Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-16] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> G:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2015-06-29] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npatgpc.dll [2014-12-01] (Cisco WebEx LLC)
FF Plugin ProgramFiles/Appdata: C:\Users\HellboY\AppData\Roaming\mozilla\plugins\npatgpc.dll [2014-12-01] (Cisco WebEx LLC)
FF Extension: Firefox Security Update - C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\Extensions\jid1-aMet0JAAbFecLw@jetpack.xpi [2015-03-12]
FF Extension: Adblock Plus - C:\Users\HellboY\AppData\Roaming\Mozilla\Firefox\Profiles\8xepv2wb.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-03-28]
FF Extension: Firefox Security Update - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\jid1-aMet0JAAbFecLw@jetpack.xpi [2015-08-27]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\browser\defaults\preferences\prefs.js [2015-08-27]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.co.in/
CHR StartupUrls: Default -> "hxxp://www.google.co.in/","hxxp://www.google.com"
CHR DefaultSearchURL: Default -> hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
CHR DefaultSearchKeyword: Default -> google.com__
CHR Profile: C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2014-09-20]
CHR Extension: (Angry Birds) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2015-02-21]
CHR Extension: (Forge of Empires) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\anaphblkfplenhkephgneolhnmjminjg [2015-02-21]
CHR Extension: (Google Docs) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2014-09-20]
CHR Extension: (Google Drive) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-09-20]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-03-13]
CHR Extension: (EverSave) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\bghejdcdajlenjngcknlkkoakmmjfanb [2015-07-04]
CHR Extension: (YouTube) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2014-09-20]
CHR Extension: (Рашка) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\chhdogkpkeolfmbdonbapmbgnleekgjn [2015-02-21]
CHR Extension: (Google Search) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-09-20]
CHR Extension: (The Godfather: Five Families) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\edfkoljdeffeedleidebkmmamepgbnbl [2015-02-21]
CHR Extension: (Google Sheets) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2014-09-20]
CHR Extension: (Google Docs Offline) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-09-05]
CHR Extension: (MS Updater) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\iadddcofhgaeeniecnhpopipbhijnphj [2015-06-03]
CHR Extension: (ijacdiajfhmmglphbglbgjjldcpfkglj) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijacdiajfhmmglphbglbgjjldcpfkglj [2015-06-07]
CHR Extension: (EverSave) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\jddmfogomafbmjkfcpfpnjfgecnjffng [2015-06-13]
CHR Extension: (Cisco WebEx Extension) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2015-02-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-13]
CHR Extension: (Furniture Guru) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\lopcjmbilgeapfldddijpgpahphngjdk [2015-09-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-09-20]
CHR Extension: (Gmail) - C:\Users\HellboY\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-09-20]
CHR HKLM\...\Chrome\Extension: [jeaohhlajejodfjadcponpnjgkiikocn] - D:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
CHR HKLM\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [akhdblbjebmbllhinponghfmaekhlhob] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bghejdcdajlenjngcknlkkoakmmjfanb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cckdoammdligdedbakcgnmegjljgipjb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [clmghkfhfkcfhpccgbafbailibgogkbi] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eajjckckolcbgmmenaiiigegbadpeghb] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [eoepodkgpakekgncgnfnijcippobokhp] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iadddcofhgaeeniecnhpopipbhijnphj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iedokolghlgkcnafplkbjeokfamliokd] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jddmfogomafbmjkfcpfpnjfgecnjffng] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [kpmccjcnkhkgcipodalpmbpighkgiaif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lfkjojacgdjkninepeghaamnapdjmlfn] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lopcjmbilgeapfldddijpgpahphngjdk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [mhgliccaogcekoldfmachhehepjdfobj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [nfkbfmjkmioenefhjdonleflegoephgm] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [pedogdjgmjlabbbdhokgdafpglnjinhc] - hxxps://clients2.google.com/service/update2/crx

Opera:
=======
OPR Extension: (ijacdiajfhmmglphbglbgjjldcpfkglj) - C:\Users\HellboY\AppData\Roaming\Opera Software\Opera Stable\Extensions\ijacdiajfhmmglphbglbgjjldcpfkglj [2015-06-07]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 amdacpusrsvc; C:\Program Files\AMD\{920DEC42-4CA5-4d1d-9487-67BE645CDDFC}\amdacpusrsvc.exe [116224 2014-11-20] (Advanced Micro Devices) [File not signed]
R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe [936728 2014-06-18] ()
S4 AsSysCtrlService; C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.22\AsSysCtrlService.exe [1360016 2014-06-18] () [File not signed]
S4 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887232 2014-01-31] (Intel® Corporation)
S4 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-03-20] (Intel Corporation)
S4 McComponentHostService; C:\Program Files (x86)\McAfee Security Scan\3.0.285\McCHSvc.exe [234776 2012-09-05] (McAfee, Inc.)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2078216 2015-09-26] (Electronic Arts)
S3 PAExec; C:\Windows\PAExec.exe [207872 2014-12-20] (Power Admin LLC) [File not signed]
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
R2 WinGraph; C:\Windows\wnavga.exe [8192 2015-04-23] (Microsoft) [File not signed]
S4 Update SmarterPower; "C:\Program Files (x86)\SmarterPower\updateSmarterPower.exe" [X]
S4 Util SmarterPower; "C:\Program Files (x86)\SmarterPower\bin\utilSmarterPower.exe" [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 amdacpksd; C:\Windows\system32\drivers\amdacpksd.sys [294600 2014-11-21] (Advanced Micro Devices)
R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2014-06-18] ()
R1 CLVirtualDrive1.1; C:\Windows\System32\DRIVERS\CLVirtualDrive1_1.sys [91912 2013-06-03] (CyberLink)
R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283064 2014-09-20] (Disc Soft Ltd)
R3 e1dexpress; C:\Windows\System32\DRIVERS\e1d62x64.sys [487704 2014-03-14] (Intel Corporation)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
R1 epp64; C:\EEK\bin\epp64.sys [136456 2015-09-23] (Emsisoft GmbH)
R3 MEIx64; C:\Windows\System32\DRIVERS\TeeDriverx64.sys [118272 2014-03-20] (Intel Corporation)
S1 {5eeb83d0-96ea-4249-942c-beead6847053}Gw64; system32\drivers\{5eeb83d0-96ea-4249-942c-beead6847053}Gw64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-29 00:07 - 2015-09-29 00:07 - 00000743 _____ C:\Users\HellboY\Desktop\Start Emsisoft Emergency Kit.lnk
2015-09-29 00:07 - 2015-09-29 00:07 - 00000000 ____D C:\EEK
2015-09-28 23:57 - 2015-09-28 23:57 - 00012716 _____ C:\Users\HellboY\Documents\AdwCleaner[C1].txt
2015-09-28 23:53 - 2015-09-28 23:47 - 01670656 _____ C:\Users\HellboY\Desktop\AdwCleaner.exe
2015-09-28 23:50 - 2015-09-28 23:51 - 00000000 ____D C:\AdwCleaner
2015-09-24 19:34 - 2015-05-25 04:39 - 00680600 _____ (Sysinternals - www.sysinternals.com) C:\Autoruns.exe
2015-09-24 19:08 - 2015-09-29 00:19 - 00000000 ____D C:\FRST
2015-09-24 18:02 - 2015-09-28 23:56 - 00001120 _____ C:\Windows\setupact.log
2015-09-24 18:02 - 2015-09-24 18:02 - 00000000 _____ C:\Windows\setuperr.log
2015-09-23 11:42 - 2015-09-27 14:51 - 00000000 ____D C:\Users\HellboY\Documents\FIFA 16
2015-09-23 10:46 - 2015-09-23 10:46 - 00001147 _____ C:\Users\Public\Desktop\FIFA 16.lnk
2015-09-23 10:46 - 2015-09-23 10:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FIFA 16
2015-09-23 09:59 - 2015-09-23 09:59 - 18819272 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2015-09-17 12:40 - 2015-09-17 12:40 - 00018990 _____ C:\Users\HellboY\Desktop\Top Potential FIFA 16.xlsx
2015-09-13 13:06 - 2015-09-13 13:11 - 00000000 ____D C:\Users\HellboY\Documents\FIFA 16 Demo
2015-09-13 10:18 - 2015-09-13 10:18 - 00000000 ____D C:\Users\HellboY\Documents\Adobe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-29 00:18 - 2015-08-27 23:48 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-09-29 00:18 - 2014-09-20 12:19 - 00000000 ___HD C:\Users\HellboY\AppData\Roaming\Origin
2015-09-29 00:11 - 2009-07-14 10:43 - 00779724 _____ C:\Windows\system32\PerfStringBackup.INI
2015-09-29 00:01 - 2009-07-14 10:15 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-09-29 00:01 - 2009-07-14 10:15 - 00014016 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-09-28 23:59 - 2015-05-29 09:10 - 00881098 _____ C:\Windows\WindowsUpdate.log
2015-09-28 23:57 - 2014-09-20 11:11 - 00000000 ____D C:\Users\HellboY\AppData\Roaming\BitTorrent
2015-09-28 23:56 - 2014-12-20 17:55 - 00065536 _____ C:\Windows\system32\spu_storage.bin
2015-09-28 23:56 - 2014-09-20 13:25 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-09-28 23:56 - 2009-07-14 10:38 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-28 23:43 - 2014-09-20 13:25 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-09-28 01:10 - 2014-09-23 21:48 - 00000000 ____D C:\Users\HellboY\AppData\Roaming\vlc
2015-09-27 16:44 - 2015-04-27 13:03 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2015-09-27 14:55 - 2014-09-20 11:37 - 00000000 ____D C:\ProgramData\Origin
2015-09-26 03:38 - 2015-04-18 19:50 - 00036396 _____ C:\ProgramData\GeorgeYohngVST.ini
2015-09-26 03:38 - 2015-01-01 18:14 - 00000000 ____D C:\Users\HellboY\AppData\Roaming\foobar2000
2015-09-26 00:14 - 2014-09-22 23:21 - 00000000 ____D C:\Program Files (x86)\Origin
2015-09-24 18:18 - 2014-09-20 14:13 - 00000000 ____D C:\Windows\pss
2015-09-24 17:59 - 2014-09-21 13:38 - 00000000 ____D C:\Windows\Panther
2015-09-24 17:59 - 2014-09-20 14:16 - 00000000 ____D C:\Users\HellboY\AppData\Roaming\DAEMON Tools Lite
2015-09-24 00:14 - 2014-09-23 00:22 - 00000000 ____D C:\Program Files (x86)\Origin Games
2015-09-24 00:14 - 2009-07-14 11:02 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2015-09-23 12:14 - 2014-09-20 11:22 - 00000000 ____D C:\Users\HellboY\Desktop\Hell Games
2015-09-23 09:59 - 2014-09-20 12:25 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-09-23 09:59 - 2014-09-20 12:25 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-09-16 23:38 - 2014-09-20 13:25 - 00003894 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2015-09-16 23:38 - 2014-09-20 13:25 - 00003642 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2015-09-16 00:19 - 2014-09-20 13:25 - 00000000 ____D C:\Users\HellboY\AppData\Local\Google
2015-09-13 12:09 - 2014-09-20 09:58 - 00000000 ____D C:\ProgramData\Package Cache
2015-09-13 10:18 - 2014-09-20 12:34 - 00000000 ____D C:\Users\HellboY\AppData\Roaming\Adobe
2015-08-31 14:32 - 2014-09-20 11:46 - 00000771 _____ C:\Users\HellboY\Documents\Puja Expense Original.txt

==================== Files in the root of some directories =======

2015-03-27 00:44 - 2015-03-27 00:44 - 0004185 _____ () C:\Users\HellboY\AppData\Roaming\GRWPM
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\Users\HellboY\AppData\Roaming\Phaser
2015-05-06 20:56 - 2015-05-06 20:56 - 0000268 ___RH () C:\Users\HellboY\AppData\Roaming\Piano
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\Users\HellboY\AppData\Roaming\Piano Hard
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\Users\HellboY\AppData\Roaming\Pop Flute
2014-11-01 19:07 - 2015-05-22 12:15 - 0000145 _____ () C:\Users\HellboY\AppData\Roaming\WB.CFG
2015-03-28 00:49 - 2015-03-28 00:49 - 0000001 _____ () C:\Users\HellboY\AppData\Local\DSI.DAT
2014-10-08 18:19 - 2014-10-08 18:19 - 0000000 _____ () C:\Users\HellboY\AppData\Local\{F5F725E5-DFE7-4D75-AD51-829F8A3E09C2}
2014-09-20 10:01 - 2014-09-20 10:01 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2015-04-18 19:50 - 2015-09-26 03:38 - 0036396 _____ () C:\ProgramData\GeorgeYohngVST.ini
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\ProgramData\Pianos and Keyboards
2015-05-06 20:56 - 2015-05-06 20:56 - 0000268 ___RH () C:\ProgramData\Pick Bass
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\ProgramData\Pipe Organ
2015-05-06 20:55 - 2015-05-06 20:55 - 0000020 ____H () C:\ProgramData\PKP_DLeo.DAT
2015-05-06 20:56 - 2015-05-06 20:56 - 0000020 ____H () C:\ProgramData\PKP_DLes.DAT
2015-05-06 20:55 - 2015-05-06 20:55 - 0000020 ____H () C:\ProgramData\PKP_DLet.DAT
2015-05-06 20:55 - 2015-05-06 20:55 - 0000020 ____H () C:\ProgramData\PKP_DLev.DAT
2015-05-06 20:55 - 2015-05-06 20:55 - 0000268 ___RH () C:\ProgramData\Printers

Some files in TEMP:
====================
C:\Users\HellboY\AppData\Local\Temp\sqlite3.dll


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-09-24 11:59

==================== End of FRST.txt ============================

FRST Addition

Additional scan result of Farbar Recovery Scan Tool (x64) Version:27-09-2015 01
Ran by HellboY (2015-09-29 00:20:08)
Running from G:\Downloads
Windows 7 Ultimate Service Pack 1 (X64) (2014-09-20 18:39:46)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2823783346-2320787970-324535078-500 - Administrator - Disabled)
Guest (S-1-5-21-2823783346-2320787970-324535078-501 - Limited - Disabled)
HellboY (S-1-5-21-2823783346-2320787970-324535078-1000 - Administrator - Enabled) => C:\Users\HellboY

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

ACP Application (Version: 2.15.10.0003 - Advanced Micro Devices, Inc.) Hidden
Adobe Flash Player 19 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 19.0.0.185 - Adobe Systems Incorporated)
Adobe Photoshop Lightroom 5.6 64-bit (HKLM\...\{D19E99C2-6D9D-4075-B446-B4387EAF70A5}) (Version: 5.6.0 - Adobe Systems Incorporated)
Adobe Reader XI (11.0.12) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.12 - Adobe Systems Incorporated)
AMD Catalyst Install Manager (HKLM\...\{F2A7CE36-57BF-5C86-952D-90DBF3746D82}) (Version: 8.0.916.0 - Advanced Micro Devices, Inc.)
Ashes Cricket 2009 (HKLM-x32\...\InstallShield_{8B39736E-7C8C-4A32-82C1-F94245F20D85}) (Version: 1.00.0000 - Codemasters)
Ashes Cricket 2009 (x32 Version: 1.00.0000 - Codemasters) Hidden
ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.12 - Michael Tippach)
Assassin's Creed Rogue (HKLM-x32\...\Uplay Install 895) (Version:  - Ubisoft)
AVCWare Ringtone Maker (HKLM-x32\...\AVCWare Ringtone Maker) (Version: 2.0.5.20120712 - AVCWare)
BitTorrent (HKU\S-1-5-21-2823783346-2320787970-324535078-1000\...\BitTorrent) (Version: 7.9.5.41163 - BitTorrent Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 4.15 - Piriform)
Cisco WebEx Meetings (HKLM-x32\...\ActiveTouchMeetingClient) (Version:  - Cisco WebEx LLC)
CyberLink Power2Go 9 (HKLM-x32\...\InstallShield_{57D68FAE-CB5E-4fd6-AE3B-A0B43375AF18}) (Version: 9.0.1002.0 - CyberLink Corp.)
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.49.1.0356 - Disc Soft Ltd)
EA SPORTS™ FIFA 15 (HKLM-x32\...\{3D4ADA2B-F028-4307-ADF4-6F9AA44725DA}) (Version: 1.8.0.0 - Electronic Arts)
FIFA 16 (HKLM-x32\...\{28FA2805-7992-4A28-844B-040C57204718}) (Version: 1.0.3.0 - Electronic Arts)
foobar2000 v1.3.6 (HKLM-x32\...\foobar2000) (Version: 1.3.6 - Peter Pawlowski)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 45.0.2454.101 - Google Inc.)
Google Update Helper (x32 Version: 1.3.28.15 - Google Inc.) Hidden
Intel® Chipset Device Software (x32 Version: 10.0.17 - Intel® Corporation) Hidden
Intel® Management Engine Components (HKLM\...\{1CEAC85D-2590-4760-800F-8DE5E91F3700}) (Version: 10.0.0.1204 - Intel Corporation)
Intel® Network Connections 19.1.51.0 (HKLM\...\PROSetDX) (Version: 19.1.51.0 - Intel)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 3.0.0.16 - Intel Corporation)
McAfee Security Scan Plus (HKLM-x32\...\McAfee Security Scan) (Version: 3.0.285.6 - McAfee, Inc.)
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.4518.1014 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x64 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010 Redistributable - x86 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{a2199617-3609-410f-a8e8-e8806c73545b}) (Version: 11.0.61030.0 - Корпорация Майкрософт)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{f0080ca2-80ae-4958-b6eb-e8fa916d744a}) (Version: 11.0.61030.0 - Корпорация Майкрософт)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft WSE 3.0 Runtime (HKLM-x32\...\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}) (Version: 3.0.5305.0 - Microsoft Corp.)
Mozilla Firefox 40.0.3 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 40.0.3 (x86 en-US)) (Version: 40.0.3 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 40.0.3.5716 - Mozilla)
Napoleon: Total War (HKLM-x32\...\Steam App 34030) (Version:  - The Creative Assembly)
Nikon Message Center 2 (HKLM-x32\...\{B014EE44-9197-4513-9613-71E6EB1B514E}) (Version: 2.1.0 - Nikon)
Nikon Movie Editor (HKLM-x32\...\{5CAD3393-EEC0-44CE-9F93-BCAA365B77FB}) (Version: 2.6.0 - Nikon)
NVIDIA PhysX (HKLM-x32\...\{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}) (Version: 9.12.1031 - NVIDIA Corporation)
Origin (HKLM-x32\...\Origin) (Version: 9.4.22.2815 - Electronic Arts, Inc.)
Picture Control Utility x64 (HKLM\...\{11953C65-BB4E-4CA4-B0F0-2600A4B20040}) (Version: 1.4.7 - Nikon)
Raptr (HKLM-x32\...\Raptr) (Version:  - )
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7272 - Realtek Semiconductor Corp.)
Setup - WWE 2K15 © 2K ... (HKLM-x32\...\Setup - WWE 2K15 © 2K ...) (Version: ... - 2K Games)
Sid Meiers Civilization Beyond Earth (HKLM-x32\...\U2lkTWVpZXJzQ2l2aWxpemF0aW9uQmV5b25kRWFydGg=_is1) (Version: 1 - )
Skype™ 7.2 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.2.103 - Skype Technologies S.A.)
SmarterPower (HKLM\...\SmarterPower) (Version: 2014.09.20.161844 - SmarterPower) <==== ATTENTION
Sonic Radar II (HKLM\...\{203BCA8D-BC00-4DD5-85DF-2F84DB803B57}) (Version: 2.1.101 - ASUSTeKcomputer.Inc)
Steam (HKLM-x32\...\Steam) (Version: 2.10.91.91 - Valve Corporation)
The Sims 4 (HKLM-x32\...\The Sims 4_R.G. Mechanics_is1) (Version:  - R.G. Mechanics, ProZorg_tm)
The Sims Medieval (HKLM-x32\...\{83BEEFB4-8C28-4F4F-8A9D-E0D1ADCE335B}) (Version: 1.0.0 - Electronic Arts)
Total War: SHOGUN 2 (HKLM-x32\...\Steam App 34330) (Version:  - The Creative Assembly)
TriDef 3D (LG 3D Monitor) 1.8.5 (HKLM-x32\...\experience-lge-mon-bundle) (Version: 1.8.5 - Dynamic Digital Depth Australia Pty Ltd)
Ubisoft Game Launcher (HKLM-x32\...\{888F1505-C2B3-4FDE-835D-36353EBD4754}) (Version: 1.0.0.0 - UBISOFT)
Uplay (HKLM-x32\...\Uplay) (Version: 4.9 - Ubisoft)
ViewNX 2 (HKLM\...\{635BE602-BB9C-4C59-8CC5-93F9366E8A21}) (Version: 2.6.0 - Nikon)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WinRAR 5.00 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.00.0 - win.rar GmbH)
Winrar Activator version 1.2 (HKLM-x32\...\{AE0B3F2A-EB65-4D01-A3E1-6D879C6AAF2A}_is1) (Version: 1.2 - Rarlab)
WinZip 18.5 (HKLM\...\{CD95F661-A5C4-44F5-A6AA-ECDD91C240E3}) (Version: 18.5.11111 - WinZip Computing, S.L. )
WWE 2K15 DLC Pack Addon (HKLM-x32\...\V1dFMksxNQ==_is1) (Version: 1 - )

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

06-09-2015 21:19:31 Scheduled Checkpoint
13-09-2015 12:08:57 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610
16-09-2015 02:36:38 Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501
16-09-2015 02:36:43 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501
23-09-2015 10:46:34 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {239993E2-9A5B-4818-9473-0078E8F8ECF5} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-06-24] (Piriform Ltd)
Task: {431C65BC-6071-4D1B-9E41-29783DD78CB8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)
Task: {5BBE5C06-3BB8-4F56-8ECD-07FFB700A96A} - System32\Tasks\ASUS\i-Setup095543 => C:\Windows\Chipset\AsusSetup.exe [2013-09-09] (ASUSTeK Computer Inc.)
Task: {9B32FDC0-B333-473B-ABB6-C892F9620F32} - System32\Tasks\Origin => C:\Users\HellboY\AppData\Roaming\Origin\update.vbe <==== ATTENTION
Task: {A3FD2A8A-338E-48E9-B888-D1E84B8E3E4B} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2014-09-20] ()
Task: {B2B5245D-375E-4385-80AD-6CAB8E392510} - System32\Tasks\ASUS\i-Setup100540 => C:\Windows\MEI\AsusSetup.exe [2013-09-09] (ASUSTeK Computer Inc.)
Task: {B6C692DE-9AA5-4D56-8954-24E4B9E55262} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-07-07] (Adobe Systems Incorporated)
Task: {FAF91D01-BCB4-4E58-BB90-017FF50D0BFF} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-08-27] (Google Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Loaded Modules (Whitelisted) ==============

2014-06-18 11:23 - 2014-06-18 11:23 - 00936728 ____R () C:\Program Files (x86)\ASUS\AXSP\1.02.00\atkexComSvc.exe
2014-09-20 10:00 - 2015-09-28 23:56 - 00032256 _____ () C:\Program Files (x86)\ASUS\AXSP\1.02.00\PEbiosinterface32.dll
2014-09-20 10:00 - 2014-06-18 11:23 - 00104448 ____R () C:\Program Files (x86)\ASUS\AXSP\1.02.00\ATKEX.dll
2015-09-23 09:59 - 2015-09-23 09:59 - 17592008 _____ () C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_185.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)


==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2823783346-2320787970-324535078-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\HellboY\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 172.16.0.1 - 4.2.2.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: AdobeARMservice => 2
MSCONFIG\Services: AMD External Events Utility => 2
MSCONFIG\Services: asComSvc => 2
MSCONFIG\Services: AsSysCtrlService => 2
MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3
MSCONFIG\Services: IePluginServices => 2
MSCONFIG\Services: Intel® Capability Licensing Service TCP IP Interface => 3
MSCONFIG\Services: Intel® PROSet Monitoring Service => 2
MSCONFIG\Services: jhi_service => 2
MSCONFIG\Services: LMS => 2
MSCONFIG\Services: McComponentHostService => 3
MSCONFIG\Services: MozillaMaintenance => 3
MSCONFIG\Services: Update SmarterPower => 2
MSCONFIG\Services: Util SmarterPower => 2
MSCONFIG\Services: WindowsMangerProtect => 2
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk => C:\Windows\pss\McAfee Security Scan Plus.lnk.CommonStartup
MSCONFIG\startupfolder: C:^Users^HellboY^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk => C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: BitTorrent => "C:\Users\HellboY\AppData\Roaming\BitTorrent\BitTorrent.exe"  /MINIMIZED
MSCONFIG\startupreg: CLMLServer_For_P2G9 => "D:\Program Files (x86)\CyberLink\Power2Go9\Power2Go9\CLMLSvc_P2G9.exe"
MSCONFIG\startupreg: CLVirtualDrive9 => "D:\Program Files (x86)\CyberLink\Power2Go9\Power2Go9\VirtualDrive9.exe" /R
MSCONFIG\startupreg: CMD => cmd.exe /c start http://zenigameblinger.org && exit
MSCONFIG\startupreg: DAEMON Tools Lite => "G:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
MSCONFIG\startupreg: EADM => "C:\Program Files (x86)\Origin\Origin.exe" -AutoStart
MSCONFIG\startupreg: gmsd_in_274 =>
MSCONFIG\startupreg: GoogleChromeAutoLaunch_50939CAFD6E0F0936342A562BB166352 => "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
MSCONFIG\startupreg: GrooveMonitor => "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
MSCONFIG\startupreg: IDMan => C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
MSCONFIG\startupreg: Nikon Message Center 2 => C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
MSCONFIG\startupreg: Power2GoExpress9 => "D:\Program Files (x86)\CyberLink\Power2Go9\Power2Go9\Power2GoExpress9.exe" /Startup
MSCONFIG\startupreg: pricefountainw.exe => C:\Users\HellboY\AppData\Local\PriceFountain\pricefountainw.exe HKEY_CURRENT_USER Software\PriceFountain
MSCONFIG\startupreg: RTHDVCPL => "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
MSCONFIG\startupreg: Sidebar => C:\Program Files (x86)\Windows Sidebar\sidebar.exe /autoRun
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: StartCCC => "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
MSCONFIG\startupreg: upgmsd_in_274.exe => C:\Users\HellboY\AppData\Local\gmsd_in_274\upgmsd_in_274.exe -runonce
MSCONFIG\startupreg: Wse_taplika => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\HellboY\AppData\Roaming\Wse_taplika\UpdateProc\bkup.dat"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{0DF99B81-4C49-42DB-9CFC-265C6F70CE51}] => (Allow) C:\Users\HellboY\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [{FA61D6F1-59BE-4DDC-936D-5B4DD099A5A0}] => (Allow) C:\Users\HellboY\AppData\Roaming\BitTorrent\BitTorrent.exe
FirewallRules: [TCP Query User{0CFE5246-B893-4DD0-B75D-8BD291A313C5}H:\softwares\microsoft office 2013 professional plus activation crack\microsoft toolkit 2.4.5.exe] => (Allow) H:\softwares\microsoft office 2013 professional plus activation crack\microsoft toolkit 2.4.5.exe
FirewallRules: [UDP Query User{11E5341B-6F9F-454F-B950-081539EC35EC}H:\softwares\microsoft office 2013 professional plus activation crack\microsoft toolkit 2.4.5.exe] => (Allow) H:\softwares\microsoft office 2013 professional plus activation crack\microsoft toolkit 2.4.5.exe
FirewallRules: [{29476417-DB04-4B4F-B071-E6508C27CA79}] => (Allow) G:\Program Files (x86)\Codemasters\Ashes Cricket 2009\Cricket2009.exe
FirewallRules: [{BA448FB0-DF2B-4CDD-95A7-B73D0352581B}] => (Allow) G:\Program Files (x86)\Codemasters\Ashes Cricket 2009\Cricket2009.exe
FirewallRules: [{63BC7699-9402-4183-9A7C-7189AA0A8177}] => (Allow) C:\Program Files (x86)\Origin Games\FIFA 15\fifasetup\fifaconfig.exe
FirewallRules: [{A3C502D7-063C-4F8D-8D8F-56BB84AEF6A0}] => (Allow) C:\Program Files (x86)\Origin Games\FIFA 15\fifasetup\fifaconfig.exe
FirewallRules: [{266C5D8E-E62E-477D-97F9-09E4836D54E4}] => (Allow) C:\Program Files (x86)\Origin\Origin.exe
FirewallRules: [{0A2DF82F-BCB6-4F2A-AD12-04547BB80523}] => (Allow) C:\Program Files (x86)\Origin\Origin.exe
FirewallRules: [{1015CD9D-A5BB-4E5E-8402-C5A84680C793}] => (Allow) C:\Program Files (x86)\Origin\Origin.exe
FirewallRules: [{8880B2C1-C270-40E7-91CC-DDD7A980DC0D}] => (Allow) C:\Program Files (x86)\Origin\Origin.exe
FirewallRules: [{D6430D34-D1B9-4B08-9415-4D0F20B284A0}] => (Allow) C:\Program Files (x86)\Origin\OriginER.exe
FirewallRules: [{917A18FD-0247-4BCC-96E9-85CC458A44BA}] => (Allow) C:\Program Files (x86)\Origin\OriginER.exe
FirewallRules: [{29893613-5293-41AA-B5FC-BB212AD97242}] => (Allow) C:\Program Files (x86)\Origin\OriginER.exe
FirewallRules: [{6E242092-EF05-4A27-AA7F-AD8710087ABF}] => (Allow) C:\Program Files (x86)\Origin\OriginER.exe
FirewallRules: [TCP Query User{9167C7EA-1880-4AE6-AD68-F1AB481963AE}C:\program files (x86)\origin games\fifa 15\fifa15.exe] => (Allow) C:\program files (x86)\origin games\fifa 15\fifa15.exe
FirewallRules: [UDP Query User{02540759-FB56-4221-BBC8-7D05C0764B57}C:\program files (x86)\origin games\fifa 15\fifa15.exe] => (Allow) C:\program files (x86)\origin games\fifa 15\fifa15.exe
FirewallRules: [{AC3B0D28-FD6F-4347-BA07-B6740F13DA59}] => (Allow) D:\Program Files (x86)\SimCity\SimCity 2013 Offline\SimCity\SimCity.exe
FirewallRules: [{24E7487B-EA4E-4AB0-B631-8F1B67F7C809}] => (Allow) D:\Program Files (x86)\SimCity\SimCity 2013 Offline\SimCity\SimCity.exe
FirewallRules: [{C4B340AC-E73B-4FF2-A806-1B7173D77C7B}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe
FirewallRules: [{1DEA68C0-3E92-49A2-B1AB-57747D70B00A}] => (Allow) C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\UbisoftGameLauncher.exe
FirewallRules: [{06414F23-B713-4B9B-BFFD-7DA0C91E37A8}] => (Allow) D:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{8F504AF0-3F43-4087-8614-3014481756F0}] => (Allow) D:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{3ACB9F96-699F-42F4-9CE5-07D01797C1EE}] => (Allow) D:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{CC90A78A-8064-453A-B417-22AD85A2C216}] => (Allow) D:\Program Files (x86)\Steam\bin\steamwebhelper.exe
FirewallRules: [{94E46213-00CF-4C3F-944E-9AEEDA949A8F}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\Napoleon Total War\Napoleon.exe
FirewallRules: [{1603C2B7-0BEC-485D-9657-C99615967837}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\Napoleon Total War\Napoleon.exe
FirewallRules: [{A72590AE-CCC8-47A2-A0A5-34D3EED53F6C}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\Total War SHOGUN 2\Shogun2.exe
FirewallRules: [{92D2E354-66BA-4EDF-9A37-5DE69303B015}] => (Allow) D:\Program Files (x86)\Steam\steamapps\common\Total War SHOGUN 2\Shogun2.exe
FirewallRules: [{469D3E8E-6695-4A58-A2C3-C4C78E15D059}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{A66EDE4C-2D6B-4D99-B541-E5C508D22A2F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{7E7F658F-3559-4179-B66C-C3023697D336}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{7A590500-A300-4EE7-92F0-4567695FABBA}C:\program files (x86)\mozilla firefox\firefox.exe] => (Allow) C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [{D9516CD4-92CE-4C7B-8301-9248CC3B250F}] => (Allow) D:\Program Files (x86)\Ubisoft\Assassin's Creed Rogue\ACC.exe
FirewallRules: [{5FC448DC-6EFD-48C9-9AD8-77F15CE6129E}] => (Allow) D:\Program Files (x86)\Ubisoft\Assassin's Creed Rogue\ACC.exe
FirewallRules: [{9A8721CC-E80B-4F66-96A9-839DFCECD38A}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{961289F4-9586-4DA5-A755-A074C5B6D815}] => (Allow) C:\Program Files (x86)\Origin Games\FIFA 15\fifasetup\fifaconfig.exe
FirewallRules: [{221B1EDC-C94A-4511-B3DA-E9C21DAB7EAF}] => (Allow) C:\Program Files (x86)\Origin Games\FIFA 15\fifasetup\fifaconfig.exe
FirewallRules: [{7881BB14-70E2-4C7A-9256-28826C55DDC1}] => (Allow) C:\Program Files (x86)\Origin Games\FIFA 16\fifasetup\fifaconfig.exe
FirewallRules: [{981E41C3-53D6-42FA-94E0-DE11884B93A1}] => (Allow) C:\Program Files (x86)\Origin Games\FIFA 16\fifasetup\fifaconfig.exe
FirewallRules: [TCP Query User{F2818FFF-EE00-4DF8-880E-C193877857AE}C:\program files (x86)\origin games\fifa 16\fifa16.exe] => (Allow) C:\program files (x86)\origin games\fifa 16\fifa16.exe
FirewallRules: [UDP Query User{E30B76E0-67A2-4E32-A63D-704BE3928769}C:\program files (x86)\origin games\fifa 16\fifa16.exe] => (Allow) C:\program files (x86)\origin games\fifa 16\fifa16.exe
FirewallRules: [TCP Query User{C1A60F1F-C3EF-4607-B5CE-5AFBB0444C8A}C:\program files (x86)\origin games\fifa 16\fifa16.exe] => (Allow) C:\program files (x86)\origin games\fifa 16\fifa16.exe
FirewallRules: [UDP Query User{51CC3DC4-5BAA-4304-B914-283C1DB670E6}C:\program files (x86)\origin games\fifa 16\fifa16.exe] => (Allow) C:\program files (x86)\origin games\fifa 16\fifa16.exe
FirewallRules: [{2493097D-1F2E-40C7-A996-323437915B21}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [G:\Program Files (x86)\TriDef 3D\TriDef\TriDefMediaPlayer\TriDefMediaPlayer.exe] => Enabled:TriDef 3D Media Player

==================== Faulty Device Manager Devices =============

Name: {5eeb83d0-96ea-4249-942c-beead6847053}Gw64
Description: {5eeb83d0-96ea-4249-942c-beead6847053}Gw64
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: {5eeb83d0-96ea-4249-942c-beead6847053}Gw64
Problem: This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears. Remove the device, and this error should be resolved.

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: This device cannot start. (Code 10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.


==================== Event log errors: =========================

Application errors:
==================
Error: (09/27/2015 02:51:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: fifa16.exe, version: 1.0.0.0, time stamp: 0x55fc7502
Faulting module name: fifa16.exe, version: 1.0.0.0, time stamp: 0x55fc7502
Exception code: 0xc0000005
Fault offset: 0x000000000485108b
Faulting process id: 0x19a0
Faulting application start time: 0xfifa16.exe0
Faulting application path: fifa16.exe1
Faulting module path: fifa16.exe2
Report Id: fifa16.exe3

Error: (09/24/2015 06:39:54 PM) (Source: Wininit) (EventID: 1015) (User: )
Description: A critical system process, C:\Windows\system32\lsass.exe, failed with status code 1.  The machine must now be restarted.

Error: (09/23/2015 12:55:15 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: vlc.exe, version: 2.1.5.0, time stamp: 0x00000004
Faulting module name: vlc.exe, version: 2.1.5.0, time stamp: 0x00000004
Exception code: 0xc0000005
Fault offset: 0x000018c5
Faulting process id: 0x968
Faulting application start time: 0xvlc.exe0
Faulting application path: vlc.exe1
Faulting module path: vlc.exe2
Report Id: vlc.exe3

Error: (09/02/2015 12:20:39 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Explorer.EXE version 6.1.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 684

Start Time: 01d0e4de2d9aca53

Termination Time: 8495

Application Path: C:\Windows\Explorer.EXE

Report Id: 4e97f5d6-50da-11e5-9a79-10c37b9ff2c4

Error: (08/31/2015 10:50:49 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 40.0.3.5716 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 123c

Start Time: 01d0e3986c1e3269

Termination Time: 95

Application Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Report Id: 0561fe4c-4fa0-11e5-8d17-10c37b9ff2c4

Error: (08/31/2015 10:50:49 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: plugin-container.exe, version: 40.0.3.5716, time stamp: 0x55ddb213
Faulting module name: mozglue.dll, version: 40.0.3.5716, time stamp: 0x55dda062
Exception code: 0x80000003
Fault offset: 0x0000e250
Faulting process id: 0x13a0
Faulting application start time: 0xplugin-container.exe0
Faulting application path: plugin-container.exe1
Faulting module path: plugin-container.exe2
Report Id: plugin-container.exe3

Error: (08/22/2015 03:47:47 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: Origin.exe, version: 9.7.2.53208, time stamp: 0x55b30183
Faulting module name: MSVCR100.dll, version: 10.0.40219.325, time stamp: 0x4df2be1e
Exception code: 0xc0000417
Fault offset: 0x0008af3e
Faulting process id: 0x1274
Faulting application start time: 0xOrigin.exe0
Faulting application path: Origin.exe1
Faulting module path: Origin.exe2
Report Id: Origin.exe3

Error: (08/09/2015 07:55:28 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: BatmanAK.exe, version: 1.0.4.5, time stamp: 0x558cc218
Faulting module name: BatmanAK.exe, version: 1.0.4.5, time stamp: 0x558cc218
Exception code: 0xc0000005
Fault offset: 0x000000000587945c
Faulting process id: 0xa00
Faulting application start time: 0xBatmanAK.exe0
Faulting application path: BatmanAK.exe1
Faulting module path: BatmanAK.exe2
Report Id: BatmanAK.exe3

Error: (07/23/2015 12:35:10 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Explorer.EXE version 6.1.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 6bc

Start Time: 01d0c4acbb767d33

Termination Time: 32498

Application Path: C:\Windows\Explorer.EXE

Report Id: 7c0939c4-30a4-11e5-b3d7-10c37b9ff2c4

Error: (07/10/2015 01:47:07 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 39.0.0.5659 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 12e8

Start Time: 01d0ba780c2bda3a

Termination Time: 40

Application Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Report Id: 767f857b-2677-11e5-a713-10c37b9ff2c4


System errors:
=============
Error: (09/28/2015 11:56:32 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (09/28/2015 11:56:31 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
{5eeb83d0-96ea-4249-942c-beead6847053}Gw64

Error: (09/28/2015 11:56:30 PM) (Source: Microsoft-Windows-DNS-Client) (EventID: 1012) (User: NT AUTHORITY)
Description: There was an error while attempting to read the local hosts file.

Error: (09/28/2015 11:51:58 PM) (Source: Service Control Manager) (EventID: 7032) (User: )
Description: The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error:
%%1056

Error: (09/28/2015 11:51:28 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (09/28/2015 11:51:28 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (09/28/2015 11:51:28 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Graphics Accelerator service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.

Error: (09/28/2015 11:51:28 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The ASUS Com Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/28/2015 11:51:28 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The ACP User Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (09/28/2015 11:51:28 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Adobe Acrobat Update Service service terminated unexpectedly.  It has done this 1 time(s).


==================== Memory info ===========================

Processor: Intel® Core™ i5-4690 CPU @ 3.50GHz
Percentage of memory in use: 35%
Total physical RAM: 8135.15 MB
Available physical RAM: 5236.05 MB
Total Virtual: 16268.5 MB
Available Virtual: 13133.57 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.69 GB) (Free:37.88 GB) NTFS
Drive d: (New Volume) (Fixed) (Total:465.75 GB) (Free:154.67 GB) NTFS
Drive e: (New Volume) (Fixed) (Total:465.75 GB) (Free:422.35 GB) NTFS
Drive f: (New Volume) (Fixed) (Total:465.76 GB) (Free:73.94 GB) NTFS
Drive g: (New Volume) (Fixed) (Total:465.75 GB) (Free:290.72 GB) NTFS
Drive i: (HELL PEN) (Removable) (Total:28.96 GB) (Free:4.74 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 84C76977)
Partition 1: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=465.8 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=465.8 GB) - (Type=OF Extended)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: 17F0AAE5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111.7 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 29 GB) (Disk ID: 00000000)

Partition: GPT.

==================== End of Addition.txt ============================

 

 

Thanks and Regards,

Sarbajit
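
The Addition.txt above holds several entries that stand out before any fixlist is written: a Run key named CMD whose command is cmd.exe /c start http://zenigameblinger.org, a wscript.exe entry that uses /E:vbscript to execute a .dat file, a Run entry with no command at all, UAC switched off (EnableLUA: 0), and firewall allow rules for binaries outside Program Files. The script below is an added example written for this page; it is not part of the thread and not FRST code. It reads FRST-format lines (a constructed excerpt copied from the log above) and applies the editor's own heuristics for those patterns. The severities, the interpreter list and the notion of "install roots" are assumptions for illustration, and every hit is a lead to check by hand, not a verdict.

```python
from __future__ import annotations

import re
from typing import Iterable

# Sample input: a CONSTRUCTED excerpt of lines copied from the FRST Addition.txt
# posted above (the UAC policy line, some startupreg entries, two firewall rules).
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 0) (ConsentPromptBehaviorUser: 3) (EnableLUA: 0)
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: BitTorrent => "C:\Users\HellboY\AppData\Roaming\BitTorrent\BitTorrent.exe"  /MINIMIZED
MSCONFIG\startupreg: CMD => cmd.exe /c start http://zenigameblinger.org && exit
MSCONFIG\startupreg: gmsd_in_274 =>
MSCONFIG\startupreg: pricefountainw.exe => C:\Users\HellboY\AppData\Local\PriceFountain\pricefountainw.exe HKEY_CURRENT_USER Software\PriceFountain
MSCONFIG\startupreg: Wse_taplika => C:\Windows\SysWOW64\wscript.exe /E:vbscript /B "C:\Users\HellboY\AppData\Roaming\Wse_taplika\UpdateProc\bkup.dat"
FirewallRules: [{2493097D-1F2E-40C7-A996-323437915B21}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [TCP Query User{0CFE5246-B893-4DD0-B75D-8BD291A313C5}H:\softwares\microsoft office 2013 professional plus activation crack\microsoft toolkit 2.4.5.exe] => (Allow) H:\softwares\microsoft office 2013 professional plus activation crack\microsoft toolkit 2.4.5.exe
"""

STARTUP_RE = re.compile(r"^MSCONFIG\\startupreg: (?P<name>.+?) =>\s*(?P<cmd>.*)$")
FIREWALL_RE = re.compile(r"^FirewallRules: \[(?P<rule>[^\]]+)\] => \((?P<action>\w+)\) (?P<path>.+)$")
UAC_KEY = "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"

# Editor's assumptions: interpreters/LOLBins that should not be the command of a
# logon entry, paths a standard user can write to, and where packaged products live.
SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "powershell.exe", "rundll32.exe", "regsvr32.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
INSTALL_ROOTS = ("\\program files\\", "\\program files (x86)\\", "\\windows\\")


def triage(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (severity, entry, reason) for lines that look like hijacks or weak settings."""
    findings: list[tuple[str, str, str]] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith(UAC_KEY) and "(EnableLUA: 0)" in line:
            findings.append(("high", "Policies\\System",
                             "UAC disabled (EnableLUA: 0): everything the user runs is already elevated"))
            continue

        m = STARTUP_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd").strip()
            low = cmd.lower()
            if not cmd:
                findings.append(("medium", name, "empty Run command: leftover of a removed or renamed payload"))
            elif any(h in low for h in SCRIPT_HOSTS) and "http" in low:
                findings.append(("high", name, "interpreter launches a URL at logon (browser redirect persistence)"))
            elif ("wscript.exe" in low or "cscript.exe" in low) and "/e:" in low:
                findings.append(("high", name, "script host with /E: engine override runs a non-script file as script"))
            elif any(h in low for h in SCRIPT_HOSTS):
                findings.append(("medium", name, "interpreter/LOLBin as logon command: inspect its arguments"))
            elif any(d in low for d in USER_WRITABLE):
                findings.append(("low", name, "logon binary under a user-writable path"))
            continue

        m = FIREWALL_RE.match(line)
        if m and m.group("action") == "Allow":
            low = m.group("path").lower()
            if not any(r in low for r in INSTALL_ROOTS):
                findings.append(("medium", m.group("rule"),
                                 "firewall allow for a binary outside Program Files/Windows: " + m.group("path")))
    return findings


def names(findings, severity=None):
    """Entry names at one severity (or all of them) for reports and tests."""
    return [entry for sev, entry, _ in findings if severity in (None, sev)]


if __name__ == "__main__":
    for sev, entry, reason in triage(SAMPLE_LOG.splitlines()):
        print(f"[{sev:<6}] {entry}: {reason}")
```

Run against the excerpt, the script rates CMD, Wse_taplika and the UAC line high, the empty gmsd_in_274 entry and the firewall rule for the H: drive binary medium, and the AppData binaries low, while the Adobe and Chrome entries produce nothing. Ordering the checks from strongest to weakest signal matters: the wscript line must be caught by the /E: rule before the generic "interpreter present" rule swallows it.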



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:32 PM

Posted 03 October 2015 - 03:11 PM

Download the attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Attached File: fixlist.txt (1.08KB)

 

Is your issue fixed after this?


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 fireman4it


Posted 06 October 2015 - 01:46 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it


#6 SarbajitHellboy

SarbajitHellboy
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:02 AM

Posted 07 October 2015 - 01:11 AM

Hi Fireman4it,

 

Apologies for the delayed response.

I was out of station and returned today morning itself.

 

The issue isn't happening yet, but not sure if it's fully cured. Will wait for your suggestion :)

 

PFB the fixlog:

 

 Fix result of Farbar Recovery Scan Tool (x64) Version:27-09-2015 01

Ran by HellboY (2015-10-07 11:39:18) Run:1
Running from G:\Downloads
Loaded Profiles: HellboY (Available Profiles: HellboY)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
AutoConfigURL: [HKLM-x32] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [.DEFAULT] => file://C:\Windows\System32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-19] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-20] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-21-2823783346-2320787970-324535078-1000] => file://C:\Windows\System32\Drivers\winpacket.pac
Tcpip\..\Interfaces\{09769D41-7725-406F-B49B-45D2A67D029F}: [NameServer] 172.16.0.1,4.2.2.2,8.8.8.8,10.10.0.1,121.242.190.210,121.242.190.181,202.54.1.63,202.54.1.64
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2823783346-2320787970-324535078-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
S4 Update SmarterPower; "C:\Program Files (x86)\SmarterPower\updateSmarterPower.exe" [X]
S4 Util SmarterPower; "C:\Program Files (x86)\SmarterPower\bin\utilSmarterPower.exe" [X]
S1 {5eeb83d0-96ea-4249-942c-beead6847053}Gw64; system32\drivers\{5eeb83d0-96ea-4249-942c-beead6847053}Gw64.sys [X]
 
*****************
 
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
HKU\S-1-5-21-2823783346-2320787970-324535078-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{09769D41-7725-406F-B49B-45D2A67D029F}\\NameServer => value removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-2823783346-2320787970-324535078-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
Update SmarterPower => service removed successfully
Util SmarterPower => service removed successfully
{5eeb83d0-96ea-4249-942c-beead6847053}Gw64 => service removed successfully
 
==== End of Fixlog 11:39:18 ====
 
Thanks and Regards,
 
Sarbajit
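
The fixlist above removes two settings a user never sets by hand: an AutoConfigURL proxy script (a file:// PAC under System32\Drivers) written into every hive, including the .DEFAULT, S-1-5-19 and S-1-5-20 service-account hives, and a static NameServer list on the network interface that goes well beyond the two resolvers reported under "DNS Servers:" in Addition.txt. A PAC script decides which proxy every browser request goes through, so a planted one is one mechanism that would produce the redirects the poster described. The script below is an added example for this page, not the responder's tool and not FRST code: it audits these two value types from FRST-format lines and emits the lines to paste into fixlist.txt, which, as the fixlist and Fixlog above show, are the log lines themselves. The expected-resolver set (172.16.0.1 and 4.2.2.2, taken from the "DNS Servers:" line) and the approved PAC host wpad.corp.example are assumptions; the two benign lines at the end of the sample are constructed, and the additional resolvers are flagged only as being outside that allowlist.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Sample input: the AutoConfigURL and NameServer lines from the fixlist posted
# above, followed by two CONSTRUCTED benign lines (a policy-approved PAC for a
# second user SID, and an interface using only the expected resolvers) so the
# allowlist path is exercised too.
SAMPLE = r"""
AutoConfigURL: [HKLM-x32] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [.DEFAULT] => file://C:\Windows\System32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-19] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-20] => file://C:\Windows\system32\Drivers\winpacket.pac
AutoConfigURL: [S-1-5-21-2823783346-2320787970-324535078-1000] => file://C:\Windows\System32\Drivers\winpacket.pac
Tcpip\..\Interfaces\{09769D41-7725-406F-B49B-45D2A67D029F}: [NameServer] 172.16.0.1,4.2.2.2,8.8.8.8,10.10.0.1,121.242.190.210,121.242.190.181,202.54.1.63,202.54.1.64
AutoConfigURL: [S-1-5-21-0-0-0-1001] => http://wpad.corp.example/wpad.dat
Tcpip\..\Interfaces\{00000000-0000-0000-0000-000000000001}: [NameServer] 172.16.0.1,4.2.2.2
"""

PAC_RE = re.compile(r"^AutoConfigURL: \[(?P<hive>[^\]]+)\] => (?P<url>\S+)$")
DNS_RE = re.compile(r"^Tcpip\\\.\.\\Interfaces\\(?P<iface>\{[0-9A-Fa-f-]+\}): \[NameServer\] (?P<servers>\S+)$")

# Hives that belong to service accounts; nobody configures a browser proxy there.
SERVICE_HIVES = {".DEFAULT", "S-1-5-19", "S-1-5-20"}
# ASSUMPTIONS for this example: the resolvers this network is expected to use
# (taken from the "DNS Servers:" line of Addition.txt) and the only host that
# may serve a PAC (a hypothetical name).
EXPECTED_DNS = {ipaddress.ip_address("172.16.0.1"), ipaddress.ip_address("4.2.2.2")}
EXPECTED_PAC_HOSTS = {"wpad.corp.example"}


def check_pac(hive: str, url: str) -> str | None:
    """Why this AutoConfigURL looks like a hijack, or None if it matches policy."""
    if hive in SERVICE_HIVES:
        return "proxy script set in a service-account hive"
    parts = urlsplit(url)
    if parts.scheme.lower() == "file":
        return "PAC loaded from local disk; a planted script can route every request"
    if (parts.hostname or "").lower() not in EXPECTED_PAC_HOSTS:
        return f"PAC served by an unapproved host: {parts.hostname}"
    return None


def check_dns(servers: str) -> list[str]:
    """Entries of a static NameServer value that are not the expected resolvers."""
    rogue = []
    for entry in servers.split(","):
        entry = entry.strip()
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            rogue.append(entry)          # not an address at all: keep it visible
            continue
        if ip not in EXPECTED_DNS:
            rogue.append(str(ip))
    return rogue


def audit(lines) -> tuple[list[tuple[str, str]], list[str]]:
    """Return (findings, fixlist).

    findings: (hive or interface, reason) pairs.
    fixlist:  the offending FRST lines verbatim. FRST removes a registry value when
              its log line is pasted into fixlist.txt unchanged, which is what the
              fixlist in this thread does.
    """
    findings: list[tuple[str, str]] = []
    fixlist: list[str] = []
    for raw in lines:
        line = raw.strip()
        m = PAC_RE.match(line)
        if m:
            reason = check_pac(m.group("hive"), m.group("url"))
            if reason:
                findings.append((m.group("hive"), reason))
                fixlist.append(line)
            continue
        m = DNS_RE.match(line)
        if m:
            rogue = check_dns(m.group("servers"))
            if rogue:
                findings.append((m.group("iface"), "resolvers outside the expected set: " + ", ".join(rogue)))
                fixlist.append(line)
    return findings, fixlist


if __name__ == "__main__":
    found, fix = audit(SAMPLE.splitlines())
    for where, reason in found:
        print(f"{where}: {reason}")
    print("\n--- fixlist.txt ---")
    print("\n".join(fix))
```

On the sample the audit emits exactly the six lines the responder's fixlist contained and leaves the two constructed benign lines alone. The service-hive test comes first on purpose: a PAC in .DEFAULT or the LocalService/NetworkService hives is a finding regardless of where the script is hosted, because those accounts have no interactive browser to configure.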


#7 fireman4it


Posted 13 October 2015 - 06:04 PM

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Double-click on the setup file (mbam-setup.exe), then click on Run to install.
  • Malwarebytes will automatically open to its Dashboard. If you have never run this version, you should see a red note at the top indicating "A scan has never been run on your system".
  • Click on Update Now to download the current database definitions, then click the Scan Now >> button.
  • If you have run this version before, you should see a green note at the top indicating "Your system is fully protected".
  • You will be prompted to update Malwarebytes...click on the Update Now button.
  • The THREAT SCAN will automatically begin.
  • When the scan has completed, the results will be displayed. Click on Quarantine All, then click on Apply Actions.
  • To complete any actions taken you will be prompted to restart your computer...click on Yes. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
  • After rebooting the computer, copy and paste the mbam.log in your next reply.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)
  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)
  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7/8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd


#8 fireman4it


Posted 23 October 2015 - 05:33 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.