
mshta.exe, powershell.exe and regsvr32.exe, Kovter Trojan, system also crashes


  • This topic is locked
22 replies to this topic

#1 AdamsComputer

AdamsComputer

  • Members
  • 24 posts
  • OFFLINE

Posted 14 February 2017 - 06:23 AM

The mshta.exe, powershell.exe, and regsvr32.exe processes are showing up multiple times in Task Manager. One triggers another to start and eventually the first 2 disappear, leaving 2 instances of regsvr32.exe running. None of these used to ever show up in my task manager and I don't recall making any major changes on purpose. Since I noticed this, I have also seen regular everyday processes now being split into multiple processes, which didn't use to happen either. There are now 2 firefox.exe's running instead of one. There were some others that have either tapered off or I disabled the initial process thinking it was broken. The 2 instances of regsvr32.exe start to eat up memory and I have to manually end their processes, but ending only one of them will do it as the other goes away for a second and then comes back. Since coming to this forum, I have run Rkill and Malwarebytes. I will attach the logs from FRST in this post. I followed the steps to make sure I have backed up my entire C drive on a USB drive, firewall on, etc. The sensitive file is listed below in "my initial topic".


My initial topic: https://www.bleepingcomputer.com/forums/t/635324/reset-upon-loading-game-no-blue-screen-straight-reset/

Follow up topic:  https://www.bleepingcomputer.com/forums/t/639796/possible-malware-in-startup-entries/

Specs:  http://speccy.piriform.com/results/xMOI8yD0k2s2SzcDcaFHVpq


Edit: (copied and pasted these as well)


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 14-02-2017
Ran by AnusTickler (administrator) on PANZER (14-02-2017 02:02:02)
Running from C:\Users\AnusTickler\Downloads
Loaded Profiles: AnusTickler & Second (Available Profiles: AnusTickler & Second)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Creative Technology Ltd) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
(Creative Technology Ltd) C:\Windows\SysWOW64\CTSVCCDA.EXE
(Micro-Star INT'L CO., LTD.) C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Logitech, Inc.) C:\Program Files\Logitech\SetPointP\SetPoint.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Renesas Electronics Corporation) C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
(Creative Technology Ltd) C:\Windows\SysWOW64\CtHelper.exe
(Logitech, Inc.) C:\Program Files\Common Files\Logishrd\KHAL3\KHALMNPR.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(CobianSoft, Luis Cobian) C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\Cobian.exe
(Luis Cobian, CobianSoft) C:\Program Files (x86)\Cobian Backup 11\cbInterface.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [EvtMgr6] => C:\Program Files\Logitech\SetPointP\SetPoint.exe [1744152 2011-06-23] (Logitech, Inc.)
HKLM\...\Run: [MSC] => c:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2780112 2017-01-20] (Malwarebytes)
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-11-17] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [CTxfiHlp] => CTXFIHLP.EXE
HKLM-x32\...\Run: [CTHelper] => C:\Windows\SysWOW64\CTHELPER.EXE [19456 2010-03-18] (Creative Technology Ltd)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-12-12] (Oracle Corporation)
HKLM-x32\...\Run: [Live Update] => C:\Program Files (x86)\MSI\Live Update\Live Update.exe [13396944 2017-01-24] (Micro-Star INT'L CO., LTD.)
Winlogon\Notify\LBTWlgn: c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll (Logitech, Inc.)
HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7394584 2014-12-12] (Piriform Ltd)
HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\MountPoints2: D - D:\Autorun.exe
HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\MountPoints2: {3534dbce-bbda-11e0-aeee-6c626db6dae7} - E:\TL-Bootstrap.exe
HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\MountPoints2: {b174ab3f-2442-11e4-aba1-6c626db6dae7} - D:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Run: [Creative Detector] => C:\Program Files (x86)\Creative\MediaSource\Detector\CTDetect.exe [102400 2004-12-02] (Creative Technology Ltd)
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Run: [Overwolf] => C:\Program Files (x86)\Overwolf\Overwolf.exe -silent
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Run: [DAEMON Tools Lite] => "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Run: [AVG-Secure-Search-Update_JUNE2013_TB] => "C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_TB.exe"  /PROMPT /CMPID=JUNE2013_TB
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Run: [AVG-Secure-Search-Update_JUNE2013_HP] => "C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_HP.exe"  /PROMPT /CMPID=JUNE2013_HP
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Run: [Desura] => C:\Program Files (x86)\Desura\desura.exe -autostart
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [7394584 2014-12-12] (Piriform Ltd)
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\MountPoints2: D - D:\Setup.now.exe
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\MountPoints2: E - E:\setup.exe
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\MountPoints2: {3534dbce-bbda-11e0-aeee-6c626db6dae7} - E:\TL-Bootstrap.exe
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\MountPoints2: {b174ab3f-2442-11e4-aba1-6c626db6dae7} - D:\VerizonSWUpgradeAssistantLauncher.exe
HKU\S-1-5-18\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-18\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
AppInit_DLLs-x32: ȅ噎䵒판ঋ阠ٽ => No File
BootExecute: autocheck autochk * sdnclean64.exe
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{C8FBD618-A192-4DF9-9690-24434B3E422A}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{FF6EDC91-DE2B-4140-866C-0362C625F865}: [DhcpNameServer] 192.168.42.129

Internet Explorer:
==================
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\ssv.dll [2017-02-12] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\jp2ssv.dll [2017-02-12] (Oracle Corporation)
Toolbar: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: HKLM-x32 {17492023-C23A-453E-A040-C7C580BBF700} hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: HKLM-x32 {D4B68B83-8710-488B-A692-D74B50BA558E} hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: HKLM-x32 {E705A591-DA3C-4228-B0D5-A356DBA42FBF} hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
DPF: HKLM-x32 {F6ACF75C-C32C-447B-9BEF-46B766368D29} hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/130321/CTPID.cab

FireFox:
========
FF ProfilePath: C:\Users\AnusTickler\AppData\Roaming\Prism\IG-Marauders\Profiles\80x7g8ty.default [2011-10-03]
FF Homepage: Prism\IG-Marauders\Profiles\80x7g8ty.default -> hxxps://webstore.isotx.com/igmaraudersL.html
FF ProfilePath: C:\Users\AnusTickler\AppData\Roaming\Mozilla\Firefox\Profiles\xeqjkcal.default-1432288339924 [2017-02-14]
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\xeqjkcal.default-1432288339924 -> Default
FF Extension: (No Name) - C:\Program Files (x86)\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} [2014-12-09] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_24_0_0_194.dll [2017-01-22] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_194.dll [2017-01-22] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\dtplugin\npDeployJava1.dll [2017-02-12] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.121.2 -> C:\Program Files (x86)\Java\jre1.8.0_121\bin\plugin2\npjp2.dll [2017-02-12] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [No File]
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [No File]
FF Plugin-x32: @ogplanet.com/npOGPPlugin -> C:\Windows\system32\npOGPPlugin.dll [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @veetle.com/veetleCorePlugin,version=0.9.18 -> C:\Program Files (x86)\Veetle\plugins\npVeetle.dll [No File]
FF Plugin-x32: @veetle.com/veetlePlayerPlugin,version=0.9.18 -> C:\Program Files (x86)\Veetle\Player\npvlc.dll [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-12-23] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin.dll [2015-02-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin2.dll [2015-02-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin3.dll [2015-02-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin4.dll [2015-02-13] (Apple Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npqtplugin5.dll [2015-02-13] (Apple Inc.)

Chrome:
=======
CHR DefaultProfile: Default
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [1447944 2016-12-12] ()
R2 cbVSCService11; C:\Program Files (x86)\Cobian Backup 11\cbVSCService11.exe [67584 2013-03-07] (CobianSoft, Luis Cobian) [File not signed]
S3 Creative ALchemy AL6 Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [79360 2011-10-07] (Creative Labs) [File not signed]
S3 Creative Audio Engine Licensing Service; C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [79360 2013-06-23] (Creative Labs) [File not signed]
R2 Creative Service for CDROM Access; C:\Windows\SysWOW64\CTsvcCDA.EXE [44032 1999-12-13] (Creative Technology Ltd) [File not signed]
R2 CTAudSvcService; C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe [286720 2010-02-12] (Creative Technology Ltd) [File not signed]
S4 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [69632 2005-04-03] (Macrovision Corporation) [File not signed]
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4355024 2017-01-20] (Malwarebytes)
R2 MSI_LiveUpdate_Service; C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe [2286032 2017-01-23] (Micro-Star INT'L CO., LTD.)
R2 MsMpSvc; c:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R3 NisSrv; c:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
S3 npggsvc; C:\Windows\SysWOW64\GameMon.des [3358912 2014-09-21] (INCA Internet Co., Ltd.)
R2 NVDisplay.ContainerLocalSystem; C:\Program Files\NVIDIA Corporation\Display.NvContainer\NVDisplay.Container.exe [459832 2016-12-11] (NVIDIA Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 atksgt; C:\Windows\System32\DRIVERS\atksgt.sys [314016 2011-09-29] ()
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-03-19] (GFI Software)
R2 lirsgt; C:\Windows\System32\DRIVERS\lirsgt.sys [43680 2011-09-29] ()
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [251848 2017-02-13] (Malwarebytes)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
S3 NPPTNT2; C:\Windows\SysWOW64\npptNT2.sys [4682 2005-01-02] (INCA Internet Co., Ltd.) [File not signed]
S3 NTIOLib_1_0_6; C:\Program Files (x86)\Setup Files\Ms7522vP10\NTIOLib_X64.sys [11888 2011-01-06] (MSI) [File not signed]
S3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad64v.sys [46016 2017-01-05] (NVIDIA Corporation)
S3 nvvhci; C:\Windows\System32\DRIVERS\nvvhci.sys [57792 2017-01-05] (NVIDIA Corporation)
R0 sptd; C:\Windows\System32\Drivers\sptd.sys [834544 2011-09-24] () [File not signed]
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [15712 2013-05-05] ()
S3 TKCtrl; C:\Windows\system32\TKCtrl2k64.sys [87872 2012-07-03] (INCA Internet Co., Ltd.)
S3 TKFsAvM; C:\Windows\system32\TKFsAv64.sys [139136 2012-12-26] (INCA Internet Co., Ltd.)
S3 TKFsFtM; C:\Windows\system32\TKFsFt64.sys [23392 2012-11-06] (INCA Internet Co., Ltd.)
S1 TKFWFV; C:\Windows\System32\TKFWFV64.sys [34400 2011-03-29] (INCA Internet Co., Ltd.)
S3 TKFWVT; C:\Windows\system32\TKFWVT64.sys [183112 2012-10-23] (INCA Internet Co.,Ltd.)
S3 TkIdsVt; C:\Windows\system32\TkIdsVt64.sys [99168 2012-07-31] (INCA Internet Co.,Ltd.)
S3 TKPcFt; C:\Windows\system32\TKPcFtCb64.sys [29024 2012-11-06] (INCA Internet Co., Ltd.)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2017-01-11] ()
S3 WinRing0_1_2_0; C:\Program Files (x86)\Steam\steamapps\common\EVGA PrecisionX\WinRing0\WinRing0x64.sys [14536 2015-11-10] (OpenLibSys.org)
U3 aac7hnjr; no ImagePath
S3 BRDriver64_1_3_3_7ECFDFEA; \??\C:\ProgramData\BitRaider\support\1.3.3\7ECFDFEA\BRDriver64.sys [X]
S3 COMMONFX.DLL; system32\COMMONFX.DLL [X]
S3 CT20XUT.DLL; system32\CT20XUT.DLL [X]
S3 CTAUDFX.DLL; system32\CTAUDFX.DLL [X]
S3 CTEAPSFX.DLL; system32\CTEAPSFX.DLL [X]
S3 CTEDSPFX.DLL; system32\CTEDSPFX.DLL [X]
S3 CTEDSPIO.DLL; system32\CTEDSPIO.DLL [X]
S3 CTEDSPSY.DLL; system32\CTEDSPSY.DLL [X]
S3 CTERFXFX.DLL; system32\CTERFXFX.DLL [X]
S3 CTEXFIFX.DLL; system32\CTEXFIFX.DLL [X]
S3 CTHWIUT.DLL; system32\CTHWIUT.DLL [X]
S3 CTSBLFX.DLL; system32\CTSBLFX.DLL [X]
S3 dump_wmimmc; \??\C:\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 MBAMWebProtection; \??\C:\Windows\system32\drivers\mwac.sys [X]
S3 MSI_MSIBIOS_010507; \??\C:\Program Files (x86)\MSI\Live Update 5\msibios64_100507.sys [X]
S3 NTIOLib_1_0_3; \??\C:\Program Files (x86)\MSI\Super Charger\NTIOLib_X64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-14 02:02 - 2017-02-14 02:05 - 00018815 _____ C:\Users\AnusTickler\Downloads\FRST.txt
2017-02-14 01:59 - 2017-02-14 02:02 - 00000000 ____D C:\FRST
2017-02-14 01:58 - 2017-02-14 01:58 - 02422272 _____ (Farbar) C:\Users\AnusTickler\Downloads\FRST64.exe
2017-02-14 01:40 - 2017-02-14 01:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Cobian Backup 11
2017-02-14 01:40 - 2017-02-14 01:40 - 00000000 ____D C:\Program Files (x86)\Cobian Backup 11
2017-02-14 01:38 - 2017-02-14 01:38 - 19709440 _____ (Luis Cobian, CobianSoft) C:\Users\AnusTickler\Downloads\cbSetup.exe
2017-02-13 18:42 - 2017-02-13 18:42 - 00001042 _____ C:\Users\AnusTickler\Desktop\Folder Size.lnk
2017-02-13 18:42 - 2017-02-13 18:42 - 00000000 ____D C:\ProgramData\MindGems
2017-02-13 18:42 - 2017-02-13 18:42 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Folder Size
2017-02-13 18:42 - 2017-02-13 18:42 - 00000000 ____D C:\Program Files (x86)\Folder Size
2017-02-13 18:40 - 2017-02-13 18:40 - 02301330 _____ (MindGems, Inc. ) C:\Users\AnusTickler\Downloads\FolderSize.exe
2017-02-13 18:39 - 2017-02-13 18:39 - 00448512 _____ (OldTimer Tools) C:\Users\AnusTickler\Downloads\TFC.exe
2017-02-13 17:55 - 2017-02-13 17:55 - 00119129 _____ C:\Users\AnusTickler\Desktop\MBAM.txt
2017-02-13 17:20 - 2017-02-13 18:05 - 00251848 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2017-02-13 17:19 - 2017-02-13 17:19 - 00001867 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2017-02-13 17:19 - 2017-02-13 17:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2017-02-13 17:19 - 2017-01-20 07:47 - 00077416 _____ C:\Windows\system32\Drivers\mbae64.sys
2017-02-13 17:18 - 2017-02-13 17:18 - 55566792 _____ (Malwarebytes ) C:\Users\AnusTickler\Downloads\mb3-setup-consumer-3.0.6.1469.exe
2017-02-13 17:01 - 2017-02-13 17:01 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\AnusTickler\Downloads\rkill.com
2017-02-13 17:01 - 2017-02-13 17:01 - 01106888 _____ (Bleeping Computer, LLC) C:\Users\AnusTickler\Downloads\rkill64.com
2017-02-13 17:01 - 2017-02-13 17:01 - 00001058 _____ C:\Users\AnusTickler\Desktop\Rkill.txt
2017-02-13 03:26 - 2017-02-13 03:26 - 00001959 _____ C:\Users\Public\Desktop\MSI Live Update 6.lnk
2017-02-12 23:15 - 2017-02-12 23:15 - 00738880 _____ (Oracle Corporation) C:\Users\AnusTickler\Downloads\jxpiinstall(3).exe
2017-02-12 23:05 - 2017-02-12 23:05 - 00000000 ____D C:\Users\AnusTickler\AppData\Roaming\Haven and Hearth
2017-01-25 11:35 - 2017-01-25 11:35 - 00000222 _____ C:\Users\AnusTickler\Desktop\H1Z1 Just Survive.url
2017-01-20 04:26 - 2017-01-20 04:26 - 00000000 _____ C:\Users\AnusTickler\Documents\AutoHotkey.ahk
2017-01-20 04:21 - 2017-01-20 04:21 - 03118542 _____ C:\Users\AnusTickler\Downloads\AutoHotkey_1.1.24.04_setup(1).exe
2017-01-20 04:16 - 2017-01-20 04:16 - 03118542 _____ C:\Users\AnusTickler\Downloads\AutoHotkey_1.1.24.04_setup.exe

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-02-14 01:52 - 2009-07-13 21:13 - 00795818 _____ C:\Windows\system32\PerfStringBackup.INI
2017-02-14 01:52 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2017-02-14 01:16 - 2016-11-18 16:31 - 00000000 ____D C:\Users\AnusTickler\AppData\LocalLow\Mozilla
2017-02-14 01:02 - 2011-08-03 03:53 - 00000000 ____D C:\Program Files (x86)\Steam
2017-02-13 19:20 - 2013-05-05 20:41 - 00000000 ____D C:\Users\Public\Games
2017-02-13 19:18 - 2011-08-03 04:50 - 00000000 ____D C:\Games
2017-02-13 19:17 - 2011-08-03 15:05 - 00000000 ____D C:\Download
2017-02-13 18:12 - 2009-07-13 20:45 - 00014736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-02-13 18:12 - 2009-07-13 20:45 - 00014736 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-02-13 18:03 - 2016-08-18 01:39 - 00000000 ____D C:\ProgramData\NVIDIA
2017-02-13 18:02 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2017-02-13 18:01 - 2013-06-23 08:36 - 00032448 _____ C:\Windows\system32\BMXCtrlState-{00000008-00000000-00000000-00001102-00000004-20021102}.rfx
2017-02-13 18:01 - 2013-06-23 08:36 - 00032448 _____ C:\Windows\system32\BMXBkpCtrlState-{00000008-00000000-00000000-00001102-00000004-20021102}.rfx
2017-02-13 18:01 - 2013-06-23 08:36 - 00011564 _____ C:\Windows\system32\DVCState-{00000008-00000000-00000000-00001102-00000004-20021102}.rfx
2017-02-13 18:01 - 2011-08-09 00:54 - 00036760 _____ C:\Windows\system32\BMXStateBkp-{00000008-00000000-00000000-00001102-00000004-20021102}.rfx
2017-02-13 18:01 - 2011-08-09 00:54 - 00036760 _____ C:\Windows\system32\BMXState-{00000008-00000000-00000000-00001102-00000004-20021102}.rfx
2017-02-13 18:00 - 2015-09-14 21:50 - 00000000 ____D C:\Users\AnusTickler\AppData\Local\PC_Drivers_Headquarters
2017-02-13 17:57 - 2015-09-14 21:50 - 00000000 ____D C:\ProgramData\PC Drivers HeadQuarters
2017-02-13 17:57 - 2015-01-05 14:38 - 00000000 ____D C:\Users\AnusTickler\AppData\LocalLow\Company
2017-02-13 17:57 - 2014-11-15 05:14 - 00000000 ____D C:\ProgramData\iolo
2017-02-13 17:56 - 2011-09-07 06:21 - 00000000 ____D C:\Users\Second
2017-02-13 17:56 - 2011-07-31 12:18 - 00000000 ____D C:\Users\AnusTickler
2017-02-13 04:18 - 2009-07-13 23:46 - 00000000 ____D C:\Windows\ShellNew
2017-02-13 03:26 - 2014-04-22 18:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSI
2017-02-13 03:25 - 2016-12-26 10:30 - 00000000 ____D C:\Users\AnusTickler\AppData\Roaming\discord
2017-02-12 23:19 - 2013-10-24 09:08 - 00000000 ____D C:\ProgramData\Oracle
2017-02-12 23:18 - 2016-10-31 13:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2017-02-12 23:17 - 2016-10-31 13:16 - 00097856 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2017-02-12 23:16 - 2011-07-31 12:38 - 00000000 ____D C:\Program Files (x86)\Java
2017-02-02 14:48 - 2016-02-28 04:05 - 00000000 ____D C:\Users\AnusTickler\AppData\Local\CrashDumps
2017-01-28 08:22 - 2014-12-09 12:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-01-25 10:25 - 2009-07-13 21:09 - 00000000 ____D C:\Windows\System32\Tasks\WPD
2017-01-22 09:21 - 2012-04-23 14:49 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2017-01-22 06:00 - 2011-08-08 17:28 - 00000000 ____D C:\Users\AnusTickler\AppData\Local\Adobe
2017-01-22 05:59 - 2012-04-23 14:49 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2017-01-22 05:59 - 2012-04-23 14:49 - 00003770 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2017-01-22 05:59 - 2011-07-31 12:41 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2017-01-22 05:58 - 2012-04-23 14:49 - 00000000 ____D C:\Windows\system32\Macromed
2017-01-22 05:58 - 2011-07-31 12:41 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2017-01-22 01:00 - 2011-09-15 17:37 - 00000000 ____D C:\Users\AnusTickler\AppData\Local\ElevatedDiagnostics
2017-01-20 14:20 - 2015-12-04 15:58 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk

==================== Files in the root of some directories =======

2014-06-07 01:49 - 2014-05-26 23:56 - 34893187 _____ () C:\Users\AnusTickler\AppData\Roaming\Game.of.Thrones.S04E08.HDTV.x264-KILLERS.mp4
2014-09-01 00:18 - 2014-09-01 00:18 - 0001248 _____ () C:\Users\AnusTickler\AppData\Roaming\QXEB
2013-06-21 09:03 - 2013-06-21 09:03 - 0003584 _____ () C:\Users\AnusTickler\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2011-09-06 09:31 - 2016-12-15 23:11 - 0007614 _____ () C:\Users\AnusTickler\AppData\Local\Resmon.ResmonCfg
2015-05-07 00:59 - 2015-05-07 00:59 - 0000806 _____ () C:\Users\AnusTickler\AppData\Local\Temp-log.txt
2015-05-18 12:23 - 2015-05-18 12:23 - 0000000 _____ () C:\Users\AnusTickler\AppData\Local\Temp.dat
2013-09-29 10:09 - 2013-09-29 10:09 - 0000000 _____ () C:\ProgramData\38283d2e2a20_c
2011-08-11 09:50 - 2011-06-12 09:50 - 0000032 ____R () C:\ProgramData\hash.dat
2016-12-14 23:21 - 2016-12-20 16:13 - 0005528 _____ () C:\ProgramData\NvTelemetryContainer.log
2016-12-14 23:21 - 2016-12-20 14:22 - 0002938 _____ () C:\ProgramData\NvTelemetryContainer.log_backup1

Files to move or delete:
====================
C:\ProgramData\hash.dat
C:\Users\AnusTickler\DSETUP.dll
C:\Users\AnusTickler\dsetup32.dll
C:\Users\AnusTickler\DXSETUP.exe


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-02-12 05:56

==================== End of FRST.txt ============================


Additional scan result of Farbar Recovery Scan Tool (x64) Version: 14-02-2017
Ran by AnusTickler (14-02-2017 02:07:19)
Running from C:\Users\AnusTickler\Downloads
Windows 7 Ultimate Service Pack 1 (X64) (2011-07-31 20:18:31)
Boot Mode: Normal
==========================================================


==================== Accounts: =============================

Administrator (S-1-5-21-2042302623-1599180195-1203687678-500 - Administrator - Disabled)
AnusTickler (S-1-5-21-2042302623-1599180195-1203687678-1000 - Administrator - Enabled) => C:\Users\AnusTickler
Guest (S-1-5-21-2042302623-1599180195-1203687678-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-2042302623-1599180195-1203687678-1003 - Limited - Enabled)
Second (S-1-5-21-2042302623-1599180195-1203687678-1004 - Limited - Enabled) => C:\Users\Second

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
AS: Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.023.20056 - Adobe Systems Incorporated)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 2.7.0.19530 - Adobe Systems Incorporated)
Adobe Flash Player 24 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 24.0.0.186 - Adobe Systems Incorporated)
Adobe Flash Player 24 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 24.0.0.194 - Adobe Systems Incorporated)
Ansel (Version: 376.33 - NVIDIA Corporation) Hidden
AOL Uninstaller (Choose which Products to Remove) (HKLM-x32\...\AOL Uninstaller) (Version:  - AOL Inc.)
Apple Application Support (32-bit) (HKLM-x32\...\{649A1FD9-5892-46AD-8DF0-C4A43FF61CB7}) (Version: 4.1 - Apple Inc.)
Apple Application Support (64-bit) (HKLM\...\{0DE0A178-AC7B-4650-806C-CF226DE03766}) (Version: 4.1 - Apple Inc.)
Apple Software Update (HKLM-x32\...\{FFD1F7F1-1AC9-4BC4-A908-0686D635ABAF}) (Version: 2.1.4.131 - Apple Inc.)
Ask Toolbar Updater (HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\{79A765E1-C399-405B-85AF-466F52E918B0}) (Version: 1.2.1.23037 - Ask.com) <==== ATTENTION
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
BitTorrent (HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\BitTorrent) (Version: 7.8.2.30332 - BitTorrent Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.01 - Piriform)
Cobian Backup 11 Gravity (HKLM-x32\...\CobBackup11) (Version:  - )
ControlCenter (HKLM-x32\...\{009E5DF2-3F97-480B-89DA-F2D5E672E14A}_is1) (Version: 1.0.230 - MSI)
CPUID HWMonitor 1.30 (HKLM\...\CPUID HWMonitor_is1) (Version:  - )
Creative ALchemy (HKLM-x32\...\ALchemy) (Version: 1.41 - Creative Technology Limited)
Creative Audio Console (HKLM-x32\...\AudioCS) (Version: 1.33 - Creative Technology Limited)
Creative MediaSource (HKLM-x32\...\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}) (Version: 3.00 - )
Creative MediaSource 5 (HKLM-x32\...\{BEEFC4F8-2909-48B3-AFAA-55D3533FDEDD}) (Version: 5.26 - Creative Technology Limited)
Creative Software AutoUpdate (HKLM-x32\...\Creative Software AutoUpdate) (Version: 1.40 - Creative Technology Limited)
Creative WaveStudio 7 (HKLM-x32\...\WaveStudio 7) (Version: 7.12 - Creative Technology Limited)
Discord (HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\Discord) (Version: 0.0.297 - Hammer & Chisel, Inc.)
eReg (x32 Version: 1.20.138.34 - Logitech, Inc.) Hidden
Europa Universalis IV (HKLM\...\Steam App 236850) (Version:  - Paradox Development Studio)
EVGA PrecisionX 16 (HKLM-x32\...\Steam App 268850) (Version:  - EVGA)
Factorio version 0.12.18 (HKLM\...\Factorio_is1) (Version:  - )
Folder Size 3.4.0.0 (HKLM-x32\...\{2DFA85ED-588F-4CE3-A175-29E52C3804A8}_is1) (Version: 3.4.0.0 - MindGems, Inc.)
Fraps (remove only) (HKLM-x32\...\Fraps) (Version:  - )
H1Z1: Just Survive (HKLM\...\Steam App 295110) (Version:  - Daybreak Game Company)
Hero Lab 7.6b (HKLM-x32\...\{760AA190-82DF-4A80-BE05-B9FEEC88946D}_is1) (Version: 7.6b - LWD Technology, Inc.)
IGG Web3D Player version 1.0.0.38 (HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\IGG Web3D Player_is1) (Version: 1.0.0.38 - IGG, Inc.)
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
League of Legends (HKLM-x32\...\League of Legends 4.1.2) (Version: 4.1.2 - Riot Games)
League of Legends (x32 Version: 4.1.2 - Riot Games) Hidden
Logitech SetPoint 6.30 (HKLM\...\sp6) (Version: 6.30.43 - Logitech)
Malwarebytes version 3.0.6.1469 (HKLM\...\{35065F43-4BB2-439A-BFF7-0F1014F2E0CD}_is1) (Version: 3.0.6.1469 - Malwarebytes)
marvell 91xx driver (HKLM-x32\...\MagniDriver) (Version: 1.0.0.1047 - Marvell)
Microsoft .NET Framework 1.1 (HKLM-x32\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft .NET Framework 4.5.2 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.51209 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-00A1-0000-0000-0000000FF1CE}_ONENOTE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office OneNote 2007 (HKLM-x32\...\ONENOTE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office SharePoint Designer 2007 (HKLM-x32\...\SharePointDesigner) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Office SharePoint Designer 2007 Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0017-0000-0000-0000000FF1CE}_SharePointDesigner_{4B4DF6E2-5E40-422B-82DD-205FD7E79226}) (Version:  - Microsoft)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.10.209.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.50901.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{7299052b-02a4-4627-81f2-1818da5d550d}) (Version: 8.0.56336 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{A49F249F-0C91-497F-86DF-B2585E8E76B7}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6ce5bae9-d3ca-4b99-891a-1dc6c118a5fc}) (Version: 8.0.59192 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (x64) (HKLM\...\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}) (Version: 8.0.61000 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022 (HKLM\...\{350AA351-21FA-3270-8B7A-835434E766AD}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24210 (HKLM-x32\...\{f144e08f-9cbe-4f09-9a8c-f2b858b7ee7f}) (Version: 14.0.24210.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24210 (HKLM-x32\...\{23658c02-145e-483d-ba6b-1eb82c580529}) (Version: 14.0.24210.0 - Microsoft Corporation)
Microsoft Visual J# .NET Redistributable Package 1.1 (HKLM-x32\...\{1A655D51-1423-48A3-B748-8F5A0BE294C8}) (Version: 1.1.4322 - Microsoft)
Microsoft XNA Framework Redistributable 3.1 (HKLM-x32\...\{19BFDA5D-1FE2-4F25-97F9-1A79DD04EE20}) (Version: 3.1.10527.0 - Microsoft Corporation)
Microsoft XNA Framework Redistributable 4.0 Refresh (HKLM-x32\...\{D69C8EDE-BBC5-436B-8E0E-C5A6D311CF4F}) (Version: 4.0.30901.0 - Microsoft Corporation)
Mount & Blade: Warband (HKLM\...\Steam App 48700) (Version:  - TaleWorlds Entertainment)
Mozilla Firefox 51.0.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 51.0.1 (x86 en-US)) (Version: 51.0.1 - Mozilla)
MSI Live Update 6 (HKLM-x32\...\{4F46CF54-47D2-41F4-B230-B0954C544420}}_is1) (Version: 6.2.0.07 - MSI)
MSXML 4.0 SP2 (KB954430) (HKLM-x32\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM-x32\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM-x32\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
nProtect Security Platform (x32 Version: 3.00.0000 - INCAInternet) Hidden
NVIDIA Graphics Driver 376.33 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 376.33 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.16.0318 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.16.0318 - NVIDIA Corporation)
Pillars of Eternity version 1.0 (HKLM-x32\...\Pillars of Eternity_is1) (Version: 1.0 - )
PowerISO (HKLM-x32\...\PowerISO) (Version: 6.1 - Power Software Ltd)
QuickTime 7 (HKLM-x32\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.77.1126.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7246 - Realtek Semiconductor Corp.)
Renesas Electronics USB 3.0 Host Controller Driver (HKLM-x32\...\InstallShield_{5442DAB8-7177-49E1-8B22-09A049EA5996}) (Version: 2.0.34.0 - Renesas Electronics Corporation)
Renesas Electronics USB 3.0 Host Controller Driver (x32 Version: 2.0.34.0 - Renesas Electronics Corporation) Hidden
RogueKiller version 12.8.6.0 (HKLM\...\8B3D7924-ED89-486B-8322-E8594065D5CB_is1) (Version: 12.8.6.0 - Adlice Software)
Rome - Total War™ (HKLM-x32\...\InstallShield_{A642BB6B-CA1D-4142-8DD4-318C3F3DC834}) (Version: 1.0 - Activision)
Rome - Total War™ (x32 Version: 1.0 - Activision) Hidden
SketchUp 2015 (HKLM\...\{350488A4-1540-4103-8F01-B27503891EB0}) (Version: 15.3.331 - Trimble Navigation Limited)
Skype Click to Call (HKLM-x32\...\{873F8E7C-10E6-449F-BD7E-5FBA7C8E1C9B}) (Version: 8.5.0.9167 - Microsoft Corporation)
Skype™ 7.30 (HKLM-x32\...\{FC965A47-4839-40CA-B618-18F486F042C6}) (Version: 7.30.105 - Skype Technologies S.A.)
Speccy (HKLM\...\Speccy) (Version: 1.30 - Piriform)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
swMSM (x32 Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.15 - TeamSpeak Systems GmbH)
TechPowerUp GPU-Z (HKLM-x32\...\TechPowerUp GPU-Z) (Version:  - TechPowerUp)
TripleA_1.9.0.0.3307 1.9.0.0.3307 (HKLM\...\5251-3669-9623-1649) (Version: 1.9.0.0.3307 - TripleA Developer Team)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0017-0000-0000-0000000FF1CE}_SharePointDesigner_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{90120000-00A1-0000-0000-0000000FF1CE}_ONENOTE_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VC80CRTRedist - 8.0.50727.6195 (x32 Version: 1.2.0 - DivX, Inc) Hidden
Ventrilo Client for Windows x64 (HKLM\...\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}) (Version: 3.0.8.0 - Flagship Industries, Inc.)
ViewSonic Monitor Drivers x64 (HKLM-x32\...\{48963B63-7A10-49D6-8B08-61E6132453D0}) (Version:  - )
ViewSonic Windows 7 Signed Files (HKLM-x32\...\{FC47C7A5-BE63-11D5-B7C9-005004566E4D}) (Version:  - )
Vulkan Run Time Libraries 1.0.26.0 (HKLM\...\VulkanRT1.0.26.0) (Version: 1.0.26.0 - LunarG, Inc.)
WhoCrashed 5.53 (HKLM\...\WhoCrashed_is1) (Version:  - Resplendence Software Projects Sp.)
Windows Live ID Sign-in Assistant (HKLM\...\{9B48B0AC-C813-4174-9042-476A887592C7}) (Version: 6.500.3165.0 - Microsoft Corporation)
Windows Media Encoder 9 Series (HKLM-x32\...\Windows Media Encoder 9) (Version:  - )
Windows Media Player Firefox Plugin (HKLM-x32\...\{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}) (Version: 1.0.0.8 - Microsoft Corp)
WindowsApplication180 (HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\ad32fae3edc4a168) (Version: 1.0.0.0 - WindowsApplication180)
WinRAR 4.01 (32-bit) (HKLM-x32\...\WinRAR archiver) (Version: 4.01.0 - win.rar GmbH)
WinRAR 4.01 (64-bit) (HKLM\...\WinRAR archiver) (Version: 4.01.0 - win.rar GmbH)
World of Warships (HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\{1EAC1D02-C6AC-4FA6-9A44-96258C37C814na}_is1) (Version:  - Wargaming.net)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000_Classes\CLSID\{630641d5-1820-4702-b76d-6797e17052c3}\InprocServer32 -> c:\windows\system32\dfshim.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000_Classes\CLSID\{eff79f65-acde-4277-9c26-22695a4a35a2}\InprocServer32 -> c:\windows\system32\dfshim.dll (Microsoft Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {27DFEDAA-4336-4264-8464-90B771CCC7F3} - System32\Tasks\Ad-Aware Update (Weekly) => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: {2F05BB89-7BB1-4A04-85BD-FDF50EEB4288} - System32\Tasks\{AB203646-0C97-44AC-ACC2-6EA1894AB990} => Firefox.exe hxxp://ui.skype.com/ui/0/7.18.0.103/en/go/help.faq.installer?source=lightinstaller&LastError=1603
Task: {47F1AE12-1986-488B-8221-DB96D1AEB9F8} - System32\Tasks\{BB0F77DA-7AFB-4ECD-A6F2-EE984B31E697} => Firefox.exe hxxp://ui.skype.com/ui/0/7.18.0.103/en/abandoninstall?source=lightinstaller&page=tsProgressBar
Task: {4BA9E0B2-D95B-461A-A224-35C44DD51B3E} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => c:\Program Files\Microsoft IntelliPoint\IPoint.exe
Task: {4C853F4A-8D71-4C63-8A56-7C414C0DC035} - System32\Tasks\Alarm => C:\Users\AnusTickler\Videos\RealPlayer Downloads\crystal maze (opening theme) series 3 1992 - YouTube.flv
Task: {54F7A88C-6E17-439B-B6AA-6645944521A2} - System32\Tasks\{C86D9D1D-B22B-49D2-9946-AA84CCAC8FE9} => pcalua.exe -a C:\Users\AnusTickler\Downloads\SBA2_WEBUP_EAXC_031230.exe -d "C:\Program Files (x86)\Mozilla Firefox"
Task: {758415A6-D331-4EDA-B673-1BEDDFB9F8A2} - System32\Tasks\{2412FC0A-335C-4238-BF35-AB16116BD8EB} => pcalua.exe -a E:\setup.exe -d E:\
Task: {835F1CF2-9341-4FF6-AFAD-3E92DCC91BDB} - System32\Tasks\{991210DE-FD31-4622-AEDC-87763E46B26C} => pcalua.exe -a "C:\Program Files (x86)\Steam\steam.exe" -c steam://uninstall/6370
Task: {920191C5-B202-4638-BF7E-FC0477FEC236} - System32\Tasks\{84CF988E-BBA5-4453-9737-4D59DDEDAA99} => pcalua.exe -a "C:\Program Files (x86)\MSI\Live Update 5\LU5\DL_FILE\Realtek_HD_Audio_Drivers_6.0.1.6402.exe" -d "C:\Program Files (x86)\MSI\Live Update 5\LU5\DL_FILE"
Task: {B646045D-CCA5-4762-BB96-E4B5097C68A6} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2014-12-12] (Piriform Ltd)
Task: {BE4B0A5A-3FA7-44AE-AB66-0FACE2A91A0A} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe
Task: {C2FA47E4-DE83-4C5D-BFF4-0476C0DAFF5C} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2017-01-22] (Adobe Systems Incorporated)
Task: {C735C0ED-F75B-4102-8714-4FF44C12C96F} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2042302623-1599180195-1203687678-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe
Task: {CA77680D-3604-40B7-A04C-578A0DEB8A88} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2042302623-1599180195-1203687678-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe
Task: {CB4F4356-9970-4E18-9C7A-63DF2D3836D1} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-2042302623-1599180195-1203687678-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe
Task: {DA05D048-7242-4CA4-A581-B52DB080593F} - System32\Tasks\Adobe Acrobat Update Task => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2016-12-19] (Adobe Systems Incorporated)
Task: {F31A1F1C-98D5-4D64-B3B0-04F96EECD8C1} - System32\Tasks\{E50D3574-7354-4B8B-982B-1D63BF66F03C} => pcalua.exe -a D:\SETUP.EXE -d D:\
Task: {F4954091-7821-4EA8-AC38-8804B00565F2} - System32\Tasks\{F5716EA9-3351-48D0-AA62-8462BA44354B} => Firefox.exe hxxp://ui.skype.com/ui/0/7.9.85.103/en/abandoninstall?page=tsProgressBar
Task: {F4E657EF-B4FB-40DE-8D99-57350F7C197A} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-2042302623-1599180195-1203687678-1000 => C:\Program Files (x86)\Real\RealUpgrade\RealUpgrade.exe

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Ad-Aware Update (Weekly).job => C:\Program Files (x86)\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\AnusTickler\AppData\Local\a5fe0951\4899548a.lnk -> C:\Users\AnusTickler\AppData\Local\a5fe0951\afcd9850.bat (No File)

==================== Loaded Modules (Whitelisted) ==============

2016-12-15 09:35 - 2017-01-20 07:47 - 02264352 _____ () C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\PoliciesControllerImpl.dll
2011-06-23 15:42 - 2011-06-23 15:42 - 01302808 _____ () C:\Program Files\Logitech\SetPointP\Macros\MacroCore.dll
2016-12-20 17:05 - 2016-12-11 10:47 - 00134712 _____ () C:\Program Files\NVIDIA Corporation\Display\NvSmartMax64.dll
2017-02-13 03:26 - 2005-07-18 13:43 - 00160256 _____ () C:\Program Files (x86)\MSI\Live Update\unrar.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
AlternateDataStreams: C:\ProgramData\TEMP:3B07E6F4 [127]

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\MBAMService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\myradioplayer => ""="service"

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\.DEFAULT\...\007guard.com -> install.007guard.com
IE restricted site: HKU\.DEFAULT\...\008i.com -> 008i.com
IE restricted site: HKU\.DEFAULT\...\008k.com -> www.008k.com
IE restricted site: HKU\.DEFAULT\...\00hq.com -> www.00hq.com
IE restricted site: HKU\.DEFAULT\...\010402.com -> 010402.com
IE restricted site: HKU\.DEFAULT\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\.DEFAULT\...\0scan.com -> www.0scan.com
IE restricted site: HKU\.DEFAULT\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\.DEFAULT\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\.DEFAULT\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\.DEFAULT\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\.DEFAULT\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\.DEFAULT\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\.DEFAULT\...\10sek.com -> www.10sek.com
IE restricted site: HKU\.DEFAULT\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\.DEFAULT\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\.DEFAULT\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\.DEFAULT\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\.DEFAULT\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\.DEFAULT\...\123simsen.com -> www.123simsen.com

There are 7866 more sites.

IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\clonewarsadventures.com -> clonewarsadventures.com
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\driversupport.com -> hxxp://apps.driversupport.com
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\driversupport.com -> hxxps://apps.driversupport.com
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\freerealms.com -> freerealms.com
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\soe.com -> soe.com
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\sony.com -> sony.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\123simsen.com -> www.123simsen.com

There are 7867 more sites.

IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\clonewarsadventures.com -> clonewarsadventures.com
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\freerealms.com -> freerealms.com
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\soe.com -> soe.com
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\sony.com -> sony.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\007guard.com -> install.007guard.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\008i.com -> 008i.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\008k.com -> www.008k.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\00hq.com -> www.00hq.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\010402.com -> 010402.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\032439.com -> 80gw6ry3i3x3qbrkwhxhw.032439.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\0scan.com -> www.0scan.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\1-2005-search.com -> www.1-2005-search.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\1-domains-registrations.com -> www.1-domains-registrations.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\1000gratisproben.com -> www.1000gratisproben.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\1001namen.com -> www.1001namen.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\100888290cs.com -> mir.100888290cs.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\100sexlinks.com -> www.100sexlinks.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\10sek.com -> www.10sek.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\12-26.net -> user1.12-26.net
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\12-27.net -> user1.12-27.net
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\123fporn.info -> www.123fporn.info
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\123haustiereundmehr.com -> www.123haustiereundmehr.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\123moviedownload.com -> www.123moviedownload.com
IE restricted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\123simsen.com -> www.123simsen.com

There are 7867 more sites.


==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 18:34 - 2015-09-19 03:08 - 00451417 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1    activate.adobe.com
127.0.0.1    practivate.adobe.com
127.0.0.1    ereg.adobe.com
127.0.0.1    activate.wip3.adobe.com
127.0.0.1    wip3.adobe.com
127.0.0.1    3dns-3.adobe.com
127.0.0.1    3dns-2.adobe.com
127.0.0.1    adobe-dns.adobe.com
127.0.0.1    adobe-dns-2.adobe.com
127.0.0.1    adobe-dns-3.adobe.com
127.0.0.1    ereg.wip3.adobe.com
127.0.0.1    activate-sea.adobe.com
127.0.0.1    wwis-dubc1-vip60.adobe.com
127.0.0.1    activate-sjc0.adobe.com
127.0.0.1    adobe.activate.com
127.0.0.1    adobeereg.com
127.0.0.1    www.adobeereg.com
127.0.0.1    wwis-dubc1-vip60.adobe.com
127.0.0.1    125.252.224.90
127.0.0.1    125.252.224.91
127.0.0.1    hl2rcv.adobe.com
127.0.0.1    www.007guard.com
127.0.0.1    007guard.com
127.0.0.1    008i.com
127.0.0.1    www.008k.com
127.0.0.1    008k.com
127.0.0.1    www.00hq.com
127.0.0.1    00hq.com
127.0.0.1    010402.com
127.0.0.1    www.032439.com
127.0.0.1    032439.com

There are 15483 more lines.


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\Control Panel\Desktop\\Wallpaper ->
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\Control Panel\Desktop\\Wallpaper -> C:\Users\Second\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 75.75.75.75 - 75.75.76.76
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

MSCONFIG\Services: AOL ACS => 3
MSCONFIG\Services: Desura Install Service => 3
MSCONFIG\Services: GlobalUpdater => 2
MSCONFIG\Services: IDriverT => 3
MSCONFIG\Services: insvc_1.10.0.14 => 2
MSCONFIG\startupfolder: C:^Users^AnusTickler^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^f8b0cc24.lnk => C:\Windows\pss\f8b0cc24.lnk.Startup
MSCONFIG\startupfolder: C:^Users^AnusTickler^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^fd3cdf9a.lnk => C:\Windows\pss\fd3cdf9a.lnk.Startup
MSCONFIG\startupreg: Ad-Aware Antivirus => "C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
MSCONFIG\startupreg: Ad-Aware Browsing Protection => "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
MSCONFIG\startupreg: Adobe ARM => "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
MSCONFIG\startupreg: AdobeAAMUpdater-1.0 => "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
MSCONFIG\startupreg: APSDaemon => "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
MSCONFIG\startupreg: AsioThk32Reg => REGSVR32.EXE /S CTASIO.DLL
MSCONFIG\startupreg: CCleaner Monitoring => "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
MSCONFIG\startupreg: Live Update => C:\Program Files (x86)\MSI\Live Update\Live Update.exe /REMINDER
MSCONFIG\startupreg: PWRISOVM.EXE => C:\Program Files\PowerISO\PWRISOVM.EXE -startup
MSCONFIG\startupreg: QuickTime Task => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
MSCONFIG\startupreg: RTHDVCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
MSCONFIG\startupreg: SDTray => "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
MSCONFIG\startupreg: ShadowPlay => "C:\Windows\system32\rundll32.exe" C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
MSCONFIG\startupreg: Sidebar => C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
MSCONFIG\startupreg: Skype => "C:\Program Files (x86)\Skype\Phone\Skype.exe" /minimized /regrun
MSCONFIG\startupreg: Spybot-S&D Cleaning => "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDCleaner.exe" /autoclean
MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
MSCONFIG\startupreg: Super Charger => C:\Program Files (x86)\MSI\Super Charger\Super Charger.exe

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [{FFE6009D-7827-4859-80F8-B39E149A16DA}] => C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [{0FBB2411-9497-4B2C-942C-D0C0B2C480E1}] => C:\Program Files (x86)\Steam\Steam.exe
FirewallRules: [TCP Query User{573E8095-5E70-4317-AB94-DF41CBC1B8D0}C:\program files (x86)\steam\steamapps\hoganhulk\team fortress 2\hl2.exe] => C:\program files (x86)\steam\steamapps\hoganhulk\team fortress 2\hl2.exe
FirewallRules: [UDP Query User{059A0D87-26CB-4529-8238-6E6311F88E5A}C:\program files (x86)\steam\steamapps\hoganhulk\team fortress 2\hl2.exe] => C:\program files (x86)\steam\steamapps\hoganhulk\team fortress 2\hl2.exe
FirewallRules: [TCP Query User{037922A7-7975-4F7F-B63E-B6CB5CD90817}C:\windows\syswow64\dplaysvr.exe] => C:\windows\syswow64\dplaysvr.exe
FirewallRules: [UDP Query User{BD560E9A-0328-471F-9702-330B9891DA48}C:\windows\syswow64\dplaysvr.exe] => C:\windows\syswow64\dplaysvr.exe
FirewallRules: [{FF59598B-27AE-4F5B-AC75-306E6C1D1118}] => C:\windows\syswow64\dplaysvr.exe
FirewallRules: [{C3E4232F-1FA1-4A64-84E1-78675A6A693A}] => C:\windows\syswow64\dplaysvr.exe
FirewallRules: [TCP Query User{AC3F18BB-0418-47A5-9924-77975FB84CB5}C:\windows\syswow64\rundll32.exe] => C:\windows\syswow64\rundll32.exe
FirewallRules: [UDP Query User{052DECE4-E7D0-40FE-9877-99C1F69C19FF}C:\windows\syswow64\rundll32.exe] => C:\windows\syswow64\rundll32.exe
FirewallRules: [{19E6F2A6-8C2D-4FCB-9901-98267CC899F6}] => C:\windows\syswow64\rundll32.exe
FirewallRules: [{4440487F-B8DB-488A-B2DD-A113362010A6}] => C:\windows\syswow64\rundll32.exe
FirewallRules: [{DDFE7EF4-478D-4173-AA09-C6FF2B759851}] => C:\Program Files\Ventrilo\Ventrilo.exe
FirewallRules: [{B26A7DED-B8E7-43D9-8C0B-E2E915B490E2}] => C:\Program Files\Ventrilo\Ventrilo.exe
FirewallRules: [TCP Query User{8AC19960-7477-4D0E-9D6A-71C596A6E4C1}C:\program files (x86)\mozilla firefox\plugin-container.exe] => C:\program files (x86)\mozilla firefox\plugin-container.exe
FirewallRules: [UDP Query User{F6F090E2-9B3A-44BB-801D-D2399F0DD274}C:\program files (x86)\mozilla firefox\plugin-container.exe] => C:\program files (x86)\mozilla firefox\plugin-container.exe
FirewallRules: [{4A82718B-0715-4D78-86F8-0F45203D356D}] => C:\Program Files (x86)\Ventrilo\Ventrilo.exe
FirewallRules: [{548D91E2-817E-4EA1-9EE6-CD877545A5F9}] => C:\Program Files (x86)\Ventrilo\Ventrilo.exe
FirewallRules: [{1EF880B9-E6A0-4C3E-B15A-F0370C0BF4DA}] => C:\Program Files (x86)\Hero Lab\HeroLab.exe
FirewallRules: [{C991C35C-D2C0-4473-9C6B-3C3901E120B7}] => C:\Program Files (x86)\Hero Lab\HeroLab.exe
FirewallRules: [{51EFD68C-1656-40D5-B027-617B1780AC98}] => LPort=80
FirewallRules: [{1ADA0B6D-175E-4160-98D7-F02887160752}] => LPort=443
FirewallRules: [{ADDDC433-EDEE-4237-8064-252E206F32CC}] => LPort=20010
FirewallRules: [{26D30559-4A80-4953-8C23-2689379A4DC9}] => LPort=3478
FirewallRules: [{85C2E2FD-2100-4CEE-9D30-A616326A3E5C}] => LPort=7850
FirewallRules: [{B9A2BD61-385B-4067-BC35-2DF1159AC1CB}] => LPort=27022
FirewallRules: [{3C31D2F9-E0AE-4632-9D80-237D9FFC8EDA}] => LPort=6881
FirewallRules: [{6E30B051-8910-460D-9C8A-BD50FE762FBC}] => LPort=33333
FirewallRules: [{F112DDDB-141A-49E4-A03B-84AD690AC9FB}] => LPort=20443
FirewallRules: [{746D133A-6394-48DD-87A9-A682F602226B}] => LPort=8090
FirewallRules: [{AFF9896E-5B6B-466B-8DCD-9824417ADBE6}] => C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{D20B10F1-C745-4523-B138-A8EB4B61564D}] => C:\Program Files (x86)\Battle.net\Battle.net.exe
FirewallRules: [{C25C5247-27FC-4054-A6E3-2B28EC248283}] => C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{84BE116C-D64C-45BC-BABA-3307A2190C83}] => C:\Program Files (x86)\Common Files\AOL\acs\AOLDial.exe
FirewallRules: [{D3AA831C-5BE5-4F7C-BA79-8B0444DBD79A}] => C:\Program Files (x86)\Common Files\AOL\acs\AOLDial.exe
FirewallRules: [{D39E86BF-555F-4666-993C-F8563BF1CCE1}] => C:\Program Files (x86)\Common Files\AOL\acs\AOLacsd.exe
FirewallRules: [{B429072B-EC4E-478A-8EE2-BE2B57209F84}] => C:\Program Files (x86)\Common Files\AOL\acs\AOLacsd.exe
FirewallRules: [{F741E48C-644E-4922-A817-B72D54EB7430}] => C:\Program Files (x86)\Common Files\AOL\1421460429\ee\aolsoftware.exe
FirewallRules: [{F5BDBA69-D2BD-46B0-A00A-8A07FB38E424}] => C:\Program Files (x86)\Common Files\AOL\1421460429\ee\aolsoftware.exe
FirewallRules: [{CB26F62C-C68D-48F1-AEC2-BE7F98D118F6}] => C:\Program Files (x86)\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe
FirewallRules: [{04127511-86CC-4B48-B8E3-587CCA3FEB6E}] => C:\Program Files (x86)\Common Files\AOL\TopSpeed\3.0\aoltpsd3.exe
FirewallRules: [{7ECEBA7D-1C1D-407E-A533-87063378AED2}] => C:\Program Files (x86)\Common Files\AOL\Loader\aolload.exe
FirewallRules: [{BB5FD951-3EFC-44CB-A7F8-16DC9BA97263}] => C:\Program Files (x86)\Common Files\AOL\Loader\aolload.exe
FirewallRules: [{9132F99D-54A8-4EDC-81BD-7F0700834100}] => C:\Program Files (x86)\Common Files\AOL\System Information\sinf.exe
FirewallRules: [{62AC8FE0-9464-40DE-A9F2-B95237B96203}] => C:\Program Files (x86)\Common Files\AOL\System Information\sinf.exe
FirewallRules: [{6524C4DE-FE00-494E-9FBE-943FC6A1F6E5}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{05C66A4E-FA85-4805-AE36-2DE0DA46691A}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{F488D8BC-060C-4D70-A78D-FCB1EEBA025A}C:\program files (x86)\mozilla firefox\firefox.exe] => C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [UDP Query User{561C595F-0F5B-4584-8D66-B8428C56CC85}C:\program files (x86)\mozilla firefox\firefox.exe] => C:\program files (x86)\mozilla firefox\firefox.exe
FirewallRules: [TCP Query User{B347A99D-E76E-4EA7-B09D-239A626C1359}C:\games\world_of_warships\wowslauncher.exe] => C:\games\world_of_warships\wowslauncher.exe
FirewallRules: [UDP Query User{2DC8C152-510A-4471-BF79-E7039AF40A20}C:\games\world_of_warships\wowslauncher.exe] => C:\games\world_of_warships\wowslauncher.exe
FirewallRules: [{8B0CAF6F-2B3F-4AFD-9C8F-FA1B893D08F1}] => C:\Program Files (x86)\Steam\steamapps\common\EVGA PrecisionX\PrecisionX_x64.exe
FirewallRules: [{5E175DCE-60EC-4B3C-9C4C-F9F4E8CC8FC8}] => C:\Program Files (x86)\Steam\steamapps\common\EVGA PrecisionX\PrecisionX_x64.exe
FirewallRules: [{DACE0623-57C0-408C-82AE-6A0924BA8E5F}] => C:\Program Files (x86)\Steam\steamapps\common\EVGA PrecisionX\Skins\UxfTool.exe
FirewallRules: [{F87F49AA-A8D6-417E-951C-9C2DD0616313}] => C:\Program Files (x86)\Steam\steamapps\common\EVGA PrecisionX\Skins\UxfTool.exe
FirewallRules: [{C093FEE3-5EB8-4761-8477-F37FF452C185}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{B669ACBF-AE7A-4071-B1C6-A70BD582C3F8}] => C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{AD9EA344-1638-47C8-8F57-A0D0FD132E8A}C:\program files\factorio\bin\x64\factorio.exe] => C:\program files\factorio\bin\x64\factorio.exe
FirewallRules: [UDP Query User{3A6E4477-05A5-4D79-8DE8-4445D99AF358}C:\program files\factorio\bin\x64\factorio.exe] => C:\program files\factorio\bin\x64\factorio.exe
FirewallRules: [{D7F17E9F-2097-49E6-8555-4F9DB2280341}] => C:\Program Files (x86)\Hero Lab\HeroLab.exe
FirewallRules: [{EC38878D-7234-4861-B670-6166E4576CFF}] => C:\Program Files (x86)\Hero Lab\HeroLab.exe
FirewallRules: [{29ABBF92-D909-4A68-AB91-8D4EC03F0616}] => LPort=7852
FirewallRules: [{580C4E32-1578-4027-B3A4-BF3826761C4A}] => LPort=7853
FirewallRules: [{F4F1267C-10D8-4802-80C3-7DE93C517E63}] => C:\Program Files (x86)\Steam\steamapps\common\MountBlade Warband\mb_warband.exe
FirewallRules: [{6996E535-7AC2-4C76-84B3-BA9BF9FD8983}] => C:\Program Files (x86)\Steam\steamapps\common\MountBlade Warband\mb_warband.exe
FirewallRules: [{6AC7AF44-2968-4F1E-8EB9-57B88350F5E5}] => C:\Program Files (x86)\Steam\steamapps\common\Europa Universalis IV\eu4.exe
FirewallRules: [{B5B50030-CE2E-4533-8F27-42CAB8C48BFB}] => C:\Program Files (x86)\Steam\steamapps\common\Europa Universalis IV\eu4.exe
FirewallRules: [{76919C91-0D93-4EE2-8BE9-D028B8BA1DBB}] => C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{422B9101-7E05-4679-B27A-38C39761FD89}] => C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [TCP Query User{B6782F8B-4D5A-4EE7-9464-27BC76B6F892}C:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe] => C:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe
FirewallRules: [UDP Query User{EC91855A-0F97-44CA-9CAA-411FA612EF0C}C:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe] => C:\program files (x86)\steam\steamapps\common\h1z1\h1z1.exe
FirewallRules: [{991133A0-0984-4655-98DA-7F9BFEF51AEA}] => C:\Program Files (x86)\Steam\steamapps\common\H1Z1\LaunchPad.exe
FirewallRules: [{4E9F9387-3021-4937-95F4-D9F27DAA53EC}] => C:\Program Files (x86)\Steam\steamapps\common\H1Z1\LaunchPad.exe

==================== Restore Points =========================


==================== Faulty Device Manager Devices =============

Name: Creative Game Port
Description: Creative Game Port
Class Guid: {4d36e96c-e325-11ce-bfc1-08002be10318}
Manufacturer: Creative
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: AYZ6EUVU IDE Controller
Description: AYZ6EUVU IDE Controller
Class Guid: {4D36E97B-E325-11CE-BFC1-08002BE10318}
Manufacturer: (Standard mass storage controllers)
Service: aac7hnjr
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: nProtect Firewall Core Driver
Description: nProtect Firewall Core Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: TKFWFV
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears.Remove the device, and this error should be resolved.


==================== Event log errors: =========================

Application errors:
==================
Error: (02/13/2017 03:53:05 AM) (Source: VSS) (EventID: 8194) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {78d679a8-ac87-4cd9-8827-fbaa89774782}

Error: (02/04/2017 02:29:39 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 51.0.1.6234 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 918

Start Time: 01d27e4235d9ad11

Termination Time: 0

Application Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Report Id: 99c88e4a-eac4-11e6-9fc0-00038a000015

Error: (02/02/2017 05:27:57 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: MSI_LiveUpdate_Service.exe, version: 1.0.0.37, time stamp: 0x582449b8
Faulting module name: MSI_LiveUpdate_Service.exe, version: 1.0.0.37, time stamp: 0x582449b8
Exception code: 0xc0000005
Fault offset: 0x00002db9
Faulting process id: 0x70c
Faulting application start time: 0x01d27d1aeaf8f8cc
Faulting application path: C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe
Faulting module path: C:\Program Files (x86)\MSI\Live Update\MSI_LiveUpdate_Service.exe
Report Id: 684a31d7-e94b-11e6-a98e-00038a000015

Error: (01/28/2017 03:35:36 PM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (01/28/2017 03:35:36 PM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (01/28/2017 03:35:36 PM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (01/28/2017 03:35:36 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    Element not found.  (HRESULT : 0x80070490) (0x80070490)

Error: (01/28/2017 03:35:30 PM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (01/28/2017 03:35:30 PM) (Source: Windows Search Service) (EventID: 9002) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index database is corrupt.  (HRESULT : 0xc0041800) (0xc0041800)

Error: (01/28/2017 03:35:30 PM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)


System errors:
=============
Error: (02/14/2017 01:30:19 AM) (Source: volsnap) (EventID: 36) (User: )
Description: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.

Error: (02/13/2017 06:02:45 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom
TKFWFV

Error: (02/13/2017 05:01:43 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Creative Service for CDROM Access service terminated unexpectedly.  It has done this 1 time(s).

Error: (02/13/2017 05:03:25 AM) (Source: bowser) (EventID: 8003) (User: )
Description: The master browser has received a server announcement from the computer AL
that believes that it is the master browser for the domain on transport NetBT_Tcpip_{C8FBD618-A192-4DF9-9690-24434B3E422A}.
The master browser is stopping or an election is being forced.

Error: (02/13/2017 04:33:10 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: The server {752073A1-23F2-4396-85F0-8FDB879ED0ED} did not register with DCOM within the required timeout.

Error: (02/13/2017 04:27:44 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom
TKFWFV

Error: (02/13/2017 03:21:50 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom
TKFWFV

Error: (02/13/2017 03:20:56 AM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 3:18:31 AM on ‎2/‎13/‎2017 was unexpected.

Error: (02/12/2017 11:29:35 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Windows Update service hung on starting.

Error: (02/12/2017 11:22:58 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom
TKFWFV


CodeIntegrity:
===================================
  Date: 2012-01-06 13:58:17.606
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2012-01-06 13:58:17.557
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-11 11:44:26.740
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-11 11:44:26.728
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-11 02:11:09.123
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-11 02:11:09.111
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-09 17:33:26.682
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-09 17:33:26.670
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-09 14:03:33.870
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-09 14:03:33.857
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


==================== Memory info ===========================

Processor: Intel® Core™ i7 CPU 965 @ 3.20GHz
Percentage of memory in use: 39%
Total physical RAM: 6135.11 MB
Available physical RAM: 3731.17 MB
Total Virtual: 12268.41 MB
Available Virtual: 9608.91 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:232.73 GB) (Free:66.95 GB) NTFS
Drive e: (Expansion Drive) (Fixed) (Total:232.88 GB) (Free:224.97 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 232.8 GB) (Disk ID: BD4A6DE5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=232.7 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 232.9 GB) (Disk ID: 0C71FEED)
Partition 1: (Active) - (Size=232.9 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Edited by AdamsComputer, 14 February 2017 - 07:27 AM.



#2 nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 February 2017 - 09:31 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs via the Control Panel > Programs > Programs and Features.
Ask Toolbar Updater (HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\{79A765E1-C399-405B-85AF-466F52E918B0}) (Version: 1.2.1.23037 - Ask.com) <==== ATTENTION
JavaFX 2.1.1 (HKLM-x32\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Run: [AVG-Secure-Search-Update_JUNE2013_TB] => "C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_TB.exe"  /PROMPT /CMPID=JUNE2013_TB
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Run: [AVG-Secure-Search-Update_JUNE2013_HP] => "C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_HP.exe"  /PROMPT /CMPID=JUNE2013_HP
AppInit_DLLs-x32: ??????? => No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [No File]
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [No File]
FF Plugin-x32: @ogplanet.com/npOGPPlugin -> C:\Windows\system32\npOGPPlugin.dll [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @veetle.com/veetleCorePlugin,version=0.9.18 -> C:\Program Files (x86)\Veetle\plugins\npVeetle.dll [No File]
FF Plugin-x32: @veetle.com/veetlePlayerPlugin,version=0.9.18 -> C:\Program Files (x86)\Veetle\Player\npvlc.dll [No File]
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [15712 2013-05-05] ()
U3 aac7hnjr; no ImagePath
S3 BRDriver64_1_3_3_7ECFDFEA; \??\C:\ProgramData\BitRaider\support\1.3.3\7ECFDFEA\BRDriver64.sys [X]
S3 COMMONFX.DLL; system32\COMMONFX.DLL [X]
S3 CT20XUT.DLL; system32\CT20XUT.DLL [X]
S3 CTAUDFX.DLL; system32\CTAUDFX.DLL [X]
S3 CTEAPSFX.DLL; system32\CTEAPSFX.DLL [X]
S3 CTEDSPFX.DLL; system32\CTEDSPFX.DLL [X]
S3 CTEDSPIO.DLL; system32\CTEDSPIO.DLL [X]
S3 CTEDSPSY.DLL; system32\CTEDSPSY.DLL [X]
S3 CTERFXFX.DLL; system32\CTERFXFX.DLL [X]
S3 CTEXFIFX.DLL; system32\CTEXFIFX.DLL [X]
S3 CTHWIUT.DLL; system32\CTHWIUT.DLL [X]
S3 CTSBLFX.DLL; system32\CTSBLFX.DLL [X]
S3 dump_wmimmc; \??\C:\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 MBAMWebProtection; \??\C:\Windows\system32\drivers\mwac.sys [X]
S3 MSI_MSIBIOS_010507; \??\C:\Program Files (x86)\MSI\Live Update 5\msibios64_100507.sys [X]
S3 NTIOLib_1_0_3; \??\C:\Program Files (x86)\MSI\Super Charger\NTIOLib_X64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {2F05BB89-7BB1-4A04-85BD-FDF50EEB4288} - System32\Tasks\{AB203646-0C97-44AC-ACC2-6EA1894AB990} => Firefox.exe hxxp://ui.skype.com/ui/0/7.18.0.103/en/go/help.faq.installer?source=lightinstaller&amp;LastError=1603
Shortcut: C:\Users\AnusTickler\AppData\Local\a5fe0951\4899548a.lnk -> C:\Users\AnusTickler\AppData\Local\a5fe0951\afcd9850.bat (No File)
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
AlternateDataStreams: C:\ProgramData\TEMP:3B07E6F4 [127]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\myradioplayer => ""="service"
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\driversupport.com -> hxxp://apps.driversupport.com
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\driversupport.com -> hxxps://apps.driversupport.com
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services: insvc_1.10.0.14
C:\Windows\System32\DRIVERS\SWDUMon.sys
C:\Windows\pss\f8b0cc24.lnk.Startup
C:\Windows\pss\fd3cdf9a.lnk.Startup
C:\Windows\pss\f8b0cc24.lnk
C:\Windows\pss\fd3cdf9a.lnk
C:\Users\AnusTickler\AppData\Local\a5fe0951

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it to your
===

CHR dev: Chrome dev build detected! <======= ATTENTION

Your copy of Chrome has been compromised

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants.


Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Before you do, export your Bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

Re-install Chrome and the Bookmarks.

If you want to save all your settings refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
<<<>>>


If you Sync your data.
How To Delete Your Google Chrome Browser Sync Data
http://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/
<<<>>>


Please let me know what problem persists with this computer.
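
As an added example, not part of the thread or of FRST: a PowerShell check to run after the fix above has completed, to confirm the persistence artefacts the fixlist targets are actually gone. The profile path and the 8-hex-character naming pattern come from the log lines in this thread; the regular expressions and the list of script extensions are assumptions.

```powershell
# Added example, not part of the thread or of FRST: re-check the persistence artefacts the
# fixlist above targets, after the fix has run. Reports only; deletes nothing.
# Profile path and the 8-hex-character naming pattern are taken from the log lines in this
# thread; the regular expressions and the script extension list are assumptions.
$ErrorActionPreference = 'SilentlyContinue'
$profileRoot = 'C:\Users\AnusTickler'   # from the FRST log; change for another machine

# 1. Startup-folder shortcuts (including the ones msconfig parked in C:\Windows\pss),
#    resolved to their targets with the WScript.Shell COM object.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    (Join-Path $profileRoot 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup')
    'C:\Windows\pss'
) | Where-Object { Test-Path $_ }

$shortcuts = foreach ($dir in $startupDirs) {
    foreach ($file in Get-ChildItem -Path $dir -File -Filter '*.lnk*') {
        $target = $null
        if ($file.Extension -eq '.lnk') {   # CreateShortcut only parses files named *.lnk
            $target = $shell.CreateShortcut($file.FullName).TargetPath
        }
        # Kovter-style entries: an 8-hex-character name (f8b0cc24.lnk in the log), or a
        # target that is a script/shortcut inside a random 8-hex-character AppData\Local folder.
        $flag = ($file.BaseName -match '^[0-9a-f]{8}(\.lnk)?$') -or
                ($target -match '\\AppData\\Local\\[0-9a-f]{8}\\') -or
                ($target -match '\.(bat|cmd|lnk|vbs|js)$')
        [pscustomobject]@{
            Shortcut     = $file.FullName
            Target       = $target
            TargetExists = [bool]($target -and (Test-Path $target))
            Suspicious   = $flag
        }
    }
}

# 2. Random-named dropper folders under AppData\Local (a5fe0951 in the log held a .lnk
#    pointing at a .bat that was already gone, which is why the whole folder is in the fixlist).
$hexDirs = Get-ChildItem -Path (Join-Path $profileRoot 'AppData\Local') -Directory |
           Where-Object { $_.Name -match '^[0-9a-f]{8}$' }

# 3. Alternate data streams on the entries directly under C:\ProgramData. "dir /r" prints a
#    ":$DATA" line only for named streams, so every match here is an ADS worth a look.
$ads = cmd /c dir /r C:\ProgramData | Where-Object { $_ -match ':\$DATA\s*$' }

# 4. The process chain the poster saw in Task Manager (mshta -> powershell -> regsvr32);
#    ParentProcessId shows which one launched which. The PowerShell running this
#    script will show up here as well.
$chain = Get-CimInstance -ClassName Win32_Process |
         Where-Object { $_.Name -match '^(mshta|powershell|regsvr32)\.exe$' } |
         Select-Object ProcessId, ParentProcessId, Name, CommandLine

# 5. Report. Anything still listed after the fix means the cleanup did not finish.
$hits = @($shortcuts | Where-Object { $_.Suspicious })
if ($hits)    { "Suspicious startup shortcuts:"; $hits | Format-Table -AutoSize }
if ($hexDirs) { "Random-named folders under AppData\Local:"; $hexDirs.FullName }
if ($ads)     { "Alternate data streams under C:\ProgramData:"; $ads.Trim() }
if ($chain)   { "mshta/powershell/regsvr32 processes now running:"; $chain | Format-Table -AutoSize }
if (-not ($hits -or $hexDirs -or $ads -or $chain)) { "No Kovter-style artefacts found." }
```

Run it from an elevated PowerShell so C:\Windows\pss and the ProgramData streams are readable.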

#3 AdamsComputer

  • Topic Starter
  • Members
  • 24 posts

Posted 14 February 2017 - 11:05 AM

Asktoolbar and Chrome do not show in the programs when I go to uninstall.  Javafx is now uninstalled.  How long will the FRST take, as it's been running for an hour now?



#4 nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 February 2017 - 11:19 AM

Close the Farbar process.

Look if a log has been created and post it if you have one.

If no log then run the Fix again.
It should not take more than 15 minutes.

#5 AdamsComputer

  • Topic Starter
  • Members
  • 24 posts

Posted 14 February 2017 - 11:26 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 14-02-2017
Ran by AnusTickler (14-02-2017 07:34:54) Run:1
Running from C:\Users\AnusTickler\Downloads
Loaded Profiles: AnusTickler (Available Profiles: AnusTickler & Second)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Run: [AVG-Secure-Search-Update_JUNE2013_TB] => "C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_TB.exe"  /PROMPT /CMPID=JUNE2013_TB
HKU\S-1-5-21-2042302623-1599180195-1203687678-1004\...\Run: [AVG-Secure-Search-Update_JUNE2013_HP] => "C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_HP.exe"  /PROMPT /CMPID=JUNE2013_HP
AppInit_DLLs-x32: ??????? => No File
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-2042302623-1599180195-1203687678-1004 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @nexon.net/NxGame -> C:\ProgramData\NexonUS\NGM\npNxGameUS.dll [No File]
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [No File]
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [No File]
FF Plugin-x32: @ogplanet.com/npOGPPlugin -> C:\Windows\system32\npOGPPlugin.dll [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @veetle.com/veetleCorePlugin,version=0.9.18 -> C:\Program Files (x86)\Veetle\plugins\npVeetle.dll [No File]
FF Plugin-x32: @veetle.com/veetlePlayerPlugin,version=0.9.18 -> C:\Program Files (x86)\Veetle\Player\npvlc.dll [No File]
S3 SWDUMon; C:\Windows\System32\DRIVERS\SWDUMon.sys [15712 2013-05-05] ()
U3 aac7hnjr; no ImagePath
S3 BRDriver64_1_3_3_7ECFDFEA; \??\C:\ProgramData\BitRaider\support\1.3.3\7ECFDFEA\BRDriver64.sys [X]
S3 COMMONFX.DLL; system32\COMMONFX.DLL [X]
S3 CT20XUT.DLL; system32\CT20XUT.DLL [X]
S3 CTAUDFX.DLL; system32\CTAUDFX.DLL [X]
S3 CTEAPSFX.DLL; system32\CTEAPSFX.DLL [X]
S3 CTEDSPFX.DLL; system32\CTEDSPFX.DLL [X]
S3 CTEDSPIO.DLL; system32\CTEDSPIO.DLL [X]
S3 CTEDSPSY.DLL; system32\CTEDSPSY.DLL [X]
S3 CTERFXFX.DLL; system32\CTERFXFX.DLL [X]
S3 CTEXFIFX.DLL; system32\CTEXFIFX.DLL [X]
S3 CTHWIUT.DLL; system32\CTHWIUT.DLL [X]
S3 CTSBLFX.DLL; system32\CTSBLFX.DLL [X]
S3 dump_wmimmc; \??\C:\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 MBAMWebProtection; \??\C:\Windows\system32\drivers\mwac.sys [X]
S3 MSI_MSIBIOS_010507; \??\C:\Program Files (x86)\MSI\Live Update 5\msibios64_100507.sys [X]
S3 NTIOLib_1_0_3; \??\C:\Program Files (x86)\MSI\Super Charger\NTIOLib_X64.sys [X]
S3 Synth3dVsc; System32\drivers\synth3dvsc.sys [X]
S3 tsusbhub; system32\drivers\tsusbhub.sys [X]
S3 VBoxNetFlt; system32\DRIVERS\VBoxNetFlt.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {2F05BB89-7BB1-4A04-85BD-FDF50EEB4288} - System32\Tasks\{AB203646-0C97-44AC-ACC2-6EA1894AB990} => Firefox.exe hxxp://ui.skype.com/ui/0/7.18.0.103/en/go/help.faq.installer?source=lightinstaller&amp;LastError=1603
Shortcut: C:\Users\AnusTickler\AppData\Local\a5fe0951\4899548a.lnk -> C:\Users\AnusTickler\AppData\Local\a5fe0951\afcd9850.bat (No File)
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
AlternateDataStreams: C:\ProgramData\TEMP:3B07E6F4 [127]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\myradioplayer => ""="service"
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\driversupport.com -> hxxp://apps.driversupport.com
IE trusted site: HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\...\driversupport.com -> hxxps://apps.driversupport.com
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services: insvc_1.10.0.14
C:\Windows\System32\DRIVERS\SWDUMon.sys
C:\Windows\pss\f8b0cc24.lnk.Startup
C:\Windows\pss\fd3cdf9a.lnk.Startup
C:\Windows\pss\f8b0cc24.lnk
C:\Windows\pss\fd3cdf9a.lnk
C:\Users\AnusTickler\AppData\Local\a5fe0951

Reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.

#6 nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 February 2017 - 11:44 AM

Please run the fix again but remove the line EmptyTemp: from the Fixlist.txt file.

There may be too many files to remove.

Post a fresh Fixlog.txt log for my review.

Let me know what problem persists.

#7 AdamsComputer

  • Topic Starter
  • Members
  • 24 posts

Posted 14 February 2017 - 12:28 PM

It's still not finishing after removing that line.



#8 nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 February 2017 - 02:03 PM

Run this cleaning tool for now.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#9 AdamsComputer

  • Topic Starter
  • Members
  • 24 posts

Posted 14 February 2017 - 10:21 PM

Here is the log for zoek.  I am getting BSOD IRQL not less or equal when trying to start a game.

 

Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by AnusTickler on Tue 02/14/2017 at 13:07:55.83.
Microsoft Windows 7 Ultimate  6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\AnusTickler\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

2/14/2017 6:31:38 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\TripleA deleted successfully
C:\PROGRA~3\1887373585 deleted successfully
C:\PROGRA~3\2355320829 deleted successfully
C:\PROGRA~3\PC Drivers HeadQuarters deleted successfully
C:\PROGRA~3\Symantec deleted successfully
C:\Users\AnusTickler\AppData\Roaming\Darkfall RoA deleted successfully
C:\Users\AnusTickler\AppData\Roaming\Dwarfs deleted successfully
C:\Users\AnusTickler\AppData\Roaming\Publish Providers deleted successfully
C:\Users\AnusTickler\AppData\Local\CrashDumps deleted successfully
C:\Users\AnusTickler\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\AnusTickler\AppData\Local\EmieSiteList deleted successfully
C:\Users\AnusTickler\AppData\Local\EmieUserList deleted successfully
C:\Users\AnusTickler\AppData\Local\PC_Drivers_Headquarters deleted successfully
C:\Users\AnusTickler\AppData\Local\Pirates deleted successfully
C:\Users\AnusTickler\AppData\Local\Skype deleted successfully
C:\Users\AnusTickler\AppData\Local\Unity deleted successfully
C:\Users\AnusTickler\AppData\Local\WarThunder deleted successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\CrashDumps deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2042302623-1599180195-1203687678-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6C8C7D9-CE4E-406e-8D98-2B84BBE5E897} deleted successfully

==== Deleting CLSID Registry Values ======================

HKEY_USERS\S-1-5-21-2042302623-1599180195-1203687678-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully
HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\{ABDE892B-13A8-4d1b-88E6-365A6E755758} deleted successfully

==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\ANUSTI~1\AppData\Roaming\Mozilla\Firefox\Profiles\b4aapdia.default-1487067992276\prefs.js:

Added to C:\Users\ANUSTI~1\AppData\Roaming\Mozilla\Firefox\Profiles\b4aapdia.default-1487067992276\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Deleted from C:\Users\ANUSTI~1\AppData\Roaming\Prism\IG-Marauders\Profiles\80x7g8ty.default\prefs.js:
user_pref("browser.startup.homepage", "https://webstore.isotx.com/igmaraudersL.html");

Added to C:\Users\ANUSTI~1\AppData\Roaming\Prism\IG-Marauders\Profiles\80x7g8ty.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Deleted from C:\Users\Second\AppData\Roaming\Mozilla\Firefox\Profiles\a9pr9i2y.default\prefs.js:
user_pref("browser.startup.homepage", "http://securesearch.lavasoft.com/?source=f439e2c0&tbp=homepage&toolbarid=adawaretb&v=2_5&u=E264FE8B50F305564034E95149569C7B");
user_pref("browser.search.selectedEngine", "SecureSearch");

Added to C:\Users\Second\AppData\Roaming\Mozilla\Firefox\Profiles\a9pr9i2y.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\ANUSTI~1\AppData\Roaming\Mozilla\Firefox\Profiles\b4aapdia.default-1487067992276

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20170214_0652_.backup

ProfilePath: C:\Users\ANUSTI~1\AppData\Roaming\Prism\IG-Marauders\Profiles\80x7g8ty.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_20170214_0652_.backup

ProfilePath: C:\Users\Second\AppData\Roaming\Mozilla\Firefox\Profiles\a9pr9i2y.default

user.js not found
---- Lines browser.startup.page removed from prefs.js ----
user_pref("browser.startup.page", 1);
---- Lines {ABDE892B-13A8-4d1b-88E6-365A6E755758} modified from prefs.js ----

user_pref("extensions.installCache", "[{\"name\":\"winreg-app-global\",\"addons\":{\"{ABDE892B-13A8-4d1b-88E6-365A6E755758}\":{\"descriptor\":\"C:\\\\
---- FireFox user.js and prefs.js backups ----

prefs_20170214_0652_.backup

==== Batch Command(s) Run By Tool======================


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


==== Deleting Files \ Folders ======================

C:\PROGRA~2\TripleA not found
C:\Users\AnusTickler\AppData\Roaming\7DaysToDie deleted
C:\Users\AnusTickler\AppData\Roaming\discord deleted
C:\Users\AnusTickler\AppData\Roaming\Factorio deleted
C:\Users\AnusTickler\AppData\Roaming\Unity of Command deleted
C:\PROGRA~3\42954577758484832 deleted
C:\PROGRA~3\DivX deleted
C:\Users\AnusTickler\AppData\Roaming\GetRightToGo deleted
C:\Users\AnusTickler\DSETUP.dll deleted
C:\Users\AnusTickler\dsetup32.dll deleted
C:\PROGRA~3\hash.dat deleted
C:\PROGRA~3\InstallMate deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\AnusTickler\AppData\Local\adawarebp deleted
C:\Users\AnusTickler\AppData\Local\CrashRpt deleted
C:\Users\AnusTickler\AppData\LocalLow\Unity deleted
C:\Users\AnusTickler\AppData\LocalLow\Company deleted
C:\Windows\sysWoW64\config\systemprofile\AppData\LocalLow\AVG Secure Search deleted
C:\Windows\wininit.ini deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
C:\Windows\Syswow64\SET4ACB.tmp deleted
C:\Windows\Syswow64\SET4AFB.tmp deleted
C:\Windows\Syswow64\SET4B1B.tmp deleted
C:\Windows\SysWOW64\LavasoftTcpService.dll deleted
C:\Windows\SysWow64\AI_RecycleBin deleted
C:\Users\Second\AppData\Roaming\Mozilla\Firefox\Profiles\a9pr9i2y.default\extensions\staged deleted
C:\Users\AnusTickler\DXSETUP.exe deleted
C:\Users\AnusTickler\Downloads\Setup(1).exe deleted
"C:\Windows\Installer\367dacf.msi" deleted
"C:\Users\AnusTickler\AppData\Roaming\QXEB" deleted
"C:\ProgramData\38283d2e2a20_c" deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\ANUSTI~1\AppData\Roaming\Mozilla\Firefox\Profiles\b4aapdia.default-1487067992276
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\ANUSTI~1\AppData\Roaming\Prism\IG-Marauders\Profiles\80x7g8ty.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\Second\AppData\Roaming\Mozilla\Firefox\Profiles\a9pr9i2y.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Firefox Extensions ======================

ProfilePath: C:\Users\Second\AppData\Roaming\Mozilla\Firefox\Profiles\a9pr9i2y.default
- Undetermined - %ProfilePath%\extensions\jid1-yZwVFzbsyfMrqQ@jetpack

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Undetermined - %AppDir%\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\AnusTickler\AppData\Roaming\Mozilla\Firefox\Profiles\b4aapdia.default-1487067992276
517021D1BCA1962ABF09099014A7D87D    - C:\Windows\SysWoW64\npOGPPlugin.dll -    OGPlanet Game Plugin
9E602A9634AC3EFA8CD5BC4CD943416B    - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_24_0_0_194.dll -    Shockwave Flash
15E298B5EC5B89C5994A59863969D9FF    - C:\Windows\system32\npmproxy.dll -    Microsoft® Windows® Operating System


==== Fake Chromium Profiles Check ======================

Fake profile C:\Users\Second\AppData\Local\Google\Chrome deleted

==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
efaidnbmnnnibpcajpcglclefindmkaj - No path found[]
lifbcibllhkdhoafpjfnlhfpfgnpldfl - No path found[]


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE09&ocid=UE09DHP"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}] not found

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE09&ocid=UE09DHP"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

==== Reset Google Chrome ======================

C:\Users\AnusTickler\AppData\Local\Chromium\User Data\Default\Preferences was reset successfully
C:\Users\AnusTickler\AppData\Local\Chromium\User Data\Default\Web Data was reset successfully
C:\Users\AnusTickler\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\AnusTickler\AppData\Local\Google\Chrome\User Data\Default\Web Data copy was reset successfully

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4 deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{30C32EF7-DBAB-7427-360B-7B544F6C73EE} deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{4334C831-16FC-B0CD-F4C9-9725349729B6} deleted successfully
HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\07F523B1489AE12448706086E3E60FB3 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4 deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware Browsing Protection deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spybot-S&D Cleaning deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Super Charger deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\AnusTickler\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\AnusTickler\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Second\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Second\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Second\AppData\Local\Temp\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\AnusTickler\AppData\Local\Mozilla\Firefox\Profiles\b4aapdia.default-1487067992276\cache2 emptied successfully
C:\Users\AnusTickler\AppData\Roaming\Mozilla\Firefox\Profiles\b4aapdia.default-1487067992276\storage\default\https+++www.youtube.com\cache emptied successfully
C:\Users\AnusTickler\AppData\Roaming\Mozilla\Firefox\Profiles\xeqjkcal.default-1432288339924\storage\default\https+++www.nfl.com\cache emptied successfully
C:\Users\Second\AppData\Local\Mozilla\Firefox\Profiles\a9pr9i2y.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\AnusTickler\AppData\Local\Chromium\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=4201 folders=195 527714342 bytes)

==== Empty Temp Folders ======================

C:\Users\AnusTickler\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Second\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\ANUSTI~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Tue 02/14/2017 at 19:11:43.64 ======================
 


Edited by AdamsComputer, 15 February 2017 - 07:41 AM.


#10 nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 February 2017 - 08:56 AM


Please check if you also get a BSOD while using this profile.
AnusTickler (S-1-5-21-2042302623-1599180195-1203687678-1000 - Administrator - Enabled) => C:\Users\AnusTickler
===

A Guide to the IRQL Not Less Or Equal Blue Screen of Death Error
http://www.reviversoft.com/blog/2012/09/irql-not-less-or-equal/

Does the blue screen indicate which driver is causing this?
This could well be the reason. The TKFWFV service is associated with the Tachyon Firewall LW Filter Driver from INCA Internet Co., Ltd.

Quoted from your Addition.txt log.

Name: nProtect Firewall Core Driver
Description: nProtect Firewall Core Driver
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: TKFWFV
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed.
Devices stay in this state if they have been prepared for removal.
After you remove the device, this error disappears. Remove the device, and this error should be resolved.


If this is the case then reinstall the Firewall or Disable it and see if the problem persists.
===

Please download MiniToolBox to Desktop and run it.
Let's find out what the Event viewer will report.

Check mark the following boxes:
  • List last 10 Event Viewer log
  • Click Go and copy/paste the log (MTB.txt) into your next post.
  • Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
---

It might also be proper to check for outdated drivers.

How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector (PSI)
Follow the instructions on this page.

http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/

Run the application and update all the programs/drivers that need to be updated.

p.s.

Secunia will start looking for new updates every time you boot the system.
This is overkill. When all is well you can remove it using the Add/Remove programs applet.
===

Keep me posted.

#11 AdamsComputer

  • Topic Starter
  • Members
  • 24 posts

Posted 16 February 2017 - 11:29 AM

There does seem to be something going on with that nprotect/netmarble/gameguard thing.  That was from an old game that is no longer installed on my system called Uncharted Waters Online.  I'd like to get rid of everything related to it.  Yes, I only use the admin account "anustickler" which my friend who built the pc for me decided would be a good name and I don't know if I can change it.  I can't use Secunia PSI as it gives me an error message about my connection being a proxy and it can't accept it.  Used verifier, it didn't show any specific driver.  I ran driver reviver and it says 21 drivers need updated but it wants me to buy their software.

 

MiniToolBox by Farbar  Version: 17-06-2016
Ran by AnusTickler (administrator) on 16-02-2017 at 08:16:35
Running from "C:\Users\AnusTickler\Downloads"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Model: MS-7522 Manufacturer: MSI
Boot Mode: Normal
***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (02/14/2017 07:34:58 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {b9f7f4d2-3b29-447c-89b7-7d19a4737d72}

Error: (02/14/2017 06:21:12 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary SCDEmu.

System Error:
The system cannot find the file specified.
.

Error: (02/14/2017 06:14:35 AM) (Source: Microsoft-Windows-CAPI2) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.


Details:
AddLegacyDriverFiles: Unable to back up image of binary SCDEmu.

System Error:
The system cannot find the file specified.
.

Error: (02/14/2017 04:26:26 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {25af1efd-d7c6-44f6-b671-26ad723d5ab0}

Error: (02/14/2017 02:11:44 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {25af1efd-d7c6-44f6-b671-26ad723d5ab0}

Error: (02/13/2017 03:53:05 AM) (Source: VSS) (User: )
Description: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface.  hr = 0x80070005, Access is denied.
.
This is often caused by incorrect security settings in either the writer or requestor process.


Operation:
   Gathering Writer Data

Context:
   Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
   Writer Name: System Writer
   Writer Instance ID: {78d679a8-ac87-4cd9-8827-fbaa89774782}

Error: (02/04/2017 02:29:39 AM) (Source: Application Hang) (User: )
Description: The program firefox.exe version 51.0.1.6234 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 918

Start Time: 01d27e4235d9ad11

Termination Time: 0

Application Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Report Id: 99c88e4a-eac4-11e6-9fc0-00038a000015

Error: (02/02/2017 05:27:57 AM) (Source: Application Error) (User: )
Description: Faulting application name: MSI_LiveUpdate_Service.exe, version: 1.0.0.37, time stamp: 0x582449b8
Faulting module name: MSI_LiveUpdate_Service.exe, version: 1.0.0.37, time stamp: 0x582449b8
Exception code: 0xc0000005
Fault offset: 0x00002db9
Faulting process id: 0x70c
Faulting application start time: 0xMSI_LiveUpdate_Service.exe0
Faulting application path: MSI_LiveUpdate_Service.exe1
Faulting module path: MSI_LiveUpdate_Service.exe2
Report Id: MSI_LiveUpdate_Service.exe3

Error: (01/28/2017 03:35:36 PM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.


Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (01/28/2017 03:35:36 PM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.

Context: Windows Application


Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)


System errors:
=============
Error: (02/15/2017 05:10:43 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom
TKFWFV

Error: (02/15/2017 04:20:44 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom
TKFWFV

Error: (02/15/2017 04:19:22 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 4:16:28 AM on ‎2/‎15/‎2017 was unexpected.

Error: (02/15/2017 04:14:17 AM) (Source: Service Control Manager) (User: )
Description: The Windows Update service hung on starting.

Error: (02/15/2017 04:08:11 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom
TKFWFV

Error: (02/15/2017 04:07:43 AM) (Source: EventLog) (User: )
Description: The previous system shutdown at 4:05:39 AM on ‎2/‎15/‎2017 was unexpected.

Error: (02/15/2017 03:14:06 AM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom
TKFWFV

Error: (02/14/2017 07:10:22 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
cdrom
TKFWFV

Error: (02/14/2017 06:52:30 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.

Error: (02/14/2017 06:52:30 PM) (Source: Service Control Manager) (User: )
Description: The PEVSystemStart service is marked as an interactive service.  However, the system is configured to not allow interactive services.  This service may not function properly.


Microsoft Office Sessions:
=========================
Error: (11/17/2015 01:39:18 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6735.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 25 seconds with 0 seconds of active time.  This session ended with a crash.

Error: (11/03/2015 08:26:15 AM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6732.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 296 seconds with 180 seconds of active time.  This session ended with a crash.


CodeIntegrity Errors:
===================================
  Date: 2012-01-06 13:58:17.606
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2012-01-06 13:58:17.557
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-11 11:44:26.740
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-11 11:44:26.728
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-11 02:11:09.123
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-11 02:11:09.111
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-09 17:33:26.682
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-09 17:33:26.670
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-09 14:03:33.870
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2011-11-09 14:03:33.857
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\NetmarbleGlobal\GV Online Eg\GameGuard\dump_wmimmc.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.


**** End of log ****


Edited by AdamsComputer, 16 February 2017 - 11:58 AM.


#12 AdamsComputer

AdamsComputer
  • Topic Starter

  • Members
  • 24 posts

Posted 16 February 2017 - 12:25 PM

After verifier it rebooted fine.  Just tried to load a game and got a BSOD saying that a device driver was caught trying to corrupt the system, or something of that nature.  I didn't see it name a specific driver.  When the system came back up the screen was messed up and all blurry as soon as Windows started loading (the initial Windows screen before user login).  Had to turn the power off and restart.  Device Manager seems to think everything is up to date; I can't think of what other one to check.  Ran the same game and didn't get the error the second time.


Edited by AdamsComputer, 16 February 2017 - 01:07 PM.


#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 February 2017 - 08:17 AM


That was from an old game that is no longer installed on my system called Uncharted Waters Online. I'd like to get rid of everything related to it.

Download and run the Revo Uninstaller.
http://www.revouninstaller.com/revo_uninstaller_free_download.html

Remove everything associated with that game.

===

I can't use Secunia PSI as it gives me an error message about my connection being a proxy and it can't accept it


Clean the proxy settings. Try the Secunia service again.


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to the new file.
 
start


CreateRestorePoint:
CloseProcesses:
RemoveProxy:

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Description: The program firefox.exe version 51.0.1.6234 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

If you have any problems with Firefox I suggest you reset it.

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox

Ran the same game and didn't get the error second time.

Any more problems with the game?
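For anyone following along who wants to see what the FRST "RemoveProxy:" directive actually touches before running it, here is an added PowerShell audit script. It is not part of nasdaq's instructions and not FRST code; it only reads the WinINET and WinHTTP proxy configuration and flags anything that looks active, so the Secunia "proxy" error can be traced to a specific setting. The registry paths are the ones that appear in the Fixlog later in this thread; the blob layout described in the comments (version, counter, flags, then length-prefixed proxy, bypass and PAC strings) is the commonly documented format of DefaultConnectionSettings and is an assumption of this script, not something the thread states.

```powershell
# Added example: read-only audit of Windows proxy settings (not FRST, not from this thread).
# Run in an elevated Windows PowerShell 5.1 session. Nothing here modifies the registry.

function Get-ProxyAudit {
    [CmdletBinding()]
    param()
    $results = New-Object System.Collections.Generic.List[object]

    # 1. Per-user WinINET values. A ProxyServer or AutoConfigURL (PAC file) that the
    #    user did not configure is the usual cause of "your connection is a proxy" errors.
    $userKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    $u = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue
    foreach ($name in 'ProxyEnable', 'ProxyServer', 'ProxyOverride', 'AutoConfigURL') {
        $value = $null
        if ($u -and $u.PSObject.Properties[$name]) { $value = $u.$name }
        $results.Add([pscustomobject]@{ Location = $userKey; Name = $name; Value = $value })
    }

    # 2. The binary Connections blobs that RemoveProxy deletes. Assumed layout (commonly
    #    documented, not verified in this thread): 4-byte version, 4-byte change counter,
    #    4-byte flags (1 = direct, 2 = manual proxy, 4 = PAC URL, 8 = auto-detect),
    #    then length-prefixed ASCII strings: proxy server, bypass list, PAC URL.
    $connectionKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
    )
    foreach ($key in $connectionKeys) {
        $c = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in 'DefaultConnectionSettings', 'SavedLegacySettings') {
            $summary = $null
            if ($c -and $c.PSObject.Properties[$name]) {
                [byte[]]$blob = $c.$name
                $summary = "present ($($blob.Length) bytes)"
                if ($blob.Length -ge 12) {
                    $flags = [BitConverter]::ToUInt32($blob, 8)
                    $parts = @()
                    if ($flags -band 2) { $parts += 'manual-proxy' }
                    if ($flags -band 4) { $parts += 'pac-url' }
                    if ($flags -band 8) { $parts += 'auto-detect' }
                    if ($parts) { $summary += ' flags=' + ($parts -join ',') }
                    # Pull the proxy string if the blob is long enough to hold it
                    if ($blob.Length -ge 16) {
                        $len = [BitConverter]::ToUInt32($blob, 12)
                        if ($len -gt 0 -and (16 + $len) -le $blob.Length) {
                            $proxy = [Text.Encoding]::ASCII.GetString($blob, 16, $len)
                            $summary += " proxy='$proxy'"
                        }
                    }
                }
            }
            $results.Add([pscustomobject]@{ Location = $key; Name = $name; Value = $summary })
        }
    }

    # 3. Machine-wide WinHTTP proxy, used by services rather than the browser.
    $winhttp = (& netsh.exe winhttp show proxy 2>$null) -join ' '
    $results.Add([pscustomobject]@{ Location = 'netsh winhttp'; Name = 'proxy'; Value = $winhttp.Trim() })

    return $results
}

$audit = Get-ProxyAudit
$audit | Format-Table -AutoSize

# Anything that enables a proxy, names a proxy server or points at a PAC file is worth
# reviewing before it is removed, so that a legitimate corporate setting is not wiped.
$active = $audit | Where-Object {
    ($_.Name -eq 'ProxyEnable' -and $_.Value -eq 1) -or
    ($_.Name -in 'ProxyServer', 'AutoConfigURL' -and $_.Value) -or
    ($_.Value -is [string] -and $_.Value -match 'manual-proxy|pac-url')
}
if ($active) {
    Write-Warning 'Active proxy configuration found; review these entries before running RemoveProxy:'
    $active | Format-Table -AutoSize
}
```

Running this before the fix gives a record of what was set (useful if the proxy turns out to have been placed by malware and you want the value for later comparison); running it again after the Fixlog shows "value removed successfully" confirms the entries are gone.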

#14 AdamsComputer

AdamsComputer
  • Topic Starter

  • Members
  • 24 posts

Posted 17 February 2017 - 12:36 PM

Revo doesn't do anything for me, only shows like 10 programs.  That game was uninstalled a long time ago, so not sure why that stuff is showing up in reports.  Still can't connect to Secunia.  I reset Firefox again and cleared cache again.  Computer still crashes when loading into a game.  One of my vid cards can run the FurMark stress test, the other crashes immediately.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-02-2017 02
Ran by AnusTickler (17-02-2017 09:19:04) Run:3
Running from C:\Users\AnusTickler\Downloads
Loaded Profiles: AnusTickler (Available Profiles: AnusTickler & Second)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start


CreateRestorePoint:
CloseProcesses:
RemoveProxy:

Reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.

========= RemoveProxy: =========

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2042302623-1599180195-1203687678-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========



The system needed a reboot.

==== End of Fixlog 09:19:56 ====



#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,963 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 February 2017 - 02:31 PM


None of your logs show references to Uncharted Waters.
Check the FRST and Addition.txt logs and let me know what entries you want to remove.
==

Let's see what we can find in the Registry.

Please run the Farbar Recovery Scan Tool. Enter Uncharted Waters in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.

===

Problems with the graphics card are not my forte. Try the Internal Hardware forum.
https://www.bleepingcomputer.com/forums/f/7/internal-hardware/

===

Run this cleaning tool. It may help.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.
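The FRST "Search Registry" step above is a black box to most readers, so here is an added PowerShell equivalent that is not part of nasdaq's post and not FRST's code: it walks the common software hives and reports every key name, value name or string value containing a search term, which is what you would use to find leftovers of an uninstalled program such as the GameGuard driver entries quoted earlier in this thread. The hive roots and the search term "Uncharted Waters" are taken from the thread; everything else is this script's own assumption. It only reads, and the hits should be reviewed by hand before any key is deleted.

```powershell
# Added example: read-only registry string search (not FRST's implementation).
# Run in an elevated Windows PowerShell 5.1 session for full HKLM visibility.

function Search-RegistryString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Pattern,
        # Roots chosen to cover installed software, services/drivers and per-user settings
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE',
            'HKLM:\SYSTEM\CurrentControlSet',
            'HKCU:\SOFTWARE'
        )
    )
    $hits = New-Object System.Collections.Generic.List[object]
    $wild = "*$Pattern*"

    foreach ($root in $Roots) {
        # Get-ChildItem on a registry path yields Microsoft.Win32.RegistryKey objects
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -like $wild) {
                $hits.Add([pscustomobject]@{ Key = $key.Name; ValueName = '(key name)'; Data = '' })
            }
            foreach ($vn in $key.GetValueNames()) {
                $data = $null
                try { $data = $key.GetValue($vn) } catch { continue }
                # Binary values are skipped; REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ become text
                $text = ''
                if ($data -is [string])   { $text = $data }
                elseif ($data -is [string[]]) { $text = $data -join ' ' }
                if ($vn -like $wild -or $text -like $wild) {
                    $hits.Add([pscustomobject]@{ Key = $key.Name; ValueName = $vn; Data = $text })
                }
            }
        }
    }
    return $hits
}

# Same term nasdaq asked for in the FRST search box
$found = Search-RegistryString -Pattern 'Uncharted Waters'
if ($found.Count -eq 0) {
    Write-Host 'No registry entries match the search term.'
} else {
    $found | Format-Table -AutoSize -Wrap
    # Driver or service leftovers show up under CurrentControlSet\Services and are the
    # ones most likely to explain the "unable to verify the image integrity" log entries.
    $found | Where-Object { $_.Key -like '*\CurrentControlSet\Services\*' } |
        Format-Table Key, ValueName -AutoSize
}
```

The search is case-insensitive because -like is, and the recursive walk of HKLM:\SOFTWARE can take a minute or two on a system with many installed programs; narrowing $Roots to HKLM:\SYSTEM\CurrentControlSet\Services is enough when the question is only whether an old driver entry still exists.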



