BSOD, slow, disabled AV, self-opening browsers, now system restore


  • This topic is locked
2 replies to this topic

#1 Dioxyde


  • Members
  • 1 posts

Posted 29 October 2015 - 07:29 PM

This is a Windows 7 64-bit (Ultimate) machine. It all started a few days ago with a BSOD. Upon restart the computer was very slow: insane resources being used by low-key processes, and I could barely use Windows. I thought maybe it was hardware, so I reseated the HDD, fiddled with the SATA cables, and ran a chkdsk. Nope, the HDD should be good. Memory good too. Boot it back up and it's still screwed - everything takes forever to load, a folder or a browser. Spybot and Malwarebytes could not be used; they were disabled somehow (they just don't open). Installing any other spyware programs wouldn't work either. Safe mode or booting from disk made no difference on any of these issues either.
 
THEN I saw multiple Chrome browsers being opened automatically from my desktop, all to fake anti-malware websites! Now I decided to back up any new data and do a system restore, which has solved the issues with slowness. HOWEVER, my firewall is giving me a notification constantly about this file "~f3c7.tmp.exe" attempting to make an outgoing connection - the second I block it, another notification pops up. The source is all that changes. When I click "open file location", Chrome opens this website, which you obviously shouldn't open: https://www.virustotal.com/en/file/not/found/
 
Cute, right?
 
So here's my log and a screenshot.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:29-10-2015
Ran by Ataraxia (administrator) on ELATIONSTATION (29-10-2015 16:46:47)
Running from C:\Users\Ataraxia\Downloads
Loaded Profiles: Ataraxia (Available Profiles: Ataraxia)
Platform: Windows 7 Ultimate (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
() C:\Program Files\WinArchiver\WAService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
(PACE Anti-Piracy, Inc.) C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe
() C:\Program Files (x86)\Piano Marvel Plugin\PianoMarvel.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamNetworkService.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(BiniSoft.org) C:\Program Files\Windows Firewall Control\wfcs.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamUserAgent.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
() C:\Windows\SysWOW64\DeltaIITray.exe
(Spotify Ltd) C:\Users\Ataraxia\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(BiniSoft.org) C:\Program Files\Windows Firewall Control\wfc.exe
(Apple Inc.) C:\Program Files (x86)\iTunes\iTunesHelper.exe
(Logitech Inc.) C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe
() C:\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
(Apple Computer, Inc.) C:\Program Files (x86)\QuickTime\qttask.exe
() C:\Program Files\Andy\HandyAndy.exe
(Macrovision Corporation) C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe
() C:\Program Files\Andy\AndyPriorityMgr.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
() C:\Windows\Temp\~F3C7.tmp.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SBRegRebootCleaner] => "C:\Program Files (x86)\Ad-Aware Antivirus\SBRC.exe"
HKLM\...\Run: [BCSSync] => C:\Program Files\Microsoft Office\Office14\BCSSync.exe [112512 2010-03-13] (Microsoft Corporation)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [500936 2015-05-26] (Adobe Systems Incorporated)
HKLM\...\Run: [DeltaIITaskbarApp] => C:\Windows\SysWOW64\DeltaIITray.exe [236040 2008-11-04] ()
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2634872 2015-08-26] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-05-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM-x32\...\Run: [LWS] => C:\Program Files (x86)\Logitech\LWS\Webcam Software\LWS.exe [204136 2012-09-13] (Logitech Inc.)
HKLM-x32\...\Run: [SwitchBoard] => C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AdobeCS6ServiceManager] => C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe [1073312 2012-03-09] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\qttask.exe [98304 2015-02-09] (Apple Computer, Inc.)
HKLM-x32\...\Run: [Andy] => C:\Program Files\Andy\HandyAndy.exe [907144 2015-02-03] ()
HKLM-x32\...\Run: [M-Audio Taskbar Icon] => C:\Windows\SysWOW64\DeltaIITray.exe [236040 2008-11-04] ()
HKLM-x32\...\Run: [ISUSScheduler] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\issch.exe [81920 2005-08-11] (Macrovision Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [597552 2015-08-04] (Oracle Corporation)
HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\Run: [DAEMON Tools Lite] => C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe [3672640 2013-03-14] (Disc Soft Ltd)
HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\Run: [Google Update] => C:\Users\Ataraxia\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-06-11] (Google Inc.)
HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\Run: [Spotify Web Helper] => C:\Users\Ataraxia\AppData\Roaming\Spotify\SpotifyWebHelper.exe [2018360 2015-08-22] (Spotify Ltd)
HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\Run: [ISUSPM Startup] => C:\Program Files (x86)\Common Files\InstallShield\UpdateService\ISUSPM.exe [249856 2005-08-11] (Macrovision Corporation)
HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7935904 2015-10-23] (SUPERAntiSpyware)
HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\MountPoints2: D - D:\Viewer.exe
HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\MountPoints2: H - H:\Newst.exe eMedia Piano Keyboard Method v2
HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\MountPoints2: {9d6ff105-cbfb-11e2-ba86-0012178fe75f} - H:\Newst.exe eMedia Piano Keyboard Method v2
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt64.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-03-04] (Dropbox, Inc.)
ShellIconOverlayIdentifiers-x32: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Ataraxia\AppData\Roaming\Dropbox\bin\DropboxExt.25.dll [2015-03-04] (Dropbox, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Firewall Control.lnk [2015-01-22]
ShortcutTarget: Windows Firewall Control.lnk -> C:\Program Files\Windows Firewall Control\wfc.exe (BiniSoft.org)
Startup: C:\Users\Ataraxia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UpdaterService.lnk [2014-11-11]
ShortcutTarget: UpdaterService.lnk -> C:\Program Files (x86)\DanuSoft Updater\UpdaterService.exe (Microsoft)
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:49748;https=127.0.0.1:49748;
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{04FB79BE-534D-4515-A85C-E69C7E21F96B}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{63FFECB6-ACE5-4BF5-9B5B-EBE28B18FDC5}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{875C2D96-0966-4613-8141-5941819B47A9}: [DhcpNameServer] 10.1.10.1
Tcpip\..\Interfaces\{A5A8F9D6-29E8-45EB-B82C-7C087532736C}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Internet Explorer:
==================
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com
HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM-x32 -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL =
SearchScopes: HKU\S-1-5-21-3489653347-2757803910-4052547008-1000 -> {E3BB1F90-9A1D-428C-B867-2A945870A065} URL = hxxp://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=293224&p={searchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Blog This in Windows Live v2 -> {3adefb8e-b923-35e6-86e2-2b7841f5d2a7} -> C:\Windows\SysWOW64\mscoree.dll [2009-11-25] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\ssv.dll [2015-09-05] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2012-07-17] (Microsoft Corp.)
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL [2010-02-28] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\jp2ssv.dll [2015-09-05] (Oracle Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2009-07-13] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2009-07-13] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Ataraxia\AppData\Roaming\Mozilla\Firefox\Profiles\wrgac85q.default
FF DefaultSearchUrl:
FF SelectedSearchEngine: Google
FF Homepage: hxxps://www.google.com/
FF Keyword.URL: hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=293224&p=
FF NetworkProxy: "type", 5
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_202.dll [2013-06-02] ()
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [2015-03-09] (Adobe Systems)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll [2013-06-02] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2013-04-08] ()
FF Plugin-x32: @java.com/DTPlugin,version=10.25.2 -> C:\Windows\SysWOW64\npDeployJava1.dll [2013-06-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.60.2 -> C:\Program Files (x86)\Java\jre1.8.0_60\bin\plugin2\npjp2.dll [2015-09-05] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL [2010-01-09] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2015-08-17] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2015-08-17] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.0.6 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2013-04-14] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2013-05-11] (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll [2015-03-09] (Adobe Systems)
FF Plugin HKU\S-1-5-21-3489653347-2757803910-4052547008-1000: @talk.google.com/GoogleTalkPlugin -> C:\Users\Ataraxia\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-3489653347-2757803910-4052547008-1000: @talk.google.com/O1DPlugin -> C:\Users\Ataraxia\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Plugin HKU\S-1-5-21-3489653347-2757803910-4052547008-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Ataraxia\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin HKU\S-1-5-21-3489653347-2757803910-4052547008-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Ataraxia\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll [2015-09-17] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Ataraxia\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-04-17] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Ataraxia\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-04-17] (Google)
FF Extension: turkopticon - C:\Users\Ataraxia\AppData\Roaming\Mozilla\Firefox\Profiles\wrgac85q.default\Extensions\{4324f4a6-3a89-477e-b388-6bca032df78b}.xpi [2013-08-22] [not signed]
FF Extension: Firefox Helper - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\a949ea8b2ccd6e0fb051f29334f9d183 [2014-11-09] [not signed]
FF Extension: ffChromeHelper - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\{3018E066E29024DC640B16DFE5F7E2B9} [2014-10-28] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [hotfix@mozilla.org] - C:\Users\Ataraxia\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix
FF Extension: Mozilla hotfix - C:\Users\Ataraxia\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix [2013-12-03] [not signed]
FF HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\Firefox\Extensions: [hotfix@mozilla.org] - C:\Users\Ataraxia\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2013-06-02] <==== ATTENTION

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
CHR Plugin: (Java™ Platform SE 7 U25) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)
CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)
CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (Shockwave Flash) - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_7_700_202.dll ()
CHR Plugin: (Java Deployment Toolkit 7.0.250.17) - C:\Windows\SysWOW64\npDeployJava1.dll (Oracle Corporation)
CHR Profile: C:\Users\Ataraxia\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Web Store) - C:\Users\Ataraxia\AppData\Local\Google\Chrome\User Data\Default\Extensions\djcfdncoelnlbldjfhinnjlhdjlikmph [2015-09-24]
CHR Extension: (Web Store) - C:\Users\Ataraxia\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgobopgcnapcnblkpelgjjblnjjpgejk [2015-09-30]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Ataraxia\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-07-25]
CHR HKLM-x32\...\Chrome\Extension: [phegaokedjdajgnfphbnpkcfdgjbidko] - C:\ProgramData\adawaretb\toolbar\chrome\toolbar.crx <not found>

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1155192 2015-08-26] (NVIDIA Corporation)
S2 McxSvc; C:\Windows\SysWOW64\wbem\msds.exe [3874913 2013-11-26] (Oracle Corporation) [File not signed]
R2 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1872504 2015-08-26] (NVIDIA Corporation)
R2 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe [5544568 2015-08-26] (NVIDIA Corporation)
R2 PaceLicenseDServices; C:\Program Files (x86)\Common Files\PACE\Services\LicenseServices\LDSvc.exe [2938880 2012-05-18] (PACE Anti-Piracy, Inc.) [File not signed]
R2 Piano Marvel Plugin; C:\Program Files (x86)\Piano Marvel Plugin\PianoMarvel.exe [1559280 2015-01-29] ()
S3 SwitchBoard; C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [517096 2010-02-19] (Adobe Systems Incorporated) [File not signed]
R2 WinArchiver Service; C:\Program Files\WinArchiver\WAService.exe [257336 2014-12-18] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
R2 _wfcs; C:\Program Files\Windows Firewall Control\wfcs.exe [97280 2015-01-22] (BiniSoft.org) [File not signed]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2013-06-02] (DT Soft Ltd)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
S3 gfiark; C:\Windows\System32\drivers\gfiark.sys [39504 2013-04-11] (ThreatTrack Security)
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-06-02] (GFI Software)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2014-12-06] ()
S3 MADFUAXIOMPRO; C:\Windows\System32\DRIVERS\MAudioAxiomPro_DFU.sys [47920 2011-05-20] (M-Audio)
S3 MAUSBAXIOMPRO; C:\Windows\System32\DRIVERS\MAudioAxiomPro.sys [189744 2011-05-20] (Avid Technology, Inc.)
R3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19576 2015-08-26] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [50472 2015-08-10] (NVIDIA Corporation)
R3 RT2500USB; C:\Windows\System32\DRIVERS\rt2500usb.sys [245248 2006-11-08] (Ralink Technology Inc.)
S3 RTCore64; C:\Program Files (x86)\EVGA Precision X\RTCore64.sys [15176 2013-05-22] ()
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R0 waemu; C:\Windows\System32\Drivers\waemu.sys [142096 2014-12-18] (Power Software Ltd)
S4 NVHDA; system32\drivers\nvhda64v.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2060-01-19 21:17 - 2015-05-29 19:27 - 00000000 ____D C:\Users\Ataraxia\Documents\Steinberg
2060-01-19 21:16 - 2015-09-01 17:46 - 00000000 ____D C:\Users\Ataraxia\Documents\VST3 Presets
2060-01-19 21:14 - 2060-01-19 21:14 - 00000000 ____D C:\Program Files\Common Files\Steinberg
2060-01-19 21:13 - 2060-01-19 21:13 - 00000000 ____D C:\ProgramData\Steinberg
2060-01-19 21:12 - 2060-01-19 21:18 - 00000049 _____ C:\Windows\SysWOW64\SYNSOPOS.exe.cfg
2060-01-19 21:12 - 2060-01-19 21:18 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eLicenser
2060-01-19 21:12 - 2060-01-19 21:17 - 00000000 ____D C:\Users\Ataraxia\AppData\Roaming\Steinberg
2060-01-19 21:12 - 2060-01-19 21:12 - 00002892 _____ () C:\Windows\SysWOW64\audcon.sys
2060-01-19 21:12 - 2060-01-19 21:12 - 00002285 _____ C:\Users\Ataraxia\Desktop\Cubase LE AI Elements 7 64bit.lnk
2060-01-19 21:12 - 2060-01-19 21:12 - 00000000 ____D C:\Users\Ataraxia\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steinberg Cubase LE AI Elements 7 64bit
2060-01-19 21:12 - 2060-01-19 21:12 - 00000000 ____D C:\ProgramData\Syncrosoft
2060-01-19 21:12 - 2060-01-19 21:12 - 00000000 ____D C:\Program Files\Common Files\Propellerhead Software
2060-01-19 21:12 - 2060-01-19 21:12 - 00000000 ____D C:\Program Files (x86)\Syncrosoft
2060-01-19 21:12 - 2015-02-09 00:06 - 00000000 ____D C:\Program Files\Steinberg
2060-01-19 21:12 - 2011-12-14 12:21 - 00086016 _____ C:\Windows\SysWOW64\SYNSOPOS.exe
2060-01-19 21:11 - 2060-01-19 21:18 - 00009506 _____ C:\Windows\DPINST.LOG
2060-01-19 21:11 - 2060-01-19 21:12 - 00000000 ____D C:\ProgramData\eLicenser
2060-01-19 21:11 - 2060-01-19 21:12 - 00000000 ____D C:\Program Files (x86)\eLicenser
2060-01-19 21:11 - 2060-01-19 21:11 - 00000000 ____D C:\Program Files\eLicenser
2060-01-19 21:11 - 2012-12-07 08:48 - 01714176 _____ (Steinberg Media Technologies GmbH) C:\Windows\system32\SYNSOACC.dll
2060-01-19 21:11 - 2012-12-07 08:48 - 01277952 _____ (Steinberg Media Technologies GmbH) C:\Windows\SysWOW64\SYNSOACC.dll
2060-01-19 21:05 - 2060-01-19 21:05 - 00000000 ____D C:\Users\Ataraxia\Downloads\Cubase_Elements_7_Trial_Installer_win
2015-10-29 16:46 - 2015-10-29 16:47 - 00025252 _____ C:\Users\Ataraxia\Downloads\FRST.txt
2015-10-29 16:45 - 2015-10-29 16:46 - 00000000 ____D C:\FRST
2015-10-29 16:45 - 2015-10-29 16:45 - 00000000 ____D C:\Users\Ataraxia\AppData\Roaming\SUPERAntiSpyware.com
2015-10-29 16:44 - 2015-10-29 16:45 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-10-29 16:44 - 2015-10-29 16:44 - 00001808 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2015-10-29 16:44 - 2015-10-29 16:44 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2015-10-29 16:44 - 2015-10-29 16:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-10-29 16:43 - 2015-10-29 16:43 - 02198016 _____ (Farbar) C:\Users\Ataraxia\Downloads\FRST64.exe
2015-10-29 16:37 - 2015-10-29 16:37 - 00000000 ____D C:\Windows\System32\Tasks\Safer-Networking
2015-10-29 16:35 - 2015-10-29 16:35 - 23795112 _____ (SUPERAntiSpyware) C:\Users\Ataraxia\Downloads\SUPERAntiSpyware.exe
2015-10-29 16:30 - 2015-10-29 16:30 - 00493681 __RSH C:\JOHZX
2015-10-29 00:35 - 2015-10-29 00:35 - 00364400 __RSH C:\ZDOGP
2015-10-29 00:32 - 2015-10-29 00:32 - 00000000 ____D C:\Users\Ataraxia\Downloads\Windows Loader v2.2.1. DAZ crack 7 DeGun TPB
2015-10-29 00:21 - 2015-10-29 00:21 - 01706667 ____R C:\Users\Ataraxia\Downloads\Windows Loader v2.2.1. DAZ crack 7 DeGun TPB.zip
2015-10-29 00:20 - 2015-10-29 16:30 - 03310500 _____ C:\Windows\system32\CFG2486421868
2015-10-28 23:46 - 2015-10-29 00:00 - 00000922 _____ C:\Users\Ataraxia\Desktop\New Text Document (7).txt
2015-10-28 20:37 - 2015-10-28 20:42 - 00000000 ____D C:\Users\Ataraxia\AppData\Roaming\tor
2015-10-27 18:03 - 2015-10-27 18:03 - 06392130 _____ C:\Users\Ataraxia\Downloads\mbam-chameleon-3.1.28.0.zip
2015-10-27 18:03 - 2015-10-27 18:03 - 00000000 ____D C:\Chameleon
2015-10-26 17:52 - 2015-10-26 17:52 - 00000000 ____D C:\Program Files\Common Files\AV
2015-10-25 20:48 - 2015-10-25 21:46 - 00000000 ____D C:\Users\Ataraxia\Downloads\The.Walking.Dead.S06E03.HDTV.x264-KILLERS[ettv]
2015-10-25 19:35 - 2015-10-27 18:43 - 00007607 _____ C:\Users\Ataraxia\AppData\Local\Resmon.ResmonCfg
2015-10-25 19:24 - 2015-10-29 01:14 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-10-25 19:24 - 2015-10-29 01:14 - 00000000 ____D C:\Users\Ataraxia\AppData\Local\EidUglu
2015-10-25 19:22 - 2015-10-29 01:14 - 00000000 ____D C:\Users\Ataraxia\Downloads\Fear.The.Walking.Dead.S01E02.HDTV.x264-KILLERS[ettv]
2015-10-25 19:22 - 2015-10-29 00:21 - 00000000 ____D C:\Users\Ataraxia\Downloads\Fear.The.Walking.Dead.S01E01.HDTV.x264-KILLERS[ettv]
2015-10-21 19:49 - 2015-10-23 01:27 - 00001499 _____ C:\Users\Ataraxia\Desktop\bandandsongnames.txt
2015-10-21 19:48 - 2015-10-21 19:48 - 00000983 _____ C:\Users\Public\Desktop\Mp3tag.lnk
2015-10-21 19:48 - 2015-10-21 19:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mp3tag
2015-10-21 19:48 - 2015-10-21 19:48 - 00000000 ____D C:\Program Files (x86)\Mp3tag
2015-10-21 19:47 - 2015-10-21 19:48 - 02910856 _____ C:\Users\Ataraxia\Downloads\mp3tagv272setup.exe
2015-10-21 14:17 - 2015-10-21 14:17 - 03946327 _____ C:\Users\Ataraxia\Downloads\bandpics.zip
2015-10-21 14:17 - 2015-10-21 14:17 - 00595293 _____ C:\Users\Ataraxia\Downloads\pics (1).zip
2015-10-20 23:27 - 2015-10-23 01:35 - 00000000 ____D C:\Users\Ataraxia\Downloads\American Horror Story Season 4 HDTV.XviD-AFG[Pawulon]
2015-10-20 23:27 - 2015-10-23 00:35 - 00000000 ____D C:\Users\Ataraxia\Downloads\American.Horror.Story.S05E02.PROPER.HDTV.x264-KILLERS[ettv]
2015-10-20 23:27 - 2015-10-22 00:25 - 00000000 ____D C:\Users\Ataraxia\Downloads\American.Horror.Story.S05E01.HDTV.x264-KILLERS[ettv]
2015-10-19 20:52 - 2015-10-19 21:06 - 00000000 ____D C:\Users\Ataraxia\Downloads\The.Simpsons.S27E04.PROPER.HDTV.x264-KILLERS[ettv]
2015-10-19 20:52 - 2015-10-19 21:00 - 00000000 ____D C:\Users\Ataraxia\Downloads\The.Walking.Dead.S06E02.HDTV.x264-FUM[ettv]
2015-10-16 21:56 - 2015-10-16 21:56 - 00000020 _____ C:\Users\Ataraxia\Desktop\New WinRAR archive (2).rar
2015-10-12 20:08 - 2015-10-12 20:14 - 51340842 _____ C:\Users\Ataraxia\Desktop\Slave_Machine8.wav
2015-10-12 19:40 - 2015-10-12 19:46 - 50966482 _____ C:\Users\Ataraxia\Desktop\Slave_Machine5.wav
2015-10-12 01:38 - 2015-10-12 01:44 - 00000000 ____D C:\Users\Ataraxia\Downloads\The.Simpsons.S27E03.INTERNAL.HDTV.x264-BATV[ettv]
2015-10-12 01:30 - 2015-10-12 01:32 - 00000000 ____D C:\Users\Ataraxia\Downloads\The.Simpsons.S27E02.HDTV.x264-KILLERS[ettv]
2015-10-12 01:29 - 2015-10-12 01:31 - 00000000 ____D C:\Users\Ataraxia\Downloads\The.Simpsons.S27E01.HDTV.x264-BATV[rarbg]
2015-10-12 01:28 - 2015-10-12 01:37 - 00000000 ____D C:\Users\Ataraxia\Downloads\The.Walking.Dead.S06E01.HDTV.XviD-FUM[ettv]
2015-10-12 01:28 - 2015-10-12 01:28 - 00000000 ____D C:\Users\Ataraxia\Downloads\The.Walking.Dead.S06E01.PROPER.HDTV.x264-KILLERS[ettv]
2015-10-05 22:16 - 2015-10-05 22:33 - 00000645 _____ C:\Users\Ataraxia\Desktop\New Text Document (6).txt
2015-10-05 20:20 - 2015-10-05 20:20 - 00000020 _____ C:\Users\Ataraxia\Desktop\New WinRAR archive.rar
2015-10-04 23:36 - 2015-10-04 23:36 - 00000000 ____D C:\Users\Ataraxia\Downloads\The.Simpsons.S27E01.HDTV.x264-BATV[ettv]
2015-10-03 23:07 - 2015-10-03 23:09 - 00000000 ____D C:\Users\Ataraxia\Downloads\Rick and Morty Season 1 [1080p] [HEVC]
2015-10-02 17:28 - 2015-10-21 15:01 - 00001915 _____ C:\Users\Ataraxia\Desktop\New Text Document (5).txt
2015-10-02 11:37 - 2015-10-02 11:37 - 00008163 _____ C:\Users\Ataraxia\Desktop\facepalm.jpg~c200

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-29 16:37 - 2014-11-08 22:03 - 00029524 _____ C:\Windows\wininit.ini
2015-10-29 16:37 - 2014-10-22 17:29 - 00000000 ____D C:\ProgramData\Spybot - Search & Destroy
2015-10-29 16:37 - 2014-10-22 17:29 - 00000000 ____D C:\Program Files (x86)\Spybot - Search & Destroy 2
2015-10-29 16:32 - 2013-06-02 17:06 - 01127354 _____ C:\Windows\WindowsUpdate.log
2015-10-29 16:30 - 2009-07-13 21:45 - 00018768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-10-29 16:30 - 2009-07-13 21:45 - 00018768 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-10-29 16:29 - 2014-04-27 18:30 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-10-29 16:29 - 2013-06-17 21:48 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-29 16:27 - 2013-06-17 21:48 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-29 16:26 - 2015-08-29 16:41 - 00014073 _____ C:\Windows\setupact.log
2015-10-29 16:26 - 2013-06-02 18:12 - 00000000 ____D C:\ProgramData\NVIDIA
2015-10-29 16:26 - 2009-07-13 22:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-10-29 06:26 - 2015-06-11 12:05 - 00000920 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3489653347-2757803910-4052547008-1000UA.job
2015-10-29 02:00 - 2013-06-02 19:09 - 00000000 ____D C:\Users\Ataraxia\AppData\Local\Adobe
2015-10-29 01:14 - 2015-05-30 15:06 - 00000000 ____D C:\Users\Ataraxia\AppData\Roaming\Andy
2015-10-29 01:14 - 2013-06-02 18:43 - 00000000 ____D C:\Users\Ataraxia\AppData\Roaming\vlc
2015-10-29 01:14 - 2013-06-02 18:39 - 00000000 ____D C:\Users\Ataraxia\AppData\Roaming\IrfanView
2015-10-29 01:14 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\registration
2015-10-29 01:14 - 2009-07-13 20:20 - 00000000 ____D C:\Windows\AppCompat
2015-10-29 01:13 - 2015-04-19 17:04 - 00000000 ____D C:\Music Projects
2015-10-29 00:36 - 2013-06-02 19:04 - 00000000 ____D C:\Users\Ataraxia\AppData\Roaming\uTorrent
2015-10-29 00:16 - 2013-06-02 17:15 - 00000000 ____D C:\Users\Ataraxia
2015-10-22 20:56 - 2009-07-13 19:34 - 00000428 _____ C:\Windows\win.ini
2015-10-22 20:56 - 2009-07-13 19:34 - 00000262 _____ C:\Windows\system.ini
2015-10-22 18:26 - 2015-06-11 12:05 - 00000868 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3489653347-2757803910-4052547008-1000Core.job
2015-10-22 12:16 - 2015-01-23 00:36 - 00000000 ____D C:\Users\Ataraxia\AppData\Local\Spectrasonics
2015-10-21 18:43 - 2015-09-07 10:41 - 00000000 ____D C:\Users\Ataraxia\AppData\Roaming\NVIDIA
2015-10-21 12:00 - 2015-08-09 13:39 - 00003745 _____ C:\Users\Ataraxia\Desktop\Age of Kali.txt
2015-10-12 19:55 - 2015-01-19 15:32 - 00000000 ____D C:\Program Files (x86)\coolpro2
2015-10-10 18:49 - 2014-12-31 20:33 - 00000000 ___RD C:\Users\Ataraxia\Dropbox
2015-10-04 19:18 - 2015-01-23 00:33 - 00000000 ____D C:\Users\Ataraxia\Documents\Cubase LE AI Elements Projects
2015-10-04 19:16 - 2015-01-22 21:14 - 00000000 ____D C:\Program Files (x86)\VstPlugins
2015-10-02 11:03 - 2009-07-13 22:08 - 00032584 _____ C:\Windows\Tasks\SCHEDLGU.TXT

==================== Files in the root of some directories =======

2014-07-22 19:19 - 2014-07-22 19:19 - 0000132 _____ () C:\Users\Ataraxia\AppData\Roaming\Adobe PNG Format CS6 Prefs
2014-04-24 18:28 - 2015-01-19 14:18 - 0006144 _____ () C:\Users\Ataraxia\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-10-25 19:35 - 2015-10-27 18:43 - 0007607 _____ () C:\Users\Ataraxia\AppData\Local\Resmon.ResmonCfg
2014-04-08 21:01 - 2014-04-08 21:01 - 1552389 _____ () C:\Users\Ataraxia\AppData\Local\soulseek-client.dat.1397016068078
2014-04-09 19:27 - 2014-04-09 19:27 - 1552389 _____ () C:\Users\Ataraxia\AppData\Local\soulseek-client.dat.1397096866545
2014-04-09 19:55 - 2014-04-09 19:55 - 1552389 _____ () C:\Users\Ataraxia\AppData\Local\soulseek-client.dat.1397098507085
2015-05-30 15:05 - 2015-05-30 15:05 - 0740775 _____ () C:\ProgramData\AndyDrivers.zip

Some files in TEMP:
====================
C:\Users\Ataraxia\AppData\Local\Temp\ose00000.exe


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-10-21 01:22

==================== End of FRST.txt ============================


Edited by nasdaq, 01 November 2015 - 09:44 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:10 PM

Posted 01 November 2015 - 10:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

() C:\Windows\Temp\~F3C7.tmp.exe
HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\Run: [AdobeBridge] => [X]
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope {EEE6C360-6118-11DC-9C72-001320C79847} URL =
BHO-x32: Blog This in Windows Live v2 -> {3adefb8e-b923-35e6-86e2-2b7841f5d2a7} -> C:\Windows\SysWOW64\mscoree.dll [2009-11-25] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.5\npGoogleUpdate3.dll [No File]
FF Extension: turkopticon - C:\Users\Ataraxia\AppData\Roaming\Mozilla\Firefox\Profiles\wrgac85q.default\Extensions\{4324f4a6-3a89-477e-b388-6bca032df78b}.xpi [2013-08-22] [not signed]
FF Extension: Firefox Helper - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\a949ea8b2ccd6e0fb051f29334f9d183 [2014-11-09] [not signed]
FF Extension: ffChromeHelper - C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\{3018E066E29024DC640B16DFE5F7E2B9} [2014-10-28] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [hotfix@mozilla.org] - C:\Users\Ataraxia\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix
FF Extension: Mozilla hotfix - C:\Users\Ataraxia\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix [2013-12-03] [not signed]
FF HKU\S-1-5-21-3489653347-2757803910-4052547008-1000\...\Firefox\Extensions: [hotfix@mozilla.org] - C:\Users\Ataraxia\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\38.0.2125.111\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
CHR Plugin: (Java Platform SE 7 U25) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Extension: (Web Store) - C:\Users\Ataraxia\AppData\Local\Google\Chrome\User Data\Default\Extensions\djcfdncoelnlbldjfhinnjlhdjlikmph [2015-09-24]
CHR Extension: (Web Store) - C:\Users\Ataraxia\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgobopgcnapcnblkpelgjjblnjjpgejk [2015-09-30]
CHR HKLM-x32\...\Chrome\Extension: [phegaokedjdajgnfphbnpkcfdgjbidko] - C:\ProgramData\adawaretb\toolbar\chrome\toolbar.crx <not found>
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S4 NVHDA; system32\drivers\nvhda64v.sys [X]
C:\Users\Ataraxia\AppData\Roaming\Mozilla\Firefox\Profiles\wrgac85q.default\Extensions\{4324f4a6-3a89-477e-b388-6bca032df78b}.xpi
CustomCLSID: HKU\S-1-5-21-3489653347-2757803910-4052547008-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Ataraxia\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3489653347-2757803910-4052547008-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Ataraxia\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3489653347-2757803910-4052547008-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Ataraxia\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
Task: {BF2BD5AC-4E1B-4A1E-A919-1DEDDF0937EE} - \Jelbrus Secure Web Task -> No File <==== ATTENTION
Task: {DCC257A4-4392-4D79-98D5-31ABAE0B5027} - \GPUP -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:85AA7074
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Register Baldur's Gate: Tales of the Sword Coast.lnk
AlternateDataStreams: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\View Baldur's Gate: Tales of The Sword Coast Readme.lnk
C:\Users\Ataraxia\AppData\Local\Temp\ose00000.exe
C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\a949ea8b2ccd6e0fb051f29334f9d183
C:\Program Files (x86)\Mozilla Firefox\distribution\bundles\{3018E066E29024DC640B16DFE5F7E2B9}
C:\Users\Ataraxia\AppData\Roaming\Mozilla\Firefox\Extensions\MozillaHotfix
C:\Users\Ataraxia\AppData\Local\Google\Chrome\User Data\Default\Extensions\djcfdncoelnlbldjfhinnjlhdjlikmph
C:\Users\Ataraxia\AppData\Local\Google\Chrome\User Data\Default\Extensions\kgobopgcnapcnblkpelgjjblnjjpgejk

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

CHR dev: Chrome dev build detected! <======= ATTENTION

Your copy of Chrome has been compromised

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants.

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

===

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do Export your Bookmarks
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

If you want to save your passwords as well see here: http://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Re-install Chrome and the Bookmarks.

<<<>>>

How is the computer running now?
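As an added illustration of how the entries in the posted FRST log get triaged (example code written for this page, not part of FRST or of the helper's instructions): a small parser for the dated "One Month Created/Modified" lines that flags the same kinds of entries the fixlist above targets. The attribute-letter meanings (R read-only, S system, H hidden, D directory) and the heuristics are assumptions, and the sample lines are copied from the log except for one constructed ~F3C7.tmp.exe entry.

```python
import re

# Hypothetical parser for FRST "One Month Created/Modified" lines (not FRST code).
# Assumed attribute letters: R read-only, S system, H hidden, D directory.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<vendor>[^)]*)\) )?(?P<path>.+)$"
)
GUID_RE = re.compile(r"^\{[0-9A-F-]{36}\}$", re.I)

def parse_line(line):
    # Returns a dict for one dated entry, or None for headings and blank lines.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    entry["is_dir"] = "D" in entry["attrs"]
    return entry

def flags_for(entry):
    # Heuristics mirroring what the helper's fixlist targeted in this thread.
    parts = entry["path"].split("\\")
    name, parents = parts[-1], [p.lower() for p in parts[:-1]]
    attrs, reasons = entry["attrs"], []
    if "S" in attrs and "H" in attrs and not entry["is_dir"] and len(parts) == 2:
        reasons.append("hidden+system file in drive root")  # C:\JOHZX, C:\ZDOGP
    if name.lower().endswith(".exe") and "temp" in parents:
        reasons.append("executable in a Temp directory")  # ~F3C7.tmp.exe, ose00000.exe
    if parents[-2:] == ["windows", "system32"] and not entry["is_dir"] and "." not in name and not entry["vendor"]:
        reasons.append("extensionless file with no vendor info in system32")  # CFG2486421868
    if entry["is_dir"] and "H" in attrs and parents[-1:] == ["programdata"] and GUID_RE.match(name):
        reasons.append("hidden GUID-named folder in ProgramData")
    return reasons

def triage(log_text):
    # Maps each flagged path to the reasons it was flagged.
    hits = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        reasons = flags_for(entry) if entry else []
        if reasons:
            hits[entry["path"]] = reasons
    return hits

# Constructed sample: lines copied from the posted log plus one invented entry
# for ~F3C7.tmp.exe (its size and timestamps are made up).
SAMPLE = r"""
2015-10-29 16:30 - 2015-10-29 16:30 - 00493681 __RSH C:\JOHZX
2015-10-29 00:20 - 2015-10-29 16:30 - 03310500 _____ C:\Windows\system32\CFG2486421868
2015-10-29 16:43 - 2015-10-29 16:43 - 02198016 _____ (Farbar) C:\Users\Ataraxia\Downloads\FRST64.exe
2015-10-25 19:24 - 2015-10-29 01:14 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-10-29 16:29 - 2015-10-29 16:29 - 00004096 _____ C:\Windows\Temp\~F3C7.tmp.exe
"""
```

Running `triage(SAMPLE)` flags four of the five sample entries and leaves the vendor-tagged FRST64.exe download alone; the heuristics are deliberately narrow, so anything they miss still needs the line-by-line review a helper does.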

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,182 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:10 PM

Posted 06 November 2015 - 11:05 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
