Infected with "Windows services.exe" trojan


  • This topic is locked
28 replies to this topic

#1 SergeantVau

  • Members
  • 21 posts

Posted 23 March 2016 - 04:35 PM

Avast gave me a warning about a Windows service.exe file being a trojan. Avast said it was read-only and couldn't remove or repair it. I tried AdwCleaner, but after rebooting my PC, I couldn't connect to the internet with anything but 64-bit Internet Explorer. I ran Winsock repair as directed to from my original thread, which gave me back full internet access. But the trojan still remains. I have a screenshot of the Avast message.


FRST logs


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by Lord Robert (administrator) on IG-88 (23-03-2016 17:20:52)
Running from C:\Users\Lord Robert\Desktop\things
Loaded Profiles: Lord Robert (Available Profiles: Lord Robert)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Acer Incorporated) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
(Acer Group) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
() C:\OEM\USBDECTION\USBS3S4Detection.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
(Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Egis Technology Inc.) C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil64_21_0_0_182_ActiveX.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [mwlDaemon] => C:\Program Files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe [349552 2010-05-26] (Egis Technology Inc.)
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [9642528 2010-02-24] (Realtek Semiconductor)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-17] (Apple Inc.)
HKLM-x32\...\Run: [IAStorIcon] => C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe [284696 2010-03-04] (Intel Corporation)
HKLM-x32\...\Run: [SuiteTray] => C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe [337264 2010-05-26] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisUpdate] => C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe [201584 2010-03-11] (Egis Technology Inc.)
HKLM-x32\...\Run: [EgisTecPMMUpdate] => C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe [407920 2010-03-11] (Egis Technology Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [60688 2015-12-17] (Apple Inc.)
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
HKLM-x32\...\Run: [BrowserPlugInHelper] => C:\Program Files (x86)\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe
HKLM-x32\...\Run: [WinampAgent] => "C:\Program Files (x86)\Winamp\winampa.exe"
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2011-10-28] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7139256 2016-03-19] (AVAST Software)
HKLM-x32\...\Run: [EaseUS EPM tray] => C:\Program Files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\EpmNews.exe
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
Winlogon\Notify\igfxcui:
HKLM\...\Policies\Explorer: [NoShellSearchButton] 0
HKLM\...\Policies\Explorer: [NoFolderOptions] 0x00000000
HKLM\...\Policies\Explorer: [NoTrayContextMenu] 0x00000000
HKLM\...\Policies\Explorer: [NoSetTaskBar] 0
HKLM\...\Policies\Explorer: [NoFileMenu] 0
HKLM\...\Policies\Explorer: [NoNetworkConnections] 0
HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0x00000000
HKLM\...\Policies\Explorer: [NoDesktop] 0x00000000
HKLM\...\Policies\Explorer: [MaxRecentDocs] 0
HKLM\...\Policies\Explorer: [NoNetConnectDisconnect] 0
HKLM\...\Policies\Explorer: [NoRemoteRecursiveEvents] 0
HKLM\...\Policies\Explorer: [NoRecentDocsHistory] 0x00000000
HKLM\...\Policies\Explorer: [NoFind] 0
HKLM\...\Policies\Explorer: [ClearRecentDocsOnExit] 0x00000000
HKLM\...\Policies\Explorer: [NoInternetIcon] 0
HKLM\...\Policies\Explorer: [NoStartBanner] 0x00000000
HKLM\...\Policies\Explorer: [NoNetHood] 0
HKLM\...\Policies\Explorer: [NoViewContextMenu] 0x00000000
HKLM\...\Policies\Explorer: [NoWinKey] 0
HKLM\...\Policies\Explorer: [NoNetConnextDisconnect] 0
HKLM\...\Policies\Explorer: [NoFavoritesMenu] 0
HKLM\...\Policies\Explorer: [NoWindowsUpdate] 0
HKLM\...\Policies\Explorer: [NoSMConfigurePrograms] 0
HKLM\...\Policies\Explorer: [NoControlPanle] 0
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\...\Run: [Spotify] => "C:\Users\Lord Robert\AppData\Roaming\Spotify\Spotify.exe" /uri spotify:autostart
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\...\Run: [SpybotSD TeaTimer] => C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\...\Run: [GalaxyClient] => [X]
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\...\MountPoints2: {af8fdca3-6eab-11e5-8923-00027222ab86} - E:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\...\Winlogon: [Userinit] C:\Windows\system32\userinit.exe [30720 2010-11-20] (Microsoft Corporation)
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\...0c966feabec1\InprocServer32: [Default-shell32] C:\Users\Lord Robert\AppData\Local\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\n. ATTENTION
HKU\S-1-5-18\...\Policies\system: [NoAdminPage] 0
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
ShellExecuteHooks-x32:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-02-10] (AVAST Software)
ShellIconOverlayIdentifiers: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll [2010-05-26] (Egis Technology Inc.)
ShellIconOverlayIdentifiers-x32: [egisPSDP] -> {30A0A3F6-38AC-4C53-BB8B-0D95238E25BA} => C:\Program Files (x86)\EgisTec MyWinLocker\x86\psdprotect.dll [2010-05-26] (Egis Technology Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk [2011-07-14]
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Lord Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Monitor Ink Alerts - HP Officejet 4620 series.lnk [2016-03-23]
ShortcutTarget: Monitor Ink Alerts - HP Officejet 4620 series.lnk -> C:\Program Files\HP\HP Officejet 4620 series\Bin\HPStatusBL.dll (Hewlett-Packard Co.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll No File
Winsock: Catalog9 02 mswsock.dll No File
Winsock: Catalog9 03 mswsock.dll No File
Winsock: Catalog9 04 mswsock.dll No File
Winsock: Catalog9 05 mswsock.dll No File
Winsock: Catalog9 06 mswsock.dll No File
Winsock: Catalog9 07 mswsock.dll No File
Winsock: Catalog9 08 mswsock.dll No File
Winsock: Catalog9 09 mswsock.dll No File
Winsock: Catalog9 10 mswsock.dll No File
Winsock: Catalog5-x64 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll No File
Winsock: Catalog9-x64 02 mswsock.dll No File
Winsock: Catalog9-x64 03 mswsock.dll No File
Winsock: Catalog9-x64 04 mswsock.dll No File
Winsock: Catalog9-x64 05 mswsock.dll No File
Winsock: Catalog9-x64 06 mswsock.dll No File
Winsock: Catalog9-x64 07 mswsock.dll No File
Winsock: Catalog9-x64 08 mswsock.dll No File
Winsock: Catalog9-x64 09 mswsock.dll No File
Winsock: Catalog9-x64 10 mswsock.dll No File
Tcpip\Parameters: [DhcpNameServer] 10.0.0.1
Tcpip\..\Interfaces\{A835D294-AF94-4EDD-9DDE-54D1FE9FBD57}: [DhcpNameServer] 10.0.0.1
Tcpip\..\Interfaces\{DE369CAE-449A-4C64-9231-374D09CFCE5E}: [DhcpNameServer] 10.0.0.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://acer.msn.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://acer.msn.com
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=AARTDF&pc=MAAR&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1174955219-694782196-2918772750-1001 -> DefaultScope {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1174955219-694782196-2918772750-1001 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-02-10] (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll [2009-01-26] (Safer Networking Limited)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-02-10] (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2012-04-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2012-04-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2012-04-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2012-04-20] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Lord Robert\AppData\Roaming\Mozilla\Firefox\Profiles\tycxbfmt.default
FF DefaultSearchEngine.US: Google
FF Homepage: hxxp://en.wikipedia.org/wiki/Main_Page
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_182.dll [2016-03-11] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_182.dll [2016-03-11] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1222172.dll [No File]
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @java.com/DTPlugin,version=1.6.0_35 -> C:\Windows\SysWOW64\npdeployJava1.dll [2012-09-18] (Sun Microsystems, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.20913.0\npctrl.dll [2013-09-13] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2011-05-13] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-03-20] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.5\npGoogleUpdate3.dll [2016-03-20] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.8 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1174955219-694782196-2918772750-1001: amazon.com/AmazonMP3DownloaderPlugin -> C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll [2012-10-24] (Amazon.com, Inc.)
FF Extension: Flashblock - C:\Users\Lord Robert\AppData\Roaming\Mozilla\Firefox\Profiles\tycxbfmt.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2016-01-03]
FF Extension: Default - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi [2016-03-15] [not signed]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-02-10]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-02-10]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-02-10]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [237096 2016-02-10] (AVAST Software)
S3 DAUpdaterSvc; C:\Program Files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [25832 2014-05-12] (BioWare)
S3 GalaxyClientService; C:\Program Files (x86)\GalaxyClient\GalaxyClientService.exe [1616440 2015-11-15] (GOG.com)
S3 GalaxyCommunication; C:\ProgramData\GOG.com\Galaxy\redists\GalaxyCommunication.exe [7184440 2015-12-09] (GOG.com)
S3 MWLService; C:\Program Files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [305520 2010-05-26] (Egis Technology Inc.)
R2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-02-10] (AVAST Software)
S1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-03-23] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-03-09] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-02-10] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-02-10] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-03-09] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [463744 2016-02-23] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [165344 2016-02-10] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [287016 2016-02-10] (AVAST Software)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
U5 GEARAspiWDM; C:\Windows\System32\Drivers\GEARAspiWDM.sys [33240 2012-08-21] (GEAR Software Inc.)
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-23 17:20 - 2016-03-23 17:20 - 00000000 ____D C:\FRST
2016-03-23 12:06 - 2016-03-23 12:06 - 00000000 ____D C:\Users\Lord Robert\AppData\Roaming\Doublefine
2016-03-23 12:01 - 2016-03-23 17:20 - 00000000 ____D C:\Users\Lord Robert\Desktop\things
2016-03-23 11:48 - 2016-03-23 11:48 - 00008496 _____ C:\Users\Lord Robert\.recently-used.xbel
2016-03-23 11:46 - 2016-03-23 11:46 - 00003042 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1458747978
2016-03-23 11:46 - 2016-03-23 11:46 - 00001041 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk
2016-03-23 11:46 - 2016-03-23 11:46 - 00001041 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-03-23 11:46 - 2016-03-23 11:45 - 00037144 _____ (AVAST Software) C:\Windows\system32\Drivers\aswKbd.sys
2016-03-23 11:25 - 2016-03-23 11:25 - 00053248 _____ C:\Windows\SysWOW64\zlib.dll
2016-03-23 11:25 - 2016-03-23 11:25 - 00000000 ____D C:\Support
2016-03-23 02:10 - 2016-03-23 02:10 - 00001123 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-03-23 02:10 - 2016-03-23 02:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-03-23 02:10 - 2016-03-23 02:10 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-03-22 17:36 - 2016-03-22 17:36 - 00705024 _____ C:\Users\Lord Robert\Desktop\FreeISOBurner.exe
2016-03-22 17:26 - 2016-03-22 17:26 - 00000000 _____ C:\asdsetup.exe
2016-03-22 17:14 - 2016-03-22 17:14 - 56885248 _____ C:\Windows\system32\config\software.bhv
2016-03-22 17:14 - 2016-03-22 17:14 - 21757952 _____ C:\Windows\system32\config\system.bhv
2016-03-22 17:14 - 2016-03-22 17:14 - 00524288 _____ C:\Windows\system32\config\default.bhv
2016-03-22 17:14 - 2016-03-22 17:14 - 00262144 _____ C:\Windows\system32\config\security.bhv
2016-03-22 17:14 - 2016-03-22 17:14 - 00262144 _____ C:\Windows\system32\config\sam.bhv
2016-03-22 15:22 - 2016-03-22 18:01 - 00000000 ____D C:\RescueCD Logs
2016-03-20 20:03 - 2016-03-23 17:08 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-03-20 20:03 - 2016-03-23 11:30 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-03-20 20:03 - 2016-03-20 20:03 - 00003904 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-03-20 20:03 - 2016-03-20 20:03 - 00003652 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-03-20 20:03 - 2016-03-20 20:03 - 00000000 ____D C:\Users\Lord Robert\AppData\Local\Google
2016-03-20 20:03 - 2016-03-20 20:03 - 00000000 ____D C:\Users\Lord Robert\AppData\Local\Deployment
2016-03-20 20:03 - 2016-03-20 20:03 - 00000000 ____D C:\Users\Lord Robert\AppData\Local\Apps\2.0
2016-03-20 20:03 - 2016-03-20 20:03 - 00000000 ____D C:\Program Files (x86)\Google
2016-03-20 16:31 - 2016-03-20 16:14 - 00024064 _____ C:\Windows\zoek-delete.exe
2016-03-20 16:14 - 2016-03-20 16:28 - 00000000 ____D C:\zoek_backup
2016-03-15 19:51 - 2016-03-15 19:52 - 01098961 _____ (Igor Pavlov) C:\Users\Lord Robert\Downloads\7z1514.exe
2016-03-15 19:48 - 2016-03-15 19:48 - 00000000 ____D C:\Users\Lord Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-03-15 19:48 - 2016-03-15 19:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR
2016-03-15 19:48 - 2016-03-15 19:48 - 00000000 ____D C:\Program Files\WinRAR
2016-03-15 19:47 - 2016-03-15 19:47 - 01992496 _____ C:\Users\Lord Robert\Downloads\winrar-x64-531.exe
2016-03-05 18:04 - 2016-03-05 18:13 - 00000000 ____D C:\Users\Lord Robert\Documents\SEGA Genesis Classics
2016-03-03 20:32 - 2016-03-03 20:32 - 00000000 ____D C:\Users\Lord Robert\AppData\LocalLow\Daedalic Entertainment GmbH

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-03-23 17:09 - 2013-05-05 15:05 - 00000000 ____D C:\Users\Lord Robert\Desktop\Gaming
2016-03-23 16:57 - 2012-03-31 12:00 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-03-23 13:08 - 2009-07-14 01:13 - 00781124 _____ C:\Windows\system32\PerfStringBackup.INI
2016-03-23 13:08 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-03-23 12:08 - 2009-07-14 01:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-03-23 12:06 - 2013-04-19 16:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com
2016-03-23 12:05 - 2013-04-27 14:06 - 00000000 ____D C:\GOG Games
2016-03-23 12:03 - 2013-04-19 16:24 - 00000000 ____D C:\Users\Lord Robert\Documents\GOG.com Downloads
2016-03-23 11:51 - 2013-02-18 15:00 - 00000000 ____D C:\Program Files (x86)\Steam
2016-03-23 11:49 - 2011-07-09 02:01 - 00000000 ____D C:\Users\Lord Robert\.gimp-2.6
2016-03-23 11:48 - 2011-07-12 15:22 - 00000000 ____D C:\Users\Lord Robert\AppData\Roaming\gtk-2.0
2016-03-23 11:48 - 2011-07-05 03:14 - 00000000 ____D C:\Users\Lord Robert
2016-03-23 11:46 - 2012-08-25 14:22 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-03-23 11:45 - 2011-07-05 16:07 - 00000000 ____D C:\ProgramData\AVAST Software
2016-03-23 11:45 - 2011-07-05 16:07 - 00000000 ____D C:\Program Files\AVAST Software
2016-03-23 11:37 - 2009-07-14 00:45 - 00009920 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-03-23 11:37 - 2009-07-14 00:45 - 00009920 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-03-23 11:30 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-03-23 02:07 - 2016-02-14 13:37 - 00000000 ____D C:\Users\Lord Robert\Desktop\Mozilla Firefox
2016-03-22 23:27 - 2015-02-14 13:18 - 00000000 ____D C:\Users\Lord Robert\AppData\Roaming\CDisplayEx
2016-03-21 18:51 - 2011-07-20 14:47 - 01333128 _____ C:\Windows\ntbtlog.txt
2016-03-21 18:38 - 2015-11-16 02:37 - 00002079 _____ C:\Users\Lord Robert\Desktop\Avast Free Antivirus.lnk
2016-03-20 23:51 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2016-03-20 23:50 - 2011-08-17 11:34 - 00000000 ____D C:\Users\Lord Robert\AppData\Local\ElevatedDiagnostics
2016-03-17 00:47 - 2012-03-20 19:00 - 00000000 ____D C:\Users\Lord Robert\AppData\Roaming\uTorrent
2016-03-16 23:24 - 2012-11-08 20:24 - 00000000 ____D C:\Users\Lord Robert\AppData\Roaming\vlc
2016-03-16 11:06 - 2009-07-14 01:08 - 00032544 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-03-13 17:04 - 2016-02-16 15:06 - 00000000 ____D C:\Users\Lord Robert\Desktop\ebay
2016-03-12 00:16 - 2016-01-11 02:36 - 00000000 ____D C:\Users\Lord Robert\Desktop\sterwers
2016-03-11 19:59 - 2012-03-31 12:00 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-03-11 19:58 - 2012-03-31 12:00 - 00797376 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-03-11 19:58 - 2011-07-06 22:48 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-03-11 13:09 - 2015-12-22 14:36 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2016-03-09 15:05 - 2016-02-10 00:11 - 00000000 ____D C:\Users\Lord Robert\Downloads\Fallout Tactics-GOG
2016-03-09 13:23 - 2011-07-05 16:07 - 01070904 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsnx.sys
2016-03-09 13:23 - 2011-07-05 16:07 - 00107792 _____ (AVAST Software) C:\Windows\system32\Drivers\aswmonflt.sys
2016-03-03 20:47 - 2011-08-29 13:26 - 00000000 ____D C:\Users\Lord Robert\Documents\My Games
2016-02-28 21:43 - 2015-06-10 18:31 - 00000000 ___RD C:\Users\Lord Robert\Desktop\Tabletop Games
2016-02-23 13:18 - 2011-07-05 16:07 - 00463744 _____ (AVAST Software) C:\Windows\system32\Drivers\aswsp.sys

==================== Files in the root of some directories =======

2013-05-07 15:48 - 2013-05-07 15:48 - 0000580 _____ () C:\Users\Lord Robert\AppData\Local\cookies.ini
2011-08-05 00:10 - 2011-08-05 00:10 - 0000099 _____ () C:\Users\Lord Robert\AppData\Local\fusioncache.dat
2014-03-10 17:46 - 2014-03-10 17:46 - 0007609 _____ () C:\Users\Lord Robert\AppData\Local\Resmon.ResmonCfg
2014-05-28 16:55 - 2014-05-28 16:55 - 0000057 _____ () C:\ProgramData\Ament.ini
2011-03-23 05:19 - 2011-03-23 05:22 - 0015545 _____ () C:\ProgramData\ArcadeDeluxe4.log
2011-07-07 00:26 - 2011-07-07 00:28 - 0000306 _____ () C:\ProgramData\hpzinstall.log
2013-07-22 18:07 - 2013-07-22 18:09 - 0000090 _____ () C:\ProgramData\PS.log

ZeroAccess:
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\@
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\U\trz28D1.tmp
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\U\trz3792.tmp
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\U\trzF2F5.tmp
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\U\trzF386.tmp
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\U\trzF551.tmp
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\L\00000004.@
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\L\1afb2d56
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\L\201d3dde
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\L\4cce1f70
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\L\55490ac4
C:\Windows\Installer\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\L\76603ac3

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-03-20 01:26

==================== End of FRST.txt ============================

Additional scan result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Lord Robert (2016-03-23 17:21:30)
Running from C:\Users\Lord Robert\Desktop\things
Windows 7 Home Premium Service Pack 1 (X64) (2011-07-05 07:14:52)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-1174955219-694782196-2918772750-500 - Administrator - Disabled)
Guest (S-1-5-21-1174955219-694782196-2918772750-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-1174955219-694782196-2918772750-1002 - Limited - Enabled)
Lord Robert (S-1-5-21-1174955219-694782196-2918772750-1001 - Administrator - Enabled) => C:\Users\Lord Robert

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-1174955219-694782196-2918772750-1001\...\uTorrent) (Version: 3.4.5.41865 - BitTorrent Inc.)
1954 Alcatraz (HKLM-x32\...\GOGPACK1954ALCATRAZ_is1) (Version: 2.0.0.2 - GOG.com)
Acer eRecovery Management (HKLM-x32\...\{7F811A54-5A09-4579-90E1-C93498E230D9}) (Version: 4.05.3013 - Acer Incorporated)
Acer Registration (HKLM-x32\...\Acer Registration) (Version: 1.03.3003 - Acer Incorporated)
Acrobat.com (HKLM-x32\...\{287ECFA4-719A-2143-A09B-D6A12DE54E40}) (Version: 1.6.65 - Adobe Systems Incorporated)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.010.20060 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.0.2.12610 - Adobe Systems Inc.)
Adobe Flash Player 21 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 21.0.0.182 - Adobe Systems Incorporated)
Adobe Flash Player 21 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 21.0.0.182 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.2 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.2.2.172 - Adobe Systems, Inc.)
Age of Booty (HKLM-x32\...\Steam App 21600) (Version:  - Certain Affinity)
Amazon MP3 Downloader 1.0.17 (HKLM-x32\...\Amazon MP3 Downloader) (Version: 1.0.17 - Amazon Services LLC)
Angry Video Game Nerd Adventures (HKLM-x32\...\Steam App 237740) (Version:  - FreakZone Games)
Apple Application Support (32-bit) (HKLM-x32\...\{7FA9ECCF-A2DE-4DA1-BFF3-81260DBDA68F}) (Version: 4.1.2 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{691F30EB-9009-475A-B8A9-E1BF39598FD5}) (Version: 4.1.2 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{3540181E-340A-4E7A-B409-31663472B2F7}) (Version: 9.1.0.6 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Aqua Kitty - Milk Mine Defender (HKLM-x32\...\GOGPACKAQUAKITTYMMD_is1) (Version: 2.3.0.5 - GOG.com)
Army Builder 3.4 (HKLM-x32\...\{43867B63-C464-4570-823D-D92DC08E3400}_is1) (Version: 3.4 - Lone Wolf Development, Inc.)
Avast Free Antivirus (HKLM-x32\...\avast) (Version: 11.1.2253 - AVAST Software)
Back to the Future - The Game (HKLM-x32\...\1207659097_is1) (Version: 2.1.0.5 - GOG.com)
Baldur's Gate -  The Original Saga (HKLM-x32\...\GOGPACKBALDURSGATE1_is1) (Version: 2.0.0.20 - GOG.com)
Baldur's Gate 2 Complete (HKLM-x32\...\GOGPACKBALDURSGATE2_is1) (Version: 2.0.0.12 - GOG.com)
Bastion (HKLM-x32\...\1423058311_is1) (Version: 2.0.0.6 - GOG.com)
Beneath a Steel Sky (HKLM-x32\...\GOGPACKBENEATH_is1) (Version: 2.0.0.9 - GOG.com)
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
Borderlands (HKLM-x32\...\Steam App 8980) (Version:  - Gearbox Software)
Borderlands 2 (HKLM-x32\...\Steam App 49520) (Version:  - Gearbox Software)
Braveland (HKLM-x32\...\GOGPACKBRAVELAND_is1) (Version: 2.1.0.3 - GOG.com)
calibre (HKLM-x32\...\{AB116F72-C91A-40F2-A25A-949B5D065EBB}) (Version: 2.3.0 - Kovid Goyal)
Capsule (HKLM-x32\...\Capsule) (Version: 1.0.000 - Green Man Gaming Limited)
CastleStorm (HKLM-x32\...\Steam App 241410) (Version:  - Zen Studios)
CDisplayEx 1.10.29 (HKLM-x32\...\CDisplayEx_is1) (Version:  - Progdigy Software S.A.R.L.)
Chaos on Deponia (HKLM-x32\...\1207659124_is1) (Version: 2.2.0.7 - GOG.com)
Cheat Engine 6.4 (HKLM-x32\...\Cheat Engine 6.4_is1) (Version:  - Cheat Engine)
Curse Of Monkey Island (HKLM-x32\...\bgbennyboyCMIReplacementSetup_is1) (Version: 1.0 - Quick and Easy Software)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Daggerfall (HKLM-x32\...\{75118CF3-44B5-411A-B3DD-C10432217693}) (Version: 1.00.0000 - Bethesda Softworks)
Day of the Tentacle Remastered (HKLM-x32\...\1456922969_is1) (Version: 2.0.0.4 - GOG.com)
Demon Stone (HKLM-x32\...\GOGPACKDEMONSTONE_is1) (Version: 2.0.0.9 - GOG.com)
Deponia (HKLM-x32\...\GOGPACKDEPONIA_is1) (Version: 2.1.0.7 - GOG.com)
Dolphin x86 (HKLM-x32\...\Dolphin x86) (Version: 4.0.2 - Dolphin Development Team)
Don't Starve (HKLM-x32\...\GOGPACKDONTSTARVE_is1) (Version: 2.7.0.16 - GOG.com)
doPDF 7.3 printer (HKLM\...\doPDF 7 printer_is1) (Version:  - Softland)
Dragon Age: Origins - Ultimate Edition (HKLM-x32\...\Steam App 47810) (Version:  - BioWare)
Dungeon Keeper 2 (HKLM-x32\...\GOGPACKDUNGEONKEEPER2_is1) (Version: 2.0.0.32 - GOG.com)
Dungeons and Dragons - Dragonshard (HKLM-x32\...\GOGPACKDNDDRAGONSHARD_is1) (Version: 2.0.0.10 - GOG.com)
Escape From Monkey Island (HKLM-x32\...\bgbennyboyEMIReplacementSetup_is1) (Version: 1.0 - Quick and Easy Software)
Far Cry 2 Fortune's Edition (HKLM-x32\...\GOGPACKFARCRY2_is1) (Version: 2.0.0.8 - GOG.com)
GIMP 2.6.11 (HKLM-x32\...\WinGimp-2.0_is1) (Version: 2.6.11 - The GIMP Team)
Goat Simulator (HKLM-x32\...\Steam App 265930) (Version:  - Coffee Stain Studios)
GOG Galaxy (HKLM-x32\...\{7258BA11-600C-430E-A759-27E2C691A335}_is1) (Version:  - GOG.com)
GOG.com Downloader version 3.6.0 (HKLM-x32\...\{456A5815-604D-4D72-94DF-346D2B978A59}_is1) (Version: 3.6.0 - GOG.com)
Goodbye Deponia (HKLM-x32\...\1207660233_is1) (Version: 2.1.0.10 - GOG.com)
Google Update Helper (x32 Version: 1.3.29.5 - Google Inc.) Hidden
Guacamelee! Super Turbo Championship Edition (HKLM-x32\...\1207665733_is1) (Version: 2.0.0.1 - GOG.com)
Hammerwatch (HKLM-x32\...\Steam App 239070) (Version:  - )
HP Officejet 4620 series Basic Device Software (HKLM\...\{B411AD10-1BC9-4939-8848-BC5E66F662B7}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Update (HKLM-x32\...\{6F1C00D2-25C2-4CBA-8126-AE9A6E2E9CD5}) (Version: 5.003.003.001 - Hewlett-Packard)
I Have No Mouth, and I Must Scream (HKLM-x32\...\GOGPACKIHAVENOMOUTH_is1) (Version: 2.0.0.7 - GOG.com)
I.R.I.S. OCR (HKLM-x32\...\{CA6BCA2F-EDEB-408F-850B-31404BE16A61}) (Version: 12.3.4.0 - HP)
Icewind Dale Complete (HKLM-x32\...\GOGPACKICEWINDDALE1_is1) (Version: 2.0.0.11 - GOG.com)
Icewind Dale II (HKLM-x32\...\GOGPACKICEWINDDALE2_is1) (Version: 2.0.0.11 - GOG.com)
Identity Card (HKLM-x32\...\Identity Card) (Version: 1.00.3003 - Acer Incorporated)
ImagXpress (x32 Version: 7.0.74.0 - Nero AG) Hidden
Indiana Jones and the Fate of Atlantis (HKLM-x32\...\Steam App 6010) (Version:  - LucasArts)
Indiana Jones and the Last Crusade (HKLM-x32\...\Steam App 32310) (Version:  - LucasArts)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 8.15.10.2361 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 9.6.0.1014 - Intel Corporation)
Ittle Dew (HKLM-x32\...\GOGPACKITTLEDEW_is1) (Version: 2.0.0.3 - GOG.com)
iTunes (HKLM\...\{FBEB98F8-64E4-4FA3-A15E-4A9F42FF962E}) (Version: 12.3.2.35 - Apple Inc.)
Junk Mail filter update (x32 Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
Lone Survivor - The Director's Cut (HKLM-x32\...\GOGPACKLONESURVIVORDC_is1) (Version: 2.0.0.2 - GOG.com)
Loom (HKLM-x32\...\Steam App 32340) (Version:  - LucasArts)
Machinarium (HKLM-x32\...\GOGPACKMACHINARIUM_is1) (Version: 2.0.0.6 - GOG.com)
Mesh Runtime (x32 Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}) (Version: 3.5.92.0 - Microsoft Corporation)
Microsoft Office 2010 (HKLM-x32\...\{95140000-0070-0000-0000-0000000FF1CE}) (Version: 14.0.4763.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.20913.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM-x32\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148 (HKLM\...\{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM-x32\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 3.1 (HKLM-x32\...\{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}) (Version: 3.1.10527.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 (HKLM-x32\...\{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}) (Version: 4.0.20823.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
Mozilla Firefox 45.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 45.0.1 (x86 en-US)) (Version: 45.0.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.0.1 - Mozilla)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MyWinLocker (x32 Version: 3.1.212.0 - Egis Technology Inc.) Hidden
MyWinLocker Suite (HKLM-x32\...\InstallShield_{738BF5C3-AF7B-4BB0-B7EF-E505EFC756BE}) (Version: 3.1.212.0 - Egis Technology Inc.)
MyWinLocker Suite (x32 Version: 3.1.212.0 - Egis Technology Inc.) Hidden
Nexus Mod Manager (HKLM\...\6af12c54-643b-4752-87d0-8335503010de_is1) (Version: 0.48.2 - Black Tree Gaming)
NOT A HERO (HKLM-x32\...\Steam App 274270) (Version:  - Roll7)
NVIDIA PhysX (HKLM-x32\...\{8B922CF8-8A6C-41CE-A858-F1755D7F5D29}) (Version: 9.12.1031 - NVIDIA Corporation)
Octodad - Dadliest Catch (HKLM-x32\...\1207660553_is1) (Version: 2.2.0.9 - GOG.com)
Octodad (HKLM-x32\...\Octodad) (Version:  - )
On the Rain-Slick Precipice of Darkness, Episode Two (HKLM-x32\...\On the Rain-Slick Precipice of Darkness, Episode Two) (Version: 1.00  - Hothead Games)
OpenAL (HKLM-x32\...\OpenAL) (Version:  - )
OpenOffice.org 3.3 (HKLM-x32\...\{3E171899-0175-47CC-84C4-562ACDD4C021}) (Version: 3.3.9567 - OpenOffice.org)
Overlord and Overlord -  Raising Hell (HKLM-x32\...\GOGPACKOVERLORDPACK_is1) (Version: 2.0.1.10 - GOG.com)
PCSX2 - Playstation 2 Emulator (HKLM-x32\...\pcsx2-r5350) (Version:  - )
PixelJunk Monsters HD (HKLM-x32\...\1207659883_is1) (Version: 2.1.0.6 - GOG.com)
Plants vs. Zombies: Game of the Year (HKLM-x32\...\Steam App 3590) (Version:  - PopCap)
Plastic Beach Carousel Screen Saver (HKLM-x32\...\Plastic Beach Carousel) (Version:  - )
Plastic Beach Swimming Screen Saver (HKLM-x32\...\Plastic Beach Swimming) (Version:  - )
Poker Night 2 (HKLM-x32\...\Steam App 234710) (Version:  - Telltale Games)
Poker Night at the Inventory (HKLM-x32\...\Steam App 31280) (Version:  - Telltale Games)
Project64 1.6 (HKLM-x32\...\{9559F7CA-5E34-4237-A2D9-D856464AD727}) (Version: 1.6 - Project64)
Psychonauts (HKLM-x32\...\Psychonauts_is1) (Version:  - GOG.com)
Quantum Conundrum (HKLM-x32\...\Steam App 200010) (Version:  - Airtight Games)
QuickTime 7 (HKLM-x32\...\{FF59BD75-466A-4D5A-AD23-AAD87C5FD44C}) (Version: 7.79.80.95 - Apple Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.5995 - Realtek Semiconductor Corp.)
Retro City Rampage (HKLM-x32\...\1207659049_is1) (Version: 2.14.0.30 - GOG.com)
Reus (HKLM-x32\...\GOGPACKREUS_is1) (Version: 2.2.0.15 - GOG.com)
Revo Uninstaller Pro 3.1.4 (HKLM\...\{67579783-0FB7-4F7B-B881-E5BE47C9DBE0}_is1) (Version: 3.1.4 - VS Revo Group, Ltd.)
Rogue Legacy (HKLM-x32\...\GOGPACKROGUELEGACY_is1) (Version: 2.2.0.10 - GOG.com)
SafeZone Stable 1.48.2066.44 (x32 Version: 1.48.2066.44 - Avast Software) Hidden
Sam and Max Beyond Space and Time (HKLM-x32\...\Sam and Max Beyond Space and Time_is1) (Version:  - GOG.com)
Sam and Max Save the World (HKLM-x32\...\Sam and Max Save the World_is1) (Version:  - GOG.com)
Sam and Max The - Devil's Playhouse (HKLM-x32\...\Sam and Max The - Devil's Playhouse_is1) (Version:  - GOG.com)
Sang-Froid -  A tale of werewolves (HKLM-x32\...\GOGPACKSANGFROIDTALEWEREWOLVES_is1) (Version: 2.0.0.4 - GOG.com)
ScummVM 1.4.1 (HKLM-x32\...\ScummVM_is1) (Version:  - The ScummVM Team)
SEGA Genesis & Mega Drive Classics (HKLM-x32\...\Steam App 34270) (Version:  - Sega)
Shadowrun Returns (HKLM-x32\...\GOGPACKSHADOWRUNRETURNS_is1) (Version: 2.2.0.10 - GOG.com)
Shovel Knight (HKLM-x32\...\1207664823_is1) (Version: 2.11.0.18 - GOG.com)
Shredder (Version: 2.0.8.3 - Egis Technology Inc.) Hidden
Shredder (x32 Version: 2.0.8.3 - Egis Technology Inc.) Hidden
Sid Meier's Pirates! (HKLM-x32\...\Steam App 3920) (Version:  - Firaxis)
Spelunky (HKLM-x32\...\GOGPACKSPELUNKY_is1) (Version: 2.0.0.6 - GOG.com)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
Star Wars - Jedi Knight II: Jedi Outcast (HKLM-x32\...\Steam App 6030) (Version:  - LucasArts)
Star Wars - Jedi Knight: Mysteries of the Sith (HKLM-x32\...\Steam App 32390) (Version:  - )
Star Wars Empire at War (HKLM-x32\...\{99AE7207-8612-4DBA-A8F8-BAE5C633390D}) (Version: 1.0 - LucasArts)
Star Wars Empire at War Forces of Corruption (HKLM-x32\...\{6592FDEC-2C1A-413A-9985-25FEC2F0848D}) (Version: 1.0 - LucasArts)
Star Wars Jedi Knight: Dark Forces II (HKLM-x32\...\Steam App 32380) (Version:  - )
Star Wars Jedi Knight: Jedi Academy (HKLM-x32\...\Steam App 6020) (Version:  - LucasArts)
Star Wars: Dark Forces (HKLM-x32\...\Steam App 32400) (Version:  - )
Star Wars: Knights of the Old Republic (HKLM-x32\...\Steam App 32370) (Version:  - BioWare)
Star Wars: Knights of the Old Republic II (HKLM-x32\...\Steam App 208580) (Version:  - LucasArts)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
SteamWorld Dig (HKLM-x32\...\GOGPACKSTEAMWORLDDIG_is1) (Version: 2.1.0.3 - GOG.com)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Tales From Space - Mutant Blobs Attack (HKLM-x32\...\GOGPACKMUTANTBLOBSATTACK_is1) (Version: 2.0.0.2 - GOG.com)
Tales of Monkey Island: Chapter 1 - Launch of the Screaming Narwhal (HKLM-x32\...\Steam App 31170) (Version:  - Telltale Games)
Tales of Monkey Island: Chapter 2 - The Siege of Spinner Cay  (HKLM-x32\...\Steam App 31180) (Version:  - Telltale Games)
Tales of Monkey Island: Chapter 3 - Lair of the Leviathan  (HKLM-x32\...\Steam App 31190) (Version:  - Telltale Games)
Tales of Monkey Island: Chapter 4 - The Trial and Execution of Guybrush Threepwood  (HKLM-x32\...\Steam App 31200) (Version:  - Telltale Games)
Tales of Monkey Island: Chapter 5 - Rise of the Pirate God (HKLM-x32\...\Steam App 31210) (Version:  - Telltale Games)
Terraria (HKLM-x32\...\Steam App 105600) (Version:  - Re-Logic)
TES Construction Set (HKLM-x32\...\{DB3C800B-081B-4146-B4E3-EFB5B77AA913}) (Version:  - )
Teslagrad (HKLM-x32\...\GOGPACKTESLAGRAD_is1) (Version: 2.0.0.3 - GOG.com)
The Adventures of Shuggy (HKLM-x32\...\1207659763_is1) (Version: 2.1.0.8 - GOG.com)
The Banner Saga (HKLM-x32\...\1207660483_is1) (Version: 2.2.0.4 - GOG.com)
The Book of Unwritten Tales -  Critter Chronicles (HKLM-x32\...\GOGPACKBOOKOFUNWRITTENTALESCRITTER_is1) (Version: 2.0.0.6 - GOG.com)
The Book of Unwritten Tales (HKLM-x32\...\GOGPACKBOUT_is1) (Version: 2.0.0.4 - GOG.com)
The Dig (HKLM-x32\...\Steam App 6040) (Version:  - LucasArts)
The Elder Scrolls Arena (HKLM-x32\...\{62E2BBFA-BE97-42CD-AE89-A4EEF7F36992}) (Version: 1.00.0000 - Bethesda Softworks)
The Elder Scrolls III: Morrowind (HKLM-x32\...\Steam App 22320) (Version:  - Bethesda Game Studios®)
The Elder Scrolls IV: Oblivion  (HKLM-x32\...\Steam App 22330) (Version:  - Bethesda Game Studios)
The Elder Scrolls V: Skyrim (HKLM-x32\...\Steam App 72850) (Version:  - Bethesda Game Studios)
The Expendabros (HKLM-x32\...\Steam App 312990) (Version:  - Free Lives)
The Inner World (HKLM-x32\...\GOGPACKTHEINNERWORLD_is1) (Version: 2.0.0.2 - GOG.com)
The Swapper (HKLM-x32\...\GOGPACKTHESWAPPER_is1) (Version: 2.0.0.2 - GOG.com)
The Walking Dead (HKLM-x32\...\Steam App 207610) (Version:  - )
The Walking Dead: Season Two (HKLM-x32\...\Steam App 261030) (Version:  - Telltale Games)
Torchlight II (HKLM-x32\...\Steam App 200710) (Version:  - )
Unholy Heights (HKLM-x32\...\1207661823_is1) (Version: 2.1.0.17 - GOG.com)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
VTech Download Agent Library (x32 Version: 1.00.0000 - VTech) Hidden
Waking Mars (HKLM-x32\...\GOGPACKWAKINGMARS_is1) (Version: 2.0.0.3 - GOG.com)
Warhammer 40,000: Dawn of War – Dark Crusade (HKLM-x32\...\Steam App 4580) (Version:  - Relic)
Warhammer 40,000: Dawn of War - Game of the Year Edition (HKLM-x32\...\Steam App 4570) (Version:  - Relic)
Warhammer 40,000: Dawn of War – Soulstorm (HKLM-x32\...\Steam App 9450) (Version:  - Relic)
Warhammer 40,000: Dawn of War – Winter Assault (HKLM-x32\...\Steam App 9310) (Version:  - Relic)
Warhammer® 40,000™: Dawn of War® II - Chaos Rising™ (HKLM-x32\...\Steam App 20570) (Version:  - Relic)
Warhammer® 40,000™: Dawn of War® II – Retribution™ (HKLM-x32\...\Steam App 56400) (Version:  - Relic)
Warhammer® 40,000™: Dawn of War® II (HKLM-x32\...\Steam App 15620) (Version:  - Relic)
Welcome Center (HKLM-x32\...\Acer Welcome Center) (Version: 1.02.3005 - Acer Incorporated)
WIDCOMM Bluetooth Software (HKLM\...\{436E0B79-2CFB-4E5F-9380-E17C1B25D0C5}) (Version: 6.3.0.6300 - Broadcom Corporation)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 15.4.3538.0513 - Microsoft Corporation)
Windows Live Mesh ActiveX Control for Remote Connections (HKLM-x32\...\{2902F983-B4C1-44BA-B85D-5C6D52E2C441}) (Version: 15.4.5722.2 - Microsoft Corporation)
WinRAR 5.31 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.31.0 - win.rar GmbH)
WinX Free AVI to MP4 Converter 4.1.1 (HKLM-x32\...\WinX Free AVI to MP4 Converter_is1) (Version:  - Digiarty Software,Inc.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-1174955219-694782196-2918772750-1001_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 -> C:\Users\Lord Robert\AppData\Local\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\n. => No File

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {161F266F-1498-44A1-BC38-8B842C567AEB} - System32\Tasks\{079AB151-40C8-4C28-BFF3-B132CA095C99} => pcalua.exe -a "C:\GOG Games\Baldur's Gate 2\setup-bgt.exe" -d "C:\GOG Games\Baldur's Gate 2"
Task: {2BD00364-0C12-4EB9-8176-BB7CCC65047A} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-03-20] (Google Inc.)
Task: {2F766E98-086B-4E14-B619-EDC769FDE111} - System32\Tasks\SafeZone scheduled Autoupdate 1458747978 => C:\Program Files\AVAST Software\SZBrowser\launcher.exe [2016-02-01] (Avast Software)
Task: {34D55B20-A259-404D-AEC8-F426E1A77134} - System32\Tasks\avast! Emergency Update => C:\Program Files\AVAST Software\Avast\AvastEmUpdate.exe [2016-02-10] (AVAST Software)
Task: {37141702-8F70-4B25-9D81-EAEECD1BB5ED} - System32\Tasks\{ED5AD045-E0B4-4A58-973E-0070C82519A8} => pcalua.exe -a "C:\GOG Games\Baldur's Gate\setup-bg1ub.exe" -d "C:\GOG Games\Baldur's Gate"
Task: {3FAD2837-BE59-4C8D-A81C-1BB73C0B973C} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe [2016-03-04] (AVAST Software)
Task: {47FE9833-CEB3-4D10-9AB7-476BA85BAFA4} - System32\Tasks\{1FAD1210-F465-4703-9BA9-96B2689B8C71} => pcalua.exe -a D:\setup.exe -d D:\
Task: {53AA1752-1296-4CBA-8E37-7824B0C75515} - System32\Tasks\{5BE20000-CCB6-4942-9415-70FA2EAF9401} => pcalua.exe -a C:\Users\LORDRO~1\AppData\Local\Temp\InstallFlashPlayer.exe -d "C:\Program Files (x86)\Mozilla Firefox"
Task: {570A7B95-ADA4-460C-AE23-8804ABDA2F07} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2015-12-14] (Adobe Systems Incorporated)
Task: {59D16EA1-6D2F-490E-90FD-05D40D43A046} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe [2015-08-27] (Apple Inc.)
Task: {6726466B-C07F-414E-BC39-9415A50E6D31} - System32\Tasks\HP Officejet 4620 series.exe_{A839F83C-83CA-4B8E-A442-521229710E96} => C:\Program Files\HP\HP Officejet 4620 series\Bin\HP Officejet 4620 series.exe [2012-10-17] (Hewlett-Packard Co.)
Task: {69FAE320-335F-4DD7-A0B2-80B34D5C4CFC} - System32\Tasks\{FF82A5E6-ACB0-4DCE-A960-585DC6A65BDF} => pcalua.exe -a "C:\Users\Lord Robert\Documents\GOG.com Downloads\baldurs_gate_the_original_saga\widescreen-v3.05.exe" -d "C:\Users\Lord Robert\Documents\GOG.com Downloads\baldurs_gate_the_original_saga"
Task: {7629F835-F985-4E02-B8A2-DB469DD2542D} - System32\Tasks\{7C1E5AE4-1A6B-47AE-A37C-081B467744EB} => pcalua.exe -a "C:\GOG Games\Baldur's Gate 2\setup-bgtmusic.exe" -d "C:\GOG Games\Baldur's Gate 2"
Task: {7B31A7A4-51CE-4BB3-91E6-765FC41C379A} - System32\Tasks\{1420323D-BC2E-4633-803F-925A424F7987} => pcalua.exe -a "C:\Users\Lord Robert\Downloads\realtek_lan_5782_03212011\PCIE_Install_5782_03212011\setup.exe" -d "C:\Users\Lord Robert\Downloads\realtek_lan_5782_03212011\PCIE_Install_5782_03212011" -c -s
Task: {7EC45343-2135-4EB8-BAE4-8070EA876612} - System32\Tasks\{FC676F26-CED4-43A1-A75C-6C94A3215839} => pcalua.exe -a "C:\Program Files (x86)\Steam\steam.exe" -c steam://uninstall/629
Task: {93205BB4-A99E-437D-B209-639963C64781} - System32\Tasks\{95990C61-60EC-44CC-B70A-4903D7902D21} => pcalua.exe -a "C:\Program Files (x86)\4Media\iPod to PC Transfer\Uninstall.exe"
Task: {C5DFE19A-01A2-4594-A671-77E744C3202E} - System32\Tasks\{DA9F099E-DFDE-4A11-8A87-B92E9048AFAF} => pcalua.exe -a "C:\Program Files (x86)\Steam\steam.exe" -c steam://uninstall/9320
Task: {C63C5C6B-8B75-4112-B7C1-27058F11E409} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-03-20] (Google Inc.)
Task: {DF2F298A-3E9F-4E7E-B326-54E94CBFED91} - System32\Tasks\{264A60F5-1D2E-496D-9063-426CF5EA6DED} => pcalua.exe -a "C:\Program Files (x86)\Hi-Rez Studios\HiRezGamesDiagAndSupport.exe" -c uninstall=17
Task: {EB7B86C3-CF7E-4721-BA99-27912BAFDD62} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-03-11] (Adobe Systems Incorporated)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\Lord Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bethesda Softworks\Daggerfall\Launch Daggerfall (Full Screen).lnk -> C:\Program Files (x86)\Bethesda Softworks\daggerfall\Daggerfall (Full Screen).bat ()
Shortcut: C:\Users\Lord Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bethesda Softworks\Daggerfall\Launch Daggerfall (Windowed).lnk -> C:\Program Files (x86)\Bethesda Softworks\daggerfall\Daggerfall (Windowed).bat ()
Shortcut: C:\Users\Lord Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bethesda Softworks\Arena\Launch Arena (Full Screen).lnk -> C:\Program Files (x86)\Bethesda Softworks\Arena\Arena (Full Screen).bat ()
Shortcut: C:\Users\Lord Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Bethesda Softworks\Arena\Launch Arena (Windowed).lnk -> C:\Program Files (x86)\Bethesda Softworks\Arena\Arena (Windowed).bat ()

==================== Loaded Modules (Whitelisted) ==============

2011-09-08 12:50 - 2010-11-20 09:27 - 00326144 _____ () C:\Windows\system32\mswsock.dll
2011-09-08 12:50 - 2010-11-20 09:27 - 00326144 _____ () C:\Windows\system32\MSWSOCK.dll
2010-07-29 19:39 - 2010-07-29 19:39 - 00173856 _____ () C:\Program Files\WIDCOMM\Bluetooth Software\btkeyind.dll
2015-10-13 06:45 - 2015-10-13 06:45 - 00085800 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2015-10-13 06:45 - 2015-10-13 06:45 - 01328912 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2011-09-08 12:27 - 2011-09-08 12:27 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2009-12-13 22:19 - 2009-12-09 05:24 - 00076320 _____ () C:\OEM\USBDECTION\USBS3S4Detection.exe
2016-02-10 00:05 - 2016-02-10 00:05 - 00113496 _____ () C:\Program Files\AVAST Software\Avast\log.dll
2016-02-10 00:05 - 2016-02-10 00:05 - 00133768 _____ () C:\Program Files\AVAST Software\Avast\JsonRpcServer.dll
2016-03-23 11:28 - 2016-03-23 11:28 - 02857472 _____ () C:\Program Files\AVAST Software\Avast\defs\16032301\algo.dll
2016-02-10 00:05 - 2016-02-10 00:05 - 00480760 _____ () C:\Program Files\AVAST Software\Avast\ffl2.dll
2016-03-23 17:10 - 2016-03-23 17:10 - 02857472 _____ () C:\Program Files\AVAST Software\Avast\defs\16032302\algo.dll
2015-12-09 02:06 - 2015-12-09 02:06 - 40539648 _____ () C:\Program Files\AVAST Software\Avast\libcef.dll
2012-05-10 11:49 - 2012-05-10 11:49 - 00170496 _____ () C:\Windows\assembly\NativeImages_v2.0.50727_32\IsdiInterop\dc45bfd22b86df0074e8e521ada8d55f\IsdiInterop.ni.dll
2010-12-08 22:37 - 2010-03-04 00:08 - 00058880 _____ () C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IsdiInterop.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 22:34 - 2009-06-10 17:00 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-1174955219-694782196-2918772750-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Lord Robert\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 10.0.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
mpsdrv => Firewall Service is not running.
MpsSvc => Firewall Service is not running.
bfe => Firewall Service is not running.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\Services: McAfee SiteAdvisor Service => 2
MSCONFIG\Services: McMPFSvc => 2
MSCONFIG\Services: mcmscsvc => 2
MSCONFIG\Services: McNaiAnn => 2
MSCONFIG\Services: McNASvc => 2
MSCONFIG\Services: McODS => 3
MSCONFIG\Services: McProxy => 2
MSCONFIG\Services: mfefire => 2
MSCONFIG\startupreg: Steam => "C:\Program Files (x86)\Steam\Steam.exe" -silent

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Restore Points =========================

13-03-2016 13:10:24 Scheduled Checkpoint
20-03-2016 15:31:19 Restore Operation
20-03-2016 16:18:44 zoek.exe restore point
23-03-2016 12:06:54 Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
23-03-2016 12:07:36 Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
Check "winmgmt" service or repair WMI.

==================== Faulty Device Manager Devices =============

Name: UMBus Root Bus Enumerator
Description: UMBus Root Bus Enumerator
Class Guid: {4d36e97d-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: umbus
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Unknown Device
Description: Unknown Device
Class Guid: {36fc9e60-c465-11cf-8056-444553540000}
Manufacturer: (Standard USB Host Controller)
Service:
Problem: : Windows has stopped this device because it has reported problems. (Code 43)
Resolution: One of the drivers controlling the device notified the operating system that the device failed in some manner. For more information about how to diagnose the problem, see the hardware documentation.

Name: Microsoft PS/2 Mouse
Description: Microsoft PS/2 Mouse
Class Guid: {4d36e96f-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: i8042prt
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.

==================== Event log errors: =========================

Application errors:
==================
Error: (03/23/2016 11:50:40 AM) (Source: Steam Client Service) (EventID: 1) (User: )
Description: Error: Failed to add firewall exception for C:\Program Files (x86)\Steam\bin\steamwebhelper.exe

Error: (03/23/2016 11:50:40 AM) (Source: Steam Client Service) (EventID: 1) (User: )
Description: Error: Failed to add firewall exception for C:\Program Files (x86)\Steam\steam.exe

Error: (03/23/2016 01:58:54 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program gimp-2.6.exe version 0.0.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 17f0

Start Time: 01d184c9009e348e

Termination Time: 0

Application Path: C:\Program Files (x86)\GIMP-2.0\bin\gimp-2.6.exe

Report Id: 4f1a775f-f0bc-11e5-8fa4-1078d2e25f95

Error: (03/23/2016 12:16:14 AM) (Source: Steam Client Service) (EventID: 1) (User: )
Description: Error: Failed to add firewall exception for C:\Program Files (x86)\Steam\bin\steamwebhelper.exe

Error: (03/23/2016 12:16:14 AM) (Source: Steam Client Service) (EventID: 1) (User: )
Description: Error: Failed to add firewall exception for C:\Program Files (x86)\Steam\steam.exe

Error: (03/20/2016 09:19:55 PM) (Source: Steam Client Service) (EventID: 1) (User: )
Description: Error: Failed to add firewall exception for C:\Program Files (x86)\Steam\bin\steamwebhelper.exe

Error: (03/20/2016 09:19:55 PM) (Source: Steam Client Service) (EventID: 1) (User: )
Description: Error: Failed to add firewall exception for C:\Program Files (x86)\Steam\steam.exe

Error: (03/20/2016 08:37:26 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program iexplore.exe version 8.0.7601.17514 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 930

Start Time: 01d182ff65fd5d23

Termination Time: 0

Application Path: C:\Program Files\Internet Explorer\iexplore.exe

Report Id: fe7d0416-eefc-11e5-99c2-1078d2e25f95

Error: (03/20/2016 03:38:43 PM) (Source: System Restore) (EventID: 8206) (User: )
Description: The restore point selected was damaged or deleted during the restore (Scheduled Checkpoint).

Error: (03/20/2016 03:11:44 PM) (Source: Steam Client Service) (EventID: 1) (User: )
Description: Error: Failed to add firewall exception for C:\Program Files (x86)\Steam\bin\steamwebhelper.exe

System errors:
=============
Error: (03/23/2016 05:09:31 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (03/23/2016 05:09:31 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (03/23/2016 02:46:01 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (03/23/2016 02:46:01 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (03/23/2016 11:31:20 AM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The HomeGroup Provider service depends on the Function Discovery Resource Publication service which failed to start because of the following error:
%%-2147024891

Error: (03/23/2016 11:31:20 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (03/23/2016 11:30:37 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Function Discovery Resource Publication service terminated with the following error:
%%-2147024891

Error: (03/23/2016 11:30:36 AM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.

Error: (03/23/2016 11:30:36 AM) (Source: Service Control Manager) (EventID: 7003) (User: )
Description: The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.

Error: (03/23/2016 11:30:22 AM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

==================== Memory info ===========================

Processor: Intel® Core™ i3 CPU 550 @ 3.20GHz
Percentage of memory in use: 33%
Total physical RAM: 6071.07 MB
Available physical RAM: 4022.34 MB
Total Virtual: 12140.34 MB
Available Virtual: 10024.5 MB

==================== Drives ================================

Drive c: (Acer) (Fixed) (Total:913.41 GB) (Free:287.32 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: C7B82802)
Partition 1: (Not Active) - (Size=18 GB) - (Type=27)
Partition 2: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=913.4 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


#2 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,486 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:11 AM

Posted 23 March 2016 - 09:17 PM

Greetings SergeantVau and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far.

Please consider and do this.

===================================================

BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Please let me know if you have already noticed evidences of financial institution irregularities. Those accounts should be monitored from this point forward.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
 

Here are some thoughts I have put together for people who ask what they should do in light of the infection. Ultimately each user must decide for themselves what to do and the below are things you might want to consider.

It is necessary for us to at least make you aware of the worst case scenario. This is because of the potential Backdoor Trojans bring with them, but it is not a determination on our part that your situation currently falls within this worst case scenario.

Ultimately it is a personal decision whether to reformat or not. What decision should you make to let you sleep well at night? It is different for different people. I will say whether rightly or wrongly most people decide to clean and not reformat, at least initially.

The only insight I can offer is how I evaluate the issue personally even though I have never had a Backdoor Trojan on my computer. One of the primary purposes for malicious software is to somehow separate you from your money. It seems reasonable to assume that a thief trying to take your money via a Backdoor Trojan will hit you hard, and quickly. Once your computer starts to act up and you become suspicious you have the opportunity to eliminate access to your computer and change the information taken, namely account and password information. The key to this, in my opinion, is whether or not you have noticed any irregularities in your banking or other financial institutions, or things like email and social network accounts (i.e. Facebook). If you have not seen any evidence of that then you may question whether your information has truly been stolen. If it seems it hasn't, and your critical information has been changed, it is reasonable to be more confident you are safe but you must stop short of claiming an absolute guarantee.

If, after careful consideration you decide not to reformat your computer it would be wise to continue monitoring your sensitive data and don't wait to address future symptoms on your computer which seem to be malware related.

The bottom line, the only way to be absolutely sure to be rid of a Backdoor Trojan is to reformat. The decision is yours.

Oh My!


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

===================================================

Peer to Peer (P2P) Warning

--------------------

Going over your logs I noticed that you have µTorrent installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked resulting in your IP address being monitored by copyright authorities.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.

===================================================

Running Combofix in Vista/7

--------------------
  • Please download ComboFix and save it to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Note: If, after disabling, Combofix warns you an Antivirus program is still running, ignore the warning and run Combofix.
  • Double click on Combofix.exe and follow the prompts. It is important you do not mouse click while the program is running or it may stall.
  • Patiently allow the program to run. At times it may appear nothing is happening
  • Copy and paste the report in your reply
  • If Combofix fails to run completely stop and let me know
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key Windows_Logo_key.gif + r on your keyboard at the same time. Type in notepad and press Enter
  • Click Format and check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it to your Desktop as fixlist.txt. If FRST.exe is not on your Desktop please move it to that location. (<<<Important)
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\...\Run: [GalaxyClient] => [X]
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
ShellExecuteHooks-x32:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll No File
Winsock: Catalog9 02 mswsock.dll No File
Winsock: Catalog9 03 mswsock.dll No File
Winsock: Catalog9 04 mswsock.dll No File
Winsock: Catalog9 05 mswsock.dll No File
Winsock: Catalog9 06 mswsock.dll No File
Winsock: Catalog9 07 mswsock.dll No File
Winsock: Catalog9 08 mswsock.dll No File
Winsock: Catalog9 09 mswsock.dll No File
Winsock: Catalog9 10 mswsock.dll No File
Winsock: Catalog5-x64 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll No File
Winsock: Catalog9-x64 02 mswsock.dll No File
Winsock: Catalog9-x64 03 mswsock.dll No File
Winsock: Catalog9-x64 04 mswsock.dll No File
Winsock: Catalog9-x64 05 mswsock.dll No File
Winsock: Catalog9-x64 06 mswsock.dll No File
Winsock: Catalog9-x64 07 mswsock.dll No File
Winsock: Catalog9-x64 08 mswsock.dll No File
Winsock: Catalog9-x64 09 mswsock.dll No File
Winsock: Catalog9-x64 10 mswsock.dll No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1222172.dll [No File]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
CustomCLSID: HKU\S-1-5-21-1174955219-694782196-2918772750-1001_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 -> C:\Users\Lord Robert\AppData\Local\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\n. => No File
Task: {47FE9833-CEB3-4D10-9AB7-476BA85BAFA4} - System32\Tasks\{1FAD1210-F465-4703-9BA9-96B2689B8C71} => pcalua.exe -a D:\setup.exe -d D:\
cmd: netsh winsock reset
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

AdwCleaner by Xplode - Delete Adware

-------------------
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed you will see Pending. Please check elements you don't want to remove above the progress bar
  • Click on Clean
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
  • You can also find the logfile at C:\AdwCleaner\AdwCleaner.txt
===================================================

Junkware Removal Tool

-------------------
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply
===================================================

System Summary Information

--------------------
  • Press the windows key Windows_Logo_key.gif + r on your keyboard at the same time
  • Type msinfo32 and press Enter
  • Left click on System Summary
  • Click File, Save, and name the file Summary
  • Zip and attach the file to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Combofix log
  • Fixlog
  • AdwCleaner log
  • Junkware log
  • System Summary Information
  • Update on computer behavior

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."
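The fixlist above removes Winsock catalog entries whose DLL is missing, the Internet Explorer policy restrictions, and a per-user CLSID whose InprocServer32 points at a file under AppData, and the ComboFix log later in this thread reports services.exe restored from a WinSxS copy. The PowerShell script below is an added example, not code from this thread, from FRST or from ComboFix: it inspects those same locations read-only so the state can be confirmed before and after a fix. It assumes PowerShell 4.0 or later in an elevated prompt (WMF 4.0 is an optional install on Windows 7 SP1); the registry paths and the PackedCatalogItem layout are the standard Windows ones, and the function names are the example's own.

```powershell
# Added example: not from this thread, FRST or ComboFix. Read-only checks of the
# locations the fix above edits. Needs PowerShell 4.0+ (WMF 4.0 on Windows 7 SP1)
# in an elevated prompt. Function names are this example's own.

$WinsockRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters'

function New-CatalogResult([string]$Catalog, [string]$Entry, [string]$RawPath) {
    $path = [Environment]::ExpandEnvironmentVariables($RawPath)
    [pscustomobject]@{ Catalog = $Catalog; Entry = $Entry; Path = $path
                       Exists  = [bool]($path -and (Test-Path -LiteralPath $path)) }
}

# Namespace providers (Catalog5) store their DLL in a LibraryPath value; protocol
# providers (Catalog9) store it as the leading NUL-padded ANSI string (260 bytes) of
# the binary PackedCatalogItem value. x64 keeps a 32-bit and a 64-bit branch of each.
function Get-WinsockProviders {
    foreach ($cat in 'NameSpace_Catalog5\Catalog_Entries', 'NameSpace_Catalog5\Catalog_Entries64') {
        $key = Join-Path $WinsockRoot $cat
        if (-not (Test-Path $key)) { continue }
        foreach ($e in Get-ChildItem $key) {
            New-CatalogResult $cat $e.PSChildName ((Get-ItemProperty $e.PSPath).LibraryPath)
        }
    }
    foreach ($cat in 'Protocol_Catalog9\Catalog_Entries', 'Protocol_Catalog9\Catalog_Entries64') {
        $key = Join-Path $WinsockRoot $cat
        if (-not (Test-Path $key)) { continue }
        foreach ($e in Get-ChildItem $key) {
            $blob = (Get-ItemProperty $e.PSPath).PackedCatalogItem
            if (-not $blob) { continue }
            $len  = [Math]::Min(260, $blob.Length)
            $dll  = [Text.Encoding]::ASCII.GetString($blob, 0, $len).TrimEnd([char]0)
            New-CatalogResult $cat $e.PSChildName $dll
        }
    }
}

# The policy values FRST reports as a "Restriction" live under these keys; list them
# before the fix deletes the keys so a legitimate policy is not lost unnoticed.
function Get-IePolicyValues {
    foreach ($root in 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
                      'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer') {
        if (-not (Test-Path $root)) { continue }
        foreach ($k in @(Get-Item $root) + @(Get-ChildItem $root -Recurse)) {
            foreach ($name in $k.GetValueNames()) {
                [pscustomobject]@{ Key = $k.Name; Value = $name; Data = $k.GetValue($name) }
            }
        }
    }
}

# A per-user CLSID (HKCU\...\Classes) overrides the machine-wide one for that user.
# List InprocServer32 DLLs that are missing or live under the profile, like the
# "{...}\n." entry in the fix; legitimate per-user installs show up too, so review them.
function Get-UserComServers {
    $root = 'HKCU:\SOFTWARE\Classes\CLSID'
    if (-not (Test-Path $root)) { return }
    foreach ($clsid in Get-ChildItem $root) {
        $srv = "$($clsid.PSPath)\InprocServer32"
        if (-not (Test-Path $srv)) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables([string]((Get-ItemProperty $srv).'(default)'))
        $missing = (-not $dll) -or (-not (Test-Path -LiteralPath $dll))
        if ($missing -or ($dll -like "$env:USERPROFILE\*")) {
            [pscustomobject]@{ Clsid = $clsid.PSChildName; Server = $dll; Missing = $missing }
        }
    }
}

# ComboFix later in this thread restored services.exe from a WinSxS component folder.
# Compare the live file with every such copy and let Windows Resource Protection verify
# it; hashes differ legitimately after an update, so the SFC verdict is the deciding signal.
function Test-ServicesExe {
    $live = Join-Path $env:SystemRoot 'System32\services.exe'
    $liveHash = (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash
    $copies = Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Directory -Filter '*_microsoft-windows-s..s-servicecontroller_*' |
        ForEach-Object { Join-Path $_.FullName 'services.exe' } |
        Where-Object   { Test-Path -LiteralPath $_ } |
        ForEach-Object {
            [pscustomobject]@{ Copy = $_
                               SameAsLive = ((Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash -eq $liveHash) }
        }
    # sfc.exe writes UTF-16; captured text carries embedded NULs, which are stripped here.
    $sfc = ((& sfc.exe "/verifyfile=$live") -join "`n") -replace "`0", ''
    [pscustomobject]@{ Live = $live; Sha256 = $liveHash; WinSxSCopies = @($copies); Sfc = $sfc.Trim() }
}

Get-WinsockProviders | Where-Object { -not $_.Exists } | Format-Table -AutoSize
Get-IePolicyValues   | Format-Table -AutoSize
Get-UserComServers   | Format-Table -AutoSize
Test-ServicesExe     | Format-List
```

The script only reads; the actual removal stays with the FRST fix and `netsh winsock reset` as the helper instructed. The Winsock check is the one to rerun after the fix: every remaining catalog entry should resolve to a DLL that exists, which is exactly the condition the "No File" lines above violate.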

#3 SergeantVau

SergeantVau
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:11 AM

Posted 23 March 2016 - 10:14 PM

Hi, my name is Robert. Thank you for your help. I changed all of my important passwords (although I will be changing everything else just to be safe). I was hoping to get a new computer sometime in the next year, so I'll hold off on reformatting at the moment. I'll go through the list of programs to run tomorrow and let you know how it goes.



#4 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,486 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:11 AM

Posted 23 March 2016 - 10:33 PM

Thanks Robert.

Sorry to give you the bad news but if you haven't noticed any abnormalities and you changed passwords that is reason for some degree of relief.

No problem on posting tomorrow, I am ending for the evening anyway.

G'nite, see you tomorrow.
Gary

#5 SergeantVau

SergeantVau
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:08:11 AM

Posted 26 March 2016 - 10:45 AM

Hello, sorry it took so long, I've been busy the past few days. Here's the combofix log, and I'm doing everything else now.

 

ComboFix 16-03-19.01 - Lord Robert 03/26/2016  11:21:28.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6071.4415 [GMT -4:00]
Running from: c:\users\Lord Robert\Desktop\ComboFix.exe
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\asdsetup.exe
c:\users\Lord Robert\AppData\Roaming\Love
c:\users\Lord Robert\AppData\Roaming\Love\mari0\options.txt
c:\windows\msdownld.tmp
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
.
.
(((((((((((((((((((((((((   Files Created from 2016-02-26 to 2016-03-26  )))))))))))))))))))))))))))))))
.
.
2016-03-23 21:20 . 2016-03-23 21:21 -------- d-----w- C:\FRST
2016-03-23 16:06 . 2016-03-23 16:06 -------- d-----w- c:\users\Lord Robert\AppData\Roaming\Doublefine
2016-03-23 15:46 . 2016-03-23 15:45 37144 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2016-03-23 15:25 . 2016-03-23 15:25 53248 ----a-w- c:\windows\SysWow64\zlib.dll
2016-03-23 15:25 . 2016-03-23 15:25 -------- d-----w- C:\Support
2016-03-23 06:10 . 2016-03-23 06:10 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2016-03-22 19:22 . 2016-03-22 22:01 -------- d---a-w- C:\RescueCD Logs
2016-03-21 00:03 . 2016-03-21 00:03 -------- d-----w- c:\program files (x86)\Google
2016-03-21 00:03 . 2016-03-21 00:03 -------- d-----w- c:\users\Lord Robert\AppData\Local\Google
2016-03-21 00:03 . 2016-03-21 00:03 -------- d-----w- c:\users\Lord Robert\AppData\Local\Deployment
2016-03-21 00:03 . 2016-03-21 00:03 -------- d-----w- c:\users\Lord Robert\AppData\Local\Apps
2016-03-20 20:31 . 2016-03-26 15:34 -------- d-----w- c:\users\Lord Robert\AppData\Local\Temp
2016-03-20 20:31 . 2016-03-20 20:14 24064 ----a-w- c:\windows\zoek-delete.exe
2016-03-20 20:14 . 2016-03-20 20:28 -------- d-----w- C:\zoek_backup
2016-03-15 23:48 . 2016-03-15 23:48 -------- d-----w- c:\program files\WinRAR
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-03-11 23:58 . 2012-03-31 16:00 797376 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2016-03-11 23:58 . 2011-07-07 02:48 142528 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2016-03-09 17:23 . 2011-07-05 20:07 107792 ----a-w- c:\windows\system32\drivers\aswmonflt.sys
2016-03-09 17:23 . 2011-07-05 20:07 1070904 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2016-02-23 17:18 . 2011-07-05 20:07 463744 ----a-w- c:\windows\system32\drivers\aswsp.sys
2016-02-10 19:08 . 2015-11-16 05:01 287016 ----a-w- c:\windows\system32\drivers\aswvmm.sys
2016-02-10 04:05 . 2016-02-10 04:05 398152 ----a-w- c:\windows\system32\aswBoot.exe
2016-02-10 04:05 . 2015-11-16 06:36 165344 ----a-w- c:\windows\system32\drivers\aswStm.sys
2016-02-10 04:05 . 2015-11-16 06:36 37656 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2016-02-10 04:05 . 2015-11-16 05:01 74544 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2016-02-10 04:05 . 2012-08-25 18:22 103064 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2016-02-10 04:05 . 2016-02-10 04:05 52184 ----a-w- c:\windows\avastSS.scr
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2010-05-27 03:40 120176 ----a-w- c:\program files (x86)\EgisTec MyWinLocker\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"IAStorIcon"="c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"SuiteTray"="c:\program files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2010-05-27 337264]
"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2010-03-11 201584]
"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2010-03-11 407920]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2015-12-17 60688]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2011-10-28 49208]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2016-03-23 7139256]
.
c:\users\Lord Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Monitor Ink Alerts - HP Officejet 4620 series.lnk - c:\windows\system32\RunDll32.exe "c:\program files\HP\HP Officejet 4620 series\bin\HPStatusBL.dll",RunDLLEntry SERIALNUMBER=CN26A2303505RT;CONNECTION=USB;MONITOR=1; [2009-7-13 45568]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-7-29 1132320]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"EnableUIADesktopToggle"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 00000000
"NoTrayContextMenu"= 00000000
"NoChangeStartMenu"= 00000000
"NoDesktop"= 00000000
"MaxRecentDocs"= 0 (0x0)
"NoViewContextMenu"= 00000000
"NoWinKey"= 0 (0x0)
"NoNetConnextDisconnect"= 0 (0x0)
"NoWindowsUpdate"= 0 (0x0)
"NoSMConfigurePrograms"= 0 (0x0)
"NoControlPanle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 btwampfl;Bluetooth AMP USB Filter;c:\windows\system32\drivers\btwampfl.sys;c:\windows\SYSNATIVE\drivers\btwampfl.sys [x]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys;c:\windows\SYSNATIVE\DRIVERS\btwl2cap.sys [x]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe;c:\program files (x86)\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [x]
R3 GalaxyClientService;GalaxyClientService;c:\program files (x86)\GalaxyClient\GalaxyClientService.exe;c:\program files (x86)\GalaxyClient\GalaxyClientService.exe [x]
R3 GalaxyCommunication;GalaxyCommunication;c:\programdata\GOG.com\Galaxy\redists\GalaxyCommunication.exe;c:\programdata\GOG.com\Galaxy\redists\GalaxyCommunication.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 MWLService;MyWinLocker Service;c:\program files (x86)\EgisTec MyWinLocker\x86\MWLService.exe;c:\program files (x86)\EgisTec MyWinLocker\x86\MWLService.exe [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys;c:\windows\SYSNATIVE\DRIVERS\revoflt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe;c:\program files\Windows Live\Mesh\wlcrasvc.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys;c:\windows\SYSNATIVE\drivers\aswKbd.sys [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDFilter.sys [x]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDNServ.sys [x]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys;c:\windows\SYSNATIVE\DRIVERS\mwlPSDVDisk.sys [x]
S2 Apple Mobile Device Service;Apple Mobile Device Service;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe;c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe;c:\program files (x86)\Acer\Registration\GREGsvc.exe [x]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
S2 Updater Service;Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe;c:\program files\Acer\Acer Updater\UpdaterService.exe [x]
S2 USBS3S4Detection;USBS3S4Detection;c:\oem\USBDECTION\USBS3S4Detection.exe;c:\oem\USBDECTION\USBS3S4Detection.exe [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys;c:\windows\SYSNATIVE\DRIVERS\netr28x.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{A6EADE66-0000-0000-484E-7E8A45000000}]
2015-12-18 15:42 286904 ----a-w- c:\program files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll
.
Contents of the 'Scheduled Tasks' folder
.
2016-03-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 23:59]
.
2016-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2016-03-21 00:03]
.
2016-03-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2016-03-21 00:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2016-02-10 04:05 905248 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2010-05-27 03:42 137584 ----a-w- c:\program files (x86)\EgisTec MyWinLocker\x64\PSDProtect.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mwlDaemon"="c:\program files (x86)\EgisTec MyWinLocker\x86\mwlDaemon.exe" [2010-05-27 349552]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-24 9642528]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-09-08 168216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-09-08 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-09-08 416024]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2015-12-18 170256]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com
mDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\users\Lord Robert\AppData\Roaming\Mozilla\Firefox\Profiles\tycxbfmt.default\
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-Spotify - c:\users\Lord Robert\AppData\Roaming\Spotify\Spotify.exe
Wow6432Node-HKCU-Run-GalaxyClient - (no file)
Wow6432Node-HKLM-Run-Wondershare Helper Compact.exe - c:\program files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe
Wow6432Node-HKLM-Run-BrowserPlugInHelper - c:\program files (x86)\Wondershare\Video Converter Ultimate\BrowserPlugInHelper.exe
Wow6432Node-HKLM-Run-WinampAgent - c:\program files (x86)\Winamp\winampa.exe
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-EaseUS EPM tray - c:\program files (x86)\EaseUS\EaseUS Partition Master 10.8\bin\EpmNews.exe
Notify-igfxcui - (no file)
Toolbar-Locked - (no file)
AddRemove-GOGPACKIHAVENOMOUTH_is1 - c:\gog games\I Have No Mouth
AddRemove-{050d4fc8-5d48-4b8f-8972-47c82c46020f} - c:\programdata\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
AddRemove-{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} - c:\programdata\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
AddRemove-{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} - c:\programdata\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
AddRemove-{f65db027-aff3-4070-886a-0d87064aabb1} - c:\programdata\Package Cache\{f65db027-aff3-4070-886a-0d87064aabb1}\vcredist_x86.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1174955219-694782196-2918772750-1001\Software\SecuROM\License information*]
"datasecu"=hex:98,ba,fe,cd,66,6c,1d,5c,03,b8,8e,4a,17,a6,0f,5a,d5,49,b6,e3,e0,
   c5,73,bb,10,75,47,a8,6a,fd,06,61,22,e2,be,75,e9,9c,74,22,3d,b7,7e,f6,b0,81,\
"rkeysecu"=hex:44,bc,ff,63,1d,f4,4b,da,e3,59,37,0f,9a,72,74,ff
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_21_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_21_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_182.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.21"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_182.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_182.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_21_0_0_182.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
.
**************************************************************************
.
Completion time: 2016-03-26  11:41:10 - machine was rebooted
ComboFix-quarantined-files.txt  2016-03-26 15:41
.
Pre-Run: 320,996,208,640 bytes free
Post-Run: 320,571,645,952 bytes free
.
- - End Of File - - 7CEB7BBC03DE257CF75E7AB271AA404B



#6 SergeantVau
  • Topic Starter
  • Members
  • 21 posts

Posted 26 March 2016 - 11:24 AM

OK, here's the rest.

Fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version:05-03-2016 01
Ran by Lord Robert (2016-03-26 11:50:55) Run:1
Running from C:\Users\Lord Robert\Desktop
Loaded Profiles: Lord Robert (Available Profiles: Lord Robert)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\...\Run: [GalaxyClient] => [X]
ShellExecuteHooks:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
ShellExecuteHooks-x32:  - {AEB6717E-7E19-11d0-97EE-00C04FD91972} -  No File [ ]
Winsock: Catalog5 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9 01 mswsock.dll No File
Winsock: Catalog9 02 mswsock.dll No File
Winsock: Catalog9 03 mswsock.dll No File
Winsock: Catalog9 04 mswsock.dll No File
Winsock: Catalog9 05 mswsock.dll No File
Winsock: Catalog9 06 mswsock.dll No File
Winsock: Catalog9 07 mswsock.dll No File
Winsock: Catalog9 08 mswsock.dll No File
Winsock: Catalog9 09 mswsock.dll No File
Winsock: Catalog9 10 mswsock.dll No File
Winsock: Catalog5-x64 01 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 05 mswsock.dll No File ATTENTION: LibraryPath should be "%SystemRoot%\System32\mswsock.dll"
Winsock: Catalog9-x64 01 mswsock.dll No File
Winsock: Catalog9-x64 02 mswsock.dll No File
Winsock: Catalog9-x64 03 mswsock.dll No File
Winsock: Catalog9-x64 04 mswsock.dll No File
Winsock: Catalog9-x64 05 mswsock.dll No File
Winsock: Catalog9-x64 06 mswsock.dll No File
Winsock: Catalog9-x64 07 mswsock.dll No File
Winsock: Catalog9-x64 08 mswsock.dll No File
Winsock: Catalog9-x64 09 mswsock.dll No File
Winsock: Catalog9-x64 10 mswsock.dll No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1222172.dll [No File]
S3 MBAMSwissArmy; \??\C:\Windows\system32\drivers\MBAMSwissArmy.sys [X]
CustomCLSID: HKU\S-1-5-21-1174955219-694782196-2918772750-1001_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 -> C:\Users\Lord Robert\AppData\Local\{93f3aa60-bf95-328b-68a1-311c909f1bd7}\n. => No File
Task: {47FE9833-CEB3-4D10-9AB7-476BA85BAFA4} - System32\Tasks\{1FAD1210-F465-4703-9BA9-96B2689B8C71} => pcalua.exe -a D:\setup.exe -d D:\
cmd: netsh winsock reset
*****************

Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-1174955219-694782196-2918772750-1001\Software\Microsoft\Windows\CurrentVersion\Run\\GalaxyClient => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => value removed successfully
HKCR\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => value removed successfully
HKCR\Wow6432Node\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972} => key not found.
Winsock: Catalog5 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
Winsock: Catalog5 000000000005\\LibraryPath => restored successfully (%SystemRoot%\System32\mswsock.dll)
The possible legit Catalog entry "000000000001" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000002" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000003" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000004" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000005" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000006" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000007" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000008" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000009" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000010" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
Winsock: Catalog5-x64 000000000001\\LibraryPath => restored successfully (%SystemRoot%\system32\NLAapi.dll)
Winsock: Catalog5-x64 000000000005\\LibraryPath => restored successfully (%SystemRoot%\System32\mswsock.dll)
The possible legit Catalog entry "000000000001" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000002" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000003" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000004" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000005" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000006" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000007" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000008" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000009" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
The possible legit Catalog entry "000000000010" will not be deleted with FRST. Instead, "netsh winsock reset" can be used.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-1174955219-694782196-2918772750-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/ShockwavePlayer" => key removed successfully
MBAMSwissArmy => service removed successfully
"HKU\S-1-5-21-1174955219-694782196-2918772750-1001_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{47FE9833-CEB3-4D10-9AB7-476BA85BAFA4}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{47FE9833-CEB3-4D10-9AB7-476BA85BAFA4}" => key removed successfully
C:\Windows\System32\Tasks\{1FAD1210-F465-4703-9BA9-96B2689B8C71} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{1FAD1210-F465-4703-9BA9-96B2689B8C71}" => key removed successfully

=========  netsh winsock reset =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

 

The system needed a reboot.

==== End of Fixlog 11:51:20 ====

 

Adware:

# AdwCleaner v5.105 - Logfile created 26/03/2016 at 12:01:59
# Updated 21/03/2016 by Xplode
# Database : 2016-03-25.2 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Lord Robert - IG-88
# Running from : C:\Users\Lord Robert\Desktop\AdwCleaner.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [711 bytes] - [26/03/2016 12:01:59]
C:\AdwCleaner\AdwCleaner[S1].txt - [772 bytes] - [26/03/2016 11:56:16]
C:\AdwCleaner\AdwCleaner[S2].txt - [844 bytes] - [26/03/2016 12:00:46]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [927 bytes] ##########

 

Junkware:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.4 (03.14.2016)
Operating System: Windows 7 Home Premium x64
Ran by Lord Robert (Administrator) on Sat 03/26/2016 at 12:07:11.98
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

File System: 16

Successfully deleted: C:\Users\Lord Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5AXI8CFF (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Lord Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\99FIH34U (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Lord Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D1EDORE8 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Lord Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IYUZO3WO (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Lord Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KG0V48SJ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Lord Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OCJ79UUS (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Lord Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SLF3UAQU (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Lord Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U6970SI7 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5AXI8CFF (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\99FIH34U (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D1EDORE8 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IYUZO3WO (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KG0V48SJ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OCJ79UUS (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SLF3UAQU (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U6970SI7 (Temporary Internet Files Folder)

 

Registry: 0

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 03/26/2016 at 12:10:04.49
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 




#7 SergeantVau
  • Topic Starter
  • Members
  • 21 posts

Posted 26 March 2016 - 11:25 AM

My PC seems fine so far, thank you for the help.



#8 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 37,486 posts
  • Gender:Male
  • Location:California

Posted 26 March 2016 - 02:42 PM

Very good, this is next.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Check Uninstall application on close
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

screen317's Security Check

--------------------
  • Please download screen317's Security Check to your desktop
  • Double-click icon to launch the program
  • Click OK
  • Select Run. Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED!, reboot your computer and attempt to run it again
  • Allow the program to run
  • A Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • ESET log
  • Security Check log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#9 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 37,486 posts
  • Gender:Male
  • Location:California

Posted 29 March 2016 - 10:19 PM

Greetings,

===================================================

3 Day Bump

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed

Gary

#10 SergeantVau
  • Topic Starter
  • Members
  • 21 posts

Posted 30 March 2016 - 06:39 PM

Sorry it took so long to get back to you. I haven't had time to work on my PC, but I ran the new stuff today.

 

ESET log:

C:\Program Files (x86)\Cheat Engine 6.4\standalonephase1.dat a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application cleaned by deleting
C:\Qoobox\Quarantine\C\Windows\System32\Services.exe.vir Win64/Patched.B.Gen trojan deleted
C:\Users\Lord Robert\Downloads\SetupImgBurn_2.5.8.0.exe a variant of Win32/DownloadAdmin.P potentially unwanted application cleaned by deleting

 

Security Check log:

 Results of screen317's Security Check version 1.014 --- 12/23/15 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
``````````````Antivirus/Firewall Check:``````````````
avast! Antivirus  
 Antivirus out of date! 
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Adobe Flash Player 21.0.0.197 
 Mozilla Firefox (45.0.1)
````````Process Check: objlist.exe by Laurent```````` 
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast avastui.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

 

The only problem I'm currently experiencing (that I can see, at least) is that I still can't enable my Windows Firewall. Again, thank you for your assistance.



#11 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 37,486 posts
  • Gender:Male
  • Location:California

Posted 30 March 2016 - 07:49 PM

Greetings,

Please go into the Avast Settings and update the program. In addition, do this.

===================================================

Farbar's Service Scanner

--------------------
  • Please download Farbar Service Scanner, save it to your desktop, and run it.
  • Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services

  • Press Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Did Avast update?
  • FSS.txt

Gary

#12 SergeantVau
  • Topic Starter
  • Members
  • 21 posts

Posted 30 March 2016 - 09:28 PM

Avast should be up to date now. Here is the FSS log.

 

Farbar Service Scanner Version: 27-01-2016
Ran by Lord Robert (administrator) on 30-03-2016 at 22:24:35
Running from "C:\Users\Lord Robert\Desktop"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is OK.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.

bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Action Center:
============

Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****
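The FSS log above pinpoints why the firewall cannot be switched on: the MpsSvc (Windows Firewall) service is configured correctly, but the BFE (Base Filtering Engine) service key it depends on is missing entirely. As an added example that is not part of the thread and not Farbar's tool, the PowerShell below reproduces that "Windows Firewall" check from an elevated prompt: it reads each service's registry key, Start type, ImagePath and ServiceDll, flags a missing key the way FSS does, and verifies the hosting DLL is still digitally signed (the expected DLL paths are taken from the FSS File Check section).

```powershell
# Added example (not from the thread or Farbar's tool): reproduce the FSS
# "Windows Firewall" check for the two services the firewall depends on.
# MpsSvc = Windows Firewall service, BFE = Base Filtering Engine. Both keys
# must exist under HKLM\SYSTEM\CurrentControlSet\Services or the firewall
# cannot start. Run from an elevated PowerShell prompt (Windows 7 or later).

$services = @(
    @{ Name = 'MpsSvc'; Dll = "$env:SystemRoot\System32\mpssvc.dll" },
    @{ Name = 'BFE';    Dll = "$env:SystemRoot\System32\bfe.dll" }
)

# Start values used by the Service Control Manager for user-mode services.
$startTypes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

foreach ($svc in $services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"
    Write-Host "`n[$($svc.Name)]"

    if (-not (Test-Path $key)) {
        # This is exactly the condition the FSS log reports for bfe: with the
        # key gone, the Service Control Manager cannot see the service at all,
        # so every service that depends on it (MpsSvc included) fails to start.
        Write-Host "  ATTENTION: $key does not exist (service key missing)"
        continue
    }

    $cfg   = Get-ItemProperty -Path $key
    $start = $startTypes[[int]$cfg.Start]
    if (-not $start) { $start = "unknown ($($cfg.Start))" }
    Write-Host "  Start type : $start"
    Write-Host "  ImagePath  : $($cfg.ImagePath)"

    # Services hosted by svchost.exe keep their DLL under the Parameters subkey.
    $paramsKey = Join-Path $key 'Parameters'
    if (Test-Path $paramsKey) {
        $dll      = (Get-ItemProperty -Path $paramsKey).ServiceDll
        $expanded = [Environment]::ExpandEnvironmentVariables($dll)
        Write-Host "  ServiceDll : $dll"
        if ($expanded -ne $svc.Dll) {
            # A redirected ServiceDll is a classic persistence/tampering sign.
            Write-Host "  ATTENTION: ServiceDll should be $($svc.Dll)"
        }
        if (Test-Path $expanded) {
            # Same idea as the FSS "File Check": the binary on disk must still
            # carry a valid Authenticode signature.
            $sig = Get-AuthenticodeSignature -FilePath $expanded
            Write-Host "  Signature  : $($sig.Status)"
        } else {
            Write-Host "  ATTENTION: $expanded is missing on disk"
        }
    } else {
        Write-Host "  ATTENTION: Parameters subkey missing, no ServiceDll"
    }

    # Finally report the live state the SCM sees, which is what the
    # "Service is not running" lines in the FSS log come from.
    $state = (Get-Service -Name $svc.Name -ErrorAction SilentlyContinue).Status
    if ($null -eq $state) { $state = 'not registered' }
    Write-Host "  Status     : $state"
}
```

On the machine in this thread the BFE block would stop at the "service key missing" line, matching the three ATTENTION lines in the FSS output; once the key is restored, rerunning the script shows the Start type, DLL and signature for both services.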



#13 Oh My!
    Adware and Spyware and Malware.....
  • Malware Response Instructor
  • 37,486 posts
  • Gender:Male
  • Location:California

Posted 30 March 2016 - 10:06 PM

Thank you, please do this.

===================================================

Manually Importing an Attached Registry Key (.reg) File

-------------------
  • Download to your Desktop
  • Right click on the file and select Merge
  • Once you receive confirmation the information was successfully merged reboot your computer
  • Check your Firewall
  • Run and post a Farbar Service Scanner log
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Firewall?
  • FSS.txt

Gary

#14 SergeantVau

SergeantVau
  • Topic Starter

  • Members
  • 21 posts
  • Local time:08:11 AM

Posted 31 March 2016 - 12:28 PM

When I clicked Merge, I got an error message saying "error accessing the registry".



#15 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,486 posts
  • Gender:Male
  • Location:California
  • Local time:05:11 AM

Posted 31 March 2016 - 01:16 PM

Greetings,

Please do this.

===================================================

Windows Repair (All in One)

--------------------
  • Boot your computer into Safe Mode with Networking
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Download Windows Repair (All in One) and save it to your desktop
  • Double click the tweaking.com icon and click Run
  • Continually click Next, then Finish
  • Note: If you are unable to complete one of the steps simply continue on with the next step
  • Go to Step 3 and allow it to run "See if Check Disk is Needed" by clicking on the Check button:
  • If you see "Errors Found On The Drive! Check Disk Is Needed", click Do It in the Open Check Disk At Next Boot window
  • Select the /r option and click Add To Next Boot
  • Close the Check Disk (chkdsk) At Next Boot window
  • Go to Step 4 and click Do It under System File Check
  • Go to Step 5 and click Create under System Restore
  • Go to the Repairs tab and click Open Repairs
  • Leave the default check marks and click Start Repairs
  • Ignore any notice about Desktop Gadgets
  • Click Yes to reboot your computer
  • Attempt to merge the registry file
  • Using Windows Explorer navigate to the following file location

For 64 bit systems - C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs
For 32 bit systems - C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs

  • Please zip and attach the Logs folder to your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Can you merge the registry file?
  • Windows All in One logs

Edited by Oh My!, 31 March 2016 - 01:56 PM.

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."



